When batch files, scripts and other programs have embedded (and usually plaintext) passwords, organizations have three options to move those passwords into the Hitachi ID Privileged Access Manager credential vault:

  1. Modify the batch file, script or program to call the Privileged Access Manager API to fetch passwords in real time, as required; or
  2. Modify the code which starts the batch process, to first fetch a password from Privileged Access Manager, inject it into a local configuration file or as a command-line argument and then run the batch process; or
  3. Have Privileged Access Manager modify passwords where they are currently stored whenever it changes them to a new, random value. In this case, neither the batch process nor the mechanism that calls it change.

The first option is clearly more robust and secure, but requires modification to the program that uses an embedded password. Such modification may be too costly (e.g., if there are thousands of such programs) or impossible (e.g., if the program came from a third party who is not willing to make changes).

The second and third options are recommended by Hitachi ID Systems wherever the first is infeasible.

Privileged Access Manager supports all of the above options.

Watch a Movie

Hitachi ID Privileged Access Manager API CMD


  • Command-line execution of FTP client.
  • Plaintext password replaced with credentials from secure vault.
  • Video shows establishment of trust relationship.

Key concepts:

  • Authentication into Privileged Access Manager web services API uses OTP and IP address validation.
  • Wrapper library manages caching, encryption, key generation, serialization.
  • Encryption key generated based on runtime environment.
  • Command-line launcher hides complexity from user.