ClearPass - database access

I'm trying to connect to a ClearPass databases to see how and what exactly is saved so I can hopefully use some of that with a custom query to satisfy customer requests.


One such customer request resulted in a blacklist-user-db query that polls the user_id from one of its tables and then does some amazing magic with that. These queries usualy come from Aruba support.


Now, having received such a query again I'd like to adapt it a little bit and for that I'd need a look into the table and records itself to see what I can actualy use.


For this I downloaded DbVisualizer and plugged in the database settings I could find for the database source. 

This however does not let me in.


Has any tinkered with (looked into) a ccpm database like this succesfully?

Care to share a tip or 2?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.

Re: ClearPass - database access

A couple things you need to do..


1. make sure you have appexternal password set






2. custom properties on the sql SSL







Thank You,

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I

Re: ClearPass - database access

I hate to resurect an old thread but I thought this might be the best place to add this


I have the following version of dbVisualizer 


Product: DbVisualizer Free 9.2.6 [Build #2447]
OS: Mac OS X
OS Version: 10.10.2
OS Arch: x86_64
Java Version: 1.7.0_80
Java VM: Java HotSpot(TM) 64-Bit Server VM
Java Vendor: Oracle Corporation

And have not been able to set up the SSL settings referenced above - I was able to make this work on my older installation on Mavericks - I am now on Yosimite and the latest version. Has something changed or have I missed something, The driver used is the standard posgreSQL and it will not allow any changes


Screen Shot 2015-04-25 at 10.57.12 PM.png 

Aruba Employee

Re: ClearPass - database access

I'll take a look at it and respond to this thread later. In the mean time, I recommend using pgAdmin3 to connect to the ClearPass databases.

Zach Jennings
Contributor II

Re: ClearPass - database access

Just was trying to use pgadmin on 6.6.8, and it seems as 5432/tcp is now closed. Nothing seems to be mentioned on the 6.6.8 release notes about this potential change. 


$ nmap -Pn -p 5432
5432/tcp closed postgresql



Anyone else run into this issue?







Justin Kwasnik | ACMX# 598 | ACCX# 638
Contributor II

Re: ClearPass - database access

After rebuilding a new server in the lab, it looks like there was some corruption with the config files that it was using for iptables. The services is starting and the port is listening as expected on 6.6.8. 


$ nmap -Pn -p 5432
5432/tcp open postgresql


After going back and carefully reviewing services when server was booting, it was clear that cpass-firewall was failing after succesfully loading firewall rules with iptables. 






Active Firewall Rules from iptables can also be found by collecting clearpass logs and selecting System Logs.  After extracting the logs, you can navigate to SystemLogs => network-info.txt and scroll down the page until you see "Iptables rule:"


I have listed a snipit for just 5432/tcp from the netwrok-info.txt log file of a correctly working filter. If you dont see the lines for dpt:5432 listed in the input rules, you may be affected by corruption of iptables as well. 


Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination

16 tcp -- tcp dpt:5432

30 ACCEPT tcp -- state NEW tcp dpt:5432



You can also open up the SystemLogs => service-info.txt file and see which services have been started by the opperating system. You dont see the cpass-firewall as displayed form the console screenshots, although you will see tcp/udp ports listed which should reflect the network-info.txt log file. 


Justin Kwasnik | ACMX# 598 | ACCX# 638
Guru Elite

Re: ClearPass - database access

I assume you're working with TAC to get this information. What's the TAC case #?

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: