FAQ Password Manager » Documents » FAQ
ManageEngine®

PasswordManager Pro - FAQ

Privileged Password Management Solution, Secure Password Manager

Web-Interface, Authentication

  1. Can change the default port 7272 occupied by PMP?
  2. Why are my users not notified of their PMP accounts?
  3. What are the authentication schemes available in PMP?
  4. What are the user roles available in PMP? What are their access levels?
  5. What if I forget my PMP login password?
  6. Why does Internet Explorer 7 (and other browsers) complain while accessing PMP console?

Security

  1. How secure are my passwords in PMP?
  2. How secure are the A-to-A, A-to-DB password management done through Password Management APIs?
  3. Can we install our own SSL certificate? How?
  4. How can I generate a unique SSL certificate for MySQL server? (Steps applicable for PMP 6500 onwards)

Password Synchronization

  1. Can I also change resource passwords from the PMP console?
  2. When to use the agent and agent-less modes for password synchronization?
  3. Can I enable agentless password synchronization if I add my own resource type for other distributions of Linux ⁄ other versions of Windows?
  4. Is there a way to do remote password syncronization for resource types other than the ones for which remote reset is supported now?
  5. How to troubleshoot when password synchronization does not happen?
  6. Windows domain password reset fails with the error message: "The authentication mechanism is unknown"
  7. What are the prerequisites for enabling windows service account reset?

Backup & Disaster Recovery

  1. Can I setup disaster recovery for the PMP database?
  2. Where does the backup data get stored? Is it encrypted?

Troubleshooting & General Tips

  1. Do I need any prerequisite software to be installed before using PMP?
  2. Can others see the resources added by me?
  3. Can I add my own attributes to PMP resources?
  4. What if a user who has not shared his sensitive passwords, leaves the enterprise?
  5. Importing users/resources from AD fails...
  6. Does PMP provide support for high availability?
  7. How to make the PMP application work with a MySQL database server installed in a separate machine (other than the one in which PMP server is running)?
  8. Can I rebrand PMP with our logo?
  9. Does domain SSO work across firewalls/VPNs?
  10. Does PMP record Password viewing attempts and retrievals by users?

Licensing

  1. What is the Licensing Policy for PMP?
  2. Can I buy a permanent license for PMP? What are the options available?
  3. I want to have high availability setup with redundant servers. Is one license enough?
  4. Can PMP support more than 100 administrators?
  5. Can I extend my evaluation to include more administrator users or for more number of days?
  6. Do I have to reinstall PMP when moving to the Professional Edition?

Web Interface, Authentication

Can I change the default port 7272 occupied by PMP?

Yes, you can change the default port as explained below:

  • Go to <PMP_Installation_Folder>\conf directory and open the server.xml file
  • Replace the entry '7272' with the port number of your choice. Note that there will be 7272 entries within comments too and all should be replaced.

Why are my users not notified of their PMP accounts?

Users are notified of their PMP accounts only through email. If they do not get the notification email, check

  • if you have configured the mail server settings properly with the details of the SMTP server in your environment
  • if you have provided valid credentials as part of mail server settings, as some mail servers require them for mails to be sent
  • if the 'Sender E-Mail ID' is properly configured as some mail servers reject emails sent without the from address or mails originating from unknown domains

What are the authentication schemes available in PMP?

You can use one of the following three mechanisms:

Active Directory: When enabled, the authentication request is forwarded to the configured domain controller and based on the result, the user is allowed or denied access into PMP. The user name, password and the domain are supplied in the PMP login screen. This scheme works only for users whose details have been imported previously from AD. Available only when PMP server is installed on Windows system.

LDAP Directory: When enabled, the authentication request is forwarded to the configured

LDAP directory server and based on the result, the user is allowed or denied access into PMP. The user name and password and the option to use LDAP authentication  are supplied in the PMP login screen. This scheme works only for users whose details have been imported previously from the LDAP directory

PMP Local Authentication: The authentication is done locally by the PMP server. Irrespective of AD or LDAP authentication being enabled, this scheme is always available for the users to choose in the login page. This scheme has a separate password for users and the AD or LDAP passwords are never stored in the PMP database.


What are the user roles available in PMP? What are their access levels?

PMP comes with three pre-defined roles:

  • Administrators
  • Password Administrators
  • Password Users

Any administrator can be made as "Super Administrator" with the privilege to view and manage all resources.Refer help documentation for details on access levels.


What if I forget my PMP login password?

PMP comes with three pre-defined roles:

If you were already given a valid PMP account, you can use the 'Forgot Password?' link available in the login page to reset the password. The user name/e-mail id pair supplied should match the one already configured for the user and in that case, the password will be reset for that user and the new password will be emailed to that email id.


Why does Internet Explorer 7 (and other browsers) complain while accessing PMP console?

PMP comes with three pre-defined roles:

The PMP web console always uses HTTPS to communicate with the PMP server. The PMP server comes with a default self-signed SSL certificate, which the standard web browsers will not recognize and issue a warning. Particularly IE 7's warning message appears serious. Ignoring this warning still guarantees encrypted communication between the PMP console and the server but if you want your users to be particularly sure that they are connecting only to the PMP server, you will need to install a SSL certificate that you have bought from a certificate authority, that is recognised by all standard web browsers.


Security

How secure are my passwords in PMP?

Ensuring the secure storage of passwords and offering high defence against intrusion are the mandatory requirements of PMP. The following measures ensure the high level security for the passwords:

  • Passwords are encrypted using the Advanced Encryption Standard (AES), which is currently the strongest encryption algorithm, and stored in the database. (AES has been adopted as an encryption standard by the U.S. Government)
  • The database which stores all the passwords accepts connections only from the host that it is running on and is not visible externally
  • Role-based, fine-grained user access control mechanism ensures that the users are allowed to view the passwords based on the authorization provided
  • All transactions between the PMP console and the server take place through HTTPS
  • In-built Password Generator can help you generate strong passwords

For detailed information, refer to Prouct Security Specifications document.


How secure are the A-to-A, A-to-DB password management done through Password Management APIs?

The web API exposed by PMP forms the basis for Application-to-Application/Database Password Management in PMP. The applications connect and interact with PMP through HTTPS. The application's identity is verified by forcing it to issue a valid SSL certificate, matching the details already provided to PMP corresponding to that application.


Can we install our own SSL certificate? How?

The PMP runs as a HTTPS service. It requires a valid CA-signed SSL certificate with the principal name as the name of the host on which it runs. By default, on first time startup, it creates a self signed certificate. This self signed certificate will not be trusted by the user browsers. Thus, while connecting to PMP, you need to manually verify the certificate information and the hostname of PMP server carefully and should force the browser to accept the certificate.

To make the PMP server identify itself correctly to the web browser and theuser:

  • you need to obtain a new signed certificate from a CA for the PMP host or
  • you can configure an existing certificate obtained from a CA with wild-card principal support for the PMP host

You can use OpenSSL or keytool (bundled with Java) to create your certificates, get them signed by a CA and use them with PMP. The choice of which tool to use is yours, based on what your security administrators say. Detailed instructions on using both the tools are provided here. If you already have a certificate signed by a CA, then we recommend using OpenSSL to create the keystore and configure it in PMP (steps 4 and 5 in the instructions below).

Using OpenSSL

OpenSSL is available bundled with most of the Linux distributions. If you have Windows and do not have OpenSSL installed, download it from http://www.slproweb.com/products/Win32OpenSSL.html. Make sure the 'bin' folder under the OpenSSL installation is included in the 'PATH' environment variable.

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake

  • Open the command prompt
  • Execute 'openssl genrsa -des3 -out <privatekey_filename>.key 1024'
    • <privatekey_filename> is the filename you specify to store the private key
  • This will prompt you to enter a pass-phrase for the private key. Enter 'passtrix' or a pass-phrase of your choice. (Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alpha characters)
  • This will create a file named <privatekey_filename>.key in the same folder

Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority to create a signed certificate with the public key generated in the previous step.

  • Execute 'openssl req -new -key <privatekey_filename>.key -out <certreq_filename>.csr'
    • <privatekey_filename>.key is the one used in the previous step
    • <certreq_filename>.csr is the filename you specify to carry the certificate creation request to the CA (certificate authority)
  • This will prompt you to enter a series of values that are part of the distinguished name (DN) of the server that will host PMP
  • Enter values as applicable to you and importantly for the 'Common Name' supply the fully qualified name of the server hosting PMP (with which it will be accessed through the browsers)
  • This will create a file name <certreq_filename>.csr in the same folder

Step 3 : Submit the CSR to a Certificate Authority (CA) to obtain a CA signed certificate

  • Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
  • This process usually takes a few days time and you will be returned your signed SSL certificate and the CA's root certificate as .cer files
  • Save them both in the same working folder where files from steps 1 and 2 are stored

Step 4: Import the CA-signed certificate to a keystore

  • On a command prompt navigate to the same working folder
  • Execute 'openssl pkcs12 -export -in <cert_file>.cer -inkey <privatekey_filename>.key -out <keystore_filename>.p12 -name pmp -CAfile <root_cert_file>.cer -caname pmp -chain'
    • where
      • cert_file.cer is the signed SSL certificate with the .cer extention
      • privatekey_filename.key is the private key file with a .key extension
      • keystore_filename.p12 name is the keystore that will be generated with a .p12 extension
      • root_cert_file.cer is the CA's root certificate with a .cer extension
    • When prompted for password, enter the same password which you used in step 1 for the private key. Note that this requirement is due to an inherent limitation in tomcat, where these two passwords have to be the same
  • This will generate the keystore file <keystore_filename>.p12 on the same folder

Step 5: Finally, configure the PMP server to use the keystore with your SSL certificate

  • Copy this <keystore_filename>.p12 generated in the previous step to <PMP_Install_Folder>\conf folder
  • In a command prompt, navigate to <PMP_Install_Folder>\conf folder
  • Open the file server.xml and do the following changes
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>.p12"
  • Make sure the entry  for 'keystorePass' is set to "passtrix" or the password you specified in the previous step while creating the keystore
  • Add a new entry keystoreType="PKCS12" next to the keystorePass entry
  • Save the server.xml file
  • Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!

Using Keytool

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake

  • Go to <PMP_Home>/jre/bin folder
  • Execute the command "./keytool -genkey -alias pmp -keyalg RSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of days> -keystore <keystore_filename>"
    • <keystore_password> is the password to access the keystore, <privatekey_password> is the password to protect your private key. Note that due to an inherent limitation in tomcat, these two passwords have to be the same. (Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alpha characters)
    • <no_of_days> is the validity of the key pair in number of days, from the day it was created
  • The command will prompt you to enter details about you and your organization
    • For the 'first and the last name' enter the FQDN of the server running PMP
    • For other fields enter the relevant information
    • <keystore_password> is the password to access the keystore, <privatekey_password> is the password to protect your private key and <no_of_days> is the validity of the key pair in number of days, from the day it was created
  • This will create a keystore file named <keystore_filename> in the same folder, with the generated key pair

Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority to create a signed certificate with the public key generated in the previous step.

  • Go to <PMP_Home>/jre/bin folder
  • Execute the command "keytool -certreq -keyalg RSA -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore <keystore_filename>"
    • Note that the <csr_filename> that you choose should have .csr extension. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the last step
  • This will create a CSR file named <csr_filename> in the same folder

Step 3 : Submit the CSR to a Certificate Authority (CA) to obtain a CA signed certificate

  • Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
  • This process usually takes a few days time and you will be returned your signed SSL certificate and the CA's certificate as .cer files
  • Save them both in the <PMP_Home>/jre/bin folder

Step 4: Import the CA-signed certificate to the PMP server

  • Import your SSL certificate into your keystore
  • Go to <PMP_Home>/jre/bin folder
  • Execute the command "keytool -import -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_certificate>"
  • <your_ssl_certificate> is the certificate you obtained from the CA, a .cer file saved in the previous step. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the previous steps
  • Now copy the <keystore_filename> to the <PMP_Home>/conf folder

Step 5: Finally, configure the PMP server to use the keystore with your SSL certificate

  • Go to <PMP_Home>/conf folder
  • Open the file server.xml
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one used in the previous steps
  • Also search for the entry 'keystorePass' (which will infact be next to keystoreFile), which will have the default value set to "passtrix". Change the value to "<keystore_password>" where <keystore_password> is the one used in the previous steps
  • Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!

Note : Tomcat by default accepts only the JKS (Java Key Store) and PKCS #12 format keystores. In case, the keystore is of PKCS #12 format, include the following option in the server.xml file along with the keystore name, keystoreType="PKCS12?This tells tomcat that the format is PKCS12. Restart the server after this change.

Installing an existing wild card supported SSL certificate

  • Go to <PMP_Home>/conf folder
  • Open the file server.xml
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one belong to the existing wild-card certificate.
  • Also search for the entry 'keystorePass' (which will in fact be next to keystoreFile), which will have the default value set to "passtrix". Change the value to "<keystore_password>" where <keystore_password> is the one used to protected the existing wild-card certificate keystore.
  • Restart the PMP server and connect through the web browserconsole. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!

Note : Please refer your CA's documentation for more details and troubleshooting


How do I generate Unique SSL Certificate for MySQL Server? (Applicable for PMP 6500 onwards)

Follow the steps below to gererate SSL certificate for MySQL Server. (If you want to have a self-signed key, follow all the steps. If you are using a CA signed certificate, skip steps 1, 2 and 5.)

Step 1  Create certificate authority key

  • Open a command prompt
  • Execute the command openssl genrsa -out ca.key 1024
  • This will create a key named ca.key

Step 2 Create a self-signed certificate authority certificate

  • Execute the command openssl req -new -x509 -days 365 -key ca.key -out CAcert.pem 
  • Here ca.key is the file you created in step 1
  • This will create a file named CAcert.pem

Step 3 Generate private key

  • Open a command prompt
  • Execute the command openssl genrsa -out ServerKey.key 1024
  • This will create a file named ServerKey.key

Step 4 Generate a certificate request

  • Execute the command openssl req -new -key ServerKey.key -out server.csr
  • Here, ServerKey.key is the file you created in step 3
  • This will create a file named server.csr

Step 5 Create a Certificate Signing Request (CSR) for submission to a certificate authority (perform this step only if you are using a self-signed certificate. Otherwise, proceed to step 6)

  • Execute the command openssl x509 -req -days 365 -in server.csr -CA CAcert.pem -CAkey ca.key -set_serial 01 -out ServerCer.cer
  • Here, server.csr is the file you created in Step 4; CAcert.pem is the file created in Step 2; ca.key is the file created in Step 2
  • This will create a file named ServerCer.cer
Step 6 Generate .p12 file
  • Execute the command openssl pkcs12 -export -in ServerCer.cer -inkey ServerKey.key -out PMPKeyStore.p12 -name pmp -CAfile CAcert.pem -caname pmp -chain
  • Here, ServerCer.cer is the file you created in Step 5. If you are using a CA signed certificate, enter the signed SSL certificate with .cer extension; ServerKey.key is the one you created in Step 3; CAcert.pem is the file created in Step 2
  • This will create a file named PMPKeyStore.p12
  • Here, you will be prompted to enter 'Export Password'. The password specified here has to be entered in PMP configuration file in wrapper.conf (in Windows installation) and wrapper_lin.conf (in Linux installation) as explained below.

    Open wrapper.conf (in Windows installation) and wrapper_lin.conf (in Linux installation) and search for the following line:

    wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=passtrix

    In the above, replace passtrix with the password you have entered above.
Step 7  Configure the PMP server to use the keystore with your SSL certificate
  • By executing the above steps, you would have got four files namely CAcert.pem, ServerKey.key, ServerCer.cer and PMPKeyStore.p12. You need to copy and paste  these files into <PMP-Installation-Folder>/conf directory
Step 8  Import CAcert.pem into PMP
  • Navigate to <PMP-Installation-Folder>/bin directory and execute the following command:

In Windows: importcert.bat <absolute path of the CAcert.pem file created in step 2>
In Linux: sh importcert.sh\bat <absolute path of the CAcert.pem file created in step 2


Step 9 Put these files into MySQL
  • You need to copy the following three files created after Step 6 and rename them as below:

CAcert.pem to be renamed as ca-cert.pem
ServerKey.key to be renamed as server-key.pem
ServerCer.cer to be renamed as server-cert.pem

  • Then, put the renamed files into <PMP-Installation-Folder>/mysql/data directory

Important Note: If you are having High Availability setup, execute the steps 7, 8 and 9 in PMP secondary installation also.


Password Synchronization

Can I also change resource passwords from the PMP console?

Yes, of course. PMP can change the passwords currently for Windows, Windows domain and Linux systems. Capability to change passwords of other types of resources like databases, routers, switches etc will be gradually added. PMP supports both agent-based and agent-less modes of changing passwords.


When to use the agent and agent-less modes for password synchronization?

Let us first look at the requisites for both the modes:

The agent mode requires the agent to be installed as a service and run with administrative privileges to perform password changes. The communication between the PMP server and agent takes place through TCP for normal information and HTTPS for password transfer and hence communication paths must exist (ports to be kept open) between the server and agent.

For the agentless mode, you must supply administrative credentials to perform the password changes. For Linux you must specify two accounts, one with root privileges and one with normal user privileges that can be used to login from remote. Telnet or SSH service must be running on the resources. For Windows domain, you must supply the domain administrator credentials. For Windows and Windows domain, PMP uses remote calls and relevant ports must be open on the resource.

Based on this you can choose which mode you want for your environment, indicated by the following tips:

Choose agent mode when,

  • you do not have administrative credentials stored for a particular resource in PMP
  • you do not have the required services running on the resource (Telnet / SSH for Linux, RPC for Windows)
  • you run PMP in Linux and want to make password changes to a Windows resource

Choose agentless mode in all other cases as it is a more convenient and reliable way of doing password changes.


Can I enable agentless password synchronization if I add my own resource type for other distributions of Linux / other versions of Windows?

Yes, you can. As long as your resource type label contains the string 'Linux' or 'Windows', you can still configure agentless password synchronization for those resources.

Example of valid resource type labels to enable password synchronization:

Debian Linux, Linux - Cent OS, SuSE Linux, Windows XP Workstation, Windows 2003 Server


Is there a way to do remote password syncronization for resource types other than the ones for which remote reset is supported now?

Yes, you can make use of Password Reset Listeners, which enable invoking a custom script or executable as a follow-up action to Password Reset action in PMP. Refer to Help Documentation for more details.


How to troubleshoot when password synchronization does not happen?

In the agent mode,

  • Check if the agent is running by looking at the Windows active process list for the entry 'PMPAgent.exe' or the presence of a process named PMPAgent in Linux
  • Check if the agent port (default 5768) is reachable from the server through a TCP connection (using telnet)
  • Check if the account in which the agent is installed has sufficient privileges to make password changes

In the agentless mode,

  • Check if the right set of administrative credentials have been provided and the remote synchronization option is enabled
  • Check if the necessary services are running on the resource (Telnet / SSH for Linux, RPC for Windows)
  • Check if the resource is reachable from the PMP server using the DNS name provided

Windows domain password reset fails with the error message: "The authentication mechanism is unknown"

This happens when PMP is run as a Windows service and the 'Log on as" property of the service is set to the local system account. Change it to any domain user account to be able to reset domain passwords. Follow the instructions below to effect that setting:

  • Go to the Windows Services applet (from Control Panel --> Administrative Tools --> Services)
  • Select the 'ManageEngine PMP' service, right-click --> choose Properties
  • Click the Log On tab and choose the 'This Account' radio button and provide the username and password of any domain user - in the format <domainname>\<username>
  • Save the configuration and restart the server

What are the prerequisites for enabling Windows Service Account Reset?

Before enabling windows service account reset, ensure if the following services are enabled in the servers where the dependent services are running:

(1) Windows RPC service should have been enabled
(2) Windows Management Instrumentation (WMI) service should have been enabled


Backup & Disaster Recovery

Can I setup disaster recovery for the PMP database?

Yes, you can. PMP can periodically backup the entire contents of the database, which can be configured through the PMP console. Refer help documentation for more details.


Where does the backup data get stored? Is it encrypted?

All sensitive data in the backup file are stored in encrypted form in a .zip file under <PMP_Install_Directory/backUp> directory. It is recommended that you backup this file in your secure, secondary storage for disaster recovery.


General

Do I need any pre-requisite software to be installed before using PMP?

There is no prerequisite software installation required to use PMP.


Can others see the resources added by me?

Except super administrators (if configured in your PMP set up), no one, including admin users will be able to see the resources added by you. Apart from this, if you decide to share your resources with other administrators, they will be able to see tham.


Can I add my own attributes to PMP resources?

Yes, you can extend the attributes of the PMP resource and user account to include details that are specific to your needs. Refer the help documentation for more details.


What if a user who has not shared his sensitive passwords, leaves the enterprise?

This can very well happen in any enterprise, but with PMP you need not worry about passwords getting orphaned. Administrators can 'transfer' resources owned by users to other administrator users and in the process they have no access to those resources themselves, unless they do the transfer to their name. Refer the help documentation for more details.


Importing users/resources from AD fails...

Ensure the following:

  • Check if the user credentials are correct
  • If you are trying with an admin user and it fails, try entering the credentials of a non-admin user. This is just to verify if connection could be established properly

In case, if fails even after ensuring the above, contact passwordmanagerpro-support@manageengine.com.


Does PMP provide high availability support?

Yes, refer to Help Documentation for more details


How to make the PMP application work with a MySQL database server installed in a separate machine (other than the one in which PMP server is running)?

It is always recommended to run the PMP application (built over Tomcat web server) and the MySQL database in the same machine for better security. We have configured the bundled MySQL database so as it is not visible outside the machine in which it is installed (it will accept connections requested only from localhost) and you will lose this aspect when you separate them. If there is a pressing need to run MySQL elsewhere, follow the procedure detailed below:

  • Shutdown PMP server if it is already running
  • Install MySQL server in a different machine and create a database named 'PassTrix' (the casing is important, particularly in Linux)
  • Start the MySQL server and make sure you are able to connect to the database from remote (using the MySQL command line client)
  • Make the following configuration changes in PMP
    • Go to <PMP_Install_Dir>\conf\Persistence folder
    • Open the file persistence-configurations.xml and search for the entry 'StartDBServer' and set its value to 'false' (default will be 'true')
    • Save that file
    • Go to <PMP_Install_Dir>\conf folder
    • Open the file database_params.txt and make the following changes
      • In the URL property, change the entries 'localhost' and '5768' to the hostname and port number corresponding to the remote MySQL server
      • If you want to connect as root leave the username property as is. Otherwise make appropriate changes to that property. Note that PMP requires root privileges in MySQL
      • If you have set a password in the remote MySQL server specify it against the password property. Otherwise remove or comment out that line
      • Save that file
  • Now start the PMP server again and it should work with the remote database (which should be already running)

Does domain SSO work across firewalls / VPNs?

The domain Single Sign On (windows integrated authentication) is achieved in the Windows environment by setting non-standard parameters in the HTTP header, which are usually stripped off by devices like firewalls / VPNs. PMP is designed for use within the network. So, if you have users connecting from outside the network, you cannot have SSO this enabled.


Can I rebrand PMP with our logo?

Yes. If you want to replace the PMP logo appearing on the login screen and on the web-interface with that of yours, you can do so from the web-interface itself. It is preferable to have your logo of the size 210 * 50 pixels.

To rebrand the logo,

  • Go to the "Admin" tab
  • Click "Customize >> Rebrand"
  • Browse and choose the required image
  • Click "Save"
  • The PMP will appear with rebranded look

Does PMP record Password viewing attempts and retrievals by users?

Yes, PMP records all operations performed by the user including the password viewing and copying operations. From audit trails, you can get a comprehensive list of all the actions and attempts by the users with password retrieval. The list of operations that are audited (with the timestamp and the IP address) includes:

  • User accounts created, deleted and modified
  • Users logging in and logging off the application
  • Resources and passwords created, accessed, modified and deleted

What's the maximum size of a password that Password Manager Pro can store?

The resource passwords are stored as encrypted text (SQL type TEXT) in the database and hence the size of the content can be upto 64KB. For the PMP application login password, the maximum password length is 100 characters.


Licensing

What is the Licensing Policy for PMP?

Evaluation Edition - Evaluation Edition allows you to have 2 administrators in for 30 days. You can manage unlimited resources and evaluate all features of Premium Edition. During evaluation you can get free technical assistance.

Free Edition - Download valid for ever, capable for supporting a maximum of 1 administrator. You can manage a maximum of 10 resources and you will all functionalities of Standard Edition.

Registered Version - need to buy license based on the number of administrators required and the type of edition Standard/Premium:

  • Standard - If your requirement is to have a secure, password repository to store your passwords and selectively share them among enterprise users, Standard Edition would be ideal.
  • Premium - Apart from storing and sharing your passwords, if you wish to have enterprise-class password management features such as  remote password synchronization, password alerts and notifications, application-to-application password management, reports, high-availability and others, Premium edition would be the best choice.

Know the difference ..

Feature Standard Edition Premium Edition
User / User group Management tick tick
Password Repository tick tick
Password Policies tick tick
Password Sharing and Management tick tick
Audit / Audit Notifications tick tick
AD / LDAP integration tick tick
Auto Logon Helper tick tick
Password change listener tick tick
Backup and Disaster Recovery tick tick
Password Alerts and Notifications cross tick
Remote Password Reset(on demand, scheduled and rule based) - for Windows, Windows Domain, Windows Service Accounts, Windows Scheduled Accounts, Flavours of UNIX and Linux, Cisco and HP ProCurve Devices and MS SQL, MySQL servers ) cross tick
Reports cross tick
Password Management API cross tick
High Availability cross tick

Can I buy a permanent license for PMP? What are the options available?

Though PMP follows an annual subscription model for pricing, we also provide perpetual licensing option. The perpetual license will cost approximately three times the annual subscription price, with 20% AMS from the second yea onwards. Contact sales@manageengine.com and passwordmanagerpro-support@manageengine.com for more details.


I want to have high availability setup with redundant servers. Is one license enough?

Yes, if you buy a single PREMIUM Edition license, you are entitled to have high availability setup. You can apply the same license on Primary as well as Standby servers.

Can PMP support more than 100 administrators?

Yes, very much. If you want a license with more than 100 administrator users, please contact sales@manageengine.com and passwordmanagerpro-support@manageengine.com for more details.


Can I extend my evaluation to include more administrator users or for more number of days?

Yes. Fill in the required details in the website and we will send you the license keys.


Do I have to reinstall PMP when moving to the Professional Edition?

No. You need not have to reinstall or shut down the server. You just need to enter the new license file in the "License" link present in the top right corner of the PMP web interface.


Password Manager Pro - Enterprise Password Management Software trusted by