Adding Resources

The first step to get started with Password Management in PMP is adding your "resource" to the PMP database.

To add your resource,

Adding the resources to be managed in your setup takes three steps. The first step involves entering details about the resource such as its name, its DNS Name/IP, type, location etc. The second step

Step 1:  Adding Resource Details

Storing Digital Certificates, Licence Keys, Files, Documents, Images etc.

 

Different file types could be securely stored in the PMP repository along with the passwords. To store a license key or a certificate or a document etc. you need to select the 'Resource Type' as explained below:

 

By default, PMP supports the following file stores:

Certificate store: to store any private / public keys, digital certificates and digital signature files
 

License key store: to store any software license keys
 

File store: to store any digital content (documents, pictures, executables etc)

You can create any new resource type as per your requirements.

 

Resources of the above types are managed and shared the same way as other resources. During retrieval, a link to the file is provided so that it can be saved locally to disk.

 

  • What is the need for Password Policy field here?  

 

This question naturally arises when you are in the process of adding a resource. The following example would provide the answer: If your intention is to have accounts with strong passwords, others with admin privileges should not disturb this intention while changing the password. So, this step is crucial though it does not have a direct bearing on resource addition.

 

  • Can I add my own custom fields for resources?

 

Yes, you can. You can have up to 20 additional custom fields for resources. To add a custom field, go to the "Resources" tab and click the button "Customize Resource" in the drop-down under "More Actions".
 

    • Character/list - for text inputs

    • Numeric - to store numeric inputs

    • Password - to store password inputs. The values entered here will not be echoed in the GUI. Additionally, a Password Generator icon will be present beside it to help generate

    • Date & Time - to store date and time inputs

    • File - to store file based inputs

Important Note:

When you create a custom field of the type 'File', it does not take effect automatically. You need to specify for which resource types you would like to have this additional field. To do this, you need to navigate to "Admin >> Resource Types", then click "Edit" against the required resource type. In the GUI that opens, select the checkbox against the field "File".

 

  • Can others see the resources added by me?

 

Except super administrators (if configured in your PMP set up), no one, including admin users will be able to see the resources added by you. Apart from this, if you decide to share your resources with other administrators, they will be able to see them.

 

Step 2: Adding Account Details - (User Account & Password to be Managed)

The second step is to add the user accounts of this resource, along with their passwords, that are to be shared between multiple users. Notes can be added to each account.

 

Important Note:

 

If you want to enable password reset in remote systems, make sure that the passwords you enter in this step and the ones in the actual target systems are the same. PMP uses these credentials to log in to the target systems and perform the password reset; if the passwords are wrong, the password reset will not happen.

 

 

 

 

 

  • Can I add my own custom fields for accounts?

 

Yes, you can. You can have up to 20 additional custom fields for accounts. To add a custom field, go to "Admin >> Customize >> Accounts -Additional Fields". Your additional fields can be in any of the following five formats -

 

  • Character/list - for text inputs

  • Numeric - to store numeric inputs

  • Password - to store password inputs. The values entered here will not be echoed in the GUI. Additionally, a Password Generator icon will be present beside it to help generate

  • Date & Time - to store date and time inputs

  • File - to store file based inputs

 

Important Note: When you create a custom field of the type 'File', it does not take effect automatically. You need to specify for which resource types you would like to have this additional field. To do this, you need to navigate to "Admin >> Resource Types", then click "Edit" against the required resource type. In the GUI that opens, select the checkbox against the field "File".

 

The required user name and password have now been added to the PMP repository. Users who are authorized to access the resource will be able to view the information.

Step 3: Remote Password Reset

(Feature available only in Premium Edition)

 

PMP provides the option to remotely change the password of select resources. As of now, this facility is available for changing the password of only those resources that belong to the type Windows, Windows Domain, Linux, IBM AIX, HP UNIX, Solaris, Mac OS, VMWare ESXi, MS SQL server, MySQL server, Oracle DB Server, Sybase ASE, HP ProCurve, HP iLO and Cisco Devices (IOS, CatOS, PIX), Juniper Netscreen. Using this utility, you can change the password of a server present in a remote location, from the PMP web interface itself.

 

You can avail this facility in two ways:

 

 

If the remote resource has restrictions such as a firewall, you would require deployment of agents. Otherwise, you can do password reset without deploying agents.

 

You may proceed with Step 3 only if you intend to do password reset without deploying agents. You need to specify the credentials to be used to login to the resource and effect the changes. For Windows domain controller, Linux, IBM AIX, HP UNIX, Solaris, Mac OS, VMWare ESXi, MS SQL server, MySQL server, Oracle DB Server, Sybase ASE, LDAP Server, HP ProCurve, HP iLO and Cisco Devices (IOS, CatOS, PIX), Juniper Netscreen specify the accounts that will be used to login from remote to perform password reset. For other type of resources this step is not applicable.

Specifying credentials & enabling remote reset for different resource types

Resource Type

Reset Credentials Requirement

Windows & Windows Domain

Configure Auto Logon

 

  • PMP offers support to launch a secure direct connection to the resource from the web-interface. The configuration for the auto logon can be made here. For logging into a Windows resource, you need to configure the domain account that can be used by users to authenticate a Windows RDP session to this remote host. You can authenticate with local accounts also. This is just another option.

 

Configure Remote Password Reset

 

  • For resetting the passwords of the local user accounts, choosing the administrator account in this step is not mandatory.

  • If you want to reset service account passwords of services running in this Windows resource, specify the local Administrator account, which will be used to login into the machine and perform the password reset

  • PMP has the ability to find and reset the local service account passwords of the resource being added. If you want to reset the local service account passwords, select the checkbox "Find and change associated Windows service account passwords in this resource" after adding the local administrator account. You also have the option to restart the Windows services after changing the passwords of local service accounts.

  • If the PMP service is run with domain administrator privilege, PMP will be able to change the passwords of all the local accounts in the computer (present in the domain) without the need for supplying the old password

  • Click "Finish"

 


Linux / IBM AIX, HP UNIX, Solaris, Mac OS

Configure Auto Logon

 

PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.

Configure Remote Password Reset

 

For remote password reset of Unix resources, PMP first uses the remote login account to log in to the target system. Then, to carry out password reset, privilege elevation is needed. PMP can either 'su' as root or use 'sudo' to execute the remote password reset commands (if the target system supports execution of password reset commands through 'sudo').

 

In this process, the following steps are involved:

 

  1. Selecting the protocol

  2. Selecting the authentication method for remote login based on the protocol chosen and specifying the remote login account

  3. Specifying the root account if PMP has to use 'su' / selecting 'sudo'
     

Step 1 - Selecting the Protocol

 

  • Select the protocol for remote login - ssh or telnet and then select the remote login account and root account. If you have chosen telnet, you can go to step 3.

 

Step 2 - If you opt for SSH, specify the authentication method
 

  • If you opt for SSH, you have the option to use either "Password Authentication" or "Public Key Infrastructure" (PKI) Authentication.

    If you choose PKI authentication, you need to select the remote login account as explained below:

    The public key will be present on the remote system under a specific remote login account. Typically, it is available under the $HOME/.ssh folder. Select the remote login account for which the public key is present. Also, PMP supports SSH2 and above only.

    Then browse and supply the corresponding Private Key.

 

Step 3 - Specifying the root account / selecting 'sudo'
 

  • As mentioned above, for executing remote password reset commands, PMP can either 'su' as root or use 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.

  • If you use the option, 'su' as root, you need to select the root account

  • If the target system allows execution of password reset commands through 'sudo', you can select that option 

  • Click "Finish"

 



IBM AS400

 

No specific configuration in Step 3 required. The resource addition process ends with Step 2.

 

VMWare ESXi

Configure Auto Logon

 

PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.

 

Configure Remote Password Reset

 

For remote password reset of VMWare ESXi resources, PMP first uses the remote login account to log in to the target system. Then, to carry out password reset, privilege elevation is needed. PMP can either 'su' as root or use 'sudo' to execute the remote password reset commands (if the target system supports execution of password reset commands through 'sudo').

 

In this process, the following steps are involved:

  1. Selecting the protocol

  2. Selecting the authentication method for remote login based on the protocol chosen and specifying the remote login account

  3. Specifying the root account if PMP has to use 'su' / selecting 'sudo'
     

Step 1 - Selecting the Protocol

 

  • Select the protocol for remote login - ssh or telnet and then select the remote login account and root account. If you have chosen telnet, you can go to step 3.

 

Step 2 - If you opt for SSH, specify the authentication method
 

  • If you opt for SSH, you need to specify the SSH port first and then specify the SSH User Prompt. You have the option to use either "Password Authentication" or "Public Key Infrastructure" (PKI) Authentication.

    If you choose PKI authentication, you need to select the remote login account as explained below:

    The public key will be present on the remote system under a specific remote login account. Typically, it is available under the $HOME/.ssh folder. Select the remote login account for which the public key is present. Also, PMP supports SSH2 and above only.

    Then browse and supply the corresponding Private Key.

 

Step 3 - Specifying the root account / selecting 'sudo'
 

  • As mentioned above, for executing remote password reset commands, PMP can either 'su' as root or use 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.

  • If you use the option, 'su' as root, you need to select the root account. You need to specify the 'Root User Prompt'.

  • If the target system allows execution of password reset commands through 'sudo', you can select that option

  • Click "Finish"
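
An added example, not part of PMP or of the original page: with PKI authentication the private key held in PMP logs in to an account that can then 'su' or 'sudo', so the matching authorized_keys entry on the target (Unix and VMWare ESXi sections above) is worth auditing. The script assumes an OpenSSH-format file; the PMP server address 10.0.0.5 and the sample entries are constructed.

```python
"""Audit the authorized_keys file of the remote login account (added example)."""

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
FORWARDING_OFF = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

# Constructed sample; key material is shortened to placeholders.
# "pty" is kept on the first entry on the assumption that the interactive
# su/sudo step needs a terminal.
SAMPLE = """\
# keys for the remote login account
from="10.0.0.5",restrict,pty ssh-ed25519 AAAAC3placeholderA pmp-reset
ssh-rsa AAAAB3placeholderB old-admin-laptop
from="10.0.0.*,192.168.1.9",no-port-forwarding ssh-dss AAAAB3placeholderC legacy
"""


def split_outside_quotes(text, separators):
    """Split text on separator characters that are not inside double quotes."""
    parts, current, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            quoted = not quoted
        elif ch in separators and not quoted:
            if current:
                parts.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current))
    return parts


def parse_entry(line):
    """Return (options, key_type, comment), or None for blank/comment/bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_outside_quotes(line, " \t")
    options = {}
    if not fields[0].startswith(KEY_TYPES):
        # The first field is the comma-separated option list, not a key type.
        for item in split_outside_quotes(fields.pop(0), ","):
            name, _, value = item.partition("=")
            options[name.lower()] = value.strip('"')
    if len(fields) < 2:
        return None
    return options, fields[0], " ".join(fields[2:])


def audit(text, pmp_server):
    """Return findings for every key that is not pinned to the PMP server."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        options, key_type, comment = entry
        label = f"line {number} ({comment or key_type})"
        sources = [s for s in options.get("from", "").split(",") if s]
        if not sources:
            findings.append(f"{label}: no from= restriction, key works from any host")
        elif sources != [pmp_server]:
            findings.append(f"{label}: from= allows more than {pmp_server}")
        if "restrict" not in options and not FORWARDING_OFF.issubset(options):
            findings.append(f"{label}: forwarding is not disabled")
        if key_type == "ssh-dss":
            findings.append(f"{label}: DSA key, replace with ed25519 or RSA")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "10.0.0.5")))
```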

 

 


 

MySQL Server Resource Type

Password reset for MySQL server is done over JDBC. So, the MySQL Administrator credentials are required. You can enable remote reset of the password of MySQL server as below:

 

  1. Specify the port where the MySQL server is running. By default, MySQL occupies the port 3306
  2. Specify the connection mode - you can configure the connection between MySQL Server and PMP to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.

    To enable the SSL mode, the MySQL server should be serving over SSL and you will have to import the MySQL server's root certificate into the PMP server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.

    To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

    For Windows

    importCert.bat <Absolute Path of certificate>

    For Linux

    importCert.sh <Absolute Path of certificate>

    Restart PMP server. Then continue with the following steps.

  3. To enable PMP to access the MySQL server, provide MySQL Root Account Name
  4. Click "Finish"
 

 


MS SQL Server Resource Type

 

Password reset for MS SQL server is done over JDBC. So, either a domain account credential having enough privileges to modify SQL server passwords or the MS SQL Administrator credential are required. You can enable remote reset of the password of MS SQL server as below:

 

  1. Specify the port where the MS SQL server is running. By default,  MS SQL occupies the port 1433
  2. Specify the connection mode - you can configure the connection between MS SQL Server and PMP to  be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.

    To enable the SSL mode, the MS SQL server should be serving over SSL and you will have to import the MS SQL server's root certificate into the PMP server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.

    To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

    For Windows

    importCert.bat <Absolute Path of certificate>

    For Linux

    importCert.sh <Absolute Path of certificate>

    Restart PMP server. Then continue with the following steps.
  3. To enable PMP to access the MS SQL server, provide any one of the following details -
    1. Windows Authentication details - that is specifying the domain name of which the MS SQL server is a part and then selecting any one user name present in the domain (OR)
    2. MS SQL Administrator Account
  4. Click "Finish"
 

For Oracle DB Server

 

To carry out password reset for Oracle DB server, administrative privileges are required. So, an administrator account has to be specified. You can enable remote reset of the password of Oracle DB server as below:

 

  1. Specify the Oracle DB Listener Port. By default, the Oracle DB server listens on the port 1521
  2. Specify the connection mode - you can configure the connection between Oracle DB Server and PMP to  be over an encrypted channel (AES 256). If you choose the option 'YES' (encrypted mode), do the following. Otherwise, proceed to Step 3.
    • Start Oracle Net Manager
    • In the Navigator window, select "Oracle Net Configuration".

    • Expand the option Local > Profile

    • From the list in the right side pane, select the option "Oracle Advanced Security"

    • In the tabbed window that appears thereafter, click the tab "Encryption"

    • In the drop-down list for Encryption, select the option "Server"

    • For "Encryption Type" list, select the option "Accepted"

    • In the text field for 'Encryption Seed', enter between 10 and 70 random characters. Or, it can even be left blank

    • Select the algorithm "AES 256"
    • Specify an Oracle administrator account
  3. Specify the Oracle Service Name. By default, the service name is taken as ORCL
  4. Click "Finish"

 

 

For Sun Oracle ALOM / ILOM / XSCF

 

No specific configuration in Step 3 required. The resource addition process ends with Step 2.

For Sybase ASE

Prerequisite:

 

  • jConnect 6.0 JDBC driver is required for the password reset. The driver, a file named "jconn3.jar", is available under the <Sybase_Install_Directory>\jConnect_6_0\classes folder (in Sybase ASE 15.0)
  • Copy the jconn3.jar and save it under <PMP_Install_Directory>\lib folder (in the machine running PMP server)
 

To carry out password reset for Sybase ASE, administrative privileges are required. So, an administrator account has to be specified. Steps for enabling remote password reset for Sybase ASE are explained below:

 

  1. Specify the Sybase ASE Port. By default, it occupies the port 5000 (in SSL mode, default port is 2748)
  2. Specify the connection mode - you can configure the connection between Sybase ASE and PMP to  be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.
    • If you want to enable SSL communication from PMP to Sybase ASE
      • Copy and save the trust root certificate of the Sybase server present under <SYBASE_HOME>\ASE-15_0\certificates (in Sybase ASE 15.0) to the <PMP_Install_Directory>\conf\ folder
      • Run this command to import the certificate in PMP: '<PMP_HOME>\jre\bin\keytool.exe -import -v -alias sybase -file <rootcert.txt> -keystore server.keystore -keypass passtrix -storepass passtrix -noprompt'
      • <rootcert.txt> is the root certificate of the Sybase ASE and usually named as <hostname>.txt
    • Restart PMP server
  3. Specify an administrator account of Sybase ASE
  4. Click "Finish"
 

For LDAP Server

 

 

Prerequisite:

 

In Step 2 of 'Resource Addition', while adding accounts, you should have specified the Distinguished Name of the LDAP server account being added. Example: c=administator,cn=people,dc=test,dc=com.

 

LDAP server password reset

 

To carry out password reset for LDAP server, administrative privileges are required. So, an administrator account has to be specified. For remote reset, PMP supports Microsoft Active Directory, OpenLDAP, Oracle Internet Directory and Novell eDirectory. You can enable remote reset of the passwords of the above types of LDAP servers as below:

 

  1. Specify the type of the LDAP Server being added
  2. Specify the LDAP server Port. By default, it occupies the port 389 (in SSL mode, default port is 636)
  3. Specify the connection mode - you can configure the connection between the LDAP server and PMP to  be over an encrypted channel (SSL) or Non-SSL. If your LDAP server is of type Microsoft Active Directory, the connection has to be through SSL only. For other types, you may choose SSL or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 4.
    • To enable the SSL mode, the LDAP server should be serving over SSL and you will have to import the LDAP server's root certificate into the PMP server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.

      To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

      For Windows

      importCert.bat <Absolute Path of certificate>

      For Linux

      importCert.sh <Absolute Path of certificate>

      Restart PMP server. Then continue with the following steps.
  4. Specify an administrator account of LDAP server
  5. Click "Finish"

For HP ProCurve Devices

Configure Auto Logon

 

PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.

Configure Remote Password Reset

 

PMP requires Telnet or SSH service to be running in the resource. Manager Account and Prompts of Manager Mode and Configuration Mode are required for PMP to log in to the resource. PMP will use the configuration mode to reset the passwords. You can enable remote reset of passwords of your HP ProCurve devices by providing the following credentials:

 

 

Credential - Description

  • Remote Login Method - PMP supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol

  • Manager Account - Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, PMP will expect only the password prompt.

  • Manager Mode Prompt - The prompt that appears after successful login

  • Configuration Mode Prompt - This is for entering into privileged mode to perform password reset.

  • Copy Password Changes to Startup - If you want the password changes made to the running configuration from PMP to be applied to the startup configuration, select this checkbox. Exercise caution while enabling the option to copy the running configuration to the startup configuration, as it will cause the current configuration content, including changes made outside of PMP, to be copied immediately.

 

 


For HP iLO

Configure Auto Logon

 

PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.

Configure Remote Password Reset

 

Select the Remote Login Method

 

PMP supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol. The Telnet or SSH service must be running in the resource.

Then, specify the prompt that appears upon successful user login. Also, specify the user account with administrator privileges.

 

 


 

For Cisco Devices (IOS/CatOS/PIX)

Configure Auto Logon

 

PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.

Configure Remote Password Reset

 

PMP requires Telnet or SSH service to be running in the resource. Passwords of the enable mode and a user account are required for PMP to log in to the resource. PMP will use the configuration terminal mode to reset the passwords. You can enable remote reset of passwords of your Cisco devices by providing the following credentials:

 

 

Credential - Description

  • Remote Login Method - PMP supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol

  • Remote Login Account - Login account for establishing connection with the device

  • User Mode Prompt - The prompt that appears after successful login

  • Enable Secret - This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify enable secret

  • Enable Password - This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify enable password

  • Enable Mode Prompt - This is the prompt that will appear after going into enable mode. For example, #

  • Account name required for login - For the user and enable modes, if the device is configured to prompt for the user name, then check the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, PMP will expect only the password prompt.

  • Configuration Mode Prompt - To carry out any change to any feature/configuration of the device, you need to enter configuration mode. The prompt that will appear while going into configuration mode has to be entered here. For example, #

  • Copy Password Changes to Startup - If you want the password changes made to the running configuration from PMP to be applied to the startup configuration, select this checkbox. Exercise caution while enabling the option to copy the running configuration to the startup configuration, as it will cause the current configuration content, including changes made outside of PMP, to be copied immediately.
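
An added example, not PMP's own code, for the 'Copy Password Changes to Startup' caution in the HP ProCurve and Cisco credential lists: it shows what a running-to-startup copy would persist besides the password change. It assumes both configurations have been exported as text in IOS-style syntax; the sample configurations and the password-line pattern are constructed.

```python
"""List what a running-to-startup copy would persist (added example)."""
import difflib
import re
from itertools import islice

# Statements a password reset is expected to touch (assumed IOS-style syntax).
PASSWORD_LINE = re.compile(
    r"(enable (secret|password)|username \S+ .*\b(secret|password)|password) "
)

# Constructed sample configurations; hashes are placeholders.
STARTUP = """\
hostname edge-sw1
enable secret 5 $1$old$constructedhashAAAA
username netops privilege 15 secret 5 $1$old$constructedhashBBBB
interface GigabitEthernet0/1
 description uplink
 shutdown
line vty 0 4
 password 7 0000constructed
 transport input ssh
"""
RUNNING = """\
hostname edge-sw1
enable secret 5 $1$new$constructedhashCCCC
username netops privilege 15 secret 5 $1$old$constructedhashBBBB
interface GigabitEthernet0/1
 description uplink
 no shutdown
line vty 0 4
 password 7 0000constructed
 transport input ssh telnet
access-list 10 permit any
"""


def flatten(config):
    """Prefix indented statements with their section header; drop '!' lines."""
    flat, parent = [], ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line[0].isspace():
            flat.append(f"{parent} > {line.strip()}")
        else:
            parent = line
            flat.append(line)
    return flat


def pending_changes(startup, running):
    """Return (password_changes, other_changes) as '+'/'-' prefixed lines."""
    diff = difflib.unified_diff(flatten(startup), flatten(running), lineterm="", n=0)
    password, other = [], []
    for line in islice(diff, 2, None):  # skip the two file header lines
        if line.startswith("@@"):
            continue
        statement = line[1:].split(" > ")[-1]
        (password if PASSWORD_LINE.match(statement) else other).append(line)
    return password, other


if __name__ == "__main__":
    password, other = pending_changes(STARTUP, RUNNING)
    print(f"{len(password)} password-related line(s) differ")
    print("Changes made outside the password reset that would also be saved:")
    print("\n".join(other))
```

An empty second list means only the password change is pending, which is the case where enabling the checkbox carries nothing else into the startup configuration.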

 

 


For Juniper Netscreen Firewall Devices

Configure Auto Logon

 

PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.

Configure Remote Password Reset

 

PMP requires Telnet or SSH service to be running in the resource. Admin Account and Prompt of Admin Account are required for PMP to login to the resource. You can enable remote reset of passwords of your Netscreen devices by providing the following credentials:

 

 

Credential - Description

  • Remote Login Method - PMP supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol

  • Admin Account - Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check on the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, PMP will expect only the password prompt.

  • Admin Account Prompt - The prompt that appears after successful login

 

 


 

 

 


©2014, ZOHO Corp. All Rights Reserved.