The first step to get started with Password Management in PMP is adding
your "resource" to the PMP database.
Addition of resources to be managed in your setup falls under three
steps. The first step involves entering details about the resource such
as its name, its DNS Name/IP, type, location etc.
The second step is to add the user accounts and their passwords of this
resource that are to be shared between multiple users. Notes can be added
to each account.
- In the text field for "User Account", enter the user name of the particular account being added. This field is mandatory.
- In the text field for "Password", enter the password of the account. This field is mandatory. If you have set a 'Password Policy' during the previous step, the password you enter must comply with the specified policy. For example, if you have set 'Strong' as the policy, the password entered here should comply with that. If you do not want to enforce the policy here, change the setting through "General Settings".
- Confirm the password.
- Enter a description of the account being added in the "Notes" column. This helps in properly identifying a particular account in future.
- If the resource belongs to the type 'Windows Domain', you can choose to use the Windows Service Account Reset feature (refer to this link for more details on this).
- The accounts added so far are listed in the table below.
- Within one resource, one might have many accounts - for example, consider managing the passwords of a Linux server. There will be many user accounts for the server such as root, guest and so on. For a single resource, you can add as many accounts and passwords as are present in the resource. If you have multiple accounts for the resource, repeat the above procedure.
- If your resource type belongs to Windows, Linux, Windows Domain, IBM AIX, HP UNIX, Solaris, Mac OS, VMWare ESXi, MS SQL Server, MySQL server, Oracle DB Server, Sybase ASE, LDAP Server, HP ProCurve, HP iLO, Cisco IOS, Cisco CatOS, Cisco PIX, Juniper Netscreen and if you require remote password reset, click "Next"; otherwise, click "Finish" to complete the resource addition process.
The required user name and password have now been added to the PMP repository.
Users who are authorized to access the resource will be able to view
the information.
PMP provides the option to remotely change the password of select resources.
As of now, this facility is available for changing the password of only
those resources that belong to the type Windows, Windows Domain, Linux,
IBM AIX, HP UNIX, Solaris, Mac OS, VMWare ESXi, MS SQL server, MySQL server, Oracle
DB Server, Sybase ASE, HP ProCurve, HP iLO and Cisco Devices (IOS, CatOS, PIX),
Juniper Netscreen. Using this utility, you can change the password of
a server present in a remote location, from the PMP web interface itself.
If the remote resource has restrictions such as a firewall, you would
require deployment of agents. Otherwise, you can do password reset without
deploying agents.
You may proceed with Step 3 only if you intend to do password reset
without deploying agents. You need to specify the credentials to be used
to log in to the resource and effect the changes. For Windows domain controller,
Linux, IBM AIX, HP UNIX, Solaris, Mac OS, VMWare ESXi, MS SQL server, MySQL server,
Oracle DB Server, Sybase ASE, LDAP Server, HP ProCurve, HP iLO and Cisco Devices
(IOS, CatOS, PIX), Juniper Netscreen, specify the accounts that will be
used to log in remotely to perform password reset. For other types of
resources, this step is not applicable.
Resource Type |
Reset Credentials Requirement |
|
Windows & Windows Domain |
Configure Auto Logon
PMP offers support to launch a secure direct connection to the resource from the web-interface. The configuration for the auto logon can be made here. For logging into a Windows resource, you need to configure the domain account that can be used by users to authenticate a Windows RDP session to this remote host. You can also authenticate with local accounts. This is just another option.
Configure Remote Password Reset
- For resetting the passwords of the local user accounts, choosing the administrator account in this step is not mandatory.
- If you want to reset service account passwords of services running in this Windows resource, specify the local Administrator account, which will be used to log in to the machine and perform the password reset.
- PMP has the ability to find and reset the local service account passwords of the resource being added. If you want to reset the local service account passwords, select the checkbox "Find and change associated Windows service account passwords in this resource" after adding the local administrator account. You also have the option to restart the Windows services after changing the passwords of local service accounts.
- If the PMP service is run with domain administrator privilege, PMP will be able to change the passwords of all the local accounts in the computer (present in the domain) without the need for supplying the old password.
- Click "Finish"
|
|
Linux / IBM AIX, HP UNIX,
Solaris, Mac OS |
Configure Auto Logon
PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.
Configure Remote Password Reset
For remote password reset of Unix resources, PMP first uses the remote
login account to log in to the target system. Then, to carry out password
reset, privilege elevation is needed. PMP can either 'su' as root or use
'sudo' to execute the remote password reset commands (if the target system
supports execution of password reset commands through 'sudo').
In this process, the following steps are involved:
- Selecting the protocol
- Selecting the authentication method for remote login based on the protocol chosen and specifying the remote login account
- Specifying the root account if PMP has to use 'su' / selecting 'sudo'
Step 1 - Selecting the Protocol
Step 2 - If you opt for SSH, specify the authentication method
If you opt for SSH, you have the option to use either "Password Authentication" or "Public Key Infrastructure" (PKI) Authentication.
If you choose PKI authentication, you need to select the remote login account as explained below:
The public key would be present on the remote system under a specific remote login account. Typically, it would be available under the $HOME/.ssh folder. Select the remote login account for which the public key is present. Also, PMP supports SSH2 and above only.
Then browse and supply the corresponding Private Key.
Step 3 - Specifying the root account / selecting 'sudo'
- As mentioned above, for executing remote password reset commands, PMP can either 'su' as root or use 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.
- If you use the option 'su' as root, you need to select the root account.
- If the target system allows execution of password reset commands through 'sudo', you can select that option.
- Click "Finish"
|
VMWare ESXi |
Configure Auto Logon
PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.
Configure Remote Password Reset
For remote password reset of VMWare ESXi resources, PMP first uses the remote
login account to log in to the target system. Then, to carry out password
reset, privilege elevation is needed. PMP can either 'su' as root or use
'sudo' to execute the remote password reset commands (if the target system
supports execution of password reset commands through 'sudo').
In this process, the following steps are involved:
- Selecting the protocol
- Selecting the authentication method for remote login based on the protocol chosen and specifying the remote login account
- Specifying the root account if PMP has to use 'su' / selecting 'sudo'
Step 1 - Selecting the Protocol
Step 2 - If you opt for SSH, specify the authentication method
- If you opt for SSH, you need to specify the SSH port first and then specify the SSH User Prompt. You have the option to use either "Password Authentication" or "Public Key Infrastructure" (PKI) Authentication.
If you choose PKI authentication, you need to select the remote login account as explained below:
The public key would be present on the remote system under a specific remote login account. Typically, it would be available under the $HOME/.ssh folder. Select the remote login account for which the public key is present. Also, PMP supports SSH2 and above only.
Then browse and supply the corresponding Private Key.
Step 3 - Specifying the root account / selecting 'sudo'
- As mentioned above, for executing remote password reset commands, PMP can either 'su' as root or use 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.
- If you use the option 'su' as root, you need to select the root account. You need to specify the 'Root User Prompt'.
- If the target system allows execution of password reset commands through 'sudo', you can select that option.
- Click "Finish"

|
|
MySQL
Server Resource Type |
Password reset for MySQL server is done over JDBC. So, the MySQL Administrator
credentials are required. You can enable remote reset of the password
of MySQL server as below:
- Specify the port where the MySQL server is running. By default, MySQL occupies the port 3306
- Specify the connection mode - you can configure the connection between MySQL Server and PMP to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.
To enable the SSL mode, the MySQL server should be serving over SSL
and you will have to import the MySQL server's root certificate into the
PMP server machine's certificate store. You need to import all the certificates
that are present in the respective root certificate chain - that is the
certificate of the PMP server machine and intermediate certificates, if
any.
To import the root certificate, open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and
execute the following command:
For Windows
importCert.bat <Absolute Path of certificate>
For Linux
importCert.sh <Absolute Path of certificate>
Restart PMP server. Then continue with the following steps.
- To enable PMP to access the MySQL server, provide the MySQL Root Account Name
- Click "Finish"

|
|
MS
SQL Server Resource Type |
Password reset for MS SQL server is done over JDBC. So, either a domain
account credential having enough privileges to modify SQL server passwords
or the MS SQL Administrator credential is required. You can enable remote
reset of the password of MS SQL server as below:
- Specify the port where the MS SQL server is running. By default, MS SQL occupies the port 1433
- Specify the connection mode - you can configure the connection between MS SQL Server and PMP to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.
To enable the SSL mode, the MS SQL server should be serving over SSL
and you will have to import the MS SQL server's root certificate into
the PMP server machine's certificate store. You need to import all the
certificates that are present in the respective root certificate chain
- that is the certificate of the PMP server machine and intermediate certificates,
if any.
To import the root certificate, open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and
execute the following command:
For Windows
importCert.bat <Absolute Path of certificate>
For Linux
importCert.sh <Absolute Path of certificate>
Restart PMP server. Then continue with the following steps.
- To enable PMP to access the MS SQL server, provide any one of the following details -
  - Windows Authentication details - that is, specifying the domain name of which the MS SQL server is a part and then selecting any one user name present in the domain (OR)
  - MS SQL Administrator Account
- Click "Finish"
|
|
For
Oracle DB Server |
To carry out password reset for Oracle DB server, administrative privileges
are required. So, an administrator account has to be specified. You can
enable remote reset of the password of Oracle DB server as below:
- Specify the Oracle DB Listener Port. By default, the Oracle DB server listens on the port 1521
- Specify the connection mode - you can configure the connection between Oracle DB Server and PMP to be over an encrypted channel (AES 256). If you choose the option 'YES' (encrypted mode), do the following. Otherwise, proceed to Step 3.
  - Start Oracle Net Manager
  - In the Navigator window, select "Oracle Net Configuration"
  - Expand the option Local > Profile
  - From the list in the right side pane, select the option "Oracle Advanced Security"
  - In the tabbed window that appears thereafter, click the tab "Encryption"
  - In the drop-down list for Encryption, select the option "Server"
  - For "Encryption Type" list, select the option "Accepted"
  - In the text field for 'Encryption Seed', enter random characters numbering between 10 and 70. Or, it can even be left blank
  - Select the algorithm "AES 256"
- Specify an Oracle administrator account
- Specify the Oracle Service Name. By default, the service name is taken as ORCL
- Click "Finish"
|
|
For
Sybase ASE |
Prerequisite:
- The jConnect 6.0 JDBC driver is required for the password reset. The driver, a file named "jconn3.jar", will be available under the <Sybase_Install_Directory>\jConnect_6_0\classes folder (in Sybase ASE 15.0)
- Copy the jconn3.jar and save it under the <PMP_Install_Directory>\lib folder (in the machine running PMP server)
To carry out password reset for Sybase ASE, administrative privileges
are required. So, an administrator account has to be specified. Steps
for enabling remote password reset for Sybase ASE are explained below:
- Specify the Sybase ASE Port. By default, it occupies the port 5000 (in SSL mode, default port is 2748)
- Specify the connection mode - you can configure the connection between Sybase ASE and PMP to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.
- If you want to enable SSL communication from PMP to Sybase ASE
  - Copy and save the trust root certificate of the Sybase server present under <SYBASE_HOME>\ASE-15_0\certificates (in Sybase ASE 15.0) to the <PMP_Install_Directory>\conf\ folder
  - Run this command to import the certificate in PMP: '<PMP_HOME>\jre\bin\keytool.exe -import -v -alias sybase -file <rootcert.txt> -keystore server.keystore -keypass passtrix -storepass passtrix -noprompt'
  - <rootcert.txt> is the root certificate of the Sybase ASE and is usually named <hostname>.txt
  - Restart PMP server
- Specify an administrator account of Sybase ASE
- Click "Finish"

|
|
For
LDAP Server
|
Prerequisite:
In Step 2 of 'Resource Addition', while adding accounts, you should
have specified the Distinguished Name of the LDAP server account being
added. Example: c=administator,cn=people,dc=test,dc=com.
LDAP server password reset
To carry out password reset for LDAP server, administrative privileges
are required. So, an administrator account has to be specified. For remote
reset, PMP supports Microsoft Active
Directory, OpenLDAP, Oracle Internet Directory and Novell eDirectory.
You can enable remote reset of the passwords of the above types of LDAP
servers as below:
- Specify the type of the LDAP Server being added
- Specify the LDAP server Port. By default, it occupies the port 389 (in SSL mode, default port is 636)
- Specify the connection mode - you can configure the connection between the LDAP server and PMP to be over an encrypted channel (SSL) or Non-SSL. If your LDAP server is of type Microsoft Active Directory, the connection has to be through SSL only. For other types, you may choose SSL or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 4.
- To enable the SSL mode, the LDAP server should
be serving over SSL and you will have to import the LDAP server's root
certificate into the PMP server machine's certificate store. You need
to import all the certificates that are present in the respective root
certificate chain - that is the certificate of the PMP server machine
and intermediate certificates, if any.
To import the root certificate, open a command prompt, navigate
to the <PMP_SERVER_HOME>\bin directory
and execute the following command:
For Windows
importCert.bat <Absolute Path of certificate>
For Linux
importCert.sh <Absolute Path of certificate>
Restart PMP server. Then continue with the following steps.
- Specify an administrator account of LDAP server
- Click "Finish"
|
|
For
HP ProCurve Devices |
Configure Auto Logon
PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.
Configure Remote Password Reset
PMP requires Telnet or SSH service to be running on the resource. Manager
Account and Prompts of Manager Mode and Configuration Mode are required
for PMP to log in to the resource. PMP will use the configuration mode
to reset the passwords. You can enable remote reset of passwords of your
HP ProCurve devices by providing the following credentials:
Credential | Description |
Remote Login Method | PMP supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol |
Manager Account | Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, PMP will expect only the password prompt. |
Manager Mode Prompt | The prompt that appears after successful login |
Configuration Mode Prompt | This is for entering into privileged mode to perform password reset. |
Copy Password Changes to Startup | If you want the password changes made to the running configuration from PMP to be applied to the startup configuration, select this checkbox. Exercise caution while enabling the option to copy the running configuration to the startup configuration, as it will cause the current configuration content, including changes made outside of PMP, to be copied immediately. |
|
For
HP iLO |
Configure Auto Logon
PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.
Configure Remote Password Reset
Select the Remote Login Method
PMP supports SSH and TELNET protocols by which connection could be established
with the device for password reset. Select the required protocol. The Telnet or SSH service has to be running on the resource.
Then, specify the prompt that appears upon successful user login. Also, specify the user account with administrative privileges.

|
|
For
Cisco Devices (IOS/CatOS/PIX) |
Configure Auto Logon
PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.
Configure Remote Password Reset
PMP requires Telnet or SSH service to be running on the resource. Passwords
of the enable mode and a user account are required for PMP to log in to
the resource. PMP will use the configuration terminal mode to reset the
passwords. You can enable remote reset of passwords of your Cisco devices
by providing the following credentials:
Credential | Description |
Remote Login Method | PMP supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol |
Remote Login Account | Login account for establishing connection with the device |
User Mode Prompt | The prompt that appears after successful login |
Enable Secret | This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify enable secret |
Enable Password | This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify enable password |
Enable Mode Prompt | This is the prompt that will appear after going into enable mode. For example, # |
Account name required for login | For the user and enable modes, if the device is configured to prompt for the user name, then check the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, PMP will expect only the password prompt. |
Configuration Mode Prompt | To carry out any change to any feature/configuration of the device, you need to enter configuration mode. The prompt that will appear while going into configuration mode has to be entered here. For example, # |
Copy Password Changes to Startup | If you want the password changes made to the running configuration from PMP to be applied to the startup configuration, select this checkbox. Exercise caution while enabling the option to copy the running configuration to the startup configuration, as it will cause the current configuration content, including changes made outside of PMP, to be copied immediately. |
|
|
For
Juniper Netscreen Firewall Devices |
Configure Auto Logon
PMP offers support to launch a secure direct connection through SSH to the resource from the web-interface. The configuration for the auto logon has to be made here. To connect through SSH, you need to specify the port to connect, if it is different than the default 22.
Configure Remote Password Reset
PMP requires Telnet or SSH service to be running on the resource. Admin
Account and Prompt of Admin Account are required for PMP to log in to the
resource. You can enable remote reset of passwords of your Netscreen devices
by providing the following credentials:
Credential | Description |
Remote Login Method | PMP supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol |
Admin Account | Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, PMP will expect only the password prompt. |
Admin Account Prompt | The prompt that appears after successful login |

|
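For the SSH "Public Key Infrastructure" option described for Linux and VMWare ESXi above, the following added example (not part of the PMP documentation or product) checks the remote login account's authorized_keys content for the key whose private half will be supplied to PMP, and reports when that key is not restricted to the PMP server with from=. It assumes an OpenSSH target; the key material, the "pmp-reset" comment and the address 192.0.2.10 are constructed for the example.

```python
import base64
import hashlib
import re
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# A field is a run of non-space characters; a double-quoted span (used in
# option values) may contain spaces and backslash-escaped quotes.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l -f <keyfile>`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Parse '[options] keytype base64 [comment]'; return None if malformed."""
    fields = FIELD.findall(line)
    idx = next((i for i, f in enumerate(fields[:2]) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except ValueError:
        return None
    # The decoded blob must begin with a length-prefixed copy of the key type.
    head = struct.pack(">I", len(fields[idx])) + fields[idx].encode()
    if not blob.startswith(head):
        return None
    return {"type": fields[idx], "options": fields[0] if idx else "",
            "fingerprint": fingerprint(blob)}

def audit(authorized_keys_text, expected_fp):
    """Locate the key PMP will log in with and report what is missing on it."""
    match, findings = None, []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append("unparseable entry: " + line.strip()[:40])
        elif entry["fingerprint"] == expected_fp:
            match = entry
    opts = match["options"] if match else ""
    if match is None:
        findings.append("expected key not present for this account")
    elif not opts.startswith('from="') and ',from="' not in opts:
        findings.append("key is not restricted to the PMP server with from=")
    return match, findings

def sample_line(seed, options=""):
    """Constructed ed25519-shaped entry for the demo (not a real key)."""
    name, key = b"ssh-ed25519", bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + key
    entry = "ssh-ed25519 " + base64.b64encode(blob).decode() + " pmp-reset"
    return (options + " " + entry if options else entry), fingerprint(blob)

# Constructed sample: 192.0.2.10 stands in for the PMP server address.
OPEN_LINE, OPEN_FP = sample_line(1)
PINNED_LINE, PINNED_FP = sample_line(
    2, 'from="192.0.2.10",no-agent-forwarding,no-port-forwarding')
SAMPLE = "\n".join(["# remote login account keys", OPEN_LINE, PINNED_LINE,
                    "ssh-ed25519 not-base64!! broken"])
```

In use, pass the text of the remote login account's authorized_keys file and the fingerprint of the key pair generated for PMP to audit(); an empty findings list means the key is present and pinned to a source address.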
©2009, ZOHO Corp. All Rights Reserved.