Users are notified of their PMP accounts only through email. If they do not get the notification email, check
You can use one of the following three mechanisms:
Two Factor Authentication: Option to enforce users to identify themselves with two unique factors before they are granted access to PMP web-interface. While the existing authentication mechanism of PMP (native authentication / AD / LDAP) will be the first authentication factor, the second authentication factor could be either a unique password generated by PMP and sent through email or RSA SecurID one-time password, which changes every sixty seconds. For RSA part, PMP has entered into a technology partnership with RSA SecurIDŽ two-factor authentication system.
PMP comes with four pre-defined roles.
Any administrator can be made as "Super
Administrator" with the privilege to view and manage all resources.
Refer help documentation for details
on access levels.
If you were already given a valid PMP account, you can use the 'Forgot Password?' link available in the login page to reset the password. The user name/e-mail id pair supplied should match the one already configured for the user and in that case, the password will be reset for that user and the new password will be emailed to that email id.
The PMP web console always uses HTTPS to communicate with the PMP server.
The PMP server comes with a default self-signed SSL certificate, which
the standard web browsers will not recognize and issue a warning. Particularly
IE 7's warning message appears serious. Ignoring this warning still guarantees
encrypted communication between the PMP console and the server but if
you want your users to be particularly sure that they are connecting only
to the PMP server, you will need to install a SSL certificate that you
have bought from a certificate authority, that is recognised by all standard
Yes, you can change the default port as explained below:
Go to <PMP_Installation_Folder>\conf directory and open the server.xml file
Replace the entry '7272' with the port number of your choice. Note that there will be 7272 entries within comments too and all should be replaced.
Ensuring the secure storage of passwords and offering high defence against intrusion are the mandatory requirements of PMP. The following measures ensure the high level security for the passwords:
Passwords are encrypted using the Advanced Encryption Standard (AES), which is currently the strongest encryption algorithm, and stored in the database. (AES has been adopted as an encryption standard by the U.S. Government)
The database which stores all the passwords accepts connections only from the host that it is running on and is not visible externally
Role-based, fine-grained user access control mechanism ensures that the users are allowed to view the passwords based on the authorization provided
All transactions between the PMP console and the server take place through HTTPS
In-built Password Generator can help you generate strong passwords
For detailed information, refer to Product Security Specifications document.
Refer to the FAQ section in website.
The web API exposed by PMP forms the basis for Application-to-Application/Database Password Management in PMP. The applications connect and interact with PMP through HTTPS. The application's identity is verified by forcing it to issue a valid SSL certificate, matching the details already provided to PMP corresponding to that application.
Yes, of course. PMP can change the passwords currently for Windows, Windows domain and Linux systems. Capability to change passwords of other types of resources like databases, routers, switches etc will be gradually added. PMP supports both agent-based and agent-less modes of changing passwords.
Let us first look at the requisites for both the modes:
The agent mode requires the agent to be installed as a service and run with administrative privileges to perform password changes. The communication between the PMP server and agent takes place through TCP for normal information and HTTPS for password transfer and hence communication paths must exist (ports to be kept open) between the server and agent.
For the agentless mode, you must supply administrative credentials to perform the password changes. For Linux you must specify two accounts, one with root privileges and one with normal user privileges that can be used to login from remote. Telnet or SSH service must be running on the resources. For Windows domain, you must supply the domain administrator credentials. For Windows and Windows domain, PMP uses remote calls and relevant ports must be open on the resource.
Based on this you can choose which mode you want for your environment, indicated by the following tips:
Choose agent mode when,
you do not have administrative credentials stored for a particular resource in PMP
you do not have the required services running on the resource (Telnet / SSH for Linux, RPC for Windows)
you run PMP in Linux and want to make password changes to a Windows resource
Choose agentless mode in all other cases as it is a more convenient
and reliable way of doing password changes.
Yes, you can. As long as your resource type label contains the string
'Linux' or 'Windows', you can still configure agentless password reset
for those resources.
Example of valid resource type labels to enable password reset:
Debian Linux, Linux - Cent OS, SuSE Linux, Windows XP Workstation, Windows
Yes, you can make use of Password Reset Listeners, which enable invoking a custom script or executable as a follow-up action to Password Reset action in PMP. Refer to Password Reset Listener for more details.
In the agent mode,
Check if the agent is running by looking at the Windows active process list for the entry 'PMPAgent.exe' or the presence of a process named PMPAgent in Linux
Check if the agent port (default 5768) is reachable from the server through a TCP connection (using telnet)
Check if the account in which the agent is installed has sufficient privileges to make password changes
In the agentless mode,
Check if the right set of administrative credentials have been provided and the remote synchronization option is enabled
Check if the necessary services are running on the resource (Telnet / SSH for Linux, RPC for Windows)
Check if the resource is reachable from the PMP server using the DNS name provided
This happens when PMP is run as a Windows service and the 'Log on as" property of the service is set to the local system account. Change it to any domain user account to be able to reset domain passwords. Follow the instructions below to effect that setting:
Go to the Windows Services applet (from Control Panel --> Administrative Tools --> Services)
Select the 'ManageEngine PMP' service, right-click --> choose Properties
Click the Log On tab and choose the 'This Account' radio button and provide the username and password of any domain user - in the format <domainname>\<username>
Save the configuration and restart the server
Before enabling windows service account reset, ensure if the following services are enabled in the servers where the dependent services are running:
Windows RPC service should have been enabled
Windows Management Instrumentation (WMI) service should have been enabled
The domain Single Sign On (windows integrated authentication) is achieved in the Windows environment by setting non-standard parameters in the HTTP header, which are usually stripped off by devices like firewalls / VPNs. PMP is designed for use within the network. So, if you have users connecting from outside the network, you cannot have SSO this enabled.
Yes, you can. PMP can periodically backup the entire contents of the database, which can be configured through the PMP console. Refer help documentation for more details.
All sensitive data in the backup file are stored in encrypted form in a .zip file under <PMP_Install_Directory/backUp> directory. It is recommended that you backup this file in your secure, secondary storage for disaster recovery.
There is no prerequisite software installation required to use PMP.
Except super administrators (if configured
in your PMP set up), no one, including admin users will be able to see
the resources added by you. Apart from this, decide to share
your resources with other administrators, they will be able to see
Yes, you can extend the attributes of the PMP resource and user account to include details that are specific to your needs. Refer the help documentation for more details.
This can very well happen in any enterprise, but with PMP you need not
worry about passwords getting orphaned. Administrators can 'transfer'
resources owned by users to other administrator users and in the process
they have no access to those resources themselves, unless they do the
transfer to their name. Refer the help
documentation for more details.
Yes, you can. Please contact us at email@example.com
with your specific request and we will help you with the relevant SQL
query to generate XML output.
Yes. If you want to replace the PMP logo appearing on the login screen and on the web-interface with that of yours, you can do so from the web-interface itself. It is preferable to have your logo of the size 210 * 50 pixels.
To rebrand the logo,
Go to the "Admin" tab
Click "Customize >> Rebrand"
Browse and choose the required image
The PMP will appear with rebranded look
Yes, PMP records all operations performed
by the user including the password viewing and copying operations. From
audit trails, you can get a comprehensive list of all the actions and
attempts by the users with password retrieval. The list of operations
that are audited (with the timestamp and the IP address) includes:
Yes, refer to High Availability section in the Help Documentation for more details
There are three license types:
Evaluation download valid for 30 days capable of supporting a maximum of 2 administrators
Free Edition licensed software allows you to have 1 administrator and manage up to 10 resources. Valid forever.
Version - need to buy license based on the number of administrators
required and the type of edition Standard/Premium:
Standard - If your requirement is to have a secure, password repository to store your passwords and selectively share them among enterprise users, Standard Edition would be ideal.
Though PMP follows an annual subscription model for pricing, we also
provide perpetual licensing option. The perpetual license will cost three
times the annual subscription price, with 20% AMS from the second year.
for more details.
Yes, very much. If you want a license with more than 100 administrator
users, please contact firstname.lastname@example.org
for more details.
Yes. Fill in the required details in the website and we will send you the license keys.
No. You need not have to reinstall or shut down the server. You just need to enter the new license file in the "License" link present in the top right corner of the PMP web interface.
FAQ Section in our website is updated frequently. Refer to that for more information.
© 2014, ZOHO Corp. All Rights Reserved.