faq

Password Manager Pro - FAQ

Web Interface, Authentication

1. Why are my users not notified of their PMP accounts?

Users are notified of their PMP accounts only through email. If they do not get the notification email, check

if you have configured the mail server settings properly with the details of the SMTP server in your environment
if you have provided valid credentials as part of mail server settings, as some mail servers require them for mails to be sent
if the 'Sender E-Mail ID' is properly configured as some mail servers reject emails sent without the from address or mails originating from unknown domains

2. What are the authentication schemes available in PMP?

You can use one of the following three mechanisms:

Active Directory: When enabled, the authentication request is forwarded to the configured domain controller and based on the result, the user is allowed or denied access into PMP. The user name, password and the domain are supplied in the PMP login screen. This scheme works only for users whose details have been imported previously from AD. Available only when PMP server is installed on Windows system.

LDAP Directory: When enabled, the authentication request is forwarded to the configured LDAP directory server and based on the result, the user is allowed or denied access into PMP. The user name and password and the option to use LDAP authentication are supplied in the PMP login screen. This scheme works only for users whose details have been imported previously from the LDAP directory

PMP Local Authentication: The authentication is done locally by the PMP server. Irrespective of AD or LDAP authentication being enabled, this scheme is always available for the users to choose in the login page. This scheme has a separate password for users and the AD or LDAP passwords are never stored in the PMP database.
Two Factor Authentication: Option to enforce users to identify themselves with two unique factors before they are granted access to PMP web-interface. While the existing authentication mechanism of PMP (native authentication / AD / LDAP) will be the first authentication factor, the second authentication factor could be either a unique password generated by PMP and sent through email or RSA SecurID one-time password, which changes every sixty seconds. For RSA part, PMP has entered into a technology partnership with RSA SecurIDŽ two-factor authentication system.

3. What are the user roles available in PMP? What are their access levels?

PMP comes with four pre-defined roles.

Administrators
Password Administrators
Password Users
Password Auditors

Any administrator can be made as "Super Administrator" with the privilege to view and manage all resources. Refer help documentation for details on access levels.

4. What if I forget my PMP login password?

If you were already given a valid PMP account, you can use the 'Forgot Password?' link available in the login page to reset the password. The user name/e-mail id pair supplied should match the one already configured for the user and in that case, the password will be reset for that user and the new password will be emailed to that email id.

5. Why does Internet Explorer 7 (and other browsers) complain while accessing PMP console?

The PMP web console always uses HTTPS to communicate with the PMP server. The PMP server comes with a default self-signed SSL certificate, which the standard web browsers will not recognize and issue a warning. Particularly IE 7's warning message appears serious. Ignoring this warning still guarantees encrypted communication between the PMP console and the server but if you want your users to be particularly sure that they are connecting only to the PMP server, you will need to install a SSL certificate that you have bought from a certificate authority, that is recognised by all standard web browsers.

6. Can I change the default port 7272 occupied by PMP?

Yes, you can change the default port as explained below:

Go to <PMP_Installation_Folder>\conf directory and open the server.xml file
Replace the entry '7272' with the port number of your choice. Note that there will be 7272 entries within comments too and all should be replaced.

Security

1. How secure are my passwords in PMP?

Ensuring the secure storage of passwords and offering high defence against intrusion are the mandatory requirements of PMP. The following measures ensure the high level security for the passwords:

Passwords are encrypted using the Advanced Encryption Standard (AES), which is currently the strongest encryption algorithm, and stored in the database. (AES has been adopted as an encryption standard by the U.S. Government)
The database which stores all the passwords accepts connections only from the host that it is running on and is not visible externally
Role-based, fine-grained user access control mechanism ensures that the users are allowed to view the passwords based on the authorization provided
All transactions between the PMP console and the server take place through HTTPS
In-built Password Generator can help you generate strong passwords

For detailed information, refer to Product Security Specifications document.

2. Can we install our own SSL certificate? How?

Refer to the FAQ section in website.

3. How secure are the A-to-A, A-to-DB password management done through Password Management APIs?

The web API exposed by PMP forms the basis for Application-to-Application/Database Password Management in PMP. The applications connect and interact with PMP through HTTPS. The application's identity is verified by forcing it to issue a valid SSL certificate, matching the details already provided to PMP corresponding to that application.

password reset

1. Can I also change resource passwords from the PMP console?

Yes, of course. PMP can change the passwords currently for Windows, Windows domain and Linux systems. Capability to change passwords of other types of resources like databases, routers, switches etc will be gradually added. PMP supports both agent-based and agent-less modes of changing passwords.

2. When to use the agent and agent-less modes for password reset?

Let us first look at the requisites for both the modes:

The agent mode requires the agent to be installed as a service and run with administrative privileges to perform password changes. The communication between the PMP server and agent takes place through TCP for normal information and HTTPS for password transfer and hence communication paths must exist (ports to be kept open) between the server and agent.

For the agentless mode, you must supply administrative credentials to perform the password changes. For Linux you must specify two accounts, one with root privileges and one with normal user privileges that can be used to login from remote. Telnet or SSH service must be running on the resources. For Windows domain, you must supply the domain administrator credentials. For Windows and Windows domain, PMP uses remote calls and relevant ports must be open on the resource.

Based on this you can choose which mode you want for your environment, indicated by the following tips:

Choose agent mode when,

you do not have administrative credentials stored for a particular resource in PMP
you do not have the required services running on the resource (Telnet / SSH for Linux, RPC for Windows)
you run PMP in Linux and want to make password changes to a Windows resource

Choose agentless mode in all other cases as it is a more convenient and reliable way of doing password changes.

3. Can I enable agentless password reset if I add my own resource type for other distributions of Linux / other versions of Windows?

Yes, you can. As long as your resource type label contains the string 'Linux' or 'Windows', you can still configure agentless password reset for those resources.

Example of valid resource type labels to enable password reset:

Debian Linux, Linux - Cent OS, SuSE Linux, Windows XP Workstation, Windows 2003 Server

4. Is there a way to do remote password reset for resource types other than the ones for which remote reset is supported now?

Yes, you can make use of Password Reset Listeners, which enable invoking a custom script or executable as a follow-up action to Password Reset action in PMP. Refer to Password Reset Listener for more details.

5. How to troubleshoot when password reset does not happen?

In the agent mode,

Check if the agent is running by looking at the Windows active process list for the entry 'PMPAgent.exe' or the presence of a process named PMPAgent in Linux
Check if the agent port (default 5768) is reachable from the server through a TCP connection (using telnet)
Check if the account in which the agent is installed has sufficient privileges to make password changes

In the agentless mode,

Check if the right set of administrative credentials have been provided and the remote synchronization option is enabled
Check if the necessary services are running on the resource (Telnet / SSH for Linux, RPC for Windows)
Check if the resource is reachable from the PMP server using the DNS name provided

6. Windows domain password reset fails with the error message: "The authentication mechanism is unknown"

This happens when PMP is run as a Windows service and the 'Log on as" property of the service is set to the local system account. Change it to any domain user account to be able to reset domain passwords. Follow the instructions below to effect that setting:

Go to the Windows Services applet (from Control Panel --> Administrative Tools --> Services)
Select the 'ManageEngine PMP' service, right-click --> choose Properties
Click the Log On tab and choose the 'This Account' radio button and provide the username and password of any domain user - in the format <domainname>\<username>
Save the configuration and restart the server

7. What are the prerequisites for enabling Windows Service Account Reset?

Before enabling windows service account reset, ensure if the following services are enabled in the servers where the dependent services are running:

Windows RPC service should have been enabled
Windows Management Instrumentation (WMI) service should have been enabled

8. Does domain SSO work across firewalls / VPNs?

The domain Single Sign On (windows integrated authentication) is achieved in the Windows environment by setting non-standard parameters in the HTTP header, which are usually stripped off by devices like firewalls / VPNs. PMP is designed for use within the network. So, if you have users connecting from outside the network, you cannot have SSO this enabled.

Backup & Disaster Recovery

1. Can I setup disaster recovery for the PMP database?

Yes, you can. PMP can periodically backup the entire contents of the database, which can be configured through the PMP console. Refer help documentation for more details.

2. Where does the backup data get stored? Is it encrypted?

All sensitive data in the backup file are stored in encrypted form in a .zip file under <PMP_Install_Directory/backUp> directory. It is recommended that you backup this file in your secure, secondary storage for disaster recovery.

General

1. Do I need any prerequisite software to be installed before using PMP?

There is no prerequisite software installation required to use PMP.

2. Can others see the resources added by me?

Except super administrators (if configured in your PMP set up), no one, including admin users will be able to see the resources added by you. Apart from this, decide to share your resources with other administrators, they will be able to see tham.

3. Can I add my own attributes to PMP resources?

Yes, you can extend the attributes of the PMP resource and user account to include details that are specific to your needs. Refer the help documentation for more details.

4. What if a user who has not shared his sensitive passwords, leaves the enterprise?

This can very well happen in any enterprise, but with PMP you need not worry about passwords getting orphaned. Administrators can 'transfer' resources owned by users to other administrator users and in the process they have no access to those resources themselves, unless they do the transfer to their name. Refer the help documentation for more details.

5. Can I run custom queries to generate results for integration with other reporting systems?

Yes, you can. Please contact us at support@passwordmanagerpro.com with your specific request and we will help you with the relevant SQL query to generate XML output.

6. Can I rebrand PMP with our logo?

Yes. If you want to replace the PMP logo appearing on the login screen and on the web-interface with that of yours, you can do so from the web-interface itself. It is preferable to have your logo of the size 210 * 50 pixels.

To rebrand the logo,

Go to the "Admin" tab
Click "Customize >> Rebrand"
Browse and choose the required image
Click "Save"
The PMP will appear with rebranded look

7. Does PMP record Password viewing attempts and retrievals by users?

Yes, PMP records all operations performed by the user including the password viewing and copying operations. From audit trails, you can get a comprehensive list of all the actions and attempts by the users with password retrieval. The list of operations that are audited (with the timestamp and the IP address) includes:

User accounts created, deleted and modified
Users logging in and logging off the application
Resources and passwords created, accessed, modified and deleted

8. Does PMP provide high availability support?

Yes, refer to High Availability section in the Help Documentation for more details

Licensing

1. What is the Licensing Policy for PMP?

There are three license types:

Evaluation download valid for 30 days capable of supporting a maximum of 2 administrators
Free Edition licensed software allows you to have 1 administrator and manage up to 10 resources. Valid forever.
Registered Version - need to buy license based on the number of administrators required and the type of edition Standard/Premium:

Standard - If your requirement is to have a secure, password repository to store your passwords and selectively share them among enterprise users, Standard Edition would be ideal.
Premium - Apart from storing and sharing your passwords, if you wish to have enterprise-class password management features such as remote password reset, password alerts and notifications, application-to-application password management, reports, high-availability and others, Premium edition would be the best choice.

Features Matrix

Standard Edition

Premium Edition

User / User group Management
Password Repository
Password Policies
Password Sharing and Management
Audit / Audit Notifications
AD / LDAP integration
Auto Logon Helper
Password change listener
Backup and Disaster Recovery

All Features of Standard Edition
Password Alerts and Notifications
Remote Password Reset (on demand, scheduled and rule based)

for Windows, Windows Domain, Windows Service Accounts, Windows Scheduled Accounts, Flavours of UNIX and Linux, Cisco Devices, MS SQL, MySQL, Other Network Devices

Two Factor Authentication
Password Access Control Workflow
Reports
Password Management API
High Availability

2. Can I buy a permanent license for PMP? What are the options available?

Though PMP follows an annual subscription model for pricing, we also provide perpetual licensing option. The perpetual license will cost three times the annual subscription price, with 20% AMS from the second year. Contact sales@manageengine.com and support@passwordmanagerpro.com for more details.

3. Can PMP support more than 100 administrators?

Yes, very much. If you want a license with more than 100 administrator users, please contact sales@manageengine.com and support@passwordmanagerpro.com for more details.

4. Can I extend my evaluation to include more administrator users or for more number of days?

Yes. Fill in the required details in the website and we will send you the license keys.

5. Do I have to reinstall PMP when moving to the Standard/Premium Edition?

No. You need not have to reinstall or shut down the server. You just need to enter the new license file in the "License" link present in the top right corner of the PMP web interface.

FAQ Section in our website is updated frequently. Refer to that for more information.