Welcome to ManageEngine Password Manager Pro!
This section provides information on how to install Password Manager Pro (PMP) in your system. This section also deals with the system requirements for PMP, how to install the solution, how to start and shutdown and how to connect web interface after successfully starting the server.
There is no prerequisite software installation required to use PMP. The standard system (hardware and software) requirements as mentioned below plus an external mail server (SMTP server) are essential for the functioning of PMP server and to send various notifications to users.
Following table provides the minimum hardware and software configuration required by PMP:
|
Hardware |
Operating systems |
Database |
Web-Client |
|
Processor
RAM
Hard Disk
|
Windows
Linux
Note: Password Manager Pro can be run on VMs of the above operating systems |
|
HTML client requires one of the following browsers** to be installed
in the system:
** PMP is optimized for 1024 x 768 resolution and above. |
PMP consists of the following components:
MySQL 5.1.50 bundled with PMP. MySQL runs as a separate process (mysqld.exe in Windows/ mysqld in Linux). It accepts connections only from the host in which it is running and is not visible externally
Download and execute ManageEngine_PMP.exe
The installation wizard will guide you through the installation process
Choose an installation directory - by default, it will be installed in C:/Program Files/PMP; Henceforth, this installation directory path shall be referred as "PMP_Home"
In the final step, you will see two check-boxes - one for viewing ReadMe file and the other one for starting the server immediately after installation; if you choose to start the server immediately, it will get started in the background.
If you choose to start the server later, after installation, you can start it from the Start >> Programs >> ManageEngine Password Manager Pro menu
Download ManageEngine_PMP.bin for linux
Assign executable permission using command chmod a+x <file-name>
Execute the following command: ./<file_name>
Follow the instructions as they appear on the screen
PMP is installed in your machine in the desired location. Henceforth, this installation directory path shall be referred as "PMP_Home".
|
Using Start Menu |
Using Tray Icon |
|
From Start >> Programs >>
Password Manager Pro menu, you can do the following:
|
Once you installed PMP, in the windows tray area on the far right end
of your task bar, you will find the icon
|
|
Installing as Startup Service |
Starting & Stopping the Server as Service |
|
To Start PMP as a service in Linux
To Stop PMP Server started as service in Linux
|
By default, a standard, self-signed SSL certificate is bundled with PMP for MySQL server. For enhanced security, you can generate a unique certificate. By doing so, you can rule out the possibilities of data sniffing during data transit.
As a prerequisite to generate a unique certificate, you need to install OpenSSL and add it to the system path and then invoke the following batch/script file from the command-line interface:
Navigate to <Password Manager Pro Installation Folder>/bin directory and execute createMySQLCertificate.bat (In Windows) or createMySQLCertificate.sh (in Linux)
The output from this command looks like this:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Pleasanton
Organization Name (eg, company :Zoho Corporation
Organizational Unit Name (eg, section) []:Manage Engine Password Manager Pro
Common Name (eg, YOUR name) []:localhost
Email Address []:
Enter details for these as required. The certificate will be created.
Automatic Browser Launch
Once the server is started successfully, a browser is automatically launched with the PMP login screen. As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.
Launching the Web Client Manually
In the case of windows, you can also launch the web client manually from the Windows Tray. Right-click the PMP tray icon and click "PMP Web Console". A browser would be launched with the PMP login screen. As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.
In the case of Linux, open a browser and connect to the URL
|
https://<hostname>:portnumber/ where hostname - host where Password Manager Pro Server is running; Default port - 7272 Example: https://localhost:7272 |
Connecting the Web Client in Remote Hosts
If you want to connect web clients in a different machine than the one in which PMP is running, open a browser and connect to the URL
https://<hostname>:port
As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.
Password Manager Pro supports both MySQL and MS SQL Server as backend. MySQL database is bundled with the product and by default, it is configured to run with MySQL. In case, you wish to use MS SQL server, follow the steps detailed below (to change the database from MySQL to MS SQL Server) :
Important Note
MS SQL server as backend is supported from PMP version 6400 only. Earlier versions do not have provision to run with MS SQL server.
To ensure high level of security, PMP has been configured to connect to SQL server only through SSL.
Summary of Steps:
Create SSL certificate and install it in Windows Certificate Store (where SQL server is running)
Get the certificate signed by a third-party CA or use self-signed certificate
Import the SSL certificate to PMP
Enable SSL Encryption in SQL Server
Configure PMP to Connect to SQL Server
Prior to trying to connect PMP with SQL server, you need to enable SSL encryption in SQL Server. Here, you may create an SSL Certificate and get it signed by a Certificate Authority (CA) or it could be self-signed.
You can create the certificate using openssl and it involves two steps - generating private key and generating certificate. Use the following commands to create the certificate.
Generate private key
openssl genrsa -des3 -out server.key 1024
Generate a certificate request
Use the server private key to create a certificate
request. Enter the passphrase for the key, Common Name, hostname or IP
address, when prompted:
openssl req -new -key server.key -out server.csr
Here, for Common Name, specify the FQDN of the SQL Server.
After generating the certificate, you need to get it signed by a third-party CA such as VeriSign, Thawte, RapidSSL etc or you may self-sign the certificate. Procedure for both have been explained below. Choose one based on your environment:
Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
This process usually takes a few days time and you will be returned your signed server SSL certificate and the CA's root certificate as .cer files
The server certificate has to be installed in
the machine where SQL server is running. The CA root certificate has to
be installed in PMP server.
Install the server certificate
in the machine where SQL server is running. You may use MMC to do this
as shown below
Open the MMC console by clicking Start >>> Run (in the machine where SQL server is running). In the Run dialog box type: MMC
On the Console menu, click Add/Remove Snap-in. Click Add and then click Certificates. Click Add again.You will be prompted to open the snap-in for the current user account, the service account, or for the computer account. Select the Computer Account.
Select Certificates (Local Computer) >> Personal >> Certificates
Right-click Certificates >> Click All Tasks >> Import
Browse select the certificate to be installed
Install the CA's root certificate in PMP
Copy the CA's root certificate and paste it under <Password Manager Pro Installation Folder>/bin directory
From <Password
Manager Pro Installation Folder>/bin directory,
execute the following command:
importCert.bat <name of the
root certificate pasted as explained above>
This adds the certificate to the PMP certificate store.
If you want to create a self-signed certificate and use it, you need to carry out the following steps in the machine where SQL server is installed:
Create a self signed
certificate using the certificate creation tool makecert.exe and install
it in the machine where SQL Server is running
Execute the following command from the machine
where SQL server is installed
makecert.exe -r -pe -n "CN=pmptestlab.manageengine.com"
-b 01/01/2011 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine
-sky exchange pmptestlab.manageengine.com.cer
Here, for CN, enter the FQDN of the SQL server replacing the example
entry pmptestlab.manageengine.com.
The above command will install a self signed certificate
in your local store. It will also store the certificate in the file pmptestlab.manageengine.com.cer
Install the server certificate in PMP
Copy the server certificate and paste it under <Password Manager Pro Installation Folder>/bin directory
From <Password
Manager Pro Installation Folder>/bin directory,
execute the following command:
importCert.bat <name of the
server certificate>
This adds the certificate to the PMP certificate store.
To enable SSL for SQL Server,
In the machine where SQL server is running, click Start, in the Microsoft SQL Server program group, click Configuration Tools, and then click SQL Server Configuration Manager.
Expand SQL Server Network Configuration, right-click the protocols for the server you want, and then click Properties. (This is the Protocols for <instance_name> section in the left pane of the tool, not a specific protocol in the right pane.)
On the Certificate tab, configure the Database Engine to use the certificate.
When the ForceEncryption option for the Database Engine is set to Yes, all client/server communication is encrypted and clients that cannot support encryption are denied access.
When the ForceEncryption option for the Database Engine is set to No, encryption can be requested by the client application but is not required.
SQL Server must be restarted after you change the ForceEncryption setting.
For more details, refer to the section "Configuring SSL for SQL Server" in Microsoft's knowledge base article available at http://msdn.microsoft.com/en-us/library/ms189067.aspx
Now, you need to provide the details about the SQL server to PMP by editing the file ChangeDB.bat (Windows) or ChangeDB.sh (Linux)
Navigate to <Password Manager Pro Installation Folder>/bin folder and execute ChangeDB.bat (Windows) or sh ChangeDB.sh (Linux)
Select 'Server Type' as SQL Server and enter other values
Host Name: The name or the IP address of the machine where MSSQL server is installed.
Port: The port number in which PMP must connect with the database. Default is 1433. Since PMP connects to MSSQL only in SSL mode, it is recommended that you create a dedicated database instance running in a specific port for PMP.
Database Name: Name of the PMP database. Default is "PassTrix". If you want to have a different database name, you may specify here. PMP will take care of creating the Master Key, Symmetric Key etc.
Authentication: The way in which you would like to connect to the SQL server. If you are connecting to the SQL server from Windows, you have the option to make use of the Windows Single Sign On facility provided PMP service is running with a service account, which has the privilege to connect to SQL server. In that case, choose the option "Windows". Otherwise, select the option "SQL". It is recommended to choose the option 'Windows' as the username and password used for authentication are not stored anywhere.
User Name
and Password: If you have selected the option "SQL",
specify the user name and password with which PMP needs to connect to
the database. The username and password
entered here will be stored in database_params.conf file in PMP. So, you
need to take care of hardening the host.
Here, you have the option to use even your Windows login credentials,
if you are connecting to the database from Windows. In this case, you
need to enter the username as <domain-name>\<username>
Encryption Key: The key with which your data is to be encrypted and stored in the SQL server. You may either leave it "Default" making PMP to generate a key. If you want to have your custom key, select the option "Custom".
If you have
selected the option "Custom:" If you have chosen the
option 'Custom', you need to create a new database, create Master Key,
create Certificate (this will be certificate name) and Create the Symmetric
Key using AES 256 encryption.
You need to do the following steps:
Create Database -> For details, refer to http://msdn.microsoft.com/en-us/library/aa258257(v=sql.80).aspx
Create Master Key -> For details, refer to http://technet.microsoft.com/en-us/library/ms174382.aspx
Create Certificate -> For details, refer to http://msdn.microsoft.com/en-us/library/ms187798.aspx
Create Symmetric Key -> For details, refer to http://msdn.microsoft.com/en-us/library/ms188357.aspx
After doing the above, you need to provide certificate name and symmetric key name in the GUI.
Finally, click "Test" to ensure that the connection settings are proper and then click "Save"
After performing the above steps, navigate to <Password Manager Pro Installation Folder>/conf directory and move the master_key.key file to a secure location. SQL Server encrypts data with a hierarchical encryption and key management infrastructure. Each layer encrypts the layer below it by using a combination of certificates, asymmetric keys, and symmetric keys. One among them is the Database Master Key, which in turn is created by Service Master Key and a password. This password is stored in PMP under <Password Manager Pro Installation Folder>/conf directory in a file named master_key.key. It is highly recommended that you move the master_key.key file to a secure location. This is to ensure data security.Take care to keep this key safe. You will require it while performing High Availability and Disaster Recovery. If you lose this key, you will have to configure MS SQL server setup all over again.
For more details on encryption and key management in MS SQL, refer to this MSDN document http://msdn.microsoft.com/en-us/library/ms189586.aspx
If you are already using PMP with MySQL and wish to use MS SQL as backend database, you may follow the steps below to migrate the data. (These steps are only migrating the data from MySQL to MS SQL server. You should have already completed steps 1, 2 and 3 above to use MS SQL as backend database)
Take a copy of the entire Password Manager Pro Installation folder and keep it somewhere. If something goes wrong with data migration, this will serve as a backup copy.
Shutdown PMP server. Also, make sure that the mysqld.exe process is not running
Navigate to <Password Manager Pro Installation Folder>/bin folder and execute MigrateDB.bat (Windows) or sh MigrateDB.sh (Linux). In the pop-up, select to read the "Best Practices Guide" first and later choose the option "Go to Migration Set Up".
In the window that opens up, enter the details:
Host Name: The name or the IP address of the machine where MSSQL server is installed.
Port: The port number in which PMP must connect with the database. Default is 1433. Since PMP connects to MSSQL only in SSL mode, it is recommended that you create a dedicated database instance running in a specific port for PMP.
Database Name: Name of the PMP database. Default is "PassTrix". If you want to have a different database name, you may specify here. PMP will take care of creating the Master Key, Symmetric Key etc.
Authentication: The way in which you would like to connect to the SQL server. If you are connecting to the SQL server from Windows, you have the option to make use of the Windows Single Sign On facility provided PMP service is running with a service account, which has the privilege to connect to SQL server. In that case, choose the option "Windows". Otherwise, select the option "SQL". It is recommended to choose the option 'Windows' as the username and password used for authentication are not stored anywhere.
User Name
and Password: If you have selected the option "SQL",
specify the user name and password with which PMP needs to connect to
the database. The username and password
entered here will be stored in database_params.conf file in PMP. So, you
need to take care of hardening the host.
Here, you have the option to use even your Windows login credentials,
if you are connecting to the database from Windows. In this case, you
need to enter the username as <domain-name>\<username>
Encryption Key: The key with which your data is to be encrypted and stored in the SQL server. You may either leave it "Default" making PMP to generate a key. If you want to have your custom key, select the option "Custom".
If you have selected the option "Custom:" If you have chosen the option 'Custom', you need to create a new database, create Master Key, create Certificate (this will be certificate name) and Create the Symmetric Key using AES 256 encryption. You need to do the following steps:
Create Database -> For details, refer to http://msdn.microsoft.com/en-us/library/aa258257(v=sql.80).aspx
Create Master Key -> For details, refer to http://technet.microsoft.com/en-us/library/ms174382.aspx
Create Certificate -> For details, refer to http://msdn.microsoft.com/en-us/library/ms187798.aspx
Create Symmetric Key -> For details, refer to http://msdn.microsoft.com/en-us/library/ms188357.aspx
After doing the above, you need to provide certificate name and symmetric key name in the GUI
Finally, click "Test" to ensure that the connection settings are proper and then click "Migrate". The status of data migration will be displayed in the textbox
After the end of data migration, start PMP server
If database migration is attempted when PMP server is running, you will encounter this error in the DB Migration GUI: "Server seems to be running. Shutdown PMP server and try again" and the GUI will remain open. In case, you get this error even after shutting down the server, you need to delete the .lock file under <PMP-Installation-Folder>/bin folder and then try migration. If the issue persists, contact PMP support with the .lock file.
Following table provides the comparison of features available with MYSQL and MSSQL backends.
Feature |
MySQL |
MS SQL Server |
|
Live Backup |
Available |
Not Available (But, High Availability Architecture could be used) |
Refer to the "Work flow in PMP" section of help documentation.
For any assistance, please contact passwordmanagerpro-support@manageengine.com / Toll Free: + 1 925 924 9500
PMP uses AES-256 encryption to secure the passwords and other sensitive information in the password database. The key used for encryption is auto-generated and is unique for every installation. By default, this encryption key is stored in a file named pmp_key.key under <PMP_HOME>/conf folder. For production instances, PMP does not allow the encryption key to be stored within its installation folder. This is done to ensure that the encryption key and the encrypted data, in both live and backed-up database, do not reside together.
We strongly recommend that you move and store this encryption key outside of the machine in which PMP is installed - in another machine or an external drive. You can supply the full path of the folder where you want to move the pmp_key.key file and manually move the file to that location and delete any reference within PMP server installation folder. The path can be a mapped network drive or external USB (hard drive / thumb drive) device.
PMP will store the location of the pmp_key.key in a configuration file named manage_key.conf present under <PMP_HOME>/conf folder. You can also edit that file directly to change the key file location. After configuring the folder location, move the pmp_key.key file to that location and ensure the file or the key value is not stored anywhere within the PMP installation folder.
PMP requires the pmp_key.key folder accessible with necessary permissions to read the pmp_key.key file when it starts up every time. After a successful start-up, it does not need access to the file anymore and so the device with the file can be taken offline.
Important Note: You need to take care of sufficiently protecting the key with layers of encryption (like using Windows File Encryption for example) and access control. Only the PMP application needs access to this key, so make sure no other software, script or person has access to this key under any circumstance. You also need to take care of securely backing up the pmp_key.key file yourself. You can recover from PMP backups only if you supply this key. If you misplace the key or lose it, PMP will not start.
Apart from the AES encryption, the PMP database is secured through a separate password, which is auto-generated and unique for every installation
The password for the database can be stored securely in the PMP itself
There is also option to store it at some other secure location accessible to the PMP server
Leaving it to PMP
If you choose to leave it to PMP, you need not do anything. PMP will take care of it automatically
Storing it by yourself
By default, the database password is present in the file <PMP Installation Folder>/conf/database_params.conf file
If you choose to manage the database key by yourself, you need to store this configuration file somewhere securely and instruct the location of the file to PMP
If you are starting PMP as service, go to <<PMP Installation Folder>/conf/wrapper.conf (in Windows) / <PMP Installation Folder>/conf/wrapper_lin.conf (in Linux) and edit the following entry under "Java Additional Parameters"
wrapper.java.additional.9=-Ddatabaseparams.file=<full path of the database_params.conf file
location>
If you are starting PMP from command line or through Start >> Programs, you need to edit the file system_properties.conf present in <PMP Installation Folder>/conf directory. In this file, edit the following entry under "Splash Screen default Properties"
databaseparams.file=<full path of database_params.conf file>
|
Note: If you misplace the conf file or lose it, PMP will not start. So, take care to save it in a secure location. |
PMP uses the following two ports:
MySQL port : 2345
Web client port : 7272
There are three license types:
Evaluation download valid for 30 days capable of supporting a maximum of 2 administrators
Free Edition licensed software allows you to have 1 administrator and manage up to 10 resources. Valid forever.
Registered Version - need to buy license based on the number of administrators required and the type of edition Standard/Premium:
Standard - If your requirement is to have a secure, password repository to store your passwords and selectively share them among enterprise users, Standard Edition would be ideal.
Premium - Apart from storing and sharing your passwords, if you wish to have enterprise-class password management features such as remote password reset, password alerts and notifications, application-to-application password management, reports, high-availability and others, Premium edition would be the best choice.
|
Standard Edition |
Premium Edition |
|
|
For more information and to get license, contact sales@manageengine.com
If you want to move the PMP installed in one machine to another or to a different location within the same machine, follow the procedure detailed below:
Do not remove existing installation of PMP until the new installation works fine. This is to ensure backup, to overcome disasters/data corruption during the movement.
Stop PMP server / service, if running
If you have installed PMP to run as a startup service, remove it as service before proceeding further.
See the table below for the procedure to remove it as service.
Take a zip of the
entire PMP installation folder; move the zip to a different machine or
to a different location in the same machine as required Then, install it to
run as service.
|
Installing as Startup Service in Windows |
Installing as Startup Service in Linux |
|
To install as service using batch file
To remove as service using batch file
|
|
In this option, you will not be able to uninstall the program through windows Add/Remove programs console. If you want to uninstall anytime, just delete the entire installation folder.
You need not reapply the license after moving the installation
©2009, ZOHO Corp. All Rights Reserved.
for PMP.