Getting Started with Password Manager Pro

Once you have completed the prerequisite check and installed Password Manager Pro, you can start working with the application. This document gives brief information about the initial operations of Password Manager Pro, which include starting and shutting down Password Manager Pro on different operating systems, connecting to the Password Manager Pro web client, running/managing services using a group Managed Service Account (gMSA), and updating web server certificates. It also emphasizes the importance of managing and rotating the Password Manager Pro encryption key to keep it secure and inaccessible to other users or scripts in your system environment.

At the end of this document, you will have learned about:

  1. Starting and Shutting Down Password Manager Pro

    1.1 In Windows

    1.2 In Linux

  2. Launching the Password Manager Pro Web Client
  3. Running the Password Manager Pro service using a group Managed Service Account
  4. Managing Password Manager Pro Encryption Key
  5. Rotating the Encryption Key
  6. Updating Web Server Certificates using Password Manager Pro Web Console

1. Starting and Shutting Down Password Manager Pro

1.1 In Windows

Using the Start Menu

  1. Navigate to Start >> Run [OR] press Win+R. The Run box appears. Type services.msc and hit Enter.
  2. Locate the Password Manager Pro service in the Services console.
  3. You can start, stop or restart the service from the Services console.

Using the Tray Icon

  1. Once you have successfully installed Password Manager Pro in your system, you will find the icon in the Windows tray area on the far right end of your task bar.
  2. Right-click the tray icon and click the desired operation:
    • Start the Password Manager Pro Service
    • Stop the Password Manager Pro Service
    • Launch the Password Manager Pro web console

1.2 In Linux

Installing Password Manager Pro as a Startup Service

  1. Log in as a root user.
  2. Open the console and navigate to the <PMP_Home>/bin directory.
  3. Execute "sh pmp.sh install" (in Ubuntu, execute "bash pmp.sh install").
  4. To uninstall, execute the script "sh pmp.sh remove".

Starting & Stopping the Server as a Service

To start Password Manager Pro as a service in Linux:

  1. Log in as a non-root user.
  2. Execute /etc/rc.d/init.d/pmp-service start.
  3. The Password Manager Pro server runs in the background as a service.

To stop the Password Manager Pro server started as a service in Linux:

  • Execute /etc/rc.d/init.d/pmp-service stop (as a non-root user).

2. Launching the Password Manager Pro Web Client

There are different ways of connecting to the Password Manager Pro web client:

2.1 Automatic Browser Launch

Once the server has started after the successful installation of Password Manager Pro, the Password Manager Pro Login screen shows up in a browser window. As Password Manager Pro uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.

2.2 Launching the Web Client Manually

Windows:

Right-click the Password Manager Pro tray icon and click Password Manager Pro Web Console to launch the web client manually. The Password Manager Pro Login screen shows up in a browser window. As Password Manager Pro uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.

Linux:

Open a browser and connect to the following URL:

https://<hostname>:<portnumber>/
where,
<hostname> - the host where the Password Manager Pro server is running.
<portnumber> - the default port is 7272.
Example: https://localhost:7272

2.3 Connecting the Web Client in Remote Hosts

If you want to connect to the Password Manager Pro web client in a remote machine (different from the one where Password Manager Pro is running), open a browser and connect to the below URL:

https://<hostname>:port

As Password Manager Pro uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password is admin and admin, respectively. Every time you start the server, the browser will be automatically launched.

3. Running the Password Manager Pro service using a group Managed Service Account

Password Manager Pro allows you to run/manage services using group Managed Service Account (gMSA). To learn about gMSA in detail, refer to Microsoft's documentation.

To create a group Managed Service Account,

  1. Open PowerShell ISE as administrator.
  2. Execute the following commands:
    1. Import-Module ActiveDirectory
    2. Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    3. New-ADServiceAccount -Name <MSA_AccountName> -DNSHostName <DNSName> -PrincipalsAllowedToRetrieveManagedPassword <Machine_Name>$
    4. Add-ADComputerServiceAccount -Identity <Machine_Name> -ServiceAccount <MSA_AccountName>
    5. Install-ADServiceAccount -Identity <MSA_AccountName>
  3. Provide Full Control Permission to the installation folder.
  4. To configure LogOn Services,
    1. Navigate to Services >> Properties >> LogOn.
    2. Browse for MSA Account.
    3. Now, clear the Password field and click Apply.
    4. Click OK.

      Now you have successfully configured the LogOn Services.

    You have successfully created a group Managed Service Account (gMSA) account. Now, you can run your Password Manager Pro service using the gMSA account.

Troubleshooting Step:

If you are unable to install the service account, execute the command below before executing the Install-ADServiceAccount statement:

Set-ADServiceAccount -Identity <MSA_AccountName> -KerberosEncryptionType AES128,AES256


4. Managing Password Manager Pro Encryption Key
(Applicable from build 6402 onwards)

Password Manager Pro uses AES-256 encryption to secure the passwords and other sensitive information in the password database. The key used for encryption is auto-generated and is unique for every installation. By default, this encryption key is stored in a file named pmp_key.key under the <PMP_HOME>/conf folder. For production instances, Password Manager Pro does not allow the encryption key to be stored within its installation folder. This is done to ensure that the encryption key and the encrypted data, in both live and backed-up database, do not reside together.

We strongly recommend that you move and store this encryption key outside of the machine, where Password Manager Pro is installed, in another machine or an external drive. You can supply the full path of the folder, where you want to move the pmp_key.key file, manually move the file to that location and delete any reference within Password Manager Pro server installation folder. The path can be a mapped network drive or an external USB (hard drive / thumb drive) device.

Password Manager Pro will store the location of the pmp_key.key in a configuration file named manage_key.conf, present under the <PMP_HOME>/conf folder. You can also edit that file directly to change the key file location. After configuring the folder location, move the pmp_key.key file to that location and ensure the file or the key value is not stored anywhere within the Password Manager Pro installation folder.

Password Manager Pro requires the pmp_key.key folder to be accessible with necessary permissions, to read the pmp_key.key file, when it starts up every time. After a successful start-up, it does not need access to the file anymore and the device with the file can go offline.

Important Notes:

  1. Always ensure sufficient protection to the key with multiple layers of encryption (such as by using Windows File Encryption) and access control.
  2. Since only the Password Manager Pro application needs access to this key, make sure no other software, script or person has access to this key under any circumstances.
  3. Take care of securely backing up the pmp_key.key file by yourself. You can recover the Password Manager Pro backups only if you supply this key. If you misplace the key or lose it, Password Manager Pro will not start.
  4. If you store the database_params.conf file at a different location, you will have to copy the file back to the original location (i.e. to <PMP Installation Folder>/conf/ ), whenever you perform an application upgrade.

5. Rotating the Encryption Key
(This feature is now applicable to all the editions)

Even if you are sure of managing the encryption key securely outside of Password Manager Pro, one of the best practices is to periodically change the encryption key. Password Manager Pro provides an easy option to automatically rotate the encryption key.

5.1 How does the key rotation process work?

Password Manager Pro will look for the current encryption key present in the file pmp_key.key, available in the path specified in the manage_key.conf file, present under the <PMP_HOME>/conf folder. Only if it is present in the specified path, the rotation process will continue. Before rotating the encryption key, Password Manager Pro will take a copy of the entire database. This is to avoid data loss, if anything goes wrong with the rotation process.

During the key rotation process, all passwords and sensitive data will be decrypted first using the current encryption key and subsequently encrypted with the new key. Later, the new key will be written in the pmp_key.key file present in the location as specified in the manage_key.conf file. At the end of successful key rotation, Password Manager Pro will write the new encryption key in the same file that contains the old key. If any error occurs while writing the key, the rotation process will be aborted.

5.2 Steps to rotate the encryption key (if you are NOT using High Availability)

  1. Ensure that the current encryption key (pmp_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that Password Manager Pro gets the read/write permission while accessing the pmp_key.key file.
  2. Stop the Password Manager Pro server.
  3. Open the command prompt and navigate to <PMP-Installation-Folder>/bin directory. Execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
  4. Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete.
  5. Start the Password Manager Pro server once you see the confirmation message.
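
The key placement rules from section 4 and the precondition in step 1 of 5.2 can be checked before a rotation. The script below is an added example, not part of Password Manager Pro; it assumes a Linux installation and that the first non-empty line of manage_key.conf is the full path of the key file, and the names check_key_placement and abs_dir and the /opt/PMP path are illustrative.

```shell
#!/bin/sh
# Added example: check pmp_key.key placement before running RotateKey.sh.
# ASSUMPTION: the first non-empty line of manage_key.conf is the key file path.

# Physical (symlink-free) absolute path of the directory holding a file.
abs_dir() { (cd "$(dirname "$1")" 2>/dev/null && pwd -P); }

# Prints one line per finding; returns the number of failed checks.
check_key_placement() {
    pmp_home=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: no such folder: $1"; return 1; }
    conf="$pmp_home/conf/manage_key.conf"
    fails=0

    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    key=$(grep -v '^[[:space:]]*$' "$conf" | head -n 1 | tr -d '\r')

    # Rotation only proceeds if the current key is present and read/write.
    if [ ! -f "$key" ] || [ ! -r "$key" ] || [ ! -w "$key" ]; then
        echo "FAIL: key missing or not readable/writable: $key"
        return 1
    fi

    # The key and the encrypted data must not reside together.
    case "$(abs_dir "$key")/" in
        "$pmp_home"/*)
            echo "FAIL: configured key is inside the installation folder"
            fails=$((fails + 1)) ;;
    esac

    # No leftover copy of the key file anywhere in the installation tree.
    stray=$(find "$pmp_home" -type f -name pmp_key.key 2>/dev/null)
    if [ -n "$stray" ]; then
        echo "FAIL: key file found under installation folder: $stray"
        fails=$((fails + 1))
    fi

    # Group/other permission bits (characters 5-10 of ls -l) must be empty.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: key is accessible to group or other users"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo "OK: key placement looks sane: $key"
    return "$fails"
}

# Usage: sh check_key.sh /opt/PMP   (path is a placeholder)
if [ "$#" -ge 1 ]; then check_key_placement "$1"; fi
```

Run it as the account that runs the Password Manager Pro service, so the read/write test reflects what RotateKey.sh will see.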

5.3 Steps to rotate the encryption key (if you are USING High Availability)

  1. Navigate to Admin >> General >> High Availability in the Password Manager Pro web interface. Make sure High Availability and Replication Status are alive.
  2. Check if the current encryption key (pmp_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that Password Manager Pro gets the read/write permission when accessing the pmp_key.key file.
  3. Stop the Password Manager Pro Primary server and make sure Password Manager Pro Secondary server is running.
  4. Open the command prompt in the Password Manager Pro Primary installation, navigate to the /bin directory and execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
  5. Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete. You will see a confirmation message on successful completion of the rotation process.
  6. Copy the new encryption key from the Primary installation and paste it in the location, as specified in the manage_key.conf file. This is the location from where the Standby will fetch the pmp_key.key file.
  7. Now, start the Primary and the Standby servers.

6. Updating Web Server Certificates using Password Manager Pro Web Console

If you want to use Password Manager Pro web console to update the web server certificates, follow the below steps:

  1. Navigate to Admin >> Configuration >> Password Manager Pro Server.
  2. In the Password Manager Pro Server page that opens, install your keystore file belonging to the SSL certificate and/or change the default Password Manager Pro server port.
  3. To update your SSL certificate, select the type of the keystore file (JKS, PKCS12 or PKCS11) from the Keystore type drop down menu.
  4. Browse the keystore file from your system and upload it in the Keystore Filename field.
  5. Enter the password of your keystore file beside the Keystore Password field.

  6. If you want to change the default Password Manager Pro server port, enter the port number against the Server Port field.
  7. Click Save.

Restart Password Manager Pro after saving the changes.
