SSH/SSL Admin Settings

PAM360 allows you to enable notifications for various operations such as SSL key expiry, failed SSH key rotation, certificate management, PGP key expiry, etc. In addition, PAM360 allows you to retain or overwrite existing keys. Here in this document you will learn about the following topics:

  1. Configuring Notifications
  2. SSH Policy Configuration

1. Configuring Notifications

You can set up to get notified via email, syslog messages in case of any of the following cases:

  1. If SSL certificates are expiring within a specified number of days.
  2. If domain names are about to expire within a specified number of days.
  3. If SSH keys are not rotated for more than a specified number of days.
  4. For certificate management operations performed from within the application.
  5. If PGP keys are expiring within a specified number of days. Click here to learn more about PGP keys.

Note: Notifications regarding PGP key expiration will be sent via email only.

To configure notifications:

  1. Navigate to the Admin >> SSH/SSL >> Notification Settings.
  2. To enable SSL certificate expiry notifications, select the Notify about SSL certificates expiring within checkbox. Choose a value for days. You will get notified about only those certificates whose expiry dates fall within the period (number of days) you enter.
  3. Notification Email Frequency: Choose to receive notifications either Daily or Customize your notifications.
    1. If you choose to Customize, set the Interval (in days) to notify about the to-be-expired certificates.
    2. Select the Email certificates on every schedule if expiry is less than option if you want to receive notifications on all schedules irrespective of the above-set interval.
    3. Select Exclude expired certificates from email notifications to not get notified about expired certificates.
    4. Select Send a separate email per certificate if you want to customize each email with a unique subject, title, etc.

  4. You can also choose to get notifications regarding domain name expiration, PGP key expiration or SSH key rotation failure for the configured time period or both by selecting the respective check-boxes. Expiring SSL certificates, and the SSH keys that were not rotated within the specified days are notified during the mentioned Recurrence Time.

  5. You are also allowed to edit the Subject of your email-notifications.
  6. You can choose to be notified in two ways:
    1. E-mail – Enter the From and To addresses. To enter mail server details, go to the Mail Server Settings tab.

    2. Syslog – Navigate to Admin >> Integration >> SIEM Integration and select the required integration to mention the IP address of the server and the port to which the syslog is to be delivered. To learn more about SIEM integration, click here. Refer to the Syslog format given below:
      1. SSH

        <190> Key_Name: Days_Exceeded:0 Modified_On:2016-02-16 17:41:24.008

      2. SSL

        <190> Parent_Domain: Included_Domain: Days_to_Expire: 100 Expire_Date: 5.08.2017

  7. After filling in the details, click Save.

Note : The number of days specified in the SSH key rotation and SSL certificate expiry notification policy will be applied to the dashboard settings also.

2. SSH Policy Configuration

PAM360 allows you to create a high level policy on SSH keys management. You can specify whether to retain or overwrite the existing keys. That means, when PAM360 creates new keys if they are to be appended to the existing ones or they should be deleted. The second option helps you to remove all existing keys and have a fresh start. Your SSH environment will have only the keys that were generated by the PAM360. PAM360 carries out these changes in the authorized_keys file directly.

From the SSH Policy  , you can set the option for adding keys to the authorized_keys file. You can choose from:

  1. Append – Allows you to retain existing keys as well the new ones deployed by PAM360.
  2. Overwrite – Removes all existing public key information from the authorized keys file and retains the public keys deployed from PAM360 only. This is what we call as clean start.

To change the policy configuration:

  1. Navigate to the Admin >> SSH/SSL >> SSH Policy Configuration.
  2. Select to either Append or Overwrite the keys.
  3. Click Save.

You will get a confirmation that the SSH policy  settings have been updated.

©2019, ZOHO Corp. All Rights Reserved.