Application Credential Injection in PAM360 Remote Connect
(Applicable from Remote Connect version 4100 and PAM360 build version 8000)

PAM360 supports automatic password injection for third-party thick-client applications via the Application Credential Injection feature in the PAM360 Remote Connect desktop client. Application Credential Injection significantly improves both security and usability by eliminating the need for users to manually enter or manage complex passwords when connecting to target database servers.

With this feature, users can launch supported applications, such as DBeaver and MySQL Workbench, to connect to database servers, including MS SQL Server, MySQL, Oracle, and PostgreSQL, without manually entering passwords or connection details. Passwords are securely retrieved directly from PAM360 at runtime, ensuring that they are never exposed. This functionality is available when the target database servers have been added as resources in PAM360 and appropriately shared with the respective end users.

1. Prerequisites

To successfully establish remote connections to target database servers using the Application Credential Injection feature, ensure the following requirements are met:

  1. The machine on which the PAM360 Remote Connect application is installed should have seamless connectivity to both the PAM360 server and the target database servers.
  2. The third-party thick-client applications, such as DBeaver version 25.0.0 and above and MySQL Workbench version 8.0.40 and above, should be installed on the machines where the PAM360 Remote Connect client is running. Each application should be accessible at the same directory (specified on the Applications page in PAM360) on all of these machines, as this path is used to launch the application and autofill passwords for remote connections. Refer to this section for details about configuring the file path for the application as needed.
  3. Ensure that the third-party thick-client applications are set to use English as the interface language.
  4. To ensure Application Credential Injection works during remote connections to target database servers, the PAM360 server should have a valid web server certificate.
  5. The target database servers should be added as resources in PAM360. While adding the resources, ensure the following factors:
    1. Details such as Username, Password, Hostname, and Port should be configured correctly.
    2. The Default Database field must exactly match the actual name of the target database. For Oracle database servers, the value configured as the Default Database in PAM360 should be the service name of the database, not the SID.
    3. Remote Password Reset should be configured for each database server in PAM360. This is required so that PAM360 Remote Connect can retrieve the database server's port details from PAM360, which it uses for autofill during remote connections to the database servers through thick-client applications.
  6. Currently, only non-SSL connections are supported when using PAM360 Remote Connect to launch thick-client applications like DBeaver for MS SQL database authentication. Ensure that the target MS SQL database does not enforce SSL or require client certificates, as these configurations are not currently supported.
  7. For now, the RSA public key retrieval property should be enabled to establish a connection to MySQL database servers (initial versions) using third-party thick-client applications for password autofill via PAM360 Remote Connect.
  8. When launching a connection to an Oracle database server using DBeaver via PAM360 Remote Connect, password autofill is currently supported only for user accounts with the role set to Normal. Therefore, ensure the role type is set to Normal before initiating the connection.
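
A preflight check for prerequisites 1, 2 and 4, to be run in PowerShell on a machine where Remote Connect is installed. This is an added example, not ManageEngine code: the host names, ports and folder name are placeholders, and it assumes a "valid" certificate means one that this machine trusts, that has not expired, and that matches the server name.

```powershell
# Added example. Every value in this block is a placeholder to replace.
$Pam360Host = 'pam360.example.internal'      # placeholder PAM360 server name
$Pam360Port = 443                            # placeholder HTTPS port of the PAM360 server
$AppFolder  = 'C:\Program Files\DBeaver'     # placeholder for C:\Program Files\<application name>
$Databases  = @(                             # constructed sample resources
    @{ HostName = 'mssql01.example.internal'; Port = 1433 },
    @{ HostName = 'pg01.example.internal';    Port = 5432 }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() throws when the connection is refused and returns $false on timeout
        return ($client.ConnectAsync($HostName, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Test-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: the default policy fails the handshake for
        # an untrusted, expired, or name-mismatched certificate.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return "OK, expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    } catch { return "FAILED: $($_.Exception.GetBaseException().Message)" }
    finally { $client.Close() }
}

# Prerequisite 2: the application folder exists at the path configured in PAM360
$folderOk = Test-Path -LiteralPath $AppFolder -PathType Container
$report = @(
    [pscustomobject]@{ Check = 'Application folder'; Target = $AppFolder
                       Result = $(if ($folderOk) { 'OK' } else { 'MISSING' }) }
    # Prerequisites 1 and 4: PAM360 server is reachable and presents a valid certificate
    [pscustomobject]@{ Check = 'PAM360 certificate'; Target = "${Pam360Host}:$Pam360Port"
                       Result = (Test-ServerCertificate -HostName $Pam360Host -Port $Pam360Port) }
)
# Prerequisite 1: each target database server accepts TCP connections on its port
foreach ($db in $Databases) {
    $ok = Test-TcpPort -HostName $db.HostName -Port $db.Port
    $report += [pscustomobject]@{ Check = 'Database reachable'; Target = "$($db.HostName):$($db.Port)"
                                  Result = $(if ($ok) { 'OK' } else { 'UNREACHABLE' }) }
}
$report | Format-Table -AutoSize
```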

2. Launching Remote Connection Using Application Credential Injection

After completing the necessary prerequisites, you can launch remote connections to database servers using supported third-party thick-client applications directly from the PAM360 Remote Connect application. For detailed steps on how to use the Application Credential Injection feature with applications like DBeaver and MySQL Workbench for database connections, refer to this help documentation.

3. Modifying Application Details in PAM360

By default, PAM360 is pre-configured with the following settings for the third-party thick-client applications:

  1. The installation path is set to C:\Program Files\<application name> for Windows environments.
  2. The following database resource types are selected as supported resource types by default:
    • MS SQL Server
    • MySQL Server
    • Oracle DB Server
    • PostgreSQL

To modify the above details for the third-party thick-client applications, perform the steps below:

  1. In the PAM360 web interface, navigate to Admin >> Privileged Session >> Auto Logon Helper >> Applications.
  2. On the page that appears, click the Edit Application Details icon for the application you want to edit.
  3. In the Application Configuration window that appears,
    1. Update the installation folder path if the application is installed in a different location.
    2. Modify the Resources Types field to include or exclude specific database server types as needed.

Note: Application Credential Injection is supported only for MS SQL Server, MySQL Server, Oracle Database Server, and PostgreSQL database resource types. As of now, password autofill is not supported for any other custom resource types created using the default database resource types added under this configuration.



