Frequently Asked Questions


1. What are the license types available in PAM360?

PAM360 offers three types of licenses:

  1. Evaluation download/Trial Version: A fully functional trial version that supports up to 5 administrators and allows you to explore all features for 30 days.
  2. Free Edition: A licensed version available for free, allowing 1 administrator to manage up to 10 resources. This license is valid forever.
  3. Registered Version: The enterprise edition with licensing based on the number of administrators. It provides advanced enterprise-class features, including auto discovery of privileged accounts, integration with ticketing systems and SIEM solutions, jump server configuration, application-to-application password management, out-of-the-box compliance reports, SQL server/cluster as backend database, policy-based access control, cloud entitlements management, etc.

    Additional Detail

    PAM360 offers six user roles: Administrator, Password Administrator, Privileged Administrator, Cloud Administrator, Password Auditor, and Password User. Licensing limits apply to administrators, which include Administrators, Password Administrators, and Privileged Administrators. However, there are no restrictions on the number of Password Users and Password Auditors. For more details on user roles, refer to the help documentation.

2. Can I purchase a permanent license for PAM360?

Yes, PAM360 offers a perpetual licensing option in addition to its annual subscription model. A perpetual license costs three times the annual subscription price, with a 20% Annual Maintenance and Support (AMS) fee applicable from the second year. For further details, contact sales@manageengine.com.

3. How do I apply my license file in PAM360?

To apply your license file, follow these steps:

  1. Log in as an administrator to the PAM360 web interface.
  2. Click the My Profile icon at the top-right corner and select License from the dropdown menu.
  3. Browse for your license file and click Upgrade.
  4. Verify if the new license has been applied under the same section.

4. Can I set up High Availability (HA) with a single license?

Yes, a single license entitles you to set up HA for PAM360. You can use the same license on both the primary and secondary servers. Here is how to update the license for the secondary server:

  1. Stop the PAM360 service on the primary server.
  2. Log in to the PAM360 secondary server URL as an Administrator.
  3. Click License under the My Profile icon at the top-right corner.
  4. Apply the same license file used for the primary server.

5. Does PAM360 support more than 1000 administrators?

Absolutely. PAM360 supports environments with more than 1000 administrators. For tailored licensing options, contact sales@manageengine.com.

6. Are there limitations on managing resources and accounts?

No, PAM360 imposes no restrictions on the number of resources and accounts you can manage. You can add or import unlimited resources, depending on the supported types, and manage accounts without limitations.

7. Can I extend my evaluation license to cover more administrator users or more days?

Yes, you can request an extension for your evaluation period to accommodate additional administrators or extend the trial duration. Simply fill out the required details on the website, and the license keys will be sent to you.

8. Do I need to purchase an add-on license to use integrations such as SIEM/UEBA?

No, PAM360 does not require any additional license for enabling SIEM or UEBA integrations. However, a valid license for the respective SIEM or UEBA application is mandatory to utilize the integration.

9. Is a separate license required for Log360 and Analytics Plus for User Behavior Analytics (UBA)?

Yes, separate licenses are required for Log360 and Analytics Plus. However, integrating these tools with PAM360 does not require an additional license from the PAM360 side.

10. Does PAM360 affect Windows CAL licenses?

No, PAM360 does not impact Windows CAL licenses. Remote Desktop Protocol (RDP) sessions are relayed via Spark Gateway, a component bundled with PAM360, which operates independently of CAL licenses.

1. Do I need to install any prerequisite software before using PAM360?

Apart from the standard system requirements (both hardware and software), the following elements are essential for the proper functioning of the PAM360 server.

These are especially required if you are planning to make use of PAM360's account discovery and password reset provisions.

  • An external mail server (SMTP server), which the PAM360 server uses to send various notifications to users.
  • A service account or a gMSA that has either domain admin rights or local admin rights in the PAM360 server and in the target systems that you would like to manage.
  • Visual C++ Redistributable for Visual Studio 2015 and above (for PAM360's Account Discovery and Password Reset features).
  • Microsoft .NET framework 4.5.2 or above must be installed in the server where PAM360 is installed.

To check if these software requirements are met:

  • Go to Support » Software Requirements and click Check Configuration.

In the pop-up box that opens, the configuration status will be displayed.

2. What are the operating systems supported by PAM360?

PAM360 supports the following flavors of Windows and Linux operating systems:

Windows

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016

Linux

  • Ubuntu 18.04 and above
  • CentOS 6 and above
  • Red Hat Linux 9.0
  • Red Hat Enterprise Linux 5.x and above
  • AlmaLinux 9.x and above

Note: In general, PAM360 works well with any flavor of Linux and can also be run on VMs of the above operating systems.

3. How do I fix the error 'PAM360 detected harmful content in the data entered by the user and aborted the operation' during resource import?

This error occurs if prohibited characters, such as HTML tags (`<`, `>`), URLs (HTTP:// or HTTPS://), security mark (?), or excessive spaces, are detected in the import file. To resolve this:

  • Review the CSV/TSV file and ensure that prohibited characters are removed.
  • Ensure that resource and account descriptions do not exceed 2000 characters.
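A pre-import check for the rules listed above, as an added example that is not part of PAM360 or its documentation. The column names in the constructed sample file, the function name `scan_import_file`, the reading of "excessive spaces" as two or more consecutive spaces, and the choice to apply the 2000-character limit to any column whose header contains "description" are assumptions.

```python
import csv
import io
import re

MAX_DESCRIPTION_LEN = 2000  # limit stated in the FAQ

# One pattern per class of content the FAQ says triggers the error.
CHECKS = [
    ("html-bracket", re.compile(r"[<>]")),
    ("url", re.compile(r"https?://", re.IGNORECASE)),
    ("question-mark", re.compile(r"\?")),
    # Assumption: "excessive spaces" means two or more spaces in a row.
    ("excess-space", re.compile(r" {2,}")),
]


def scan_import_file(text, delimiter=","):
    """Return (row_number, column_name, problem) tuples for a CSV/TSV import file."""
    findings = []
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            # DictReader uses a None key for surplus fields and a None value
            # for missing ones; either means the row does not match the header.
            if column is None or value is None:
                findings.append((row_no, "<row>", "column-count-mismatch"))
                continue
            for name, pattern in CHECKS:
                if pattern.search(value):
                    findings.append((row_no, column, name))
            if "description" in column.lower() and len(value) > MAX_DESCRIPTION_LEN:
                findings.append((row_no, column, "description-too-long"))
    return findings


# Constructed sample import file (header names are illustrative only).
SAMPLE_CSV = (
    "Resource Name,DNS Name,Resource Type,Account Name,Description\n"
    "web01,web01.example.test,Linux,root,Primary web server\n"
    "db01,db01.example.test,Linux,postgres,<b>Finance</b> database\n"
    "app01,app01.example.test,Windows,svc_app,See https://wiki.example.test/app01\n"
    "fs01,fs01.example.test,Windows,admin,Is this still in use?\n"
    "jump01,jump01.example.test,Linux,ops,Jump  host for DMZ\n"
    "bk01,bk01.example.test,Linux,backup," + "a" * 2001 + "\n"
)

if __name__ == "__main__":
    for row_no, column, problem in scan_import_file(SAMPLE_CSV):
        print("row %d, column %r: %s" % (row_no, column, problem))
```

For a TSV file, pass `delimiter="\t"`.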

4. Can I run custom SQL queries for integration with other reporting systems?

Yes, custom SQL queries can be generated to support reporting integrations. Contact our support team with your requirements, and we will provide the appropriate query to generate an XML output.

5. Does domain Single Sign-On (SSO) work across firewalls or VPNs?

Domain SSO in Windows environments uses non-standard HTTP header parameters. These parameters are often stripped by devices like firewalls or VPNs. Therefore:

  • PAM360 is primarily designed for use within the internal network.
  • If users are connecting from outside the network, SSO cannot be enabled effectively.

6. Can PAM360 be rebranded with my organization’s logo and information?

Yes, PAM360 offers extensive customization options, including:

  • Adding your organization’s logo (recommended size: 210x50 pixels).
  • Setting a custom login page description.
  • Changing the user interface theme color.
  • Displaying a banner with legal content or privacy policies.

To configure, navigate to Admin >> Customization >> Rebrand and update the settings as required. Refer to this document to know more about rebranding.

7. Does PAM360 track password viewing and retrieval attempts?

Yes, PAM360 records all user actions, including password viewing and copying attempts. These logs are accessible through detailed and comprehensive audit trails.

8. Why does the PostgreSQL `wal_archive` file grow rapidly?

This occurs if the backup location becomes inaccessible. In simple terms, whenever the PostgreSQL database backup fails, the `wal_archive` folder starts growing. To resolve this:

  • Ensure sufficient disk space on the PAM360 drive.
  • Remove unnecessary logs and old backups and retain only one or two backups.
  • Navigate to Admin >> Configuration >> Database Backup and click Backup Now.

This will trigger an immediate backup and purge the `wal_archive` directory.

9. What Syslog formats does PAM360 use?

The following are three different types of syslog formats that PAM360 uses to send syslog messages to your syslog collector host:

i. Resource Audit

operatedName+":"+operatedIp operationType operatedDate statusMess resourceName+":"+accName+":"+reason

ii. User Audit

operatedName+":"+operatedIp operationType operatedDate statusMess auditUserName+":"+reason

iii. Key Audits

SSL: <190> Parent_Domain: manageengine.com Included_Domain: kmp.com Days_to_Expire: 100 Expire_Date: 5.08.2020
SSH: <190> Key_Name:172.21.147.130_test123_id Days_Exceeded:0 Modified_On:2016-02-16 17:41:24.008
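A collector-side parser for the Key Audit messages above, as an added example that is not part of PAM360 or its documentation. It assumes the leading "SSL:" and "SSH:" on the sample lines are labels on this page rather than part of the message, and the function names, the 30-day threshold and the sample lines marked as constructed are illustrative.

```python
import re
from datetime import datetime

PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
# A field name starts with a letter, so the "17:41:24" inside a timestamp
# value is never mistaken for the start of a new field.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z_]*):\s*")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_key_audit(line):
    """Split one Key Audit message into its syslog PRI parts and its fields."""
    line = line.strip()
    match = PRI_RE.match(line)
    if match is None or int(match.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI: %r" % line[:40])
    pri = int(match.group(1))
    body = line[match.end():]
    keys = list(KEY_RE.finditer(body))
    if not keys:
        raise ValueError("no Key:Value fields found")
    fields = {}
    for i, key in enumerate(keys):
        # A value runs up to the next field name (values may contain spaces).
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields[key.group(1)] = body[key.end():end].strip()
    if "Parent_Domain" in fields:
        kind = "ssl"
    elif "Key_Name" in fields:
        kind = "ssh"
    else:
        kind = "unknown"
    # PRI = facility * 8 + severity, so <190> is facility 23 (local7), severity 6 (info).
    return {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "kind": kind, "fields": fields}


def ssh_modified_on(record):
    """Convert the Modified_On field of an SSH key record to a datetime."""
    return datetime.strptime(record["fields"]["Modified_On"], "%Y-%m-%d %H:%M:%S.%f")


def triage(lines, within_days=30):
    """Return (certificates expiring within the threshold, lines that failed to parse)."""
    expiring, rejected = [], []
    for line in lines:
        try:
            record = parse_key_audit(line)
            fields = record["fields"]
            if record["kind"] == "ssl" and int(fields["Days_to_Expire"]) <= within_days:
                expiring.append((fields["Parent_Domain"], int(fields["Days_to_Expire"])))
        except (ValueError, KeyError):
            rejected.append(line)
    return sorted(expiring, key=lambda item: item[1]), rejected


SAMPLE_LINES = [
    # The first two messages are the samples shown in the FAQ.
    "<190> Parent_Domain: manageengine.com Included_Domain: kmp.com Days_to_Expire: 100 Expire_Date: 5.08.2020",
    "<190> Key_Name:172.21.147.130_test123_id Days_Exceeded:0 Modified_On:2016-02-16 17:41:24.008",
    # The remaining lines are constructed for this example.
    "<190> Parent_Domain: vault.example.test Included_Domain: vault.example.test Days_to_Expire: 12 Expire_Date: 1.03.2021",
    "<190> Parent_Domain: old.example.test Included_Domain: old.example.test Days_to_Expire: 2 Expire_Date: 1.01.2021",
    "Parent_Domain: nopri.example.test Days_to_Expire: 5",
]

if __name__ == "__main__":
    soon, bad = triage(SAMPLE_LINES)
    print("expiring:", soon)
    print("rejected:", bad)
```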

10. How do I run the PAM360 service using a group Managed Service Account (gMSA)?

For detailed steps on configuring PAM360 with gMSA, refer to the help documentation.

11. How to resolve PostgreSQL server start-up failure?

Error Scenarios:

  1. During the upgrade, the error 'Trying to start PostgreSQL server failed' occurs in the command prompt after choosing the PPM file.
  2. While setting up High Availability, the error 'Trying to start PostgreSQL server failed' occurs after executing the HASetup.bat command.
  3. During service start-up, the PAM360 service fails to start after an upgrade or after the service account is updated in the Services console.

For the above service start-up error scenarios, open the <PAM360-Installation-Directory>\logs\wrapper file in Notepad or Notepad++. The most recent entries at the end of the file describe the error in detail.

Possible Causes:

  1. Lack of appropriate permissions to access specific sub-folders inside the PAM360 directory.
  2. PostgreSQL database failed to start due to an improperly terminated background process.
  3. The database port is occupied by another process.

Resolution Steps:

The solution given below applies to all the above error scenarios. To fix this issue, follow the steps mentioned below:

  1. Open the task manager and terminate any PostgreSQL-related processes.
  2. Update the PAM360 service account to a privileged account in the Services console.
  3. Open the command prompt with administrative privileges and execute the following command:
    icacls "<PAM360-Installation-Directory>" /q /c /t /grant Users:F
    Replace <PAM360-Installation-Directory> with ManageEngine PAM360's installation directory, and replace Users with the PAM360 service account in the format <DomainName\Username> or <Username@DomainName>. Run unchanged, the command grants full control to the local Users group rather than to the service account.
    For example: icacls "C:\Program Files\ManageEngine\PAM360" /q /c /t /grant ManageEngine\svcpam360:F

    Caution

    If the encryption key is placed outside the PAM360 installation directory, provide permission for the encryption key's locations using icacls command.

  4. Grant full control for <PAM360-Installation-Directory>\pgsql\data folder and ensure proper inheritance.
  5. Navigate to <PAM360-Installation-Directory>\pgsql\data and perform the following actions:
    • Open the pg_hba.conf file and remove lines containing NULL.
    • Rename the logs folder to logs.old and create a new logs folder.
    • Rename the Patch folder to Patch.old and create a new Patch folder.
  6. Navigate to the following directories and move the files to another directory for backup:
    • In <PAM360-Installation-Directory>\bin, move any .lock or lockfile files to another directory.
    • In <PAM360-Installation-Directory>\pgsql\data, move any recovery.conf or postmaster.pid files to another directory.
  7. Apply the PPM, configure HA (if applicable) and restart the service.

If the issue persists, collect logs from <PAM360-Installation-Directory> and <PAM360-Installation-Directory>\pgsql\data\pg_log, and email them with screenshots to pam360-support@manageengine.com.

12. How to handle the exceptions that occur during PAM360 upgrade?

Exception #1 - Caused by: java.lang.OutOfMemoryError: GC overhead limit exceeded

  1. Stop the PAM360 service.
  2. Back up the <PAM360-Installation-Directory> or create a VM snapshot.
  3. Navigate to the <PAM360-Installation-Directory>\bin folder and open the file UpdateManager.bat (UpdateManager.sh for Linux) in a text editor.
  4. Search for the entry: $JAVA -Xmx100m $JAVA_OPTS -Dtier-type=BE -Djava.library.path=./lib/native -Dtier-id=BE1 -cp $CLASSPATH com.adventnet.tools.update.installer.UpdateManager -u conf $*
  5. Change the value to $JAVA -Xmx2048m $JAVA_OPTS -Dtier-type=BE -Djava.library.path=./lib/native -Dtier-id=BE1 -cp $CLASSPATH com.adventnet.tools.update.installer.UpdateManager -u conf $*
  6. Save the file, restart the PAM360 service and attempt a PAM360 upgrade again.

If the issue still persists, please send your logs to pam360-support@manageengine.com for further investigation.

Exception #2: Trying to start the PostgreSQL server failed

Refer to the resolution provided in the above PostgreSQL server start-up failure question for details.

13. How to perform version upgrade using the CLI mode?

For Windows:

  1. Stop the PAM360 service.
  2. Open command prompt with administrator privileges.
  3. Navigate to the <PAM360-Installation-Directory>/bin folder and execute the following command:
    - UpdateManager.bat -u conf -c -option i
    Mention the .ppm file location in the next line.
  4. Now, press enter to proceed with the upgrade.

For Linux:

  1. Stop the PAM360 service.
  2. Open command prompt with administrator privileges.
  3. Navigate to <PAM360-Installation-Directory>/bin and execute the following command:
    - UpdateManager.sh -u conf -c -option i -ppmPath <path-to-ppm-file>
    For example, UpdateManager.sh -u conf -c -option i -ppmPath c:\pam360.ppm.
  4. Press Enter to proceed with the upgrade.

Click here for detailed upgrade pack instructions.

14. Logs, Reports, and CAPTCHA are unreadable after a version upgrade. How to fix this issue?

Open logs and check if you could find the following error: javax.servlet.ServletException: javax.servlet.ServletException: java.lang.Error: Probable fatal error:No fonts found.

Now, check if you have installed the dejavu fonts. If not, use any of the following commands based on your operating system to install the dejavu fonts.

  1. For RHEL/CentOS:
    sudo yum install fontconfig dejavu-sans-fonts dejavu-serif-fonts
  2. For Ubuntu/Debian:
    sudo apt install fonts-dejavu fontconfig
  3. For SLES:
    sudo zypper install dejavu-fonts fontconfig

The dejavu fonts are now installed on your machine.

  1. Now, navigate to the <PAM360-Installation-Directory>/conf folder.
  2. Open the wrapper_lin.conf file and add the following system property: wrapper.java.additional.27=-Dsun.java2d.fontpath=<Font-Directory-Path> (or) copy all the ttf files and paste them under the <PAM360-Installation-Directory>/jre/lib/fonts folder.
  3. Restart the PAM360 service and proceed.

15. Do you recommend antivirus exclusion during the installation of PAM360?

Yes, we recommend excluding the 'ManageEngine/PAM360' directory from antivirus, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) scanning during product installation; the installation wizard will prompt you to do so. This directory holds the essential components that make the product operative, including scripts used to initiate remote connections and perform maintenance operations. If the directory is not excluded, the product will slow down because the antivirus scans each script file during scheduled operations in PAM360. Also, features such as remote password reset may not function properly.

16. How to utilize multiple ManageEngine application services simultaneously without limitations?

Presently, ManageEngine PAM360 and other ManageEngine products utilize some common cookie names (JSESSIONID and JSESSIONIDSSO), which can hinder concurrent sessions of the ManageEngine application services. To enable multiple sessions with similar cookies in PAM360, follow these steps to identify and customize the PAM360 cookie settings:

  1. Navigate to the <PAM360-Installation-Directory>/conf folder.
  2. Open the system_properties.conf file with administrator privileges, add the following entries at the end of the file, and save it.
    org.apache.catalina.authenticator.Constants.SSO_SESSION_COOKIE_NAME=PAMJSESSIONIDSSO
    org.apache.catalina.SESSION_COOKIE_NAME=PAMSESSIONID
  3. Now, open the web.xml file with the administrator privilege, look out for the <session-config> section, and update it as follows:
    <session-config>
      <session-timeout>450</session-timeout>
      <cookie-config>
        <name>PAMSESSIONID</name>
      </cookie-config>
    </session-config>
  4. Now, restart the PAM360 service and proceed.

17. Do you have a roadmap outlining future enhancements for PAM360?

Yes, we maintain a detailed roadmap for PAM360’s future developments. You can access the roadmap from here.

18. Does PAM360 have an Enterprise Application in Azure?

Yes, PAM360 is available as an enterprise application in Azure Marketplace and Microsoft Entra ID.

19. Is there an easy migration approach from Password Manager Pro to PAM360 with all settings, permissions, and resources?

Yes, migrating from Password Manager Pro to PAM360 is seamless. The provided migration pack ensures all settings, permissions, and resources remain intact and unaltered during the process.

20. Does PAM360 integrate with Freshservice?

Currently, PAM360 does not support integration with Freshservice.

21. How can an ITSM tool be integrated when out-of-box integration is unavailable?

To integrate an ITSM tool without out-of-box support:

  1. Navigate to Admin >> Integrations >> Ticketing System in PAM360.
  2. Under the Others section, click Apply.
  3. Enter the necessary configuration details and click Save.

22. Which ManageEngine (ME) and ZOHO tools can PAM360 integrate with?

PAM360 integrates with the following ME and ZOHO products:

  • ServiceDesk Plus
  • ServiceDesk Plus Cloud
  • AD Self Service Plus (ADSSP)
  • Analytics Plus
  • AD Manager Plus
  • EventLog Analyzer
  • Log360 UEBA
  • ITOM Applications
  • Endpoint Central
  • Application Control Plus
  • ZOHO Flow

23. Which report is suitable for the security team to validate all onboarded accounts?

The Password Inventory Report of PAM360 provides detailed information on all onboarded accounts, including shared access details.

24. Does PAM360 use APIs to fetch virtual machine (VM) resources?

Yes, PAM360 uses the vSphere API to connect to and import VMware ESXi hosts.

25. What are the JDBC drivers supported by PAM360 for database communication?

From PAM360 build 8000 onwards, PAM360 uses Microsoft’s JDBC driver as the default driver for communication with MS SQL and Azure MS SQL databases. This driver is recommended for most installations, as it ensures compatibility with the latest SQL Server versions and features.

26. How can I migrate to Microsoft’s JDBC driver from jTDS for Database Communication?

If you have previously configured the jTDS driver for database communication, you should switch to Microsoft’s JDBC driver for continued support and compatibility. Follow the steps detailed below to update the driver configuration and ensure seamless connectivity.

  1. Navigate to the <PAM360-Installation-Directory>/bin folder and execute the ChangeDB.bat command (Windows) or sh ChangeDB.sh (Linux) command based on your operating system.
  2. In the pop-up that opens, read the Best Practices Guide and click the Continue with Setup button to open the DB Change Configuration window.
  3. In the Host Name field, enter the hostname, i.e., the Common Name of the MS SQL server specified in the server certificate.
  4. In the Database Name field, enter the database name of the MS SQL server as specified in the database_params.conf file.
  5. Input all the remaining essential fields and click Test. To learn more about each essential field, refer to this help document.
  6. Upon a successful test result, click Save.

27. Will I need PAM360 product updates to support database version changes or property updates?

PAM360 supports custom database configurations that allow you to connect to any SQL server effortlessly, even when there are version upgrades or changes in connection properties. As long as the database supports JDBC and the appropriate driver and connection details are provided, PAM360 ensures a seamless connection, future-proofing your credential management strategy.

28. How do I troubleshoot the PAM360 server when it is not running on RHEL 9 with SELinux enabled?

If the PAM360 server does not start on an RHEL 9 machine with SELinux enabled, verify the SELinux status and configuration. Ensure that SELinux is set to permissive or enforcing mode. Also, ensure that the PAM360 service is being initiated by a non-root user, as required. To set SELinux to permissive or enforcing mode, follow these steps:

  1. To check the SELinux status in RHEL 9, run the following command:
    sestatus
  2. To change the SELinux mode temporarily to enforcing, run the following command:
    setenforce 1
  3. To change the SELinux mode permanently to permissive, open the /etc/selinux/config file in a text editor. Set the following parameter:
    SELINUX=permissive
  4. Save the changes and reboot the system.
  5. After rebooting the system, start the PAM360 server and verify that it runs successfully. You can use the following command to check the current SELinux mode:
    getenforce

1. How do I add a new Active Directory (AD) domain in PAM360?

Administrators can add new AD domains for both resource discovery and user discovery operations.

To add a new domain for resource discovery, follow these steps:

  1. Navigate to the Resource tab and click Discover Resources.
  2. Here you can click New Domain beside the Enter Domain Name field and add a new domain name.

Refer to this help document for detailed instructions.

To add a new domain for user discovery, follow these steps:

  1. Navigate to Admin >> Authentication >> Active Directory.
  2. Here, click New Domain beside the Enter Domain Name field and add a new domain name.

Refer to this help document for detailed instructions.

2. How can I remove a domain from PAM360?

To remove a domain from PAM360, you first need to remove the users that belong to the domain. Once the users are removed, follow the below steps to remove the domain:

  1. Go to Admin >> Authentication >> Active Directory.
  2. On the page that appears, click View Synchronization Schedules.
  3. Now, delete the required domain from the Domains pane on the left.

3. How can I resolve the errors “The list of Groups is too large to display” or “The list of OUs is too large to display” during AD import?

These errors occur when the number of OUs or groups exceeds the default limit. To resolve this:

  1. Stop the PAM360 service.
  2. Back up the system_properties.conf file present inside the <PAM360-Installation-Directory>\conf folder.
  3. Now, open the system_properties.conf file in WordPad with administrative permission and update the following values:
    • Search for domain.ou.limit=2500 and change the value to 25000.
    • Search for domain.group.limit=2500 and change the value to 25000.
  4. Save the file and restart the PAM360 service.

4. How can I edit the schedule for a periodic task, such as AD synchronization?

To modify an existing schedule or to create a new schedule, follow the below steps:

  1. Log in as an administrator and go to the Groups tab.
  2. Click the Actions icon available beside the resource group and select Periodic Account Discovery from the drop down.
  3. In the pop-up that comes up, schedule or modify the time interval for AD synchronization.

    Caution

    Only the owner of the task can modify schedules via Admin >> Manage >> Scheduled tasks.

5. Can I configure an AD sync job to run multiple times a day, such as every 4 hours?

Yes, you can configure this during the AD import process:

  1. Navigate to Resources >> Discover Resources >> Import.
  2. Set the synchronization interval to your desired frequency (e.g., every 4 hours) and proceed with the import.

6. How do I troubleshoot AD import failures?

  1. Verify the user credentials entered.
  2. If the administrator credentials fail, try using non-administrator credentials to confirm the connection.
  3. If the issue persists, contact pam360-support@manageengine.com.

7. Why does a deleted account in Active Directory not get removed from PAM360?

In general, the user accounts deleted in Active Directory will not be removed from PAM360. Instead, the accounts will be locked in the PAM360 web interface, and you have to delete them manually.

If the accounts are not even locked in PAM360, check whether an Active Directory synchronization schedule is configured. Setting up the synchronization schedule in PAM360 ensures that these changes are reflected.

8. How can I perform LDAP resource discovery and import only specific LDAP resources?

PAM360 does not support LDAP resource discovery. However, it does allow the discovery of users from an LDAP directory.

9. If a Linux resource is added through AD polling and mapped with the AD account, can it be switched to use the root account for establishing connections instead of the AD account?

Yes, this can be addressed by either of the following:

  • Editing the resource in PAM360 and changing its Resource Type to Linux, ensuring it aligns with the desired configuration.
  • Deleting and re-adding the Linux resource manually.

10. Can users be synchronized from Active Directory?

Yes, PAM360 supports both periodic and on-demand synchronization of users from Active Directory.

1. Can I change the default port (8282) where PAM360 listens?

Yes, you can change the default port by following these steps:

  1. Login to PAM360 as an Administrator.
  2. Navigate to Admin >> Configuration >> PAM360 Server.
  3. Enter the desired port number in the Server Port field and click Save.
  4. Restart PAM360 for the changes to take effect.

2. How do I customize the PAM360 web portal access URL?

  1. Login as an administrator.
  2. Navigate to Admin >> Settings >> Mail Server Settings.
  3. Enter the desired URL in the Access URL field and save the settings.

This updated URL will serve as the web portal access point for PAM360.

3. Can PAM360 be accessed remotely through a web browser?

PAM360 is an on-premise tool installed on physical servers or virtual machines. You can access its web interface from any machine connected to the same LAN using a compatible web browser.

4. Can I configure PAM360 to bind to a specific IP address when multiple NIC cards and IPs are available?

Yes, PAM360 supports configuring specific IP addresses for both its web server and JVM components.

To bind the web server to a specific IP, follow these steps:

  1. Stop the PAM360 service.
  2. Navigate to the <PAM360-Installation-Directory>/conf folder and back up the server.xml file.
  3. Open the server.xml file in WordPad with administrator privileges.
  4. Locate the line containing port="8282", and add the attribute address="<specific-IP-address>" to it.
  5. Save the changes and restart the PAM360 service. Now the PAM360 web server will start using the newly specified IP address.

To bind the JVM to a specific IP, follow these steps:

  1. Stop the PAM360 service.
  2. Navigate to the <PAM360-Installation-Directory>/conf folder and back up the file wrapper.conf.
  3. Open the wrapper.conf file in WordPad with administrator privileges.
  4. Look for wrapper.app.parameter.1 and add the following line below it:
    wrapper.app.parameter.2=-Dspecific.bind.address=<specific-IP-address>
  5. Rename the <PAM360-Installation-Directory>/logs folder to logs_older.
  6. Restart the PAM360 service.

Verify the binding by logging into the product and performing tasks like password resets.

5. Why are users not receiving notifications about their PAM360 accounts?

Users are typically notified via email. If they are not receiving notifications, verify the following:

  • Ensure proper configuration of mail server settings, including SMTP server details.
  • Check if valid credentials have been provided as some mail servers require authentication.
  • Confirm that the Sender Email ID is correctly configured, as some servers reject emails without a valid "From" address or from unknown domains.

6. What authentication mechanisms are available in PAM360?

PAM360 supports multiple authentication mechanisms:

  • Active Directory: When enabled, the authentication request is forwarded to the configured domain controller and based on the result, the user is allowed or denied access into PAM360. The user name, password and the domain are supplied in the PAM360 login screen. This scheme works only for users whose details have been imported previously from AD, and is available only when the PAM360 server is installed on a Windows system.
  • LDAP Directory: When enabled, the authentication request is forwarded to the configured LDAP directory server and based on the result, the user is allowed or denied access into PAM360. The username, password and the option to use LDAP authentication are supplied in the PAM360 login screen. This scheme works only for users whose details have been imported previously from the LDAP directory.
  • PAM360 Local Authentication: The authentication is done locally by the PAM360 server. Irrespective of AD or LDAP authentication being enabled, this scheme is always available for the users to choose in the login page. This scheme has a separate password for users and the AD or LDAP passwords are never stored in the PAM360 database. However, for security reasons, we recommend that you disable the local authentication for users after enabling AD/LDAP authentication.
  • Microsoft Entra ID: Once you integrate PAM360 with Microsoft Entra ID in your environment, you can allow users to use their Microsoft Entra ID credentials to log in to PAM360 on both Windows and Linux platforms. To use this authentication, PAM360 should first be added as a native client application in your Microsoft Entra ID portal.
  • Smartcard Authentication: Enabling this feature will mandate users to possess a smartcard, and also know their Personal Identification Number (PIN). Note that smartcard authentication will bypass other first factor authentication methods like AD, LDAP or Local Authentication.
  • RADIUS Authentication: You can integrate PAM360 with RADIUS server in your environment and use RADIUS authentication to replace the local authentication provided by PAM360. The users who will be accessing PAM360 using their RADIUS server credentials will have to be added as users in PAM360 first. When you do so, you need to ensure that the "username" in PAM360 is the same as the username used for accessing the RADIUS server. 
  • SAML SSO: PAM360 acts as the Service Provider (SP) and it integrates with Identity Providers (IdP) using SAML 2.0. The integration basically involves supplying details about SP to IdP and vice-versa. Once you integrate PAM360 with an IdP, the users have to just login to the IdP and then, they can automatically login to PAM360 from the respective IdP's GUI without having to provide the credentials again. PAM360 supports integration with Okta, AD FS, and Microsoft Entra ID SSO.

    Additional Detail

    For SAML SSO, the Assertion Consumer URL is set to the server hostname by default. You can update it under Admin >> Settings >> Mail Server Settings >> Access URL.

7. What should I do if I forget my PAM360 login password?

  1. On the login page, click Forgot Password? to reset your login password.

    Caution

    The Forgot Password option is visible to users only when the administrator has enabled it under Admin >> General Settings >> User Management. If you do not see it, contact your administrator to reset the PAM360 login password.

  2. In the pop-up that appears, enter your Username, E-mail address and click Reset to send a password reset link to your email address.
  3. Open your email and find the email containing the password reset link.
  4. Click the link to receive a One-Time Password (OTP).
  5. Now, log in using the OTP and reset your PAM360 login password.

8. Why do I see a security warning when accessing the PAM360 console via a browser?

PAM360 uses HTTPS for communication and comes with a self-signed SSL certificate by default. Browsers may flag this as untrusted.

Best Practice

Replace the self-signed certificate with one from a recognized Certificate Authority (CA) for production use.

1. How secure are passwords stored in PAM360?

PAM360 ensures high security for password storage using:

  • Advanced Encryption Standard (AES): Passwords are encrypted and stored securely.
  • Database Access Restriction: The database is only accessible from the host server.
  • Role-Based Access Control: Users can access passwords based on assigned roles.
  • Secure Communication: All data is transmitted over HTTPS.
  • Password Generator: Helps create strong passwords.

2. How secure are Application-to-Application and Application-to-Database password management processes?

PAM360 uses secure RESTful APIs and SSH-based CLI APIs for Application-to-Application/Database password management. Security measures include:

  • HTTPS communication for API interactions.
  • Identity verification through SSL certificates and IP/hostname validation.
  • API user registration and unique authentication tokens.
  • Access restricted to explicitly delegated information.

3. Can I install a custom web server certificate for PAM360?

Yes, you can install an SSL certificate to secure PAM360. To do so, follow these steps:

  • Navigate to Admin >> Configuration >> PAM360 Server.
  • Choose the Keystore Type (JKS, PKCS12, or PKCS11), matching the type you chose while generating the CSR.
  • Upload the Keystore File and enter the Keystore Password.
  • Adjust the Server Port if required, then click Save.
  • Tick the Manage Server Certificates option to manage the server certificates in the PAM360 centralized repository without impacting the key limit defined in the product license.
  • Restart PAM360 for the certificate to take effect.

4. Why does PAM360 require a CA-signed SSL certificate?

PAM360 operates as an HTTPS service to ensure secure communication. It requires a valid CA-signed SSL certificate with the principal name as the name of the host on which it runs. By default, PAM360 generates a self-signed certificate upon installation. However, these certificates are not trusted by web browsers or end-users. To ensure trust and eliminate browser warnings, a valid SSL certificate signed by a Certificate Authority (CA) is required.

To make the PAM360 server trusted by web browsers and users, obtain a new signed certificate from a CA for the PAM360 host or configure an existing certificate obtained from a CA with wild-card principal support for the PAM360 host.

5. What are the available methods for generating a valid web server certificate in PAM360?

PAM360 offers several methods to generate a valid SSL certificate. The supported methods are listed below; click the desired method to learn more:

  1. Using In-Built PAM360 Certificate Management Module
  2. Using OpenSSL
  3. Using Keytool

Refer to this help document to learn more.

6. Can I install a signed SSL certificate for PAM360 web server using an existing wildcard certificate?

Yes, you can install a signed SSL certificate for PAM360 web server using an existing wildcard certificate. Follow these steps:

  1. Obtain a wildcard SSL certificate from a trusted Certificate Authority (CA) that supports your domain (e.g., `*.example.com`).
  2. Follow your CA’s documentation for generating a Certificate Signing Request (CSR) and completing the certificate issuance process.
  3. Convert your wildcard certificate (usually provided as a .crt or .pem file) and its corresponding private key into a format compatible with a Java Keystore (.jks). Ensure you note the keystore filename and the keystore password, as these will be used in the following steps.
  4. Now, navigate to the <PAM360-Installation-Directory>/conf folder and open the server.xml file using a text editor.
  5. Locate the following entries and update their values:
    • Keystore File: Replace the default value (conf/server.keystore) with conf/<keystore_filename>, where <keystore_filename> is the name of the keystore file containing the wildcard certificate.
    • Keystore Password: Replace the default value (passtrix) with <keystore_password>, which is the password protecting the keystore.
  6. Restart the PAM360 server to apply the changes.
  7. Open the PAM360 web console in a browser. If the login page loads without any browser security warnings, the SSL certificate has been successfully installed.

Refer to your Certificate Authority’s documentation for detailed steps on generating and managing the wildcard SSL certificate, resolving potential issues, and verifying the installation.
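
The conversion in step 3, together with the host-name requirement from the answer on CA-signed certificates, as an added example that is not part of ManageEngine's documentation or tooling. The file names, the alias `pam360`, the `KS_PASS` variable and the host names are assumptions; it needs `openssl` and a JDK `keytool` on the PATH and an unencrypted PEM private key.

```shell
# Added example, not ManageEngine tooling. Constructed names throughout:
# wildcard.crt, wildcard.key, ca-chain.pem, pam360.jks, alias "pam360".
# The keystore password is read from the KS_PASS environment variable so that
# it does not show up in the process list or in shell history.

# cert_matches_key CERT KEY
# Succeeds only when the certificate and the private key share a public key.
cert_matches_key() {
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# cert_covers_host CERT FQDN
# Succeeds only when the certificate is valid for FQDN. A wildcard covers one
# label: *.example.com matches pam360.example.com, but neither
# pam360.corp.example.com nor example.com.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# build_keystore CERT KEY CHAIN JKS ALIAS
# CHAIN is the CA's intermediate bundle in PEM form ("" if there is none).
# Runs in a subshell, so umask and variables do not leak into the caller.
build_keystore() (
    cert=$1 key=$2 chain=$3 jks=$4 alias=$5
    [ -n "${KS_PASS:-}" ] || { echo "export KS_PASS first" >&2; exit 1; }
    [ ! -e "$jks" ] || { echo "$jks exists, refusing to overwrite" >&2; exit 1; }
    cert_matches_key "$cert" "$key" ||
        { echo "certificate and private key do not match" >&2; exit 1; }

    umask 077                   # keystore and temp file readable by owner only
    p12=$(mktemp) || exit 1

    # 1. Bundle certificate, key and (optionally) the CA chain as PKCS#12.
    set -- -export -in "$cert" -inkey "$key" -name "$alias" \
           -out "$p12" -passout env:KS_PASS
    if [ -n "$chain" ]; then set -- "$@" -certfile "$chain"; fi
    status=0
    openssl pkcs12 "$@" || status=1

    # 2. Convert the PKCS#12 bundle into the JKS file that server.xml will name.
    if [ "$status" -eq 0 ]; then
        keytool -importkeystore -noprompt \
            -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
            -destkeystore "$jks" -deststoretype JKS -deststorepass:env KS_PASS \
            >/dev/null 2>&1 || status=1
    fi
    rm -f "$p12"

    # 3. The keystore must hold a private-key entry, not just a certificate.
    if [ "$status" -eq 0 ]; then
        keytool -list -keystore "$jks" -storepass:env KS_PASS -alias "$alias" \
            2>/dev/null | grep -q 'PrivateKeyEntry' || status=1
    fi
    [ "$status" -eq 0 ] || rm -f "$jks"
    exit "$status"
)

# Usage with the constructed names above, after exporting KS_PASS:
#   cert_covers_host wildcard.crt pam360.example.com || echo "host not covered"
#   build_keystore wildcard.crt wildcard.key ca-chain.pem pam360.jks pam360
```

Copy the resulting keystore into the conf folder and use its file name and `KS_PASS` value for the two server.xml entries in step 5, so the default keystore password is no longer in use.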

1. Can others view the resources I add in PAM360?

No, except for Super Administrators (if configured in your PAM360 setup), other users, including administrators, cannot view the resources added by you. However, if you choose to share your resources with other administrators, they will gain access.

2. Does PAM360 currently support Azure resource discovery?

No, PAM360 does not currently support the discovery of Azure resources. However, it does support the discovery of SSL certificates and TLS secrets stored in Azure.

3. Can I add custom attributes to PAM360 resources?

Yes, you can extend the attributes of resources and user accounts in PAM360 to include details specific to your requirements. For more information, refer to the relevant additional fields documentation.

4. Can I change resource passwords from the PAM360 console?

Yes, you can change resource passwords directly from the PAM360 console. PAM360 provides the capability to remotely reset passwords for various endpoints. It supports both agent-based and agent-less modes for password changes. For more information on configuring and using these modes, please refer to this document for relevant information.

5. How can we provide a domain account access to a specific server without providing access to the domain controller?

To grant a domain account access to a specific server without giving access to the domain controller:

  1. Configure the access control workflow mechanism for the Windows domain (domain controller) server.
  2. Share both the Windows Domain and the specific server with the user.
  3. Educate users to request password access for the specific server from the Windows Domain resource through the available Select option.

This method ensures secure and restricted domain account access to a specific server without providing the domain controller access.

6. How can I change service account passwords in PAM360?

Service account passwords can be rotated by configuring Remote Password Reset (RPR) for the respective resource. Detailed instructions on configuring RPR can be found in this documentation.

7. Does transferring ownership of a resource reset its permissions?

No, transferring ownership of a resource does not reset its permissions. When resources are transferred to another administrator, the original owner loses access unless the new owner explicitly shares the resource back. Any existing shares configured for other users will remain unchanged with the workflow.

8. How can I ensure that service account passwords have been reset in PAM360?

When service account passwords are reset, an email notification is sent to the resource owner. This notification serves as confirmation that the password reset has occurred.

9. Why are service accounts not discovered during the initial resource discovery process?

If the service account passwords are not discovered during the initial resource discovery process, perform the discovery again at the account level. If the issue persists, contact PAM360 support for assistance.

10. Can PAM360 rotate website account passwords?

No, PAM360 does not currently support password rotation for website accounts.

11. Can PAM360 rotate or update credentials stored in an Azure Key Vault?

Yes, PAM360 allows direct rotation and updating of credentials stored in Azure Key Vault through its interface.

12. How can Oracle database users be added to PAM360?

Add the resource manually with the Resource Type as Oracle and discover the associated user accounts from the resource.

13. What might cause account discovery issues?

Account discovery issues can arise from invalid credentials in the remote login credential, i.e., the remote password reset configuration. An underlying software requirement can also cause account discovery issues. If the issue persists, contact the PAM360 support team for assistance.

14. What is the purpose of Remote Password Reset? Will it change passwords in PAM360 without affecting physical resources?

The Remote Password Reset feature rotates passwords based on the administrator’s configuration, ensuring synchronization between PAM360 and the physical resource. Passwords are changed simultaneously in both locations.

15. When should I use the agent and agent-less modes for password synchronization?

The choice between agent and agent-less modes depends on your environment's requirements. Here are the prerequisites for both modes:

Agent Mode:

  • Requires installing the agent as a service on each endpoint.
  • The agent must have administrative privileges on the endpoints to perform password reset operations.
  • Utilizes one-way communication through outbound traffic to connect to the PAM360 server.

Agent-less Mode:

  • Requires supplying administrative credentials to perform password changes.
  • For Linux endpoints, two accounts are necessary: one with root privileges and another with standard user privileges for remote login. Also, the Telnet or SSH services must be active on the Linux resources.
  • For Windows systems, domain administrator credentials are required. PAM360 uses remote procedure calls (RPC), so the necessary ports must be open on the resource.

We recommend using Agent Mode when:

  • Administrative credentials for a resource are unavailable in PAM360.
  • Required services (e.g., Telnet/SSH for Linux or RPC for Windows) are not running.
  • PAM360 is deployed on Linux, but you need to manage passwords for Windows resources.

Use the Agent-less Mode for all other scenarios, as it offers greater convenience and reliability for password changes.

16. Can I enable agent-less password resets for custom resource types in PAM360?

Yes, PAM360 supports enabling agent-less password resets for custom resource types, provided their labels include the strings Linux or Windows.

Examples of valid resource type labels: Debian Linux, Linux - Cent OS, SuSE Linux, Windows XP Workstation, Windows 2003 Server.

As long as the resource type label conforms to this format, agent-less password reset can be configured successfully.

17. Is it possible to perform remote password synchronization for custom resource types not natively supported by PAM360?

Yes, PAM360 enables remote password synchronization for custom resource types through any of the following methods:

  1. SSH Command Sets: For SSH-based devices, you can build command-based executables directly from PAM360 using a set of default or customized SSH commands. These command sets can then be associated with the respective SSH device accounts that do not come out of the box with PAM360 to perform their password resets without the need for a CLI. 
  2. Password Reset Plugin: You can build your own implementation class and run it via PAM360 to enforce automatic password resets of custom resource types. With the plugin, you can also leverage access control for legacy accounts and automatically reset passwords instantly upon usage. This way, the passwords of these accounts will serve as one-time passwords that are reset after every use via the associated plugin.
  3. Password Reset Listeners: Listeners are custom scripts or executables that can be invoked for local password changes, as well as to reset the passwords of custom resource types for which remote password reset is not supported out-of-the-box by PAM360. You can configure listener scripts individually for each resource type including the custom ones.

18. How do I troubleshoot password reset issues?

For Agent Mode:

  • Verify that the agent is running. On Windows, check the active process list for PAM360Agent.exe. On Linux, check for a process named PAM360Agent.
  • Ensure the account hosting the agent has sufficient privileges for password resets.

For Agent-less Mode:

  • Confirm the administrative credentials provided are correct, and remote synchronization is enabled.
  • Check that necessary services (e.g., Telnet/SSH for Linux or RPC for Windows) are running on the resource.
  • Ensure the resource is reachable from the PAM360 server using the provided DNS name.

19. How can I resolve the 'authentication mechanism is unknown' error during Windows domain password reset?

This error occurs when PAM360 runs as a Windows service and the Log On As property is configured to use the local system account. To resolve this, configure it to use a domain user account:

  1. Open the Windows Services Applet by navigating to Control Panel >> Administrative Tools >> Services.
  2. Locate and select the ManageEngine PAM360 service. Right-click and choose Properties.
  3. Under the Log On tab, select the This Account option and provide the domain user credentials in the format <domainname>\<username>.
  4. Save the changes and restart the PAM360 server.

20. What are the prerequisites for enabling Windows Service Account Reset?

Before enabling this feature, ensure the following services are active on the servers where dependent services are running:

  • Windows RPC Service
  • Windows Management Instrumentation (WMI) Service

1. Can PAM360 function in a VLAN for servers with a firewall rule and with all inbound and outbound ports blocked, except those needed for SSH and RDP?

Yes, PAM360 can operate in such environments. Ensure that only the required ports for SSH and RDP connections are opened, as detailed here.

2. How does PAM360 handle operations in heavily segregated networks with default deny firewall rules?

For highly segregated networks with deny-all firewall rules, specific ports must be opened to ensure the smooth functioning of the PAM360 application. A comprehensive list of required ports is provided here.

3. We use identity-based rules for accessing the network in our organization. What accounts are used for SSH and RDP connections in PAM360?

In PAM360, SSH and RDP sessions use the privileged accounts securely stored in the application's vault.

  1. For SSH, PAM360 leverages the associated SSH credentials configured for the target system, either through a default account or a user-selected one during session initiation.
  2. Similarly, for RDP, PAM360 uses the stored credentials tied to the target machine. These accounts are securely fetched during runtime, ensuring that no sensitive information is exposed.
  3. Identity-based rules, such as multi-factor authentication (MFA) or policy-based access control (PBAC), are applied to validate the user's access permissions before allowing the session to begin.
  4. Advanced identity-based controls, such as Just-In-Time (JIT) access and temporary credential provisioning, further enhance session security. These features allow for ephemeral accounts or credentials that expire after the session ends, minimizing risks from credential misuse.
  5. Additionally, administrators can define granular access policies based on user groups, IP restrictions, or device-specific rules to tailor security protocols to the organization's needs.

With these configurations, PAM360 ensures robust, secure, and policy-compliant access to critical systems via SSH and RDP sessions.

4. Why is session recording not available for browser activities performed by the user?

Starting from build 7400, PAM360 supports session recording for website account activities. Upgrade to the latest build to relish the new benefits.

5. What is the best way to search for an activity that has been recorded by PAM360?

To locate and review a recorded activity in PAM360:

  1. Navigate to the Audit tab.
  2. Select the specific category corresponding to the type of activity you want to search.
  3. Utilize the provided filter options and the search icon to quickly locate the desired activity.

This is the best way to search for an activity that has been recorded by PAM360.

6. Is there a third-party tool that supports session playback?

No, PAM360 does not integrate with any third-party tools for session playback. All session recordings must be managed and reviewed within the PAM360 platform.

7. What are the required ports to be opened from the PAM360 application server to the Landing Server for RDP, SSH, HTTP-Gateway, and RemoteApp?

To ensure seamless operation of PAM360, specific ports need to be configured and opened. Refer to this help documentation for a comprehensive list of ports required for RDP, SSH, HTTPS-Gateway, and RemoteApp functionalities.

8. Can audit permissions be enabled exclusively for viewing recordings without providing access to logs?

No, PAM360 does not currently support enabling audit permissions exclusively for viewing recordings while restricting access to logs.

9. Can auditing permissions be configured to share alerts through email?

Yes, PAM360 allows audit records to be shared via email alerts. To configure this feature:

  1. Navigate to the Audit tab and select the desired Audit category.
  2. From the detailed audit page on the right, click Configure Audit from the Audit Actions.
  3. Enable the SEND EMAIL option for the respective operations.
  4. Specify the recipient email addresses for receiving notifications.


1. What user roles are available in PAM360, and what are their access levels?

PAM360 provides six predefined roles along with the custom role creation capability:

  • Privileged Administrator
  • Administrators
  • Cloud Administrators
  • Password Administrator
  • Password Auditor
  • Password User

Apart from these predefined and custom roles, any administrator can be promoted as a Super Administrator with the privilege to view and manage all the resources available in PAM360. Click here to learn more about individual role capabilities and access levels.

2. What happens if an administrator user is deleted in PAM360? Will their resources/accounts be removed as well?

PAM360 does not allow the deletion of an administrator user who owns active resources/accounts. To delete such a user, either the accounts they own must be deleted by the user themselves or transferred to another user with similar privileges. Only then can the administrator user be removed. Refer to this help documentation to know more about transferring the user accountabilities before deleting a PAM360 user.

3. What is the difference between a Privileged Administrator and a Super Administrator in PAM360?

Privileged Administrator: This role enables users to configure, customize, and oversee the PAM360 application comprehensively. Privileged Administrators can manage privacy and security controls, including IP restrictions and emergency measures. They can see resources and accounts they create or those shared with them and perform all operations related to these entities. Additionally, they can promote other administrators to Super Administrators.

Super Administrator: This role encompasses all permissions granted to Privileged Administrators, with the added ability to access and manage all resources and accounts owned by any user within PAM360.

4. Can administrators share passwords with other users?

Yes, users with any of the administrators' privileged roles can share accounts/passwords they own or have manage permissions for with other users.

5. Can both Password Users and Connection Users be utilized simultaneously?

Yes, both roles can be used as required:

Password Users: Users with this role can access accounts shared with them and make modifications if permitted.

Connection User: In addition to Password User privileges, they can establish HTTPS gateway connections, RemoteApp connections, and perform secure file transfers.

Caution

Password Users are unlimited in the license, whereas Connection Users are limited based on the purchased license.

6. Can user roles be assigned during user import or addition?

Yes, roles can be assigned while adding users manually or during import. For manual addition, select the user role from the appropriate field. During import, include a user role column in the source file and map it accordingly during the import process.

7. Can user roles be restricted from accessing Personal Passwords?

Yes, you can restrict Personal Passwords for specific users regardless of user roles. To do so:

  1. Group the desired users in a User Group.
  2. From the User Groups tab, under the Actions icon beside the relevant user group, click User Group Privileges.
  3. In the pop-up that appears, disable the Manage personal passwords option.
  4. Now, click Save to save the changes.

8. Which user roles are eligible to manage certificates?

User roles with the administrative privileges and custom roles with certificates privilege enabled can manage certificates in PAM360. These roles ensure users can handle tasks like issuance, renewal, and deployment of certificates effectively.

9. What happens if a user leaves the organization without sharing their sensitive passwords?

If an administrative user leaves the organization, the user's resources and responsibilities can be transferred to other administrators. This ensures the departing user no longer has access to these resources. Note that resources and responsibilities can also be transferred back to the original user if required. For detailed guidance, refer to the transfer user accountabilities help documentation.

1. What are the agent types concerning the Zero Trust approach?

In the context of the Zero Trust approach, two types of agents are pertinent: User Device and Resource. These agents can be installed on user devices and resources, respectively. Their functionality revolves around collecting data specific to the entity they are associated with, which is then utilized for trust score calculations.

2. How does the agent work for user devices and resources?

The agent operates by gathering data from the user device or resource. This includes information such as:

  • Firewall status
  • Antivirus status
  • Open ports
  • Running processes/services
  • Installed applications/packages

The collected data is instrumental in calculating a trust score, which determines whether the user or resource meets the criteria for privileged access and account governance.

3. Will the device installed with the PAM360 agent of usage type 'user device' be added as a resource in PAM360?

No, a user device equipped with a PAM360 agent of usage type User Device will not be registered as a resource in PAM360. Conversely, devices with the agent installed under the Resource usage type will be added as resources within PAM360.

4. Can I use the policy-based access privilege feature in an agentless mode?

Yes, the policy-based access privilege feature can function in an agentless mode, relying solely on the authentication parameters defined for users.

5. How to fetch the default system data from a user device/resource?

To retrieve the default system data for configuring trust score parameters, follow these steps:

  1. Download the provided ZIP file and extract it to a user device or resource.
  2. Navigate to the folder corresponding to your Operating System (Windows or Linux) within the extracted contents.
  3. Execute the appropriate script (fetch_configuration_details) using administrative privileges. The file format may vary based on the OS (e.g., .sh, .bat, .ps1).
  4. Upon execution, a file named query_result.txt will be generated in the same folder.
  5. Open the query_result.txt file to review the system data or device properties. Use the search function to locate the values of specific parameters identified by the following IDs:
    • Antivirus_status
    • Application_and_packages
    • Chrome_extensions
    • Disk_encryption_status
    • Firefox_addons
    • Firewall_status
    • OS_version
    • Open_ports
    • Process_and_services
    • Secure_boot_status

6. How do you decide a weightage value for a parameter for trust score validation?

Weightage values for trust score parameters are assigned on a scale of 0-10, reflecting their priority within the organization. Administrators can customize these values based on organizational needs. For instance: assign a weightage of 10 to critical parameters like invalid sign-in attempts and assign a lower weightage (e.g., 2-5) to less critical parameters like OS version.

7. How is the user trust score and resource trust score calculated?

User Trust Score is derived from the user’s authentication and the state of their user device. Resource Trust Score is determined by evaluating the resource’s state. Both scores are computed using the parameter configurations and weightages defined by the administrator.

8. What is the purpose of an access policy?

Access policies automate the granting or restriction of access privileges to resources. This automation is based on criteria such as: user trust score, resource trust score, password policy and access control parameters defined by the administrator.

9. How many access policies can a user and a resource be associated with?

A user can be associated with multiple access policies via various conditions across different resources. A resource can be associated with multiple access policies through different static resource groups. However, only the most recently associated access policy will remain active for the resource.

10. When does a conflict occur in policy-based access privilege?

A conflict arises when a resource is linked to multiple access policies through different static resource groups.

11. If there are multiple access policies associated with a resource via various static groups, what will be the active access policy?

The active access policy for a resource will be the most recently associated policy via a static resource group.

12. How to resolve a conflict between the access policies of a resource?

  1. Navigate to the Groups tab.
  2. Click on the Actions icon beside the respective static resource group.
  3. Select Edit Group Attributes.
  4. In the pop-up, choose the desired access policy from the Access Policy field that is to be associated with the resource group.
  5. Click Save to apply the changes.

13. How does the precedence of actions work in access policy conditions?

When an access policy includes multiple conditions with varying criteria and actions, the action from the condition with the higher precedence value is applied. For instance, actions like Deny/Terminate or Exclude User Group take precedence over others.

14. Where can I see the user trust score?

The Users tab in PAM360 displays the trust scores of all users. However, users with roles such as Password User, Password Auditor, Connection User, or Password Administrator cannot view trust scores or receive related notifications. Only Privileged Administrators, Administrators, and Custom Users with the administrative privilege can access this information.

15. Where can I see the resource trust score?

The Resources tab displays trust scores next to their respective resources. Viewing permissions are as follows: users who own or manage a resource can view its trust score and Super Administrators have visibility into the trust scores of all resources.

16. What are the possible reasons for session termination?

Sessions may be terminated if either the user trust score or resource trust score falls below the required threshold due to violations of predefined parameters set by administrators. In case of termination, users should contact their administrator for further clarification.

1. Does PAM360 support High Availability (HA)?

Yes, PAM360 supports High Availability and Disaster Recovery models. Refer to this introduction document for more details.

2. Can I migrate PAM360 to a different server?

Yes, you can migrate PAM360 to another server by following these steps:

  1. Stop the PAM360 service and exit the tray icon.
  2. Ensure that the PostgreSQL process is not running in the Task Manager.
  3. Copy the entire PAM360 directory and move it to the new server.
  4. Open the command prompt with administrative privileges, navigate to the <PAM360-Installation-Directory>\bin folder, and execute the following command:
    PAM360.bat install
    This installs the PAM360 service on the new server.
  5. Move the PAM360 encryption key to the new server and update its location in the <PAM360-Installation-Directory>/conf/manage_key.conf file. Click here to learn more about the encryption key in PAM360.
  6. Open the Services console, configure the service account, and start the PAM360 service.
  7. If you need the tray icon, navigate to the PAM360 installation directory, right-click on PAM360.exe, and select Run as Administrator. You should now be able to access PAM360 via the new server name in the URL.

3. What do I do in case of a High Availability Failure?

Once the HA status becomes Inactive, the PAM360 HA setup also breaks down. In case of a HA failure, contact pam360-support@manageengine.com with the log file pgsql_Mon.log available in the directory - <PAM360 Installation Folder>/pgsql/data/pg_log.

4. Can I set up disaster recovery for the PAM360 database?

Yes, PAM360 allows periodic backups of the database. You can configure this through the PAM360 console. Refer to this document for detailed instructions.

5. Where is the backup data stored, and is it encrypted?

The backup data is securely stored under the <PAM360-Installation-Directory>/backUp folder as a .zip file. All sensitive data in the backup file is encrypted using the AES-256 algorithm through the 7-Zip utility. For enhanced security, we recommend storing the backup files in a secure, secondary storage location.

1. Is there a difference between managing SSH user accounts and SSH service accounts in PAM360?

No, PAM360 uses the same approach for managing both SSH user accounts and SSH service accounts.

  • If you establish a connection using service/root account credentials during resource discovery, PAM360 grants extended privileges to import and manage keys from all user accounts on the resource.
  • If the connection is established using user account credentials, you can manage only the SSH keys within that particular user account.

2. Can I view SSH keys that have not been rotated?

Yes, PAM360 provides a dashboard that displays the number of SSH keys that have not been rotated within the predefined period specified in the Notification Policy.

3. Does PAM360 support managing digital keys other than SSH keys and SSL certificates?

Yes, PAM360 features a Key Store that allows you to store and manage any type of digital key. However, automatic discovery and import functionalities are limited to SSH keys and SSL certificates only.

4. Can the same built-in roles be used to control access to PGP Keys? We have vendors requiring PGP Keys for data sharing.

Yes, all user roles with administrative privileges or custom roles with SSH Key management privileges can manage PGP Keys in PAM360. These users can generate PGP keys and share the keys with vendors for secure data exchange. This ensures that encrypted data sharing requirements are seamlessly handled.

1. Are there any certificate types that PAM360 does not support?

No, PAM360 is fully compatible with all X.509 certificate types.

2. Can PAM360 automatically identify and update certificates in its repository?

Yes, PAM360 allows you to schedule automatic certificate discovery tasks. This process imports updated certificates from target systems and replaces the old ones in the repository. Click here for a detailed explanation on creating schedules.

3. Does the Linux version of PAM360 support certificate discovery from Active Directory (AD) and MS Certificate Store?

No, certificate discovery from AD User Certificates and MS Certificate Store is available only in the Windows version of PAM360.

4. Can PAM360 track the expiry of certificates with the same common name?

PAM360 differentiates certificates based on their common name and records certificates with the same name as a single entry in the repository. This approach avoids unnecessary consumption of licensing limits. However, if you need to manage both certificates separately, you can do so by listing them as separate entries in PAM360's certificate repository. Once listed, the newly added certificate will be counted for licensing.

If you need to manage certificates with the same common name separately, follow these steps:

  1. Navigate to Certificates >> Certificates, and click the Certificate History icon beside the desired certificate.
  2. Click the Certificate Settings icon next to the required version and select Manage Certificate.

This will list the selected version as a separate certificate in the repository, which will be counted for licensing. To manage only one version, use the Set as Current Certificate option.

5. How can I import a private key for a certificate?

Follow these steps to import a certificate's private key into PAM360:

  1. Navigate to Certificates >> Certificates.
  2. Select the desired certificate for which you need to import the private key.
  3. From the More dropdown menu, select Import Keys.
  4. Browse and select the file containing the private key, enter the keystore password, and click Import.

The private key will be attached to the selected certificate.

6. How can I deploy a certificate to the Certificate Store and map it to its application?

PAM360 supports certificate deployment to a target server's Microsoft Certificate Store. Click here for a step-by-step explanation of certificate deployment.

To map the certificate to its application, you need to manually restart the server where the application runs for the changes to take effect.

7. Does PAM360 support subnet-based SSL certificate discovery?

No, PAM360 does not currently support subnet-based certificate discovery.

8. Can I schedule automatic certificate discovery from the MS Certificate Store?

No, PAM360 does not currently support automatic scheduling for certificate discovery from the MS Certificate Store.

9. Are email alerts generated for all certificate versions shown in Certificate History?

No, email alerts are generated only for certificates listed in PAM360's certificate repository, not for other versions displayed in the "Certificate History" section.

10. Are certificates issued by an internal Certification Authority (CA) counted toward licensing?

Yes, all SSL certificates, SSH keys, and other digital keys managed using PAM360 are included in the licensing count. You can track licensing usage via the License Details dashboard widget, which provides insights into the type and number of digital identities being managed.

11. How can I import a certificate into the PAM360 repository?

To import a certificate into PAM360, open the command prompt/terminal, navigate to the <PAM360-Installation-Directory>\bin folder, and execute the following command:

For Windows:

importCert.bat <Absolute-Path-of-Certificate>

For Linux:

importCert.sh <Absolute-Path-of-Certificate>

12. After integrating PAM360 with GoDaddy, can certificates be renewed through the platform?

Yes, once PAM360 is successfully integrated with GoDaddy or any other supported Certificate Authority, administrators can manage certificates directly through PAM360. This includes actions such as renewal, revocation, deployment, etc.

13. What privilege is required to discover a Microsoft Store certificate, and what is the difference between a Microsoft Certificate Store and a Microsoft Certificate Authority?

To discover certificates from the Microsoft Certificate Store, a user role with administrator privileges is required.

Microsoft Certificate Store: A secure storage location on a Windows system where certificates and associated private keys are stored. These certificates support functions such as authentication, encryption, and signing.

Microsoft Certificate Authority: A service offered by Active Directory Certificate Services (AD CS) that issues, revokes, and manages digital certificates within an organization’s infrastructure.

1. Is there an MSP edition of PAM360?

Yes, a Managed Service Provider (MSP) edition of PAM360 is available. Details can be found on the product's official page.

2. How many client organizations does PAM360 support?

PAM360 supports up to 900 client organizations.



