Getting Started with PAM360
Once you have finished setting up PAM360, you can start working with the PAM360 application. Before you begin working in the PAM360 console and configuring the required settings, you should be familiar with the following set of configurations.
At the end of this document, you will have learned about:
- Starting and Shutting Down PAM360 (in Windows and in Linux)
- Launching the PAM360 Web Client
- Running the PAM360 service using a group Managed Service Account
- Managing the PAM360 Encryption Key
- Rotating the Encryption Key
- Updating Web Server Certificates using the PAM360 Web Console
1. Starting and Shutting Down PAM360
1.1 In Windows
PAM360 can be started and shut down in two ways: using the Start Menu or using the Tray Icon.
1.2 In Linux
2. Launching the PAM360 Web Client
There are different ways of connecting to the PAM360 web client:
2.1 Automatic Browser Launch
Once the server has started after the successful installation of PAM360, the PAM360 Login screen shows up in a browser window. As PAM360 uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.
2.2 Launching the Web Client Manually
Windows:
Right-click the PAM360 tray icon and click PAM360 Web Console to launch the web client manually. The PAM360 Login screen shows up in a browser window. As PAM360 uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.
Linux:
Open a browser and connect to the following URL:
https://<hostname>:<portnumber>/
where,
<hostname> - the host where the PAM360 server is running.
<portnumber> - the port PAM360 listens on; the default is 8282.
Example: https://localhost:8282
2.3 Connecting the Web Client in Remote Hosts
If you want to connect to the PAM360 web client in a remote machine (different from the one where PAM360 is running), open a browser and connect to the below URL:
As PAM360 uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password is admin and admin, respectively. Every time you start the server, the browser will be automatically launched.
3. Running the PAM360 Service using a group Managed Service Account
PAM360 allows you to run/manage services using group Managed Service Account (gMSA). To learn about gMSA in detail, refer to Microsoft's documentation.
To create a group Managed Service Account,
- Open Powershell ISE as administrator.
- Execute the following commands:
- Import-Module ActiveDirectory
- Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
- New-ADServiceAccount -Name <MSA_AccountName> -DNSHostName <DNSName> -PrincipalsAllowedToRetrieveManagedPassword <Machine_Name>$
- Add-ADComputerServiceAccount -Identity <Machine_Name> -ServiceAccount <MSA_AccountName>
- Install-ADServiceAccount -Identity <MSA_AccountName>
- Grant the gMSA Full Control permission on the PAM360 installation folder.
- To configure the service Log On account:
- Navigate to Services >> Properties >> Log On.
- Browse for the gMSA account.
- Clear the Password field and click Apply.
- Click OK.
Now you have successfully configured the LogOn Services.
Troubleshooting Step:
If Install-ADServiceAccount fails, execute the following command first and then retry the Install step:
Set-ADServiceAccount -Identity <MSA_AccountName> -KerberosEncryptionType AES128,AES256
4. Managing PAM360 Encryption Key
PAM360 uses AES-256 encryption to secure the passwords and other sensitive information in the password database. The key used for encryption is auto-generated and is unique for every installation. By default, this encryption key is stored in a file named pam360_key.key under the <PAM360_HOME>/conf folder. For production instances, PAM360 does not allow the encryption key to be stored within its installation folder. This is done to ensure that the encryption key and the encrypted data, in both live and backed-up database, do not reside together.
We strongly recommend that you move this encryption key off the machine where PAM360 is installed and store it on another machine or an external drive. Supply the full path of the folder to which you want to move the pam360_key.key file, manually move the file to that location, and delete any copy of it from the PAM360 server installation folder. The path can be a mapped network drive or an external USB (hard drive / thumb drive) device.
PAM360 will store the location of the pam360_key.key in a configuration file named manage_key.conf, present under the <PAM360_HOME>/conf folder. You can also edit that file directly to change the key file location. After configuring the folder location, move the pam360_key.key file to that location and ensure the file or the key value is not stored anywhere within the PAM360 installation folder.
Every time PAM360 starts up, it requires the <PAM360 installation directory>PAM360\conf path to be accessible with the necessary permissions so that it can read the pam360_key.key file. After a successful start-up, it no longer needs access to the file, and the device holding the file can go offline.
IMPORTANT NOTES:
- Always ensure sufficient protection to the key with multiple layers of encryption (such as by using Windows File Encryption) and access control.
- Since only the PAM360 application needs access to this key, make sure no other software, script or person has access to this key under any circumstances.
- Take care of securely backing up the pam360_key.key file by yourself. You can recover the PAM360 backups only if you supply this key. If you misplace the key or lose it, PAM360 will not start.
- If you store the database_params.conf file at a different location, you will have to copy the file back to the original location (i.e. to <PAM360 Installation Folder>/conf/ ), whenever you perform an application upgrade.
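The two placement rules above (the key file must live outside the installation folder, and no copy of the key value may remain anywhere inside it) can be checked mechanically. The following is an added example, not PAM360's own code; it assumes the key file path is already known (the layout of manage_key.conf is not documented here, so the path is passed in directly) and uses a constructed directory tree with a sample key value for the demonstration.

```python
"""Audit the placement of the PAM360 encryption key (added example, not PAM360 code).

Rule 1: pam360_key.key must not resolve to a location under the installation folder.
Rule 2: no file under the installation folder may contain the key value.
"""
import os
import tempfile


def key_is_outside_install(key_path, install_dir):
    """True if key_path does not resolve to a path under install_dir."""
    key_real = os.path.realpath(key_path)
    inst_real = os.path.realpath(install_dir)
    try:
        return os.path.commonpath([key_real, inst_real]) != inst_real
    except ValueError:
        # Different drives on Windows: the key is certainly outside.
        return True


def find_key_copies(install_dir, key_value, max_size=4 * 1024 * 1024):
    """Relative paths of files under install_dir whose content contains the key value."""
    needle = key_value.strip()
    hits = []
    for root, _, files in os.walk(install_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # skip large binaries/logs; adjust for your deployment
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: not a copy we can inspect
            if needle and needle in data:
                hits.append(os.path.relpath(path, install_dir).replace(os.sep, "/"))
    return sorted(hits)


def audit_key_placement(key_path, install_dir):
    """Combine both checks into one report."""
    with open(key_path, "rb") as fh:
        key_value = fh.read()
    return {
        "outside_install": key_is_outside_install(key_path, install_dir),
        "copies_inside": find_key_copies(install_dir, key_value),
    }


def demo():
    """Constructed layout: key on an 'external drive', plus a stray copy left in conf/."""
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, "PAM360")
        external = os.path.join(tmp, "external_drive")
        os.makedirs(os.path.join(install, "conf"))
        os.makedirs(external)
        key = b"CONSTRUCTED-SAMPLE-KEY-0123456789abcdef\n"  # sample value, not a real key
        key_path = os.path.join(external, "pam360_key.key")
        with open(key_path, "wb") as fh:
            fh.write(key)
        # A forgotten copy of the key inside the install folder: the audit must flag it.
        with open(os.path.join(install, "conf", "pam360_key.key.old"), "wb") as fh:
            fh.write(key)
        with open(os.path.join(install, "conf", "manage_key.conf"), "w") as fh:
            fh.write("# placeholder config for the demo\n")
        return audit_key_placement(key_path, install)


if __name__ == "__main__":
    print(demo())
```

Run it against a real deployment by calling audit_key_placement with the configured key path and <PAM360_HOME>; a non-empty copies_inside list or outside_install being False means the placement rules are violated.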
5. Rotating the Encryption Key
Even if you manage the encryption key securely outside of PAM360, it is a best practice to change the encryption key periodically. PAM360 provides an easy option to rotate the encryption key automatically.
5.1 How does the key rotation process work?
PAM360 will look for the current encryption key present in the file pam360_key.key, available in the path specified in the manage_key.conf file, present under the <PAM360_HOME>/conf folder. Only if it is present in the specified path, the rotation process will continue. Before rotating the encryption key, PAM360 will take a copy of the entire database. This is to avoid data loss, if anything goes wrong with the rotation process.
During the key rotation process, all passwords and sensitive data will be decrypted first using the current encryption key and subsequently encrypted with the new key. Later, the new key will be written in the pam360_key.key file present in the location as specified in the manage_key.conf file. At the end of successful key rotation, PAM360 will write the new encryption key in the same file that contains the old key. If any error occurs while writing the key, the rotation process will be aborted.
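The sequence described in this section (refuse to run if the key file is absent, copy the database first, decrypt every record with the current key and re-encrypt it with the new one, and only then write the new key into the same file) is illustrated by the following added example. It is not PAM360's code: the Python standard library has no AES, so an HMAC-SHA256 counter-mode construction with a 256-bit key stands in for PAM360's AES-256, and the "database" is a constructed JSON file of encrypted sample secrets.

```python
"""Key-rotation pattern (added example, not PAM360 code)."""
import hashlib
import hmac
import json
import os
import secrets
import shutil
import tempfile

KEY_BYTES = 32  # 256-bit key, the same size as PAM360's AES-256 key


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES, not AES itself.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted record")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _write_atomically(path, data):
    # Write to a temp file and rename, so a crash never leaves a half-written key or DB.
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def rotate_key(key_file, db_file):
    """Rotate the key protecting db_file; returns the new key."""
    # 1. Continue only if the current key is present at the configured location.
    if not os.path.isfile(key_file):
        raise FileNotFoundError(f"encryption key not found at {key_file}; rotation aborted")
    with open(key_file, "rb") as fh:
        old_key = bytes.fromhex(fh.read().decode().strip())
    # 2. Copy the entire database before touching it.
    backup = db_file + ".bak"
    shutil.copy2(db_file, backup)
    try:
        with open(db_file, "r", encoding="utf-8") as fh:
            records = json.load(fh)
        new_key = secrets.token_bytes(KEY_BYTES)
        # 3. Decrypt with the current key, re-encrypt with the new key.
        rotated = {name: encrypt(new_key, decrypt(old_key, bytes.fromhex(blob))).hex()
                   for name, blob in records.items()}
        # 4. Prove every rotated record is readable before committing anything.
        for blob in rotated.values():
            decrypt(new_key, bytes.fromhex(blob))
        _write_atomically(db_file, json.dumps(rotated).encode())
        # 5. The new key replaces the old one in the same file, and only as the last step.
        _write_atomically(key_file, new_key.hex().encode())
    except Exception:
        shutil.copy2(backup, db_file)  # roll the database back to the pre-rotation copy
        raise
    return new_key


def build_sample_vault(directory):
    """Constructed sample: a key file plus a tiny encrypted 'database' of secrets."""
    key = secrets.token_bytes(KEY_BYTES)
    plain = {"db-admin": b"constructed-password-1", "svc-backup": b"constructed-password-2"}
    key_file = os.path.join(directory, "pam360_key.key")
    db_file = os.path.join(directory, "vault.json")
    with open(key_file, "w") as fh:
        fh.write(key.hex())
    with open(db_file, "w") as fh:
        json.dump({n: encrypt(key, v).hex() for n, v in plain.items()}, fh)
    return key_file, db_file, plain


def demo():
    """Rotate a sample vault and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file, db_file, plain = build_sample_vault(tmp)
        with open(key_file) as fh:
            old_key = bytes.fromhex(fh.read().strip())
        new_key = rotate_key(key_file, db_file)
        with open(db_file) as fh:
            rotated = json.load(fh)
        readable = all(decrypt(new_key, bytes.fromhex(b)) == plain[n] for n, b in rotated.items())
        try:
            decrypt(old_key, bytes.fromhex(next(iter(rotated.values()))))
            old_rejected = False
        except ValueError:
            old_rejected = True
        with open(key_file) as fh:
            stored = bytes.fromhex(fh.read().strip())
        return {"key_changed": new_key != old_key, "readable": readable,
                "old_key_rejected": old_rejected, "key_file_updated": stored == new_key,
                "backup_exists": os.path.exists(db_file + ".bak")}


def demo_missing_key():
    """Rotation must abort, without touching the database, when the key file is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        _, db_file, _ = build_sample_vault(tmp)
        try:
            rotate_key(os.path.join(tmp, "not-there.key"), db_file)
        except FileNotFoundError:
            return not os.path.exists(db_file + ".bak")
        return False


if __name__ == "__main__":
    print(demo())
```

The ordering is the point: the database copy exists before any record is rewritten, the rotated records are verified before they replace the originals, and the key file is overwritten last, so a failure at any step leaves the old key and old data consistent with each other.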
5.2 Steps to rotate the encryption key (if you are NOT using High Availability)
- Ensure that the current encryption key (pam360_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that PAM360 gets the read/write permission while accessing the pam360_key.key file.
- Stop the PAM360 server.
- Open the command prompt and navigate to <PAM360-Installation-Folder>/bin directory. Execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete.
- Start the PAM360 server once you see the confirmation message.
5.3 Steps to rotate the encryption key (if you are USING High Availability)
- Navigate to Admin >> General >> High Availability in the PAM360 web interface. Make sure High Availability and Replication Status are alive.
- Check if the current encryption key (pam360_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that PAM360 gets the read/write permission when accessing the pam360_key.key file.
- Stop the PAM360 Primary server and make sure PAM360 Secondary server is running.
- Open the command prompt in the PAM360 Primary installation, navigate to the <PAM360-Installation-Folder>/bin directory and execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete. You will see a confirmation message on successful completion of the rotation process.
- Copy the new encryption key from the Primary installation and paste it in the location, as specified in the manage_key.conf file. This is the location from where the Standby will fetch the pam360_key.key file.
- Now, start the Primary and the Standby servers.
6. Updating Web Server Certificates using PAM360 Web Console
If you want to use PAM360 web console to update the web server certificates, follow the below steps:
- Navigate to Admin >> Configuration >> PAM360 Server.
- In the PAM360 Server page that opens, install your keystore file belonging to the SSL certificate and/or change the default PAM360 server port.
- To update your SSL certificate, select the type of the keystore file (JKS, PKCS12 or PKCS11) from the Keystore Type drop-down menu.
- Browse for the keystore file on your system and upload it in the Keystore Filename field.
- Enter the password of your keystore file in the Keystore Password field.
- If you want to change the default PAM360 server port, enter the port number against the Server Port field.
- Click Save.
- Restart PAM360 after saving the changes.