Installing and Getting Started with PAM360
This document allows you to learn the step-by-step procedure to install PAM360 in your system. This document also deals with other related topics such as the system requirements for PAM360, steps to start and shut down the PAM360 server, steps to connect to the web interface after successfully starting the server, and many more.
You will learn the following topics with respect to PAM360 installation and configuration here:
- System Requirements
- Components of PAM360
- Ports used by PAM360
- Installing the PAM360 Agent
- Installing PAM360
6.1 In Windows
6.2 In Linux
- Starting and Shutting Down PAM360
7.1 In Windows
7.2 In Linux
- Launching the PAM360 Web Client
- Using MS SQL Server as the Backend Database
- Using MS SQL Cluster as the Backend Database
- Workflow in PAM360
- Managing PAM360 Encryption Key
- Rotating the Encryption Key
- Managing the PAM360 Database Password
15.1 License Types
15.3 Features Matrix
- Transferring PAM360 Installation
- Updating Web Server Certificates using PAM360 Web Console
- MSP Edition
Apart from the standard system requirements (both hardware and software), the following elements are essential for the proper functioning of the PAM360 server:
Note: The following are required, if you're planning to make use of PAM360's account discovery and password reset provisions.
- An external mail server (SMTP server) for the functioning of PAM360 server and to send various notifications to users.
- A service account that has either domain admin rights or local admin rights in the PAM360 server and in the target systems that you would like to manage.
- Microsoft .NET framework.
- Visual C++ Redistributable for Visual Studio 2015 and above (for PAM360's Account Discovery and Password Reset features).
2. System Requirements
The below table provides an overview of the hardware and software configurations required by PAM360:
|Hardware||Operating systems||Web interface|
Note: For Session Recordings, the disk space requirement may vary based on the usage levels.
Note: In general, PAM360 works well with any flavor of Linux and can also be run on VMs of the above operating systems.
HTML client requires one of the following browsers** to be installed in the system:
** PAM360 is optimized for 1280 x 800 resolution and above.
3. Components of PAM360
PAM360 comprises of the following components:
1. The PAM360 server
2. The PAM360 Agent:
- for extablishing connections with the remote resources.
3. The database PostgreSQL 9.5.3:
- bundled with PAM360 that runs as a separate process.
- accepts connections only from the host where it is running.
- runs in an invisible mode.
4. Ports used by PAM360
The below table lists the set of all ports used by PAM360 for remote access:
|Port Name||Port Number|
Web client port
LDAP without SSL port
LDAP with SSL port
MS SQL port
Sybase ASE port
Password Verification port
135, 139, 445
SSH CLI port
Auto Logon Sparview Gateway port
5. Installing the PAM360 Agent
Click here for steps.
6. Installing PAM360
You can install PAM360 in both Windows and Linux operating systems.
6.1 Steps to Install PAM360 in Windows
- Download and execute the file ManageEngine_PAM360.exe. The PAM360 installation wizard shows up.
- Follow the step-by-step instructions in the installation wizard.
- Choose an installation directory. By default, PAM360 will be installed in the path "C:\Program Files\ManageEngine\PAM360". Henceforth, this installation directory shall be referred to as PAM360_Home.
- In the final wizard, you will have the following options:
i. Option to view the ReadMe file.
ii. Option to choose to start the server immediately.
iii. Option to start the server later after installation. Use the Windows tray icon to start the server manually later. Using the tray icon, you can also perform other actions such as stopping the server and uninstalling the product.
6.2 Steps to Install PAM360 in Linux
- Download the file ManageEngine_PAM360.bin for linux.
- Execute the command chmod a+x <file-name> to assign the executable permission.
- Execute the command: ./<file_name>.
- Execute the command ./<file_name> -i console, if you are installing on a headless server.
- Follow the step-by-step instructions as they appear on the screen. Now, PAM360 will be installed in your machine in the location chosen. Henceforth, this installation directory shall be referred to as PAM360_Home.
7. Starting and Shutting Down PAM360
7.1 In Windows
|Using the Start Menu||Using the Tray Icon|
7.2 In Linux
8. Launching the PAM360 Web Client
There are different ways of connecting to the PAM360 web client:
8.1 Automatic Browser Launch
Once the server has started after the successful installation of PAM360, the PAM360 Login screen shows up in a browser window. As PAM360 uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.
8.2 Launching the Web Client Manually
Right-click the PAM360 tray icon and click PAM360 Web Console to launch the web client manually. The PAM360 Login screen shows up in a browser window. As PAM360 uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.
Open a browser and connect to the URL specified in the below box:
<hostname> - the host where the PAM360 server is running.
<portnumber> - the default port is 8282.
If you want to connect to the PAM360 web client in a remote machine (different from the one where PAM360 is running), open a browser and connect to the below URL:
As PAM360 uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password is admin and admin, respectively. Every time you start the server, the browser will be automatically launched.
9. Using MS SQL Server as the Backend Database
Though PAM360 supports both PostgreSQL and MSSQL databases as the backend, PAM360 is configured to run with PostgreSQL by default, and it comes bundled with the product. If you want to run PAM360 using the MSSQL database, follow the steps below:
- To ensure high level of security, PAM360 has been configured to connect to the SQL server only through SSL.
9.1.1 Create SSL certificate and install it in the Windows Certificate Store (in the machine where the SQL server is running)
Prior to connecting PAM360 with the SQL server, you need to enable SSL encryption in the SQL Server. For this, you need to create an SSL Certificate and get it signed by either a Certificate Authority (CA) or self-sign it (See more)
A) Generating the certificate and getting it signed by a third-party CA:
Create the certificate using openssl. This involves two steps - generating private key and generating certificate request. Use the following commands to create the certificate.
a. Generating Private Key: Execute the following command:
openssl genrsa -des3 -out server.key 2048b. Generating Certificate Request: Follow the below steps:
c. Installing the server certificate in the machine where the SQL server is running: Use MMC
- Use the server's Private Key to create a certificate request. Enter the Passphrase for the key, Common Name, Hostname or IP Address, when prompted. For the Common Name, specify the FQDN of the SQL Server.
openssl req -new -key server.key -out server.csr
- Once the certificate is generated, get it signed by a third-party CA such as VeriSign, Thawte, RapidSSL, etc, or self-sign it, based on your environment's requirement. For more details on submitting the CSRs, refer the corresponding CA's documentation/website. Remember, this is a paid service. In a few days, you will receive your signed SSL certificate and the CA's root certificate as .cer files.
- Install the server certificate in the machine where the SQL server is running.
- Install the CA root certificate in the PAM360 server.
- Click Start >> Run in the machine where the SQL server is running. In the Run dialog box type: MMC. The MMC console is displayed.
- From the Console menu, click Add/Remove Snap-in. Click Add and then click Certificates. Click Add again. You will be prompted to open the snap-in for the current user account, the service account, or for the computer account. Select the Computer Account.
- Select Certificates (Local Computer) >> Personal >> Certificates.
- Right-click Certificates and click All Tasks >> Import.
- Browse and select the certificate to be installed.d. Installing the CA's root certificate in PAM360:
- Copy the CA's root certificate and paste it under <PAM360 Installation Folder >/bin directory.
- From <PAM360 Installation Folder>/bin directory, execute the following command:
importCert.bat <name of the root certificate pasted as explained above>
- This adds the certificate to the PAM360 certificate store.
B) Creating a self-signed certificate:
To create a self-signed certificate and use it, carry out the following steps in the machine where SQL server is installed:
a. Create a self signed certificate using the certificate creation tool makecert.exe and install it in the machine where the SQL Server is running.
b. Execute the following command from the machine where SQL server is installed:
makecert.exe -r -pe -n "CN=pam360testlab.manageengine.com" -a sha1 -b 01/01/2011 -e 01/01/2036 -eku 220.127.116.11.18.104.22.168.1 -ss my -sr localMachine -sky exchange pam360testlab.manageengine.com.cer
Here, for CN, enter the FQDN of the SQL server, replacing the example entry pam360testlab.manageengine.com.
The above command will install a self-signed certificate in your local store. It will also store the certificate in the file: pam360testlab.manageengine.com.cer.
9.1.2 Import the SSL certificate to PAM360Follow the below steps:
- Copy the server certificate and paste it under the <PAM360 Installation Folder>/bin directory.
- Execute the following command:
importCert.bat <name of the server certificate>
This adds the certificate to the PAM360 certificate store.
9.1.3 Enable SSL Encryption in SQL Server
- Click Start in the machine where trhe SQL server is running. From the Microsoft SQL Server program menu, click Configuration Tools, and then click SQL Server Configuration Manager.
- Expand the SQL Server Network Configuration, right-click the Protocols for the server you want, and then click Properties. (Remember to click the Protocols for
section in the left pane of the tool and not the specific Protocols in the right pane.)
- On the Certificate tab, configure the Database Engine to use the certificate.
- Set the ForceEncryption option for the Database Engine to Yes, so that all the client/server communication is encrypted and the clients that cannot support encryption are denied access (recommended). Set the ForceEncryption option for the Database Engine to No, if you want the encryption to be requested by the client application (not recommended).
- Restart the SQL Server.
For more details, refer to the section Configuring SSL for SQL Server in the Microsoft's knowledge base article.
9.1.4 Execute ChangeDB.bat in PAM360
Provide the details about the SQL server to PAM360 by editing the file ChangeDB.bat (Windows) or ChangeDB.sh (Linux). Follow the below steps:
- Navigate to the <PAM360 Installation Folder>/bin folder and execute the file ChangeDB.bat (Windows) or sh ChangeDB.sh (Linux).
- In the window displayed, enter the below details:
- Select the 'Server Type' as SQL Server.
- Host Name: The name or the IP address of the machine, where the MS SQL server is installed.
- Instance Name: Specify the named instance of the SQL server, to be used for PAM360. If the instance name is not specified, PAM360 will try establishing connection with the default instance on port 1433.
Since PAM360 connects to MS SQL only in SSL mode, it is recommended that you create a dedicated database instance running in a specific port for PAM360. If you want to specify a port number other than 1433, you can specify it in the Host Name parameter above as <hostname>:<port>.
- Database Name: Name of the PAM360 database. Default is "PassTrix". If you want to have a different database name, specify it here. PAM360 will take care of creating the Master Key, Symmetric Key, etc.
- Authentication: The way by which you wish to connect to the SQL server. Choose Windows, if you are connecting to the SQL server from Windows. Make use of the Windows Single Sign On facility, provided the PAM360 service is running with a service account, which has the privilege to connect to the SQL server. Otherwise, select the option SQL.
It is recommended to choose the option Windows, as the Username and Password used for authentication are not stored anywhere.
- User Name and Password: If you have selected the option SQL in step v, specify the user name and password with which PAM360 can connect to the database.
The User Name and Password entered here will be stored in the database_params.conf file in PAM360. So, take care of hardening the host.
You can use even your Windows login credentials, if you are connecting to the database from Windows. In this case, you need to enter the User Name as <domain-name>\<username>.
- Encryption Key: The key to encrypt your data and store it in the SQL server. You may either leave it "Default" allowing PAM360 to generate a key. If you want to have your custom key, select the option Custom.
If you have selected the option Custom, do the following:
Create Database -> For details, refer to http://msdn.microsoft.com/en-us/library/aa258257(v=sql.80).aspx
Create Master Key -> For details, refer to http://technet.microsoft.com/en-us/library/ms174382.aspx
Create Certificate -> For details, refer to http://msdn.microsoft.com/en-us/library/ms187798.aspx
Create Symmetric Key -> For details, refer to http://msdn.microsoft.com/en-us/library/ms188357.aspx
- Provide the certificate name and symmetric key name in the GUI.
- Finally, click "Test" to ensure that the connection settings are proper and then click Save.
After performing the above steps, navigate to the <PAM360 Installation Folder>/conf directory and move the masterkey.key file to a secure location. The SQL Server encrypts the data with a hierarchical encryption and key management infrastructure. Each layer encrypts the layer below it by using a combination of certificates, asymmetric keys, and symmetric keys. One among them is the Database Master Key, which in turn is created by the Service Master Key and a Password. This password is stored in PAM360 under the <PAM360 Installation Folder>/conf directory in a file named masterkey.key. It is highly recommended that you move the masterkey.key file to a secure location. This is to ensure data security. Take care to keep this key safe. You will require it while performing High Availability and Disaster Recovery. If you lose this key, you will have to configure MS SQL server setup all over again.
For more details on encryption and key management in MS SQL, refer to this MSDN document http://msdn.microsoft.com/en-us/library/ms189586.aspx
10. Using MS SQL Cluster as the Backend Database
Click here for steps.
11. Workflow in PAM360
Click here for steps.
PAM360 uses AES-256 encryption to secure the passwords and other sensitive information in the password database. The key used for encryption is auto-generated and is unique for every installation. By default, this encryption key is stored in a file named pam360_key.key under the <PAM360_HOME>/conf folder. For production instances, PAM360 does not allow the encryption key to be stored within its installation folder. This is done to ensure that the encryption key and the encrypted data, in both live and backed-up database, do not reside together.
We strongly recommend that you move and store this encryption key outside of the machine, where PAM360 is installed, in another machine or an external drive. You can supply the full path of the folder, where you want to move the pam360_key.key file, manually move the file to that location and delete any reference within PAM360 server installation folder. The path can be a mapped network drive or an external USB (hard drive / thumb drive) device.
PAM360 will store the location of the pam360_key.key in a configuration file named manage_key.conf, present under the <PAM360_HOME>/conf folder. You can also edit that file directly to change the key file location. After configuring the folder location, move the pam360_key.key file to that location and ensure the file or the key value is not stored anywhere within the PAM360 installation folder.
PAM360 requires the <PAM360 installation directory>PAM360\conf path to be accessible with necessary permissions, to read the pam360_key.key file, when it starts up every time. After a successful start-up, it does not need access to the file anymore and the device with the file can go offline.
- Always ensure sufficient protection to the key with multiple layers of encryption (such as by using Windows File Encryption) and access control.
- Since only the PAM360 application needs access to this key, make sure no other software, script or person has access to this key under any circumstances.
- Take care of securely backing up the pam360_key.key file by yourself. You can recover the PAM360 backups only if you supply this key. If you misplace the key or lose it, PAM360 will not start.
- If you store the database_params.conf file at a different location, you will have to copy the file back to the original location (i.e. to <PAM360 Installation Folder>/conf/ ), whenever you perform an application upgrade.
13. Rotating the Encryption Key
Even if you are sure of managing the encryption key securely outside of PAM360, one of the best practices is to periodically change the encryption key. PAM360 provides an easy option to automatically rotate the encryption key.
13.1 How does the key rotation process work?
PAM360 will look for the current encryption key present in the file pam360_key.key, available in the path specified in the manage_key.conf file, present under the <PAM360_HOME>/conf folder. Only if it is present in the specified path, the rotation process will continue. Before rotating the encryption key, PAM360 will take a copy of the entire database. This is to avoid data loss, if anything goes wrong with the rotation process.
During the key rotation process, all passwords and sensitive data will be decrypted first using the current encryption key and subsequently encrypted with the new key. Later, the new key will be written in the pam360_key.key file present in the location as specified in the manage_key.conf file. At the end of successful key rotation, PAM360 will write the new encryption key in the same file that contains the old key. If any error occurs while writing the key, the rotation process will be aborted.
13.2 Steps to rotate the encryption key (if you are NOT using High Availability)
- Ensure that the current encryption key (pam360_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that PAM360 gets the read/write permission while accessing the pam360_key.key file.
- Stop the PAM360 server.
- Open the command prompt and navigate to <PAM360-Installation-Folder>/bin directory. Execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete.
- Start the PAM360 server once you see the confirmation message.
13.3 Steps to rotate the encryption key (if you are USING High Availability)
- Navigate to Admin >> General >> High Availability in the PAM360 web interface. Make sure High Availability and Replication Status are alive.
- Check if the current encryption key (pam360_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that PAM360 gets the read/write permission when accessing the pam360_key.key file.
- Stop the PAM360 Primary server and make sure PAM360 Secondary server is running.
- Open the command prompt in the PAM360 Primary installation, navigate to the
/bin directory and execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete. You will see confirmation message ons successful completion of the rotation process
- Copy the new encryption key from the Primary installation and paste it in the location, as specified in the manage_key.conf file. This is the location from where the Standby will fetch the pam360_key.key file.
- Now, start the Primary and the Standby servers.
14. Managing the PAM360 Database Password
Apart from AES encryption, the PAM360 database is secured using a separate password, which is auto-generated and unique for every installation. The password for the database can be stored securely in PAM360 itself. There is also an option to store the password at some other secure location, accessible by the PAM360 server.
By default, the database password is stored under <PAM360 Installation Folder>/conf/database_params.conf. If you choose to manage the database password by yourself, store the configuration file somewhere securely and instruct the location of the file to PAM360. Follow the below steps:
- If you are starting PAM360 as service, go to <<PAM360 Installation Folder>/conf/wrapper.conf (in Windows) / <PAM360 Installation Folder>/conf/wrapper_lin.conf (in Linux) and edit the following entry under "Java Additional Parameters"
wrapper.java.additional.9=-Ddatabaseparams.file=<full path of the database_params.conf file location>
- If you are starting PAM360 from command line or through the tray icon, you need to edit the file system_properties.conf present in <PAM360 Installation Folder>/conf directory. In this file, edit the following entry under "Splash Screen default Properties"
databaseparams.file=<full path of database_params.conf file>
15.1 License Types
There are three license types:
- Evaluation download / Trial Version: You can straightaway download and install this trial version. It is fully functional, capable of supporting a maximum of 5 administrators and you can evaluate all the features for 30 days.
- Free Edition: Licensed software that allows you to have 1 administrator and manage up to 10 resources. Valid forever.
- Registered Version - You get the Enterprise edition, and Licensing is based on the Number of Administrators. This is useful if you require more enterprise-class features such as auto discovery of privileged accounts, integration with ticketing systems and SIEM solutions, jump server configuration, application-to-application password management, out-of-the-box compliance reports, SQL server / cluster as backend database, etc.
15.2 User Roles and Licensing
PAM360 comes with five user roles:
The term 'administrator' denotes Administrators, Password Administrators and Privileged Administrators. So, licensing restricts the number of administrators as a whole, which includes Administrators, Password Administrators and Privileged Administrators. There is no restriction on the number of Password Users and Password Auditors. To get more details on the five user roles, see here.
15.3 Features Matrix
For more information on licensing or to procure a license, get in touch with our sales team @firstname.lastname@example.org.
16. Transferring PAM360 Installation
If you want to move the PAM360 installation from one machine to another, or to a different location within the same machine, follow the procedure detailed below:
Do not remove the existing installation of PAM360 until the new installation works fine. This is to ensure a backup and to overcome any disaster/data corruption during the movement.
16.2 Steps Required
- Take a backup of the current database and install PAM360 in the new machine.
- Restore the backup data in the new installation.
17. Updating Web Server Certificates using PAM360 Web Console
If you want to use PAM360 web console to update the web server certificates, follow the below steps:
- Navigate to Admin >> Configuration >> PAM360 Server.
- In the PAM360 Server page that opens, install your keystore file belonging to the SSL certificate and/or change the default PAM360 server port.
- To update your SSL certificate, select the type of the keystore file (JKS, PKCS12 or PKCS11) from the Keystore type drop down menu.
- Browse the keystore file from your system and upload it in the Keystore Filename field.
- Enter the password of your keystore file beside the Keystore Password field.
- If you want to change the default PAM360 server port, enter the port number against the Server Port field.
- Click Save.
- Restart Password Manger Pro after saving the changes.
18. MSP Edition
If you want to use the MSP edition of PAM360, refer here.
For any assistance, please contact email@example.com / Toll Free: + 1 888 720 9500.