Password Management API for Application-to-Application Password Management

If you have applications in your infrastructure that require connecting to other applications using a password, they can query PAM360 to retrieve the password. This way, the application-to-application (A-to-A) passwords can also follow good password management practices like periodic rotation, without the trouble of manually making the updates in many places. The same procedure can be used for Application-to-Database password management (A-to-DB).

Here in this document you will learn about the following topics:

  1. How does A-to-A / A-to-DB Password Retrieval & Management Work?
  2. How to set up the Password Management API?
  3. Commands to be included in your Application for Automatic A-to-A / A-to-DB Password Management

1. How does A-to-A / A-to-DB Password Retrieval & Management Work?

The web API exposed by PAM360 forms the basis for A-to-A password management in PAM360. Applications connect to and interact with PAM360 over HTTPS. The application's identity is verified by requiring it to present a valid SSL client certificate matching the details already provided to PAM360 for that application. PAM360 makes this easier for applications by providing a command line script that abstracts the complexities of using the web API; the command line scripts invoke libraries that use the web API.

2. How to set up the Password Management API?

When you want an application to use the PAM360 web API, first register the application with PAM360, providing specific details about the application. PAM360 will then create an integration toolkit containing the libraries and the command line scripts. The application can then use the toolkit to perform password operations on the PAM360 repository. Follow the procedure detailed below:

Step 1 - Downloading API Toolkit

  1. Go to Admin >> General and click Password Management API.
  2. In the GUI that opens, click Add Application and provide details about your application. Fill in the following details:

     Application Name

     Name of the application in which you wish to deploy A-to-A password management using PAM360

     DNS Name/IP Address

     This is required to establish communication between the application and PAM360

     Resource Type

     Select the operating system in which the application runs. Only those operating systems that are listed in the drop-down are supported by PAM360 (at present Windows & Linux are supported).

     Operations Allowed

     Select the password management operations you wish to allow for the application - Creating Passwords / Resetting Passwords / Retrieving Passwords.

     Inherit the permissions of

     You need to set the password access permissions for the application. The application cannot be allowed to manage all passwords; it has to be allotted the specific passwords accessible to it. PAM360 already has comprehensive, well-defined access permissions for users, so the application may be permitted to inherit the access levels of one of the PAM360 users. Select the name of that user from the drop-down.

  3. Click Save. Now, using the details provided by you, PAM360 will create a toolkit for the application.
  4. Click Download Toolkit and save the toolkit on the server where the application is running.

Step 2 - Setting up PAM360 API in the application

As mentioned above, the application's identity is verified by requiring it to present a valid SSL client certificate matching the details already provided to PAM360 for that application. To make these settings:

Create SSL client certificate & private key:

Create an SSL client certificate and its private key, and keep both on the application server (see the note at the end of Step 3).

Configurations for PAM360 API:

Open a command prompt and navigate to the directory where you have installed the PAM360 API.

Edit PAM360_API.conf and set the absolute paths of the client certificate and its private key (which you created and stored as explained above) in the parameters ClientCertPath and ClientKeyPath.

Step 3 - Creating truststore in PAM360 Installation

  1. This step creates a truststore in PAM360 for A-to-A / A-to-DB authentication. Open a command prompt, navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

    For Windows:

    importCert.bat <Absolute Path of client certificate created by you>

    For Linux:

    importCert.sh <Absolute Path of client certificate created by you>

  2. Restart PAM360 server.

Important Note: The client certificate & private key must be present on the application server in which you want to use A-to-A / A-to-DB password management.

3. Commands to be included in your Application for Automatic A-to-A / A-to-DB Password Management

The above steps complete the installation of the PAM360 API in the application. For automatic A-to-A password management, use the following commands in your application to invoke the API.

3.1 For Password Retrieval

Open a command prompt, navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PAM360_API.bat RETRIEVE <Resource Name as present in PAM360> <Account Name as present in PAM360>

For Linux:

PAM360_API.sh RETRIEVE <Resource Name as present in PAM360> <Account Name as present in PAM360>

Executing the above command will return the password alone.

3.2 For Resetting Password Locally

Open a command prompt, navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PAM360_API.bat RESET_LOCAL <Resource Name as present in PAM360> <Account Name as present in PAM360> <New Password>

For Linux:

PAM360_API.sh RESET_LOCAL <Resource Name as present in PAM360> <Account Name as present in PAM360> <New Password>

3.3 For Remote Password Reset

Open a command prompt, navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PAM360_API.bat RESET_REMOTE <Resource Name as present in PAM360> <Account Name as present in PAM360> <New Password>

For Linux:

PAM360_API.sh RESET_REMOTE <Resource Name as present in PAM360> <Account Name as present in PAM360> <New Password>

Executing the above command will attempt a remote password reset. If the operation succeeds, it will change the password in PAM360 too and return the message Password changed successfully. If the remote password reset fails, it will not change the password in PAM360 and will return the message Password reset failed.

3.4 For Creating a New Resource & a User Account

Open a command prompt, navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PAM360_API.bat CREATE <Resource Name> <Account Name> <Password>

For Linux:

PAM360_API.sh CREATE <Resource Name> <Account Name> <Password>

Executing the above command will create a new resource and an account in PAM360. If you do not give a password for the account, PAM360 will automatically generate one.
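The retrieval (3.1) and remote reset (3.3) commands as an application would wrap them, added here as an example that is not part of the PAM360 toolkit. It assumes a POSIX shell on Linux, that PAM360_API.sh is in the current directory (override via the PAM360_API variable, an assumed name), and that the toolkit prints exactly the result messages described above; pam_retrieve, pam_reset_status and pam_reset_remote are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the PAM360 toolkit): shell helpers an application
# can call instead of invoking PAM360_API.sh directly. PAM360_API, pam_retrieve,
# pam_reset_status and pam_reset_remote are assumed names for this example.
PAM360_API="${PAM360_API:-./PAM360_API.sh}"

# Retrieve the password for a resource/account as present in PAM360.
# The toolkit prints the password alone, so capture stdout and hand the value
# to the consumer through a variable or its environment, never as a command
# line argument of another process (the process list would expose it).
pam_retrieve() {
    # $1 = resource name, $2 = account name
    _pw=$("$PAM360_API" RETRIEVE "$1" "$2") || return 1
    # An empty result means nothing usable came back; treat it as failure.
    [ -n "$_pw" ] || return 1
    printf '%s' "$_pw"
}

# Map the message printed by RESET_REMOTE to an exit status so callers can
# tell whether PAM360 itself was updated:
#   0 = "Password changed successfully" (remote target and PAM360 updated)
#   1 = "Password reset failed"         (PAM360 left unchanged)
#   2 = anything else (treat as an error and inspect the toolkit output)
pam_reset_status() {
    case "$1" in
        *"Password changed successfully"*) return 0 ;;
        *"Password reset failed"*)         return 1 ;;
        *)                                 return 2 ;;
    esac
}

# Reset the password on the remote resource and in PAM360, then classify the
# result. Note that the toolkit itself takes the new password as an argument.
pam_reset_remote() {
    # $1 = resource name, $2 = account name, $3 = new password
    _out=$("$PAM360_API" RESET_REMOTE "$1" "$2" "$3")
    pam_reset_status "$_out"
}
```

A caller would use `DB_PASSWORD=$(pam_retrieve "$RESOURCE" "$ACCOUNT") || exit 1` and then check `pam_reset_remote` before assuming a rotation took effect in PAM360.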
