Password Management API for Application-to-Application Password Management

(Feature available only in Premium and Enterprise Editions)

If you have applications in your infrastructure that require connecting to other applications using a password, they can query PAM360 to retrieve the password. This way, the application-to-application (A-to-A) passwords can also follow good password management practices like periodic rotation, without the trouble of manually making the updates at many places. Same procedure can be used for Application-to-Database password management (A-to-DB).

How does A-to-A / A-to-DB Password Retrieval & Management Work?

The web API exposed by PAM360 forms the basis for A-to-A Password Management in PAM360. The applications connect and interact with PAM360 through HTTPS. The application's identity is verified by forcing it to issue a valid SSL certificate, matching the details already provided to PAM360 corresponding to that application. PAM360 makes it easier for applications by providing a command line script that abstracts the complexities of using the web API. The command line scripts invoke libraries that use the web API.

How to setup Password Management API?

When you want an application to use the PAM360 web API, first you should register the application with PAM360, providing specific details on the application. PAM360 will then create an integration toolkit containing the libraries and the command line scripts. The application can then use the toolkit to perform password operations on the PAM360 repository. Follow the procedure detailed below to do this:

Step 1 - Downloading API Toolkit

  • Go to "Admin" >> "General" and click "Password Management API"
  • In the GUI that opens, click "Add Application" and provide details about your application. Fill-in the following details
  • Term Definition

    Application Name

    Name of the application in which you wish to deploy A-to-A password management using PAM360

    DNS Name/IP Address

    This is required to establish communication between the application and PAM360

    Resource Type

    Select the operating system in which the application runs. Only those operating systems that are listed in the drop-down are supported by PAM360 (at present Windows & Linux are supported)

    Operations Allowed

    Select the password management operations you wish to allow for the application - Creating Passwords / Resetting Passwords / Retrieving Passwords.

    Inherit the permissions of

    You need to set the password access permissions for the application. The application cannot be allowed to manage all passwords. It has to be allotted specific passwords accessible to it. PAM360 already has a comprehensive, well-defined access permissions for users. The application may be permitted to inherit the same access levels of one of the users of PAM360. Select the name of the user from the drop-down.

  • Click "Save". Now, using the details provided by you, PAM360 will create a toolkit for the application
  • Click "Download Toolkit" and save the toolkit in the server where the application is running

Step 2 - Setting up PAM360 API in the application

As mentioned above, the application's identity is verified by forcing it to issue a valid SSL certificate, matching the details already provided to PAM360 corresponding to that application. To make these settings,

Create SSL client certificate & private key

  • Create SSL client certificate & private key

Configurations for PAM360 API

  • Open a command prompt and navigate to the directory where you have installed the PAM360 API
  • Edit PAM360_API.conf and set the absolute path of client certificate and its private key (that you created and stored as explained above) for the parameters ClientCertPath and ClientKeyPath

Step 3 - Creating truststore in PAM360 Installation

  • This step is to create truststore in PAM360 for A-to-A / A-to-DB authentication. Open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:
  • For Windows

    importCert.bat <Absolute Path of client certificate created by you>

    For Linux

    importCert.sh <Absolute Path of client certificate created by you>

  • Restart PAM360 server

Important Note: The client certificate & private should be compulsorily present in the application server in which you want to use A-to-A / A-to-DB password management.

Commands to be included in your application for automatic A-to-A / A-to-DB password management

The above steps represent the completion of PAM360 API installation in the application. For automatic A-to-A password management, you need to use the following commands in your application invoking the API.

For Password Retrieval

Open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows

PAM360_API.bat RETRIEVE <Resource Name as present in PAM360> <Account Name as present in PAM360>

For Linux

PAM360_API.sh RETRIEVE <Resource Name as present in PAM360> <Account Name as present in PAM360>

Executing the above command will return the password alone.

For Resetting Password Locally

Open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows

PAM360_API.bat RESET_LOCAL <Resource Name as present in PAM360> <Account Name as present in PAM360><New Password>

For Linux

PAM360_API.sh RESET_LOCAL <Resource Name as present in PAM360> <Account Name as present in PAM360><New Password>

For Remote Password Reset

Open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows

PAM360_API.bat RESET_REMOTE <Resource Name as present in PAM360> <Account Name as present in PAM360><New Password>

For Linux

PAM360_API.sh RESET_REMOTE <Resource Name as present in PAM360> <Account Name as present in PAM360><New Password>

Executing the above command will try to do remote password reset. If the operation succeeds, it will change the password in PAM360 too and will return the message "Password changed successfully". In case, remote password reset fails, it will not change the password in PAM360 and will return the message "Password reset failed".

For Creating a New Resource & an User Account

Open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

For Windows

PAM360_API.bat CREATE <Resource Name> <Account Name><Password>

For Linux

PAM360_API.sh CREATE <Resource Name> <Account Name><Password>

Executing the above command will create a new resource and an account in PAM360. If you do not give a password for the account, PAM360 will automatically generate one.

©2019, ZOHO Corp. All Rights Reserved.

Top