Password reset using PAM360 Agents

(Feature available only in Premium and Enterprise Editions. This document is applicable only for PAM360 versions 6303 and earlier. If you are using PAM360 6400 and later, refer to the documentation for that version.)

PAM360 provides the option to remotely change the passwords of select resources by deploying PAM360 agents. As of now, this facility is available only for changing the passwords of servers: Windows, Windows Domain and Linux. Using this utility, you can change the password of a server in a remote location from the PAM360 web interface itself.

The agent can be used on target machines to which the PAM360 server can connect and effect password changes. All password-related communication is over HTTPS and is secure. The agent is useful in cases where

  • the PAM360 server runs on a Linux system and has to make password changes to Windows resources
  • the administrative credentials required to make the password changes remotely are not available in the PAM360 server
  • the password of domain accounts has to be changed without the administrator credentials of the domain controller

Downloading the PAM360 Agent

The PAM360 agent package is dynamically created by the PAM360 server so that it includes the SSL certificate of the PAM360 server, which is used for the HTTPS communication between the server and the agent. So, the only place to download the agent is the 'Admin' tab of the PAM360 web GUI. The agent package is a zip file containing the necessary executables, configuration files and the SSL certificate. Download the agent that matches the OS of the target and unzip the package.

Installing the PAM360 Agent in Windows

The package has all the necessary configuration already created by the server. Make sure the account in the system in which the agent is installed has the privileges required to modify passwords.

To install the PAM360 Agent as a Windows service,

  • Open a command prompt and navigate to the PAM360 agent installation directory
  • Execute the command 'AgentInstaller.exe start'

To stop the PAM360 Agent service,

  • Open a command prompt and navigate to the PAM360 agent installation directory
  • Execute the command 'AgentInstaller.exe stop'

Configuring the port

The default port on which the agent listens for password reset triggers from the server is 5768. To change this to a different value,

  • Go to the PAM360 agent installation directory
  • Open the file Agent.conf
  • Modify the parameter ScheduleInterval to the value you require
  • Restart the agent service

Installing the PAM360 Agent in Linux

The package has all the necessary configuration already created by the server. Make sure the account in the system in which the agent is installed has the privileges required to modify passwords.

To install the agent as a service

  • Execute the command "sh installAgent-service.sh install"

To start the agent

  • Execute the command "sh installAgent-service.sh start"

To stop the agent

  • Execute the command "sh installAgent-service.sh stop"

To uninstall the agent service

  • Execute the command "sh installAgent-service.sh remove" if you wish to remove the PAM360 Agent as a service

Configuring the port

The default port on which the agent listens for password reset triggers from the server is 5768. To change this to a different value,

  • Go to the PAM360 agent installation directory
  • Open the file Agent.conf
  • Modify the parameter ScheduleInterval to the value you require
  • Restart the agent service

To remotely change the password,

  • Go to 'Resources' Tab
  • Click the name of the resource whose password has to be changed remotely
  • Click the "Change Password" icon

Parameters in Agent.conf

Field Name: Description

  • ServerName: Host name in which the PAM360 server is running.
  • ServerPort: Web server port of PAM360.
  • ScheduleInterval: Agent keeps checking the PAM360 server periodically to see if any tasks related to password reset or integrity check are pending. By default, the schedule interval for this activity is set to be 60 seconds. The value (in seconds) is configurable.
  • userAddScheduleInterval: If any new user accounts get added in the machine where the agent has been deployed, the same can be automatically added to PAM360 server at periodic intervals. By default, the schedule interval for new user accounts addition is set to be 24 hours. The value (in hours) is configurable.
  • UserName: Name of the user who deployed the agent in the machine.
  • FIPS: Status whether PAM360 is running in FIPS 140-2 compliant mode.
  • OSType: Type of operating system in which the agent is deployed.
  • OrgAgentKey: Unique key for the agent. It is unique for every organization. PAM360 authenticates this key for every request.
  • certificate.check: PAM360 verifies the SSL certificate if the certificate check is set to "TRUE". However, all the communication will happen over SSL only.
  • Version: It displays the PAM360 version of the machine in which the agent is deployed.
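
A quick audit of Agent.conf before the agent service is started, as an added example that is not ManageEngine code. It flags a certificate.check value other than "TRUE" (traffic is still over SSL, but the server certificate is not verified), malformed ServerPort or ScheduleInterval values, and a file that other local users can read, since it holds OrgAgentKey. Assumptions: the file stores the fields above as Key=Value lines (the page does not show its syntax); the function names, the sample values and the owner-only permission check are this example's own.

```shell
#!/bin/sh
# Added example, not vendor code. ASSUMPTION: Agent.conf holds "Key=Value"
# lines; the page names the fields but does not show the file syntax.

# conf_get FILE KEY: print KEY's value with surrounding blanks/CR trimmed.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t\r]+$/, "", v); val = v }
        END { print val }' "$1"
}

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# audit_agent_conf FILE: print one line per finding, return the finding count.
audit_agent_conf() {
    f=$1; n=0
    if [ ! -r "$f" ]; then echo "cannot read $f"; return 1; fi
    cc=$(conf_get "$f" certificate.check | tr '[:lower:]' '[:upper:]')
    if [ "$cc" != "TRUE" ]; then
        echo "certificate.check='$cc': server certificate is not verified"; n=$((n+1))
    fi
    port=$(conf_get "$f" ServerPort)
    if ! is_uint "$port" || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "ServerPort='$port' is not a valid TCP port"; n=$((n+1))
    fi
    iv=$(conf_get "$f" ScheduleInterval)
    if ! is_uint "$iv" || [ "$iv" -lt 1 ]; then
        echo "ScheduleInterval='$iv' is not a positive number of seconds"; n=$((n+1))
    fi
    if [ -z "$(conf_get "$f" ServerName)" ]; then echo "ServerName is empty"; n=$((n+1)); fi
    if [ -z "$(conf_get "$f" OrgAgentKey)" ]; then echo "OrgAgentKey is empty"; n=$((n+1)); fi
    # OrgAgentKey authenticates the agent, so the file should be owner-only.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$f is readable by group or others"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample (placeholder values, not a real deployment); mktemp
# creates the file with owner-only permissions.
sample=$(mktemp)
printf '%s\n' 'ServerName=pam360.example.internal' 'ServerPort=8443' \
    'ScheduleInterval=60' 'OrgAgentKey=PLACEHOLDER-KEY' \
    'certificate.check=FALSE' > "$sample"
audit_agent_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a deployed agent, call `audit_agent_conf` with the path to Agent.conf in the agent installation directory; a return value of 0 means no findings.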


Troubleshooting

If the password changes do not take effect in the target systems, check

  • if the agent port is reachable from the server through a TCP connection (using telnet)
  • if the account in which the agent is installed has sufficient privileges to make password changes

©2019, ZOHO Corp. All Rights Reserved.
