PAM360 Basic Implementation and Best Practices

Before managing your critical resources and privileged accounts, it is essential to properly set up your PAM360 account. The setup process involves several key steps: configuring the mail server, upgrading your account with the procured license key, managing the encryption key, onboarding users, and enhancing security with two-factor authentication. Let's explore each of these steps in detail to ensure your PAM360 account is configured correctly and securely.

  1. Licensing
  2. Managing the PAM360 Encryption Key
  3. Rotating the PAM360 Encryption Key
  4. Updating the PAM360 Web Server Certificate
  5. Setting up the Mail Server
  6. Adding the Users
  7. Adding the Resources
  8. Setting up Disaster Recovery

1. Licensing

The crucial step before configuring the PAM360 application is to update the license key in your PAM360 account. This step unlocks the complete functionality of the software. Store the purchased license file locally on your computer for easy access before beginning this process.

  1. Click on the profile icon at the top right corner of your PAM360 interface and select the License option. This action will open a pop-up window displaying your current license details.
  2. Click on the Browse option within the License pop-up window, locate the license file on your computer, and select it.
  3. Click Open to upload the selected license file.
    licensing
  4. Finally, click the Upgrade icon within the License window to complete the process.
  5. Close the PAM360 web client and restart the PAM360 service.

2. Managing PAM360 Encryption Key

PAM360 employs AES-256 encryption to secure passwords and other sensitive information in its password database. The encryption key used is auto-generated and unique for each installation. By default, this key is stored in a file named pam360_key.key within the <PAM360 Installation Directory>/conf folder of the installation directory. However, for production instances, PAM360 mandates that the encryption key not be stored within its installation folder to prevent the encryption key and the encrypted data in both live and backed-up databases from residing together.

We strongly recommend relocating this encryption key to an external location outside the machine where PAM360 is installed, such as another machine or an external drive. You can specify the full path of the folder where you wish to move the pam360_key.key file, manually transfer the file to that location and remove any references within the PAM360 server installation folder. The path can be a mapped network drive or an external USB (hard drive/thumb drive) device.
managing-pam360-key

PAM360 will record the location of the pam360_key.key in a configuration file named manage_key.conf, located in the <PAM360 Installation Directory>/conf folder. You can also directly edit this file to change the key file location. After configuring the folder location, move the pam360_key.key file there and ensure the file or the key value is not stored anywhere within the PAM360 installation folder.

PAM360 requires the conf path to be accessible with the necessary permissions to read the pam360_key.key file during startup. Once the startup is complete, access to the file is no longer needed, and the device containing the file can be taken offline.

Caution

From PAM360 build 8000 onwards, it is mandatory to retain the pam360_key.key file in the file path specified in the manage_key.conf file for a seamless operation. PAM360 continuously accesses this file to ensure uninterrupted operation. If the pam360_key.key file is not available in the specified path, the service may not startup or certain features such as database backup will not function.

Best Practices

  • Always ensure robust protection for the encryption key with multiple layers of security, such as using Windows File Encryption and stringent access controls. Since only the PAM360 application requires access to this key, it is imperative that no other software, script, or individual can access it under any circumstances.
  • It is crucial to securely back up the pam360_key.key file independently. You will need this key to recover PAM360 backups. If the key is misplaced or lost, PAM360 will not start.
  • Additionally, if you store the database_params.conf file in a different location, you must copy it back to the original location (i.e., <PAM360 Installation Folder>/conf/) before performing any application upgrades.

3. Rotating the PAM360 Encryption Key

Even if you securely manage the encryption key outside of PAM360, it is best practice to periodically change the encryption key. PAM360 provides an easy option to automatically rotate the encryption key.

3.1 How Does the Key Rotation Process Work?

PAM360 looks for the current encryption key in the pam360_key.key file, located in the path specified in the manage_key.conf file under the <PAM360 Installation Directory>/conf. The rotation process will only proceed if the key is present in the specified path. Before rotating the encryption key, PAM360 takes a copy of the entire database to prevent data loss in case of any issues during the rotation process.

During key rotation, all passwords and sensitive data are first decrypted using the current encryption key and then re-encrypted with the new key. The new key is then written to the pam360_key.key file at the location specified in the manage_key.conf file. If any error occurs while writing the key, the rotation process is aborted.

3.2 Steps to Rotate the Encryption Key (if you are NOT using High Availability)

  1. Ensure the current encryption key (pam360_key.key file) is present at the location specified in the manage_key.conf file. Also, ensure PAM360 has read/write permissions for accessing the pam360_key.key file.
  2. Stop the PAM360 server.
  3. Open the command prompt and navigate to the <PAM360-Installation Directory>/bin directory. Execute RotateKey.bat (on Windows) or sh RotateKey.sh (on Linux).
  4. Based on the number of managed passwords and other parameters, the rotation process will take a few minutes to complete.
  5. Start the PAM360 server once you see the confirmation message.

3.3 Steps to Rotate the Encryption Key (if you are USING High Availability)

  1. Navigate to Admin >> Business Continuity >> High Availability in the PAM360 web interface. Ensure high availability and replication status are active.
  2. Check if the current encryption key (pam360_key.key file) is present at the location specified in the manage_key.conf file. Also, ensure PAM360 has read/write permissions for accessing the pam360_key.key file.
  3. Stop the PAM360 Primary server and ensure the PAM360 secondary server is running.
  4. Open the command prompt on the PAM360 Primary installation, navigate to the bin folder in the installation directory directory, and execute RotateKey.bat (on Windows) or sh RotateKey.sh (on Linux).
  5. Based on the number of managed passwords and other parameters, the rotation process will take a few minutes to complete. You will see a confirmation message upon successful completion.
  6. Copy the new encryption key from the Primary installation and paste it into the location specified in the manage_key.conf file. This is where the Standby server will fetch the pam360_key.key file.
  7. Start both the primary and standby servers.

4. Updating PAM360 Web Server Certificates from Web Console

To update the PAM360 web server certificate from the web console, follow these steps:

  1. Navigate to Admin >> Server Settings >> PAM360 Server.
  2. On the PAM360 Server page that opens, install your keystore file belonging to the SSL certificate and/or change the default PAM360 server port.
  3. To update your SSL certificate, select the type of the keystore file (JKS, PKCS12, or PKCS11) from the Keystore type drop-down menu.
  4. Browse for the keystore file on your system and upload it in the Keystore Filename field.
  5. Enter the password for your keystore file in the Keystore Password field.
  6. If you want to change the default PAM360 server port, enter the new port number in the Server Port field.
  7. Click Save and restart PAM360 after saving the changes.
    server-certificate

5. Configuring Simple Mail Transfer Protocol (SMTP)

Setting up the Simple Mail Transfer Protocol (SMTP) server is essential for delivering important messages to users. PAM360 uses email to notify users about their account details, such as username, password, and the URL to access the PAM360 application. Therefore, it is crucial to configure the SMTP server before onboarding users. PAM360 offers the following options:

  1. Existing SMTP mail server in your organization
  2. Microsoft Exchange Online

Caution

If you choose Microsoft Exchange Online as the mail server, OAuth 2.0 authentication is required for all email communications sent from the product.

Refer to the Mail Server Settings documentation to know more about the configuration and setup.

6. Adding Users into PAM360

Best Practice

Ensure you change the password of the default admin user or delete the account after adding another administrator user.

Onboarding users is a crucial step in setting up your PAM360 account. PAM360 allows you to onboard users manually or import them from various sources such as a file, Active Directory, Microsoft Entra ID, or LDAP. Detailed instructions for each method can be found through the provided links. Using the administrator account, you can add or import users and assign them roles based on their required permissions. PAM360 offers six predefined user roles but also provides the flexibility to create custom user roles. These custom roles enable you to modify access and permissions according to your organizational needs.

Additionally, PAM360 allows you to organize users into groups based on factors like designation, department, or location, facilitating efficient user management and simplifying permission assignments.

Furthermore, PAM360 supports the creation of API user accounts necessary for application-to-application password management. Users with administrator privileges can add API users. For detailed steps on adding an API user, click here.

6.1 Enabling Two-Factor Authentication

Two-Factor Authentication (TFA) is a security mechanism that requires users to provide a secondary authentication factor to access their PAM360 account. Enabling TFA enhances account security by adding an extra layer of protection. Once TFA is enabled, users must authenticate using the selected TFA mechanism after logging in with their username and password. Administrator accounts have the ability to set up and disable TFA.

PAM360 supports various TFA mechanisms, including OTP via email, Google Authenticator, and Duo Security. Administrators can choose any of the supported mechanisms and configure them accordingly. Refer to this document for detailed steps on setting up two-factor authentication.

7. Adding Resources into PAM360

The first step in password management with PAM360 is adding your resources to the PAM360 database. Resources refer to the servers, applications, or devices whose user accounts and passwords will be managed by PAM360.

Resources can be added manually or imported from a file along with their user account and password information. Depending on your needs, you can set up the password reset method to be either remote or agent-based. For ease of management, resources can be grouped together to perform bulk operations. Additionally, you can create nested resource groups, maintaining a hierarchical structure for navigational convenience.

By default, only the user who added the passwords can view and edit them. However, you can share resource passwords with other PAM360 users or user groups as needed. This allows users to access and modify passwords that are owned by them or shared with them.

7.1 Access Control Approval Workflow

After adding resources, administrators can implement an access control workflow for enhanced security. Upon successful authentication into PAM360, users gain access to passwords owned by them or shared with them. In some cases, administrators might want to grant temporary access to passwords for specific users for a limited time.

Set up the access control workflow according to your organization’s requirements.

However, if you are a user responsible for viewing assigned passwords, no additional configuration is needed. You can directly view and edit the passwords of the resources or accounts if you have the necessary permissions.

8. Setting up Disaster Recovery

To set up disaster recovery, follow these steps:

  1. Configure Database Backup: Schedule regular backups of the entire PAM360 database.
  2. Export Resource Information: Export resource information in a readable format of your choice to maintain copies.





Top