Password Manager Pro Agents
(Feature available only in Premium and Enterprise editions, steps applicable only for build 10302 and later)

For steps to install the agent for versions 10301 and earlier, click here.


Notes:

  1. Password Manager Pro agent will work only on Red Hat versions up to 7.9, and CentOS (up to build 11300).
  2. For the Go agent, from build 11301, the AMD64 version is supported for Ubuntu, CentOS, Red Hat, Debian, and other Linux flavors, and the ARM64 version is supported for Red Hat.
  1. Overview
  2. Communication between the PMP Server and the PMP Agent
  3. Steps to Install PMP Agents

    3.1 Prerequisite

    3.2 Downloading PMP Agents

    3.3 Installing Windows Agent/Windows Domain Agent - 32bit, 64bit and C#

    3.4 Installing Linux Agent - 32bit, 64bit and Go

    3.5 Configuring Agent Settings

  4. Discovering Local Accounts using the PMP Agent
  5. Finding Tasks Awaiting Execution by the PMP Agent

1. Overview

Deploying the Password Manager Pro (PMP) agent allows you to establish connections with remote resources that are not connected to the PMP server, and manage them from PMP. The PMP agent is available for Windows, Windows domain, and Linux servers. The agent package, available for download in the PMP web interface, contains the necessary executable/configuration files and an SSL certificate used for the HTTPS communication between the agent and the PMP web server. Once deployed in the target machines, the agents will communicate with Password Manager Pro and effect password changes. By using this option, you can change the password of a remote resource directly from the Password Manager Pro web interface.

The PMP agent is useful in the following cases:
  • When the PMP server runs in a Linux system, and password reset has to be carried out for a Windows machine.
  • If the target systems are in a Demilitarized Zone (DMZ) or a different network to which the PMP server does not have direct connectivity.
  • If the required administrative credentials are not stored locally in the PMP server to execute remote password resets.
  • To change the password of domain accounts without the domain controller's admin credentials.

2. Communication between the PMP Server and the PMP Agent

All password-related communication between the PMP server and the agent is carried out securely over HTTPS. Since the agent always initiates the connection, the communication is one-way. The agent residing in the target machines only needs access to the PMP web interface, thereby only the PMP web server needs to be available for the agent. Since the agent uses the outbound traffic to reach the login page of PMP, there is no need to punch firewall holes or create VPN paths to allow inbound traffic for the server to reach all the deployed agents.

The agent will periodically ping the PMP web server through HTTPS to check if any operation is pending for execution. By default, the agent pings the server once every 60 seconds but the interval can be changed according to requirements. Once the agent contacts the PMP web server, the server will trigger the list of tasks to be carried out by the agent in the remote resource. Once the tasks have been executed, the agent will notify the results to the PMP web server.

Note: Since the tasks are triggered by the web server only upon contact from the agent, the time taken for successful task execution will depend on how quickly the agent can connect with the PMP web server.

3. Steps to Install PMP Agents

3.1 Prerequisite

Before installing the agent, ensure that the account that you use to install the agent in the remote host has sufficient privileges to carry out password modifications.

3.2 Downloading PMP Agents

  1. Navigate to Admin >> PMP Agents.
  2. You will see the agent packages for both 32-bit and 64-bit versions of the following operating systems:
    • Windows
    • Windows Domain
    • Linux
  3. Click the required agent package.

  4. In the pop-up that appears, copy the Agent Key using the copy icon beside it. This Agent Key is necessary to install the PMP agent in the target system and it can be used one time only. Once the Agent Key is supplied for an installation, it will become invalid. (Supplying the Agent Key is applicable from build 10302 and above only)
  5. To keep a single key active for a specified amount of time, select the option Allow the key to be active for: X hours and specify the number of hours (up to 24). Now, the same Agent Key can be used for any number of agent installations within the specified time.

    Note:

    1. Please do not share this key as it might cause the unauthorized use of the agent.
    2. Open the <PMP Installation Folder>/conf/system_properties.conf file and add the following entry to extend the key validity up to 999 hrs.
      • agent.gpo.time=999
  6. Click Download Agent. Once the agent package .zip file is downloaded, unzip the contents.

3.3 Installing Windows Agent/Windows Domain Agent - 32bit, 64bit and C#

The following are the commands to be executed in the target system for the Windows agent and the Windows Domain agent.

  1. Install
  2. Start
  3. Update
  4. Stop

Notes:

  1. You need administrative privileges in the target system to execute the above commands.
  2. Despite having similar installation steps, the agents for Windows and Windows Domain are not interchangeable, i.e., do not install the Windows agent in a Domain Controller machine and vice versa. The reason is as follows:
    • Once the Windows agent is installed in a machine, it will discover and list all local accounts available in that machine so that password reset can be done for those accounts.
    • Whereas, Windows Domain agent is meant for a domain controller machine and it will not discover any accounts from the machine in which it is installed.

3.3.1 Using Command Prompt
(C# Agent is applicable from build 11301 and later only)

The following steps are applicable for Windows Agent/Windows Domain Agent - 32bit, 64bit and C#.

i. To Install the Agent and Start as a Windows Service:

  1. Open a command prompt and navigate to the PMP agent installation directory.
  2. Execute the command 'AgentInstaller.exe install <Agent Key copied from the PMP UI>'.
  3. Now, the agent will be successfully installed in your machine.

ii. To Start the Agent as a Windows Service:

    1. Open a command prompt and navigate to the PMP agent installation directory.
    2. Execute the command 'AgentInstaller.exe start' to start the agent.

iii. To Update the Windows Agent:

In case the PMP agent was previously installed by a different admin user, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added as a resource under the new admin user without the need to uninstall and reinstall the agent. However, the new admin will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PMP agent installation directory.
  2. Execute the command 'AgentInstaller.exe update <Agent Key copied from the PMP UI>'.
  3. The agent will be added as a resource in the server.

iv. To Stop the Agent:

    1. Open a command prompt and navigate to the PMP agent installation directory.
    2. Execute the command 'AgentInstaller.exe stop' to stop the agent.

v. To Uninstall the Agent:

    1. Open a command prompt and navigate to the PMP agent installation directory.
    2. Execute the command 'AgentInstaller.exe remove'.
    3. Now, the agent will be uninstalled from your machine.

3.3.2 Using PMP Agent Installer
(C# Agent is applicable from build 11301 and later only)

The following steps are applicable for Windows Agent/Windows Domain Agent - C# only.

After downloading the C# agent, extract the folder and navigate to PMPAgent >> bin.

i. To Install the Agent in Windows or Windows Domain:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PMP Agent Installer wizard appears on the screen.
  3. Select the Install option.
  4. Mention the Installation Key and Installation Path. Click Next.

  5. In the Configurations page, mention the required details and click Next.

  6. In the Operations page, check if the first two conditions are met and click Install.

You have now successfully installed the C# agent.

ii. To Start the Agent as a Windows Service:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PMP Agent Installer wizard appears on the screen.
  3. Click the Operations icon.
  4. Right-click the three dots beside Agent Service Status and click Start.
  5. From here, you can also Stop, Restart the agent and Go to the Service Console.

iii. To Update the Agent in Windows or Windows Domain:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PMP Agent Installer wizard appears on the screen.
  3. Select the Reinstall option.
  4. Mention the Installation Key and Installation Path. Click Next.

  5. In the Configurations page, mention the required details and click Next.

  6. In the Operations page, check if the first two conditions are met and click Next to reinstall the agent.

You have now successfully reinstalled the C# agent.

iv. To Uninstall the Agent in Windows or Windows Domain:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. In the wizard that appears, select Uninstall and click Next.

  3. In the Operations page, check if the first two conditions are met. Click Uninstall.

You have now successfully uninstalled the C# agent.

3.4 Installing Linux Agent - 32bit, 64bit and Go
(Go Agent is applicable from build 11301 and later only)

The following are the commands to be executed in the target system for the Linux agent.

  1. Install
  2. Start
  3. Update
  4. Stop
  5. Remove

Notes:

  1. You need root privileges in the target system to execute the above commands.
  2. PMP Agent supports the Linux flavors with default OpenSSL library only.
  3. Go Agent supports all Linux flavors.

i. To Install the Linux Agent:

    1. Open a command prompt and navigate to the PMP agent installation directory.
    2. Execute the command 'sh installAgent-service.sh install <Agent Key copied from the PMP UI>'. For the Go Agent, the command is 'bash installAgent-service.bash install <Agent Key copied from the PMP UI>'. (bash command applicable for Go Agent only)
    3. Now, the agent will be successfully installed in your machine.

ii. To Start the Agent as a Linux Service:

    1. Open a command prompt and navigate to the PMP agent installation directory.
    2. Execute the command 'sh installAgent-service.sh start' to start the agent. For the Go Agent, the command is 'bash installAgent-service.bash start'. (bash command applicable for Go Agent only)

iii. To Update the Linux Agent:

In case the PMP agent was previously installed by a different admin user, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added under the new admin user without the need to uninstall and reinstall the agent. However, the new admin will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PMP agent installation directory.
  2. Execute the command 'sh installAgent-service.sh update <Agent Key copied from the PMP UI>'. For the Go Agent, the command is 'bash installAgent-service.bash update <Agent Key copied from the PMP UI>'. (bash command applicable for Go Agent only)

iv. To Stop the Agent Running as a Linux Service:

    1. Open a command prompt and navigate to the PMP agent installation directory.
    2. Execute the command 'sh installAgent-service.sh stop' to stop the agent. For the Go Agent, the command is 'bash installAgent-service.bash stop'. (bash command applicable for Go Agent only)

v. To Uninstall and Remove the Agent:

    1. Open a command prompt and navigate to the PMP agent installation directory.
    2. Execute the command 'sh installAgent-service.sh remove'. For the Go Agent, the command is 'bash installAgent-service.bash remove'. (bash command applicable for Go Agent only)
    3. Now, the agent will be uninstalled from your machine.

3.5 Configuring Agent Settings

Open the agent.conf file available in the downloaded agent package. The following are the parameters listed in the .conf file:

  • AgentType: This indicates that it is a PMP agent.
  • ServerName: This is the server/IP Address which the PMP agent will try to reach to contact the PMP server.
  • ServerPort: This indicates the port in which the PMP server is running. If you have changed the default port of PMP to any other port such as 443, the same port number must be updated here.
  • ScheduleInterval: By default, the agent pings the server once in every 60 seconds. To configure the time interval at which the agent should ping the PMP web server, modify the time interval value in seconds.
  • UserName: This is the admin user account under which the agent server will be added as a resource.
  • OSType: Denotes the OS which the agent belongs to - Windows/Windows Domain/Linux.

Password Manager Pro allows you to restrict which user accounts are added via agents (C# and Go) during account discovery, using regex patterns. To do so, use the UserQuery and accountFilter parameters below:

  • UserQuery: To filter the accounts in Linux (Go Agent).

    UserQuery = awk -F: '$1 ~ /^ *admin/ {print $1}' /etc/passwd // to discover accounts that start with admin.


  • accountFilter: To filter accounts in Windows/Windows Domain (C# Agent).

    accountFilter = ^ *admin // to discover accounts that start with admin.

    Note: Windows Domain agent will not automatically add user accounts unless you specify the pattern in the account filter.


  • fetchDisabledAccount: To fetch disabled accounts in Windows/Windows Domain (C# Agent).

    fetchDisabledAccount = True

The parameters UserQuery, accountFilter and fetchDisabledAccount are applicable from build 11301 and later only.

Once any of the above parameters are modified, restart the agent service.
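
The script below is an added example, not part of the Password Manager Pro product or its documentation. It previews which accounts a UserQuery-style pattern would select, so the pattern can be reviewed before it is placed in agent.conf. The function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd entries (not taken from a real host).
make_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
administrator:x:1001:1001::/home/administrator:/bin/bash
admin_backup:x:1002:1002::/home/admin_backup:/usr/sbin/nologin
sysadmin:x:1003:1003::/home/sysadmin:/bin/bash
dbadmin:x:1004:1004::/home/dbadmin:/bin/bash
EOF
}

# matched_accounts REGEX FILE (hypothetical helper)
# Applies the same test as the UserQuery above ($1 ~ /REGEX/), with the regex
# passed in so candidate patterns can be compared. One login name per line.
matched_accounts() {
  awk -F: -v re="$1" '$1 ~ re { print $1 }' "$2"
}

# review_filter REGEX FILE (hypothetical helper)
# Prints name, UID and shell for each match and marks entries worth a second
# look before they are discovered: UID 0 and accounts without a login shell.
review_filter() {
  awk -F: -v re="$1" '$1 ~ re {
    note = ""
    if ($3 == 0) note = " [uid 0]"
    if ($7 ~ /(nologin|false)$/) note = note " [no login shell]"
    printf "%s uid=%s shell=%s%s\n", $1, $3, $7, note
  }' "$2"
}

sample=$(mktemp)
make_sample_passwd "$sample"
echo "Anchored pattern '^ *admin':"
review_filter '^ *admin' "$sample"
echo "Unanchored pattern 'admin' (also selects sysadmin and dbadmin):"
review_filter 'admin' "$sample"
rm -f "$sample"
```

To check a real host, pass /etc/passwd as the second argument instead of the sample file.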

4. Discovering Local Accounts using the PMP Agent

When the agent is started for the first time on the target machine, it will automatically add the machine as a resource in PMP and discover the local accounts. After the discovery, you can reset the passwords of the local accounts. To learn more about resetting passwords using the PMP agent, click here.

5. Finding Tasks Awaiting Execution by the PMP Agent

Follow the steps below to find the tasks that have been triggered by the user but are awaiting execution by the PMP agent.

  1. Click the bell icon in the top panel of the interface for viewing Notifications.
  2. Under Agent Alerts, you will find the different statuses of the agent:
    • The number of password reset and password verify actions triggered.
    • Status of password reset actions triggered earlier.
    • Status of password verify actions triggered earlier.

  3. The notifications are user-specific, i.e., users will be notified of only those tasks that they have triggered.

©2022, ZOHO Corp. All Rights Reserved.
