Working with PasswordManager Pro (PMP)

Overview

Having successfully installed PasswordManager Pro (PMP), you are now ready to work with it. After connecting the web interface with the PMP server, the PMP Home Page is displayed. The web interface is arranged in the form of six tabs. Through these tabs, you can perform various password management operations in PMP.

Important Terminologies

While working with PasswordManager Pro, you will come across some terminologies having unique meanings. It is worthwhile to take a note of those terminologies before proceeding further:

 

Resource: Denotes the server/application/device whose user accounts and passwords are to be managed by PasswordManager Pro.

Resource Group: Denotes the group to which a particular resource belongs. For example, if you have some Windows XP servers among a number of other Windows servers, you can group all the XP servers as one resource group.

User Account: Denotes the 'User Account' & 'Password' that are to be managed by PasswordManager Pro.

User: Denotes the PasswordManager Pro user accounts created as part of PasswordManager Pro User Management.

User Group: Group of PasswordManager Pro Users.

Password Policy: Refer to the explanation below.

PMP: Abbreviation for PasswordManager Pro.

 

Work flow in PMP

If you are an Administrator ...

If you are an administrator setting up PMP in your environment and managing passwords, the ideal work flow is:

 

  1. Set up the mail server

  2. Add the users who will use PMP

  3. Add the resources whose passwords you want to manage

  4. Set up disaster recovery

 

 

User Addition work flow

 
 

Resource Addition work flow

 

The first step to actual Password Management in PMP starts with adding your "resource" to the PMP database. Here, resource denotes the server/application/device whose user accounts and passwords are to be managed by PMP.

 
 

Setup Disaster Recovery

 

If you are a Password User ...

If you are a Password User whose job is only to view the passwords allotted to you, no configuration is needed. You can directly view the passwords of resources/accounts and edit them if you have that permission.

User Management

As PMP serves as a repository for the sensitive passwords, fine-grained access restrictions are critical for the secure usage of the product. PMP provides role-based access control to achieve this.

 

In practical applications, information stored in PMP will have to be shared among multiple users. By default, PMP comes with four pre-defined roles, each permitted a different subset of the operations Manage Users, Manage Resources, Manage Passwords, View Passwords, Managing Personal Passwords and View Audit & Reports:

  • Administrator

  • Password Administrator

  • Password User

  • Password Auditor

Irrespective of the role, the personal passwords remain exclusive to the individual user and other users have no control over them.

 

You can create as many users as you desire and define appropriate roles for the user. This section explains how to create users and assign roles for them.

Adding New Users

Note: Users can be added only by Administrators.

From the Users tab, administrators can

New users can be added in four ways

 

By default, PMP stores all user data in the MySQL database and authenticates users by database lookup. When you integrate AD/LDAP as the authentication system, AD or LDAP replaces PMP's default authentication for verifying a user's identity. Only one mode of authentication can be in use at any time.

Adding Users Manually

Integrating Active Directory & Importing Users

PMP provides the option to integrate with the Active Directory in your environment and import users from it. Users who have logged into Windows with their domain account can be allowed to log in to PMP directly (without a separate PMP login).

 

There are four steps involved in importing users from AD and assigning them the necessary roles and permissions in PMP. Follow the steps detailed below:

Step 1  - Importing Users

The first step is to provide credential details and import users from AD. PMP automatically gets the list of domains present under the "Microsoft Windows Network" folder of the server on which PMP is running. You need to select the required domain and provide domain controller credentials.

 

To do this,

 

 

In the UI that pops-up,

 

  1. Select the required Domain Name (part of the AD) from the drop-down

  2. Specify the DNS name of the domain controller. This domain controller will be the primary domain controller

  3. In case the primary domain controller is down, secondary domain controllers can be used. If you have secondary domain controllers, specify their DNS names in comma-separated form. One of the available secondary domain controllers will be used

  4. Enter a valid user credential (user name and password) with read permission on the domain controller

  5. By default, PMP imports all the users from AD. If you want to import only particular users, enter the required user name(s) in comma-separated form

  6. Similarly, you can choose to import only specific user groups or OUs from the domain. Specify the names in the respective text fields in comma-separated form

  7. Whenever new users get added to AD, PMP can automatically add them and keep the user database in sync. Enter the interval at which PMP should query AD for this. The interval can be as low as a minute or in the range of hours/days

  8. Click "Save". PMP will then start adding all users from the selected domain. During subsequent imports, only the new user entries in AD are added to the local database

  9. When organizational units (OUs) are imported, user groups are automatically created with the name of the corresponding OU, in the form <domainname>\OU

  10. During import, every user is notified by email about their account, along with a password that is used to log in to PMP when AD authentication is disabled.

 

  • What will be the role of the users imported from AD in PMP?

 

The users added to the PMP database will have the role "Password User". If you want to assign specific roles to specific users, proceed with Step 2 below.

 

  • Can I use both AD and non-AD credentials to log in to PMP?

 

Yes. You can use both your AD and local (non-AD) passwords to log in to the application. The choice is made on the GUI login screen itself.

Step 2  - Assigning Roles

All the users imported from AD will be assigned the 'Password User' role by default. To assign specific roles to specific users,

 

Step 3   -  Enabling Authentication

The third step is to enable AD authentication. This will allow your users to use their AD domain password to login to PMP. Note that this scheme will work only for users who have been already imported to the local database from AD.

 

Note: Make sure you have at least one user with the 'Administrator' role, among the users imported from AD.

Step 4  -  Enabling Single SignOn

Users who have logged into the Windows system using their domain account need not separately sign in to PasswordManager Pro, if this setting is enabled. For this to work, AD authentication should be enabled and the corresponding domain user account should have been imported into PMP.

 

Internet Explorer supports this by default; follow the instructions below to get it working in Firefox:

 

Integrating LDAP & Importing Users

You can make PMP work with an LDAP-compliant directory (such as Active Directory) in your environment by following the steps explained below. These steps can be performed in any order, but the first time it is recommended to follow them in the sequence given.

Step 1 - Import Users

The first step is to provide credential details and import users from LDAP.

 

To do this,

 

 

In the UI that pops-up,

 

If your LDAP server belongs to types other than Microsoft Active Directory/Novell eDirectory/OpenLDAP

 

If your LDAP server is of a type other than Microsoft Active Directory/Novell eDirectory/OpenLDAP, you need to enter three more details to authenticate the users:

 

 

 

  • What will be the role of the users imported from LDAP in PMP?

 

The users added to the PMP database will have the role "Password User". If you want to assign specific roles to specific users, proceed with Step 2 below.

 

Step 2  - Assign Roles

All the users imported from LDAP will be assigned the 'Password User' role by default. To assign specific roles to specific users,

 

Step 3  - Enable Authentication

The final step is to enable LDAP authentication. This will allow your users to use their LDAP directory password to log in to PMP. Note that this scheme works only for users who have already been imported into the local database from the directory.

 

Note: Make sure you have at least one user with the 'Administrator' role, among the users imported from LDAP.

 

Importing Users from a CSV file

If you have the list of users in a text file, you can import it into the PMP database. All the lines in the CSV file should be consistent and have the same number of fields. CSV files with the extensions .txt, .csv and .xls are allowed.

 

To import users from a CSV file,

 

 

Editing Users

You can edit the details of existing users to change attributes such as email id, access level, password policy, department and location.

 

To edit users,

 

 

Note: While changing the access levels, the following rule would be applied:

 

If you are an Administrator, you will not be allowed to change your access level (that means, the currently logged in administrator's access level cannot be changed).

 

Deleting Users

Administrators can delete users who are no longer required. The delete operation is permanent and cannot be reverted.

 

Note: PMP allows users to be deleted only if they do not own any resource. If the user(s) own any resource, you need to first transfer the ownership of all those resources to another Password Administrator.

 

To delete a user or users,

 

User Groups

Users can be grouped together for easier management. User grouping helps in carrying out operations in bulk on all the resources of the group. The resources added to PMP can be assigned to a user group.

 

To add user groups,

 

 

In the Add User Group UI that opens,

 

 

 

  • What happens for a new user who gets added to an already existing group?

 

The new user will become part of that group and automatically inherit all the properties and permission levels of the group.

 

 

Adding Resources

The first step to get started with Password Management in PMP is adding your "resource" to the PMP database.

To add your resource,

Adding a resource to be managed in your setup is done in three steps. The first step involves entering details about the resource such as its name, its DNS Name/IP, type, location etc. The second step

 

Step 1:  Adding Resource Details

 

 

Storing Digital Certificates, Licence Keys, Files, Documents, Images etc.

 

Different file types could be securely stored in the PMP repository along with the passwords. To store a license key or a certificate or a document etc. you need to select the 'Resource Type' as explained below:

 

By default, PMP supports the following file stores:

Certificate store: to store any private / public keys, digital certificates and digital signature files

License key store: to store any software license keys

File store: to store any digital content (documents, pictures, executables etc.)

You can create any new resource type as per your requirements.

 

Resources of the above types are managed and shared the same way as other resources. During retrieval, a link to the file is provided so that it can be saved locally to disk.

 

 

  • What is the need for Password Policy field here?  

 

This question naturally arises when you are adding a resource. The following example provides the answer: if your intention is that the accounts of this resource always have strong passwords, other users with admin privileges should not be able to defeat that intention when they change the password. The policy set here is what enforces this, so the step is crucial even though it has no direct bearing on resource addition itself.

 

  • Can I add my own custom fields for resources?

 

Yes, you can. You can have up to 20 additional custom fields for resources. To add a custom field, go to the "Resources" tab and click the button "Customize Resource" in the drop-down under "More Actions". Your additional fields can be in any of the following four formats:
 

  1. Character/list - for text inputs

  2. Numeric - to store numeric inputs

  3. Password - to store password inputs. The values entered here will not be echoed in the GUI. Additionally, a Password Generator icon will be present beside it to help generate one

  4. Date & Time - to store date and time inputs

 

  • Can others see the resources added by me?

 

Except for super administrators (if configured in your PMP setup), no one, including admin users, will be able to see the resources added by you. Only if you decide to share your resources with other administrators will they be able to see them.

 

Step 2: Adding Account Details - (User Account & Password to be Managed)

 

The second step is to add the user accounts and their passwords of this resource that are to be shared between multiple users. Notes can be added to each account.

 

 

  • Can I add my own custom fields for accounts?

 

Yes, you can. You can have up to 20 additional custom fields for accounts. To add a custom field, go to "Admin >> Customize >> Accounts -Additional Fields". Your additional fields can be in any of the following four formats:

 

  1. Character/list - for text inputs

  2. Numeric - to store numeric inputs

  3. Password - to store password inputs. The values entered here will not be echoed in the GUI. Additionally, a Password Generator icon will be present beside it to help generate one

  4. Date & Time - to store date and time inputs

 

The required user name and password have now been added to the PMP repository. Users who are authorized to access the resource, will be able to view the information.

 

Step 3: Remote Password Synchronization (applicable only for Windows, Windows Domain & Linux)

 

PMP provides the option to remotely change the password of select resources. As of now, this facility is available for changing the password of only those resources that belong to the type Windows, Windows Domain, Linux, IBM AIX, HP UNIX, Solaris and Mac OS. Using this utility, you can change the password of a server present in a remote location, from the PMP web interface itself.

 

You can avail this facility in two ways:

 

 

If the remote resource has restrictions such as a firewall, you would require deployment of agents. Otherwise, you can do password synchronization without deploying agents.

 

You may proceed with Step 3 only if you intend to do password synchronization without deploying agents. You need to specify the credentials to be used to login to the resource and effect the changes. For Windows it is not necessary to separately specify administrator accounts to perform password reset from remote and hence this step is not required. For Windows domain controller, Linux, IBM AIX, HP UNIX, Solaris and Mac OS specify the accounts that will be used to login from remote to perform password reset. For other type of resources this step is not applicable.

 

To specify the credentials & enable remote synchronization,

 

Resource Groups

Resources can be grouped together for easier management. The grouping can be done either by specifying a set of criteria or by specifying individual resources. When you specify criteria, any new resource that is later added and matches them automatically becomes part of that group.

 

Resource groups created by the administrator users can be shared with other users or user groups. Whenever resources get added or deleted from a group, it affects the password access shared through the group. That is, users who are shared with the group can see passwords of only the resources that are part of the group at that point in time.

Password policy can be specified for the resource groups, which will be used for password generation for resources of that group. Note that a password policy specified for a resource will override the group-level setting.

 

The resource grouping helps in carrying out operations in bulk on all the resources of the group.

 

To add resource groups,

 

 

In the Add Resource Group UI that opens,

 

 

Creating groups based on matching criteria,

 

 

Creating groups based on resources,

 

 

  • What is the precedence order for Password Policy?

 

Password policy specified at the lowest level will have precedence. For example, consider that you have set "Low" as the policy for a resource and that particular resource is part of a Resource Group having the policy as "Strong". This particular resource will continue to have the policy "Low" even though it is a member of the group having "Strong" as the policy.

 

  • How do I view the resources belonging to a particular Resource Group?

 

To view the resources belonging to a particular Resource Group,

 

  • go to "Resources" tab

  • select the required Resource Group (whose resources you want to see) from the drop-down "Show Resources of"

  • all the resources belonging to that group will be displayed

 

 

Password Synchronization using PMP Agents

PMP provides the option to remotely change the password of select resources by deploying PMP agents. As of now, this facility is available for changing the password of servers - Windows, Windows Domain and Linux alone. Using this utility, you can change the password of a server present in a remote location, from the PMP web interface itself.

 

The agent could be used in target machines to which the PMP server can connect and effect password changes. All password related communication is over HTTPS and is secure. The agent is useful in cases when,
 

Downloading the PMP Agent

The PMP agent package is dynamically created by the PMP server to include the SSL certificate of the PMP server, that is used for the HTTPS communication between the server and the agent. So, the only place to download the agent is from the 'Admin' tab of the PMP web GUI. The agent package is a zip file containing the necessary executables, configuration files and the SSL certificate. Download the agent based on the OS of the target and just unzip the package.

Installing the PMP Agent in Windows

The package has all the necessary configuration already created by the server. Make sure the account under which the agent runs on the target system has sufficient privileges to modify passwords.

To install the PMP Agent as a Windows service,

 

 

To stop the agent and uninstall the Windows service,

 

 

Configuring the port

 

The default port on which the agent listens for password-reset triggers from the server is 5768. To change this to a different value,
 

Installing the PMP Agent in Linux

The package has all the necessary configuration already created by the server. Make sure the account under which the agent runs on the target system has sufficient privileges to modify passwords.

 

To install the agent as service
 

 

To start the agent
 

To stop the agent

 

 

To uninstall the agent as service
 

 

Configuring the port

 

The default port on which the agent listens for password-reset triggers from the server is 5768. To change this to a different value,
 

To remotely change the password,

Troubleshooting  

If the password changes do not take effect in the target systems, check

 

Importing Resources

Importing Resources from Text File

You can import resource details from a CSV file using the import wizard. All the lines in the CSV file should be consistent and have the same number of fields. CSV files with the extensions .txt, .csv and .xls are allowed.

 

To import resources from a CSV file,

 

 

  • Importing Resources takes time ...

 

When you import a large number of resources, it takes a while to add all of them to the PMP inventory. While the import is in progress, a rotating indicator is shown at the right-hand side. Once it is done, the message "Resources Imported Successfully" is displayed.

 

  • My resources have additional fields ..

 

You can import the additional fields too. But, prior to importing the resources, you need to add those custom fields to PMP.

 

  • I do not have some of the fields that are listed mandatory for PMP in my CSV file..

 

That is not a problem. Only 'Resource Name' and 'Account Name' fields are mandatory. So, you can import whatever you have.
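The CSV rules stated above (every line must have the same number of fields, only 'Resource Name' and 'Account Name' are mandatory, and any custom field must already exist in PMP) as a pre-flight check you can run before the import wizard. This is an added example, not PMP code; the standard column names, the set of defined custom fields and the two sample files are constructed assumptions.

```python
"""Pre-flight check for a PMP resource-import CSV (added example, not PMP code).

The file holds account passwords in plain text, exactly like the export file
the page warns about, so treat it with the same care after the check.
"""
import csv
import io

# The page states these two columns are the only mandatory ones.
MANDATORY = {"Resource Name", "Account Name"}

# Constructed stand-in for PMP's standard resource/account columns (assumption).
STANDARD_FIELDS = {
    "Resource Name", "Account Name", "Password", "DNS Name",
    "Resource Type", "Location", "Department", "Notes",
}

# Constructed stand-in for custom fields already defined in PMP; the page says
# custom fields must be added in PMP before the resources are imported.
DEFINED_CUSTOM_FIELDS = {"Cost Center"}


def check_import_csv(text):
    """Return a list of problems; an empty list means the file is import-ready."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    problems = []
    header = [h.strip() for h in rows[0]]

    # Mandatory columns must be present in the header.
    missing = MANDATORY - set(header)
    if missing:
        problems.append(f"missing mandatory column(s): {sorted(missing)}")

    # Any column that is neither standard nor a defined custom field would be
    # silently lost or rejected; flag it so the field can be created first.
    unknown = set(header) - STANDARD_FIELDS - DEFINED_CUSTOM_FIELDS
    for col in sorted(unknown):
        problems.append(f"column {col!r} is not a defined custom field; add it in PMP first")

    # Every data line must have the same number of fields as the header, and
    # mandatory cells must not be empty.
    width = len(header)
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != width:
            problems.append(f"line {lineno}: {len(row)} fields, header has {width}")
            continue
        record = dict(zip(header, row))
        for col in sorted(MANDATORY & set(header)):
            if not record[col].strip():
                problems.append(f"line {lineno}: empty value for mandatory column {col!r}")
    return problems


# Constructed sample files (not real inventory).
SAMPLE_OK = """Resource Name,Account Name,Password,Cost Center
web-01,root,Xk9!pQ2z,CC-100
db-01,sa,Lm4$vB7w,CC-200
"""

SAMPLE_BAD = """Resource Name,DNS Name,Owner
web-01,web-01.example.test
db-01,db-01.example.test,alice
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_import_csv(sample) or "ready to import")
```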

 

Importing Resources from Active Directory

You can import the computers in your domain and the user accounts part of those computers as resources in PMP.

 

To import resources from domain,

 

 

The first step is to provide credential details and import resources from AD. PMP automatically discovers and lists all the Windows domains known to the domain controller of the domain that the PMP server belongs to. You need to select the required domain and provide domain controller credentials.

 

In the UI,

 

  1. Select the required Domain Name from which the resources (computers) are to be imported

  2. Specify the DNS name of the domain controller. This domain controller will be the primary domain controller.

  3. In case the primary domain controller is down, a secondary domain controller can be used. If you have secondary domain controllers, specify their DNS names in comma-separated form. One of the listed secondary domain controllers will be used

  4. Enter a valid user credential (user name and password) with admin privilege, or the name of a user present in the Domain Admins group

  5. By default, PMP imports all the computers from AD. If you want to import only particular computers, enter the required name(s) in comma-separated form

  6. Similarly, you can choose to import only specific resource groups (i.e. computer groups) or OUs from the domain. Specify the names in the respective text fields in comma-separated form. PMP resource groups will be created with the name of the corresponding AD computer groups, prefixed by the domain name.

  7. Whenever new computers get added to AD, PMP can automatically add them and keep the resource database in sync. Enter the interval at which PMP should query AD for this. The interval can be as low as minutes or in the range of hours and days

  8. Click "Import". PMP will then start adding all computers

 

Editing Resources

At any point of time, you can edit any of properties of the resource added by you. To edit a resource, go to the "Resources" tab and click the "Edit" icon present against the resource name. In the UI that pops-up, edit the required property and click "Save". The required change will get reflected in the view.

 

Note: When you edit a resource, the account details that are part of the resource will remain unaffected.

 

Viewing Account Details

To view the accounts that are part of a resource, go to the "Resources" tab and click the particular resource name. The accounts would be displayed.

 

Viewing Passwords

 

By default, passwords are shown in hidden form behind asterisks. Just click the asterisks to view the password in plain text. The passwords are shown for 10 seconds only. After that, they will be automatically hidden. If you want to view, you need to click again.

 

Copying Passwords

 

PMP leverages clipboard utility of browsers to copy passwords when you intend to copy and paste passwords. Click the copy icon present by the side of the passwords to copy them. The copied passwords will be available for pasting for 30 seconds.

 

Changing Passwords

 

To change the passwords of user accounts, click the "Change Password" icon against the account name. In the UI that pops-up, enter the new password and confirm the same and then click "Save". Here, password policy set by the administrator for this resource would get enforced. For example, if the administrator has set "Strong" as the password policy, you would be allowed to change the password only if you enter a password which is strong enough in accordance with the PMP settings.

 

If your account belongs to the type "Linux" or "Windows Domain", you have the option to synchronize the new password to the remote resource too. In this case, if updating the password on the resource fails, the password change is not saved locally either.

 

Editing Account Details

 

At any point of time, you can edit the details of any of the accounts. To edit an account, go to the "Resources" tab, click the resource of which the account is a part and then click the "Edit" icon present against the account name. In the UI that pops up, edit the required property and click "Save". The change will be reflected in the view.

 

Viewing Password History

 

The history of changes made to the passwords is captured as password history. Information such as the old password, who modified it, from which machine and the time at which it was modified is all captured. To view the password history of an account, go to the "Resources" tab, click the resource of which the account is a part and then click the icon present beside the "Last Modified" column. In the UI that pops up, the password history is displayed.

Sharing Resources / Resource Groups Among Users

You can share your resources and passwords / resource groups with other users and user groups. When you share a resource, all the passwords of that resource are shared. Similarly, when a resource group is shared, all the resources part of that group will be shared. While sharing the resources / resource groups, you can set privileges for the user(s) who get the share:

 

View only privilege: User can only access the password.

Modify privilege: User can both access and modify the password(s) that are shared. The Modify privilege does not allow the other users to change any other attribute of the resource.

Manage privilege: You can delegate complete management of a resource group and the associated resources. This includes the right to grant share permissions to other users.

 

You can share

 

 

Note: Manage privilege can be assigned only at resource & resource group levels. Not available for individual accounts.

 

 

You can perform the sharing operation in any combination from the above list.

 

Case 1: Share a particular account(s) to a User or User Group

 

 

Note: When you share a particular account to a user group, the account will be visible to all the members of the group. Also, the permissions granted to the user group (view/edit) will be applicable for all the members.

 

 

Case 2: Share a resource to a User or User Group

 

 

Note: When you share a particular resource to a user group, the resource and all its accounts will be visible to all the members of the group. Also, the permissions granted to the user group (view/edit) will be applicable for all the members.

 

 

Case 3: Share a Resource Group to a User or User Group

 

 

Note:

 

(1) When you share a particular Resource Group to a user group, the Resource Group will be visible to all the members of the user group. That means, all the resources with their respective accounts would be visible to all the members of the user group. Also, the permissions granted to the user group (view/edit) will be applicable for all the members.

 

(2) Precedence for Share Permissions: The share permission ('view' or 'view & modify') set for a password overrides that of its resource, which in turn overrides that of the resource groups which the resource is part of. (Lowest level takes highest precedence). Similarly, the share permission provided to an user overrides that of a user group the user is part of.
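The precedence rule in note (2), together with the note above that Manage is only available at resource and resource-group level, modelled as a small resolver. This is an added example and not PMP code: the Share and Account types, the sample names and the tie-break (when several shares of equal rank apply, the most restrictive wins) are assumptions made here, since the page gives no tie-break.

```python
"""Effective-share-permission resolver (added example, not PMP code)."""
from dataclasses import dataclass

# Share levels from most specific to least specific; the page says the
# lowest level takes the highest precedence.
LEVELS = ("account", "resource", "resource_group")

# Assumed ordering of privileges, used only for the tie-break below.
RANK = {"view": 0, "modify": 1, "manage": 2}


@dataclass(frozen=True)
class Share:
    principal: str    # user name, or user-group name when is_group is True
    is_group: bool
    level: str        # one of LEVELS
    target: str       # account id, resource name or resource-group name
    permission: str   # "view", "modify" or "manage"

    def __post_init__(self):
        if self.level not in LEVELS or self.permission not in RANK:
            raise ValueError(f"invalid share: {self}")
        # Page: Manage privilege is not available for individual accounts.
        if self.level == "account" and self.permission == "manage":
            raise ValueError("manage privilege cannot be assigned on an account")


@dataclass(frozen=True)
class Account:
    account_id: str
    resource: str
    resource_groups: tuple = ()

    def targets_at(self, level):
        """Names under which this account can be reached by a share at `level`."""
        return {
            "account": {self.account_id},
            "resource": {self.resource},
            "resource_group": set(self.resource_groups),
        }[level]


def effective_permission(user, user_groups, account, shares):
    """Return the privilege `user` ends up with on `account`, or None if unshared.

    Walks the levels from most to least specific; within a level a direct user
    share beats one inherited through a user group. If several shares of equal
    rank still apply (e.g. two resource groups), the most restrictive is chosen
    (assumption: the page states no tie-break).
    """
    for level in LEVELS:
        targets = account.targets_at(level)
        applicable = [s for s in shares if s.level == level and s.target in targets]
        direct = [s for s in applicable if not s.is_group and s.principal == user]
        via_group = [s for s in applicable if s.is_group and s.principal in user_groups]
        for candidates in (direct, via_group):
            if candidates:
                return min(candidates, key=lambda s: RANK[s.permission]).permission
    return None


# Constructed scenario: one account on a resource that belongs to a resource group.
SA_ACCOUNT = Account("db-01/sa", "db-01", ("Prod-DBs",))
SHARES = (
    Share("dba", True, "resource_group", "Prod-DBs", "manage"),  # group gets manage
    Share("alice", False, "resource", "db-01", "view"),           # alice directly gets view
)

if __name__ == "__main__":
    # alice is in "dba" but her more specific resource-level share wins: view
    print(effective_permission("alice", {"dba"}, SA_ACCOUNT, SHARES))
    # bob only inherits through the group: manage
    print(effective_permission("bob", {"dba"}, SA_ACCOUNT, SHARES))
    # carol has no share at any level: None
    print(effective_permission("carol", set(), SA_ACCOUNT, SHARES))
```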

 

Transferring Ownership of Resources / Resource Group

You can transfer the resources that you own to other administrator users. After a transfer you no longer have any access to that resource unless the new owner shares the password access with you. The shares you had previously granted to other users remain intact.

 

To Transfer the ownership of Resources

 

 

To Transfer the ownership of Resource Groups

 

 

Note:  The ownership of default resource group and the criteria-based resource groups (the resource groups that were created based on some criteria) cannot be transferred.

 

Passwords View

You can view all the passwords that are owned by you and the ones that are shared to you from the "Home" tab.

 

To view the passwords,

 

 

Managing Resource Types

You can add as many resource types as you require and manage such resource types from the "Admin" tab. Apart from adding custom resource types, you can provide your own icons for the types, edit the existing types and delete resource types from the database.

 

PMP provides the option to store digital files, certificates, images and documents too. By default, PMP comes with the following resource types under two broad categories:

 

Operating Systems

 

  1. Windows

  2. Windows Domain

  3. Linux

  4. Mac

  5. Solaris

  6. HP UNIX

  7. IBM AIX

 

Digital Files/Keys/Licences

 

  1. File Store

  2. Key Store

  3. License Store

 

You cannot delete/edit the above ten default resource types.

 

To add a new resource type,

 

 

To edit a resource type,

 

Deleting Resources

You can delete those resources that are no longer required from the PMP's resources list. If you delete a resource, all the accounts and passwords that were part of that resource would also be deleted permanently. The entries would be removed from the database once and for all.

 

To delete a resource,

 

Exporting Resources

You can export the available resources, their account names and passwords to a flat file.

 

To export resources,

 

 

Note: In the exported file, the account details and passwords are shown in plain text. So, exercise care to store the file in a secure location.

 

Scheduled Password Rotation

Shared administrative passwords are prone to misuse even in a very secure environment, so periodic rotation of passwords is very much needed. Manually changing the passwords one by one would be laborious. PMP automates periodic password changes for the resources for which remote password reset is supported. Scheduled Password Rotation can be done only at the resource group level.

 

The prerequisite for using this feature is the proper configuration of password synchronization either by agentless mode or by deploying agents in the remote resource.

 

Multiple options are available to set the periodicity of password rotation. Notifications are generated both before and after the password reset task is run, with a consolidated report of the results for each password.  

 

To add a schedule for rotating passwords of the resources of a group,

 

 

Step 1: Settings for sending notification prior to password rotation

When a password is scheduled to be rotated at a specified time, the users who have access to the present password(s) should be informed of the rotation beforehand, for example a day prior to it. Apart from the users directly connected with the passwords to be rotated, any other user can also be informed of the scheduled rotation on a need basis.

Pre-Notification Timing
Step 2: Specify the new password to be used

 

You have the option to specify the new password(s) to be used for resources after rotation. You can either choose to allot randomly generated, unique passwords to the accounts based on the password policy set for the group or you can allot a new, common password to all the resources (in accordance with the password policy already specified for the group).

 

Select the required choice and click "Next".

 

Step 3: Specify the rotation schedule

 

The schedule itself is created in this step. It can be a one-time rotation or a recurring one at periodic intervals. Depending on your requirements, choose one of the options - Once / Days / Monthly / Never. After selecting the option, specify the other details as required and click "Next".

 

Step 4: Settings for sending notification after password rotation

 

Immediately after the password rotation completes, a notification can be sent to all those who have access to the passwords, informing them of the completion. Apart from the users directly connected with the rotated passwords, any other user can also be informed of the rotation on a need basis.

Note: Password reset tasks scheduled for a password belonging to different groups do not affect each other.

 

Windows Service Account Password Reset

Windows service accounts might be associated with Windows domain accounts, in which case the services run with the passwords of those domain accounts. When the passwords of domain accounts managed in PMP are rotated or reset, the passwords of the associated services must be changed as well, and in certain cases the services also have to be restarted. The Windows service account reset feature of PMP does precisely this.

How does Windows service account reset work?

For every Windows domain account for which the service account reset is enabled, PMP will find out the services which use that particular domain account as service account, and automatically reset the service account password if this domain password is changed.

How to setup Windows Service Account Password Reset?

Prerequisite: Before enabling Windows service account reset, ensure that the following services are running on the servers where the dependent services run:

(1) The Windows RPC service is enabled

(2) The Windows Management Instrumentation (WMI) service is enabled

 

Windows service account reset can be configured right at the stage of resource addition or afterwards by editing the resource. Both the scenarios have been explained below:

While adding the resource

Step 1: Providing Resource Details

Step 2: Providing Domain Account Details - (Domain Account whose associated service accounts are to be reset)

 

The second step is to add the domain accounts whose associated Windows service accounts are to be reset when the password of the domain account is modified.

Enabling Windows Service Account Reset for the already added resources

For the already added resources of resource type "Windows Domain", you can enable Windows service account reset by editing the resource and the respective domain account.

 

To enable service account reset for the already added resources,

 

Viewing Service Account Status

For any Windows domain account (for which you have enabled Windows service account reset), you can view the list of associated service accounts and whether the service accounts were reset upon the corresponding domain account reset.

 

To view this information,

Note: Whenever the password of the domain account is changed, the passwords of the Windows service accounts associated with it are changed as well. If you have created schedules for rotating domain accounts, the service account reset also follows that schedule.

 

Password Action Notification

Whenever an action is performed on a password, be it a password access or modification, a change to the share permissions, password expiry or a password policy violation, notifications may need to be sent to the password owners, to those who have access to the passwords, or to any other users as desired by the administrators. The 'Password Action Notification' feature helps in achieving this.

 

You can configure e-mail notification on the occurrence of the specific events mentioned above. When password shares are changed and when passwords expire, there is, in addition to the notification, an option for a password reset action to be performed by the PMP server. When a password belongs to multiple groups and each group has different actions configured, every distinct action is performed once.

 

To add a schedule for rotating passwords of the resources of a group

 

 

When passwords are accessed

 

As mentioned earlier, when a user views a password, notification (informing the access) could be sent to desired recipients.

 

If you want to make use of this action,

When passwords are changed

 

As mentioned above, when a password is changed, notification (informing the change) could be sent to desired recipients.

 

If you want to make use of this action,

When password share is changed

 

In multi-user environments, passwords are shared among multiple persons. In such a scenario, when the share permissions of a password are changed, a notification (informing of the change) can be sent to desired recipients.

 

If you want to make use of this action,

When passwords expire

 

To enhance password security, passwords of sensitive accounts are rotated periodically. In such a scenario, a validity period is set for a password. When the validity ends, the password expires and a notification (informing of the expiry) can be sent to desired recipients.

 

How do I set Password Expiry for a resource?

 

The password validity period is set through password policies. The three default policies - low, medium and strong - have password age values of 15, 10 and 5 days respectively. If you use any of these policies, you need not set expiry dates explicitly. If you require some other value for the password age, create a new password policy and enter the required value for the parameter Password Age, which is the time limit (in days) up to which the password is valid. After the validity period, the password expires and has to be reset. Associate the new policy with the resource for which the password expiry has to be set.

 

 

If you want to make use of this action,

When password policy is violated

 

If you have defined a password policy and passwords are in violation of it, notifications (informing of the violation) can be sent to desired recipients. The notification is sent every day.

 

If you want to make use of this action,

When passwords in PMP go out of sync with those in the resource

When the passwords stored in PMP differ from those in the resource, notifications (informing of the out-of-sync state) can be sent to desired recipients. The notification is sent every day.

If you want to make use of this action,

Password Reset Listener

Password Reset is one of the important operations performed by the PMP. After resetting the password of resources/accounts in PMP, there might be requirements to carry out some follow-up action automatically. This could be done using the Password Reset Listeners.

 

For Example:

 

How does Password Reset Listener work?

Whenever the password of an account is modified in the PMP repository, you can configure PMP to invoke a script or executable supplied by you. The script or the executable is called the Password Reset Listener. The listener will be invoked even for local password changes and for resources for which remote password reset is not supported. It can be configured for each resource type, including the user defined resource types. Thus, the password reset listener mechanism is very helpful for resource types for which PMP does not support remote password reset by default.

 

 

The script runs with the same privileges as the user account running the PMP server. To guard against the risks of invoking arbitrary scripts, a dual control mechanism is implemented, which ensures that two administrators see and approve the script before PMP invokes it. When an administrator adds a password reset listener, PMP does not invoke it until another administrator has approved it. The same process is followed when an administrator edits the password reset listener details. These operations can be performed by any two administrators and are audited.

 

The password reset listener is invoked from a separate thread so that it does not impact the password reset process of PMP. The password reset listener script supplied will be stored in the same database as the other information, which provides security as well as backup, if it is configured for the PMP database.

How to setup Password Reset Listener?

Prerequisite

 

Before setting up the password reset listener, keep your custom script/executable ready. PMP has no control over the script beyond invoking it, and it does not process the script's result. So, take care of all your requirements while creating the script.

 

 

To set up the Password Reset Listener,

As explained above, the listener script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP.

 

Listeners can be added only by PMP administrators, and a listener thus added has to be approved by a different administrator; until then, the listener remains pending approval. Select an administrator from the drop-down to send the approval request. A mail is sent to that administrator informing them of the request.

 

If you are an administrator and another admin has requested you to approve a listener, navigate to "Admin" >> "Customize", click "Password Reset Listener" and click the link present under "Approval Status". Once it is approved, the listener takes effect.

The listener creation and approval events are all audited in PMP.
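The dual-control rule described above, as an added Python model that is not PMP's own code: a listener added by one administrator stays pending until a different administrator approves it, an edit drops it back to pending, only approved listeners are invoked on a password reset, and every step is written to an audit list. The class, method and field names, and the sample script bytes, are assumptions made for this illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set


class DualControlError(Exception):
    """Raised when the two-administrator rule would be violated."""


@dataclass
class ResetListener:
    resource_type: str
    script: bytes                      # kept in the database like other PMP data
    submitted_by: str                  # admin who added or last edited it
    approved_by: Optional[str] = None  # None while pending approval
    audit: List[str] = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return self.approved_by is not None

    def digest(self) -> str:
        """Short hash so an audit line identifies which script version acted."""
        return hashlib.sha256(self.script).hexdigest()[:16]

    def log(self, actor: str, action: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(f"{stamp} {actor} {action} {self.resource_type} sha256={self.digest()}")


class ListenerRegistry:
    """Holds one listener per resource type and enforces dual control (assumed model)."""

    def __init__(self, administrators: Set[str]):
        self.admins = administrators
        self.listeners: Dict[str, ResetListener] = {}

    def _require_admin(self, user: str) -> None:
        if user not in self.admins:
            raise DualControlError(f"{user} is not a PMP administrator")

    def add(self, admin: str, resource_type: str, script: bytes) -> ResetListener:
        """Register a listener; it is pending until another admin approves it."""
        self._require_admin(admin)
        listener = ResetListener(resource_type, script, admin)
        listener.log(admin, "added, pending approval")
        self.listeners[resource_type] = listener
        return listener

    def edit(self, admin: str, resource_type: str, script: bytes) -> None:
        """Any edit invalidates the earlier approval; a second admin must re-approve."""
        self._require_admin(admin)
        listener = self.listeners[resource_type]
        listener.script = script
        listener.submitted_by = admin
        listener.approved_by = None
        listener.log(admin, "edited, approval reset")

    def approve(self, admin: str, resource_type: str) -> None:
        """Approval must come from an admin other than the one who submitted it."""
        self._require_admin(admin)
        listener = self.listeners[resource_type]
        if admin == listener.submitted_by:
            raise DualControlError("approver must differ from the submitting administrator")
        listener.approved_by = admin
        listener.log(admin, "approved")

    def on_password_reset(self, resource_type: str,
                          invoke: Callable[[bytes], None]) -> bool:
        """Fire the listener after a password change; returns whether it ran.

        PMP runs the script on a separate thread so the reset itself is not
        delayed; here the caller supplies `invoke`, so the approval flow can
        be exercised without executing anything.
        """
        listener = self.listeners.get(resource_type)
        if listener is None or not listener.approved:
            return False
        invoke(listener.script)
        listener.log("system", "invoked")
        return True
```

The script content is hashed into each audit line, so a later review can tell exactly which version of the script was approved and which version was invoked.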

 

High Availability

In mission-critical environments, one of the crucial requirements is to provide un-interrupted access to passwords. PMP provides the 'High Availability' feature just to ensure this.

How does High Availability work?

Example Scenarios

Scenario 1 - Primary & Secondary in different geographical locations and WAN Link failure happens between the locations

 

Assume that the Primary server is in one geographical location 'A' and the Secondary is deployed in another location 'B'. Users in both locations connect to the Primary and carry out password management activities. At any point of time, the data in the Primary and the Secondary is in sync. Now assume that network connectivity between the two locations is lost. In such a scenario, users in location 'A' remain connected to the Primary and continue all operations. Users in location 'B' get emergency read-only access to the passwords from the Secondary. Once the network between the two locations is up again, the data in both locations is synchronized.

 

Scenario 2 - Primary & Secondary within the same network & Primary goes down

 

If the Primary crashes or goes down, the users in locations 'A' and 'B' can rely upon emergency read-only access to the passwords from the Secondary.
 

What happens to Audit Trails?

 

In the high availability scenarios mentioned above, audit trails are recorded as usual. In scenario 1, as long as there is network connectivity between the two locations, the audit trails are recorded by the Primary. When users connect to the Secondary, it records operations such as 'password retrieval', 'login' and 'logout'. When the two locations get back network connectivity, the audit data is synchronized. In scenario 2, when the Primary crashes, the 'password retrieval', 'login' and 'logout' operations done by users on the Secondary are audited. Other audit records are already in sync at the Secondary (Standby).

How to set up High Availability?

Prerequisite

 

Primary & Secondary Setup

 

Before setting up High Availability, you should have both Primary and Secondary (Standby) installations of PMP in place. Install one instance as 'Primary' by choosing the option 'Install as Primary' during the last stage of installation. Similarly, install the other instance as 'Secondary' on a remote server by choosing the option 'standby' during installation.

 

 

Step 1 - Changes in Primary Installation

Step 2 - Changes in Secondary Installation

 

 

Step 3 - Enabling Database Replication

 

 

Step 4 - Start Primary and Secondary

 

Verify High Availability setup

After carrying out the above steps, you can verify if the High Availability setup is working properly by looking at the message in "Admin >> General >> High Availability" page of Primary server. If the setup is proper, you will see the following:

 

Connection Status: Alive and High Availability Live is in progress now

Secondary server is running in host: <Host Name>

 

Database Backup

The data stored in the PMP database is of critical importance, and in any production environment there is a constant need to back it up for reference purposes or for disaster recovery. To achieve this, PMP provides two features:

Live Backup

Whenever an entry in the PMP database is added or modified, the data is immediately backed up. PMP achieves this live backup by leveraging the database replication feature offered by MySQL.

A live 'slave' database could be configured in a remote location and it will get instantaneously updated whenever the 'master' database running with PMP undergoes a change. At any point of time, the data in both the databases will be in synchronization with each other. In the unlikely event of any disaster to the primary database, you can rely on the slave database and recover the data.

To enable Live Backup,

Prerequisite

 

Step 1: Setup master and slave databases

 
 

Step 2: Start master and slave databases

 
 

Step 3: Start PMP server

 
 

Verify Live Backup Setup

 

After carrying out the above steps, you can verify if the Live Backup setup is working properly by looking at the message in "Admin >> General >> Database Backup" page. If the setup is proper, you will see the following:

 

Connection Status: Alive and Live Backup is in progress now

Slave database is running in host: <Host Name>

Recovering data from slave when master database crashes

In the rare event of master database crash, you can recover data from the slave database.

 

To recover the data,

Note: Once you have recovered the data from the slave and brought the master database back up, the slave database is no longer valid. Just delete the mysql folder on the remote machine. If you want to have Live Backup enabled again, you need to follow the steps once again.

Scheduled Backup

You can schedule database backup to be executed at any specific point of time.

To schedule database backup,

 

In the UI that opens up, select the schedule option - day, weekly or monthly.

To schedule backup at a specific day interval,

If your requirement is to back up the database contents at a specific day interval - say, once in three days - this option comes in handy. You can choose any interval between 1 and 28 days and also specify the time at which the backup has to be taken.

  1. Click the radio button "Day"
  2. Select the day interval
  3. Select the time at which the backup has to be taken
  4. Backed up data is stored as a .zip file under the <PMP_Home>/backUp directory. Every time a backup is executed, one backup file is created. You can specify the maximum number of such backup files to be kept in this directory. For example, if you choose "10" in the drop-down against the field "Maintain latest --- backups only", only the latest 10 backup files are kept under this directory
  5. Click "Save". The required backup schedule is created

 

  • Where does the backup data get stored? Is it encrypted?

All sensitive data in the backup file is stored in encrypted form in a .zip file under the <PMP_Home>/backUp directory. It is recommended that you copy this file to your secure, secondary storage for disaster recovery.

  • What is the best option for the database backup schedule?

Database backup is both time and resource consuming. Hence, it is recommended to schedule it during off-peak hours. While the operation is in progress, no configuration change can be performed in PMP.

  • Can I replicate the data to another server and have the permissions stay intact?

Yes. The PMP application is stateless and all the data is stored in the database; replicating the database against a fresh installation of the application gets you all the data intact.

 

To schedule backup on a specific day every week,

If your requirement is to back up the database contents on a specific day every week - say, on Mondays - this option comes in handy. You can choose any day from Sunday to Saturday and also specify the time at which the backup has to be taken.

  1. Click the radio button "Weekly"
  2. Select the day of the week
  3. Select the time at which the backup has to be taken
  4. Backed up data is stored as a .zip file under the <PMP_Home>/backUp directory. Every time a backup is executed, one backup file is created. You can specify the maximum number of such backup files to be kept in this directory. For example, if you choose "10" in the drop-down against the field "Maintain latest --- backups only", only the latest 10 backup files are kept under this directory
  5. Click "Save". The required backup schedule is created
 

To schedule backup on a specific date every month,

If your requirement is to back up the database contents on a specific date every month - say, on the 13th - this option comes in handy. You can choose any date from the 1st to the 31st and also specify the time at which the backup has to be taken.

  1. Click the radio button "Monthly"
  2. Select the date of the month
  3. Select the time at which the backup has to be taken
  4. Backed up data is stored as a .zip file under the <PMP_Home>/backUp directory. Every time a backup is executed, one backup file is created. You can specify the maximum number of such backup files to be kept in this directory. For example, if you choose "10" in the drop-down against the field "Maintain latest --- backups only", only the latest 10 backup files are kept under this directory
  5. Click "Save". The required backup schedule is created
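The three schedule kinds above (every N days, a weekday each week, a date each month) and the "Maintain latest --- backups only" retention rule, as an added Python example written for this page rather than taken from PMP. The page does not say how PMP treats a monthly date that a short month lacks (for instance the 31st in February); this example skips such months, which is an assumption, as are the function names and the constructed file list in the usage below.

```python
import calendar
from datetime import date, datetime, time, timedelta
from typing import List, Tuple


def next_run_day_interval(last_run: datetime, interval_days: int, at: time) -> datetime:
    """'Day' option: run again interval_days after the last backup, at the set time."""
    if not 1 <= interval_days <= 28:
        raise ValueError("day interval must be between 1 and 28")
    return datetime.combine(last_run.date() + timedelta(days=interval_days), at)


def next_run_weekly(now: datetime, weekday: int, at: time) -> datetime:
    """'Weekly' option: next occurrence of weekday (Monday=0 ... Sunday=6) at the set time."""
    days_ahead = (weekday - now.weekday()) % 7
    candidate = datetime.combine(now.date() + timedelta(days=days_ahead), at)
    if candidate <= now:            # today's slot has already passed: next week
        candidate += timedelta(days=7)
    return candidate


def next_run_monthly(now: datetime, day_of_month: int, at: time) -> datetime:
    """'Monthly' option: next occurrence of the date of the month at the set time.

    Assumption (not documented on the page): months that do not contain the
    chosen date are skipped rather than clamped to their last day.
    """
    if not 1 <= day_of_month <= 31:
        raise ValueError("date of month must be between 1 and 31")
    year, month = now.year, now.month
    for _ in range(24):             # at most two years of searching
        if day_of_month <= calendar.monthrange(year, month)[1]:
            candidate = datetime.combine(date(year, month, day_of_month), at)
            if candidate > now:
                return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1
    raise RuntimeError("no valid run date found within two years")


def backups_to_delete(archives: List[Tuple[str, float]], keep: int) -> List[str]:
    """Retention rule: given (file name, modification time) pairs for the .zip
    files under <PMP_Home>/backUp, return the names outside the newest `keep`,
    oldest first, so the caller can remove them after a new backup is written."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    newest_first = sorted(archives, key=lambda item: item[1], reverse=True)
    return [name for name, _ in reversed(newest_first[keep:])]


if __name__ == "__main__":
    # Constructed sample: four archives, keep the latest two.
    sample = [("pmp_0001.zip", 1.0), ("pmp_0002.zip", 3.0),
              ("pmp_0003.zip", 2.0), ("pmp_0004.zip", 4.0)]
    print(backups_to_delete(sample, keep=2))
    print(next_run_monthly(datetime(2024, 1, 31, 12, 0), 31, time(2, 0)))
```

Scheduling the run at an off-peak time, as the FAQ above recommends, is just a matter of the `at` value; the retention helper only decides which files leave the directory, so copying the newest archive to secondary storage should happen before it is called.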

Disaster Recovery

In the event of a disaster or data loss, you can restore the backed up data to the PMP database. To restore the data, PMP provides scripts.

Restoring the data

For Windows

 

 

For Linux

 

 

Important Note: Data backed up from PMP running on Windows can be restored only in Windows.

 

Password Management API

If applications in your infrastructure need to connect to other applications using a password, they can query PMP to retrieve the password. This way, application-to-application (A-to-A) passwords can also follow good password management practices such as periodic rotation, without the trouble of manually making updates in many places. The same procedure can be used for application-to-database (A-to-DB) password management.

How does A-to-A / A-to-DB Password Retrieval & Management Work?

The web API exposed by PMP forms the basis for A-to-A password management in PMP. Applications connect to and interact with PMP over HTTPS. The application's identity is verified by requiring it to present a valid SSL client certificate matching the details already provided to PMP for that application. PMP makes this easier for applications by providing a command line script that abstracts the complexities of using the web API; the command line scripts invoke libraries that use the web API.

How to setup Password Management API?

When you want an application to use the PMP web API, first you should register the application with PMP, providing specific details on the application. PMP will then create an integration toolkit containing the libraries and the command line scripts. The application can then use the toolkit to perform password operations on the PMP repository. Follow the procedure detailed below to do this:

 

Step 1 - Downloading API Toolkit

Application Name: Name of the application in which you wish to deploy A-to-A password management using PMP

DNS Name/IP Address: Required to establish communication between the application and PMP

OS Type: Select the operating system on which the application runs. Only the operating systems listed in the drop-down are supported by PMP (at present Windows and Linux are supported)

Operation Allowed: Specify the password management operations you wish to allow for the application - retrieving passwords alone, resetting passwords alone, or both retrieval and reset

Inherit the permissions of: You need to set the password access permissions for the application. The application cannot be allowed to manage all passwords; it has to be allotted the specific passwords accessible to it. PMP already has comprehensive, well-defined access permissions for users, so the application may be permitted to inherit the access level of one of the PMP users. Select the name of that user from the drop-down

Step 2 - Setting up PMP API in the application

 

As mentioned above, the application's identity is verified by requiring it to present a valid SSL client certificate matching the details already provided to PMP for that application. To make these settings,

 

Create SSL client certificate & private key

Configurations for PMP API

Step 3 - Creating truststore in PasswordManager Pro Installation

Important Note: The client certificate and private key must be present on the application server in which you want to use A-to-A / A-to-DB password management.

 

Commands to be included in your application for automatic A-to-A / A-to-DB password management

The above steps represent the completion of PMP API installation in the application. For automatic A-to-A password management, you need to use the following commands in your application invoking the API.

 

For Password Retrieval

 

Open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

 

PMP_API.bat/sh RETRIEVE <Resource Name as present in PMP> <Account Name as present in PMP>

 

Executing the above command returns the password alone.

For Password Reset

 

Open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

 

PMP_API.bat/sh RESET <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

 

Executing the above command attempts a remote password reset. If the operation succeeds, it also changes the password in PMP and returns the message "Password changed successfully". If the remote password reset fails, it does not change the password in PMP and returns the message "Password reset failed".
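A small Python wrapper around the two commands above, added here as an example and not part of the PMP integration toolkit, so an application can call RETRIEVE and RESET and act on the documented result messages instead of shelling out by hand. The command runner is injectable so the wrapper can be exercised offline; the PMP_SERVER_HOME default, the certificate and key file names, and the sample output in the test are assumptions.

```python
import os
import subprocess
import sys
from typing import Callable, List

# Assumed locations: the page only says the scripts live under <PMP_SERVER_HOME>\bin
PMP_SERVER_HOME = os.environ.get("PMP_SERVER_HOME", "/opt/PMP")
BIN_DIR = os.path.join(PMP_SERVER_HOME, "bin")
CLIENT_CERT = os.path.join(PMP_SERVER_HOME, "client.crt")  # assumed file names for the
CLIENT_KEY = os.path.join(PMP_SERVER_HOME, "client.key")   # client certificate and key

Runner = Callable[[List[str]], str]


def run_pmp_api(args: List[str]) -> str:
    """Invoke PMP_API.bat (Windows) or PMP_API.sh from the bin directory, return stdout."""
    script = "PMP_API.bat" if sys.platform.startswith("win") else "PMP_API.sh"
    proc = subprocess.run([os.path.join(BIN_DIR, script)] + args, cwd=BIN_DIR,
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def missing_prerequisites(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """The client certificate and private key must be present on the application server."""
    return [path for path in (CLIENT_CERT, CLIENT_KEY) if not exists(path)]


def retrieve(resource: str, account: str, runner: Runner = run_pmp_api) -> str:
    """RETRIEVE returns the password alone; pass it back unchanged and never log it."""
    return runner(["RETRIEVE", resource, account])


def reset(resource: str, account: str, new_password: str,
          runner: Runner = run_pmp_api) -> bool:
    """RESET attempts the remote reset; PMP updates its own copy only on success."""
    output = runner(["RESET", resource, account, new_password])
    if "Password changed successfully" in output:
        return True
    if "Password reset failed" in output:
        return False
    raise RuntimeError(f"unexpected PMP_API output: {output!r}")
```

Because the new password travels as a command-line argument, it is visible to other local users in the process list for as long as the script runs; keeping the application server single-purpose and restricting local logins limits that exposure.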

Rebranding PMP

If you want to replace the PMP logo appearing on the login screen and in the web interface with your own, you can do so from the web interface itself. It is preferable for your logo to be 210 * 50 pixels in size.

 

To rebrand the logo,

 

Changing the PMP login password

Users having an account with PMP can change their own password and email ID. The "Edit Account settings" tab facilitates this. Using this tab, the currently logged-in user can change only his/her own password and email ID.
 

To Change Login Password,

Note: If you do not want to display the 'Forgot Password' option, you can very well turn it off. See the section "General Optional Settings" for details.  

 

Password Policies

Password policies help you define the characteristics of passwords of various strengths, which can then be used to enforce strong passwords on resources. Apart from the default policies, you can create your own based on your requirements. The built-in password generator can generate passwords compliant to the defined policies.

 

The Password Generator randomly generates passwords based on the rules set by the administrator - for example, minimum number of characters, alphanumeric characters, mixed case, special characters etc. Every password input field in PMP has the password generator alongside it, and the policy set as the system default is used to generate passwords unless directed otherwise.

 

Password policy for PMP can be centrally managed from the "Admin" tab:

You can create your own password policy based on your requirements. To create a password policy,

  • How does a Password Policy get enforced in PMP?

This question naturally arises when you are in the process of adding a resource. The following example provides the answer: if your intention is to have accounts with strong passwords, other users with admin privileges should not be able to defeat this intention while changing the password, so this step is crucial. If you want to enforce the policy at the time of resource addition itself, see "General Optional Settings" for details.
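The policy rules, the policy-compliant generator and the Password Age described in this section, together with the two rotation choices from Step 2 of Scheduled Password Rotation (a unique random password per account, or one common password for the whole group) and the expiry rule from the Password Action Notification section, as one added Python example. This is illustration code written for this page, not PMP's own implementation; the PasswordPolicy fields, the sample 'strong' policy's rules other than its 5-day age, and all function names are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules a password must satisfy plus its validity period in days (assumed fields)."""
    name: str
    min_length: int
    require_mixed_case: bool
    require_digit: bool
    require_special: bool
    password_age_days: int


# Constructed sample policy: the 5-day age matches the page's default 'strong'
# policy; the other rule values are assumptions for this example.
STRONG = PasswordPolicy("strong", 12, True, True, True, 5)


def violations(policy: PasswordPolicy, password: str) -> List[str]:
    """List the rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    has_upper = any(c in UPPER for c in password)
    has_lower = any(c in LOWER for c in password)
    if policy.require_mixed_case and not (has_upper and has_lower):
        problems.append("missing mixed case")
    if policy.require_digit and not any(c in DIGITS for c in password):
        problems.append("missing digit")
    if policy.require_special and not any(c in SPECIAL for c in password):
        problems.append("missing special character")
    return problems


def generate(policy: PasswordPolicy) -> str:
    """Random password satisfying the policy, drawn from the OS CSPRNG.

    One character from each required class is picked first, the remaining
    positions are filled from the full alphabet, and the list is shuffled with
    secrets.randbelow so the required characters do not sit at fixed offsets.
    """
    alphabet = UPPER + LOWER + DIGITS + SPECIAL
    chars = []
    if policy.require_mixed_case:
        chars += [secrets.choice(UPPER), secrets.choice(LOWER)]
    if policy.require_digit:
        chars.append(secrets.choice(DIGITS))
    if policy.require_special:
        chars.append(secrets.choice(SPECIAL))
    while len(chars) < policy.min_length:
        chars.append(secrets.choice(alphabet))
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def is_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True once the password is older than the policy's Password Age."""
    return today > last_changed + timedelta(days=policy.password_age_days)


def rotate_group(accounts: List[str], policy: PasswordPolicy,
                 common: bool = False) -> Dict[str, str]:
    """New passwords for every account of a resource group (rotation Step 2).

    common=False gives each account its own random password; common=True
    allots one generated password to all accounts, the page's second option.
    """
    if common:
        shared = generate(policy)
        return {account: shared for account in accounts}
    return {account: generate(policy) for account in accounts}
```

The generator never uses the `random` module: `secrets` reads from the operating system's CSPRNG, which is the property a password generator needs and the one the shuffle step preserves.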

Audit

As PMP deals with sensitive passwords, it comes with an effective auditing mechanism to record who accessed what resource and when along with trails about every single action performed by the user. All operations performed by users on the GUI are audited with the timestamp and the IP address from where they accessed the application. The list of operations that are audited include

 

 

PMP provides two types of audit reports:

 

Resource Audit

All operations pertaining to 'resources' are captured under 'Resource Audit' and the following details are displayed when you traverse to Audit >> Resource Audit:

Exporting Resource Audit Trails as PDF Report

 

The Audit Trails could be exported as a PDF file. You can store it in a secure location for reference purpose. Click the button "Export Logs" to export the trails as PDF.

User Audit

All operations pertaining to 'users' are captured under 'User Audit' and the following details are displayed when you traverse to Audit >> User Audit:

Exporting User Audit Trails as PDF Report

 

The Audit Trails could be exported as a PDF file. You can store it in a secure location for reference purpose. Click the button "Export Logs" to export the trails as PDF.

 

  • Does PMP record Password viewing attempts and retrievals by users?

 

Yes, PMP records all operations performed by the user including the password viewing and copying operations. From audit trails, you can get a comprehensive list of all the actions and attempts by the users with password retrieval. The list of operations that are audited (with the timestamp and the IP address) includes:
 

    • User accounts created, deleted and modified
    • Users logging in and logging off the application
    • Resources and passwords created, accessed, modified and deleted

 

  • Can Audit Logs be deleted?

 

No, Audit Logs cannot be deleted. Since the audit trails in PMP represent a crucial record for all actions with user accounts and passwords, to prevent misuse, there is no provision to delete the audit logs.

 

  • How are the audit logs protected against modification?

 

All the audit records are stored in the MySQL database. To ensure security, the MySQL server has been configured not to accept connections from remote hosts. In addition, the password to access the MySQL server is randomly generated for every PMP installation. So, unless people gain entry into the database, the audit records cannot be modified.

 

Reports

PMP provides three types of reports -

 

Password Inventory Report

This report provides a snapshot of details about the total number of resources, passwords, resource types and users present in PMP. Besides, it provides details about the ownership of each password/resource and details about the time at which the passwords were accessed.

 

There are three sections in this report:

 

Password Inventory Summary

 

This section summarizes the total number of resources, passwords, resource types and users present in PMP.

 

Password Inventory by Resource Type

 

This section provides a pie-chart showing the distribution of passwords in accordance with the resource type.

 

Password Ownership & Access Details

 

This section lists the ownership details of resources and passwords in tabular form. You can search this report by clicking the icon at the top-right corner of the table.

 

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

Password Policy Compliance Report

This report provides a snapshot of the passwords that comply with the password policy set by the administrator and the ones that do not. Besides, it provides details about the ownership of each password.

 

For passwords found to be non-compliant, details of the non-compliance are also provided. This helps in taking the required corrective action immediately to make them compliant.

 

There are three sections in this report:

 

Password Policy Compliance - Summary Report

 

This section summarizes the total number of passwords, the number of passwords that comply with the policy and the number that are non-compliant.

 

Policy Violation by Resource Type

 

This section provides a pie chart showing the number of passwords that do not comply with the defined policy, by resource type.

 

Password Compliance - Detailed Report

 

This section lists the compliance details of all the resources (whether or not they comply with the defined policy). It also shows the number of violations in each resource and the ownership details of resources and passwords in tabular form. You can search this report by clicking the icon at the top-right corner of the table.

 

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

Password Expiry Report

This report provides information about the validity details of passwords. In other words, it provides details about the passwords that have expired and the passwords that are valid.

 

There are three sections in this report:

 

Password Expiry - Summary Report

 

This section summarizes the total number of passwords, the number of expired passwords and the number of valid passwords.

 

Password Expiry by Resource Type

 

This section provides a pie-chart showing the number of expired passwords in each resource type.

 

Password Expiry - Detailed Report

 

This section lists the expiry/validity details of all the resources. It also shows the number of expired and valid passwords in each resource and the ownership details of resources and passwords in tabular form. You can search this report by clicking the icon at the top-right corner of the table.

 

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

 

Optional General Settings

In PMP, there are certain important features such as enforcement of the password policy, a 'Forgot Password' option to reset PMP user passwords, email notification on PMP user creation or role modification, provision for managing personal passwords, exporting resources, remote password synchronization, etc.

While these features are very much needed in some organizations, others find them a hindrance. To cater to both sets of users, PMP strikes a balance through the optional general settings.

To access the settings page,

Enforce password policy during resource or password creation

By default, when you add a resource to PMP, it does not check the password for compliance with the password policy already defined by the IT administrator; the policy is enforced only when a password is changed. If you wish to check policy compliance at the time of resource/account addition itself, select this checkbox. Once you do, you will be permitted to add a resource/account only if its password complies with the defined policy.

Include passwords when resource details are exported to CSV format

When you export PMP resources to a CSV file, the account passwords are included in plain text by default. If, for security reasons, you wish to mask the passwords in the export, uncheck this checkbox. Once you uncheck this option, the passwords will be masked in the exported CSV file.

Show 'Forgot Password' option in the login screen

If a PMP user forgets his/her login password, they can rely on the 'Forgot Password' option, which sends a new login password to that user via email. By default, this option is enabled. If you do not want to display this option, uncheck the checkbox. Once you do this, the option will no longer be visible to any user on the login screen.

Allow 'Local Authentication' when AD/LDAP authentication is enabled

As explained earlier, PMP provides three types of authentication - LDAP authentication, AD authentication and PMP's local authentication. By default, PMP allows local authentication alongside LDAP or AD authentication. If you want to restrict authentication strictly to LDAP or AD, uncheck the checkbox. Once you do this, PMP users will be able to log in with their workstation password alone.

Default selection for user initiated remote password change action

One of the important capabilities of PMP is Remote Password Synchronization, which enables users to change the password of a resource in the PMP console and apply the change to the remote resource instantaneously. Remote synchronization of passwords is available for resources of the type Windows, Windows Domain and Linux. By default, when you change the password of an account belonging to one of these three types, the remote synchronization option is enabled. If you want it disabled by default, select the radio button "Do not apply changes to the resource". You can override this default at any time when invoking the change password option.

Notify users through email during account creation or modification

By default, whenever a new user account is added in PMP or an existing account is modified, an email is sent to the respective user: the login password in the case of a new user, and the details of the changes in the case of a modification. If you want to disable this option, uncheck this checkbox. Once you do this, emails will not be sent on user addition or modification.

Allow users to manage their personal passwords

PMP provides a personal password management feature as a value addition, letting individual users manage their personal passwords (credit card PINs, bank accounts, etc.) while using the software for enterprise password management. Personal passwords belong exclusively to the individual user. If you do not want to allow personal password management for your PMP users, uncheck this checkbox. Once you do this, the 'Personal' tab will not appear in the PMP GUI.

Enforce users to provide a reason when changing the resource password

By default, when a user changes a resource password it is not mandatory to add a comment giving the reason for the change. However, requiring a comment is good practice and aids in auditing user actions. If you want to enforce this, select this checkbox. Once you do this, users will be prompted to enter a comment giving the reason whenever they change a password.

Setting inactivity timeout for workstations left unattended

As PMP users deal with sensitive passwords, from an information security point of view it is hazardous to leave a web-interface session alive when the user has walked away from the workstation. The inactivity timeout is configured by specifying a time limit in minutes. If a user is inactive in the GUI for the specified time limit, the user is automatically logged out of the session.
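
The sliding idle window described above, written out as an added example (illustrative code, not PMP's own implementation): a session store records each session's last request time, logs the session out when the gap since that request exceeds the limit given in minutes, and a sweep removes sessions that simply never send another request. The session ids, the 15-minute limit and the injected clock are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrSessionExpired is returned once a session has been idle past the limit.
var ErrSessionExpired = errors.New("session expired due to inactivity")

// SessionStore records the last request time of each web session and enforces
// an inactivity timeout. The clock is injected so the behaviour can be
// exercised without sleeping. (Hypothetical design, not PMP's own code.)
type SessionStore struct {
	mu      sync.Mutex
	timeout time.Duration
	now     func() time.Time
	last    map[string]time.Time
}

// NewSessionStore takes the limit in minutes, as the PMP setting does.
func NewSessionStore(timeoutMinutes int, now func() time.Time) *SessionStore {
	return &SessionStore{
		timeout: time.Duration(timeoutMinutes) * time.Minute,
		now:     now,
		last:    make(map[string]time.Time),
	}
}

// Login registers a session and stamps its first activity.
func (s *SessionStore) Login(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.last[id] = s.now()
}

// Touch runs on every authenticated request. If the gap since the previous
// request exceeds the limit, the session is dropped (the user is logged out)
// and ErrSessionExpired is returned; otherwise the idle window restarts.
func (s *SessionStore) Touch(id string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	last, ok := s.last[id]
	if !ok {
		return errors.New("unknown session")
	}
	if s.now().Sub(last) > s.timeout {
		delete(s.last, id)
		return ErrSessionExpired
	}
	s.last[id] = s.now()
	return nil
}

// Active reports whether the session is still live.
func (s *SessionStore) Active(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.last[id]
	return ok
}

// Sweep drops every session idle longer than the limit, so an unattended
// session dies even if the browser never sends another request.
// It returns the ids removed.
func (s *SessionStore) Sweep() []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	var gone []string
	for id, last := range s.last {
		if s.now().Sub(last) > s.timeout {
			delete(s.last, id)
			gone = append(gone, id)
		}
	}
	return gone
}

func main() {
	clock := time.Unix(0, 0) // constructed clock for the demo
	store := NewSessionStore(15, func() time.Time { return clock })
	store.Login("alice")
	clock = clock.Add(20 * time.Minute) // no request for 20 minutes
	fmt.Println(store.Touch("alice"))   // session expired due to inactivity
}
```

Touch is the check a request handler would call before serving any page; Sweep is what a background task runs so that a session whose browser tab was simply left open still dies at the limit.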
Enforce users to provide two different accounts for use with remote password reset for UNIX / Linux resources

To enable remote password synchronization for UNIX/Linux resource types, you can require users to provide two different accounts for the password reset. If you do not enable this option, users will be allowed to enable remote synchronization with just one account.

Provision for storing personal information

The PMP web interface provides for storing the passwords and details of personal applications. For example, you can store personal email account information, credit card numbers, banking accounts, contact addresses, phone numbers, email ids, etc. This information can be accessed only by the respective user. Secure storage, retrieval and viewing of the details are assured.

Deciding the encryption key, the first step

Before you start adding your personal details, choose how securely you want PMP to maintain your personal passwords. All your personal passwords will be encrypted and stored in the database. Tell PasswordManager Pro which encryption key to use by choosing one of the options given below. This is a one-time configuration that cannot be changed later, so make your choice carefully.

Option 1: Use my encryption key and do not store it (recommended)

All your passwords will be encrypted using the key supplied by you, and the key will not be stored in the PMP database. To access your personal passwords you will have to supply this key every time, and if you forget this key you will lose all your passwords. This is useful where you store sensitive personal data.

If you want to choose this option, go to the "Personal" tab, click the option and enter the encryption key in the text field.

Option 2: Use my encryption key and store it

All your passwords will be encrypted using the key supplied by you. The key will be stored securely in the PMP database. During subsequent password retrievals you need not supply the key, nor do you need to remember it.

If you want to choose this option, go to the "Personal" tab, click the option and enter the encryption key in the text field.

Option 3: Use PMP's Encryption Key

All your passwords will be encrypted with the same key as the enterprise passwords. You do not have to supply or remember any encryption key.

If you want to choose this option, go to the "Personal" tab, click the option and enter the encryption key in the text field.
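
To make the difference between the three options concrete, here is an added example that is not PMP's code (this page does not describe PMP's actual key handling). It models what the database row holds under each option and who can decrypt it. The example assumes AES-256-GCM for the stored data and PBKDF2-HMAC-SHA256 for turning the user-supplied key into an AES key, and it models "stored securely" in Option 2 as the user's key wrapped under the server key; the server key, passphrase and secret used in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const iterations = 100000 // constructed PBKDF2 work factor for the example

// pbkdf2sha256 derives a 32-byte key (PBKDF2-HMAC-SHA256, RFC 8018 5.2, one
// output block), written inline so the example needs only the standard library.
func pbkdf2sha256(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): first and only output block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails authentication instead of yielding garbage.
func open(key, data []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// Record models the database row for one personal password.
type Record struct {
	Option     int    // 1, 2 or 3 as described on the page
	Salt       []byte // options 1 and 2: salt for deriving the user's key
	WrappedKey []byte // option 2 only: the user's key sealed under the server key
	Ciphertext []byte
}

// Store encrypts secret under the chosen option; serverKey stands in for PMP's
// enterprise key (assumed) and passphrase is the user-supplied encryption key.
func Store(option int, serverKey []byte, passphrase, secret string) (rec Record, err error) {
	if option < 1 || option > 3 {
		return rec, errors.New("unknown option")
	}
	rec.Option = option
	key := serverKey // option 3 uses PMP's own key directly
	if option != 3 { // options 1 and 2 derive the key from the user's passphrase
		rec.Salt = make([]byte, 16)
		if _, err = rand.Read(rec.Salt); err != nil {
			return
		}
		key = pbkdf2sha256([]byte(passphrase), rec.Salt, iterations)
	}
	if option == 2 { // "store it": the key itself goes into the database, wrapped
		if rec.WrappedKey, err = seal(serverKey, key); err != nil {
			return
		}
	}
	rec.Ciphertext, err = seal(key, []byte(secret))
	return
}

// Retrieve decrypts a row; only option 1 needs the passphrase again.
func Retrieve(rec Record, serverKey []byte, passphrase string) (string, error) {
	key := serverKey // option 3
	var err error
	switch rec.Option {
	case 1:
		key = pbkdf2sha256([]byte(passphrase), rec.Salt, iterations)
	case 2:
		if key, err = open(serverKey, rec.WrappedKey); err != nil {
			return "", err
		}
	}
	pt, err := open(key, rec.Ciphertext)
	return string(pt), err
}

// ReadableWithServerKeyOnly: can a database copy plus the server key, without
// the user's key, recover this row? True for options 2 and 3, false for 1.
func ReadableWithServerKeyOnly(rec Record, serverKey []byte) bool {
	_, err := Retrieve(rec, serverKey, "")
	return err == nil
}
```

ReadableWithServerKeyOnly makes the trade-off the page describes explicit: under Options 2 and 3 anyone holding the database and the server key can read the personal passwords, while an Option 1 row stays sealed without the user's key, which is also exactly why forgetting that key loses the data.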

Storing Personal Accounts

After choosing the encryption key, you can proceed with adding your personal accounts such as web accounts, bank accounts, credit card accounts and personal contacts. You can also add your own categories depending on your needs.

For all of the above, you can add custom fields according to your requirements.

Note: There are four default categories - Web Accounts, Banking, Credit Cards and Contacts. These categories cannot be deleted. However, custom categories created by you can be deleted at will.

Web Accounts

To add a New Web Account,

Can I add Custom Fields?

Yes, you can add additional custom fields. To add a custom field, click the "Customize Fields" button. Additional fields can be in any of four formats - Character/list, Numeric, Password, Date & Time. Up to nine character/list fields, four numeric fields, three password fields and four date & time fields can be added. Once you click "Save", the custom fields are added to the web accounts column. Custom fields, once added, cannot be deleted.

To Delete Accounts,

Note: Once you delete accounts, they are removed from the database once and for all. So, exercise care before deleting accounts.

Banking Accounts

To add a New Account,

Can I add Custom Fields?

Yes, you can add additional custom fields. To add a custom field, click the "Customize Fields" button. Additional fields can be in any of four formats - Character/list, Numeric, Password, Date & Time. Up to nine character/list fields, four numeric fields, three password fields and four date & time fields can be added. Once you click "Save", the custom fields are added to the web accounts column. Custom fields, once added, cannot be deleted.

To Delete Accounts,

Note: Once you delete accounts, they are removed from the database once and for all. So, exercise care before deleting accounts.

Credit Card Accounts

To add a New Account,

Can I add Custom Fields?

Yes, you can add additional custom fields. To add a custom field, click the "Customize Fields" button. Additional fields can be in any of four formats - Character/list, Numeric, Password, Date & Time. Up to nine character/list fields, four numeric fields, three password fields and four date & time fields can be added. Once you click "Save", the custom fields are added to the web accounts column. Custom fields, once added, cannot be deleted.

To Delete Accounts,

Note: Once you delete accounts, they are removed from the database once and for all. So, exercise care before deleting accounts.

Personal Contacts

To add a New Web Account,

Can I add Custom Fields?

Yes, you can add additional custom fields. To add a custom field, click the "Customize Fields" button. Additional fields can be in any of four formats - Character/list, Numeric, Password, Date & Time. Up to nine character/list fields, four numeric fields, three password fields and four date & time fields can be added. Once you click "Save", the custom fields are added to the web accounts column. Custom fields, once added, cannot be deleted.

To Delete Accounts,

Note: Once you delete accounts, they are removed from the database once and for all. So, exercise care before deleting accounts.

Creating Custom Categories

Apart from the four default categories explained above, you can create any number of additional categories to store other information. For instance, if you wish to store details of the properties you own, you can add one more category for them, with your own names for the columns.

To create a custom category,

Note: If any of the custom categories are no longer required, you can delete them by clicking the "X" mark against their name in the "Manage Categories" page. Once you delete a category, it is removed from the database once and for all. So, exercise care before deleting.

Copyright 2006, AdventNet Inc. All Rights Reserved.