Password Manager Pro Release Notes
Version 12.1 (12101)
Hotfix
24th June 2022
Security Fixes
- A remote code execution vulnerability that allowed an adversary to exploit the host via XML-RPC has been fixed.
- An authentication bypass vulnerability that allowed an adversary to create arbitrary directories and ample small-sized files in the Password Manager Pro server has been fixed.
Version 12.1 (12100)
Major
25th May 2022
New Feature
Password Manager Pro now supports creating schedules for automatically discovering the new privileged
accounts during Linux, Network Devices, and VMware discovery.
Enhancements
- Earlier, the users could only configure SAML for the Primary server as the service provider. From now on, the Secondary server can be set up as a separate service provider, allowing users to log in to the Secondary server using SAML when the Primary server is down/unavailable.
- The API handling code is enhanced to support the V3 API format of ServiceDesk Plus MSP.
- Dropbox SDK has been updated from version 3.0.3 to version 5.0.0. From now on, a short-lived access token will be used.
- Administrators can now enable and set up a customizable welcome message once a session commences. In addition, they can enable the session recording status in the session window.
- Earlier, Password Manager Pro did not have any approval process for VNC passwords. Hereafter, Password Manager Pro will allow validations, such as Access Control and Helpdesk for VNC passwords.
Note: After upgrading to 12100, all VNC resource passwords will be added to an account - "_VNCACCOUNT_" under their respective resources. Users can take VNC connections directly from this account for the respective resources.
- From build 12100, the Password Manager Pro administrators can modify the messages in access control workflow dialog using message templates.
- Earlier, users could auto-logon to resources using the logged-in AD account alone. From now on, auto-logon is possible through the logged-in LDAP and Azure AD user accounts as well.
- MFA Reset Option for Privileged Administrators
From build 12100, administrators can reset Multi-Factor Authentication (MFA) for the users, and the users will also be able to reset MFA for themselves.
- SAML Single Logout
Password Manager Pro now supports SAML Single Logout, which automatically terminates all related sessions established using SAML SSO once the user logs out from the PMP UI.
- New REST API
A new REST API, 'Reset Two-Factor Authentication', has been added. It is of ideal use for REST API users with an admin role or a custom role with admin operation to automatically reset the Two-Factor Authentication configured for the end-users by supplying their username - for example, when a user loses their phone configured with PAM360 MFA.
- In addition to TLS 1.1 protocol, Password Manager Pro now communicates to agents through TLS 1.2 protocol.
Behavior Change
From now on, users can launch VNC connections through their respective VNC accounts from the Resources tab only.
Bug Fix
From build 11103, when proxy server configuration was enabled in Password Manager Pro, users using the latest version of Duo TFA experienced a premature authentication time-out. This issue has been fixed.
Version 12.0 (12007)
Hotfix
14th April 2022
Bug Fix
From build 12005 onwards, Password Manager Pro server machines experienced performance issues due to a
high volume of PMP Agent requests in environments where the PMP agents were deployed to the end-points.
This issue is fixed now.
Security Fix
An authentication bypass vulnerability (CVE-2022-29081) affecting ManageEngine Password Manager Pro
builds from 10103 upto 12006, has been fixed. It occurred due to an improper URI check that allowed an
adversary to bypass security checks in seven RESTAPI URLs, gain unauthorized access to the application,
and invoke the following operations:
- Restart the service.
- Apply server certificates.
- Access the dashboard details.
- Get existing license details.
- Apply new license to the product.
- Fetch event logs.
- Set up synchronization schedules.
- Create new certificates.
- Create and download CSR.
Version 12.0 (12006)
Minor
1st April 2022
Bug Fixes
- From build 12005, the global keyword search returned all the resources instead of the filtered
search results based on the specific search keyword entered. This issue has been fixed.
- From build 12000, users could not launch RDP sessions using Windows Domain accounts if the 'Reason'
field in the 'Auto logon using other domain accounts' wizard contained special characters, such as #
in it.
Version 12.0 (12005)
Minor
28th March 2022
Upgrade
Apache Log4j has been upgraded to the latest version 2.17.2.
Enhancements
- From this build onwards, we have enhanced our security checks against Path Traversal, Local File
Inclusion, Stored XSS, Reflected XSS, and DOM XSS vulnerabilities.
- From this build onwards, three new default query reports have been added under the 'Resources'
category - Resources with Accounts, Resources with Types, and Resources with Ungrouped Passwords.
Bug Fixes
- From build 12004, when the 'Windows Remote Desktop' option was disabled under 'Auto Logon Helper'
for a particular resource type, the 'Record RDP Sessions' checkbox did not appear in the 'Add/Edit
Account' wizard even when the 'RDP Console Session' option was enabled for that resource type. This
issue has been fixed now.
- From build 12004, the 'Record SSH/Telnet Sessions' checkbox was not available for the 'Windows
Domain' sync type. This issue has been fixed now.
- From build 12004, the 'SSH Port For Auto Logon' option was not visible in the 'Edit Resource' wizard
for Network resource types such as Fortigate, VMware Vcenter, and Brocade. This issue has been fixed
now.
Version 12.0 (12004)
Minor
23rd February 2022
Customer Reported Issues
- From ManageEngine ADSSP build 6117 onwards, the integration with Password Manager Pro was broken.
This issue has been fixed.
- From build 12000 onwards, the administrators were unable to delete custom roles. This issue has been
fixed.
- From build 12000 onwards, when users newly configured ‘Purge Audit Records’ and the specified number
of days was set to 0, to disable purging, Password Manager Pro removed all the audit records. This
issue has been fixed now.
Version 12.0 (12003)
Minor
24th December 2021
Enhancement
From build 12003, the API user host name has been modified to be case-insensitive.
Bug Fixes
- From build 12000, administrators were unable to import users through AD. The issue has been fixed.
- From build 12000, the 'Password' field under 'Personal tab >> Custom Categories' that has to
be hidden, was visible. The issue has been fixed.
- From build 12000, while configuring replication, the login failed if the login name was in the
format - 'domainname\loginname'. The issue has been fixed.
- From build 12000, Password Manager Pro failed to load when the user logins via SAML SSO. The issue
has been fixed.
Version 12.0 (12002)
Hotfix
4th December 2021
Security Fix
We have fixed an authentication bypass vulnerability (CVE-2021-44525) that affects ManageEngine
Password Manager Pro, versions up to 12001, and allows an adversary to gain unauthorized access to the
application and invoke actions through specific application URLs.
Version 12.0 (12001)
Hotfix
26th November 2021
Bug Fix
After installing build 12000 in non-English machines, users could not access Password Manager Pro. This
issue has been fixed.
Version 12.0 (12000)
Major
18th November 2021
Enhancements
- The internal security framework has been upgraded to the latest version to reduce the occurrence of
vulnerabilities and improve overall security.
- The PostgreSQL server has been upgraded from version 9.5.21 to 10.18.
- The Apache Tomcat server has been upgraded from version 8.5.32 to 9.0.54.
- The Rubyrep tool has been upgraded from version 1.2.0 to 2.0.1.
- Password Manager Pro has now migrated to the OpenJDK platform, version 1.8 .0_252.
- In addition to supporting the JTDS JDBC driver to connect to the SQL server, Password Manager Pro
now supports Microsoft JDBC driver, version 8.4.1.
- We have implemented a patch integrity verification, which will henceforth require importing an SSL
certificate (available as a downloadable file) whenever the product is upgraded using the PPM file. It
is only a one-time operation. For the upgrade instructions and PPM download links, click here.
- Password Manager Pro allows users to add accounts via the Windows Domain agent when the account
filter is provided using regex patterns.
- Henceforth, if an administrator restricts a user from setting up the encryption passphrase for their
personal passwords (under 'General Settings'), the user can set up an 'encryption key' for their
personal passwords from the 'Personal' tab. They are also free to choose between whether to store or
not store the encryption key or use Password Manager Pro's encryption key.
- It is now possible to move the RESTAPI users to the client, and the supported client organizations
with complete access can manage resources and accounts.
- The six system-created audit schedules - 'Resource Audit Purge Schedule', 'Resource Audit Digest
Schedule', 'UserAudit Purge Schedule', 'UserAudit Digest Schedule', 'TaskAudit Purge Schedule', and
'TaskAudit Digest Schedule' have been merged into a single schedule - 'Audit Purge and Digest'
Schedule.
- The system-created scheduled task 'Audit Update Schedule' has been renamed as 'Dashboard Chart
Activity Schedule'. It is available under 'Admin >> Manage >> Scheduled Tasks'.
- Previously, when the 'Purge Audit Records' option was enabled, all the audit records older than the
specified number of days were purged. From build 12000 onwards, users can choose to retain or delete
audit records based on the operation type.
- From now on, MSP admins will be able to replicate audit operation type settings and audit purge
settings across all client organizations.
- New REST APIs
This release comes with a bunch of new REST APIs for the following operations: Associate a resource to
a resource group, Dissociate a resource from a resource group, Fetch resource groups associated with a
resource, Delete a resource group, and Fetch ResourceGroupID.
Version 11.3 (11301)
Minor
24th September 2021
Enhancement
Two new agents have been introduced in build 11301 - C# agent for Windows/ Windows Domain and Go agent
for Linux. Password Manager Pro will henceforth allow users to restrict user accounts that are added via
agents (new agents only) during account discovery, using regex patterns.
Bug Fixes
- Earlier, the agent key validity could be set only up to 24 hours. Now, the agent key validity can be
set up to 999 hours via system properties.
- Earlier, Windows Firewall settings prevented multiple agent discovery in machines. This issue has
been fixed now.
- Earlier, while choosing the database, lengthy database connection names were only half visible in
the UI. This issue has now been fixed by adding a tooltip with the full database name.
- From build 11200, users imported via AD were unable to login into Password Manager Pro using local
authentication. This issue has been fixed.
Version 11.3 (11300)
Major
12th August 2021
New Features
- Renewal of Certificates
A 'Renew' option has been newly added under 'Certificates >> Certificates' that allows users to
initiate the renewal of Self Signed, Root Signed, Microsoft CA Signed, and Agent-signed certificates,
and also the certificates issued by the third-party CAs.
Upon renewal, the renewed certificates will automatically inherit the deployed servers and their
credentials.
- Discovery from UNC Shared Path for Windows, Linux, and Mac OS
Password Manager Pro now supports SSL certificate discovery from UNC (Universal Naming Convention)
shared paths for Windows, Linux, and Mac OS machines. Use this feature to discover SSL certificates
stored in a folder path within a server that is accessible by Password Manager Pro. After the
discovery, Password Manager Pro will consolidate the newly-discovered SSL certificates in its
certificate repository. This option is available during scheduled certificate discovery as well.
- Certificate Discovery in DMZ Machines using the KMP Agent
It is now possible to discover the SSL certificates from directories in remote machines that are not
directly accessible by Password Manager Pro—all through the KMP Agent. This option is available during
scheduled certificate discovery as well.
- Browser Deployment of Certificates
Users will now be able to deploy SSL certificates in browsers from Password Manager Pro for the
following server types: Windows, Linux, and MacOS.
- SSH Key Association using "Elevate to root user" Option
This release comes with a new "Elevate to root user" option. Now, as a security measure, it is
possible to restrict users from directly accessing root users by disabling the root user login.
Enabling this option elevates a user login from a non-root user to a root user and associates keys to
all other users on the server.
- RestApi
The new REST API, 'Deploy Certificate', has been added.
- SSL Certificate Rediscovery
Password Manager Pro now allows you to rediscover SSL certificates from the same source using the
server details entered during the previous discovery operation.
- Integration with Buypass Go SSL and ZeroSSL
Password Manager Pro now integrates with Buypass Go SSL and ZeroSSL—two certificate authorities that
use the Automatic Certificate Management Environment (ACME) protocol to provide free, secure SSL
certificates. Users can now request, acquire, create, deploy, renew, and automate the end-to-end
management of SSL/TLS certificates issued by Buypass Go SSL and ZeroSSL, all directly from the
Password Manager Pro web interface.
- Integration with ManageEngine Mobile Device Manager (MDM) Plus
Password Manager Pro now integrates with ManageEngine Mobile Device Manager (MDM) Plus. This
integration uses ManageEngine MDM APIs to discover and deploy SSL certificates to and from the mobile
devices managed by your MDM server. Password Manager Pro then lets you filter the discovered SSL
certificates based on the OS type such as iOS, Android, Windows, Chrome OS, Mac OS, and Apple tvOS. It
is also possible to export reports of the MDM certificates managed in the Password Manager Pro
repository within a selected period. Additionally, you can schedule periodic generation of MDM
certificate reports.
- Manager Pro allows you to globally modify the access level of the shared certificates.
- New REST API's, 'Share SSL Certificate to User', 'Share SSL Certificate to User Group', 'Share SSL
Certificate Group to User', 'Share SSL Certificate Group to User Group', 'Revoke SSL Certificate from
User', 'Revoke SSL Certificate from User Group', 'Revoke SSL Certificate Group from User', 'Revoke SSL
Certificate Group from User Group', 'Create SSL Certificate Group', 'Delete SSL Certificate Group',
'Edit SSL Certificate Group', 'Generate an Agent Install Key', have been added.
Enhancements
- Users can now view all the certificates associated with a particular agent by clicking the 'Host
Name' of the agent listed under Certificates >> Certificates >> Windows Agents'.
- Now, users can discover certificates issued by a particular 'Microsoft Certificate Authority' just
by entering the MSCA name in the text box provided, during discovery. Remember, this additional option
will be available for Password Manager Pro installations in Windows server machines only.
- Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed
certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a
registered base-domain.
- Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional
fields followed a fixed format. Now, the customization settings configured for notification emails in
'Admin >> SSH/SSL Config >> Notification Settings' will be applied to the emails sent via
email addresses in the additional fields as well.
- Password Manager Pro now supports scheduled SSL discovery and MS Certificate Store Discovery tasks
with the KMP agent.
- Previously, the certificates due for expiry in 10 days or less got automatically renewed. Now, users
will be able to customize the number of days to auto-renew the certificates before they expire.
- From now on, during CSR signing of SSL certificates using the KMP agent, it is possible to specify
the Agent timeout value, in seconds.
- Henceforth, users will be able to select specific Certificates or Certificate Groups while
generating the 'SSL Certificates Report' Schedule type (under 'Admin >> SSH/SSL Config >>
Schedules >> Add Schedule').
- Users will now be able to add and edit the deployed servers list under 'Certificates >>
Certificates >> Multiple Servers (icon)'. Newly added servers will be mapped with the latest
certificate version in the certificate repository.
- Password Manager Pro now supports IP range discovery for MS Certificate store discovery
('Certificates >> Discovery >> MS Certificate Store') using the PMP service with the
domain Admin account. This allows administrators to discover certificates across networks.
- Password Manager Pro now supports 'Load Balancer' Certificates discovery for Citrix devices. From
build 11300 onwards, Password Manager Pro also supports scheduled certificate discovery from
Linux-based load balancers such as BIG-IP F5, Nginx, and Citrix.
- Certificates and CSR generation pages have been enhanced with the Random Password generation
feature.
- Users can now select up to five certificate templates while performing template-based SSL
certificate discovery.
- Users can now bypass proxy server settings while performing SSL certificate discovery. If this
option is selected, Password Manager Pro will bypass the proxy server and directly perform online
certificate discovery. This option is available during scheduled certificate discovery also.
- Earlier, after certificate renewal, users will have to deploy MSCA/-self-signed certificates
manually. Now, it is possible to deploy these certificates automatically if the user credentials are
available.
- Users will now be able to choose the 'Certificate type' [CER/DER/P7B/CRT] and 'Keystore type'
[JKS/PKCS/PEM/KEY] while deploying certificates to Windows and Linux machines and while exporting
certificates.
- Now, it is possible to renew MSCA type Certificates with a new private key if a private key not
available already.
- From now on, Password Manager Pro supports ClouDNS to complete domain control validation while
acquiring certificates from public Certificate Authorities.
- Support for AES256-encrypted PKCS12 Keystores while adding certificate Keystores.
- MSCA Discovery with KMP Agent using Multiple Templates
Users can now select up to five certificate templates while performing agent-based certificate
discovery of local CA certificates. Before using this enhancement, please ensure the KMP Agent is
upgraded to version 11300.
- Search-Enabled Custom Columns
From build 11300 onwards, Password Manager Pro allows you to search within custom columns for SSL
Certificates and SSH keys.
- Multiple Servers List
Now you can include multiple servers for certificates in SSL certificate expiry notifications.
- GoDaddy Certificates Import
From now on, users can directly import the existing certificates from their GoDaddy account into the
Password Manager Pro repository.
- Local Disassociation of Keys
It is now possible to dissociate keys locally if remote dissociation fails for users whose access has
been discontinued.
- APIs - Serial Number as the Mandatory Field
Earlier, the Serial Number field, which was optional in the below APIs, has now been made mandatory;
To get a certificate, To get certificate keystore, and To delete a certificate.
- Serial Number in the getCertificateDetails Rest API
In the getCertificateDetails Rest API, Serial Number has been added as an optional field; filling it
fetches the details of that particular certificate alone.
- Henceforth, the SSL certificates can be manually mapped with deployed servers list to any server
directly from Certificates >> Certificates >> More >> Add Deployed Server'.
- From now on, certificates/CSRs/certificate groups will have an email field to which the SSL expiry
email notifications can be sent, where the expiry notification email address can be provided while
creating the Certificate and CSR.
- A new option - Deploy to Microsoft certificate store user account, has been added, which facilitates
the deployment of the Microsoft Store deployed certificates to the respective user accounts, besides
deploying to the computer accounts.
- The SSL Certificate Expiry notification, set up under 'Admin >> SSH/SSL Config >>
Notifications Settings >> Expiry', will now include Issuer, FingerPrint, and Serial Number
fields in the Certificate Expiry email.
- From build 11300, the 'Certificates Audits' tab will be available under the 'Audits' tab, where, all
the certificates audit related to all the users will be displayed.
- New REST APIs 'Get Password Policies' and 'Get Resource Types' have been added.
Bug Fixes
- The KMP agent got duplicated when re-installed from a different IP address. This has been fixed.
- The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
- The issue in MSCA auto-renewal with the EC key has been fixed.
- Get Templates issues that existed with the non - English languages have been fixed.
- Under 'Admin >> SSL Certificates >> IIS Binding', binding list retrieval failed for
bindings with a protocol other than HTTP/HTTPs. This issue has been fixed.
- Earlier during Digicert import, Password Manager Pro failed to import client/personal certificates
into Password Manager Pro. This issue is now fixed.
- Earlier, the date format had the month as a part of the value, due to which sorting did not work.
Now, this issue has been resolved by modifying the date format in the CSV file to be the standard date
format.
- Earlier, while discovering certificates using a load balancer, there were problems with commands
other than the standard Linux commands. This issue has been fixed.
- Get templates issue has been fixed for CA name-based fetch.
- Previously, the proxy configuration was not supported in GlobalSign integration, due to which users
with proxy were unable to use the integration. This issue has been fixed now.
- Earlier, it was possible to add or modify IISBinding only by giving the 'hostname'. This issue has
been fixed, and now 'hostname' is not mandatory to create or update IISBinding.
- Earlier, MSCA templates showed the OID instead of the template name. This issue is fixed.
- During SSL discovery, discovery from servers with mutual authentication failed. This issue has been
fixed now.
- MSCA discovery, when carried out using an agent without any filter, failed. This issue is fixed now.
- There was an issue in exporting the certificates as password-protected zips when password protection
for exports was enabled under 'Privacy Settings'. This issue has been fixed now.
- There was a failure in Linux deployment from the ServiceDesk Plus request. This issue has been fixed
now.
- Earlier, when the custom settings option 'View Support Information' was enabled for a custom user
role, the users with that role were unable to access the 'Support' option from the profile drop-down.
This issue is fixed now.
- Earlier, when a new category was created with the same name as an existing one from the 'Personal'
tab, the product did not display an error message. This issue is fixed now.
- Earlier, if the name of a category seen from the 'Personal' tab contained the special character
'&', the contents of the category were not visible in the display area. This issue is fixed now.
- Earlier, when a new resource was created using the 'Create Resource' API, and the 'Resource URL'
field was left blank, users could not edit the resource attributes in the Password Manager Pro UI.
This issue is fixed.
Behavior Change
From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab.
However, the existing users can manage their already added certificates from the History section, which
has now been moved under the 'Column Chooser'.
Security Fixes
- An XSS vulnerability (ZVE-2021-0956) that occurred during Load Balancer discovery has been fixed.
- A SQL injection vulnerability identified in the PostgreSQL password reset functionality is fixed.
- A path traversal vulnerability identified in the role report section is fixed by adding proper
validation steps for the download file path of the report.
- Earlier, users could reopen a closed remote SSH session window from the browser history page and
reinitiate the remote connection without requesting for the password of the resource again. This issue
is fixed.
Version 11.2 (11201)
Hotfix
16th July 2021
Bug Fix
- In 11200, users could not make connections using Windows domain accounts, configured with Access
Control, even if the users had the access approval. This issue has been fixed.
Note: All the requests raised for Windows domain accounts in 11200, though valid, cannot be
used to make remote connections, hence users will have to re-request for those accounts post the 11201
upgrade.
Version 11.2 (11200)
Major
7th July 2021
Enhancements
- New Query Reports
Two new default query reports for users having access to the browser extension and users who don't
have
access to the browser extension have been added.
- New Resource Type
We have introduced a resource type, Cisco Nexus OS.
- New Rest APIs
This release comes with a bunch of new RESTAPIs: Fetch UserGroupID, Configure Remote Password Reset
for
Linux resources, Share Resource and Share account to User Group.
Behavior Changes
- The API handling code which earlier responded to the V1 API format of ServiceDesk Plus On- Premises
and ServiceDesk Plus Cloud will henceforth respond to their V3 API format.
- The Authentication mechanism of ServiceDesk Plus Cloud has been updated from the older Authtoken
based
method to OAuth 2.0. In addition, from now on, it is possible to validate entries in the ticketing
system columns against the entries in Password Manager Pro to check for any mismatches. Earlier, it
was
possible to check the entries in Password Manager Pro alone.
Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus
Cloud,
this upgrade pack will disable the integration and delete the complete integration data. You will have
to
reconfigure the ticketing system again. So, make sure you have a backup of the advanced configurations
in
the form of screenshots for reference purposes.
Bug Fixes
- When the PMP and KMP agents were installed in the same machine, the data used for the agents'
authentication was stored in the same place in the registry, causing the overwriting of the agents'
data, thereby making the agents non-functional. This issue has been fixed.
- The automated scheduled task introduced for dashboard optimization caused the database connections
to
become unavailable, for some time, for a few users. This issue has been fixed now.
- When Two-Factor Authentication was enabled, the legal banner and the privacy policy banner links in
the Login page (enabled from the 'Rebrand' wizard) did not show up/work. We have resolved this issue.
- Earlier, for some users, after configuring Duo TFA, the requests that were supposed to be sent to
the
PMP access URL were directly sent to the Password Manager Pro server. This issue has been fixed now.
- Earlier, the 'Edit User' action did not work for certain users. We have resolved this issue.
- Previously, the password entered in 'Importing users from AD wizard >> specify the user name
and
password manually' did not get saved due to a password encoding issue. This issue has been fixed.
- Earlier, users were able to export offline passwords even when the export password was disabled
using
the export URL. This issue has been fixed now.
Security Fix
- A user enumeration issue has been fixed (CVE-2021-33617).
- Users with access to the Password Manager Pro server, running in a machine with a few policies
configured, were able to view the IIS web.config passwords as cleartext in the event log
(ZVE-2021-1797).
Version 11.1 (11104)
HotFix
4th May 2021
Security Fix
There existed a vulnerability from version 9.7.0 that permitted the retrieval of masked non-website
resource type passwords as clear-text, by capturing the API call of the Password Manager Pro browser
extension and replacing the password ID of website account passwords. This vulnerability occurred under
any or all of the following circumstances; with the user type roles only, with the password masking
option
enabled by the Admin under 'General Settings', and only to the shared passwords. This issue reported by
Sandeep Saxena (CVE-2021-31857), has been fixed.
Enhancement
As an extension to the above fix, a new option has been introduced under 'General
Settings >> Password Retrieval', which allows Autologon for URL-configured
non-website resources via the browser extension, even if the plain text view of
passwords is disabled. With this, users will have the flexibility to enable or disable the
Autologon functionality carried on via the browser extension for which the URL is
configured.
Version 11.1 (11103)
Minor
1st April 2021
Enhancement
- Duo-TFA SDK Update
The third-party Two-Factor Authentication software Duo Security is now
upgraded from v2 to
v4. Once the PMP application is upgraded to build 11103, the Duo Security update will be
applied automatically to the existing integration.
Bug Fixes
- Earlier, users faced an issue with the mouse scroll during RDP and VNC remote
sessions initiated through Google Chrome version 89. This issue has been fixed.
- Earlier, when password synchronization was enabled for any organization (MSP or a
Client ORG), Password Manager Pro executed the task only for the organizations
under MSP. This issue has been fixed now.
- Earlier, users were unable to use the operators >= and <= in the LDAP search filter
queries during user import from an LDAP domain. This issue has been fixed.
Security Fixes
- Earlier, a security vulnerability (ZVE-2021-0870) allowed unauthorized personnel to pull the Super
Admin's email address by accessing the URL - /SuperAdminAlertList.ec, through API.
This vulnerability has been fixed.
- A Cross-Site Scripting (XSS) issue found in the Query report description has been
fixed.
- A Cross-Site Scripting (XSS) issue found in the User Password Change page has been
fixed by ensuring proper output encoding for the password policy.
- A Cross-Site Scripting (XSS) issue found in the edit LDAP server details page has been
fixed.
Version 11.1 (11102)
Minor
12th March 2021
Security Fix
A Cross-Site Scripting (XSS) issue (ZVE-2021-0768) that occurred in the web app connection page has
been fixed.
Version 11.1 (11101)
Minor
3rd March 2021
Enhancements
Password Manager Pro is now available in the Portuguese language.
Bug Fixes
- Earlier, in schedules, created for AD groups during resource or user discovery, groups with an
ampersand (&) in their names could not be edited. This issue has been fixed.
- In earlier builds, the Password Manager Pro dashboard froze and the server ran out of memory due to
the overload of audit data. This issue has been fixed.
- In build 11002, in the 'Account Addition' password field, the character & was displayed as &.
This
issue has been fixed.
- From build 11000, users could not create the Password reset Listener. This issue has been fixed now.
Version 11.1 (11100)
Major
17th February 2021
Enhancements
- Enhanced Password Policy
Enhancements have been made to the existing password policy by introducing new constraints and
additional features which include; improved default attributes for Strong and Medium password
policies,
the introduction of password limit, the addition of new attributes, such as password similarity and
sequences, ability for Admins to add and manage up to 5 dictionaries, Dictionary word check, Obvious
Substitution (LEET) word check, Password Strength Meter, Sample Password Generator, New Password
Generator, etc. These would be of great help to administrators in setting highly secure password
policies.
- Access Control & Domain Account Restrictions
Earlier, a user with access to a domain account can log into any resource shared with them using the
domain account. Henceforth, it is possible to implement Domain account restrictions for target
resources, i.e., Windows domain account users can be granted access to specific resources alone, which
they actually want to access, instead of all resources shared with them. Please note that from this
release, the Password Request API for domain accounts alone has been blocked.
Bug Fixes
- In build 11002, when the Admin users from the MSP org scheduled reports in the Client org, they
received Zero bytes reports. This issue has been fixed now.
- From build 11002, Additional fields were missing from the Bulk edit page of resources. This issue
has
been fixed now.
- From build 10500, users with the Password Administrator role were unable to perform 'change role' or
'delete user' operation - to change to a Password user or a Password Auditor, even when no resources
or
accounts were present under 'Transfer Approver privileges. This issue has been fixed now.
- In build 11004, while generating a custom report, say, a report containing all the resources present
under a Dynamic resource Group, no results or a blank page was displayed. This issue has been fixed.
Security Fix
- When users configured X-Forward-For in Password Manager Pro, there was a possibility to bypass web
access restriction by setting the X-Forward-For header manually. This issue has been fixed now.
Version 11.0 (11004)
Minor
17th December 2020
Enhancement
-
It is now possible to reset passwords under the following categories, either
individually or in bulk, from 'Resources >> Password Explorer >> Admin Actions';
Expired Passwords, Conflicting Passwords, and Policy Violations.
-
The SAML SSO configuration, already available for MSP organizations, is now
made available to Client organizations as-well, thereby allowing client
organizations to build their own SAML setups.
-
During the 'User Access Token' method of Azure AD user import, it was not
possible to get the 'Oauth' token when TFA is enabled. To overcome this, a new
Authentication mode of Azure AD user import - 'App-Only Access Token' has been
introduced in this release.
Bug Fix
In build 10501, during AD sync, the resource or user removed from an AD resource/user
group still showed up in the Password Manager Pro resource/user group. This issue has
been fixed now.
Version 11.0 (11003)
Minor
10th November 2020
Enhancement
It is now possible to 'retry' the periodic password reset of Resource groups by configuring
password reset retry settings, which include the number of retries and retry interval. If this
setting is enabled, the password reset will be re-attempted after every failure at the
specified retry interval within the specified number of attempts.
Bug Fixes
- Earlier, there was an issue in the User Group Report. The resources part of the
dynamic resource groups did not display their resource names properly in the
Resource access details section of the report. This has been fixed now.
-
The RDP connection issue related to ServiceDesk Plus has been fixed.
- The issue in enabling and disabling the Bulk two-factor authentication has been
fixed.
Security Fix
Cross-Site Scripting (XSS) issues in the following places have been fixed: VNC
connection page, recorded session playback, RDP Shadow feature, Auto logon
helper list, and Resource Types Filter.
Version 11.0 (11002)
Minor
28th September 2020
Security Fix
A Reflected Cross-Site Scripting (XSS) vulnerability, found in the Query Report feature, has been
fixed.
Bug Fix
Post 11001 upgrade, when a username having a special character such as, '@' was copied, the character
was
replaced with '%40'. This issue has been fixed now.
Version 11.0 (11001)
Minor
19th September 2020
Security Fixes & Enhancements
- A Cross-Site Scripting (XSS) issue that occurred in the following places has been fixed: Login
screen,
AD import page, User group name, Perform password reset page, LDAP and SMART CARD and Configure Remote
Password Reset add resource type page, edit account page, configure access control view, Resource
types
Filter, Change Password Window, Password History, Organization name, Resource Types, Custom Role,
Associate resources, Create/Edit schedule view, Copy Resource Attribute, all Discovery Profiles, all
Copy Personal Account attributes, Username, Password Policy Name, Copy account name, Trash password,
Chat history, SQL connection page, TFA page, and while exporting offline passwords.
- Missing Function Level Access Control (MFLAC) issue in the Import SSH key function and user Delete
action has been fixed.
- A SQL injection vulnerability identified in the recorded sessions Dashboard, Reports, and Audit has
been fixed.
- Any user having the audit ID of any chat was able to see the chat history. This issue has been
fixed.
- Password Manager Pro now comes with a comprehensive Cross-Site Request
Forgery (CSRF) protection that restricts attackers from executing any or all of the
following operations: Deleting and restoring trashed resource, Deleting and
restoring trashed user, Changing the victim's default landing screen, Creating SSH
keys, Editing authorize key, and Enabling/Disabling TFA.
Bug Fix
- There was an API related issue which prevented the browser plug-in of the Ticketing system from
accepting ticket IDs with white spaces. This issue has been fixed now.
- Renaming of the Comodo products as Sectigo by 'The SSL Store' was causing issues while renewing or
reissuing Comodo orders, which has been fixed now.
Version 11.0 (11000)
Major
11th August 2020
New Features
- Expiry Notifications for SSL Certificates
Now, use Password Manager Pro to discover, import, and configure expiry notifications for SSL
certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS
Identity
and Access Management (IAM).
- Self-signed Certificates Auto Renewal
Password Manager Pro now supports automated renewal of self-signed certificates along with Microsoft
CA
certificate renewal.
- SSL Certificate Deployment and Binding - IIS Server
From now on, you can both deploy a certificate to the IIS server and also bind it to the desired
website
in the IIS, all from the Password Manager Pro interface itself, without the need to access the IIS
server separately. Also, an option has been provided to automatically restart the IIS server for the
deployment and binding to take effect, thereby eliminating the need for the manual restart from the
IIS
end.
- Additional Fields
Password Manager Pro now brings you the 'Additional Fields' feature, configured from 'Admin >>
SSH/SSL Config', and used to include any additional information about SSH keys and SSL certificates
stored in the repository. There are four different categories of Additional Fields: character,
numeric,
date, and email. Users can choose to add or remove the Additional fields from SSH and SSL views. While
creating an Additional field, users can choose whether it is applicable for SSH/SSL/both, and also
customize the emails mentioned in it.
- Column Chooser
This version of Password Manager Pro comes with the 'Column Chooser' feature that allows users to show
or hide columns at runtime, and also rearrange the columns from the current view via drag-and-drop.
- Pretty Good Privacy (PGP) Keys
PGP encryption is used to enhance cryptographic privacy and authentication for online communication by
encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression,
hashing,
and public-key cryptography to boost confidentiality. Now, Password Manager Pro brings you this PGP
functionality in the form of PGP key generation, where the keys are used to encrypt the data like
emails, texts, etc. Create, store and manage PGP keys under 'Admin >> SSH/SSL'. Modify the key
description anytime, export private/public keys, export keys to multiple email ids, and generate,
view,
and schedule reports. You can also send expiry notification emails to admins. This feature allows you
to
share and collaborate information securely among your trusted groups of users and businesses.
- GlobalSign
Password Manager Pro now supports integration with GlobalSign SSL a trusted Certificate Authority and
a
leading cloud-based PKI solutions provider. This integration enables users to request, acquire,
import,
deploy, renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by
GlobalSign, directly from the Password Manager Pro web interface.
- Certificate Deployment using Agent
Password Manager Pro can already deploy and bind certificates to IIS servers belonging to the domain,
where Password Manager Pro also resides. Now, Password Manager Pro can also deploy certificates to IIS
servers in demilitarized zones and also bind them to websites in IIS, all using an agent. This makes
Password Manager Pro more scalable, as it can deploy and bind certificates in IIS servers,
irrespective
of whether they are in the same or different domain.
- CSR Signing using Agent
In addition to the already available two sign types, namely, 'MS Certificate Authority' and 'Sign with
Root', used to sign certificates from Password Manager Pro, a third sign type 'MS Certificate
Authority
with Agent' has been introduced. This new sign type is mainly used to sign certificates originating
from
a distinct domain, i.e., other than the domain to which Password Manager Pro belongs.
- Integrating with Ticketing Systems
Password Manager Pro now integrates with enterprise ticketing systems namely ServiceDesk Plus
(on-premise) and ServiceNow. This integration ensures that automatic service requests are created in
the
ticketing environment to notify administrators of SSL certificates that are at the risk of expiring
and
certificates that are deemed vulnerable after a vulnerability scan in Password Manager Pro. Users can
set notification policies to govern the frequency of service request creation for expiring and
vulnerable tickets.
- New Certificate Format - PEM
A new certificate format, Privacy Enhanced Mail (PEM), has been added, in addition to the already
available certificate export formats, Keystore and PFX, where the PEM format is used for digital
certificates and keys, deployed in web server platforms (e.g., Apache).
- Support for GoDaddy DNS
Password Manager Pro now supports GoDaddy DNS to complete the domain control validation procedure
while
acquiring certificates from public Certificate Authorities, along with the already available DNS
support
types, Azure DNS, Cloudflare DNS, Amazon route 53, and RFC2136 Update. Using GoDaddy DNS, users can
update the DNS record for GoDaddy domain validation from the Password Manager portal itself.
Enhancements
- Password Manager Pro now provides additional insights on agent activity such as heartbeat interval,
latest response time and operation performed.
- For scheduled SSL expiry tasks, users now have the option to choose whether or not, to receive email
notifications when no certificates in that particular schedule are nearing expiration.
- Password Manager Pro offers automatic bundling of individual private key (.key) files and
certificate
files (.cer/.pem) into 'JKS' and 'PKCS' keystore file formats and provides export option for the same.
- Two extra categories have been added to the criteria-based certificate group creation: AWS service
and
Certificate template.
- Now, it is possible to use the Password Manager Pro service account credentials for authentication
while deploying certificates in Windows servers.
- Henceforth, while creating a certificate, users can provide ephemeral access (validity in hours and
minutes) to the certificates created, after which the certificate auto-expires. This eliminates the
need
for compulsory permanent access credentials to access target systems and also explicit access repeal.
- It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address
combination.
- The option to filter certificates based on the key length and signature algorithm within specific
expiry days has been added to the 'getAllSSLCertificates' Rest API.
- It is now possible to customize notifications and their intervals. Users can now choose not to
receive
notifications regarding the expired certificates, and send a separate email and customized subject per
certificate, from 'Admin >> SSH/SSL >> Notification Settings'. The same actions can be
done
while creating new schedules under 'SSH/SSL >> Schedules >> Add Schedule', where you have
to
select the Schedule Type as 'SSL Expiry'.
- Earlier, Password Manager Pro allowed signing and deployment of certificates only from Windows
systems. Now, it is possible to perform certificate signing and deployment to Windows systems from
Linux
installations through agents.
- It is now possible to provide customized subjects in 'Schedules'. Also, users can tailor schedules
by
adding custom email content and a unique signature.
- In RestAPI, the fetch details format is modified in such a way that the "details" attribute holds
all
the data. The following is the modified API list; GetCertificateDetails, getallsslcertificates,
getAllSSLCertsExpiryDate, sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey,
GetSSHKeysForUser and GetAllAssociatedUsers.
- This release comes with an exclusive page for 'Windows Agents', accessible from the 'Certifcates'
tab,
from where users will be able to perform all agent-specific operations such as SSL Discovery using
agent, deployment of SSL certificates in certificate groups using agent and CSR Signing with MSCA
agent.
- Certificate deployment in multiple servers has now been made simpler by using an agent, provided the
agent is running in the server to be deployed, and both the agent name and the server DNS name are the
same.
- Now, auto-renewal of certificates is possible for the 'MSCA using agent' sign type as well, from
'Admin >> SSL Certificates >> Certificate Renewal'.
- The 'Certificate Sign Report' comes with the following MSCA/Third party CA signing details;
Certificate Authority, Certificate Template, Sign Type column.
- The 'Certificate Renewal report' comes with the 'Renewed By' column relevant to MSCA and 3rdPartyCA
renewal details.
- A new option 'Reissue Certificate' has been added under 'Certificates >> GlobalSign' that
allows
users to request GlobalSign to reissue an SSL certificate.
- The new 'GlobalSign Orders Report' allows the GlobalSign orders to be added as individual reports,
which provide a detailed view of certificate orders requested from the GlobalSign CA.
- From now on, users can add a "Key Comment' while importing a new SSH key and editing an existing key
from the repository. Also, users can avail the checkbox "Update comment in associated users" to update
the Key comment to the associated end servers automatically.
- Now, it is possible to add additional properties to a certificate while creating it, by using the
'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage
properties, and add them to the new certificate. Examples for the Key Usage properties include;
Digital
Signature, Decipher Only, Encipher Only, and Certificate Sign.
- The DigiCert CA page has been enhanced with a new menu 'Show' that has four options, Expired,
Revoked,
Rejected, and Others, used to filter the DigiCert CA list view.
- Now, while adding or modifying the Certificate Groups, it is possible to set 'additional fields'
also
as one of the 'By Criteria' filters for certificates.
- New REST APIs 'GET CSR list' and 'Sign CSR' have been added.
- The 'Expiry Notification' has been enhanced with the custom mail content, 'Title' and 'Signature'.
- The 'Certificate Renewal Report' page under 'Reports >> Certificate Reports' now comes with a
column chooser.
- Users can now view all the certificates associated with a particular agent by clicking the 'Host
Name'
of the agent listed under 'Certificates >> Windows Agents'.
- It is now possible to discover certificates issued by a particular 'Microsoft Certificate Authority'
just by entering the MSCA name in the text box provided, during discovery. Remember, this additional
option will be available for Password Manager installations in Windows server machines only.
- Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed
certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a
registered base-domain.
- Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional
fields followed a fixed format. Now, the customization settings configured for notification emails in
'Notifications' and 'Schedules' will be applied to the emails sent via email addresses in the
additional
fields as well.
Bug Fixes
- Previously, certificate deployment failed if the field "Store Password" contained a space character
while creating certificates from 'Certificates ? Create'. This issue has now been fixed.
- Previously, when there was a "space" character present in a certificate group name, attempting to
fetch the SSL certificates report pertaining to that group from the Reports tab threw the following
error: "Invalid field format". This has now been fixed.
- Previously, even after the certificate private key was imported and attached to a certificate in the
Password Manager Pro's certificate repository, the "Export Keystore/PFX" was still disabled. This has
now been fixed.
- During AD User certificate discovery and Root certificate signing performed from the Password
Manager
Pro interface, the 'Connection Mode' got saved as 'No SSL' only, even if the 'SSL' mode was chosen.
This
issue has been fixed now.
- Earlier, MSCA signing supported 'java keytool' CSR only. Now, from this release, all CSRs will be
supported by MSCA signing.
- During certificate creation, all values entered in the SAN field were all together categorized as
'DNS' only. Now, the values are segregated as 'DNS' and 'IP Address' categories.
- Earlier, during Digicert integration, import of code signing and client/personal certificates got
failed. This issue has been fixed now.
Security Fix
- Earlier, for SSH and SSL related API calls, the Authentication token was passed as a request
parameter. From 11000, all SSH and SSL related API calls require the Authentication token to be passed
in the request header only.
Version 10.5 (10501)
Minor
19th June 2020
Enhancement
We have upgraded the PostgreSQL server to version 9.5.21.
Bug Fixes
- In the MSP edition, the MSP icon at the top of the console displayed only 25 organizations under it
instead of showing all available organizations. This issue has been fixed.
- Password users were unable to click the Resource Group name under the Connections tab. This issue
has
been fixed now.
Version 10.5 (10500)
Major
3rd June 2020
Enhancement
Previously, it was possible to configure access control settings at the resource level only, and the
same
settings were applicable for all the accounts under the resource. Now, it is possible to set password
access control independently for each account under a resource, without affecting the access control
configurations of other accounts in the resource. This ability to set unique configurations for each
account helps users maintain unparalleled security levels for each account, based on requirements.
Remember, the account-level access control configuration takes higher precedence over the resource-level
access control configuration.
Security Fix
- A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the
Resource
name while masking password, theme type, skin color, Category name of the Personal tab, web app
connections, and user sessions of the Audit tab, has been fixed.
- A local File Intrusion issue that occured during the MS store discovery has been fixed.
Version 10.4 (10406)
Hotfix
15th May 2020
Version 10.4 Build 10406 (Hotfix) 15th May 2020
Security Fix
From the build 10103, an unauthenticated servlet vulnerability found in our internal framework that
posed
the risk of less-impactful entries getting inserted in the integration system configurations table,
remotely, has been fixed.
Version 10.4 (10405)
Hotfix
29th April 2020
Security Fixes
- A SQL injection vulnerability identified in "Audit Reports" has been fixed.
- A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the user
input has been fixed.
- Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL,
which posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to
maintain optimal security.
Bug Fix
From the build 10300, when a set of resources is shared with a user(s) with varying access permissions,
and when different access permission is granted for one of those resources, the access permission of all
the other resources also got changed. This issue has been fixed now.
Version 10.4 (10404)
Minor
13th April 2020
Security Enhancement
The internal security framework has been upgraded to improvise the max-occurrence validation of
parameters.
Bug Fixes
- From the build 10403, in certain customer environments, resolving the hostname from the request took
more time than expected, which caused slowness in the Password Manager web console. This issue has
been
fixed now.
- From the build 10400, Super Admins could not bulk transfer the ownership of resources and
encountered
an error "owner alone can transfer the resources". This issue has been fixed.
- In the build 10400, during the remote password reset, an exception was thrown while discovering MS
SQL
accounts by supplying domain accounts. This issue has been fixed now.
Version 10.4 (10403)
Minor
2nd March 2020
Security Enhancement
-
The PMP agent had an unquoted service path with spaces as follows:
PMP_Agent : c:\Program Files\PMPAgent\PMPAgent.exe, which could pave way for
an attacker to gain elevated privileges by inserting an executable file in the path. This
issue has been fixed.
-
Due to an inadequate CSRF protection to the URL, there was a risk of attackers changing user roles in
Password Manager Pro. This issue, reported by Luka Sikic of INFIGO (CVE-2020-9346), has been fixed.
Bug Fixes
-
In general, during AD sync, access to Password Manager Pro will be locked only for those AD users, who
were removed from user groups or OUs. But, from build 9700, during the AD sync, all AD user accounts
in
the user group/OU were locked in Password Manager Pro. To handle this, we have provided a new option
under 'Admin >> General Settings >> User Management', by enabling which it is possible to
lock the deleted user accounts alone during the AD Sync.
-
During RDP sessions, it was not possible to copy texts using the keyboard shortcut
'Ctrl+C'. This was due to a breakage in the content security policy header enabled in
build 10401. This issue has been fixed.
-
From build 9700, while updating LDAP details, LDAP users alone got removed from the
user group. This issue is fixed now.
-
After password retrieval/ access, particularly in large numbers, the 'Password Activity'
module in the dashboard kept continuously loading, which resulted in CPU spike and
system lag. This issue has been fixed.
-
From build 10001, while choosing the domain account, the Search bar corresponding
to the Account Name did not function properly. This issue has been fixed.
-
Earlier, when a huge number of resources were loaded into Password Manager Pro,
the Mail server settings and Two-Factor Authentication settings wizards did not load
properly. This issue has been fixed now.
Version 10.4 (10402)
Hotfix
7th January 2020
Security Enhancement
Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally
authenticated users. Now, as a security practice, we have exerted the following measures, applicable for
installations under the 'Program Files' directory:
- No inherited permissions are allowed for data and configurations directories.
- "Authenticated Users" permission has been excluded entirely.
- Only the CREATOR OWNER, SYSTEM, Installation User, NT AUTHORITY\Network Service and Administrators
groups will have the Full Control over the directories and also can start PostgreSQL.
Kindly see our best practices guide for more information.
Bug Fix
In certain scenarios, an exception was thrown during the backup process and the file 'pg_hba.conf'
became
empty. This caused trouble in viewing the Password Manager Pro web console. This issue has been fixed
now.
Version 10.4 (10401)
Minor
5th December 2019
Enhancements
- Remote File Transfer - Linux
Earlier, it was possible to transfer files from remote Windows machines only during Remote Desktop
Protocol (RDP) sessions launched via the Password Manager Pro interface. Now, from the build 10401,
you
will be able to transfer files to remote Linux
machines as well, using Secure Copy Protocol (SCP) by launching SSH sessions directly from the
console. However, unlike Windows, the remote file transfer is one way in Linux, i.e., to the target
machine only.
- APIs Added
Two new APIs for "Sharing a resource to a user" and "Sharing a account to a user" have been
introduced in this release.
Bug Fixes
- While adding a resource manually, when more than 100 characters were entered in the 'Location'
field,
which can originally hold up to 250 characters, the 'Edit Resource' page failed to show up. This issue
has been fixed now.
- The 'Account Addition API' did not work for MySQL, MS SQL and Postgre SQL database resources alone.
This issue has been fixed now.
- From Password Manager Pro build 9100, password reset did not work for the AWS IAM account alone.
This
issue has been fixed now.
Version 10.4 (10400)
Major
18th October 2019
New Features
- Integration with DigiCert SSL
Password Manager Pro integrates with DigiCert a leading TLS/SSL, IoT and various other PKI solutions
provider. Users can request, acquire, create, deploy, renew and automate the end-to-end management of
SSL/TLS certificates issued by DigiCert, all directly from the Password Manager Pro portal.
- CSR Templates
It is now possible to create and use predefined templates for CSR (Certificate Signing Request)
generation.
- Option to Exclude Certificates
Users can now choose to ignore certain certificates during the SSL discovery or manual addition of
certificates into the Password Manager Pro repository. A new option is added under 'Admin
>> SSH/SSL >> Exclude Certificate', which you can utilize to add the
certificates
to be excluded, by specifying their Common Name and Serial Number.
- Support for RFC2136 DNS Updates
Password Manager Pro now supports RFC2136 DNS updates to complete domain control validation while
acquiring certificates from public certificate authorities (CAs).
Option to modify the email id of the Let's Encrypt account, used by Let's Encrypt to send email alerts
of expiring certificates.
Enhancements
- Earlier, it was possible to associate a SSH key with a user account only when the target system was
reachable from the Password Manager Pro server. This was troublesome when the target system was
inaccessible. Now, from the Password Manager Pro build 10400, an option is provided for Linux resource
types that users can opt to force map SSH keys to user accounts, even if the target systems are not
reachable.
- Users can now use Password Manager Pro to sign CSRs (either using your internal Microsoft CA or a
root
certificate) as and when they are generated.
- Password Manager Pro now supports file-based discovery for scheduled SSH and SSL discovery tasks.
- A new dashboard widget to provide data about SSL configuration vulnerabilities has been added.
- Support is enabled for the discovery of SSH keys with ECDSA and ED25519 signature algorithms.
- A new REST API to view the private key passphrase of SSL certificates has been added.
Bug Fixes
- During OpenLDAP and Novell Directory import, new users' domain names were not updated properly,
which
caused login exception. This has been fixed now.
- AzureAD did not work when the proxy server was configured in Password Manager Pro. This has been
fixed
now.
Version 10.3 (10302)
Minor
23rd September 2019
Enhancement
Redesigned Password Manager Pro Agent
The Password Manager Pro (PMP) agent is used to connect with and manage remote resources that are not
attached to the PMP server. Earlier, the agent was downloaded from the PMP console and straight away
deployed in target systems. Now, from build 10302, each time while installing the agent on a remote
server, you will have to provide a unique 'Agent Key', generated and copied from the PMP console while
downloading the agent. The keys are for single use only and will be automatically revoked after that. If
you wish to install a key in multiple servers, you can keep the key active for the number of hours
specified.
Version 10.3 (10301)
Minor
9th September 2019
New Features
Integration with ManageEngine Analytics Plus
ManageEngine Password Manager Pro integrates with ManageEngine Analytics Plus, an on-premises reporting
and business intelligence service. The PMP-Analytics Plus integration brings about out-of-the-box
analytics on resources, user accounts and audits. Analytics Plus sources data from PMP via its API using
user login credentials. The reports are generated automatically with up-to-date data, and you can gain a
complete overview of the reports from the PMP-specific dashboard of Analytics Plus. You can also set
timeline filters.
Version 10.3 (10300)
Major
22nd August 2019
New Features
Password Manager Pro Plugins for Chef and Puppet
Introducing new plugins for Chef and Puppet CI/CD platform, in addition to Jenkins and Ansible. Both
Chef
and Puppet use the Master-Slave architecture, where communication happens via an SSL-based secure
encrypted channel. Dedicated external app plugins are provided for both the plugins, so that the code
pulls the passwords directly from Password Manager Pro during run time, instead of storing them as plain
texts within script files. This combats security threats to resources, enhances the security of
passwords
and eliminates the need for users to modify the code when passwords are changed. The plugins thereby
improve the overall security in organizations' DevOps pipeline and also impose consistent rotation and
automatic update of the new passwords in the respective remote devices.
Enhancements
- Bulk Resource/Account/Resource Group Sharing
Previously, it was possible to share only a single resource, or an account, or a resource group, with
user(s) or user group(s). Now, users with proper permission can share resources, accounts and resource
groups, in bulk, with user(s) or user group(s).
- Access Control Enhancements
- Earlier, it was possible to set only two admins as approvers for password request under Resource
Actions >> Configure Access Control >> Miscellaneous Settings. From now on, Admins can
set 'n' number of admins (5 by default and 10 as maximum) as approvers for password request. The
default approver count can be altered under General Settings.
- Admins can now configure auto-approval for different days with different time configurations
(Maximum of 3 different time configurations per day), under Resource Actions >> Configure
Access Control >> Auto Approval. It is possible to configure the same time for every day and
also different time configurations for different days.
- New API Added
A new API to generate passwords using existing policies in Password Manager Pro is added.
Version 10.2 (10200)
Major
29th July 2019
New Features
-
SSL Discovery
- Agent-based Discovery
Password Manager Pro now supports agent-based SSL discovery that allows administrators to discover
and import certificates present across a network by installing one or more instances of agent
software on target systems. The agent, which is available as a compressed package with all the
necessary configurations in password Manager Pro interface, once installed in the required end
servers, performs certificate discovery and updates the certificate database.
- Load Balancer Certificate Discovery
Password Manager Pro now allows administrator users to discover and consolidate SSL certificates
deployed to Linux based load balancers such as Nginx and F5 through a process tunnelled via SSH.
- Option to Login to Certificate Store and Microsoft CA using Service
Accounts
A dedicated option is provided for the Administrators to make use of the Password Manager Pro
service account credentials to log in to target systems, while performing Certificate Store and
Microsoft CA discovery, without having to manually enter them.
-
SSH and SSL Discovery
- Subnet Discovery
Password Manager Pro now provides subnet discovery option for SSL certificates, allowing
administrators to discover the certificates from specific subnetworks within an IP range.
- Option to Exclude IP addresses
Users can now choose to exclude specific IP addresses when performing bulk discovery from an IP
address range.
- Key-based Authentication for Certificate Deployment
Password Manager Pro now provides an additional key-based authentication functionality (apart from the
conventional password authentication), which users can leverage to deploy certificates to
password-less
Linux end servers.
- Support for Amazon Route 53 DNS
In addition to Azure and Cloudflare DNS, Password Manager Pro now supports Amazon Route 53 DNS to
complete the domain control validation process when acquiring certificates from public CAs.
-
New SSH Key Types Added
From now on, two additional SSH key types - ECDSA and ED25519 will be available for selection while
creating new SSH keys, out of which, rotation is possible for the key type ED25519.
-
Option to Use Existing Password Manager Pro Account during Certificate Deployment
While deploying certificates to target web servers, a dedicated option is provided for the users to
use
an existing Password Manager Pro account, instead of entering the credentials.
- New Rest APIs Added
Two new REST APIs are newly added; REST API to add certificates to Password Manager Pro certificate
repository and REST API to delete ssh keys.
Bug Fixes
- Earlier, when a certificate was deployed to two servers, and if one of the deployed servers was
deleted, the "Multiple Servers" icon was still shown. This has now been fixed.
- Formerly, when multiple certificates were discovered from a single resource, and when the DNS name
of
one of the certificates was changed, the DNS names of all the other certificates also got changed.
This
has now been fixed.
- Earlier, when the scheduled discovery operations for SSH and SSL failed, there were a few instances,
where the audit records were not updated properly. This has now been fixed.
- Previously, during the following processes Microsoft Certificate Store discovery, server certificate
upload, and Radius server configuration (server secret field), if a password, containing special
characters, was entered, a "harmful content" error was thrown. This has been fixed.
- Earlier, certificates without an original common name (with the SAN name as the common name, by
default) failed to update, after running a scheduled discovery. This issue has now been fixed.
- Previously, the 'Days' filter in the SSL Expiry Report failed to render correct results. This has
now
been fixed.
Version 10.1 (10104)
Minor
15th July 2019
Bug Fix
When PMP configured with MS SQL database was upgraded to the latest version 10103, and an attempt was
made using ConfigureReplication.bat/.sh to reconfigure High Availability, replication failed to
initialize
between the primary and secondary databases, due to failure in publisher creation in the primary server.
Version 10.1 (10103)
Minor
26th June 2019
New Features
- Integration with ManageEngine ADSelfService Plus (ADSSP)
Earlier, when the ADSSP's privileged domain account password was reset in PMP, the new password had to
be manually updated in ADSSP. If not, ADSSP still retains the old password, thereby restricting the AD
users from performing tasks such as password reset, account unlock, etc. With PMP-ADSSP integration,
the
privileged domain account details of ADSSP will be mapped with the domain account details in PMP. So,
whenever the password reset of ADSSP's privileged domain account is performed in PMP, the new password
will be automatically updated in ADSSP as well.
- Integration with ManageEngine ServiceDesk Plus (SDP)
Technicians using SDP often need to access target machines (or resources) manually to resolve issues,
which involves security-related challenges, such as sharing sensitive passwords for authentication,
etc., especially while using the privileged accounts. They also had the pain of jumping between
machines
to perform different tasks. With this integration, accessing the remote systems from the ServiceDesk
Plus portal is just a click away for the Technicians. Administrators can now provide the advantage of
secure remote access to the target machines (or resources) only to the authorized Technicians, without
sharing the credentials. The Technicians can remotely access the target endpoints (or resources) from
the ServiceDesk Plus portal without having to log in to PMP each time to fetch the credentials.
Enhancement
- Option to add the recorded RDP session link to the "Change" description in ServiceDesk
Plus
From now on, while integrating Password Manager Pro with the ServiceDesk Plus ticketing system, in
addition to the option "Use ChangeID for Validation", a new option to allow PMP to add the link to the
recorded RDP session to the "Change" Description of ServiceDesk Plus will be available.
Bug Fixes
- In PMP build 10102, the Periodic Password Export could not be scheduled, when either of the options
'Once', or, 'Day(s)' or 'Monthly' was chosen. This issue is fixed now.
- In PMP build 10101, when a custom resource type was created (under Admin >> Resources >>
Resource Types >> Add) using the "Existing Resource Type" category and applied to the resources,
the password reset failed for the Domain accounts in the resource. This issue is fixed now.
- While handling a security fix in build 10102, the URL of PMP Agent was mistakenly blocked along with
a
few other URLs. This interrupted the communication between the Agent and the PMP server, which in turn
suspended the Agent-related activities in PMP. This issue is fixed now.
- Password Manager Pro provides the option to configure remote password reset through a landing server
for Cisco devices such as Cisco Catalyst, Cisco IOS, and Cisco CAT OS. From PMP build 10001 onwards,
when an existing landing server was selected to perform the remote password reset for a resource, the
settings though appeared to be saved did not get saved actually. This issue is fixed.
- In addition to using account credentials to launch a remote SSH connection, Password Manager Pro
also
allows the remote connections to be tunnelled through private keys. From PMP build 10001 onwards, when
the private key option is enabled or disabled for a Linux-based resource type (Linux, Cisco IOS, Cisco
CatOS, Cisco PIX, Juniper NetScreen OS, HP Procurve and VMware ESXi), the auto-logon helper option for
that resource got disabled, thereby entirely removing the option to launch a remote connection. This
issue is fixed.
Version 10.1 (10102)
Minor
4th June 2019
Enhancements
-
Support for ECDSA key in the new OpenSSH private key file format
In Password Manager Pro, SSH connections can be initiated using both passwords and keys. And the
product
already supports key-based authentication using RSA and DSA keys. Now that OpenSSH has introduced the
new ECDSA key format, Password Manager Pro will also support the ECDSA key format for SSH connections
with this upgrade.
-
Support for the latest versions of Sybase ASE for Remote Password Reset
Earlier, we had support only for the older version of Sybase ASE database, version 12.5, to carry out
the Remote Password Reset. Now, we have enhanced our support to the newer versions of Sybase ASE
database, from version 15 & above.
Security Fixes
-
Earlier, the common unique Authentication token (generated during installation) was used for all the
mobile and extension logins. Hereafter, each login to the mobile and extension will have a unique
Authentication token.
- The Captcha authentication is introduced as a security check in the Login page and Personal
Passphrase
page of Extension, to limit the number of failed login attempts.
- Earlier, during API calls, the Authentication token was passed as a request parameter. Hereafter,
each
API call made to the application requires the Authentication token to be passed in the request header.
Bug Fix
- PMP - MSP Edition is designed to create a Resource group named "Default Group" when an MSP Admin is
assigned to manage any client ORG. In our earlier versions, if an MSP Admin is removed from managing a
client ORG and then re-added, another "Default Group" was created under their ownership, causing
duplication. This issue has now been addressed. When an MSP admin is removed and readded to manage a
Client ORG, PMP will match the existing "Default Group" of this admin and continue to retain the same
without creating a duplicate group.
Note: Some of the security enhancements rolled out in this
version
will take effect only when both the server-side and the client-side applications (Browser extensions and
Mobile apps) are updated. Therefore, we recommend the users to upgrade the PMP application and
subsequently update the browser extensions and mobile apps in their respective systems and mobile
devices.
Version 10.1 (10101)
Minor
10th May 2019
Security Fix
It's been long since we started using "C:/ManageEngine" as the default installation directory. But,
this
gave rise to the vulnerability that any locally authenticated user was able to view/add/delete/modify
files
under "C:/ManageEngine". Hence, as a security practice, we have switched to "C:\Program
Files\ManageEngine\PMP" as the default installation directory. We recommend all our customers to have
their
installations under "C:\Program Files\ManageEngine\PMP" only. Instead, if you wish to install Password
Manager Pro under any other folder, please go through our best practices guide for the necessary precautions to be taken.
Version 10.1 (10100)
Major
6th May 2019
New Feature
-
Integration with public Certificate Authorities (CAs)
Password Manager Pro facilitates end-to-end life cycle management of certificates obtained from
trusted
certificate authorities (CAs), enabling users to request, consolidate, deploy, renew and track
certificates issued by multiple commercial CAs, all from a single interface. This functionality,
powered
through a seamless API integration with The SSL Store one of the largest platinum partners of world's
leading CAs, provides the users with the option to acquire the certificates from the following
third-party
CAs and manage them directly from Password Manager Pro's web interface: Sectigo (formerly Comodo),
Symantec, Thawte, Geotrust, and RapidSSL.
Enhancement
-
Unlike the earlier versions of Password Manager Pro, the "Search" field under the
"Users" tab has now been enhanced to search for usernames using both the First and
the
Last Names.
Bug Fixes
-
Earlier, when accounts were added through API, the "Password" field did not support
the
special characters; < > [ ]. Henceforth, the users will be able to create
passwords
using the above mentioned special characters, while adding accounts through API.
- Previously, the DNS-based domain control validation procedure was unsuccessful for Let's Encrypt
sub-domain certificate requests. This issue is fixed now.
- Earlier, CSR/Certificate creation was failing, if comma separated values were provided for the
Organization or the Organization Unit. This issue is fixed now.
Version 10.0 (10001)
Minor
11th April 2019
Enhancements
- High Availability Monitoring for PostgreSQL Database Server
Password Manager Pro now comes with more advanced HA management and monitoring capabilities for
PostgreSQL
database server with various notification options under "Admin >> High Availability". The
all-in-one, dashboard-style GUI enables monitoring the availability of your Primary and Seconday
servers
and the associated databases. You can switch the view from the Primary to Secondary server, and
vice-versa, anytime, which allows an effective tracking of your servers and their performance. You
will be
able to view the following in the HA GUI; the HA summary, the status of the servers and the associated
databases, the replication pending count, and the connection lost and connection resumed times. You
can
also modify the Secondary server details.
-
Support for SAML-based SSO Configuration for Azure AD Users with Multi-Factor Authentication
(MFA)
In earlier versions, though it was possible to use SAML-based Single-Sign-On (SSO) from the Microsoft
Azure portal for Azure AD users, the authentication did not happen when Multi-Factor Authentication
(MFA)
was enabled in Azure AD. Now, it is possible to use the SAML-based authentication with Azure AD as the
Identity provider coupled with Azure MFA.
Bug Fixes
- Password Manager Pro supports Active Directory-based Single-Sign-On that works via NTLMv2. While
this
was working fine in older versions, the NLTMv2 authentication against the Computer Object was failing
in
version 10.0. This issue is now addressed and the AD SSO feature works fine now.
- In Password Manager Pro version 10.0, the "Advanced Search" field did not return the intended
results
for the keyword entered using the AND/OR-based search criteria. This issue is fixed and the "Advanced
Search" is fully functional now.
- From Password Manager Pro version 9.7, when a user was deleted from AD / LDAP / Azure, instead of a
single notification email, there was a continuous triggering of emails from Password Manager Pro,
during
every sync. This issue is fixed.
- From Password Manager Pro version 9.8, in specific cases, while viewing the resources under a
Dynamic
Group, other resources out of the group (belonging to the logged-in user) were also displayed along
with
the resources belonging to the selected group. This issue is fixed.
- From Password Manager Pro version 9.9, when the local authentication for AD users was disabled
(under
"Admin >> Settings >> General Settings >> User Management"), the local
authentication
got disabled for "all users". This restricted the users from accessing Password Manager Pro using
their
local admin credentials and an 'Incorrect Username/Password' error was thrown. This issue is fixed.
- In Password Manager Pro version 10.0, the "Download" button did not work while transferring a file
from
a remote machine to a local machine via RDP connection. This issue is fixed.
Version 10.0 (10000)
Major
26th March 2019
New Features
- Linux Resource Discovery using SSH
Earlier, Password Manager Pro supported Telnet-based discovery alone for Linux endpoints. Now it
supports
SSH protocol as well for resource discovery. By providing SSH login credentials, the Admins will be
able
to discover the Linux endpoints using an IP Address / IP Range.
Note: Telnet-based discovery will eventually be deprecated as it is not a secured
protocol.
- "Let's Encrypt" Wildcard SSL Certificate Management Support
Password Manager Pro already supports SSL certificates signing by "Let's Encrypt" Certificate
Authority.
Recently, they have upgraded their protocols to enable support for wild card certificate signing as
well.
Hence, from now on, the PMP users will be able to get their wildcard SSL certificates signed by "Let's
Encrypt" CA and manage the same.
- SSL Certificate Discovery from SMTP servers
Password Manager Pro already allows discovery of SSL certificates from Certificate Stores, Microsoft
CA
and Active Directory. In addition to this, the SSL certificates can now be discovered from SMTP
servers as
well.
- SSL Certificate Discovery as a Scheduled Operation
Earlier, importing of SSL certificates from the Microsoft Certificate Store was an on-demand
operation.
Now, it is possible for Admins to create scheduled tasks (under Admin >> SSH/SSL >>
Schedule
>> Add Schedule) to automatically discover and import the certificates from Microsoft
Certificate
Store and certificates issued by Microsoft Certificate Authority.
- Import Certificate Signing Requests (CSRs)
Though it was earlier possible to import a key or a certificate inside Password Manager Pro, the
Certificate Signing Requests (CSRs) had to be generated inside the application only. Now, PMP allows
importing (under "Certificates >> Create CSR >> Import") and managing of CSR files,
generated
externally, by forwarding them to trusted certificate authorities and tracking their status.
Enhancements
- Crumbling of SSH Session Recordings
Formerly, the SSH session recordings were stored as encoded, individual files. This might cause
performance issues when the SSH session time is stretched, as the file gets constantly updated in
real-time. From now on, the recordings out of extended SSH sessions will be stored as multiple files
and
rolled over. This should provide a smooth SSH session experience and also a zero buffer time during
the
session playback.
- Remote Password Reset for Weblogic Server
Apart from the endpoints listed here, Password Manager Pro can now reset, verify
and
manage the passwords of Weblogic application servers as well. It is possible to manage the passwords
of
all the Weblogic server versions, as the password reset is performed with the help of JMX service.
- RDP Gateway Enhancements
Password Manager Pro employs "SparkGateway" from Remote Spark for establishing RDP Gateway sessions.
The
bundled version of SparkGateway, updated in this version, comes with enhanced file transfer
functionalities. This allows users to leverage file transfer improvements while opening RDP
connections
using PMP.
- Option to Retain SSH Keys in Target End-points while Deleting the same from Password Manager
Pro
vault
Heretofore, when an SSH key was deleted from the Password Manager Pro vault, the same was removed from
the
associated Unix/Linux endpoints as well. From this version, Admins have the option (in the SSH key
delete
confirmation window) to choose whether to remove a key from the endpoint, while deleting it from
inside
the vault.
Bug Fixes
- While using Internet Explorer, the RDP sessions had intermittent freezing issues and lag, especially
when the sessions were idle for 10-15 mins.
- Due to an encoding issue, the SSH sessions did not work, when the users whose AD username begins
with
the character 'u' logged into the Password Manager Pro.
- When the option "Generate unique password for every account(Recommended)" was selected under "Groups
>> Actions >> Periodic Password Reset", new passwords generated were based on the resource
group password policy, instead of account password policy. This has been fixed now.
- From version 9000, the "User Authentication Failed" report under "Dashboard >> User Dashboard
>> User Activity" displayed 'No audits found' message due to a filter issue. This has been fixed
now
to show the valid data.
- Earlier, a new web app connection always replaces an existing connection (when launched through the
"Connections" tab). This is fixed now, and each connection launches in new tabs.
- Password Manager Pro uses SCP protocol for deploying SSH keys in target end-points. Previously, only
the
"To" file information was sent along the SCP request which worked fine. But in the recent SCP
versions,
the "From" file information has also been made mandatory. So now, Password Manager Pro sends both "To"
and
"From" information of the SSH key files, thus ensuring proper completion of file deployment.
- In earlier versions of Password Manager Pro, while deploying SSL certificates in Microsoft Internet
Information Services (IIS) server, the private keys exported along with the certificates were
corrupted.
This is fixed now.
- Previously, while signing a certificate using custom Root CA, a security error was thrown when the
"SAN"
field was blank. This is now fixed, and the certificates can be signed, even when the SAN field is
left
empty.
Security Fix
We have renovated the security framework of Password Manager Pro. The following are some of the major
changes and enhancements:
- In earlier versions, Password Manager Pro primarily relied on "Blacklisting" for securing the
product
URLs from Injection and other script attacks. With this release, the security framework has been
updated
to use "Whitelisting" of the necessary URLs, which maximizes product security.
- The validation of JSON array parameters has been intensified for optimal security.
- A few checks with respect to file uploads (e.g., limit and size) are included to keep load attacks
at
bay.
Version 9.9 (9901)
Minor
13th February 2019
Bug Fixes
- In v9900, PDF generation did not work for reports that contained graphs based on resource details.
This
has been fixed.
- From v9700 till v9900, application login did not work for users if their username or password
contained
non-ASCII characters. This encoding issue has been fixed.
Password Manager Pro Release 9.9 (9900) (23rd January 2019)
This release introduces DevOps support in Password Manager Pro with new plugins for Jenkins and Ansible
pipelines. Additionally, provisions to perform password resets for SSH-based resources through custom
command inputs have also been added amid other new features and enhancements.
New Features & Enhancements
- Plugins for DevOps Containers - Jenkins and Ansible
The Password Manager Pro plugins developed for credential management in Jenkins and Ansible help
improve
security in organizations' DevOps pipeline. The plugins ensure that required credentials are retrieved
securely from Password Manager Pro's vault every time when an automation schedule is run through the
tools, instead of being embedded in plain text within script files. Moreover, with the credentials
stored
in Password Manager Pro, you can also enforce regular rotation and automatic update of the new
password in
the respective remote device.
- Build Password Reset Workflows with SSH Commands
Now extend Password Manager Pro's reset provisions to support remote password changes for SSH-based
resources in your environment without the need for a CLI terminal. Quickly build command workflows
using
built-in or customized SSH sets and map them to respective SSH device accounts to execute password
resets
in a simple and effective manner. This new addition to Password Manager Pro's reset capabilities
enables
you to enforce automatic password updates for resource types that are not supported out-of-the-box by
the
application.
- Two-factor Authentication Support
From v9900 onwards, Password Manager Pro readily integrates with the following services to provide
two-factor authentication support for application login.
- Microsoft Authenticator
- Okta Verify
- RESTful API Updates
- New API to get audit details.
- Resource and account creation APIs enhanced to include password policy association.
- Resource and account edit APIs enhanced to include password policy association.
Bug Fixes
- From v9200 till v9803, passwords checked out under a time-sensitive access request did not get
checked
back in automatically upon access expiration if a Password Manager Pro server restart took place in
between. This has been fixed.
- From v9802 till v9803, users could not raise password access requests when they and the environment
in
which Password Manager Pro server was installed were in different time zones. This has been fixed.
- [MSP Edition] From v9802 till v9803, while configuring access control for a resource in a particular
client organization, the user groups list in the configuration window also displayed the user groups
that
belonged to other client organizations. This has been fixed.
Version 9.8 (9803)
Minor
14th December 2018
Bug Fixes
- Earlier, while configuring remote password reset and auto logon actions for Windows, Windows Domain,
and
Linux resources, administrators could view the accounts of resources that they had no access to.
However,
only the account names were visible in this case and there was no password exposure involved. This was
applicable for bulk configurations as well. This has been fixed.
- From v9700, the PDF file for user activity, user access and password inventory reports that were
scheduled had file corruption error when delivered as an email attachment. This has been fixed.
- From v9700, during service startup, a server-side action resulted in Password Manage Pro's system
properties getting printed in the log files. The keystore password of the certificate that was used
for
HTTPS connections from the web server was also printed in plain text in the captured logs. This has
been
fixed.
Security Fix
- From v9700, for customers who had enabled the SSL certificate management
add-on
and invoked the certificate discovery from the GUI, it resulted in the credentials used for discovery
getting printed in the logs. This has been fixed.
Note:
The potential for exposure was limited only to customers matching specific conditions and a detailed
advisory was sent to customers to check for those conditions and in the unlikely case of the exposure
happening, the advisory included instructions to sanitise the exposure and fix the conditions.
Version 9.8 (9802)
Minor
4th December 2018
This release strengthens SSL certificate management in Password Manager Pro by introducing GoDaddy
integration and certificate sharing. Other enhancements include support for Traditional Chinese in
multi-language editions as well as the provision to auto logon to Cisco resources using Windows domain
accounts.
New Features & Enhancements
- GoDaddy integration for SSL certificate lifecycle management: Password Manager Pro
now
supports management of SSL certificates issued by GoDaddy certificate authority. This enhancement,
powered
through a seamless integration with GoDaddy's API, allows administrators request, consolidate, deploy,
renew, revoke and manage life cycles of certificates issued by GoDaddy certificate authority from a
single
interface.
- SSL certificate sharing among users: Password Manager Pro now allows sharing of SSL
certificates or certificate groups with users and user groups. This will enable administrators to
share
required SSL certificates with technicians and allow them to track the validity and expiration dates
for
their server certificates. The feature further allows the technicians to also raise a request with the
administrator to provision access to the private key of the shared certificate whenever required.
- Localization Support for Traditional Chinese: Introducing localization support for
Traditional Chinese in Password Manager Pro's multi-language editions, besides Chinese, Japanese,
Spanish,
German, French, Turkish, and Polish languages.
- RESTful API:
- New REST API to add dynamic resource groups.
- REST API to create resources enhanced with the option to enable key-based authentication for
Linux
resources.
- From v9802 onwards, Password Manager Pro's auto logon feature will list the Windows domain accounts
that
the user has access to, besides the local user accounts in Cisco resources. If the Cisco resource is
already set up to accept Windows domain account credentials for authentication, users can launch SSH
sessions to that resource using the domain accounts as well.
- From v9802 onwards, XLS exports of password inventory reports (both canned and custom) will include
a
new column that displays resource owner information.
- A new option has been added under Admin >> General Settings >> User Management to
restrict
users from adding privileged accounts to Password Manager Pro via browser extensions.
- Earlier, when two-factor authentication (TFA) was enabled, the login screen of Password Manager
Pro's
mobile applications and browser extensions asked for the username first and the primary password and
TFA
credential were then requested together in a fresh second screen. Henceforth, the user has to input
the
username and password (first-factor) in the login screen and then the TFA credentials in a new screen
upon
successful primary authentication.
Bug fixes
- From v8604, when an administrator edited resources in bulk from the Resources or Groups tab and
saved
the changes, the action also reset the password reset configurations to default for the selected
resources. This has been fixed.
- From v9702, while copy-pasting values stored as custom text fields (non-password) in the Personal
tab,
special characters were converted to their hexadecimal values during the action due to decoding
issues.
This has been fixed.
- From v9600, API user accounts with 'Full Access' permission over a resource were unable to add a new
account under that resource using 'Create Resource' REST API. This has been fixed.
- [IE browser only] From v9400, users were unable to view an account's password in clear text from
that
account's 'Passcard' link as well as in the 'Account Details' window. This has been fixed.
- Earlier, the symbol 'exclamation mark' ( ! ) was not included in the set of special characters
available
for password policies. Due to this, associating resources/accounts with a password policy that
enforced
the usage of only the symbol 'exclamation mark' ( ! ) under special characters resulted in passwords
being
set as 'unknown' during auto-generation. This has been fixed.
- Earlier, if the Password Manager Pro administrator had disabled the local authentication option for
all
users, users could still bypass the restriction provided that they used a valid local account username
and
password. This has been fixed.
Version 9.8 (9801)
Minor
2nd November 2018
Bug fixes
- From build 9700, Password Manager Pro moved to Apache Tomcat v8.5.27 which required the URLs to be
encoded in all the incoming requests, but, the Password Manager Pro agent kept sending plain URLs.
When
the URLs had special characters such as backslash ('\'), the requests kept dropping continually,
causing
the agent to repeat the process again and again. The same process occurred for thousands of agents and
ended up in a DOS attack on the Password Manager Pro server, thereby resulting in a busy CPU. This
issue
is now fixed by encoding the URLs used by the agent in all its requests. Hence, it is mandatory to re-deploy the agents
while upgrading to any build after 9800.
- From v9700, when the Password Manager Pro server starts and is not able to access the encryption
key, it
resulted in the passwords of the built-in 'admin' and 'guest' accounts being reset to their default
values. This condition existed only for installations running with PostgreSQL as the back-end database
and
is now fixed. It is always recommended to remove both these built-in accounts in production
installations
of Password Manager Pro.
Version 9.8 (9800)
Major
10th September 2018
This release brings forth integration support for HSM data encryption and YubiKey two-factor
authentication
as well as the provision to extend remote password capabilities beyond supported platforms via custom
plugins.
New Features & Enhancements
-
Data encryption and protection with SafeNet HSM
Password Manager Pro (PMP) now provides out-of-the-box support for SafeNet Luna PCIe HSM which gives
administrators the option to enable hardware-based data encryption for the application. This update
helps
administrators ensure increased data security levels by leveraging the integration to securely store
PMP's
encryption key in the SafeNet HSM appliance available in their environment.
-
Password Reset Plugin: Provision to add custom plugins to remotely reset passwords for
unsupported resource types
Password Manager Pro (PMP) now allows manual addition of custom reset plugins (created in the form of
an
implementation class) that can be invoked from PMP server to carry out remote password resets for
platforms that are not supported out-of-the-box, such as legacy resource types, in-house applications,
etc. Administrators can leverage this update to also configure access control for unsupported
resources
and enforce automatic reset of their passwords instantly upon usage.
-
Integration support for YubiKey two-factor authentication
From v9800 onwards, Password Manager Pro readily integrates with YubiKey a physical key made by
Yubico,
which ensures secure and strong user authentication, to provide two-factor authentication support for
application login.
-
Root-based certificate signing
Password Manager Pro now enables administrators to sign and issue SSL certificates to end-servers
within
the network environment, based on a root certificate that is trusted within the network.
-
Website domain expiry notification:
Administrators can now track upcoming
public
domain expirations in Password Manager Pro, facilitated via 'Whois Lookup'. They can also opt to
receive
periodic email notifications regarding the same.
-
New RESTful APIS
- To delete users with their usernames
- To add users to user groups
- To lock/unlock users
- To import SSH keys
- To associate/dissociate SSH keys
-
The REST API to create a new resource now additionally supports inclusion of "Domain Name" for the
resource being created. Also, the REST API to get a user's ID now supports special characters in the
passed username.
-
Henceforth, REST API calls to the PMP server will have a threshold policy. When a specific 'API' call
reaches the threshold number of 150 calls/IP address within a span of one minute, that API will be
locked
for a minute. However, this policy is not applicable to the 'GET' calls.
-
Users imported from Active Directory (AD) to Password Manager Pro will hereafter be provided the
option to
launch an RDP connection to Windows resources using their AD credentials even during cases when other
authentication methods (such as SAML SSO, local authentication) are used by the user in addition to AD
authentication.
-
Password Manager Pro now expedites domain validation for Let's Encrypt certificate renewal through
automated verification of DNS-01 challenges (for Azure and Cloudflare DNS).
-
Password Manager Pro now includes provisions to import certificate files to keystore by automatically
pinning its corresponding private key with the acquired certificate.
-
Audit logs for bulk password resets triggered at resource group level and modification of dynamic
resource
groups have been revised to include more information. The bulk password reset log now also captures
the
name of the resource group for which the reset action has been triggered, either on-demand or
scheduled.
The second log now thoroughly captures the criteria value changes carried out for the selected dynamic
resource group.
-
The "Transfer Ownership" option under the Users tab now lists the available PMP users in an
alphabetical
order to help expedite the operation.
Bug Fixes
- From v9600 till v9702, both on-demand and scheduled remote password resets for Oracle resources
failed
due to server-side issues. This has been fixed.
- From v9700 till v9701, when the MSP administrator imported an organization from a CSV file that also
included information for Account Manager, the detail was not added to PMP during the import. As a
result,
operations like manage organization, edit, and delete organizations could not be performed for the
imported organization. This has been fixed.
- From v9500 till v9702, if the user conducted a custom search in the Resource Audit section, cleared
the
results, and then tried to carry out a PDF export of all the audit logs in that section, the action
did
not work and instead a new tab with a blank white screen opened. This has been fixed.
- From v9600 till v9702, the search options in both User and Resource trash did not work. This has
been
fixed.
- Earlier, if a user had checked out the password of an access controlled resource for a specified
duration and the PMP server is restarted within that duration, the condition was automatically revoked
and
the user was able to continue using the password beyond the given time. This has been fixed.
- Earlier, when an administrator created a new API user and saved the details in Password Manager Pro,
the
saved host name was automatically changed to that user's IP address which led to connection issues
during
API calls. This has been fixed.
- Earlier, Linux resources added to PMP via REST API were not displayed in the list of available
resources
for "Public Key Association" in the SSH Keys tab. This has been fixed.
- Earlier, while trying to fetch the IDs of a resource and its account via REST API by providing the
resource and account names, resource names containing special characters were not allowed. This has
been
fixed.
Security Fix
- Earlier, a Remote File Inclusion (RFI) vulnerability in Password Manager Pro's landing server
configuration tab allowed the administrator to upload any file to any location in PMP server via the
image
file upload field. This has now been restricted to only image files, which can be saved only in the
predestined location.
Version 9.7 (9702)
Minor
27th July 2018
Bug Fixes
- From v9500 till v9701, while trying to export to PDF only the results obtained from a custom search
in
the Recorded Connections audit, the action did not work and instead all audit records in that section
were
exported. This has been fixed.
- In v9700 and v9701, while performing password reset for selected resource group(s), the "Generate
Password" option did not work when the user tried to specify a password to be used for all accounts.
This
has been fixed.
- [IE browser only] From v9400 till v9701, the option to enable/disable a schedule under Admin
>>
Scheduled Tasks >> Schedule Actions did not work if the global language choice for Password
Manager
Pro was not English. This has been fixed.
- Earlier, periodic password export could not be scheduled for a resource group when the username of
the
logged in user contained one or more special characters. This has been fixed.
- Earlier, the "Forgot Password" option available in the Password Manager Pro login screen did not
work
for users accessing the site via Firefox and IE browsers. This has been fixed.
- Earlier, when an auto logon helper was edited and the approval request was sent to a chosen
administrator, the corresponding notification email was not triggered to the administrator's inbox.
This
has been fixed.
Security Fix
- From v9702 onwards, Password Manager Pro master encryption key's cryptographic strength has been
enhanced by increasing the randomness of the character strings used.
Version 9.7 (9701)
Minor
29th June 2018
Features & Enhancements
New system role with privacy administration privileges
From 9701 onwards, a new system role named "Privileged Administrators" will be available in Password
Manager Pro. A privileged administrator will have the same capabilities as an administrator. Besides,
they'll also have the privilege to configure privacy and security controls available under Privacy
Settings,
IP Restrictions, and Emergency Measures in the Admin tab.
Night mode theme for Password Manager Pro
Password Manager Pro now allows its users to switch to a night-friendly mode which changes the
application's primary background color to black. The "Night Mode" option can be enabled by navigating to
the
user profile icon at the top right corner and selecting Personalize.
Major Bug Fixes
- In versions 9601 and 9700, SSH connections to remote systems (includes remote password reset
operations)
failed if Password Manager Pro was running on an Ubuntu server. This has been fixed.
- In v9700, if RSA SecurID and Duo Security were configured as the second authentication factor in
Password Manager Pro, users were unable to log into the application due to authentication error. This
has
been fixed.
- In v9700, when the administrator changed the default "Server Port" under Admin >> Password
Manager
Pro (PMP) Server and saved the settings without providing a certificate, the PMP service did not run
after
server restart. This has been fixed.
- In v9700, if AD user import was configured via LDAP integration with synchronization enabled, the
Password Manager Pro accounts of a specific set of users in that AD domain were accidentally locked by
the
application when the sync schedule was run. This has been fixed.
- In v9700, while trying to transfer ownership of resources from one user to another under the "Users"
tab, the action was unresponsive if the username of the current owner contained the slash symbol ( /
).
This has been fixed.
Minor Bug Fixes
- In v9700, when ownership of a resource group was transferred from one administrator to another, the
subsequent notification email sent to configured recipients did not display the name of the new owner.
This has been fixed.
- In v9700, while configuring notifications for a specific resource group, administrators were unable
to
select one or more user groups as notification recipients for the following password actions Password
Expired, Password Policy Violated, Password Out Of Sync. This has been fixed.
- In v9700, users were unable to view a retrieved password if they had earlier included a percent sign
( %
) in the "Reason for Retrieval" field while raising an access request for that password. This has been
fixed.
- From v9200 till v9700, when a user specified that they wanted to access the password "later" while
raising an access request for a resource for which auto-approval of requests was configured, the
corresponding email notification was not sent to the specified recipients. This has been fixed.
- From v9200 till v9700, if a user requested access to a resource more than once with different
timeframes
specified for each request's password checkout period, only the timeframe of the first logged request
was
recognized for that user. As a result, all subsequent access requests raised by the user for the same
resource were approved only with the already logged timeframe for password checkout. This has been
fixed.
Version 9.7 (9700)
Major
29th May 2018
This release introduces strong controls in Password Manager Pro for protecting personal data stored and
processed in the product, in compliance with privacy regulations.
New Features & Enhancements
Additional protection in web GUI while displaying personal data
Form fields that contain personal data such as Username, DNS Name, Email ID, Server Name and more will
henceforth be masked at all times to enhance protection. Additionally, when a specific user unmasks and
views any of the masked data fields, the action captured in the audit trails with a timestamp and the IP
address of the machine from which the user viewed the data.
Canned report to demonstrate GDPR compliance stature
Password Manager Pro now comes with a canned report that tells you the stature of your compliance with
specific requirements listed in Chapter 3 of the General Data Protection Regulation (GDPR), in terms of
how
users' personal data is handled within the product. This report, apart from providing a holistic view of
how
personal data is handled, will also prove useful while preparing for privacy audits.
Provision to authorize selective administrators with privacy administration privileges
From v9700 onwards, a new "Authorized Administrators" option will appear under Admin >> Settings.
This option can be used to authorize only the desired administrators with the privilege to view, access,
and
modify the following Password Manager Pro settings:
- Privacy Settings
- IP Restrictions
- Emergency Measures
Note:
When you upgrade to v9700 from earlier versions, users with the following roles will be automatically
assigned as authorized administrators:
- Default "Administrator" role
- Custom role with permission to access and modify "PMP Server Settings" under PMP Settings category.
Password protected exports
Administrators can now include an additional layer of password protection for export operations across
Password Manager Pro. This applies to,
- Resource and resource group exports (XLS file)
- Audit exports (PDF and CSV files)
- Report exports (XLS and PDF files)
The authorized administrator can either set a global passphrase which will be uniformly used for the
aforementioned export operations or allow the users to define their own passphrase for their exported
files.
Mandating administrator acknowledgement of data transfer while setting up integration with
third
party applications
Henceforth, when the Password Manager Pro administrator sets up integration with the services mentioned
below, the administrator will be required to acknowledge the data transfer from Password Manager Pro
server
for each respective integration.
- Cloud Storage - Dropbox, Box, and Amazon S3
- Two-factor Authentication - PhoneFactor, RSA SecurID, RADIUS Authenticator, and Duo Security.
Support for Encryption at Rest (EAR) while using MS SQL server as the backend database
For Password Manager Pro installations that function with a MS SQL server as the backend database,
Transparent Data Encryption (TDE) is supported henceforth to achieve EAR. TDE encrypts all the data and
log
files stored in the SQL server and the key used to encrypt the database is also secured further with a
certificate to enhance protection.
Backup file encryption
Database backup (.zip) files in Password Manager Pro-both on-demand and scheduled, will hereafter be
encrypted with the Password Manager Pro master encryption key and stored in the destination directory
securely. In case of Password Manager Pro installation running a remote MS SQL server database, the
backup
file will be encrypted only if the specified backup destination is within the server in which Password
Manager Pro is installed and not the remote machine.
Privacy controls for canned reports
Password Manager Pro now allows authorized administrators to configure privacy settings for canned
reports.
Administrators can choose from an exhaustive list of personal data, deciding whether each input in the
list
should be completely omitted from the reports or included as masked information.
IP restrictions
IP-based restrictions are now supported to limit inbound connections and minimize unwanted traffic to
Password Manager Pro server. Restrictions can be configured for web access, API calls, communication
from
native mobile applications, browser extensions, and Password Manager Pro agents deployed on target
machines.
The IP restrictions can be set at various levels and combinations, such as defined IP ranges or
individual
IP addresses. The authorized administrator can either whitelist or blacklist the set of desired IP
addresses.
Trash can for delete operations
Users and resources in Password Manager Pro can now also be moved to trash alternatively instead of
permanent deletion, along with the option to restore from trash when needed. The trashed users and
resources
will be retained by Password Manager Pro only until the next rotation schedule is carried out for the
master
encryption key.
Purging selective session recordings
Earlier, session recordings and chat logs could only be purged in bulk by configuring to delete
recordings
that are older than a specified number of days. From v9700 onwards, session recordings can also be
individually selected under Audit >> Recorded Sessions and purged. Additionally, chat logs for a
specific session recording can also be deleted while retaining the recording itself and vice versa.
Managing unidentified email addresses in Password Manager Pro
A new provision has been added to enable administrators to track and remove unidentified email
addresses in
Password Manager Pro which do not belong to any of the users in the application. This provision
currently
allows management of unidentified email addresses which are captured in "User Sessions" audit as well as
those that are configured as notification email recipients for scheduled tasks' completion statuses and
license expiry alerts.
Emergency Measures
In the rare scenario that a suspicious activity is sensed within Password Manager Pro but has not yet
been
identified, a set of recommended best practices that can be carried out have been added under Admin
>>
Manage >> Emergency Measures. The illustrative list of incident response actions give the
administrator a head start on stopping all inward and outward communication to and from Password Manager
Pro
server respectively, such as stopping API calls, blocking agent communication, and stopping the SSHD
server.
- Under rebranding, Password Manager Pro now provides an additional option to configure and display a
customizable privacy policy banner in the login page.
- Earlier, the "Total Passwords" count displayed in the dashboard did not include resources of the
type
File Store, Key Store, and License Store. From v9700 onwards, the count will include the
aforementioned
resources as well.
- While setting up user import from LDAP directories, Password Manager Pro administrators now have the
choice to also define the corresponding attribute labels for department and location as used in the
LDAP
directories.
- A new option has been added to Password Manager Pro MSP version under Admin >> General
Settings
>> User Management, which can be used to display the organization names of the client orgs in
the
organization drop down list (at the top right corner) instead of the orgs' display names.
- The option to delete client organizations has been added to Password Manager Pro MSP version. When a
client organization is deleted, all the resources and users added under it will also be deleted.
Bug Fixes
- In v9600 and v9601, due to an issue in Windows resource discovery, when the administrator tried to
import OU A, OU B was wrongly imported. This has been fixed.
- From v9000 till v9601, the password expiry date for accounts in the Passwords section was wrongly
displayed in the quick info beside each account. For instance, if the expiry date for account's
password
was May 25, it was shown as June 25 even though it did not affect the password from expiring on May
25.
This has been fixed.
- From v9000 till v9601, the owner of a criteria resource group was sometimes unable to view the
password
of an account associated with a member resource in that resource group. This happened when the
specific
resource is owned by another user who's a member of a user group with which the criteria resource
group
has been shared and the former owner is not a member of that user group. This has been fixed.
- From v8700 till v9601, if the administrator had disabled the default roles, Password Administrator
and
Password User using Role Filter in their instance, the disabled roles were automatically enabled when
their Password Manager Pro server was restarted.
- Earlier, user import from Active Directory groups did not work if Password Manager Pro secondary
server
was up instead of primary server. This has been fixed.
- Earlier, when an additional password field was added and used as an account attribute, the option to
copy the password to clipboard for that additional field was not available in the resource and account
details windows as well as in the Passcard screen. This has been fixed.
- Earlier, "Change Password" option was shown in the My Profile drop down menu for AD, Azure AD, and
LDAP
users even though it was not applicable to them. The option has now been removed.
Security Fix
- Earlier, PostgreSQL database password as well as the keystore password for HTTPS connections from
the
web server were stored in the configuration files as plain text. They have now been encrypted with
AES-256
algorithm for enhanced security.
Version 9.6 (9601)
Minor
08th May 2018
Bug Fixes
- Earlier, while creating a custom password policy, even if the administrator had set 'No' for the
requirement 'Enforce Numerals', numerals were still used in the newly generated passwords for
resources.
This has been fixed.
- In v9600, the Password Manager Pro web server did not start for users who were connected over HTTP
and
had to be redirected to a HTTPS connection. This has been fixed.
Note:
All data transmission between the Password Manager Pro user interface and the server are configured to
take place through HTTPS. Thus, as a security best practice, Password Manager Pro recommends and
supports
only HTTPS connections by default.
Security Fix
- SparkGateway, which comes bundled with Password Manager Pro to enable RDP connections to target
systems,
has been upgraded from v5.0 to v5.6 to support CredSSP protocol v6. This latest version released by
Microsoft contains security updates to address a remote code execution vulnerability (CVE-2018-0886)
that
existed in the protocol.
Version 9.6 (9600)
Major
04th April 2018
New Features & Enhancements
SQL and SSH Remote Terminal Sessions with Windows Domain accounts
- From v9600 onwards, users can launch SSH connections to Linux resources using Windows Domain
accounts
stored in Password Manager Pro's database. Remote password reset actions for Linux resources can also
be
configured by using a Windows Domain account for remote login to the Linux resources.
- Provision to remotely connect to a MS SQL server using a Windows Domain account has also been added.
Secure Cloud Storage Options for Anytime, Anywhere Access to Passwords
- Provision to export and automatically synchronize the password-protected, encrypted HTML files to
authorized users' Amazon S3 and Box accounts.
- Administrators can configure automatic deletion of the exported files in the users' Amazon S3 or Box
accounts after a set time period and also trigger password resets for all the resources contained in
the
file.
Active Directory - Synchronization Enhancements
Version 9600 introduces a revamp to the 'Synchronization Schedules' screen under Active Directory (AD)
configuration. The screen now includes a sidebar navigation tab that lists the AD domains that have
synchronization schedules configured and also offers a separate view of synchronization schedules
configured
for users and resources respectively. The enhancements include:
- Provision to schedule separate synchronization intervals for import of users and resources
respectively,
for any given domain.
- Provision to schedule separate synchronization intervals for multiple groups in a domain, for import
of
users and resources.
- Provision to schedule separate synchronization intervals for multiple organizational units (OUs) in
a
domain, for import of users and resources.
- Provision to set a custom display name for groups/OUs imported from AD domains. The original AD
names of
the groups/OUs will also be retained.
Microsoft CA Certificate Signing
Password Manager Pro now allows users to get certificate requests signed from Microsoft Certificate
Authority, thereby facilitating complete life cycle management for certificates issued by Microsoft
Certificate Authority.
CMDB Integration for SSL Certificates Synchronization
Administrators can now sync SSL certificates stored in Password Manager Pro's repository with
ManageEngine
ServiceDesk Plus CMDB and map certificates to specific servers / applications in the CMDB. This allows
them
to monitor their usage and expiration from ServiceDesk Plus' CMDB.
SSL Certificate Groups
This enhancement allows users to organize SSL certificates into logical groups based on various
criteria
and execute actions in bulk for the groups.
Localization Support for Turkish
Introducing localization support for Turkish in Password Manager Pro's multi-language editions, in
addition
to Chinese, Japanese, Spanish, German, French, and Polish languages.
Disable Password Resets for Privileged Accounts
This enhancement to account creation and edit actions under Resources tab allows administrators to
disable
both local and remote password resets for all or a specific set of accounts associated with a resource.
- Administrators can now set a non-administrative role-either system-owned or custom made, as the
default
user role in their Password Manager Pro installation. The default role will also be assigned
automatically
to users imported from CSV files/AD/Azure AD/LDAP, unless manually specified otherwise by the
administrator.
- Earlier, when the Password Manager Pro server (PMP) had a firewall or load balancing configuration,
the
PMP audit trails showed the IP address of the firewall/load balancer instead of the IP address of the
user's machine. From v9600 onwards, PMP will log the IP address of the machine, from which it was
accessed, in the audit trails instead of the firewall/load balancer IP address.
- For Password Manager Pro's MSP editions, the audit trails under Resource, User, and Task Audit tabs
now
also display the name of the respective MSP or client organization associated with the related
operation.
- Date based discovery filter for Microsoft Certificate Authority certificate discovery introduced.
- Option to separately track and manage various versions of the same SSL certificate (with the same
common
name).
- Option to import and map a private key to certificate.
Bug Fixes
- From v9200 till v9502, when a resource had access controls enabled and multiple users later
requested
access to that resource with different timeframes for password checkout, the timeframe of the last
logged
request alone was recognized and every user could get access to that resource only during that
timeframe.
This has been fixed.
- From v9200 till v9502, when a resource has access controls enabled for a particular user group, the
access controls did not apply to any new user(s) added to that user group later. Similarly, the access
controls still applied to a user even after they had been removed from that user group. This has been
fixed.
- From v9000 till v9502, when users who were either Password Users or Password Auditors launched an
SSH or
a SQL session, the option to initiate a chat with the administrator monitoring the session was not
displayed in the session terminal window for the aforementioned users. This has been fixed.
- From v8700 till v9502, under custom roles, the permission to add resources to a resource group in
Password Manager Pro was attached to the operation 'Add Resource Group'. This has been changed; the
permission is now attached to the operation 'Edit Resource Group.'
- From v9000 till v9502, under any sections of the Audit tab such as Resource Audit, User Audit etc.,
when
the user runs a filter or keyword search for a specific set of audit trails and later tries to export
the
obtained results alone, the exported PDF or CSV file instead contained all the audit trails. This has
been
fixed.
- From v9000 till v9502, if the users were enforced to provide a reason for password retrieval under
General Settings, the users could submit a blank space in the reason field and still retrieve the
password. This has been fixed.
- Earlier, remote password reset did not work for Oracle user accounts if the respective accounts'
names
began with a number or a special character. This has been fixed.
- Earlier, if a resource's DNS name contained more than a hundred characters, the corresponding
Resource
Actions icon did not work under the Resources tab. This has been fixed.
- Earlier, when users tried to manually change the password for an existing account of any resource,
they
were able to set a password that did not comply with the password policy defined for that resource if
password visibility is set to 'Show' under 'Show/hide Password'. This has been fixed.
- Earlier, when generating certificate signing requests with SAN names, the SAN names were not
updated.
This has been fixed.
- Earlier, there were issues with fetching the system locale on Microsoft CA discovery. This has been
fixed.
Security Fix
- Password Manager Pro's master encryption key generation process, which was identified as being weak
and
vulnerable due to relatively less entropy, has now been made stronger with the inclusion of a higher
entropy rate. This addresses and fixes the said vulnerability-the ability to roughly identify the
character pattern used to generate the master encryption key (provided that one has direct physical
access
to the server in which PMP is installed).
Version 9.5 (9502)
Minor
20th February 2018
Enhancements & Bug Fixes
- In v9500 and v9501, execution of password reset operations for Windows machines-via both agent-based
and
agent-less methods, occasionally resulted in an application server crash due to restrictions in
filtering
null values for 'Domain Name' fields. This has been fixed.
- In v9500 and v9501, user import from LDAP did not work for the following LDAP server types, except
MS
Active Directory-Novell eDirectory, OpenLDAP, and Others. This has been fixed.
- Henceforth, the following functions in Password Manager Pro can be carried out with PowerShell
scripts
instead of Task Scheduler service. The support to use PowerShell scripts has been provided as an
alternative, in order to overcome the limitations of using Schtasks commands.
- Fetching of Scheduled Tasks for Windows and Windows Domain resources.
- Scheduled Tasks password resets for Windows and Windows Domain resources.
Version 9.5 (9501)
Minor
31st January 2018
Bug Fixes
- In v9500, users with administrator privileges encountered a blank white screen for a few minutes
when
they logged into Password Manager Pro, due to product banner loading issues. This has been fixed.
- In v9500, A remote password resets for Windows workgroup machines failed as a result of the recent
replacement of VBScript scripts with .Net API calls. This has been fixed.
Version 9.5 (9500)
Major
11th January 2018
Feature Enhancements
- User Sessions
This enhancement allows administrators and auditors to view the list of user sessions for a specified
time
period. A user session includes all actions performed by a user, between a specific login and logout.
The
view also indicates currently active sessions with the option for administrators to forcefully
terminate.
This feature is an addition under the Audit tab and helps administrators with fine grained monitoring
and
control of user activity.
- Key Manager Plus Integration - Now available for all editions
From v9500 onward, all Password Manager Pro editions (Standard, Premium, and Enterprise) support Key
Manager Plus integration to help enterprises take complete control of their SSH and SSL environments
in
addition to passwords.
- Replication of Password Policies Across Client Organizations (MSP Edition)
This latest enhancement to the replication feature allows MSP administrators to quickly replicate MSP
organization's custom password policies across the client organizations.
Bug & Security Fixes
- From v8700 till v9402, during Windows resource import from Active Directory (AD) via discovery
function,
password administrators were unable to view and set up AD Synchronization in the Windows Discovery
Tasks
page, although they had the permission. This has been fixed.
- From v9000 till v9402, while moving accounts between resources, the search box provided within the
destination drop down menu did not work. This has been fixed.
- Earlier, during user import from an LDAP domain, the user groups in the domain were also wrongly
identified as individual user objects and listed under Password Manager Pro's 'Users' tab. This has
been
fixed.
- Earlier, with regard to LDAP authentication, users who were moved from one OU to another in their
Active
Directory (AD) domain could later not log into Password Manager Pro using their AD credentials. This
has
been fixed.
- The VBScript scripts used for the following functions in Password Manager Pro (PMP) have been made
obsolete and replaced by equivalent .NET API calls made from within the PMP application. This is to
ensure
the passwords never leave the PMP application space, even to Windows Task Manager or Process Explorer.
- Local and service accounts enumeration during Windows discovery.
- Fetching of service accounts and scheduled tasks for Windows and Windows Domain resources.
- Password change and verification as well as associated service restarts for Windows resources.
- Service accounts and scheduled tasks password resets for Windows Domain resources.
Version 9.4 (9402)
Minor
15th December 2017
Bug fixes:
- Earlier, while editing a resource via RESTful API, changing the type of the resource was not
supported.
The API has now been enhanced to allow the modification of this attribute.
- Earlier, while trying to add a new value or edit the existing value of a resource-level additional
field
via RESTful API, the action also reset the values of other additional fields of that resource and the
fields became empty. This has been fixed now.
- Earlier, in the MSP edition, while revoking a client org's 'Manage Permission' for a set of admins,
the
action could not be completed if the number of selected admins exceeded 25. This has been fixed.
- From v9400 till v9401, shared resource groups did not show under 'Password Explorer' for
administrators
and users alike. This has been fixed.
Version 9.4 (9401)
Minor
11th December 2017
Bug fixes:
- In v9400, 'Change Private key' was not working for users without Key Manager Plus license. This has
been
fixed now.
- In v9400, users without Key Manager Plus license continuously received Let's encrypt renewal
schedule
notification mails. This has been fixed now.
- In v9400, schedule execution failed in other organizations when running in MSP client org. This has
been
fixed now.
- From v9200 till v9400, RDP remote session was not working for users having user name starting with
the
letter 'U'. This has been fixed now.
- From v9000 till v9400, clicking upon 'Agent Alerts' notification, popped up 404 error. This has been
fixed now.
Version 9.4 (9400)
Major
30th November 2017
New Feature
Key Manager Plus Integration
The tight integration brings all features of Key Manager Plus right inside Password Manager Pro to
provide
a complete Privileged Identity Management solution.This help enterprises centrally manage, monitor,
control
and audit the entire life cycle of privileged passwords, SSH keys and certificates from a single user
interface.
Security fix:
- From v9000 till v9300, there were reflected XSS issues in the URLs 'SearchResult.ec and
BulkAccessControlView.ec'. This reflected XSS issue has been fixed now.
Bug fixes
- From v9000 till v9300, 'Export Passwords' option was listed under 'Resource Actions' even when
"Export/Offline Access - Allow admins and users to export password information to plain-text
spread-sheet
(.xlsx)" was disabled. This has been fixed now.
- From v8700 till v9300, Users, assigned with custom roles created with the privileges of a password
user,
were not able to invoke the 'Join Active Sessions' action under Audit -> Remote Sessions.This has
been
fixed now.
Version 9.3 (9300)
Major
7th November 2017
New Feature
- File Transfers Over Remote Desktop Sessions
Henceforth, in real-time Windows RDP sessions launched via Password Manager Pro's session gateway,
users
can securely transfer files from local machine to remote target machine, and vice versa.
Enhancements & Bug Fixes
- Password Manager Pro now uses captcha services during application login to enhance security. The
users
will be required to resolve a captcha when they enter an invalid username/password for five continuous
login attempts.
- Earlier, out of the remote sessions (RDP, SSH, and SQL) launched via Password Manager Pro's session
gateway, one or more of the sessions at random still continued to show under the 'Active Privileged
Sessions' tab even when those sessions had already been terminated by respective users. This has been
fixed.
- Earlier, the results for 'Find Out of Sync Passwords' action executed for a resource group showed
that
all passwords were in sync even when passwords for one or all of the Windows resources in that group
were
not in sync. The wrong results were captured in the audit records as well. This has been fixed.
- Earlier, when a user clicked on the 'Forgot Password?' link in the Password Manager Pro (PMP) login
screen to set a new password via email, the email could not be validated if the recipient's email
address
contained an apostrophe. This has been fixed.
- From v8600 till v9200, in Azure AD user/user groups import, only a maximum of 100 users/user groups
could be imported. This has been fixed to allow users/user groups import without any count limitation.
- From v8700 till v9200, users faced blank page issues when the custom role assigned to them did not
allow
specific actions in that page. For instance, under dashboard provisions, if a user is allowed to
access
only the user dashboard and not the password dashboard, clicking on the 'Dashboard' button in the left
navigation pane displayed a blank white screen upon loading. This has been fixed.
- From v9000 till v9200, under 'Resources' tab, the users faced specific search and page navigation
issues
after they had accessed a resource group displayed in the 'Password Explorer' tree view. The following
bugs have been fixed:
- In case of search, when a user used the in-line search option available for 'All My Passwords'
(or
any other tab under 'Resources'), then navigated to a resource group via the tree view and
returned
back to 'All My Passwords' page, the typed-in search term and the respective results were still
retained and displayed.
- When a user navigated between pages under tabs such as 'Passwords' or 'Favorites', then clicked
on a
resource group via the tree view and returned back to the tab accessed earlier, the page number (2
or
above) that had been selected previously was launched instead of the first page.
- From v9000 till v9200, the global search option in the top pane did not work properly when the
search
term contained the ampersand sign ( '&' ). For instance, if the search term was 'AT&T', search
results were returned only for 'AT', i.e. only for the characters before the sign. This has been
fixed.
- From v9000 till v9200, when the account name of a resource contained more than 140 characters, the
corresponding Account Actions and Resource Actions icons did not work for that account. This has been
fixed.
- From v9000 till v9200, when the URL length of a resource was more than 700 characters, the
corresponding
Resource Actions icon did not work. This has been fixed.
Version 9.2 (9200)
Major
12th October 2017
New feature
IIS Web.config discovery
Password Manager Pro can now identify the domain accounts which are used in the connection string of
IIS
web.config files that are stored in PMP. While changing the password of the domain accounts stored in
Password Manager Pro, it can automatically update the password in the IIS web.config files.
Enhancements and fixes
- Password Access Control Workflow has been upgraded. With this update:
- One or more user groups can be designated to approve password access requests.
- Earlier, some users can be excluded from access control. Now, you have an option to exclude both
users and user groups from access control.
- Users can specify when they want to access the password - now or later, while making a request
and
can also send a reminder mail before the access time.
- Similarly, administrator can specify when the user can access the password - now or later, while
processing the request.
- In addition, users can be enforced to provide reason for password retrieval.
- Reminder e-mail can be sent to the administrator to approve the password request before the
stipulated time.
- A grace time of upto 60 minutes can be provided to the user when the access time ends.
- Auto check-in time can be specified when the request is approved by the administrator.
- Maximum time period can be specified after which the pending access request becomes void.
- Password Manager Pro now integrates with ManageEngine ServiceDesk Plus by validating change request
in
addition to the ticket ID entered by the user in the ticketing system. And validated occurs only when
the
change ID provided is approved in ManageEngine ServiceDesk Plus.
- Password Manager Pro enables recording of RDP remote session launched from the product and you can
trace
the recorded RDP remote session through the resource name, user who launched the session, time at
which
the session was launched. In addition, start and stop audit for RDP remote session has been enhanced
now.
- In v9000 and above, the mail notification sent to the users about the access permission shared or
revoked contained blank values. This has been fixed now.
- In v9000 and above, 'resource actions' icon was not listed for user with custom role 'edit
resource'.
This has been fixed now.
- From v9200 and above, a resource can also be searched in the search column by providing the resource
URL. Earlier, a resource can be searched only by providing the resource name, description or resource
type.
- In v9000 and above, configure access control deactivation for resources in bulk was not working.
This
has been fixed now.
- In v9100 and above, when enabling two factor authentication - Duo security, the screen hangs at
'Initializing web client'. This has been fixed now.
- In v8704 and above, Secondary DNS field in WindowsDomain resource type was removed. This has been
fixed
now.
- Earlier, already existing resource type can be added again with change in alphabet case (lower case
or
upper case). This has been fixed now.
- Earlier, addon failed to auto-fill passwords to the websites in client org. This has been fixed now.
- Earlier, Access Snapshot was not working upon clicking 'View per page' to 50 / 75 / 100 resources.
This
has been fixed now.
- Earlier, Windows discovery fails when the username / password contained angular brackets and the
harmful
content audit has the actual password in clear text. This has been fixed now.
Version 9.1 (9101)
Minor
7th August 2017
Enhancements & Fixes
- SparkGateway that comes bundled with Password Manager Pro has been upgraded from v4.6 to v5.0. With
this
update, RDP sessions can now be launched over TLS 1.2 to machines in which previous TLS versions have
been
disabled.
- Earlier, while integrating Amazon Simple Email Service (SES) with Password Manager Pro under 'Mail
Server Setting', secure connections over SSL or TLS could not be configured. This has been fixed.
- From v8500 till v9100, Active Directory Single Sign-on could not be enabled if the 'Secondary Domain
Controllers' field held more than 100 characters. This is now changed to accept up to 250 characters.
- From v9000 till v9100, any resource/account/resource group access permission changes for user groups
were not notified via email despite the alert configuration under General Settings. This has been
fixed.
- From v9000 till v9100, the 'Edit User' screen did not load the Duo Username for Duo TFA-enabled
users.
This has been fixed.
- From v9000 till v9100, duplicate names could be assigned for two user groups by changing the name of
one
group in 'Edit Group Attributes' to match the other group's name. This has been fixed.
- From v9000 till v9100, users were unable to download files stored under the 'File Store' resource
type.
This has been fixed.
- When Password Manager Pro (from v9000 till v9100) was launched on Firefox 54, checkboxes weren't
displayed across multiple tabs such as Resources, Users, and Groups. This has been fixed.
Version 9.1 (9100)
Major
13th July 2017
New Features
- JIRA Service Desk Integration
Out-of-the-box support for Password Manager Pro to readily integrate with JIRA Service Desk
integration to
automatically validate service requests related to privileged access.
- Salesforce - New Resource Type Support for Remote Password Synchronization
Support for remote password reset and verification of Salesforce resources.
Enhancements & Fixes
- Replication of Additional Attributes for Default Resource Types Across Client Organizations
(MSP
Edition)
Earlier, MSP admins could only replicate the custom resource types in MSP org across all client
organizations. Now, MSP admins can also replicate any additional resource and account attributes added
to
the default resource types also across the client orgs.
- In v8000 and above, Mac account discovery for Linux resources did not work properly and only root
account were discovered instead of all user accounts. This has been fixed now.
- Earlier, while retrieving the list of resources that are owned/shared to an API user with RESTful
API,
only those resources with at least one account associated under them were retrieved. This API has now
been
enhanced to also retrieve resources without any associated accounts.
Version 9.0 (9003)
Minor
16th June 2017
Password Manager Pro Release 9.0 (9003) (16th June 2017)
Bug Fixes
- In v9000 and above, when an admin clicked on a resource group displayed in the 'Password Explorer'
tree
view and then tried to add a new resource, they were unable to proceed to the accounts addition step.
This
has been fixed.
- In v9001 and above, while discovering Windows resources in a domain, the local accounts of the
member
servers were not fetched automatically during the process. This has been fixed.
Version 9.0 (9002)
Minor
13th June 2017
Bug Fixes
- In v9001, the 'Domain Name' field was missing in the 'Add Resource' and 'Edit Resource' screens for
Windows resources. This has been fixed.
- In v9000 and above, in the Manage >> Scheduled Tasks UI, the 'Schedule Actions' menu icon did
not
respond for the 'Recorded Sessions Purge Schedule'. This has been fixed.
- In v9000 and above, users logged in to Password Manager Pro using a Firefox browser were unable to
change the default skin color of the application under 'Personalize' options. This has been fixed.
- In v9000 and above, the search option in the Organizations tab did not work for MSP editions. This
has
been fixed.
- In v9000 and above, when the GUI language was set as another option apart from English, the global
search option in the top pane did not work. For instance, when a particular resource was searched for,
all
resources were displayed instead in the results. This has been fixed.
Version 9.0 (9001)
Minor
2nd June 2017
New Features, Enhancements, Changes & Fixes
- Replication of Custom Resource Types Across Organizations (MSP Edition)
- MSP admins managing the resources of multiple clients can now replicate custom resource types in
MSP
org across all the client organizations. In addition, the MSP admin can choose whether the
password
reset listeners configured in the MSP org should also be replicated along with the custom resource
types.
- In v9000, the search option provided for 'Recorded Sessions' under Audits did not work for users.
This
has been fixed.
- In v9000, while copying usernames of resource accounts that consisted of the '@' sign, pasting the
same
resulted in invalid characters in the copied username. This has been fixed.
- In v9000, while editing resources in bulk, if any of the selected resources had notes stored under
them,
the notes field of that resource became empty once the edits were saved. This has been fixed.
- In v9000, when an existing custom report was edited and saved, the 'Mail Report as' option under
Schedule Report settings for that custom report was automatically reset to PDF from earlier configured
setting if any. This had been fixed.
- In v9000, under the Personal tab, passwords created using the password generator were displayed
twice
continuously when the user tried to view them. This has been fixed.
- In v9000, while adding a new custom listener, the save button did not work and the details could not
be
saved. This has been fixed.
- In v9000, after enabling two-factor authentication, the RADIUS username for a user continued to
appear
empty in the 'Edit User' window even though values provided for the same reflected in the database.
This
has been fixed.
- In v9000, while editing user details, the fields to add RDP and VNC ports in the 'Edit User' window
were
missing. This has been fixed now.
- In v9000, while editing IBM-AIX resources, the checkbox for pwdadm command execution was missing in
the
'Edit Resource' window. This has been fixed.
- In v9000, when two-factor authentication (TFA) is enabled, the option to edit TFA usernames in bulk
was
missing in the 'More Actions' menu under Users tab. This has been fixed.
- In v9000, during new resource addition, a DNS name consisting of underscore ( _ ) symbol was not
accepted and as a result, the resource could not be saved. This has been fixed.
- In v9000, while adding resources of the type website accounts, if 'Resource URL' value was defined
using
the format %DNS_NAME%, users faced an issue with launching the URL in a new browser tab. This has been
fixed.
- In v9000, while importing resources from a CSV file, if resources already existing in the Password
Manager Pro database were configured not to be imported, the next resource in the row below the
existing
resource was also not imported from the file. This has been fixed.
- In v9000, when a user clicks on the 'Forgot Password?' link in the Password Manager Pro (PMP) login
screen and requests for a new password, the corresponding email was sent twice to the user's address
if
they were using IE browser for PMP. This has been fixed.
- In v8601 and above, when two-factor authentication (TFA) is configured, the users faced login
failure
issues at random while signing in to their Password Manager Pro account. This has been fixed.
- Earlier, when a resource was shared with a user and the user eventually marked that resource as
their
favorite, the resource still showed up in the user's 'Favorites' and 'Recently Accessed' lists even
after
its share permission had been revoked. This has been fixed.
- Earlier, while creating a custom report of the types 'Resource Audit' or 'User Audit', if the user
had
set custom dates for 'Expiration Date' as well as added multiple criteria with an 'OR' setting, the
date
limits did not apply in such scenarios and the report was generated from all the audit records
available.
This has been fixed.
- Earlier, while fetching the list of services that are run using a Windows Domain user account, if
the
name of a particular Windows service consisted of a colon symbol ( : ), the characters present after
the
colon in that name were not fetched. This has been fixed.
- Earlier, MS SQL server replication for High Availability could not be configured if the username or
password of either the primary or secondary backend database contained a single quote ( ' ). This has
been
fixed.
Security Fixes
- XSS vulnerabilities found in 'Edit User' and 'Password Policies' features, which resulted in
unauthorized permission to execute arbitrary commands, have been fixed.
- Earlier, to reset the login password of one's Password Manager Pro account through 'Forgot Password'
method, the user had to click on the given link in the login screen, provide username and email
details,
and then the new password was directly sent to the provided email address. Henceforth, after providing
username and email details, the user will only receive a link to their inbox and will be able to
access
the new password upon clicking that link.
- The third party Java software library that comes bundled with Password Manager Pro to support NTLM
authentication has been upgraded from v1.1.22 to the vendor's latest release v1.2.0, which now uses
TCP
transport instead of SMB for MSRPC communications.
Version 9.0 (9000)
Major
28th April 2017
New Features, Enhancements, Changes & Fixes
- New User Interface
From build 9000 onwards, Password Manager Pro will switch to a new user interface (UI) in order
to improve user experience. The rich, modern look of the new UI embraces the flat design, and
includes enhancements to the speed and usability of the application. Users will be able to
navigate between tabs quicker than before and access data without multiple page reloads,
thereby equipping admins to get their jobs done faster. This simple and responsive design is
optimized across both mobile and web platforms to provide a wholesome experience to the user.
- Important Change in the Design of Criteria-based Dynamic Resource Groups
From build 9000 onwards, for criteria-based dynamic resource groups, criteria will be applied only
on the resources owned by the group owner and on the resources owned by the administrators
who have manage permission to the group. Criteria will not be applied on the shared resources.
This represents a significant change from the existing design. At present, criteria gets applied on
all resources that are owned by the user who is creating the group and on the ones shared with
"Manage" permission. Shared resources are being excluded in the new version. Once you move to
the latest version, some resources that were part of a criteria-based dynamic group created by
you would have been removed from the group due to this change.
In the new design too, administrators who have access to a dynamic group with "Manage"
permission (henceforth known as "Full Access" permission) shall be able to add the resources
owned by them to that group. That means, the resources owned by them shall become part of
the dynamic group upon satisfying the criteria.
Note: This change was introduced in PMP 8.0 for those who installed the full version
afresh. That
means, for customers who have directly installed builds 8000 and above, this behavior remains
the same. The above change will be felt only by customers who have been using Password
Manager Pro before the 8000 build was released.
- MIB Update for SNMP Trap Settings
This version includes an update to the MIB (MANAGEENGINE-PMP-MIB), which is integral to
SNMP trap configuration in Password Manager Pro. As part of the update, the OIDs used to
identify the VarBinds have been revised.
- In v7000 and above, while retrieving passwords, if the user was enforced to provide a reason as
configured by the admin, the user was able to retrieve passwords from "Pass Cards" and "All My
Passwords" UI by adding just a space in the reason field. This has been fixed.
- In v8600 and above, when Azure Active Directory (AAD) authentication was configured and
enabled for users, users from only one specific AAD tenant were able to log in to Password
Manager Pro using their AAD credentials while users in other tenants faced login errors. This has
been fixed now, by updating the value of the endpoint to which the sign-in requests are sent
from Password Manager Pro.
- In v8700 and above, role summary report could not be generated for a role if the respective role
name comprised Japanese characters. This has been fixed.
- In v8700 and above, admins using Password Manager Pro's Premium edition were unable to
create API users even though XML-RPC API/SSH CLI access and related operations were allowed
in the premium edition. This has been fixed.
- In v8700 and above, if an admin disables the "Personal" tab for users by unchecking the
respective option under General Settings, the option itself disappeared from view the next time
when the admin accessed General Settings. This has been fixed.
- Earlier, in MSP editions, client organizations that had been marked as favorite by respective users
were not displayed at the top of the list as they should be. Instead, the client org that one user
had most recently marked as their favorite was globally displayed at the top for all users. This
has been fixed.
- Earlier, while importing users from AD/Azure AD, when the admin specifies the users to be
imported as comma separated values, the action resulted in error if there was spacing after the
commas. This has been fixed.
- Earlier, when users share their resource group with other users, the former faced resource group
duplication issues in their UI dashboard whenever the latter added a new resource to that shared
resource group. This has been fixed.
- Earlier, while adding an account under a resource, the account could not be saved if the user had
earlier enabled a custom password field under "Account Additional Fields" and entered a
password containing specific special characters including Greater Than/Less Than ( "<", ">" )
symbols in that field. This has been fixed.
- Earlier, during manual resource addition operation, the user was able to add two different
accounts under the same name but different casing. However, while saving the added accounts,
the second account's user-provided password was automatically replaced with the first account's
password. This has been fixed.
- Customers who upgraded to 8700 from any of the older versions faced an issue with the
"Personal" tab, i.e. if they had earlier disabled the Personal tab for users, the provision was
automatically enabled for users after the upgrade. This has been fixed.
Password Manager Pro Release 8.7 (8704) (06th April 2017)
Security Fix
- In v8600 and above, after launching an RDP session, the users were able to view the shared RDP
password
in plain text by opening the page source of the respective session tab, even when they were not
authorized
to view the password. This has been fixed.
Password Manager Pro Release 8.7 (8703) (04th April 2017)
Issues & Fixes
- Earlier, when details such as role name, description etc. were provided in Japanese while creating new
user roles, the Japanese characters were not displayed in any of the corresponding role reports that
were
exported as PDF. This has been fixed.
- Earlier, when a scheduled password reset was carried out for a Windows domain account after password
expiry, the reset action results were at times audited as failed even though the password was
successfully
reset in the resource. This happened if the domain account had services and IIS app pools associated
with
it. This has been fixed.
Security Fix
- Earlier, when scheduled password reset was triggered for a Windows domain account, the new password of
the account was printed in plain text in the logs if the Log Level setting was configured as 'DEBUG'.
This
has been fixed.
Password Manager Pro Release 8.7 (8702) (09th March 2017)
Issues & Fixes
- Earlier, when users who use Password Manager Pro's Standard or Premium edition upgraded their
installation to v8700 and above, features that were unrelated to the edition they use were displayed in
the product GUI. This has been fixed now.
- In v8700 and above, remote sessions launched by users with user-type roles (that is,
non-administrators)
were not recorded even though session recording was configured globally for all users. This has been
fixed
now.
Password Manager Pro Release 8.7 (8701) (16th February 2017)
Enhancements & Fixes
- In v8700, under custom roles feature, when a group of users were moved in bulk from their current
roles
to an administrator-type role using "Change Roles", the operation failed during certain circumstances
owing to insufficient number of administrator licenses even though adequate licenses were in fact
available. This has been fixed now.
- Earlier, when super administrators carried out edits to their own profile such as password policy or
email ID changes, they lost their super administrator privilege automatically when they saved the edits;
and they were reverted to their old role. This has been fixed now.
- In v8700, when an administrator viewed the list of users who were members of a user group, the
database
values of the users' "Role" column were displayed in the web UI table view. This has been fixed now.
Security Fixes
- Earlier, while importing resources from a CSV file, when "Overwriting of existing resources" is
enabled
by a user along with a configuration setting to overwrite a resource only when it is owned by that user
resources owned by other users were overwritten in certain circumstances despite the owner check. This
has
been fixed now.
- A function level access control vulnerability resulted in unauthorized permission which allowed an
user
to lock their own Password Manager Pro account, This has been fixed now.
- A function level access control vulnerability resulted in unauthorized permission which allowed a user
to change their current role to another administrator-type role. When a user was assigned a custom role
with operational scope only to "Change user roles" and no other administrator privilege, that user could
change their own role to another administrator-type role that contained higher operational scope. This
has
been fixed now.
- An XSS vulnerability which resulted in unauthorized permission to execute arbitrary commands was found
in Password Policies feature. This has been fixed now.
- The internal security framework used for Password Manager Pro has been upgraded to the latest version.
Password Manager Pro Release 8.7 (8700) (6th February 2017)
New Features, Enhancements & Fixes
- Custom Roles : Option to create custom roles for users, with provision to define
operational scope for each role in a fine-grained manner. You can allow or restrict operations for the
custom role (from a list of 100+ options like adding resources, allowing remote access to resources,
creating policies etc.) and assign the role to desired number of users. To learn more custom roles, click here.
- In v8000 and above, while exporting password inventory report in .xls format for two or more resource
groups, the report was generated for only one random group instead of all selected groups. This has been
fixed.
- In v8603 and above, when a user selected a group of resources and attempted to bulk edit one/many of
the
resources' attributes, there was an issue while saving the edits. Specifically, the values present in
the
Notes field of all accounts associated to the selected resources were automatically overwritten with a
blank value, even when no edits were carried out by the user to that effect. This has been fixed.
- In v6300 and above, while integrating Password Manager Pro with a PhoneFactor system for two-factor
authentication, the option to 'Test Agent Connection' returned an error if the user had manually
specified
account credentials and agent service URL (this issue did not occur when the credentials had been stored
in Password Manager Pro). This has been fixed.
- In v8500 and above, when a password user tries to export in plain-text the resources in a resource
group
shared with him/her, the exported spreadsheet (.xlsx) was blank. This has been fixed.
- In v8505 and above, the 'Copy to Clipboard' option across the GUI did not work in Chrome browser. This
has been fixed.
- In v8601 and above, when a user tried to update password for scheduled tasks from Password Manager
Pro,
the reset failed due to a double quote missing in the reset command. This has been fixed.
- Earlier, users were unable to launch RDP connections from Password Manager Pro's web-interface when
the
respective username contained a space or the password contained a percent sign ( % ). This has been
fixed.
- Earlier, when details such as name, description etc. were provided in Japanese for resources, the
Japanese characters were not displayed in the PDF version of Canned and Query reports generated for the
respective resources. This has been fixed.
- Earlier, in the MSP edition, there was a configuration issue with the Replicate Settings option
available under Organization actions. The issue caused the User Group Settings to replicate time and
over
in the client org, with respect to the number of times the user clicks on Replicate Settings. This in
turn
interfered with the workflow of various options under User Group Settings. This has been fixed.
Password Manager Pro Release 8.6 (8604) (23rd January 2017)
Security Fixes
- In v8601 and above, users making use of LDAP authentication with two-factor
authentication enabled, were able to access their Password Manager Pro account by
supplying only the username for LDAP authentication and thereafter the valid second
factor credentials. This was possible because when anonymous binding is enabled, LDAP
server allows connection without credentials, if one knows the LDAP username. This
issue has been fixed.
Password Manager Pro Release 8.6 (8603) (30th December 2016)
Enhancements & Fixes
- Bulk edit option is now available for resources, which allows the administrator to select several
resources and edit them in bulk at the same time.
- Username mapping is now available for two-factor authentication options such as Duo Security and
PhoneFactor. This option allows you to map usernames between Password Manager Pro and two-factor
authentication services listed above.
- Earlier, integrity checks for password synchronization once enabled was carried out for all passwords
on
a daily basis by default. The administrator could only adjust the time at which the check should be
carried. Henceforth, integrity checks can be scheduled to be run at desired time intervals.
- Earlier, newly configured mail server settings could not be successfully saved if any of the given
e-mail ids consisted of '-' (hyphen). This has been fixed now.
- Earlier, in the Japanese version of Password Manager Pro, text inputs in the 'Reason' field syslog
messages sent from the tool were either incomplete or comprised of garbled characters. This has been
fixed
now.
- In v8500 and above, when resources with file attachments were shared with password users, the users
were
unable to download the attachment. This has been fixed.
Security Fixes
- A function level access control vulnerability resulted in unauthorized permission to edit Password
Manager Pro's default resource types. This has been fixed now.
- Earlier, if the option 'unique password generated through email' is configured for two-factor
authentication in Password Manager Pro, the OTP generated and sent to a user's email id during a login
attempt did not expire instantly upon one-time usage. The OTP could be reused multiple times for login
from different systems as long as the primary login session remained active. This has been fixed now.
- In order to negate the possibility of DOS attacks, threshold limits have been introduced for HTTP
operations (using POST method) from the web console. The threshold limits restrict the number of times
that a particular HTTP operation can be carried out per minute from a user ID.
PMP Release 8.6 (8602) (14th Dec 2016)
Bugs & Security Fixes
- In v8600 and above, when an administrator changed the web-server port number under
Admin-->Server Settings, the action caused a service failure after a restart. This issue has been
fixed.
- A function level access control vulnerability resulted in unauthorized permission to view other users'
personal passwords stored under a specific category, when the option "Allow users to create their own
passphrase" is disabled under General Settings. This has been fixed now.
PMP Release 8.6 (8601) (2nd Dec 2016)
New Features
- Lock Password Manager Pro Users
Option to temporarily prevent any user from accessing Password Manager Pro by locking down the
respective
account. The user accounts can be unlocked anytime, with all user settings intact including share
permissions.
- New REST APIs
- To edit resources.
- To edit/delete accounts
- Support for Duo Security Two-factor Authentication
Support for Duo Security two factor authentication for login to Password Manager Pro. Already, Password
Manager Pro supports Google Authenticator, PhoneFactor, RSA SecurID, a one-time, randomly generated
unique
password, and any RADIUS-compliant two factor authentication mechanism as the second level of
authentication for two factor authentication.
Enhancements
- Add Secondary Domain Controllers to a Windows Domain Resource
While creating a Windows Domain resource, users can add the DNS Name / IP Address details of secondary
(or
multiple) domain controllers associated with the resource. Once added, they can also auto log on to all
associated domain controllers using the same Windows Domain account.
- MSP Edition
- Earlier, the "Import Organization from CSV file" feature did not provide the option to attribute
an
"Account Manager" for the organization during the import itself. As a result, once organization
details were imported from the CSV file, the MSP admin had to separately assign an administrator in
Password Manager Pro as the Account Manager. Henceforth, an Account Manager column containing the
administrator "username" can be added in the CSV file itself and directly attributed to the new
organization during import.
- Earlier, when the administrator configured "Replicate settings across client orgs," the saved
settings were applicable only for new client orgs and not for existing orgs. As a result,
resource/user groups, share settings, and additional fields were not replicated in the existing
orgs.
Now, a new option has been introduced to sync the newly configured replication settings (except
additional fields) across existing client orgs as well, either all or desired.
- While creating new users via RESTful API, they can now also be added to a new or existing user group.
- Earlier, while adding a new resource with Password Manager Pro via RESTful APIs, API users had default
permission to specify another existing user as the resource owner. The API user could also edit a
resource
owned by other users. Now, an option has been introduced to disable API users from adding/editing
resources under other user's ownership.
- Earlier, while adding a new Windows Domain resource, the "Configure password reset for associated
service accounts and IIS AppPool accounts" section did not give further options for the user to
enable/disable password resets separately for service accounts, scheduled tasks, and IIS AppPool
accounts.
Password resets could be configured either for all or none of them, regardless of whether services/IIS
AppPools were run using the domain account. Now, new options have been introduced which allows the user
to
exclusively choose required password resets"among service accounts, scheduled tasks, and IIS AppPools as
well as service restart options.
- Earlier, when password resets for Windows Scheduled Tasks were carried out, users faced version
compatibility issues for Task Scheduler if the target Windows server edition was different from that of
server in which Password Manager Pro was running. To solve such platform issues, the Scheduled Tasks
password reset mechanism has been enhanced to also support Task Scheduler 2.0.
- Earlier, when two-factor authentication (TFA) was enabled, Password Manager Pro's login screen asked
for
the username first, and both primary password and TFA credential were requested together in a fresh
second
screen. Henceforth, the user has to input both username and password (first level of authentication) in
the login screen. Only when the primary authentication succeeds, the user will prompted for the TFA
credential in a new screen.
Bug Fixes
- In v8500 and above, while importing resources from Active Directory under "Resource Discovery" option,
comma separated values entered in the "Resources to import" field were not imported properly. Only the
first value was imported. This has been fixed now.
- In v8600, when a user group was restricted from storing their personal passwords in Password Manager
Pro, the users of that group were unable to retrieve their enterprise passwords. This happened only when
the global option to manage personal passwords was enabled under General Settings, but disabled for that
specific user group. This has been fixed now.
Security Fixes
A function level access control vulnerability resulted in unauthorized permission to edit Password
Manager
Pro's pre-defined password policies (Strong/Medium/Low/Offline Password Fil). In addition, the
vulnerability
also allowed the deletion of the password policy that has been set as default. This has been fixed now.
Password Manager Pro Release 8.6 (8600) (11th November 2016)
New Features & Enhancements
- Azure AD Integration
Introducing out-of-the-box integration with Azure Active Directory (AD), which allows users to login to
Password Manager Pro with their Azure AD credentials, in both Windows and Linux platforms. The
integration
also allows import of users and user groups from Azure AD to Password Manager Pro, and keeps data
synchronized through Azure AD sync schedules.
- Query Reports
This new addition to the Reports section now allows administrators to construct reports by writing their
own SQL statements. The statements can be used to directly query the Password Manager Pro database and
fetch required information to address unique reporting requirements.
- Store Recorded Sessions in an External Location
Video recordings of RDP, SSH, Telnet, and SQL sessions will hereafter be stored in an external location,
instead of Password Manager Pro database. Users can configure two external locations, one primary and
another backup, where recorded sessions will be stored automatically once the operation is audited in
Password Manager Pro, provided there is connectivity between the configured locations and Password
Manager
Pro server. For earlier recorded sessions stored in Password Manager Pro database, export options are
given to move them to the configured external location.
- Purging of Recorded Sessions now available, as a separate operation
Earlier, video recordings of RDP, SSH, Telnet, and SQL sessions could not be purged separately. The
sessions could be purged only as a part of user audit purge. But, purging user audit records just to
remove sessions also removed the operations details such as user account used to launch session, date
and
time, and more. Now, there are alternate options to configure purging of recorded sessions alone and
retain the audit details of the operation.
- Earlier, when the SSL certificate for the server was changed, RDP sessions could not launched
automatically and the user had to manually install the certificate again to initiate a session. Now, the
issue is fixed and new certificates will be automatically verified when RDP sessions are launched.
Bug & Security Fixes
- Server JRE that comes bundled with Password Manager Pro is upgraded from v1.7.0_71 to v1.8.0_102 due
to
security vulnerabilities in the older version. PostgreSQL and Tomcat server have also been upgraded to
the
latest versions 9.5.3 and 8.0.20 respectively.
- Maverick Legacy libraries used for SSH CLI in Password Manager Pro have been upgraded to the latest
versions.
- OpenSSL libraries used in Password Manager Pro have been upgraded from 0.9.8g to 1.0.2j, the latest
version released with vulnerability fixes.
- Reflected and stored XSS vulnerabilities which resulted in unauthorized permission to carry out
critical
operations were found in Landing Server configuration, Rebranding, and Reports features. This has been
fixed now.
- A vulnerability which resulted in unauthorized permission to delete Default Resource Types in Password
Manager Pro has been fixed.
- A CSRF vulnerability, which resulted in unauthorized permission to change the default resource type
set
for any resource, has been fixed.
Password Manager Pro Release 8.5 (8505) (18th October 2016)
Enhancements & Bug Fixes
- Option to trigger a bulk password reset in one click for all the resources that a specific user has
access to, i.e. resources owned by or shared with that user. This allows the administrator to reset all
passwords related to a specific user in case they leave the organization and then transfer those
resources
to another user.
- While evaluating Password Manager Pro with the 30-day trial edition, users can now switch instantly
between the different product editions available (Standard / Premium / Enterprise) and test the desired
edition.
- In Windows account discovery feature, an additional check has been introduced which allows the user to
choose not to import any disabled computer account in the Active Directory during the discovery process.
The user also has an option now to identify existing resources in Password Manager Pro that have been
marked as disabled in AD and delete them.
- Resources and groups can now be imported directly from KeePass (1.x and 2.x) to Password Manager Pro.
- Earlier, when cross-domain authentication is used for Windows discovery tasks, local accounts and
service accounts were not enumerated from the selected domain. This issue is fixed now.
- A new report named "Unshared Passwords" report has been added to the 'Canned Reports' section. The
report lists all the passwords that have not been shared with any user in Password Manager Pro.
Bug & Security Fixes
- Earlier, password integrity checks failed for certain target systems in agent mode as Password Manager
Pro server reported connection failure. This issue has been fixed now.
- Earlier, 'Rebranding' settings could not be edited when Password Manager Pro web-interface is
connected
using Internet Explorer. This issue is fixed now.
- In 'Personal Passwords' section, after a custom category is set as default, users could not add new
accounts or delete existing accounts in that particular category. This issue is fixed now.
- In v8500 and above, new resource addition operations could not be completed successfully if the DNS
Name
/ IP Address field contained the character "_" (Underscore). This issue is fixed now.
- Earlier, Windows account discovery tasks could not be completed if the admin password supplied to
carry
out the operation contained a double quote ("). This issue is fixed now.
Password Manager Pro Release 8.5 (8504) (19th September 2016)
Enhancements & Bug Fixes
- Earlier, upgrade packs could be applied only to Password Manager Pro's primary installation, and high
availability had to reconfigured every time after the upgrade. Henceforth, upgrade packs can be directly
applied to the secondary installation as well, without any need to reconfigure high availability.
- In v8500 and above, when Password Manager Pro server was restarted, personal password management
option
was getting enabled even in cases where it had been disabled by the administrator. This has been fixed.
- Earlier, there were AD sync issues while importing users and resources from different domains.
Resources/users from the wrong domain were imported for a few sync schedules when they were run again
after the first import operation. This issue is fixed.
- Earlier, in the MSP edition, while providing a user group with 'Manage Organization' permission for
different orgs, only 100 organizations could be allotted to that user group. This limit has been removed
now.
- In v8500 and above, while adding a new account under a resource, the add operation could not be
successfully completed if the 'Notes' field contained more than 230 characters. This issue is fixed.
- In v8500 and above, whenever a password is checked in by a user, the audit log for the check in
operation did not properly display the resource name (if the name contained characters like ' a m p
&
' ). This issue is fixed.
- Earlier, for any resource group, if the option 'Reset passwords upon expiry' was enabled, the option
did
not work for the resources within the group for which access control had been configured. This issue is
fixed.
- In v8500 and above, while adding a Linux resource, the add operation could not be completed if
'Private
Key' field was left blank. This issue is fixed.
Bug & Security Fixes
- Earlier, clear/copy to clipboard actions in the GUI were carried out with Flash support. For security
purposes, Flash elements have been removed for these actions and support is now provided through
JavaScript.
Password Manager Pro Release 8.5 (8503) (25th August 2016)
Feature Enhancements & Bug Fixes
- Earlier, when a domain admin account was shared with users for RDP auto logon to related domain member
machines, the users could use that domain account credentials to log in to the domain controller as
well.
Now, while sharing domain admin accounts with users for auto logon purposes, an optional check is given
to
prevent RDP connections to the domain controller resource.
- A new check has been introduced, while adding a Windows resource, to restrict users from using the
local
account of that resource to launch RDP connection, and instead use only the domain account to connect to
the resource.
- Earlier, when the last remaining user in an organization unit (OU) was removed in AD, the same user
did
not get removed from the corresponding user group in Password Manager Pro. This issue is fixed.
- Earlier, in the "Show Passwords" table under "All My Passwords," the selected column sort order did
not
persist for non-admin users once they navigated to other tabs. This issue is fixed.
- In Password Manager Pro Japanese edition, audit log for the operation 'Discovery Task Deletion' was
not
captured properly in the audit records. This issue is fixed.
- Earlier, under Passcard option, when the provided link is opened to access the concerned account, the
password could not be viewed properly if the Resource Name or Account Name shown in the GetPasscard page
contained a "space." This issue is fixed.
- Earlier, for Add Resource operations, account addition step failed if the concerned account's password
field contained specific characters (<>). This issue is fixed.
- Earlier, when users tried to reset Google Authenticator settings from the Password Manager Pro login
page, the option did not work due to case-sensitive issues or if the username contained '\' (Backslash).
This issue is fixed.
- In v8500, users were unable to add new resources under the pre-defined type 'PostgreSQL,' if they had
earlier created and saved 'PostgreSQL' as a custom resource type. This issue is fixed.
- In v8303, while importing OUs from Active Directory, all the resources in the 'Default Group' in
Password Manager Pro were automatically removed if the name of any of the OUs contained a comma (,).
This
issue is fixed.
- Earlier, in the UI screen, Admin-->Add Resource-->Add Accounts, when an account was added,
password of the added account was partially revealed along with the account name in the display box
beneath. This happened if the password contained both double quotes (") and greater-than sign (>), in
that order. This issue is fixed.
- Earlier, under "Scheduled Password Reset," while setting Password to use, the option "Assign the same
password to all user accounts, but change it during every schedule" did not work properly. Instead of a
same password, unique passwords were set for each account. This issue is fixed.
- Earlier, while using RESTful API to add or modify a resource, the users could not use the characters,
'<' and '>' in the account password. This limitation has been removed now.
Password Manager Pro Release 8.5 (8502) (27th July 2016)
Feature Enhancements & Bug Fixes
- Earlier, option to open direct RDP connections to target resources using multiple domain accounts was
available only under the Auto Logon tab. Now, the option is also available under 'Resources' and 'All My
Passwords' tab.
- Customers (except MSP edition users) in v8500 faced issues in saving new changes in 'Export Passwords
-
Offline Access' settings. This has been fixed now.
- Customers in v8500 were not able to save changes in User Settings for any user groups, if their
language
setting is not English. This issue has been fixed now.
- In 'Advanced Search' option, the search results were incorrect if the search text contained '&'.
This issue has been fixed now.
- Earlier, when users tried to reset Google Authenticator settings from the Password Manager Pro login
page, the option did not work if the username contained '_' (Underscore). This issue has been fixed now.
Security Fixes
- Earlier, net use command was used by Password Manager Pro agent (Windows) for password reset and
verify
operations. If 'Audit Process Creation' is enabled under 'Advanced Security Audit Policy Settings' for
the
Windows target machines, the reset and verify operation commands were captured in the Windows event
logs,
including new passwords in clear text. This has been fixed now, by using Windows APIs instead of net use
command for the agent to carry out password reset/verify operations.
Password Manager Pro Release 8.5 (8501) (9th July 2016)
Feature Enhancements
- Service Account Password Reset using Password Manager Pro Agents
Password Manager
Pro agent enhanced to support automatic propagation of password changes across dependent services
associated with a Windows domain account, when the respective account passwords are reset in Password
Manager Pro.
- Group Settings Replication during Organization Addition (MSP Edition)
While
creating
a new client organization, MSP admins can now replicate the user and resource group structures as
present
in the MSP org and other client orgs. Resource group to user group share settings can also be replicated
in the new org.
- Under 'Users' tab, new option to search for users by their 'First/Middle/Last Name' has been added.
Bug & Security Fixes
- Customers using v8500 faced slow performance issues while loading Two-factor authentication settings
in
the application's web interface. Page load time took 30-40 seconds. This has been fixed now.
- Earlier, while creating resources in Password Manager Pro, only HTTP and HTTPS schemes were allowed to
define 'Resource URL'. Now, Amazon S3 URL styles and other schemes are also supported.
- In version 8500, values entered in additional field columns/accounts and values copied to clipboard
were
displayed incorrectly due to encoding issues. This has been fixed now.
- In version 8500, while selecting default domain under User Management in General Settings, an invalid
input error was thrown if the default Domain Name field contained special characters. This has been
fixed
now.
- An XML eXternal entity (XXE) vulnerability identified in XML-RPC API has been fixed.
Password Manager Pro Release 8.5 (8500) (June, 2016)
Security Fixes & Enhancements:
- Password Manager Pro now comes with a comprehensive security filter that helps protect the solution
against a host of vulnerabilities, including cross-site scripting attacks (XSS) and cross-site request
forgery (CSRF). In addition, to prevent any unauthorized actions by genuine users (by manipulating the
parameters in the URLs), authorization check has been enabled for every single action involving a
database
query through URLs (CVE-2016-1161).
- New REST API to add API User.
Password Manager Pro Release 8.4 (8404) (May, 2016)
Security Fix
- Users making use of LDAP authentication were able to access their Password Manager Pro account through
PMP's browser extensions by supplying a blank password. This issue was found only in PMP's browser
extensions and NOT in the web version. However, since the fix involves changes in APIs
in
the web version, this security fix is being provided. Customers of all versions of PMP (till 8403), who
are using browser extensions with LDAP authentication should apply this fix, in addition to upgrading
the
browser extension separately.
Password Manager Pro Release 8.4 (8403) (April, 2016)
New Features
- IIS AppPool Password Reset: Support for automatically resetting the passwords of
associated IIS AppPool accounts when the domain account passwords are reset through Password Manager
Pro.
Optionally, the IIS AppPools can be restarted remotely by Password Manager Pro after the password
change.
- New REST APIs:
- To download certificates, licenses, and other files.
- To add license keys, digital certificates, documents, images and more
- To create multiple accounts that are associated with a specific resource id.
- To delete a specific user in Password Manager Pro.
- Transfer Approver Privileges: Option to transfer the privilege to approve password
access requests from one administrator to another in bulk. When an administrator leaves the organization
or moves to a different department, all the approval privileges of that administrator can now be
transferred to another administrator in a single click.
Enhancements & Bug Fixes
- Provision to customize password expiry report based on expiration date of passwords. With this option,
you can now generate the list of passwords that are about to expire during a specified period of time.
For
instance, you can find passwords that will expire in the next 5 days.
- Privileged accounts can now be marked as favorites from the search result view itself.
- Earlier, custom reports, once saved, could not be duplicated with additional edits. Now, 'Save as new'
option has been added to create duplicate copies of saved custom reports. Also, a direct link to create
custom reports has been added under 'Audit' tab.
- RESTful API to fetch account details has been enhanced to include password expiry status, compliance
status and reason in case of non-compliance, and configured policy for the accounts.
- Privileged accounts can now be marked as favorites from the search result view itself.
Earlier, when password compliance notifications were configured for individual resource groups, in
certain
rare scenarios, some compliant passwords were also notified as non-compliant. This issue has been fixed.
- Earlier, when the option "Allow all admin users to manipulate the entire explorer tree" had been
enabled
in "General Settings", all resource groups, including unshared groups were displayed in the explorer
tree
structure (only the names of the unshared groups were displayed in grey text; the underlying passwords
were not shown). Now, unshared groups can be hidden from view.
- Earlier, users had to manually go to 'Resources' tab and select the resource group name under 'Show
Resources of' option to view the list of resources in each group. Now, resource group names have been
hyperlinked to automatically take the user to 'Resources' tab and display the corresponding resources.
Security Fixes
- Earlier, while viewing old passwords from password history, it was possible to make changes to account
ID in the request URL and retrieve password history of unshared passwords (CVE-2016-1159). This issue
has been fixed now.
- Earlier, URL query string parameters were passed through HTTP GET method for 'Password Change' and
'Password Export' features, which was a concern since GET holds parameters in history. This has been
changed now by using HTTP POST for query strings instead of HTTP GET.
Password Manager Pro Release 8.4 (8402) (March, 2016)
Bug Fixes:
- In PMP builds v8400 and 8401, Active Directory synchronization for resources did not work properly.
This
has been fixed.
- Earlier, search based on account additional fields for criteria-based groups did not work on the 'Add
Resource Group' page. This has been fixed.
- Earlier, searching on numeric fields for criteria-based groups did not work with PostgreSQL as the
backend database. This has been fixed.
- Earlier, audit filter in the recorded sessions tab did not work with MySQL as the backend database.
This
has been fixed.
Password Manager Pro Release 8.4 (8401) (February, 2016)
Bug Fixes:
- In PMP 8400 build, it was not possible to configure single sign on as part of active directory
integration. This has been fixed.
- In PMP 8400 build, while importing users from an OU in AD, automated email notification was sent to
all
the imported users. This has been fixed.
Password Manager Pro Release 8.4 (8400) (February, 2016)Video
demo
New Features:
- Launch Direct Connection With Remote Databases: Provision to launch a direct
connection
to remote databases from PMP web-interface and execute CRUD queries without deploying any database query
tools. In addition, shadow the session in parallel and chat with other admins/ users present in the
session.
- VNC Support for Collaboration: Provision to remotely access and take control of
resources using VNC. By this way, administrators get direct access to the remote machine and could
collaboratively work with other users.
- Launching Administrative Console Session using RDP: Provision to launch an
administrative console session with remote resources using RDP.
Enhancements & Bug Fixes
- Earlier, there were some scrolling issues in the SSH console. This has been fixed with a new
interface.
- Earlier, AD User Sync feature was available only for Enterprise Edition. Now, this feature is
available
in all editions.
- Security Best Practices Enforcement
- Option to disable local authentication when AD/LDAP authentication is enabled.
- Password Manager Pro will enforce password reset in the following scenarios:
1. Change the login password after first login to PMP
2. When username itself is used as the password.
3. After exercising the forgot password option.
- When two-factor authentication is enabled globally, all new users who are imported/synced from
AD/LDAP will have two-factor authentication enabled by default.
- Earlier, password administrators also had the privilege to mark any password policy as the default
policy. Henceforth, only administrators will have the privilege.
Password Manager Pro Release 8.3 (8303) (December, 2015)
Enhancements & Bug Fixes
- Automatic synchronization of Active Directory OU details did not work in the following scenario:
When users / resources belonging to a sub-OU are imported into Password Manager Pro, the synchronization
for the same did not work after a subsequent import operation from any other OU or sub-OU. This has been
fixed. (Affects only those who started with PMP from build 8200 or later. Customers using previous
versions and the ones migrated to latest versions from builds prior to 8200 are NOT affected).
- Provision to use a named instance of MS SQL server as the backend database for PMP. This is supported
in
all scenarios - using MS SQL server as the backend database afresh, and when upgrading from PostgreSQL
or
MySQL to MS SQL.
- Earlier, there were issues in loading audit trails when the page contained a large amount of data.
Performance enhancements through optimizing SQL queries now result in showing the data 10 times faster.
Displaying about 1 million audit records now approximately takes two seconds. In addition, you can now
filter audit trails from primary and secondary servers and view them separately
Password Manager Pro Release 8.3 (8302) (November, 2015)
Enhancements & Bug Fixes
- Option to enforce password policy for personal passwords.
- Option to enforce users to guard their personal passwords with a passphrase, which will be used as the
encryption key for storing the personal passwords.
- Option to map username between PMP and Radius two-factor authentication service. This helps simplify
user management.
- A new report to capture the list of users who are not part of any user group.
Password Manager Pro Release 8.3 (8301) (October, 2015)
Bug Fix:
- In PMP build 8300 (only for the users who upgraded from earlier builds), search and sort did not work
in
some table views in the GUI. This has been fixed.
Password Manager Pro Release 8.3 (8300) (October, 2015)
New Features & Enhancements
- Automatic discovery of service accounts and group creation: When discovering Windows
accounts, PMP automatically fetches the service accounts associated with services present in the domain
members
- Password Manager Pro browser extension could be selectively enabled / disabled for specific users
alone
- Personal passwords can now be imported from CSV
- New REST API to add a resource to a new or an existing resource group while creating the resource
- Support for RSA On-Demand authentication as part of two factor authentication
- Provision to mark organizations as "Favorite Organizations" in Password Manager Pro MSP Edition
Bug Fix:
- Password Administrators can now view the list of users who are part of a user group
- Enhancements to global search and advanced search options. Results get displayed quicker now
- Earlier, there were issues in generating Password Inventory / Custom Password Inventory reports as
.xls
file. This has been fixed now.
- In PMP build 8200 (only for the users who upgraded from earlier builds with PostgreSQL as backend
database), there was an issue in associating password policies at the account level. This has been
fixed.
Password Manager Pro Release 8.2 (Build 8200) (August, 2015)
New Features & Enhancements
- Browser Extensions: Seamlessly auto-logon to websites and applications, launch RDP
and
SSH sessions, access existing passwords, and add new ones - all from PMP's extensions for Chrome and
Firefox browsers, without leaving the browser tab you're in.
- Chat While Monitoring Remote Sessions: While monitoring SSH/Telnet sessions,
administrators can chat with other admins/users who are in the session.The chat transcripts are also
recorded along with the session being recorded.
- Manage Schedules: Option to quickly view and edit all the schedules created in the
product single, centralized page.
- Password Policy: Option to assign password policies at individual accounts level.
Earlier, password policies could only be assigned at resources level.
Bug Fix:
- Earlier, while generating custom reports, there were some issues populating data when the criteria
chosen was "user group". This has been fixed.
Password Manager Pro Release 8.1 (Build 8102) (July, 2015)
Bug Fixes
- In PMP builds 8100 and 8101, there were issues in synchronizing active directory groups in PMP. This
has
been fixed
- In PMP builds 8100 and 8101, there was an issue with domain user password reset when the password
contained special characters. This has been fixed.
Password Manager Pro Release 8.1 (Build 8101) (July, 2015)
Bug Fixes
- A SQL injection vulnerability (CVE-2015-5459) identified in advanced search module of PMP has been
fixed.
- Earlier, exporting passwords as an encrypted HTML file for offline access did not work in
installations
with PostgreSQL as the backend database. This has been fixed.
Password Manager Pro Release 8.1 (Build 8100) (June, 2015)
New Features & Enhancements
- Failover Service with MS SQL Clusters: Option to configure redundant PMP
servers with a common MS SQL cluster, which in turn has multiple PMP database
instances bound to it for fail over. (While the 'High Availability' feature in PMP
requires two separate database instances to be mapped to the Primary and
secondary servers of PMP respectively, the 'Failover Service' functions with
redundant PMP server instances which have access to a common MS SQL cluster).
- Custom Encryption: Option to use custom encryption for data storage. By default,
PMP encrypts all passwords and other sensitive information using AES-256
symmetrical encryption algorithm. You can now plug-in your own implementation for
encryption and decryption.
- Password Explorer Tree Manipulation: PMP now retains the state of children
nodes in the password explorer tree and the last opened nodes will be persisted in
the database. This latest enhancement helps load pages much faster.
Changes & Bug Fixes
- Earlier, password expiry notifications were sent seven days prior to the expiry date.
This has now been made configurable.
- Earlier, there were issues in executing the "Forgot Password" option on the google
authenticator login screen. This has been fixed now.
- Earlier, there were issues in terminating the RDP sessions. This has been fixed.
Password Manager Pro Release 8.0 (Build 8001) (May, 2015)
Bug Fixes
- PMP web GUI did not work properly with Chrome 43. This has been fixed.
- In PMP 64-bit Windows installation, when upgrading to PMP build 8000 from 7600, there were problems in
carrying out remote reset of Windows and Windows Domain passwords. This has been fixed.
Password Manager Pro Release 8.0 (Build 8000) (May, 2015)
New Features & Enhancements
- Introducing Enterprise Edition: Designed for large enterprises, the Enterprise
Edition
combines enterprise-grade scalability, security, performance, and affordability facilitating highly
secure
and easy management of shared sensitive information. It also delivers robust functionality and advanced
integration capabilities required by global enterprises while maintaining ease of use throughout.
- Resource and Account Discovery: Discover flavors of Windows, Linux, VMware and
Network
devices along with the privileged accounts associated with them (Available in Enterprise Edition)
- Performance enhancements in Home and Resource tabs: Improved application performance
resulting in much faster responsiveness
- NERC-CIP Compliance Report: Automated, audit-ready compliance report for access
control
requirements of NERC-CIP
Changes & Bug Fixes
- An XML eXternal entity injection identified in XMLRPC API has been fixed.
- Earlier, when exporting reports (.xlsx) based on resource groups, the file size showed 0 KB. This has
been fixed.
- The underlying technique for remote password reset for IBM AS400 resources has now been changed to
SecureAS400 instead of AS400.
Password Manager Pro Release 7.6 (Build 7600) (March, 2015)
New Features / Enhancements:
- Password Manager Pro can now be installed on both Windows & Linux 64-bit machines. A separate
build
for 64-bit is now available. (High Availability set up requires that both primary and secondary
installations run with same builds).
- Ticketing system configurations can now be selectively enforced/exempted for resource groups. Earlier,
the setting took effect globally for all resources.
- While playing back recorded sessions, you can now skip any part of the recording and progress to any
point through the seek bar feature added to the RDP player.
- Session shadowing is now supported for TELNET sessions too.
Changes / Bug Fixes:
- Earlier, when Password manager Pro was installed in /opt directory in Linux CentOS6, PMP did not start
due to permission issue. This has been fixed.
- Password manager Pro now bundles Server JRE v1.7.0_71
- Earlier, there were erroneous text in role change email notification. This has been fixed.
- Earlier, there were issues in launching automatic connection to target systems when the user specifies
the currently logged in AD account to connect with the remote resource. This has been fixed.
- Earlier, when access control had been enabled, if a super admin tries to move an account from one
resource to another, it overwrites the account password with the account name. This has been fixed.
Password Manager Pro Release 7.5 (Build 7501) (Jan, 2015)
Enhancements & Bug Fixes:
- Out-of-the-box support for ManageEngine SDP MSP ticketing system.
- In PMP build 7500, as part of Active Directory integration (in Windows installations), when
resource/user groups are imported from AD with spaces in group/OU names, the credential given for
importing resources/users from the domain was written as a file name in the bin folder. This has been
fixed.
Password Manager Pro Release 7.5 (Build 7500) (Jan, 2015)
New Features / Enhancements:
- Ticketing System Integration: PMP provides the option to integrate a range of
ticketing
systems to automatically validate service requests related to privileged access. The integration ensures
that users can access authorized privileged passwords only with a valid ticket ID. This integration also
extends to PMP workflow, which helps in granting approvals to access requests against automatic
validation
of corresponding service requests in the ticketing system. PMP readily integrates with ManageEngine
ServiceDesk Plus, ServiceDesk Plus On-Demand and ServiceNow and provides option for integrating any
enterprise ticketing system.
- Backend Database Upgrade: PosgreSQL, the backend database bundled with PMP upgraded
from 9.2.1 to 9.2.4 .
- Option to enforce users to provide reason while retrieving passwords from password history.
- Option to export all certificate files with resource details.
- Option to clear password flags for IBM AIX accounts after successful password reset.
Changes / Bug Fixes:
- Earlier, in certain environments, connection to DropBox failed throwing SSL error when synchronizing
data from PMP for offline access failed. This has been fixed.
- Earlier, while creating criteria group with account additional fields, search inside group being
created
(to test the new group) did not work in PMP with MS SQL and Postgre SQL as backend databases. This has
been fixed now.
- Earlier, when importing users from CSV, same password was being generated for all users. This has been
fixed now.
- PMP MSP Edition: Earlier, Resource group replication did not work for client orgs
when
editing a resource group. This has been fixed.
PMP Build 7105 (Nov, 2014)
Bug Fixes & Enhancements
- A SQL injection vulnerability (CVE-2014-8499) identified in PMP has been fixed.
- A clickjacking vulnerability identified in PMP web application has been fixed.
- Earlier, when email notifications on change in access permissions had been disabled, two factor
authentication could not be assigned in bulk. This has been fixed.
- Earlier, disabling the option to receive email notifications (upon the occurrence of audit events) as
daily digest did not take effect. This has been fixed.
- Provision to view keyboard layout in other supported languages when launching remote RDP sessions from
PMP.
PMP Build 7104 (Oct, 2014)
Bug Fix
- In PMP build 7103, resource group deletion did not work.This has been fixed.
PMP Build 7103 (Sep, 2014)
New Features & Enhancements:
- Session shadowing: Total control on privileged sessions with support for 'session shadowing',
which enables administrators to closely monitor administrative access and terminate suspicious
activities.
- ISO/IEC 27001:2013 compliance report: Automated, audit-ready compliance report for access
control
requirements of ISO/IEC 27001:2013.
- Auto logon using other domain accounts: Provision to launch a direct RDP connection with target
resources using any domain account that is owned by / shared to the user. In addition, users can opt to
use the currently logged in AD account too to connect with the remote resource.
- Support for configuring the port at which the Remote Desktop Service is running on the remote host.
PMP
will launch RDP sessions through the port specified.
- Multi-language support now available for PMP mobile apps (iPhone & iPad) too.
- Provision to check the validity of digital certificates (x.509 certificates) stored in PMP and to
trigger alerts upon expiry.
Bug Fixes
- A filename Denial of Service Vulnerability (CVE-2014-9372) identified in PMP has been fixed.
- Earlier, the HTTPONLY attribute had not been set in some cookies that were used to track a user's
session. This has been fixed now. This ensures that it is not possible for the cookie to be accessed by
scripting languages.
- Earlier, when single sign on had been enabled, PMP agents were not working. This has been fixed.
- Synchronizing offline data with DropBox failed due to some changes at DropBox end. Configurations in
PMP
have been changed to fix that.
PMP Build 7102 (Aug, 2014)
Bug Fixes
- Earlier, the batch or script file ReplicationPack.bat/sh used for replicating PMP database (with MySQL
as back end database) was not working. This has been fixed.
- In PMP 7101, product license expiry alert was being triggered erroneously in certain scenarios. This
has
been fixed.
PMP Build 7101 (Aug, 2014)
New Features / Enhancements
- MSP admins managing the resources of multiple clients can now replicate resource or user group
structure
and certain settings across all managed client organizations.
- Option to enable /disable SSH session gateway, which allows launching remote terminal SSH sessions
from
browser.
- Actions such as sharing resources, transfer ownership and access control configuration can now be
performed from the search result view itself.
Bug Fix
- Earlier, fetch and update of the scheduled task passwords on the target Windows 2008 servers failed in
certain scenarios. This has been fixed.
- Earlier, if the username for logging in to PMP contained non-ascii characters, authentication failed.
This has been fixed.
- Earlier, password reset operation through REST API was getting executed even when access control had
been enabled for a resource. This has been fixed.
- Earlier, in PMP MSP edition, Cisco IOS password reset was not working in client organizations. This
has
been fixed.
Password Manager Pro Release 7.1 (Build 7100) (June, 2014)
New Features / Enhancements
Cloud Environment Password Management:
-
Password Manager Pro now extends password management to cloud environments. Cloud managers can securely
store, share, periodically change and control access to the management console or administration panel
passwords of Microsoft Azure, Google Apps, Amazon Web Services and Rackspace accounts from PMP.
-
This move helps safeguard cloud platforms from attacks on administrative accounts and overcome
information
security concerns besides tracking privileged account activity in the cloud to meet various regulatory
compliance requirements.
-
Four new resource types - Microsoft Azure, Google Apps, Amazon Web Services and Rackspace have been
added
in PMP.
New RESTful APIs:
- PMP already provides a good number of RESTful APIs, which help you to connect, interact and integrate
any application with Password Manager Pro directly. Three new APIs have now been provided to add users,
delete resources and approve/reject password access requests.
Share Resources from Home Tab & Global Search Results
- Option to share resources and accounts directly from 'Home Tab' and in Global Search results, avoiding
the additional navigation to the 'Resources' tab.
Bug Fixes / Changes
-
JVM crash issue fixed: In PMP 7002 & 7003, JVM crash was reported in certain
environments during AD authentication and windows password reset. This has been fixed.
- When using SAML 2.0 for user authentication and single sign-on through federated identity management
solutions, there was an issue when the web server certificate had been configured with a PKCS12
certificate. This has been fixed.
- Earlier, there was an issue in migrating the back-end database from MySQL to PostgreSQL resulting in
migration failure. This has been fixed.
-
The maximum characters count for BaseDN and Search Filter parameters for importing users from LDAP has
been increased to accommodate a larger strings.
PMP Release 7.0 (Build 7003) (June, 2014)
Changes & Bug Fixes
- Fixed a backdoor issue through which SQL Injection was possible in PMP.(CVE-2014-3997, CVE-2014-3996)
PMP Release 7.0 (Build 7002) (Apr, 2014)
New Features & Enhancements
- SAML 2.0 support: User authentication mechanism in Password Manager Pro has now been
strengthened with SAML 2.0 support. Password Manager Pro now integrates with federated identity
management
solutions for single sign-on. Technically, Password Manager Pro acts as the SAML service provider, and
it
integrates with SAML identity providers. The new integration helps leverage the identity provider's
authentication to access Password Manager Pro. Users who have deployed Okta, OneLogin or any other SAML
identity provider can automatically log in to the Password Manager Pro application from the respective
identity provider's GUI without supplying credentials, after configuring PMP with the identity provider.
- Session Shadowing: Session recording capability has been extended to enable real-time
monitoring of sensitive privileged sessions launched by users. Administrators may also terminate
sessions
in real time if any suspicious activity is found, giving admins complete control over privileged
sessions.
- Language Selection: PMP administrator can now select the language for all users in
'General Settings'. Password Manager Pro can be localized in Chinese, Japanese, Spanish, German, French,
Polish.
Changes & Bug Fixes
- Password Manager Pro now bundles JRE v7u51
- For privileged session management, Password Manager Pro acts as the Gateway for launching Windows RDP
and SSH sessions from the user's browser. These sessions are launched within a HTML5 compatible browser
and the connection to the end devices are tunneled through the PMP server that acts as the session
gateway, while also recording the session. In the latest versions of Chrome and Firefox, launching RDP
sessions did not work. The screen closes immediately after launching the session. This has been fixed.
- PMP v7001 was identified to be having directory traversal vulnerability. This has been fixed by
updating
the RDP gateway.
- Earlier, when PMP was installed in other language boxes, audit trails were getting recorded in the
respective language though the PMP web GUI was in English. This has been fixed.
- In v7001, when PMP license key with no multi-language support was installed, PMP stopped recording
audit
trails after a server restart. This has been fixed.
- Possibility for an XSS vulnerability (which can be triggered during authentication), was identified in
PMP v7001. This has been fixed.
- Earlier, when configuring PMP to run in FIPS 140-2 compliant mode, nss libraries were required to be
downloaded. Now, PMP uses nss v3.12.4 and it comes bundled with that.
PMP Release 7.0 (Build 7001) (Mar, 2014)
New Features & Enhancements
- Provision to localize Password Manager Pro (introduced in 7.0) has been enhanced now. PMP can be
localized in Chinese, Japanese, Spanish, German, French, Polish.
- Provision to set any resource type as 'default type', which will remain the default selection in 'Add
Resources' GUI
- PMP supports a good number of resource types for remote password reset. You can filter the types and
choose to display only the required ones in the 'Resource Type' drop-down in 'Add Resources' GUI.
- Provision to create a link to a shared password and enable authorized users to quickly access that
password as a pass card in the GUI
Bug Fixes, Changes
- When using PMP with MS SQL server as the backend database, under "Admin", the option to manage
encryption key was missing. This has been fixed.
- In build 7000, the text field to search custom fields was not getting displayed in resources page.
This
has been fixed.
- When sharing resources of the type 'File Store' with 'Modify permission, changing file was not
working.
This has been fixed.
- Due to a typo in message display, the result for 'Verify Password' was being shown as 'Not in sync',
when it was actually in sync. This has been fixed.
PMP Release 7.0 (Build 7000) (Jan, 2014)
New Features & Enhancements
- MSP Edition: A separate edition to help Managed Service Providers (MSPs) manage
the passwords of each of their clients separately, from a single management console. Passwords can be
securely shared between MSP administrators and their respective customers, making sure that users only
get
access to the passwords they own or ones that are shared with them. The solution offers the flexibility
to
entrust the control of the password vault to the MSP administrator, the end user or both, as desired.
- Data Center Remote Access Management: Provision to launch secure, one-click
SSH/Telnet access to remote devices in data centers with full password management. Typically, data
centers
limit direct access to remote devices via SSH connections due to security reasons and network
segmentation. Instead, data center admins working remotely must first connect to a landing server and
then
"hop" to the target system. Administrators can now configure landing servers and their login credentials
and then associate them with the resources being managed by Password Manager Pro. In turn, admins can
launch a one-click connection with the remote resources without worrying about the intermediate hops.
While the admin experiences a direct connection, Password Manager Pro automatically executes all of the
intermediate hops in the background, establishing a connection with each landing server and finally with
the remote resource.
- PMP Speaks Your Language: Provision to get PMP working in your language. At present
PMP
can be localized in Chinese, Japanese, Spanish, German, French, and Polish languages.
- Bulk Operation Support: Features like session recording, auto logon for web apps and
password reset can now be configured in bulk for many devices at one go.
- LDAP User Groups Synchronization: User groups in LDAP can now be automatically
synchronized at periodic intervals with the user database in PMP.
Changes & Bug Fixes
- When auto logon for web apps had been configured through PMP bookmarklet, certain web sites and
application do not allow auto submission of credentials for automatic login. To handle such cases,
provision has now been made only to auto-fill the details. Submission can be done by the users. This
can
be configured from Resource >> More Actions.
- Email notifications sent from PMP for password retrieval and change events did not contain the
reason
field. This has now been fixed
- Earlier, when PMP web interface is launched in Internet Explorer, the login name of the custom
categories created as part of 'Personal tab' were not getting displayed. This has been fixed.
- In PMP v6902, when access control workflow had been enabled, when a user checks-in a password after
exclusive use, it was not being reset. This has been fixed now.
- When using global search in PMP with PostgreSQL as backend database, extended ASCII characters typed
as search strings were not getting displayed. This has been fixed.
- Earlier, when PMP web interface is launched in Internet Explorer, there were problems in
playing back the RDP sessions recorded by PMP. This has been fixed.
- Earlier, there were issues in generating custom reports with User Audit as the base. This has been
fixed.
- Earlier, the alerts on the status of High Availability (in PMP with MySQL as backend database) were
not being sent. This has been fixed.
PMP Build 6904 (Nov, 2013)
Bug Fixes
- In PMP v6903, when access control workflow had been enabled, when a password user checks-in a password
after his usage, it was not being reset. This has been fixed now.
PMP Build 6903 (Sep, 2013)
New Features / Enhancements
- RADIUS / RADIUS-Compliant Authentication System for Two Factor Authentication: Option
to leverage RADIUS server or any RADIUS Compliant two Factor Authentication system (like Vasco Digipass)
for the second factor authentication.
- RESTful APIs: PMP now provides RESTful APIs, which help you to connect, interact and
integrate any application with Password Manager Pro directly. The APIs also allow you to add resources,
accounts, retrieve passwords, retrieve resource/account details and update passwords programmatically.
Bug Fixes
- At times, PMP login screen prompted users to enter the password again even when the password entered
was
correct. This has been fixed now.
- Earlier, there were issues in alphabetically sorting the entries in Resource tab and Home tab (when
using PMP with PostgreSQL as the backend database). This has been fixed.
- When Access Control Workflow had been enabled, in certain environments, resetting of passwords of
Netscreen devices after the end of the exclusive use period was not working. This has been fixed.
- In PMP v6902, when a user fails to check-in a password at the end of his usage period, PMP resorted
to
automatic check-in of passwords, but the password was not being reset. This has been fixed now.
PMP Build 6902 (July, 2013)
New Features / Enhancements
Google Authenticator for Two Factor Authentication
- PMP now provides the option to leverage Google Authenticator, a software based authentication token
developed by Google as the second factor of authentication. Already, PMP supports PhoneFactor, RSA
SecurID
and a one-time, randomly generated unique password as the second level of authentication for two factor
authentication.
Exporting Resource Groups
- Option to automatically export the resources belonging to specific resource groups by creating
scheduled
tasks. The data gets exported in the form of an encrypted HTML file.
Bug Fixes
- In PMP build 6901, there were problems in starting PMP when installed as secondary server in High
Availability architecture in Linux machines. This has been fixed.
PMP Build 6901 (June, 2013)
New Features / Enhancements
- Support for launching PMP web-interface in Internet Explorer 10
- The implementation procedure for "Custom Listener", which enables providing your own implementation
for
Password Reset Listener, has now been simplified with the enhancements in the GUI. You need not have to
edit the configuration files in PMP manually to enter the details about the implementation class. These
details can now be provided through entries in GUI
- Enhancements to bolster the overall security posture of the product
Bug Fixes
- Earlier, when the administrator had restricted the users from viewing the passwords in plain-text when
auto logon had been configured, in certain specific scenarios, there were issues in retrieving
passwords even when auto logon had not been configured. This has been fixed.
- Restrictions on the usage of weak ciphers in the product
PMP Release 6.9 (Build 6900) (May, 2013)
New Features / Enhancements
- PMP iPhone app is now available for download directly from App Store. Facilitates secure retrieval of privileged
passwords
and approval of access requests on the go. Provides offline access to privileged passwords too.
- "Custom Listener", a new feature that enables you to provide your own implementation for Password
Reset
Listener. With the provision to have your own listener implementation class (instead of just letting PMP
execute the listener script provided by you), Custom Listener offers complete flexibility to execute any
post password reset follow-up action.
- Provision for remote password synchronization of VMware ESXi resources through VMware vCenter API.
Bug Fixes
- Earlier, Active Directory User GUID check wan not included in AD authentication. This is included now.
- Administrators and Password Administrators can now filter and view all the resources that are owned by
them in the 'Resources Tab' by selecting the 'All owned resources' option.
PMP Build 6803 (Mar, 2013)
Bug Fix
- In builds 6800, 6801 and 6802, Password Manager Pro client session launched from Internet Explorer was
getting terminated intermittently. This has been fixed.
PMP Build 6802 (Feb, 2013)
Changes/Bug Fixes
- In builds 6800 and 6801 with PostgreSQL as backend database, the global search did not show results
properly for Password Users. This has been fixed.
- Users who wish to migrate to PostgreSQL as the backend database from MySQL are now required to
download
PostgreSQL-9.2.1-Windows.zip
(For Windows) / PostgreSQL-9.2.1-Linux.zip
(For Linux) and then run the migration script.
PMP Build 6801 (Jan, 2013)
Enhancements/Changes/Bug Fixes
- Support for migrating data from PMP running with PostgreSQL as backend database to MS SQL server.
Migrating data from MySQL to PostgreSQL is also supported.
- Build 6800 did not get installed properly when attempted to install in Linux as root user. This has
been
fixed.
- In build 6800, in some environments, the high availability status was not properly depicted. This has
been fixed.
PMP Build 6800 (Dec, 2012)
Enhancement/Change
- Support for PostgreSQL as backend database. From this version onwards, the product comes bundled with
PostgreSQL 9.2.1.
PMP Build 6701 (Oct, 2012)
Changes / Bug Fixes
- While adding the domain account as a resource, PMP provides the option to select the resource groups
for
service account reset. For every Windows system present in those groups, PMP will find out the services
which use this domain account as service account, and automatically reset the service account password
if
this domain password is changed. In PMP build 6700, when a Windows domain account was added, the
resource
groups selected for service account management were not getting saved. As a result, the service account
reset for the resources that are part of the selected resource groups did not work. This has been fixed
now.
PMP Build 6700 (Oct, 2012)
New Features & Enhancements
Privileged Session Recording
- Privileged sessions launched from Password Manager Pro can now be recorded, archived and played back
to
support forensic audits and let enterprises monitor all actions performed by privileged accounts during
privileged sessions. Password Manager Pro enables recording of Windows RDP, SSH and Telnet sessions
launched from the product.
Auto Logon for Web Apps
- Option for enhanced auto logon to web applications by installing PMP bookmarklet on the browser
bookmarks bar. PMP can be setup to auto-fill the login page of web applications with appropriate
username/password information, to allow users to login to those apps with just a few clicks, instead of
manually entering the information.
Manipulating Explorer Tree
- Provision to allow admin users to manipulate the entire explorer tree structure in any manner as they
wish. Once this is option enabled, PMP creates an organization wide, global explorer tree structure
containing the names of resource groups under a root node. Any administrator in PMP would be able to
create/edit the explorer tree structure of resource groups. The tree structure will be accessible to all
admins, password admins and end users. Admins and password admins can add their resource groups anywhere
into the global tree and the whole structure will be available for view to all the end users. If this
option is disabled, users can modify only their portion of the tree.
Password Access Control Report
- New report providing complete details about the password access control workflow scenario of your
organization. List of resources for which access control has been enabled, resources for which access
control is deactivated, resources for which the requests are automatically approved, list of password
release requests approved/denied etc are depicted.
Changes / Bug Fixes
- Earlier, when resources were imported from active directory, certain values like display name,
description and location were not properly populated in PMP. This has been fixed.
- Earlier, there were issues in adding additional fields (to enter password values) for resource types
such as license store, file store and key store. This has been fixed.
- Earlier, there were issues in editing the files that were added through custom fields. This has been
fixed.
PMP Build 6600 (July, 2012)
New Features & Enhancements
New Resource Types Support for Remote Password Synchronization
- Sun Oracle XSCF
- Sun Oracle ALOM
- Sun Oracle ILOM
- IBM AS400
Super-Administrator as 'Break Glass Account'
Provision to keep the super-administrator role as a break-glass account for emergency access to
passwords.
Hitherto, any administrator could change the role of another administrator (not himself) as
super-administrator. PMP now provides the option to prevent administrators from creating
super-administrators. Super-administrator role can be used as break glass account as explained below:
- Create a new administrator account in PMP and designate the new account as the Super-Administrator
- The new super-administrator will login and enforce the option of denying other administrators from
creating super-administrators
- The login credentials of this super-administrator will be sealed and kept in a safe to be opened
only
for emergency access
PMP Agents
- When PMP agent is deployed in target resources for remote password reset, the resource and all its
accounts will be automatically added to PMP
Provision to configure synchronization for deletion of accounts in PMP when the corresponding account is
deleted in the remote resource
Password History
- Password History now records the passwords of 'Failed' reset attempts too. This would be helpful in
tracing the passwords in rare instances when the password gets reset in the resource, but not changed in
PMP due to network issues.
New Browsers Support
- Support for launching PMP web-interface in Safari and Chrome
Reports
- Password Activity report now captures the list of resources for which automatic approval of access
requests has been configured
Bug Fixes & Changes
- PMP GUI has been given a facelift
- Resources imported from Active Directory now contain DisplayName, Description, Location and other
details
- Provision to notify users when a resource/resource group is shared or share permission is changed
- Earlier, when a file based additional field is created, Service Accounts could not be edited/saved
with
the Resource Groups for scanning. This has been fixed.
PMP Build 6504 & 6505 (June, 2012)
Bug Fix
- In PMP 6.5, when Active Directory authentication is used and when a domain account stored in PMP is
used
to automatically sync user information from AD, users were allowed to login regardless of the password
being correct. This has been fixed.
PMP Build 6503 (March, 2012)
New Features/Bug Fixes/Changes
- Encryption Key Rotation: Provision to change the master encryption key either
periodically as a best practice or at suspicion of key compromise. Fully automated steps to regenerate
new
key, decrypt all data with old key, encrypt them with new key and securely storing the new key.
- User Preferences Setting: PMP users can now set individual preferences for what view
should be loaded by default in the 'Home', 'Resources', 'Audit' and 'Reports' tabs in the web user
interface.
PMP Release 6.5 (March, 2012)
New Features & Enhancements
No-Frills Auto Logon for Launching Windows RDP and SSH Remote Terminal Sessions
- Leveraging the power of HTML 5, PMP 6.5 brings the first-in-class auto logon mechanisms for launching
Windows RDP, SSH and Telnet sessions. While current solutions require inconvenient and insecure methods
like end-point agents, helper programs at user desktop and browser plug-ins, the only requirement for
PMP's cutting-edge solution is a HTML 5 compatible web browser. Users can launch highly secure and
completely emulated Windows RDP, SSH and Telnet sessions from within the browser with a single click,
not
requiring any access to passwords
- Being HTML 5 compatible, users can launch Windows RDP and SSH sessions also
from
browsers in their tablet devices like iPad
- Provision for authenticating both with the local accounts as well as domain
accounts for the launched Windows RDP sessions
- A new sub-tab named 'Auto Logon' has been introduced in Home Tab for easily
locating the remote accounts and quickly launch one-click sessions
Secure, Offline Access to Passwords with Auto Sync
- Support for secure, offline access to passwords. Users will get an option to export the passwords in
the
form of an encrypted (AES-256 encryption) HTML file, which can be opened in browsers for offline access
- Provision to automatically synchronize the exported HTML file to users' mobile devices through
Dropbox.
From a single action in PMP user interface, the offline file lands in the users' Dropbox app in their
smart phones or tablet devices
- Admins can configure PMP to automatically delete the exported files to users' Dropbox accounts after a
set time period
- Admins can configure all passwords that were exported to be automatically reset in the remote systems
after a set time period
New Resource Types for Remote Password Synchronization
- Support for remote password reset and verification of VMWare ESXi and HP iLO
resources
Custom Fields
- Provision for creating additional fields to store file type input. Upto 4
files
of any type can be attached to every resource and every account within a resource
Bug Fixes & Changes
- The option to restrict the users from exporting passwords in plain-text has
been moved from 'General Settings' to "Admin >> Customize >> Export Passwords - Offline
Access" GUI. The option is also available in 'User' and 'User Group' tabs
- Earlier, there were issues in displaying custom fields when creating/editing
resources. This has been fixed.
- In the GUI to create copies of resources/accounts and in the GUI to move
accounts from one resource to another, the names of resources and accounts will henceforth be shown
in
alphabetical order
- Earlier, in some specific scenarios (where authentication was required) there
were issues in sending emails from PMP. This has been fixed.
- Earlier, in the case of auto logon helper (browser plug-in deployment model) there was an
issue
in launching direct connection to target systems. This has been fixed.
- Earlier, there were issues in launching PMP web-interface in Firefox 11. This has been
fixed.
PMP Release 6.4 - Build 6404
New Features / Bug Fixes / Changes
- Automatic Approval in Access Control Workflow
Provision for automatic approval of password access requests. Users need not have to wait for approval
by
authorized administrators while going through the access control process.
- RADIUS Server Authentication
RADIUS server can now be integrated with PMP for leveraging RADIUS authentication.
- List of Super Administrators
List of all super administrators will be displayed in the information bar to all administrators,
password
administrators and auditors
PMP Release 6.4 - Build 6403
Bug Fixes / Changes
- Invoking auto logon helper in turn downloads a browser addon file. The SSL certificate that ensures
trustworthiness of the addon has now been renewed.
- Earlier, user group activity report was not displayed properly on the dash board. This has been fixed.
PMP Build - 6402
New Features / Enhancements
- Dual encryption of passwords and files for extra security. Sensitive data are now encrypted once in
the
application (AES 256-bit) and once in database
- PMP can now be set-up to run in FIPS 140-2 compliant mode where all encryption in PMP is done through
FIPS 140-2 certified systems and libraries
- Provision to prevent the execution of malicious code/script in the application to combat cross-site
scripting
- Password Activity Report enhanced with details on the list of resources for which access control
workflow has been activated/deactivated and also the resources for which access control workflow has not
been configured
- New report depicting the resources / passwords that are not part of any resource group
- Provision to check integrity of passwords of a resource group with support for integrity verification
on-demand & scheduled
Bug Fixes / Changes
- Earlier, two options were provided for managing encryption key in PMP - you were allowed to either
leave
it to be managed by PMP or move it to a secure location / external drive and manage it yourself. Now,
the
option of leaving it to be managed by PMP has been removed. PMP does not allow the encryption key to be
stored within its installation folder. This is done to ensure that the encryption key and the encrypted
data, in both live and backed-up database, do not reside together. It is strongly recommend that you
move
and store this encryption key outside of the machine in which PMP is installed - in another machine or
an
external drive.
- Earlier, when exporting the personal passwords, the custom fields were not shown in plain-text. This
issue has been fixed.
- Earlier, through 'Admin >> Server Settings', when the PMP server port alone was changed, it
threw
an error. This has been fixed
- UTF-8 encoding support in MS SQL server
PMP Build - 6401
New Features / Enhancements
MS SQL Server as Backend Database
- Support for MS SQL server as the backend database in PMP.
High Availability Support with MS SQL Server
- Uninterrupted access to passwords by deploying redundant PMP servers and MS SQL database instances
AES 256 Encryption
- Support for AES 256 encryption for sensitive data when using MS SQL server as backened
Remote Password Reset of LDAP Servers
- Remote password reset support for LDAP servers belonging to the types Microsoft Active Directory,
OpenLDAP, Oracle Internet Directory and Novell eDirectory
Password Reset Schedules
- Option for assigning the same password to all the accounts of a group of resources and changing the
password automatically during every schedule
PMP Agents
- Prior to 6400, some of the communication between PMP server and agents was initiated by the
server,
which required the agents to keep a TCP port open. To eliminate this risk and the need to manipulate
firewall rules to allow traffic to a non-standard port on the agent side, the communication model is
changed where the agents always initiate communication with the server. The agents periodically check
for
tasks by opening a secure connection with the server and no longer need to have a port open in the
system
they are installed.
LDAP - PMP User Database Synchronization
- Whenever new users get added to the LDAP, provision to create synchronization schedules and
automatically add the users to PMP and keep the user database in sync.
Active Directory
- Support for using the same user credential to import information from multiple domains, based on the
privileges and trust setup in AD.
Copy Resources
- Provision to create copies of one or more resources to facilitate easy addition of identical resources
Copy/Move Accounts
- Provision to copy a single account or multiple accounts of a resource and adding the under one or more
resources
- Provision to move an account or multiple accounts of a resource to a different resource or resources
Configuring Server Settings, SSL Certificates through GUI
- Support for changing the PMP server port and SSL certificates from PMP GUI. This eliminates the need
for
manually editing the configuration files
Custom SSH/Telnet ports
- Support for using any custom port for SSH and Telnet for connecting to remote resources
Instant Backup
- Support for taking one-time backup of PMP database anytime
Performance Enhancements
- The client responsiveness in 'Home' tab and 'Resources' tab have been optimized
Changes / Bug Fixes
- Earlier, there was an option to send notifications to users after importing them from Active
Directory.
This option has now been removed.
- Earlier, in LDAP user import, the OU and other details entered were not persisted. Now, the details
are
saved and displayed
- Earlier, while creating scheduled tasks for custom reports, the option to send the report to the users
specified under 'other users' did not take effect. This has been fixed.
- Earlier, the password reset of Ubuntu resources did not work when 'sudo' had been used. This is fixed
- In Internet Explorer, there was an issue in auditing the reason entered by the users for retrieving a
password using auto logon helper. This has been fixed
- Earlier, there were issues in editing the properties of resource groups. This has been fixed.
- The issue in generating AD user schedules report as a PDF has been fixed
- The issue related to exporting personal passwords as XLS has been fixed
- In PMP build 6400, the share permissions to the user groups imported from Active Directory did not
take
effect. This has been fixed.
- In certain scenarios, generating the 'User Access Report' as a PDF did not work. This has been fixed
- Earlier, when password access control had been enabled, in certain scenarios, when a user made a
request
to access a password, there were issues in sending email notifications for approval to the
administrators.
This has been fixed.
- Earlier, in High Availability set up with MySQL, when the slave database was restarted, PMP raised an
alert stating High Availability was not alive. Now, in scenarios like this, PMP will double-check the
status before raising the alert
- In personal password management, the issue related to deleting the personal categories has been fixed
PMP Release 6.3
Enhancements
- High Availability configuration simplified by adopting automation through scripts
Changes & Bug Fixes
- Vulnerability related to the printing of sensitive data in mysql binlogs has been fixed by bundling
MySQL 5.1.50
- Earlier, there were problems in displaying the Active Directory synchronization schedule in GUI. This
has been fixed
- Earlier, in certain cases, the 'Edit User' provision for the users imported from LDAP did not work.
This
has been fixed
- Earlier, when SMTP settings were modified, the details were saved, but GUI did not reflect the
changes.
This has been fixed
- Earlier, when setting High Availability and Live Backup, DNS lookup for secondary server / slave
database threw error in certain environments. This has been fixed.
- Earlier, when multiple administrators were selected to approve password access requests in Access
Control Workflow, there were issues in sending email notifications for approvals. This has been
fixed.
- Earlier, there were some issues when authentication was required for configuring SMTP mail server
settings. This has been fixed.
- Previously, password integrity check for Windows local accounts (which were not present in
administrator
group) did not work. This has been fixed.
- Earlier, when synchronization schedule had been created for resource import from active directory,
newly
added user accounts were not imported. This has been fixed.
- Earlier, audit trails pertaining to failed password reset events for certain resources were not
recorded. This has been fixed now.
New Features / Enhancements
PhoneFactor Authentication
- ManageEngine has partnered with PhoneFactor, the leading provider of phone-based two-factor
authentication for two-factor security for Password Manager Pro. Already, PMP supports RSA SecurID
authentication and generating a one-time, randomly generated unique password as the second level of
authentication for two factor authentication.
Smart Card Authentication
- If you have a smart card authentication system in your environment (such as US DoD Common Access Card
(CAC)), you can configure Password Manager Pro to authenticate users with their smart cards, bypassing
other first factor authentication methods like AD, LDAP or Local Authentication.
Custom Reports
- Support for creating customized reports out of the canned reports and audit reports. You can specify
custom criteria and create customized reports as per your needs
High Availability
- Functional enhancements to High Availability architecture making it more stable and robust
Changes & Bug Fixes
- Hitherto, when synchronization schedule had been enabled for importing users from Active Directory,
changes in email addresses in Active Directory did not get updated in PMP. This has been fixed now
- Earlier, as part of automated password integrity check, PMP made three attempts to verify the
passwords
on target systems. This led to lockout scenarios due to the IT policy related to failed login attempts.
This has been changed now and PMP attempts to check password integrity only once
- Option to import resources from Active Directory with fully qualified domain name (fqdn) as the DNS
name
of the resource
- Verify password feature did not work for SYS accounts in Oracle 10g. This has been fixed
- Support to populate old password, when attempting to change the password of HP UX resources
- Option to specify the time period in minutes up to five digits while granting exclusive access to
passwords (when enabling access control workflow)
- Earlier, in 'All Passwords' UI, at times, password field was displayed as undefined. This issue has
been
fixed
- Earlier, when entering a reason for password retrieval had been made mandatory, in some cases, copy to
clipboard did not prompt reason column. This has been fixed
PMP Release 6.2 - Build 6201
New Features / Enhancements
SIEM Integration
- Provision for generating SNMP traps and Syslog messages upon the occurrence of any activity/event - be
it password access or modification or any other activity performed in the PMP application. The
traps/syslog messages can be sent to the SIEM tools, which can thoroughly analyze these events,
correlate
them with other network events and provide informative, holistic insights on the overall network
activity.
Two Flavours of APIs for A-to-A Password Management
- Completely revamped provisions for Application-to-Application Password Management, which help
eliminate
hard-coded passwords in enterprise environments. PMP provides two flavors of the API - a comprehensive
application API based on XML-RPC over HTTPS and a command line interface for scripts over secure shell
(SSH), using which any enterprise application or command line script can programatically query PMP and
retrieve passwords to connect with other applications or databases.
Local Service Account Password Rese
- Provision to find and reset all the local account passwords used for services and scheduled tasks in
Windows resources
Enhancements in Bulk Password Reset
- Provision for bulk password reset by selecting multiple resources / resource groups
- Provision for bulk update of passwords in PMP database alone without updating on the actual resources
Reports
- Enhanced dashboard reports providing details on currently logged in users
- Provision to export all reports in '.xls' format
High Availability
- Enhancements in High Availability setup with provision for alerts on failure events
Bug Fixes / Changes
- Earlier, after carrying out a search operation, if one accessed the 'Enterprise Passwords' tab, while
an
empty page was shown in Firefox, a warning page came up in Internet Explorer. This issue has been fixed
now
- Earlier, in Password Request-Release workflow, when the time limit for administrator approval was set
as
'0' indicating indefinite time period, the approval time period ended after some time. This has been
fixed
now
- Earlier, in certain cases, Windows remote password reset and password integrity verification failed.
It
has now been fixed
- Earlier, while implementing concurrency control in Password Request-Release workflow, the maximum time
period up to which the password was to be available exclusively for a particular user was specified in
hours. This has been changed to minutes to enable granting of exclusive privilege less than one hour
- Earlier, the view length of entries (passwords/resources) in PMP web-interface was not user-specific.
It
has been made user-specific now.
- Entries in password explorer tree in the 'Home Tab' are now sorted alphabetically
- Provision to control 'Manage Share' permissions for criteria-based resource groups
- Earlier, Single SignOn worked only with NTLM-v1. Now, it works with NTLM-v2 through integration with a
third party Java software library which provides advanced integration between Microsoft Active Directory
and Java applications.
- Earlier, MD5 algorithm was used for hasing the PMP user passwords for local authentication. Now, SHA
512
is being used.
- Earlier, when Single Sign-On was enabled, audit entries related to user login to PMP were not
recorded.
This issue has been fixed now
- Earlier, in certain cases, scheduled tasks were not being executed. This issue has been fixed now
- Earlier, help documentation for Application-to-Application Password Management through XML-RPC API
dealt
only with using XML-RPC in Java. Now, the procedure for using it in other programming languages added.
PMP Release 6.1 - Build 6104
New Features / Enhancements
Nested Resource Groups
- Option to arrange and maintain resource groups in hierarchical structure (groups, sub-groups) for
navigational convenience
Password Explorer
- 'Home' tab re-arranged in an intuitive way to provide easy access to the passwords owned and/or
shared.
The explorer contains the following components:
- All My Passwords
- My Recent Passwords
- My Favourite Passwords
- Nested Resource Group Tree
Remote Password Synchronization for Juniper Netscreen Devices
- Support for changing the privileged passwords of remote Juniper Netscreen devices from PMP GUI
Templates for Customizing Email Notification Content
- By default, PMP has a specific content for the email notification for various password actions. If you
want, you can customize the content and have your own content.
Export Passwords of Resource Groups
- Option to export the passwords of specific resource groups alone
Bug Fixes & Changes
- MySQL version upgraded from 5.0.36 to 5.079
- Earlier, when there were large number of passwords, loading of the dashboard took some time. This has
now been optimized
- Earlier, there were issues in carrying out password synchronization / verification using a single
account in Linux. This has been fixed.
- Earlier, when Active Directory authentication was enabled, there were problems in logging in to PMP
using the local authentication when a AD user was deleted. This has been fixed.
- Earlier, when a resource group name contained a single quote, the hierarchical arrangement of resource
groups were not properly shown. This has been fixed now.
- Earlier, when the 'Personal Password' option was disabled for a Password User, the Password Explorer
view became hidden. This has been fixed now.
- So far, no cipher was explicitly mentioned for encrypting the connection between the two MySQL
database
instances, used in high availability and live backup scenarios. Now this connection is also AES
encrypted
by choosing the DHE-RSA-AES256-SHA cipher for the SSL channel.
- The JDBC connection between the JRE (Java(TM) Runtime Environment) and the MySQL database is now
encrypted by default, to eliminate the need to set it up separately.
- All user input submitted in the user interface are centrally validated to check for and discard
harmful
inputs that could cause scripting attacks like cross-site scripting (XSS) irrespective of case of the
scripting content.
PMP 6002 - Bug Fixes & Changes
- All user input submitted in the user interface are centrally validated to check for and discard
harmful
inputs that could cause scripting attacks like cross-site scripting (XSS) or SQL injection.
- When password policies contained a special character in the policy name, there were issues getting the
policy work after editing it. This has been fixed now
- Earlier, the 'verify password' operation failed for Linux and HP-UX target systems in certain
environments. This has been fixed
- Earlier, the custom fields for accounts did not support special characters in name. This has been
fixed
- Earlier, administrators were permitted to allow exclusive password access to a user for a maximum of
99
hours. Now, it has been modified to enter three-digit figures (in hours)
- In PMP 6001, while carrying out high availability setup, there were issues in creating the replication
pack. This has been fixed
- Earlier, in PMP high availability set up, the /mysql/data folder was growing in size. This has been
fixed
PMP Release 6
New Features / Enhancements
Password Access Control Workflow
- Support for password request-release workflow to enforce enhanced access control in the product. The
user, who requires a password, will have to 'request the release' and one or more administrators will
authorize the request. Password will be made available for the exclusive use of the user for a
stipulated
period of time. It will be automatically reset thereafter and the user will thereby forfeit the access.
Two-Factor Authentication
- Option to enforce users to identify themselves with two unique factors through two successive stages
before they are granted access to PMP web-interface. While the existing authentication mechanism of PMP
(native authentication / AD / LDAP) will be the first authentication factor, the second authentication
factor could be either a unique password generated by PMP and sent through email or RSA SecurID one-time
token, which changes every sixty seconds. For RSA part, PMP has entered into a technology partnership
with
RSA, The Security Division of EMC (NYSE: EMC).
Firefox 3 Plug-in
- PMP plug-in for Firefox 3 to enable copying of passwords to the clipboard and to invoke various
operating system commands for automatically logging-in to target systems.
Flash 10 Support
- Support for copying of password to the clipboard when Flash 10 is used in conjunction with Firefox
Remote Password Reset
- Option to enter administrator credentials for resources / resource groups in bulk to configure
password
reset for target resources with ease
Password Policy
- Support to specify a password policy for many resources / resource groups at one go
PMP Login GUI
- If you have users from various domains, the PMP login screen will list-down all the domains in the
drop-down. For ease of use, you may specify the domain used by the largest number of users or the
frequently used domain in "General Settings". Once you do so, that domain will be shown selected by
default in the PMP login GUI
New OS Support
- Support for installing PMP in Windows Server 2008
Changes/Bug Fixes
Importing Resources
- Earlier, when importing resources, if the list of resources imported by you contains any of the
already
existing resources, they were ignored and not added to PMP. Now, option is provided to override this
rule.
Resource Type
- PMP supports managing the website login credentials. For ease of use, a new default resource type
named
'Website Account' has now been added
Active Directory Integration
- When users are imported from domain, by default, email notification is sent to all the imported users.
Now, an option has been provided to disable the Email notification.
- Earlier, if the password of the users imported from Active Directory contained special characters such
as &, %, authentication failed. This has been fixed.
Reports
- PMP carries out periodic checks to ascertain if the passwords stored in the system and the ones in the
actual resource are in sync with each other. The results are presented as 'Password Integrity Report'.
Earlier, the integrity check was being done at 1 AM everyday. Now, an option has been provided to
configure the integrity check timing.
Single SignOn
- Earlier, in IE 7, when Single SignOn was enabled and if PMP login failed, it was not possible to login
to PMP with any other user name. This issue has been fixed now.
Usage of Single Quote in Email Address
- Single quotes are now allowed in the email addresses in PMP
PMP Release 5.4
New Features / Enhancements
Remote password synchronization for Oracle DB Server and Sybase ASE
- Support for changing the privileged passwords of remote Oracle DB servers and Sybase ASE from PMP GUI
- Periodic password synchronization check with remote resources now supported for Oracle DB servers and
Sybase ASE
On demand check for Password Integrity
- Option to carry out 'on demand' verification to ascertain if the passwords stored in PMP are in sync
with the actual passwords of remote resources
New Resource Creation in A-to-A Password Management
- PMP now supports resource creation also as part of Application-to-Application Management. New
resources
can now be created using the Password Management APIs
Support for non-English characters
- PMP now allows non-English characters in the data stored in the database. The user interface too
allows
non-English characters.
Use of 'sudo' for Privilege escalation
- PMP now allows the use of 'sudo' for privilege escalation in Linux/UNIX systems while doing password
resets. This option is useful for systems where the 'root' login is disabled.
Agent-based password reset
- Remote password reset by deploying PMP agents in remote resources, is now supported for 'Windows
Domain'
resources
Audit Views
- The reason, as entered by the users for various password management activities, are now shown in a
separate column in all audit views
Changes & Bug Fixes
- While importing users from AD, added provision for capturing AD tree structure in PMP with proper
representation of OUs
- When Single Sign On was enabled, users connecting to PMP secondary server when Primary was running
fine,
were not redirected to the Primary. This issue has been fixed
- Earlier, when PMP primary server was powered off and reconnected again, it took a long time to do data
synchronization between primary and secondary. This has now been fixed
- Issue related scheduling report generation has been fixed
- Earlier, users with the role 'Password Administrator' were not able to schedule password resets and
password action notifications. This is now fixed.
- When password reset listener was invoked, PMP did not pass the old password of the respective resource
as one of the arguments as expected. This has now been fixed.
PMP Release 5.3
New Features / Enhancements
- Out-of-the-box PCI DSS Compliance Reports
- Option to force users to provide a reason to access passwords
- Provision to display a common message in PMP GUI to all PMP users in the GUI
- Option to hide passwords for password users and auditors when auto logon is enabled
- Support for configuring the database backup destination directory
Changes/Bug Fixes
- Domain Controller connectivity check is now done based on network connectivity
- All items in the drop-down lists in PMP have now been sorted alphabetically
- Issue related allowing users to choose their own encryption key for managing personal passwords, has
been fixed
PMP Release 5.2
New Features / Enhancements
Remote password synchronization for MySQL servers and HP ProCurve devices
- Support for changing the privileged passwords of remote MySQL servers and HP ProCurve devices from PMP
GUI
- Periodic password synchronization check with remote resources now supported for MySQL servers and HP
ProCurve devices
PMP in two editions
- PMP is now available in two editions - Standard and Premium. For more details, click here.
Reports in .xls format
- Support for generating all reports in .xls format
Changes / Bug Fixes
- If the PMP service is run with domain administrator privilege, passwords of all the local accounts in
the computer (present in the domain) can be changed without the need for supplying the old password.
- While providing authentication details in Mail Server Settings, it is now possible to select an user
account already present in PMP.
- Option to restrict users from providing their own encryption key for managing personal passwords (as
part of general settings)
PMP Release 5.1
New Features / Enhancements
Remote password synchronization for Cisco devices, MS SQL servers
- Support for changing the privileged passwords of remote Cisco devices and MS SQL servers from PMP GUI
- Periodic password synchronization check with remote resources now supported for Cisco devices and MS
SQL
server
Helper for automatic login to target systems
- Support for automatically launching remote systems, devices and applications from PMP GUI eliminating
the need for copy, paste of passwords
SSL connection with external identity stores
- Support for establishing connection with external identity stores and authentication systems (AD/LDAP)
over encrypted channel
Windows Scheduled Task Password Reset
- Support for resetting the passwords of Windows scheduled tasks along with Windows service account
password reset
- Windows service account and scheduled task password reset for multiple domains
Alerts for audit events
- Provision for sending notifications on the occurrence of any audit event
- Option for customizing the audit trails view
- Option to export audit records as PDF, CSV
Activity, integrity and compliance Reports
- Informative reports on passwords, sharing details, password usage, policy compliance, expiry details,
user activity, user access details etc
- Automatically examining remote resources for password integrity everyday and providing out of sync
reports
- Option for scheduling report generation and sending reports by email
- Option to periodically purge audit trails
Performance Improvements
- Performance tuning for improvement in client responsiveness
Changes & Bug Fixes
- Option to configure the timeout for display of passwords in plain text
- Notes field changed to accommodate more text
- Audit trails now capture traces on resource group addition, resource import from AD, password reset
reason entered by users, result of scheduled synchronization of data with AD and password policy change
details
- All default and custom fields included in the table column chooser
- Option to search by 'Domain Name' in advanced search
- Option to search the details entered in 'Notes' field
- Periodic synchronization of data in PMP with AD now includes user and resource group changes and
deletion
- Issue with regard to editing criteria-based resource groups fixed
- Issue related to providing manage share of resource group to a user group fixed
- Issue related to copying passwords having certain special characters to clipboard has been fixed
- Option to copy personal password account name to clipboard
- Option to automatically clear clipboard data periodically
- Earlier, Password Management API did not work if the resource names contained white spaces. This issue
has been fixed
PMP Release 5.0
New Features / Enhancements
High Availability Support
Uninterrupted access to passwords by deploying redundant PMP server and database instances
A-to-A, A-to-DB Password Management
Support for Application-to-Application/Database password retrieval and management by deploying 'Password
Management APIs'
Windows Service Account Reset
Support for automatically resetting the passwords of associated windows service accounts when the domain
account passwords are reset through PMP. Optionally the windows services could be restarted remotely to
force the password change immediately
Password Reset Listener
Support for invoking a custom script or executable as a follow-up action to Password Reset action in PMP
Super Admin Support
Any administrator could be made as a 'Super Administrator' with privilege to view and manage all
resources
in PMP
Encryption Key Management
Provision for securely storing the unique encryption key (generated during PMP installation) somewhere
outside PMP and instructing PMP to read it accordingly
Importing Users/Resources from Active Directory
- Provision for importing user accounts associated with the computers imported as resources from AD
domain
- Provision to import specific users, groups and OUs from AD
Resource Type Customization
In addition to adding custom fields it is now also possible to remove built-in fields for the various
resource types
Notification for Passwords Out of Sync
When the passwords present in PMP differ with those in the actual resource, notifications (informing the
out of sync) could be sent to desired recipients
Dashboard Reports
- The 'Home' page in PMP GUI depicts key aspects on passwords and users as dashboard reports
- Other Reports: Detailed and snapshot reports for resources and users
Changes & Bug Fixes
- Importing resources/ users from CSV has been simplified with the removal of format restrictions.
Entries
in your CSV file could be mapped to specific fields in PMP from GUI
- Earlier, to do remote password synchronization for Linux resource type, two accounts (one root account
& another remote login account) were mandatory. Now, this has been made optional through a
configuration in General Settings. Remote reset could be done with only one account
- The PMP client responsiveness for certain queries was slow. Performance tuning has now been done
- Clipboard utility for copying passwords in Firefox browser in Linux OS did not work. This has now been
fixed
- The animation effect during the display of user accounts has been done away with
- Listing of user names at various places in PMP has been standardized with the display of <First
Name> <Last Name> in order
- Display of various listings in PMP has been standardized with alphabetical sorting
- Earlier, there were issues in capturing user audit when working with AD and Single SignOn enabled.
This
has now been fixed
- The attribute 'DN' has been made configurable while integrating LDAP servers of type other than
Microsoft Active Directory, Novell eDirectory and OpenLDAP
- Earlier, creating criteria-based resource groups based on 'account name' did not work. This has been
fixed
- The issue in applying filters to search results spanning over more than one page in 'Home' tab, has
been
fixed
PMP Release 4.8 (Build 4803)
New Features / Enhancements
- Support for securely storing different file types such as a license key, digital certificate,
document,
image etc. in PMP database
- Notifications on password policy violations
- Alert/Warning via email seven days ahead of password expiry
- Provision to import user groups from AD and keep PMP user database automatically in sync with Active
Directory
- Provision to configure multiple domain controllers for redundancy in AD integration (user import and
authentication)
- Provision to import computers and computer groups from AD and keep the PMP resource database
automatically in sync with AD
- Support for importing users from Novell eDirectory interfaced through LDAP
- Delegating management of resources to other admins has been extended for criteria-based resource
groups
- Resource-based quick view of passwords in 'Home' tab
Bug Fixes
- Hitherto, 'search' in PMP was case-sensitive. It has now been made case-insensitive
- While logging into the PMP application, the users imported from Active Directory had to use the exact
case of the account name as present in the AD. This has now been made -insensitive
- PMP agent, when installed in a folder not having enough privileges, threw errors. This has been
fixed now.
- Issue related to LDAP authentication in OpenLDAP has been fixed
Changes
- The fields "Maximum Password Age" and "Reuse of old passwords" Password Policy Creation have been made
optional
PMP Release 4.7 - Build 4701
Bug Fix
- When logged in as AD user, agent download was not happening. This issue has been fixed.
PMP Release 4.7 (Build 4700)
New Features / Enhancements
- Real-time notifications for password events like password retrieval, modification, expiry and change
in
access permissions
- Automated remote password changing based on configured schedules and events like password expiry
- Provision for setting password expiry dates and generating alerts and reports on password expiry
- Provision for delegating management of resources to other admins (sharing management of resources)
- Policy to enforce not to use recently used passwords
- Remote password reset now supported for IBM AIX, HP UNIX, Solaris and Mac OS types through SSH /
Telnet
- Provision for creating policy with Windows style password complexity allowing one of numerals or
special
characters in the passwords
- Support for forcefully logging out users from PMP application based on pre-defined inactivity period
- Password generator now available during resource creation
- Password reset actions done through the 'Forgot Password' option in the login screen are now audited
- Provision for generating audit trails in PDF format and also to email the same
Bug Fixes
- Handled escaping of the apostrophes in inputs causing javascript errors (in user groups and resources)
- 'Forgot Password' features was accessible by typing the URL directly even if it was turned off. This
is
now fixed
Limitation
- The search in the product is now case sensitive
PMP Release 4.6 (Build 4600)
New Features / Enhancements
- Active Directory integration enhanced with provision for importing user groups
- Support for filtering and viewing passwords based on resource groups
- Provision for searching passwords and creating groups based on custom attributes
- Support for enabling windows single sign-on as part of AD integration. Users who have logged in to the
windows system using their domain account need not separately sign in to PMP
- Default Reports: password details report and password policy compliance report
- Option to generate reports in PDF format and to email the same
- Support for viewing all attributes of a resource from 'Passwords View'
- Provision for 'Live Backup' through replicated database. Whenever a change happens in the 'Master
Database', it will be instantaneously replicated to the 'Slave Database'
- New user role named 'Password Auditor' with privileges for viewing audit reports has been introduced
- Domain name included along with user names to keep AD users unique across domains
- Flexible general settings for switching on and off the following features on need basis:
- Displaying/hiding 'Forgot Password' link in login page
- Permitting/restricting personal password management for users
- Sending/restricting Email intimation of passwords upon PMP user creation
- Enforcing/exempting compliance to password policies
- Enabling/disabling of remote password synchronization
- Enabling/disabling local authentication along with AD/LDAP authentication
- Show/hide passwords in exported resources list
- Support for sending mails through public SMTP servers such as gmail and others
- Support for Windows Vista OS
- Custom attributes visible to all users who have access to the password
- During user creation, option for administrators to specify the password for the users
- Provision for bulk transfer of resources
- Revamped GUI with improved navigation
Changes
- Earlier, while adding resources, the entry for IP address/DNS Name of the resource was mandatory. It
has
been made optional now
- Provision for entering first name, last name while adding users
- Hitherto, while entering the password for an account, users were not prompted to confirm the same. To
ensure the correctness of password, confirmation dialog has been added now
- Latest version of MySQL (v 5.0.36) is now being bundled with PMP
- The professional evaluation version now allows adding up to 3 administrator users
Bug Fixes
- MySQL 'Access Denied' error in linux during server startup has been fixed
- Earlier, users could delete the default resource group automatically created by PMP. This has been
fixed