Integrating with ManageEngine PAM360

Advantages of Endpoint Central-PAM360 integration

The Endpoint Central-PAM360 integration empowers administrators with advanced privilege elevation and delegation management. This functionality enables effective oversight of resources on organizational endpoints. Using crafted rules, administrators can identify and manage privileged users, accounts, and resources across PAM360 resources.

Pre-Requisites

1. You should be on Endpoint Central build 11.3.2404.1 or above.
2. The user responsible for configuration should hold administrative privileges in both the Endpoint Central application and PAM360.
3. In order to leverage Endpoint Central within PAM360 effectively, it is crucial that the user currently logged into PAM360 exists within Endpoint Central with an identical username. If the user is authenticated via Active Directory, their corresponding account in Endpoint Central should align with the same domain name. This synchronization ensures seamless integration and functionality across both platforms.
4. For this integration to work, Endpoint Central should be running in secured HTTPs port/mode only.
5. As Endpoint Central is running in the HTTPs mode, the identity of the system needs to be verified through a valid SSL certificate, which has to be imported into the PAM360 certificate store. Follow the steps listed below:
    
   1. Stop the PAM360 service.
   2. Open the command prompt and go to the <PAM360-Installation-Directory>/bin folder.
   3. Execute the command - importCert.bat <Absolute Path of the Endpoint Central' Certificate>
   4. Now, start the PAM360 service again.

Role - Manage Endpoint Central

By default, users assigned the Privileged Administrator and Administrator roles can configure and manage Endpoint Central in PAM360. Alternatively, you can grant these same responsibilities to users by creating a custom role with the Manage Endpoint Central privilege enabled. Users assigned this custom role will be able to configure and manage Endpoint Central via PAM360.

Generation of API Key

To integrate PAM360 with Endpoint Central, it is necessary to generate an API Key from Endpoint Central. To generate the authentication token, perform the steps that follow:

1. Log in to Endpoint Central.

2. Go to Admin and select API Key Management under Integration.

   

3. Click Generate Key.

   

4. Select the application PAM Integration.

5. Click Generate Key to generate the required API key for establishing communication with PAM360.

   

6. Copy the API key generated for configuring Endpoint Central in PAM360 and close the box.

   

Configuring Endpoint Central & PAM360

To ensure the expected functionality and perform endpoint privilege management capabilities via the PAM360 environment, configuring Endpoint Central & PAM360 is necessary. To do so:

1. Login to the PAM360 user account.

2. Go to Admin -> Privilege Elevation, and select Application Control.

   

3. Click Configure.
4. In the dialogue box that opens,
    
   • Input the server name where the Endpoint Central is installed (e.g., in-qaauto-92dt).
   • Enter the HTTPS port number configured for Endpoint Central (default is 8383).
   • Paste the copied API key generated from the Endpoint Central console in the Authentication Token.
   • Click Generate for generating the PAM360 Authentication Token and copy the generated token.

   • Click Enable.

     

5. Open Endpoint Central console and navigate to Admin -> PAM360 Integration Settings under Integrations.

   

6. Input the server URL where PAM360 is hosted and paste the copied Authentication Token from the PAM360 console.

7. Verify the PAM360 certificate details and click Trust this Certificate.

   

8. Click Save.

   

Note: Once configured, you can also edit the above details using the Edit Configuration button present at the top pane of the left Endpoint Central column.

Configuration and Management Failure Scenarios

Encountering difficulties while configuring or managing Endpoint Central in PAM360 can result from various factors. It is essential to address these issues to ensure effective and efficient utilization of the Endpoint Central feature.

1. Mismatched Privileged Roles
    

   If a user attempts to manage Endpoint Central via PAM360 but lacks a corresponding privileged role in Endpoint Central, issues may arise. Users should possess similar privileged roles in both platforms to access and manage Endpoint Central seamlessly.

2. Unauthorized Access and Privileges
    

   Configuration or management of Endpoint Central without the appropriate privileges can lead to unauthorized access attempts. Users should be granted the necessary privileges to avoid encountering issues while configuring or managing Endpoint Central within PAM360.

3. API Key/Authentication Token Update Requirement
    

   Changing the API Key/Authentication Token on either server disrupts the functionality of the Endpoint Central-PAM360 integration. This is because the previously generated authentication token becomes invalid. To ensure smooth operation, it is essential to update the configuration with the newly generated API key/authentication token in the corresponding server.

4. Username Discrepancy
    

   If a user attempting to access Endpoint Central does not have the same username as in PAM360, issues may arise. Consistency in usernames across platforms is necessary to facilitate seamless access and utilization of Endpoint Central functionalities.
   Addressing these potential failure scenarios comprehensively ensures the effective and efficient deployment and usage of Endpoint Central within PAM360, enhancing overall security management capabilities.