
Enterprise Random Password Manager Admin Guide PDF

1496 Pages·2015·28.26 MB·English

Preview Enterprise Random Password Manager Admin Guide

Admin Guide

Enterprise Random Password Manager Admin Guide v5.x

Copyright © 2003-2015 Lieberman Software Corporation. All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation
1900 Avenue of the Stars Suite 425
Los Angeles CA 90067
310.550.8575
Internet E-Mail: [email protected]
Website: http://www.liebsoft.com

CONTENTS

INTRODUCTION
  License Agreement
  Limited Warranty
  Overview
  Performance Notes
  Background and Goals

GETTING STARTED
  Management Console
    Management Console Menus
    Four Views
      Windows Systems View
      Windows Accounts View
      Accounts Store View
      SSH Keys View
      Accounts View Display Options
  Management Sets
    Creating Management Sets
    Adding Systems to a Management Set
      Add from Domain - Dynamic
      Add from Domain - Manual
      Add From Network Browse - Manual
      Explicit Inclusions and Exclusions - Dynamic
      Import From Text File - Manual
      Add Systems by Name - Manual
      Add From Active Directory - Dynamic
      Add From Active Directory - Manual
      LDAP Sources - Dynamic
      Add From IP Scan - Dynamic
      Add From IP Scan - Manual
      Add From Database Query - Dynamic
      Filter Options - Dynamic
      Options - Dynamic
    Excluding Systems From All Operations - Restricted Systems
    Orphaned Systems
  Program Settings & Options
    Controlling Access to the Admin Console
    Admin Console Delegation Permissions
    Logging Options
    Datastore Configuration
      Data Store Basic Configuration
      SQL Server Auto-Index Tuning
      SQL Server Index Defragmentation
      SQL Server Generate Stats FullScan
      App Store Data Maintenance
    Application Components
    Email Server Settings Overview
      SMTP Settings: General
      SMTP Settings: Outgoing Server
      SMTP Settings: Logging Options
    Program Options
      Program General
      Event Log Messages
      Password Check-in Options
      Client Password Storage
      Heartbeat Monitor
      Service Start/Stop Timeouts
    Program Options - External
      Active Directory Options
      Logging Options
      Propagation & Discovery Options
      SSH Settings
      Thread Management
      Website Optimization Options
    Encryption Settings
      HSM Troubleshooting
    Discovery and Propagation
      Account Usage Search Elements
    Alternate Administrators
  Installing Support for Non-Microsoft Platforms
  Deferred Processing - Scheduled Jobs
    Deferred Processor Service
    Zone Processing
      Manual Zone Processor Installation
    Zone Processor Additional Requirements
    Job Queues
    Retry Settings
  Manage Web Application
    Web Application Settings
      App Options
      Password Access
      Security
      Account Elevation
      Remote Sessions
      Console Display
      User Dashboards
      File Store Settings
      User/Session Management
    Web Application Integration Notes
    Web Application Settings
    Web Application - Updating Settings
    Web Application Instances
  Authentication Servers
    LDAP Servers
      Logging in with an LDAP Account
    RADIUS Servers
      Logging in with a RADIUS Account
  Two Factor Authentication Configuration
    OATH 2-Factor
      OATH Tokens
      Additional OATH Resources
      OATH With Existing Tokens
      OATH Without Existing Tokens
      Configuring OATH Requirements for Management Console Access
      Configuring OATH Requirements for Web Interface Access
    InfoCrypt
    PhoneFactor
    RADIUS 2-Factor
    RADIUS 2-Factor for Explicit Accounts
    RSA SecurID
      Configuring RSA SecurID
      RSA SecurID Configuration Verifier
      Configuring RSA SecurID Requirements for Management Console Access
      Configuring RSA SecurID Requirements for Web Interface Access
      Troubleshooting RSA SecurID Configuration
    SafeNet
  Report Generator / Output Settings
    Report File Output Type
      HTML Edit Dialog

ENROLLMENT, ACCOUNT DISCOVERY, AND PASSWORD MANAGEMENT
  Enrolling New Systems and Devices
    Databases
      DB2
      Microsoft SQL Server
      MySQL & MariaDB
      Oracle
      PostgreSQL
      Sybase
    LDAP Directories
    IBM WebSphere
      Configure IBM WebSphere for Enrollment
    Linux, UNIX, Main Frame & Other Operating Systems
      AIX
      AS400
      ESX & ESXi
      Linux, UNIX & Solaris
      OpenVMS
      OS/390
      OSX
      TN3270 & TN5250
      Tandem Realtime Systems
    McAfee EPO
    Network Devices
      CheckPoint
      Cisco IOS & ASA
      Cisco Nexus & ACE
      DRAC - Dell Remote Access Control
      F5
      Fortigate
      Foundry
      HP
      IPMI
      Juniper
      NetApp
      Palo Alto
    Oracle WebLogic
      Configure Oracle WebLogic for Enrollment
    Oracle PeopleSoft
    SAP
      Configure SAP Gateway for Enrollment
    Windows Systems
    Custom Account Stores
  Privileged Account & Account Usage Discovery
    Refresh Operations - Getting System Information
    Account Usage Discovery and Propagation
      Windows Service Credentials
      Windows Scheduler Task RunAs Identities
      Windows Scheduler AT Service Account
      COM+ Application Identities
      DCOM Object RunAs Identities
      IIS6 Metabase Account Info
      IIS7 Account Info
      SCOM Run As Accounts
      Credentials in SQL Server
      Accounts in .NET Config Files
      String Replacements in Files
      Run Arbitrary Process to Find/Update Credentials
      SharePoint
      IBM WebSphere Application Server
      Oracle WebLogic Server
      SAP NetWeaver Server
      Aggregation of Multiple Base Types
      Update Logon Cache
      Update Auto Logon Account
      Local Cache for Java Client
      SQL Reporting Services
      Credential References in Arbitrary Locations
    Databases
      DB2
      Microsoft SQL Server
      MySQL
      Oracle
      Sybase
    IPMI
    IBM WebSphere
    LDAP Directories
    Linux, OSX, UNIX & Solaris
    McAfee EPO
    Oracle WebLogic
    Oracle PeopleSoft
    SAP
    SSH Key Discovery
    SSH Access Rules
    SSHD Configuration Settings
    Sudoers Configuration Settings
    Windows
    Custom Account Stores
  Manage Passwords & SSH Keys
    Manage SSH Users Keys
    SSH Key Management
    Password Compartmentalization - 4 Eyes
    Enterprise Applications
      SAP Password Change Jobs with Enterprise RPM
    Middleware Password Changes
      Middleware Password Change Jobs with Enterprise RPM
    LDAP Directories
      LDAP Directory Changes with Enterprise RPM
    Databases
      IBM DB2 Databases
      Microsoft SQL Databases
      MySQL and MariaDB Databases
      Oracle Databases
      Sybase Databases
      Database Password Change Jobs with Enterprise RPM
    Windows Systems
      Windows Password Change Jobs with Enterprise RPM
      Account Pooling for Windows Accounts
    Non-Windows OS and Device Connections
      Response Files
      Response File Sections
    Linux, UNIX, Main Frame, & Other Operating Systems
      Linux, UNIX & Solaris Systems
      OSX Systems
      VMware ESX Systems
      AIX Systems
      OpenVMS Systems
      TN3270 & 5250 Type Systems
626 AS400 Systems ................................................................................................................... 633 OS/390 Mainframes ........................................................................................................... 636 Tandem Systems ................................................................................................................ 639 Linux, UNIX, MainFrame & Other Password Change Jobs with Enterprise RPM................ 640 Network Devices ........................................................................................................................651 CheckPoint Manager .......................................................................................................... 651 Cisco IOS & ASA .................................................................................................................. 653 Cisco Nexus & ACE .............................................................................................................. 656 DRAC - Dell Remote Access Control ................................................................................... 657 F5 ........................................................................................................................................ 660 Fortigate ............................................................................................................................. 661 Foundry .............................................................................................................................. 664 HP Switches ........................................................................................................................ 666 IPMI .................................................................................................................................... 668 Juniper ................................................................................................................................ 
671 NetApp ............................................................................................................................... 673 Palo Alto ............................................................................................................................. 676 Network Device Password Change Jobs with Enterprise RPM ........................................... 677 Custom Account Stores ..............................................................................................................688 Custom Account Store Password Change Jobs with Enterprise RPM ................................ 688 Private and Shared Passwords ........................................................................................................702 Adding Non-Managed Passwords to the Password Store - Administrator ................................703 Adding Non-Managed Passwords to the Password Store - Web Administrator .......................708 Adding Private Passwords to the Password Store - Web User ..................................................711 Shared Credential Lists ...............................................................................................................715 Creating New Password Lists.............................................................................................. 716 Password List Permissions .................................................................................................. 721 Adding Passwords to a List ................................................................................................. 728 Two Ways to Retrieve a Shared Credential ........................................................................ 
733 Viewing and Editing Existing Jobs ....................................................................................................739 Jobs Monitor ..............................................................................................................................740 Editing Existing Jobs ...................................................................................................................742 Systems Page ...................................................................................................................... 743 Account Name Page ........................................................................................................... 746 Password Settings Page ...................................................................................................... 749 Password Verification Page ................................................................................................ 752 Contents ix Propagation Settings Page ................................................................................................. 754 Propagation Scope Page ..................................................................................................... 757 Schedule Page .................................................................................................................... 760 Job Log ................................................................................................................................ 762 PASSWORD RETRIEVAL & WEB PORTAL ..................................................................................... 765 Managing Delegation ......................................................................................................................766 Delegation Rules and Permissions .............................................................................................767 Delegation Configuration Through the Web Interface....................................................... 
769 Delegation Configuration Through the Management Console .......................................... 781 Import and Export Delegation Rules .................................................................................. 837 Login ................................................................................................................................................845 Main Page ........................................................................................................................................847 User Session Settings ......................................................................................................................849 Four Ways to Get A Password .........................................................................................................862 Password Recovery - Viewing the Password ..............................................................................862 Password Request ......................................................................................................................866 Password Checkout To Group ....................................................................................................873 Password Recovery - Remote Session, No Password Display ....................................................875 Password Request & Recovery - Using the SDK .........................................................................879 Self Recovery ...................................................................................................................................883 Personal Password Store .................................................................................................................883 Verifying Stored Passwords .............................................................................................................884 Viewing Stored Passwords from the Console .................................................................................887 
Viewing Password History ..........................................................................................................889 Website Admin Tools ......................................................................................................................894 Site Settings ................................................................................................................................894 Live Activity ................................................................................................................................919 Delegation Tools ........................................................................................................................919 Additional Website Uses .................................................................................................................922 System Status and Information ..................................................................................................922 Account Information ..................................................................................................................923 IPMI Web Operations .................................................................................................................927 Account Elevation - Self Service .................................................................................................929 Account Elevation - Help Desk ...................................................................................................930 Access to Existing Jobs ...............................................................................................................933 Privileged User Management Integration ..................................................................................935 File Store ....................................................................................................................................938 Uploading a New File 
.......................................................................................................... 938 Controlling Access To Files ................................................................................................. 940 Opening Files ...................................................................................................................... 942 Web Application Access with Portable Devices ..............................................................................945 Email Notifications ..........................................................................................................................945 Contents x Interface Customizations ................................................................................................................946 AUDITING AND ALERTING .......................................................................................................... 951 Dashboards......................................................................................................................................953 Web Activity Chart .....................................................................................................................953 Web Call Duration Chart ............................................................................................................955 Web Service Call Duration .........................................................................................................957 App Operation Metrics...............................................................................................................958 Web Activity ....................................................................................................................................960 View Web Activity from the Web Console .................................................................................960 View Web Activity from the Management Console 
..................................................................961 View Web Activity from PowerShell or Web Service .................................................................961 Compliance Reporting .....................................................................................................................963 Permissions Reporting ...............................................................................................................964 Compliance Reports ...................................................................................................................965 Configure a Reporting Database ................................................................................................966 Generating Reports in the Management Console .....................................................................969 Generating Reports in the Web Site ..........................................................................................971 ALERTING AND INTEGRATION USING EVENT SINKS ..................................................................... 
975 Event Sink Events List ......................................................................................................................977 Pre-built Integrations ......................................................................................................................985 ArcSight ......................................................................................................................................985 QRadar .......................................................................................................................................985 RSA enVision ..............................................................................................................................986 BMC Remedy ..............................................................................................................................990 BMC Remedy Mappings ..................................................................................................... 996 CA Service Desk Manager ..........................................................................................................998 CA Service Desk Mappings ............................................................................................... 1001 HP Service Manager ................................................................................................................ 1003 HPSM Mappings ............................................................................................................... 1006 Microsoft System Center Service Manager ............................................................................ 1007 SCSM Mappings ................................................................................................................ 1009 ServiceNow ............................................................................................................................. 
1011 ServiceNow Mappings ...................................................................................................... 1014 Event Sink Creation ...................................................................................................................... 1015 Log File .................................................................................................................................... 1023 Registry Value ......................................................................................................................... 1024 Named Pipe ............................................................................................................................. 1026 COM Call .................................................................................................................................. 1028 Email ........................................................................................................................................ 1030 Windows Event Log ................................................................................................................. 1033 SysLog ...................................................................................................................................... 1035 MSMQ - Microsoft Message Queuing ..................................................................................... 1037

Description:
No part of this publication may be reproduced, stored in a retrieval system, ERPM built on basic password management by leveraging .. In order to obtain their account usage, meaning where the accounts are used on EXECUTE IPMI POWER COMMANDS - run IPMI power commands against