15.4 Enabling Password Checkout for Applications

The password checkout feature can be customized for applications such as Salesforce. You can use the policy template for the supported applications, such as LDAP Password Checkin-Checkout and Active Directory Password Checkin-Checkout, and then customize it as required. For more information about adding a policy template, refer to Adding a Policy Template. To enable password checkout for any other application, you need to add the account credentials of the application server to the enterprise credential vault. Perform the following to enable the password checkout feature for applications:

  1. Create a privileged account for the application server:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. In the left pane, click Credential Vault.

    3. In the middle pane, click Add Account Domain.

      If you have imported a policy template for password checkout, a sample account domain gets created with the name DOM-APP_<application name>. You need to modify the sample account domain by clicking Modify in the details pane.

    4. In the right pane, specify the following information:

      Name: Specify the name of the application domain. The name of the domain should be followed by an underscore (_) and the application name.

      For example, if an SAP server is on the 172.16.0.1 domain, you need to specify the Account Name as 172.16.0.1_SAP. If you do not provide the correct domain name, user authentication fails.

      Type: Select Application.

      Sub-Type: This field is auto-populated with the application name that you specified in the Account Name field. For example, if you have specified the Account Name as abc_pqr_Salesforce, the Sub-Type field is auto-populated as Salesforce.

      Host: Specify the IP address of the host server. Also provide the port number.

      Password Reset: Select the appropriate option that can be used for password check-in. You can specify either of the following:

      • Script: Specify a Perl script that resets the account password for the application. For the password reset scripts, see Password Reset Scripts. The Perl script should return 0 when the reset is unsuccessful or 1 when the reset is successful. You can add more attributes to the script. To add a custom attribute to the script, use the custom fields that you define in Add Custom Fields.

      • Delegate to Identity Manager: You can delegate the password check-in process to Identity Manager. On selecting this option, the IDM (Identity Manager) driver for PAM takes care of generating a random password and synchronizing it to IDM. The PAM driver checks in the new password to PAM. IDM takes care of synchronizing the password to the applications through the respective application driver. For more information, refer to the Driver Implementation guide on the PAM documentation page.

        NOTE: Before delegating password check-in to Identity Manager, ensure that the PAM driver and the application driver are operational.

      • Never: You can use this option if you do not want to reset the password.

      Password Policy: Select the appropriate password policy. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new password policy. For more information about specifying a password policy, refer to Specifying Password Policies.

      Create Command for subtype: Select this check box to create the command for the application. For example, if the application is ABC_PQR, a command named APP PQR is created for the application, which you use in the application rule.

      If you have imported a policy template for application password checkout, the command is created automatically.

      To add additional fields, use Add Custom Fields.

    5. Click Add to save the account domain details.

    6. Add the application server account credentials. For more information, refer to Adding Shared Account Credentials in the Account Domain.

      These credentials are provided to the user when they check out the password for the application. The available credentials are handed out to users one at a time; if all credentials are in use, a user who checks out the password later receives a message that all credentials are in use and can try to connect again after some time.

  2. Create a rule. For information about creating a rule, refer to Adding a Rule.

    If you have added the policy template, this rule gets created automatically.
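The Script option in step 4 only states the contract a reset script must honour (return 1 on success, 0 on failure). The following is an added example of such a script, not code from the PAM documentation or product, that resets an LDAP account password over ldaps with certificate verification. It assumes, because this page does not say, that PAM passes the account DN as the first argument and the new password on standard input, that the return value is the process exit status, and that custom fields from Add Custom Fields arrive as the environment variables LDAP_URI, LDAP_CA_FILE, LDAP_ADMIN_DN and LDAP_ADMIN_PW; confirm the real interface in Password Reset Scripts.

```perl
#!/usr/bin/perl
# Added example, not part of the PAM documentation or product.
# Contract from the Script option: exit 1 when the reset succeeded, 0 when it failed.
# ASSUMPTIONS (see Password Reset Scripts for the real interface): the account DN is
# argv[0], the new password is read from stdin (keeps it out of the process list),
# and custom fields arrive as LDAP_URI, LDAP_CA_FILE, LDAP_ADMIN_DN, LDAP_ADMIN_PW.
use strict;
use warnings;
use Net::LDAP;

# Returns 1 on success, 0 on any failure. The new password is never written to logs.
sub reset_ldap_password {
    my ($uri, $ca_file, $admin_dn, $admin_pw, $account_dn, $new_pw) = @_;

    # Require TLS certificate verification so that the admin credential and the
    # new password are not handed to an impersonated directory server.
    my $ldap = Net::LDAP->new($uri, timeout => 10,
                              verify => 'require', cafile => $ca_file);
    unless ($ldap) {
        warn "reset failed for $account_dn: cannot connect to $uri ($@)\n";
        return 0;
    }
    my $mesg = $ldap->bind($admin_dn, password => $admin_pw);
    if ($mesg->code) {
        warn "reset failed for $account_dn: admin bind: " . $mesg->error . "\n";
        $ldap->unbind;
        return 0;
    }
    $mesg = $ldap->modify($account_dn, replace => { userPassword => $new_pw });
    $ldap->unbind;
    if ($mesg->code) {
        warn "reset failed for $account_dn: modify: " . $mesg->error . "\n";
        return 0;
    }
    return 1;
}

my ($account_dn) = @ARGV;
my $new_pw = <STDIN>;
chomp $new_pw if defined $new_pw;

my $ok = 0;
if (defined $account_dn && defined $new_pw && length $new_pw) {
    # eval so that an unexpected die() still yields 0 rather than an arbitrary status
    $ok = eval { reset_ldap_password($ENV{LDAP_URI}, $ENV{LDAP_CA_FILE},
                                     $ENV{LDAP_ADMIN_DN}, $ENV{LDAP_ADMIN_PW},
                                     $account_dn, $new_pw) } // 0;
}
exit $ok;
```

Every failure path returns 0 so that PAM treats an unreachable server, a rejected admin bind or a failed modify alike as an unsuccessful check-in, and only the account DN, never the password, appears in the warning output.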