Privileged Account Manager 3.5 Release Notes

July 2018

NetIQ Privileged Account Manager 3.5 includes new features, improves usability and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website. To download this product, see the Micro Focus Downloads website.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as the issues resolved in this release:

1.1 Enhancements to Privileged Access to Enterprise Applications

Privileged Access to Enterprise Applications Using Single Sign-On

In addition to credential checkout, Privileged Account Manager now provides the capability to single sign-on (SSO) to any enterprise application managed by Privileged Account Manager. You can now monitor and record sessions to enterprise applications without installing the agent on the target. You can get SSO access to resources, such as enterprise applications, databases, mainframes, Windows servers, Linux or UNIX servers, and network devices using the appropriate application clients. For more information about privileged access to enterprise applications using SSO, see the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

This is an add-on feature. Therefore, you must purchase an additional license to use it.

Application to Application Password Management

Using Application to Application Password Management (AAPM), an application can get privileged access to any application managed by Privileged Account Manager to perform automated or scheduled tasks. This eliminates the need to include application credentials in clear text in scripts and configuration files. For more information about the AAPM feature, see the section Application to Application Password Management in the Privileged Account Manager Administration Guide.

Enhancements to Database Monitoring and Credential Checkout

Database monitoring and credential checkout capabilities are now extended for the following databases:

  • Sybase

  • MySQL

  • MariaDB

  • PostgreSQL

For more information about configuring privileged access to databases, see the section Privileged Access to Databases in the Privileged Account Manager Administration Guide.

1.2 User Experience Improvements

New User Console

Privileged Account Manager now provides a new HTML5-based responsive user console, which replaces the old Myaccess console. The new user console includes the following additional features:

  • Tagging Resource Accesses: You can now group resource accesses and give a customized label to the group. These groups help you to identify and search the resource accesses easily. For more information about tagging the resource accesses, see the context-sensitive help in the user console.

  • Context-Sensitive Help: These are task-based help files embedded in the user console to improve usability. To view the context-sensitive help, click the question mark icon on the appropriate user console page.

You can now access the user console using the URL https://<PAM server host name/IP address>/pam.

New Administration Console

In addition to the old administration console, this release provides a new HTML5-based responsive administration console. To access the new administration console, use the URL https://<PAM server host name/IP address>/pam. You must have the administrator role to access the new administration console.

The new administration console includes only the following sections, Access and Reports, which are described below.

You can access all other features from the legacy administration console.

Access

The Access Dashboard is now referred to as Access. In the Access tab, you can perform the following:

  • View the access requests from the user and perform appropriate action on the request, such as approve, deny or revoke.

  • Review credential checkouts and force a check-in of the credentials if required.

  • View, request, and access the resource accesses granted to you. These user console capabilities are now included as part of the administration console to make all the features available to the administrator in one console.

Reports

The Reporting Console is now referred to as Reports. The Reports tab now contains only the Session Reports, which include predefined reports such as All sessions, Disconnect sessions, and so on. You can click the appropriate report to view the report data and perform the following:

  • Customize the predefined report and save as a new report.

  • Filter the report data based on a set of filtering criteria.

  • Export the report to a CSV file.

1.3 Enhancements to Integration Ready Interfaces

Enhancements to REST API

Privileged Account Manager provides REST APIs for integrating with any third-party applications such as ServiceNow.

Using Privileged Account Manager REST API, you can perform the following:

  • Policy management

  • User management

  • Credential Vault management

  • Application credential check-in and check-out

The REST API documentation is now available in the new administration console and the new user console. To view the REST API documentation, click the logged in user name and then click REST API on the administration or the user console.

Application to Application Password Management

Using Application to Application Password Management (AAPM), you can integrate an application with any application managed by Privileged Account Manager to perform automated or scheduled tasks. For more information about the AAPM feature, see the Application to Application Password Management section in the Privileged Account Manager Administration Guide.

1.4 Performance and Scalability Improvements

  • The video conversion mechanism is optimized and the default frame rate is set to 5. This reduces the temporary disk space requirements of agents.

  • Privileged Account Manager now provides an option to off-load the video generation process to dedicated video off-load agents. This makes your agents lightweight by consuming less CPU and RAM. Off-loading the video generation operation is highly recommended when you are using SSH relay with X11 forwarding and privileged access to applications using SSO. For more information about configuring video off-load, see the section Video Off-Load in the Privileged Account Manager Administration Guide.

1.5 Privileged Access to Resources Using Telnet

SSH relay is now enhanced to support privileged access to target resources, such as network switches and mainframes, using the Telnet protocol.

1.6 Enhancements to Privileged Account Discovery

Privileged Account Sniffer is now enhanced to discover service accounts in Windows computers that are standalone or part of a domain. In addition, the user interface of the tool is also enhanced for better user experience. For more information about Privileged Account Sniffer, see the section Discovering Privileged Accounts in the Privileged Account Manager Administration Guide.

1.7 Authentication Support for Email Alerts

Privileged Account Manager can now send emails even when an SMTP server mandates authentication for sending emails.

1.8 Updates to Supported Platforms

There are several updates to the Privileged Account Manager supported platforms. For the complete list of supported platforms, see Privileged Account Manager 3.5 System Requirements.

1.9 Software Fixes

Privileged Account Manager 3.5 includes software fixes that resolve several issues.

Command Control Authorization Fails When the Command Included in Rule Is not Enclosed in Asterisks

You can either enter the full path of the executable or enclose the executable name in asterisks, as required. You must enclose the path of the executable in double quotes if the path includes a space. (Bug 1097864)

X11 Forwarding is not Supported on CPCKSH SHELL

X11 forwarding is now supported in CPCKSH SHELL by configuring /usr/bin/pcksh with the -o x11forwarding option. (Bug 598519)

Summary of Added Target Systems Page is Blank after Importing Domain configuration

In the Privileged Account Sniffer tool, after importing a domain configuration, the Summary of Added Target Systems page now displays the complete configuration available in the imported XML file. The imported domain configuration updates all the fields in the Domain Details page except the Password field. You can initiate the discovery from the Summary of Added Target Systems page. (Bug 1062456)

LDAP Authentication fails When Password Contains Multiple '$' Characters

LDAP passwords can now contain multiple '$' characters and authentication succeeds. (Bug 1018428)

Unable to Start or Stop Privileged Account Manager Services Using systemctl Command

Issue: The Privileged Account Manager service in SLES 12 or RHEL 7 cannot be started or stopped by running the systemctl start npum and systemctl stop npum commands. (Bug 1014058)

Fix: After you install Privileged Account Manager 3.5, you can start or stop Privileged Account Manager services by running the systemctl start npum or systemctl stop npum commands. You can use the systemctl status npum command to view the service status.

Audit Events Are Not Sent For Commands executed in PCKSH or CPCKSH with Enhanced Access Control

Issue: Commands executed in PCKSH or CPCKSH with Enhanced Access Control are audited without their command arguments. (Bug 1039296)

Fix: Commands executed in PCKSH or CPCKSH with Enhanced Access Control are now audited together with their command arguments.

Secure Shell Relay Connection Fails with an Error

Issue: Secure Shell (SSH) relay connection fails with the following error: no matching mac found (Bug 1078801)

Fix: SSH relay connection works as expected and does not display an error.

Intermittent connectivity issues and client timeout from WinSCP SFTP through Privileged Account Manager ssh-relay

The SFTP connection using WinSCP works as expected. (Bug 1086893)

Secure Shell Relay Connection Fails for credential type SSH Key

Issue: The SSH connection fails for a credential of type SSH key when the key is created with an empty passphrase. (Bug 1050805)

Fix: The SSH connection is successful when the SSH key has an empty passphrase.

SSH connection Fails to some HP Switches When the Banner is Enabled on A Target Server

SSH to a target server with banners enabled and to HP switches now works. (Bug 1084662)

Unable to Access Privileged Account Manager Console Using Hostname in Internet Explorer in Certain Configurations

Privileged Account Manager can be accessed by using the https://<hostname of PAM server>/PAM URL on all browsers. (Bug 1030579)

Windows NPUM Manager Crashes when RDP is Attempted to a Citrix Host with NPUM Agent Installed

Privileged Account Manager can do an RDP Relay to machines with Citrix server installed and monitor a session. (Bug 785165)

User Sessions Are Disconnected During Direct RDP

Issue: During Direct RDP sessions, end users are unable to connect to servers and get disconnected from the session. This happens when Secondary authentication option in a direct RDP policy of Privileged Account Manager is set to No. (Bug 1096734)

Fix: During Direct RDP sessions, users get connected and their sessions are monitored by PAM irrespective of the setting of the secondary authentication flag in the Privileged Account Manager policy.

Using the Run as Privileged User option Displays an Error

You can use the Run as Privileged User option to get elevated access to a target application, based on the user's policy defined in Privileged Account Manager. (Bug 1096551)

Audits missing in Direct RDP Session as Privileged Account Manager Does not Monitor Certain Operations

Issue: Privileged Account Manager does not monitor the following on Windows Server:

  • Windows Explorer is not always monitored.

  • Folder and File operations from Windows Explorer are not monitored at the command level.

  • In a reconnected session, applications that were running prior to the disconnection are not monitored. (Bug 1056100)

Fix:

  • During a fresh login to a Windows session or a reconnected Windows session, the PAM agent monitors the operations performed using Windows Explorer. The PAM agent also monitors the activities performed in applications that were already running in a reconnected session.

  • File or folder operations like creation of a file are monitored at command level, like CreateFile <filename>. For delete operations on file or folder using Windows GUI, the operation is monitored using GUI audits like Delete menu clicks.

Session Recordings Are Trimmed when Screen Scaling is Set to 125% or Higher

Issue: When screen scaling is set to 125% or higher on the computer from where RDP session is initiated to the target system, then the videos captured for the monitored session are trimmed and the entire screen is not captured. (Bug 1069198)

Fix: Even when screen scaling is set to 125% or higher, Privileged Account Manager records the entire screen in video captures. Ensure that the latest Microsoft Windows patches are installed on the computer for this feature to work as expected.

Unable to Disconnect Session Or Customize Screen Size from User Console

You can configure the screen size of the remote desktop session. To configure it from the My Access page, click Predefined Tags > Windows. Select a resource and click Access Details > Display Configuration and specify the screen size. (Bug 1067339)

You can click a Windows SSO session to launch a remote desktop session window and close the window to disconnect the session.

View Authorized Command Control Rule Name Through Metadata

Issue: Command Control reports do not contain the authorization rule name. (Bug 1064886)

Fix: Command Control reports now display the authorization rule name. To display the authorized rule name from metadata, add $<AuthorizedRule>$ in the rule's user message.

Launching a New Page from Admin Console Does Not Require Re-authentication

Issue: Launching new pages does not require re-authentication, and logging out of one open session logs you out of all open sessions. (Bug 1076347)

Fix: Launching new pages from Admin Console displays the login page.

Unauthorized Users can Configure Syslog Settings

Issue: Editing the Syslog Settings as an unauthorized user does not display an error. (Bug 1059034)

Fix: The fields in the Syslog Settings page are disabled for unauthorized users.

Incorrect permissions on Some of the Directories in Backup Package Manager

File and folder permissions have been corrected in Backup Package Manager. (Bug 1092678)

2.0 System Requirements

For information about hardware requirements, supported operating systems and browsers, see Privileged Account Manager 3.5 System Requirements.

3.0 Installing Privileged Account Manager 3.5

For information about installing Privileged Account Manager 3.5, see the Privileged Account Manager Installation Guide.

4.0 Upgrading to Privileged Account Manager 3.5

You can upgrade to Privileged Account Manager 3.5 from Privileged Account Manager 3.2 or later.

For information about upgrading to Privileged Account Manager 3.5, see Upgrading Privileged Account Manager in the Privileged Account Manager Installation Guide.

NOTE: Branding of the user console is not supported in Privileged Account Manager 3.5. Therefore, any customizations made to the user console will not be available after upgrading to 3.5.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Privileged Single Sign-on is not Supported in Microsoft Edge

Workaround: Use Microsoft Internet Explorer 11 to enable Privileged Single Sign-on in browsers with Local Group Policy configured. (Bug 1079379)

5.2 Secure Shell Java Terminal Displays Random Characters Instead of the Typed Characters

Issue: The SSH Java terminal displays random characters instead of the typed characters on a Java SSH relay connection to certain network switches. (Bug 1086870)

Workaround: Use an alternative SSH client, such as command line SSH, PuTTY, or MobaXterm, instead of Java SSH.

5.3 Unable to Refresh Data In Access page While Using Internet Explorer 11

Issue: When you click Refresh in the Access page, the updated data is not displayed. (Bug 1095367)

Workaround: Click Refresh in the Internet Explorer browser instead of Refresh in the Access page.

5.4 Time Zones Are Different In Reporting Console and Output

Issue: For certain Linux and Unix sessions, the time zone for Start Time is different in the Reporting Console and a playback of the session. (Bug 1041802)

Workaround: There is no workaround at this time.

5.5 All Registered Agents Become Unregistered after a License Is Added to Privileged Account Manager

Workaround: Install the PAM license immediately after deploying the PAM manager. If the license is added later, re-register the agents after you add the new license. (Bug 1100050)

5.6 Audit videos do not Play in Microsoft Edge Browser

Workaround: Audit videos can be viewed in other supported browsers. (Bug 1037322)

5.7 PAM User Console Cannot Be Custom Branded

Workaround: There is no workaround at this time. (Bug 1094124)

5.8 Unable to Log In to the PAM Console Using Firefox Quantum and Edge Browsers When Secondary Authentication Is Enabled for Biometric Devices

Issue: When you use Privileged Account Manager in Microsoft Edge or Firefox Quantum after you install AAF 6.0, you are unable to enroll biometric devices. (Bug 1097960)

Workaround: There is no workaround for Firefox Quantum at this time. For the workaround while using Microsoft Edge, see .

5.9 Newly Created Reports are not Listed Under My Views in Internet Explorer 11 Browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see Privileged Account Manager 3.5 System Requirements. (Bug 1100985)

5.10 New sessions are not Updated in Session Table in Internet Explorer 11 browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see Privileged Account Manager 3.5 System Requirements. (Bug 1100970)

5.11 Moving Multiple Objects Does Not Work

Issue: Selecting and moving multiple objects by using the Shift/Ctrl key does not work.

Workaround: To move multiple objects, use Shift + select on the required objects, or use Select All. (Bug 915307)

5.12 The Run as privileged user Option Is Not Displayed on a Windows 2012 Server

Issue: When you right-click Start on a Windows 2012 server, the Run as privileged user option does not get displayed. (Bug 901032)

Workaround: To work around this issue, right-click the application in the folder where the application is installed to execute Run as privileged user.

5.13 The Command Control Objects Are Not Displayed When Large Number of Objects Are Added Simultaneously

Issue: When Command Control Objects are added simultaneously in large numbers, the objects do not appear in the console. This is an intermittent behavior. (Bug 908307)

Workaround: There is no workaround at this time.

5.14 The Unregistered Hosts List Is Not Displayed

Issue: In the administration console, when you search for unregistered hosts by clicking Hosts > List Unregistered Hosts > IP Range, the Failed to list unregistered agents error is displayed. (Bug 832747)

Workaround: Ensure that when you install agents, you register them with the Privileged Account Manager Manager.

5.15 The Changes to the Syslog Settings Do Not Get Applied

Issue: In the Reporting console of Privileged Account Manager, when you save changes to the syslog settings, such as selecting SSL or Allow Persistent Connections, the changes are not applied. (Bug 895993)

Workaround: To work around this issue, restart Privileged Account Manager.

5.16 Cannot Uninstall Privileged Account Manager 3.2 Through Windows Add/Remove Programs

Issue: Uninstalling Privileged Account Manager 3.2 through Windows Add/Remove Programs displays an error. This issue occurs only when the Privileged Account Manager is upgraded to 3.2 using Privileged Account Manager 3.2 installer. (Bug 1029461)

Workaround: Uninstall Privileged Account Manager through command line or Privileged Account Manager 3.2 installer.

5.17 NPAM Service Commands Do Not Work in SUSE Linux Enterprise Server 12 or Later

Issue: The NPAM service commands such as start, stop, restart, and status do not work in SUSE Linux Enterprise Server 12 or later. (Bug 1041284)

Workaround: To work around this issue, perform one of the following:

  • Reboot the system using one of the following commands:

    reboot

    (or)

    shutdown -r now

  • Kill and restart the NPAM process using the following commands:

    pkill unifid

    /etc/init.d/npum start

After performing one of the preceding steps, you can verify the NPAM process running status by executing the following command:

/etc/init.d/npum status

6.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

© Copyright 2009-2018 Micro Focus or one of its affiliates. All Rights Reserved.