18.2 Database Access Through PAM Proxy

You can use this feature to protect a database by controlling and monitoring the activities of the users who connect to the database through a database connector. A database connector acts as a proxy between the user's database client and the database server. The PAM proxy IP address and port number must be communicated to the user to whom you are providing access.

Figure 18-1 Database Connector

After you provide database access through PAM proxy, you can allow the user to log into the database using:

  • Their own database credentials.

  • Credentials checked out from PAM.

    This method enhances database security by letting PAM manage the database credentials. To configure credential checkout through PAM, see Database Access Through Credential Checkout.

To configure database access through the PAM proxy and monitor the database activities, perform the following:

18.2.1 Prerequisite

  • Direct access from the database client to the database server must be blocked.

    The database server should accept data transfer only through the Privileged Account Manager server.

  • If the database client connects to the Oracle database over SSL, import the Privileged Account Manager certificate into the database client's wallet.

  • If the database client connects to the Microsoft SQL Server over SSL, import the Privileged Account Manager certificate into the database client.

  • If the database client connects to Microsoft SQL Server over SSL, ensure that the Microsoft SQL Server supports TLS 1.2.

18.2.2 Adding Database Connectors

You can add database connectors for any agent that has the dbaudit module, to connect to a supported database. You can add any number of database connectors to an agent listed on the Database Connectors page.

Adding Database Connector for Oracle

  1. On the home page of the console, click Hosts.

  2. In the left pane, click Database Connectors.

    The Database Connectors page displays all the agents that have the dbaudit package installed, along with their connectors.

  3. Click Add on the bar for the required agent.

    If you have already added a connector, you can modify it as required by clicking the required connector field.

  4. Specify the following:

    • Type: Select Oracle from the drop-down menu.

    • DB Proxy Port: Specify the port on which the Privileged Account Manager accepts the connection from database clients to connect to a specific database server. Privileged Account Manager maps this port number to a specific database that has a specific DB address and DB Port.

    • DB Server Address: Specify the IP address or host name of the Oracle database.

    • DB Server Port: Specify the port number of the Oracle database.

    • Connection Protocol: Select TCP for non-SSL connection or TCPS for an SSL connection.

    • DB SSL Version: Specify the SSL version used on the Oracle database server.

    NOTE:

    • To use SSL, import the Privileged Account Manager certificate to the database client’s wallet.

    • If you are using Oracle 11.x or earlier versions of Oracle for an SSL connection, PAM supports only the TLS1V0 SSL version.

    • If you are using Oracle 12.x, PAM supports the TLS1V0, TLS1V1 and TLS1V2 versions.

  5. Click Save.

    When you save the configuration, the agents containing the dbaudit package restart.

Adding Database Connector for Microsoft SQL Server

For a Microsoft SQL Server database, you can add a connector using either the port number or the Microsoft SQL Server instance name.

Adding Database Connector Using Port Number

  1. On the home page of the console, click Hosts.

  2. In the left pane, click Database Connectors.

    The Database Connectors page displays all the agents that have the dbaudit package installed, along with their connectors.

  3. Click Add on the bar for the required agent.

    If you have already added a connector, you can modify it as required by clicking the required connector field.

  4. Specify the following:

    • Type: Select Microsoft SQL Server from the drop-down menu.

    • Use with Instance: The Use with Instance checkbox is selected by default. Clear this checkbox to configure the connector with the database port number.

    • DB Proxy Port: Specify the port number on which the Privileged Account Manager accepts the connection from database clients to connect to a specific database server. Privileged Account Manager maps this port number to a specific database that has a specific DB address and DB Port.

    • DB Server Address: Specify the IP address or host name of the Microsoft SQL server.

    • DB Server Port: Specify the port number of the Microsoft SQL server.

    • Network Packet Size: The default value is 4096. You can enter any value within the range 512 to 16000.

      NOTE: Enter the same value in the client as specified here when connecting through this connector.

Adding Microsoft SQL Server Connector Using Named Instance

  1. (Optional) If you know the Microsoft SQL Server instance name, perform the following:

    1. On the home page of the console, click Hosts.

    2. In the left pane, click Database Connectors.

      The Database Connectors page displays all the agents that have the dbaudit package installed, along with their connectors.

    3. Click Add for the required agent.

    4. Specify the following:

      • Type: Select Microsoft SQL Server from the drop-down menu.

      • Use with Instance: The Use with Instance checkbox is selected by default.

      • DB Proxy Port: Specify the port number on which the Privileged Account Manager accepts the connection from database clients to connect to a specific database server. Privileged Account Manager maps this port number to a specific database that has a specific DB address and DB Port.

      • DB Server Address: Specify the IP address or host name of the Microsoft SQL server.

      • Instance Name: Enter the Database Instance name and click Fetch Details.

        NOTE: The SQL Server Browser service must be enabled on the SQL Server from which the instances are being fetched.

      • DB Server Port: Specify the port number of the Microsoft SQL server.

      • Dynamic Port: Select the Dynamic Port checkbox if the configured server uses a dynamic port.

      • Network Packet Size: The default value is 4096. You can enter any value within the range 512 to 16000.

        NOTE: Enter the same value in the client as specified here when connecting through this connector.

  2. (Optional) If you do not know the Microsoft SQL Server instance name, you can search and fetch the instance as follows:

    1. On the home page of the console, click Hosts.

    2. In the left pane, click Database Connectors.

      The Database Connectors page displays all the agents that have the dbaudit package installed, along with their connectors.

    3. Click Microsoft SQL Server Instances. The Microsoft SQL Server Instances window is displayed.

    4. Enter the host name or IP address for which you want to fetch the instances and click Fetch.

      NOTE: The SQL Server Browser service must be enabled on the SQL Server from which the instances are being fetched.

    5. Select the desired instance and click Ok.

      NOTE: Select the Dynamic Port checkbox if the configured server uses a dynamic port.

    6. Click Save.

Adding Database Connector for Other Databases

Perform the following to add connectors for MySQL, PostgreSQL, MariaDB, and Sybase databases:

  1. On the home page of the console, click Hosts.

  2. In the left pane, click Database Connectors.

    The Database Connectors page displays all the agents that have the dbaudit package installed, along with their connectors.

  3. Click Add on the bar for the required agent.

    If you have already added a connector, you can modify it as required by clicking the required connector field.

  4. Specify the following:

    • Type: Select the desired database from the drop-down menu.

    • DB Proxy Port: Specify the port number on which the Privileged Account Manager accepts the connection from database clients to connect to a specific database server. Privileged Account Manager maps this port number to a specific database that has a specific DB address and DB Port.

    • DB Server Address: Specify the IP address or host name of the database.

    • DB Server Port: Specify the port number of the database.

    • Connection Protocol: Select TCP for a non-SSL connection or TLS for an SSL connection.

      This option is visible only for the databases for which you can choose the connection method:

      Sybase: You can choose the TCP or TLS (SSL connection) connection protocol.

      MySQL and MariaDB: Privileged Account Manager dynamically selects the protocol based on the database client and database server configuration.

      PostgreSQL: Privileged Account Manager supports only the TCP protocol in this release.

    • Enable SHA Cipher Suites: This option allows Privileged Account Manager to use SHA cipher suites lower than SHA256 for communicating with the database client and server.

      By default, this option is enabled because most third-party database clients use SHA cipher suites for SSL communication.

  5. Click OK.

    When you save the configuration, the agents containing the dbaudit package restart for the connector configurations to take effect.
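The limits stated in the connector steps above (a DB Proxy Port maps to exactly one database and so must be unique per agent, the Network Packet Size range, the Oracle SSL versions per release, and which protocols each database accepts) as a pre-flight check you can run over planned connector definitions before entering them in the console. This is added example code, not part of the product; the field names such as type and proxy_port are assumptions for the example.

```python
# Added pre-flight check for connector definitions (example code, not part of the
# product). It encodes this section's stated limits: DB Proxy Port unique per
# agent; MSSQL Network Packet Size 512..16000; Oracle 11.x over TCPS only TLS1V0,
# 12.x TLS1V0/TLS1V1/TLS1V2; PostgreSQL TCP-only; Sybase TCP or TLS. Field names
# such as type and proxy_port are assumptions for this example.

ORACLE_TLS = {"11": {"TLS1V0"}, "12": {"TLS1V0", "TLS1V1", "TLS1V2"}}

def check_connector(c):
    """Return the list of problems for one connector; an empty list means OK."""
    errs = []
    t, proto = c["type"], c.get("protocol", "TCP")
    if not 1 <= c["proxy_port"] <= 65535:
        errs.append("DB Proxy Port out of range")
    if t == "mssql" and not 512 <= c.get("packet_size", 4096) <= 16000:
        errs.append("Network Packet Size must be 512..16000")
    if t == "oracle" and proto == "TCPS":
        allowed = ORACLE_TLS.get(c.get("oracle_major", "12"), set())
        if c.get("ssl_version") not in allowed:
            errs.append(f"DB SSL Version {c.get('ssl_version')} not supported "
                        f"for Oracle {c.get('oracle_major')}.x")
    if t == "postgresql" and proto != "TCP":
        errs.append("PostgreSQL supports TCP only")
    if t == "sybase" and proto not in {"TCP", "TLS"}:
        errs.append("Sybase protocol must be TCP or TLS")
    return errs

def check_agent(connectors):
    """Check all connectors of one agent and flag duplicate DB Proxy Ports,
    since PAM maps each proxy port to exactly one DB address and DB port."""
    problems, seen = {}, {}
    for c in connectors:
        errs = check_connector(c)
        port = c["proxy_port"]
        if port in seen:
            errs.append(f"DB Proxy Port {port} already used by {seen[port]}")
        seen.setdefault(port, c["name"])
        if errs:
            problems[c["name"]] = errs
    return problems

# Constructed sample: one agent with three connectors, two sharing a proxy port.
SAMPLE = [
    {"name": "ora-prod", "type": "oracle", "proxy_port": 15210, "protocol": "TCPS",
     "oracle_major": "11", "ssl_version": "TLS1V2"},
    {"name": "mssql-hr", "type": "mssql", "proxy_port": 14330, "packet_size": 32000},
    {"name": "pg-app", "type": "postgresql", "proxy_port": 14330, "protocol": "TLS"},
]
```

Running check_agent(SAMPLE) reports all three sample connectors: the Oracle 11.x TLS version, the out-of-range packet size, the PostgreSQL protocol, and the shared proxy port.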

18.2.3 Adding Rules for Database

After adding the appropriate database connector, you must add rules to provide access to the database. You can add the database rule manually or by using a policy template:

  1. On the home page of the administration console, click Command Control.

  2. To add a rule and provide the access to supported databases, perform the following:

    1. (Conditional) To add the rules automatically using a policy template, perform the following:

      1. In the Command control pane, click Rules.

      2. In the details pane, click Add Policy Template and then select the required policy from the drop-down list. For example, select Oracle DB Session to add rules for Oracle database.

      3. Click Import.

        When you click Import, a new rule is added and, based on the type of policy selected, the appropriate command is also added to the rule. You can further edit the rule as required.

    2. (Conditional) To add the rules manually, perform the following:

      1. In the Command control pane, click Rules.

      2. In the details pane, click Add.

      3. Specify a name for the database rule, then click Add.

      4. To configure the rule, select the rule and click the Edit icon in the details pane.

        Configure only the following:

        Session Capture: Select On to capture the activities done by the user.

        Authorize: Select Yes, then select Stop from the drop-down list.

      5. Click Modify.

        The settings that are defined for the rule are displayed in the console.

      6. In the middle pane, click the Commands icon.

      7. From the list of commands, drag the required database command and drop it on the database rule.

        NOTE: If the user needs restricted access to specific instances of Microsoft SQL Server, you can create custom commands and drag them to the database rule. For example, to give a user access to only one of two instances, add <DBMSSQLAccess> InstanceName1 in the Commands field when creating the custom command.

18.2.4 Managing Database Connectors

You can remove or edit the database connectors for any required agent which has the dbaudit module to connect to the supported database.

Viewing Database Connectors

To view a database connector, perform the following:

  1. On the home page of the Administration console, click Hosts.

  2. In the middle pane, select the root domain, Hosts.

  3. In the left pane click Database Connectors.

    The Database Connectors page lists all the agents on which the dbaudit module is installed, along with their connectors.

  4. (Conditional) If you can view only the agents but not the connectors, click the bar. The page expands the view and displays all the database connectors for the specific agent.

  5. (Conditional) If you want to expand the view to display all the connectors for all the agents, click Expand All.

  6. (Conditional) If you want to collapse the view to display only the agents that contain the dbaudit package, click Collapse All.

If any agent that contains the dbaudit package is offline, Privileged Account Manager displays the agent with an offline message on the Database Connectors page.

Removing Database Connectors

To remove a database connector, perform the following:

  1. On the home page of the Administration console, click Hosts.

  2. In the left pane, click Database Connectors.

    The Database Connectors page displays all the agents that have the dbaudit package installed, along with their connectors.

  3. To delete a connector, click the required connector for the required agent, then click Remove > Save.

Modifying Database Connectors for an Agent

You can add, remove, or modify the database connectors for any specific agent that has the dbaudit module. To add or modify connectors for multiple agents through a single page, see Adding Database Connectors.

To view, add, remove, or modify the database connector for a specific agent, perform the following:

  1. On the home page of the administration console, click Hosts.

  2. In the left pane, click Database Connectors. The Database Connectors page displays all the agents that have the dbaudit package installed, along with their connectors.

  3. Click the dbaudit package to display the Modify and Remove options.

  4. Click Modify to display the Modify Database Connector window.

    NOTE: For a Microsoft SQL Server database connector, the Database Address and Instance Name fields cannot be modified. The instance details are displayed.

  5. Click Remove to delete an added connector.

    If you have already added a connector, you can modify it by clicking the required field.