Privileged Account Manager 3.7 includes new features, improves usability and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website. To download this product, see the Micro Focus Downloads website.
The following sections outline the key features and functions provided in this version, as well as the issues resolved in this release:
PAM now offers a new dashboard that serves as a single, quick access console, enabling PAM administrators to quickly identify any potential security issues and administrative tasks that need immediate attention.
For more information about the dashboard, see the Contextual Help in the administration console.
In addition to the existing Advanced Authentication methods, PAM now supports the RADIUS Client method.
For more information, see Supported Authentication Methods in the Privileged Account Manager Administration Guide.
PAM now supports Multi-Factor Authentication using a RADIUS server, enabling easy integration with any third-party Multi-Factor Authentication product that supports RADIUS.
For more information, see Multi-Factor Authentication in the Privileged Account Manager Administration Guide.
Database monitoring capabilities are now extended to the IBM Db2 database.
For more information about configuring privileged access to databases, see Privileged Access to Databases in the Privileged Account Manager Administration Guide.
Credential checkout capabilities are now extended to the IBM Db2 database. PAM supports only the TCP protocol in this release.
For more information about configuring privileged access to databases, see Privileged Access to Databases in the Privileged Account Manager Administration Guide.
PAM now enables credential checkout for Microsoft Azure in addition to other cloud services such as Red Hat OpenStack and Amazon Web Services (AWS). To get privileged access to these cloud services, you can now check out privileged account credentials from the user console.
For more information about configuring password checkout for Microsoft Azure, see Enabling Credential Checkout for Microsoft Azure in the Privileged Account Manager Administration Guide.
The minimum access duration for emergency access requests and credential checkout is reduced from 6 hours to 1 hour.
PAM now supports credential checkout for Windows, Linux, and AIX local accounts.
For more information, see Configuring Credential Checkout for Applications in the Privileged Account Manager Administration Guide.
PAM now enables Submit User to connect to target systems. Administrators can now provide privileged access to multiple users with a single command control rule.
For more information, see Secure Shell Relay Usage Scenarios in the Privileged Account Manager Administration Guide.
OpenSSH has been upgraded to version 7.9p1.
LDAP users (Microsoft Active Directory, NetIQ eDirectory, or OpenLDAP) can now get administration privileges for the PAM framework through their LDAP group membership. This ability significantly simplifies the configuration process for providing framework roles to LDAP users.
For more information, see Assigning Framework Roles for LDAP Users in the Privileged Account Manager Administration Guide.
PAM now provides short quick reference videos that serve as self-learning tutorials for PAM administrators.
To access these videos, in the administration console, click <user_name> at the top-right corner and select Getting Started.
PAM now enables you to export keystrokes in CSV format.
Privileged Account Manager 3.7 includes software fixes that resolve the following issues:
Privileged Sessions Are Not Audited When Secure Boot is Enabled
Changes Made in the Backup Manager Through REST API Are Not Replicated in the Primary Manager
Access As Column of Approved Windows Emergency Access Session Does not Display the Domain Name
Users in the Account Group Are Not Authorized to Access the pcksh Session
NPAM Service Commands Do Not Work In SUSE Linux Enterprise Server 12 or Later
SSH Relay to a SSH Target Host Fails if You Use a Custom Port Other Than Port 22
Audits are now captured successfully when Secure Boot is enabled. (Bug 1105024)
Changes made in either the Backup Manager or the Primary Manager using the REST API are replicated in all the other managers. (Bug 1101042)
Issue: The approved emergency access sessions listed under the Windows tag do not display the domain name in the Access As column. Instead, they display only the user name. For example, instead of Domain/Administrator, Access As displays only Administrator. (Bug 1147175)
Fix: The Access As column now displays domain name/user name.
Issue: Users who are part of an account group are not authorized to access the pcksh session when the account group is added to the runuser of the pcksh policy. (Bug 1131566)
Fix: Users in the account group are authorized to access the pcksh session.
The random agent crash issue observed on multiple Windows servers has been fixed. (Bug 1134687)
After registering the license, you now see the license information without a re-login. (Bug 1096076)
Issue: In the administration console, when you search for unregistered hosts by clicking Hosts > List Unregistered Hosts > IP Range, the "Failed to list unregistered agents" error is displayed. (Bug 832747, 790444, 1104360)
Fix: The unregistered hosts are displayed correctly.
SSH Relay adds a root login entry instead of a PAM user login entry in the syslog of the PAM server. To overcome this issue, the default log level of Syslog is set to QUIET. For more information, see the Knowledge Base Article 7023749. (Bug 1126023)
The NPAM service commands such as start, stop, restart, and status now work in SUSE Linux Enterprise Server 12 or later. (Bug 1041284)
SSH Relay to custom ports on target SSH hosts works successfully. (Bug 1155401)
When secondary authentication after login is in progress, accessing PAM through another tab displays the login screen. (Bug 1146114)
Privileged Account Manager 3.7 fixes the issue of potentially unsafe CBC encryption (CVE-2019-0169).
For more information, see Disabling CBC Mode.
Support for old APIs (such as SPF.Util and Java APIs) will be discontinued from the next major release of PAM.
For the list of supported REST APIs, see https://<PAM_IP>/rest_api.
For information about hardware requirements, supported operating systems and browsers, see Privileged Account Manager 3.7 System Requirements and Sizing Guidelines.
For information about installing Privileged Account Manager 3.7, see the Privileged Account Manager Installation Guide.
You can upgrade to Privileged Account Manager 3.7 from Privileged Account Manager 3.6 or later. When you upgrade PAM to version 3.7, rollback of packages to PAM 3.6 or an earlier version is not supported.
WARNING: When you upgrade an Application SSO package from a previously installed version, the target server reboots automatically. Plan your downtime accordingly.
For information about upgrading to Privileged Account Manager 3.7, see Upgrading Privileged Account Manager in the Privileged Account Manager Installation Guide.
Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Section 6.1, Privileged Single Sign-on to Microsoft Edge is not Supported
Section 6.3, Secure Shell Java Terminal Displays Random Characters Instead of the Typed Characters
Section 6.4, Unable to Refresh Data In Access page While Using Internet Explorer 11
Section 6.5, Time Zones Are Different In Reports and Keystrokes
Section 6.7, Moving Multiple Objects Does Not Work in Command Control Console
Section 6.8, RDP Relay Does Not Work When Network Level Authentication Is Enabled
Section 6.10, PAM Fails to Send Emails When SMTP Has SSL and Authentication Enabled
Section 6.11, Cannot Launch SSH Relay Session From User Console in FIPS Mode
Workaround: Use any supported browser other than Microsoft Edge. (Bug 1155981)
Issue: In some rare scenarios, replication in the Command Control module is inconsistent. As a result, the Backup Manager processes newly created Command Control rules inconsistently, and the rules fail intermittently. (Bug 1039518)
Workaround: Promote the existing Primary Command Control module so the replication thread pushes the latest configuration to all the Backup Managers.
For more information, see the Knowledge Base Article 7022994.
Issue: The SSH Java terminal displays random characters instead of the typed characters on a Java SSH relay connection to certain network switches. (Bug 1086870)
Workaround: Use an alternative SSH client such as command-line SSH, PuTTY, or MobaXterm instead of Java SSH.
Issue: When you click Refresh in the Access page, the updated data is not displayed. (Bug 1095367)
Workaround: Click Refresh in the Internet Explorer browser instead of Refresh in the Access page.
Issue: For certain Linux and Unix sessions, the time zone for Start Time is different in the Reports and Keystrokes. (Bug 1041802)
Workaround: There is no workaround at this time.
Workaround: Install the PAM license immediately after deploying the PAM manager. If the license is added later, re-register the agents after you add a new license. (Bug 1100050)
Issue: Selecting and moving multiple objects by using the Shift/Ctrl key does not work. (Bug 915307)
Workaround: There is no workaround at this time.
Issue: RDP Relay fails with the error "The remote computer requires Network Level Authentication, which your computer does not support." when Network Level Authentication (NLA) is enabled on the host. (Bug 774061)
Workaround: Perform the following steps to disable NLA on the remote desktop session host:
Click Control Panel > System > Remote Settings.
Deselect Allow connections only from computers running Remote Desktop with Network Level Authentication and click OK.
For more information about using PAM application SSO where NLA can be enabled, see the Knowledge Base Article 7020137.
Issue: Audited Command Filter and Session End Filter are not available in the new administration console. (Bug 1130821)
Workaround: Continue using Audited Command Filter and Session End Filter in the old administration console. For Session End Filter, the alternate solution is to use Session Start Filter with the before and after match conditions in the new administration console.
Workaround: Use an SMTP server that does not have SSL and Authentication enabled. (Bug 1128134)
Workaround: Launch the SSH relay session using any standard SSH client. (Bug 1109771)
Issue: When SLES 12 SP4 is upgraded to the latest krb5 package, Password Management and Windows Credential Checkout stop working. (Bug 1158344)
Workaround: Downgrade the krb5 package to the one supplied with Base SLES 12 SP4. This functionality is validated against the krb5-1.12.5-40.28.2.x86_64 package.
For more information, see the Knowledge Base Article 7024313.
For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.
Additional technical information or advice is available from several sources:
Product documentation, Knowledge Base articles, and videos: https://www.microfocus.com/support-and-services/
The Micro Focus Community pages: https://www.microfocus.com/communities/
© Copyright 2019 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see http://www.microfocus.com/about/legal/.