20.2 Password Management for Windows, Active Directory, Linux, and Network Devices

For changing these resource passwords, PAM uses tasks. A task contains the script that must be executed for the password change and the scheduling option required to execute the script. Tasks are associated with a vault. For more information about vaults, see Contextual Help. By default, every vault has a password change task associated with it. This task is executed for the credentials in the vault that have the Password Change option set to Yes.

In addition, if you want to perform any automated task after a password change, you can add it as a service task. For example, if you want to perform a backup after changing the account password, you can define it as a service task. Service tasks are custom tasks for which you need to create a custom script and add it to the task. For more information about the template for creating a custom script, contact Customer Support.

  • For Windows and Active Directory:

    PAM provides out-of-the-box scripts to change the password of Windows local machine accounts and Active Directory accounts.

    In addition to Windows account password change, PAM also provides the capability to change the password of service accounts. PAM provides out-of-the-box scripts to change the password of service accounts such as Windows Services, COM+, Task Scheduler, and IIS Pool. For other service accounts, you can define a custom script for password change and associate it with a service task.

    These service account tasks are executed only for those credentials that have the appropriate service account associated with them. This association can be defined when adding a credential. When you add a credential for Active Directory, PAM lets you define the machines where the credential is used for service accounts. This helps in end-to-end password change of Active Directory accounts.

  • For Linux and Network Devices:

    PAM provides out-of-the-box scripts to change the password of Linux and network devices that can be connected to using the SSH protocol. PAM can rotate either the password or the SSH key that is configured for a credential.

    If you want to change the password of associated service accounts, you can define a custom script for service account password change and associate it with a service task.

For more information about configuring tasks and scripts, see Contextual Help.

The following sections explain in detail the prerequisites for configuring Password Management and the checklist for configuring Password Management in an upgraded PAM environment.

20.2.1 Prerequisites

  • Ensure that the Task Manager module is installed.

    • The task manager component of PAM (taskmanager) is supported only on Windows, SLES 12 (64-bit), SLES 15 (64-bit), RHEL 7.5 (64-bit), or RHEL 8 (64-bit).

      NOTE:

      • For RHEL 8 (64-bit) and RHEL 7 (64-bit), install the redhat-lsb-core package.

      • For RHEL 8 (64-bit) and SLES 15 (64-bit), install the lsb-release package.

    • If you want to configure the task manager on a separate agent, you must first install the Privileged Credential Manager package (prvcrdvlt) and the Access Manager package (auth), and then install the Task Manager (taskmanager) module on the agent.

    • If you have multiple host domains in PAM, you must have the Task Manager module installed on every host domain.

      For more information about installing a package in PAM, see Installing Packages on a Host.

    • If you have configured a Windows machine as the task manager, ensure the following:

      • PowerShell 4.0 or later must be installed on the Windows machine where you are installing the Task Manager module.

      • The Windows Remote Management (WinRM) service must be running on the Windows machine. To start the WinRM service, use the command:

        Enable-PSRemoting -Force

      • Add the target machine, where the password must be changed, to the WinRM trusted hosts. To add all servers as trusted hosts, use the command:

        winrm set winrm/config/client '@{TrustedHosts="*"}'

      • Set the PowerShell execution policy to RemoteSigned using the command:

        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

  • Ensure the following is done on the target machine where the password must be changed:

    • On a Windows machine:

      • PowerShell 2.0 or later must be installed on all Windows target machines because PAM uses PowerShell scripts to change passwords.

      • The Windows Remote Management (WinRM) service must be running on the Windows machine. To start the WinRM service, use the command:

        Enable-PSRemoting -Force

      • The IP address of the task manager must be added to the trusted hosts of the target machine. To add a trusted host, use the command:

        winrm set winrm/config/client '@{TrustedHosts="x.x.x.x"}'

    • On an AIX machine, configure the following:

      • Specify AcceptEnv LC_ALL in the sshd_config file.

      • Restart the sshd service.
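The following PowerShell script is an added example and is not part of the PAM documentation or the product. It checks the WinRM prerequisites listed above for both the task manager host and the Windows target machines (PowerShell version, WinRM service state, execution policy, and the TrustedHosts list) and, when run with -Apply, configures them. The address 192.0.2.10, the parameter names, and the -MinimumPSVersion default are constructed placeholders and assumptions; replace them with the addresses of your task manager or target machines.

```powershell
# Added example, not from the PAM documentation: check and optionally apply the
# WinRM prerequisites for the task manager host and Windows target machines.
# 192.0.2.10 is a constructed placeholder for the task manager's IP address.
param(
    [string[]]$TrustedHosts = @('192.0.2.10'),   # hosts this machine must trust (placeholder)
    [int]$MinimumPSVersion = 4,                  # 4 on the task manager, 2 on a target machine
    [switch]$Apply                               # without -Apply the script only reports findings
)

$issues = @()

# 1. PowerShell version
if ($PSVersionTable.PSVersion.Major -lt $MinimumPSVersion) {
    $issues += "PowerShell $($PSVersionTable.PSVersion) found; $MinimumPSVersion.0 or later is required"
}

# 2. WinRM service must be running (Enable-PSRemoting -Force starts it and adds the listener)
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if (-not $winrm -or $winrm.Status -ne 'Running') {
    $issues += 'WinRM service is not running'
}

# 3. Execution policy must allow the password change scripts to run
$policy = Get-ExecutionPolicy
if (@('Restricted', 'AllSigned') -contains $policy) {
    $issues += "Execution policy is $policy; RemoteSigned is required"
}

# 4. TrustedHosts: every expected host must be listed; a wildcard is reported as a finding
$current = ''
if ($winrm -and $winrm.Status -eq 'Running') {
    $current = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value
}
$listed  = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @($TrustedHosts | Where-Object { $listed -notcontains $_ })
if ($listed -contains '*') {
    $issues += 'TrustedHosts is "*": the WinRM client will authenticate to any host'
} elseif ($missing.Count -gt 0) {
    $issues += "TrustedHosts is missing: $($missing -join ', ')"
}

if ($issues.Count -eq 0) {
    Write-Output 'All WinRM prerequisites are satisfied.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}

if ($Apply) {
    Enable-PSRemoting -Force
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    # Replace the wildcard (if present) with the explicit list, keeping other existing entries
    $keep  = @($listed | Where-Object { $_ -ne '*' })
    $value = ($keep + $TrustedHosts | Select-Object -Unique) -join ','
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $value -Force
}
```

Run it on the task manager with the target machines' addresses in -TrustedHosts, and on each target machine with -MinimumPSVersion 2 and the task manager's address. Listing hosts explicitly, as in the documentation's second winrm command, limits which machines the WinRM client will send the task manager's credentials to; TrustedHosts="*" removes that limit, which is why the script reports the wildcard as a finding and replaces it with the explicit list when -Apply is used.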

20.2.2 Configuring Password Management

To configure PAM to change (rotate) the password of any resource, you must set the Password Change option in the resource configuration to Yes and ensure that all the password change tasks are enabled. If the Password Change option is set to Yes in a resource, this configuration is inherited by all credentials in that resource. However, you can override it in the credential configuration. To modify the password management options of a resource, click Credential Vault > Vault Type > Vault Name > edit icon next to the required resource.

20.2.3 Configuring Password Management in an Upgraded Setup

After upgrading PAM, if you want to enable password management, perform the following:


  1. Review the prerequisites and ensure all the required configurations are complete.

     Go To: Prerequisites

  2. Review all password change and service tasks associated with the vault and update the schedule on which each task must be executed.

     Go To: Credential Vault > Vault Type > Vault Name > Associated Task > click edit icon next to the task

  3. (Conditional) By default, the out-of-the-box password policy provided by PAM is associated with every vault. You can choose to use the default policy or create a new policy and associate it with the vault.

     Go To: Credential Vault > Password Policies > Help icon

  4. Perform the following on all the resources:

    1. Edit the resource and set the Password Change option to Yes. Also, review and modify all password management options, such as the reconcile account.

      These password management values are inherited by all credentials in the resource.

    2. (Conditional) If you do not want PAM to change the reconcile account password, set the Password Change option to No in the appropriate resource credential.

      We recommend that you set Password Change to No for the reconcile account. Also, you must have one local administration account that is not managed by PAM, to resolve any password change issues.

    3. (Conditional) For Windows, if the credential is used as a service account, you must edit the credential and modify the service association.

    4. (Conditional) For Active Directory, if the credential is used as a service account on any Windows machine, you must add the Windows machine to the credential and update the service association.

     Go To: Credential Vault > Vault Type > Vault Name > click edit icon of the required resource

     Go To: Credential Vault > Vault Type > Vault Name > Resource Name > click edit icon of the required credential

20.2.4 Disabling Password Management

You can disable password management at the task level or at the resource level.

  • At the resource level, you can disable password rotation (change) for all credentials or for a specific credential in a resource.

    To disable password management for all accounts in a resource, edit the resource configuration and set Password Change to No. Similarly, to disable password management for a credential, edit the credential configuration and set Password Change to No.

  • At the task level, you can disable the password change task of any vault to stop execution of the task.

    Before you disable any task, review and resolve all the errors related to the task on the failed reports page, because reports related to a disabled task are not displayed.