A credential vault is a storage location for shared account and resource credentials such as user IDs and passwords. Privileged Account Manager uses the Enterprise Credential Vault database to manage and secure the details and credentials of various domains. Because the Credential Vault supports an embedded database, you do not need to rely on a third-party database component. A privileged user can use these credentials to connect to endpoints such as systems, databases, and applications. You can encrypt this database; by default, the credentials are stored in encrypted form. On the home page of the console, click Credential Vault to view all the credentials of the resources available in Privileged Account Manager.
On the home page of the console, click Credential Vault.
Click +Add.
Select one or more resources based on your requirement.
Application: Applications, SSO
Certificate Issuer: PKI, SSH
Cloud: Amazon Web Services
Database: Oracle, Microsoft SQL Server, MySQL Server, Sybase, PostgreSQL, MariaDB, IBM DB2
Key: SSH Keys, Windows Keys, VMWare Keys, Custom Keys
LDAP/Active Directory: Active Directory, NetIQ eDirectory, OpenLDAP
Linux/Unix/Network Device: SSH (select one of the following terminal types: ansi, Linux, vt100, vt220, xterm, xterm-256color) or Telnet
Windows: Windows Host
Click Credential Vault > Resources > Name > Credentials to add the Username, Password and Privileged Type. Resource Details displays more information about the resource such as Resource Name, Type, and Extended Attributes.
If you have many resources and want to see only a specific type of key, select the resource type in the left pane; all resources of that type are listed in the right pane.
For more information about Resources, see Resource Pools.
To delete a resource, select the delete icon for that resource, or select one or more resources for bulk deletion and click Delete.
To modify a resource, select the edit icon against the resource and make your changes.
You can extend the schema by defining attributes for resources. These attributes allow resources to hold different values, and you can filter and search resources based on them. For example, if you have a large number of similar resources at a specific location, there is otherwise no way to filter them; an extended attribute such as location lets you filter out the resources at that location.
You can add these extended attributes by clicking Credential Vault > Extended Attributes. You can add a maximum of five attributes. After you add the extended attributes, you can define them with values in the resources.
NOTE: The Extended Attributes button is enabled only when at least one resource is present.
Go to Resources > Add Resource. You can also click the Extended Attributes icon in the right pane of the Credential Vault tab on the home page of Privileged Account Manager. You can add a maximum of five extended attributes.
If you want to define the Extended Attribute for an existing resource:
Click the edit icon on the Resource name row. The Edit Resource page is displayed.
Select Extended Attributes from the left pane.
Click Define. The extended attributes you have created are displayed.
Select the attribute/attributes that you want to add for the resource.
Click Define.
Define the value for the selected attributes.
If you have already mapped a value for a specific resource, it is displayed for you to select. If you are entering a new value, you can enter that at this point.
Click Finish.
The value you added and the Extended Attribute is updated and displayed in the Resources page.
NOTE: Another way to define Extended Attributes is while creating a Resource: click Credential Vault > Resource > +Add, define the attributes, and click Save. The maximum number of attributes you can enter is five.
After you have defined the extended attributes, the values are displayed on the screen for easy filtering. For example, if you select the location attribute of Bangalore from the left pane of the console, the resources located in Bangalore are displayed on the right pane.
NOTE: You must always provide a unique value for the attribute.
You can click a single resource you want to modify, or select multiple resources and update their extended attributes in one go.
Select the resources whose attributes you want to update from the Credential Vault > Resource page. Click Modify Resource Attributes. In the Enable Edit column, move the slider to the right to enable editing, provide a value, and click Save. The attribute is then applied to all the selected Resources. For example, if you have selected 100 resources and want to set an attribute value such as department=finance, you can do this in one go: the value is applied to all 100 selected resources as a batch update.
NOTE: If you click Modify Resource Attributes and do not define a value, the previous value of the attribute, if any, is removed.
You can either delete the attributes of a single resource or select multiple resources and delete them in one go.
Select the resources whose attributes you want to delete from the Credential Vault > Resource page. Click Delete Resource Attributes. Select the attributes to be deleted on the Delete the Resource Attribute(s) page, and click Delete. The deletion applies to all the selected Resources. For example, if you have selected 100 resources and want to delete an attribute value such as location=India, you can do this in one go: the attribute is removed from all 100 selected resources as a batch deletion.
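The following is an added example (not Privileged Account Manager code) that models the extended-attribute rules described above: at most five attribute definitions, batch update of many selected resources at once, a blank value on modify removing the previous value, batch delete, and filtering by attribute value. Resource records and attribute names are constructed for the example.

```python
# Added example (not product code): a model of the extended-attribute rules
# documented above. Resources are plain dicts constructed for illustration.
MAX_EXTENDED_ATTRIBUTES = 5


class ExtendedAttributeSchema:
    """Holds the attribute definitions (the 'Extended Attributes' list)."""

    def __init__(self):
        self.names = []

    def define(self, name):
        # Redefining an existing attribute is a no-op; a sixth one is rejected.
        if name in self.names:
            return
        if len(self.names) >= MAX_EXTENDED_ATTRIBUTES:
            raise ValueError("only five extended attributes can be defined")
        self.names.append(name)


def modify_resource_attributes(schema, resources, updates):
    """Batch update: apply each name=value to every selected resource.
    A blank value clears the attribute, matching the NOTE in the text."""
    for name, value in updates.items():
        if name not in schema.names:
            raise KeyError(f"undefined extended attribute: {name}")
        for res in resources:
            if value:
                res["attrs"][name] = value
            else:
                res["attrs"].pop(name, None)
    return resources


def delete_resource_attributes(resources, names):
    """Batch deletion: remove the named attributes from every selected resource."""
    for res in resources:
        for name in names:
            res["attrs"].pop(name, None)
    return resources


def filter_resources(resources, **criteria):
    """Left-pane filter, e.g. filter_resources(res, location="Bangalore")."""
    return [r for r in resources
            if all(r["attrs"].get(k) == v for k, v in criteria.items())]
```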
The following use case illustrates the Credential Vault workflow.
This use case shows how to configure the Oracle database vault type using the following procedure:
Click Credential Vault > Resources > +Add New and select the resource.
In the General tab, specify the name of the database. This name is used along with the Credential to authenticate. If you do not provide the correct domain name, user authentication fails.
Complete the details.
Connection Details
Connect String: Specify the string that is used to reset the password in the database and check in the password.
Connect As: Select SYSDBA or Default. If you want Privileged Account Manager to perform the password check-in process, click Test Connection to verify the connection to the database server.
Password Change on Check-in: Depending on the option you select, the password of the application is changed automatically every time a credential is checked in.
Never: Use this option if you do not want the password to change after every credential check-in.
Delegate to Identity Manager: Select this option if you want to delegate the password check-in process to Identity Manager. Once a resource is created in Identity Manager, it is synchronized to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password rotation is handled by Identity Manager. For details, see the Identity Manager Driver Implementation guide on the PAM documentation page.
NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, because 4.5.x is the version currently supported with Privileged Account Manager.
NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.
Internal: Use this option if you want Privileged Account Manager to manage the password change.
Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, Default Password Policy is selected. You can either modify the default password policy or create a new one.
Password Policy, User Name, Password: Complete these fields.
Click Next.
In the Proxy Connector tab, complete the details.
Database IP Address: Specify the IP address or the Host Name of the Database.
Database Port: Specify the Database port number.
Connection Protocol: Select TCP or TCPS.
Database SSL Version: If you selected TCPS, select either Any or a specific database SSL version from the drop-down list.
DBAudit Servers: Select either All or Selected servers, and specify the proxy port.
Click Next.
In the Custom Attributes tab, click Add.
In the Name field, specify the name of the custom attribute. For example, Expiration date.
In the Value field, specify the value for the attribute. For example, the date you want the entity to expire.
Repeat steps 4 through 6 for any other custom attributes you want to add.
Click Next.
In the Extended Attributes tab, click +Define and select the relevant attributes from the list.
Click Finish.
Enter Privileged Account Manager user credentials and log into the user interface.
In the Privileged Account Manager console, click My Access > Checkouts, and then click the check-out icon against the Oracle resource.
A Credential Checkout pop-up page is displayed. Enter the Access Duration, Email ID, and Reason for accessing the resource, and click Check Out.
NOTE: From Privileged Account Manager 4.2 onwards, an option is provided for you to select the user or the role whose password is checked out. To see this option, you must have added a privilege type. Additionally, you must have enabled the Allow selection by user option on the Access Control > Assignments > Permissions > Checkout Options page. For more information, see Section 5.1.3, Defining Privileged Type for a Credential.
Note the credentials provided, open the Oracle server, enter the same credentials from the Credential Checkout page, and click sign in. You are now logged into the Oracle database and can proceed with your tasks.
After using the credentials, you can check them in using the following procedure.
Enter Privileged Account Manager user credentials and log into the user interface.
In the Privileged Account Manager console, click My Access, and then click the Check-in icon against the Oracle resource. The message "Credentials Checked in successfully" is displayed. You can now verify that you can no longer access the Oracle database using the earlier credentials.
The administrator can monitor this activity by navigating to Reports > Built-in Reports > Credential Checkouts to access the report using the Privileged Account Manager console.
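The check-out and check-in life cycle described in this use case, as an added example (not Privileged Account Manager code): on check-in the password is rotated according to the resource's Password Change on Check-in setting, so with Internal the credential handed out at check-out stops working, while with Never it does not; each check-out is recorded with its duration, email and reason as the rows a Credential Checkouts report would draw on. The 16-character alphanumeric password generator stands in for a configured Password Policy and is an assumption of the example.

```python
# Added example (not product code): model of credential check-out / check-in
# with password rotation on check-in and an audit trail of check-outs.
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits

def generate_password(length=16):
    # Stand-in for the configured Password Policy (assumption: 16 alphanumerics).
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class VaultedCredential:
    def __init__(self, resource, username, password, change_on_checkin="Internal"):
        self.resource, self.username, self.password = resource, username, password
        self.change_on_checkin = change_on_checkin   # "Never", "Internal" or "Delegate"
        self.checked_out_by = None
        self.expires_at = None
        self.audit = []                              # rows for the check-outs report

    def check_out(self, user, duration_minutes, email, reason, now=None):
        if self.checked_out_by is not None:
            raise PermissionError("credential already checked out")
        now = now or datetime.now(timezone.utc)
        self.checked_out_by = user
        self.expires_at = now + timedelta(minutes=duration_minutes)
        self.audit.append({"event": "checkout", "user": user, "email": email,
                           "reason": reason, "resource": self.resource, "time": now})
        return self.username, self.password

    def check_in(self, user, now=None):
        if user != self.checked_out_by:
            raise PermissionError("only the holder can check in")
        now = now or datetime.now(timezone.utc)
        if self.change_on_checkin == "Internal":
            self.password = generate_password()      # PAM rotates the password itself
        elif self.change_on_checkin == "Delegate":
            pass  # rotation is handed to the Identity Manager driver (not modelled)
        self.checked_out_by, self.expires_at = None, None
        self.audit.append({"event": "checkin", "user": user,
                           "resource": self.resource, "time": now})
        return "Credentials Checked in successfully"

    def authenticate(self, username, password):
        # What the target (for example the Oracle server) would check after rotation.
        return username == self.username and secrets.compare_digest(password, self.password)
```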
The resource filter simplifies searching in scenarios with thousands of locations and more than 400 location-based networks.
Consider Mike, a network administrator. Operational equipment such as sensors, actuators, and controllers is located in the production network. Privileged Account Manager is located in both the office network and the standard client, but there is no connection between the office network and the internal network. Mike requires access to a resource in the production network. He uses his network device to access Privileged Account Manager and selects the credentials based on the three components of location, network, and resource. If Mike has thousands of Resources at the same location with the same application type, selecting the specific resource becomes challenging. You can type the Resource type in the Find Types search field for easy filtering, and you can also select a combination of Key Type, Location, and Department for more granular filtering.
Consider Susan, a network administrator in a chemical plant. A resource is added in the production environment and Susan has to add that resource along with the credentials in Privileged Account Manager. She can define a privileged type for a single resource. She can categorize the credentials in the resource based on the attributes such as finance, HR, or engineering.
You can assign a role for a credential. For example, consider that Luke is a Shift Leader of a chemical plant. What is the privileged role you want to assign to Luke based on his responsibilities? If you want to delegate both modify and delete permissions, you can assign an Admin role to Luke. In a similar way if Susan is a Shift Leader also in the chemical plant, to distinguish her role from Luke’s and based on her responsibilities, you can assign an Associate’s role to Susan. This is referred to as Privileged Type of the Resource. A string is associated with a credential and this value will be displayed during credential checkout. An administrator can restrict the credential based on the privileged type.
While checking out a credential, as an administrator you can select which role or user credential you want to check out.
NOTE: Privileged Type is mainly used for check-in and check-out of Application and Database credentials. For other resource types, you can store it and use it as a filter.
Follow the procedure to add the privilege type.
Go to Credential Vault.
Click an Application or Database credential count from the second column. The Credentials page is displayed.
Click the + icon against the Resource Count column.
In the Add Credential page enter the User Name, Password and Privilege Type.
Click Add.
The credential is listed under the Privilege Type column. These credentials are presented when you check out a resource's credentials or when you want to change a specific user's password from the My Access page.
Clicking on the root path (/) allows you to View Policy.
You must click +Add Policy to create a policy for the specific resource group from the Policy and Path Details page. Specify the details in the Create Policy dialog box.
Name: Specify a name for the policy.
+Add: Add the groups by selecting from Local or LDAP Groups.
The policy that you create applies to the specific groups you have selected, for example, API users.
A user can view a path only if the user is a path administrator or an owner of that path; otherwise, the user gets an "access denied" error. A user must be part of a permission to be able to view the path. To grant the appropriate permission, create a user group with the following mandatory permissions: go to Users, click edit to modify Permissions, and under Credential Vault select the following:
View Credential Vault Console
View Resources and Credentials in Credential Vault
Add and Modify Resources and Credentials in Credential Vault
You can create path using the following procedure:
Go to Credential Vault.
From the left pane, click +.
Add the Path name.
Add the groups by selecting from Local or LDAP Groups.
Enable Recursive if you want to populate the resources of the selected path recursively.
Click Create.
You can configure the privilege type by clicking Credential Vault > Resources. If you have defined credentials in the vault, you can use a credential as the privilege type. Edit any resource to define the privilege type. The privileged type attribute allows the user to access only the privileges attributed to that role.