PowerBroker Password Safe
Administration Guide
Version 6.8 – December 2018
Revision/Update Information: December 2018
Software Version: BeyondInsight 6.8
Revision Number: 2
CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2018 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another
language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or
consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other
legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names
of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned
in this document.
Contents
Overview 9
Securing the Perimeter Within 9
BeyondInsight Password Safe Architecture 9
PowerBroker Password Safe Scalability 9
Active/Active Deployment Model 10
Password Safe Public API 11
PowerBroker for Windows Integration 11
Supported Platforms 12
Port Requirements 13
Getting Started 14
Logging on to the Console 14
Selecting a Display Language 14
Navigating the Console 14
Changing Your Logon Password 15
Resetting Your Password 15
Configuring Password Safe System Settings 16
Configuring Global Settings 16
Mail Templates 17
Creating a Password Rule 18
Ticket Systems 19
API Registration 19
Managed Account Aliasing 21
Agent Configuration Details 21
Configuring the Password Change Agent 21
Configuring the Mail Agent 22
Session Monitoring 22
Password Test Agent Configuration 23
Access Policies 23
Creating an Access Policy 23
Configuring a Connection Profile 26
Using a Predefined Connection Profile 28
Managed Account Caching 28
Onboarding Systems and Accounts 29
Onboarding Workflow 29
Creating a Functional Account 29
Overriding a Functional Account Password 30
Adding a System 30
Configuring Password Management Settings 32
Adding an Account 33
Adding a System Using a Smart Rule 34
Adding Accounts Using a Smart Rule 35
Managed Systems 38
Contents
Password Safe Administration Guide iii © 2018. BeyondTrust Software, Inc.
Setting the Account Name Format 38
Importing an SSH Key Using a Smart Rule 38
Managing the SSH Keys 39
Viewing Managed System Details 40
Managed Accounts 42
Viewing Managed Accounts 42
Viewing Managed Account Details 42
Deleting Managed Accounts 43
Unlinking Managed Accounts 44
Changing Passwords for Managed Accounts 44
Configuring Subscriber Accounts 45
Configuring Password Reset for Managed Accounts 45
Using a Managed Account as a Retina Scan Credential 45
Using DSS Authentication 47
Generating and Distributing the Key 47
Creating a Functional Account with DSS Authentication 47
Creating a Functional Account on the UNIX or Linux Platform 49
Testing the Functional Account 49
Setting DSS on the Managed Account 50
DSS Key Auto Management 51
Get the Public Key 53
Creating a DSS Key Rule 53
Session Monitoring 55
Setting up Session Monitoring 55
Configuring Listen Host and File Location 55
Setting Session Monitoring Screen Resolution 55
Personalized Notification Images 56
Password Masking 57
Viewing Recorded Sessions 58
Viewing Recorded Sessions in a Multi-Node Environment 59
Keystroke Logging 59
Enhanced Session Auditing 60
Keystroke Search 63
Keystroke for Active Sessions 63
Session Frame Export 63
Admin (Ad Hoc) Sessions 64
Concurrent Sessions 65
Active Sessions 66
Locking an Active Session 66
Terminate an Active Session 67
Terminate and Cancel an Active Session 68
Archiving Recorded Sessions 68
Archiving Sessions and Restoring Archived Sessions 69
Remote Proxy Sessions 69
Viewing Agents 70
Displaying Nodes in Password Safe 70
Adding Windows Components 71
Windows Systems Managed Accounts 71
Adding a Directory 72
Adding Directory Accounts 72
Adding Directory Accounts Manually 73
Discover Active Directory Accounts with an Active Directory Query 73
Linked Accounts 74
Creating an Active Directory Functional Account 74
Adding Windows Services 75
Set up the Service Report 75
Prepare the Services 75
Run a Scan on the Service Assets 75
Troubleshooting Changes 76
Adding Applications 78
Adding an Application 78
Encryption Module for RemoteApp 79
Associating the Application to a Managed Account 80
Setting up the Access Policy 80
Setting up the Role Based Access 80
Using AutoIt Passthrough 81
AutoIt Script Details 81
Adding SAP as a Managed System 82
Requirements 82
Setting up the Functional Account 82
Adding SAP 82
Changing Passwords on Managed Accounts 83
Adding a Cloud Application 84
Requesting an Application Session 86
SSH and RDP Connections 87
Requirements for SSH 87
Supported SSH Client Ciphers 87
Auto-Launch PuTTY Registry File 88
Supported SSH Session Protocols 88
Multiple SSH Sessions 88
Login Accounts for SSH Sessions 89
Manually Enabling Login Accounts 89
Enabling Login Accounts with a Smart Rule 90
Direct Connect 91
Requesting an SSH Session 91
Requesting an RDP Session 91
Using a Two-Factor Authentication Token 92
Troubleshooting Connections 92
RDP Sessions 93
Certificate Authentication 93
Smart Sizing 94
Font Smoothing 94
Configuring Ports 94
Adding Databases 95
Auto Discovery and Management for Database Instance 95
Manual Management for Database Instances 96
Managing Database Instance Accounts 100
Creating a Functional Account for a SQL Server Database 101
Permissions and Roles in SQL Server 101
Creating the Account in SQL Server 101
SQL Server Instance Port Retrieval 104
Adding a PostgreSQL Database Instance 105
Creating Accounts in PostgreSQL 105
Adding the PostgreSQL Instance to Password Safe 106
Configuring Settings on the Oracle Platform 107
Adding the Functional Account 107
Permissions for the Functional Account in Oracle 108
Creating the Functional Account in Oracle 109
Setting Up the Host 110
Using Encrypted Connections 111
Setting up a TOAD® Connection 111
Configuring a TOAD Connection 111
Requesting a TOAD Connection 113
Adding a Custom Platform 114
Creating a Custom Platform 114
Configure the Steps Tab 115
Cloning a Custom Platform 118
Exporting a Custom Platform 118
Importing a Custom Platform 118
Example of Linux Platform 119
Working with Smart Rules 120
Overview 120
Predefined Smart Groups 120
Considerations When Designing Smart Rules 121
Smart Rule Processing 121
Changing the Processing Frequency for a Smart Rule 121
Dedicated Account Smart Rule 123
Using Quick Groups 124
Changing Quick Groups in the Smart Rules Manager 125
Changing the Password for Users 125
Role Based Access 126
User Group Permissions 126
Password Safe Roles 127
Asset or Managed Account Smart Rule 128
Creating a User Group and Assigning Roles 128
Recorded Session Reviewer and Active Session Reviewer Roles 129
Quarantine User Accounts 129
Setting the Refresh Interval on the Quarantine Cache 130
Configuring API Access 130
Creating a User Group with API Access 130
Managed Account Settings 131
Restricting Access to Password Safe Logon Page 131
Configuring Approvals 131
Using a Managed Account as a Credential 132
Configuring the Managed Account 132
Configuring the Query 133
Configuring the Group 134
LDAP Directory Groups 134
Logging in with LDAP Directory Account 135
Real Time Authorization 135
Multi-Node and Multi-Tenant Environments 137
Overview 137
Creating a Password Safe Agent 137
Assigning a Workgroup to a Password Safe Agent 137
Viewing Agents Assigned to a Workgroup 137
Assigning a Workgroup to a Managed Account 138
Which Agent Made the Last Change on the Account? 139
Multi Tenant 139
Synced Accounts in a Multi Tenant Environment 140
Third Party Ticket Systems 141
Configuring Remedy 141
Configuring CA Service Desk Manager 142
Using a Functional Account for Access 143
Using a PKI Certificate Access Policy 145
Configuring Jira Ticket System 147
Configuring ServiceNow 148
Reports in BeyondInsight Analytics and Reporting 152
Advanced Systems Integration 153
PowerBroker for Unix & Linux Integration 153
Example Policy 153
Password Safe Web Portal 155
Navigating the Password Safe Web Portal 155
Password Release Process 156
Request for Password Release 156
Reviewing a Password Request 157
Approving or Denying the Password Release 158
Retrieving a Password 158
Authentication Mechanisms 159
Multi-System Checkout 159
Making the Request 159
Approving the Request for Multi-System Checkout 160
OneClick Feature 161
OneClick Bypass SSH Landing Page 161
Admin Sessions 162
Enforcing Session End Time 163
Requesting Remote Proxy Sessions 163
Appendix A 165
Remedy Connector 165
Exporting the CA Certificate 165
Importing the Certificate 169
LAN Manager Authentication Setting 170
How to Enable UAC Setting 170
Third Party Authentication 171
Smart Card Authentication 175
Configure Smart Card Authentication in BeyondInsight 175
Verify the Server Certificate 175
Verify the Web Server Certificate 176
The Default Web Site Bindings 177
BeyondInsight Configuration 179
RADIUS Multi-Factor Authentication Using Duo 181
Example Logon Page 182
Appendix B: Software Installation 183
Installation Overview 183
Installing Password Safe License 183
Appendix C: Email Notifications 185
Local Accounts 185
Domain Accounts 186
Overview
Password Safe is supported on a UVM hardened appliance that creates and secures privileged accounts through
automated password management, encryption, secure storage of credentials, and a sealed operating system.
Configure Password Safe to monitor and manage passwords.
Securing the Perimeter Within
Password Safe is your privileged access management solution to ensure your resources are protected from insider
threats.
Using Password Safe, you can restrict access to critical systems, including assets and applications, keeping them
"safe" from potential inside threat risks.
BeyondInsight Password Safe Architecture
PowerBroker Password Safe Scalability
Note: Figures on UVMv20 assume memory/CPU are at maximum (32GB RAM | 2/4 CPU).
Appliance | Max Managed Accounts | Max Concurrent Sessions
UVM20 (Physical) | 30,000 | 300
UVMv20 (Virtual) | 30,000 | 300
UVM50 (Physical) | 250,000 | 600
Active/Active Deployment Model
The Active/Active deployment model is available for any mix of hardware and virtual appliances as well as software
installation. It requires the use of an external database – we recommend Microsoft SQL Server AlwaysOn for
scalability, but Password Safe has also been tested against SQL Standard and Enterprise editions (2012, 2014, and
2016).
As many appliances as required can be configured to connect to the database. In this case, all appliances can be
used at once, and are fully redundant; if one goes down, you switch to an alternative. AlwaysOn Availability Groups
may be configured with a mix of synchronous commit and asynchronous commit replicas to provide real-time
database redundancy.
The following deployment sections are provided as a high-level overview scenario.
Single Site Deployment
A single site can contain a number of appliances for redundancy.
In this scenario, a pair of replicas is configured for synchronous commit within an external AlwaysOn Availability
Group; this provides database redundancy. Three appliances are connected to the external address of the
Availability Group. One is configured with a management console role, the other two are ‘worker nodes’. Access to
appliances can be made directly, or via load balancer. Both appliances can be used simultaneously; session
recordings will be stored on the appliance in use – recordings may optionally be sent to a separate archive server
based on disk utilization and/or retention.
Multi-Site Deployment
In this example, multiple datacenters are connected to an AlwaysOn Availability Group. It can be seen that many
more appliances can be added, each with varying roles: Scanners; Event Servers; Password Portals, Session
Managers; Password Management.
Behind load balancers, appliances can be added for redundancy and scalability; for example, session managers
configured to send recordings to archive servers can be brought down with no loss of data or functionality. In this
example, an additional async commit replica has been added to provide a DR capability. An additional appliance in
the DR site is pointed to the DR replica for retrieval of passwords if access to the main infrastructure is lost. As
many appliances may be added as required, and pointed at the availability group.
Note that only one manager service is supported but this may be configured to failover to a secondary appliance.
Also note that SQL Server has a single master model, therefore only one replica will have write access at any one
time; however, replicas may be located in multiple locations for the event of database failover.
Password Safe Public API
For a complete and comprehensive list of the Password Safe Public API, and details on how to migrate from v1 and
v2 of the API, refer to the PowerBroker Password Safe API Guide.
PowerBroker for Windows Integration
For information on PowerBroker for Windows integration, refer to the PowerBroker for Windows User Guide.
Supported Platforms
The following platforms can be added as managed systems.
Platforms
• Active Directory
• AIX
• ASA firewall 5520
• BIG-IP (F5)
• Checkpoint
• Cisco Catalyst 2900 Switch (IOS 12)
• Cisco 1700 (IOS 12.3)
• Cisco 2600 (IOS 12.2)
• Cisco 3700 (IOS 12.4(3))
• Cisco 7200 (IOS 12.4)
• Cisco 7200 (IOS 15.0)
• Cisco Cloud Services Router CSR1000V (IOS-XE)
• Cisco Nexus 1000v VXLAN Gateway (NX-OS)
• Cisco Secret
• DRAC
• Fortinet
• HP Comware
• HP iLO
• HP-UX
• IBMi (AS400)
• Juniper
• Linux
• Mac OSX
• MS SQL Server
• Oracle 10g Release 2 (or later)
• Palo Alto Networks
• RACF
• SAP NetWeaver
• Solaris
• Sybase ASE
• vSphere SSH
• vSphere Web API
• Windows
• Windows SSH
• PIX firewall 525 (PIXOS)
• SonicOS
Port Requirements
Functionality | Service | Port | Protocol | Requirements/Notes
System Discovery
User Enumeration | nb-ssn | ms-ds | 139 | 445* | TCP |
Hardware Enumeration | nb-ssn | ms-ds | 139 | 445* | TCP | WMI Service running on target
Software Enumeration | nb-ssn | ms-ds | 139 | 445* | TCP | Remote Registry service running on target
Local Scan Services | ms-ds | 445 | TCP |
Password Change
Windows Password Change | adsi-ldap | 389 | TCP | ms-ds (445/TCP) is used as a fallback
Windows Update/Restart Services | wmi | 135 | TCP | WMI Service running on target
Active Directory Password Change | adsi-ldap | 389 | TCP | ms-ds (445/TCP) is used as a fallback
Unix/Linux/OS X | ssh | 22 | TCP |
Oracle | oracle-listener | 1521 | TCP |
MS SQL Server | netlib | 1433 | TCP |
HP ILO | ssh | 22 | TCP |
Dell DRAC | ssh | 22 | TCP |
Session Management
Remote Desktop | rdp | 3389 | TCP |
SSH | ssh | 22 | TCP |
Appliance
Mail Server Integration | smtp | 25 | TCP |
AD Integration | ldap | 389 | TCP |
Backup | smb | 445 | TCP |
Time Protocol | ntp | 123 | TCP |
HA Replication (pair) | sql-mirroring | https | 5022 | 443 | TCP |
Getting Started
Logging on to the Console
Logging on to the console varies depending on the type of authentication configured for your BeyondInsight
system.
The following authentication types can be used:
• Password Safe Authentication - See Managed Accounts.
• Active Directory - Create a BeyondInsight user group and add Active Directory users as members.
• LDAP - Create a BeyondInsight user group and add Active Directory users as members. See "LDAP Directory
Groups".
• Smart Card - See "Smart Card Authentication".
• RADIUS - Configure multi-factor authentication with a RADIUS server.
• Third Party Authentication that supports SAML 2.0 - For configuration information, see "Third Party
Authentication".
For more information about configuring authentication, refer to the Authentication Guide.
Note: When working in the console, note that times displayed match the web browser on the local computer
(unless stated otherwise).
To log on to the console:
1. Select Start > All Programs > BeyondTrust > BeyondInsight > BeyondInsight Console.
Optionally, open a browser and enter the URL, https://<servername>/WebConsole/index.html
Note that a pre-login banner message might be configured on your system. You must click OK before you can
enter your credentials.
2. Enter your user name and password.
The default user name is Administrator and the password is the Administrator Password you set in the
Configuration wizard.
3. Click Login.
Selecting a Display Language
The BeyondInsight and Password Safe web portal can be displayed in the following languages:
English, Dutch, Spanish, French, Korean, Japanese, and Portuguese
You can select a language from the drop-down list on the Log In page or by clicking the Profile and preferences icon.
Note: The Language Settings menu is not available by default. A BeyondInsight Administrator must enable it in
Site Options.
Navigating the Console
When you log on to the console, the cards displayed provide easy access to your suite of features.
The cards displayed on the Home page vary depending on your license and the permissions assigned to your
console logon account.
Home page cards can include:
• Assets - Displays all the assets discovered during Smart Group processing. Create and manage Smart Groups.
Add assets to Password Safe management here.
• Password Safe - Access the Password Safe web portal. Users assigned access to the web portal can request
passwords and remote access sessions.
• Analytics and Reporting - Access reporting features to run analytics on collected data.
• Managed Accounts - Access and manage properties for managed accounts, managed directories, and managed
cloud applications.
• Configuration - Access configuration settings for the console and Password Safe.
Optionally, click MENU to expand a complete menu structure of the options available. Similar to the cards on the
Home page, the menu items change depending on the license.
Changing Your Logon Password
You can change your logon password for the console.
You cannot change your password:
• If you are logging on with Active Directory or LDAP credentials.
• If your account is currently locked out.
To change your logon password:
1. In the console, click the Profile and preferences icon, and then click Change Password.
2. Change your password, and then click Change Password.
The password must be at least 6 characters but no more than 64 characters.
Resetting Your Password
If you forget your console password:
1. Click the Forgot Password link on the Log In page.
2. Enter your Username.
3. Click Reset Password.
You will receive an email from the console administrator. A reset link is provided in the email. Click the link to
change the password.
Note: Resetting the console password is not available to users logging on with Active Directory or LDAP
credentials.
Configuring Password Safe System Settings
To configure Password Safe, you must configure:
• System settings
• Agent information
Configuring Global Settings
Global settings apply to the Password Safe system.
To set the global options:
1. In the console, select Configuration.
2. Under Privileged Access Management, click PowerBroker Password Safe.
3. Click Global Settings.
4. Set the following:
– Old Password Retention. Minimum Retention Days – Set the number of days to retain old passwords.
The default is 30 days.
– Old Password Retention. Past Passwords – Set the number of days. The default is 5 days.
– Retention Period. Sent Mail Log – Set the number of days to store log entries for sent email. Valid entries
are 1–365. The default is 30 days.
– Retention Period. Admin Log – Set the number of days to store the administrator activity logs. Valid
entries are 30–365 days. The default is 90 days.
– Retention Period. Password Change Log – Set the number of days to store password change logs. Valid
entries are 5–1095 days. The default is 365 days.
– Retention Period. Password Test Results – Set the number of days to store success / failure results for
automated password tests. Valid entries are 10–90. The default is 30 days.
– Retention Period. System Event Log – Set the number of days to store system event logs. Valid entries
are 5–90. The default is 10 days.
– Ticket Settings - Require a Ticket System and Ticket Number for requests.
– Request Settings - Display who has approved sessions, or require a Reason for new requests. Reason is
required for new requests is selected by default.
– Locked Account Settings - Unlock accounts on password change.
– OneClick - Auto Select Access Policy.
– Regular Request / ISA - Bypass SSH Landing Page. This option is not selected (off) by default. When
enabled, this bypasses the SSH landing page when starting an SSH Session / SSH Application Session and
instead directly opens PuTTY. This setting applies to non-OneClick sessions, including Regular Requests / ISA
Requests / Admin Sessions.
– ISA Request - Select the check box to hide the Record Session check box on the Requests page in the
Password Safe web portal.
– RDP Sessions - Allows you to change the default port for all RDP sessions.
– Connecting to Systems Using - Allows you to choose how you want to connect to systems, for example by IP address.
– Session Initialization Timeout - Enter a value, in seconds, for the life of the session token. Range is 5 to
600 seconds. Applies to SSH, RDP, and application sessions.
– Allow user to select a remote proxy when creating sessions - Select the check box if you want users to
access specific BeyondInsight instances. For more information, see "Remote Proxy Sessions".
– Make Smart Card device available in remote desktop sessions - When selected, the user must log on to
the session using Smart Card credentials when configured for the system. The setting applies to all RDP
sessions and is turned off by default. Contact BeyondTrust Technical Support for more information on
using this feature.
– Remote Session Playback (Token Timeout) - When viewing sessions recorded on another node, the
secure token used to establish the connection is only valid for this configurable period of time. The default
value is 30 seconds.
Network traffic can create delays in establishing the connection. Increase the token timeout if you are
experiencing network timeouts. For more information on multi-node session playback, see Viewing
Recorded Sessions in a Multi-Node Environment.
5. Click Update.
Changes made to global settings will be captured in user auditing. To view the User Audit page:
1. In the console click Configuration.
2. Under General, click User Audits.
You will see the type of action performed, the Username who performed it, and 'PMMGlobal Settings' will be
indicated in the Section column. You can click i for the audit item to view more details about the action taken.
Mail Templates
Email notifications are used to alert users on particular Password Safe actions, for example connection profile
alerts, release requests, and password check failures. For a complete list, see Appendix D: Email Notifications.
The subject line and message body for a template can be customized in Password Safe configuration.
To customize an email template:
1. In the console, select Configuration.
2. Under Privileged Access Management, click PowerBroker Password Safe.
3. Click Mail Templates.
4. Select a template type from the list.
5. Type the subject line text.
6. In the Message Body field, add the email text.
To use a message body tag, copy a tag from the Message Body Tags section to a location in the message body.
To include hyperlinks that link directly to the approval and denial pages for a file or password request, use the
:approvallink: and :denylink: message body tags.
7. Click Save.
Creating a Password Rule
Password Safe ships with a default password rule. You can change the settings for the rule but you cannot delete
the rule.
Ensure that the rules you create in Password Safe align with rule complexity and restrictions in place on the
managed system platform. Otherwise, Password Safe might create a password that does not comply with the rules
in place on the managed system platform.
To create a password rule:
1. In the console select Configuration.
2. Under Privileged Access Management, click PowerBroker Password Safe.
3. Click Password Rules.
4. Click + to create a rule.
5. Enter a name and description.
6. Set the following parameters on your rule:
– Minimum and Maximum Characters – Drag the slider to select the shortest and longest password that can
be created. Valid entries are 4 to 128.
– Uppercase Requirements – The allowed or required use of uppercase characters.
– Valid Uppercase Requirements – Select the uppercase characters permitted.
– Lowercase Requirements – The allowed or required use of lowercase characters.
– Valid Lowercase Requirements – Select the lowercase characters permitted.
– Numeric Requirements – The allowed or required use of numeric characters.
– Non-Alphanumeric Requirements – The allowed or required use of non-alphanumeric characters.
– Valid Non-Alphanumeric Characters – Select the check boxes for the non-alphanumeric characters
permitted.
7. Click Create.
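The rule parameters above map naturally onto a small validator and generator. The following is an added example written for this guide, not BeyondTrust code: it models a rule as a length range plus, for each of the four character classes, a mode (disallowed, allowed or required) and the permitted characters of that class, checks a candidate password against the rule, generates a compliant password from the OS CSPRNG, and performs the alignment check the caveat above asks for by comparing a Password Safe rule against a second rule that models the managed platform's own policy. The PasswordRule and ClassRule shapes, the default character sets and the constructed platform policy are assumptions made for this example.

```python
"""Password rule check and generation (added example, not BeyondTrust code).

Models the parameters listed above: minimum/maximum length and, for each of
the four character classes, whether the class is disallowed, allowed or
required together with the characters of that class the rule permits. The
class names, the PasswordRule shape and the default character sets are
assumptions made for this example.
"""
import secrets
import string
from dataclasses import dataclass, field

DISALLOWED, ALLOWED, REQUIRED = "disallowed", "allowed", "required"


@dataclass
class ClassRule:
    mode: str    # DISALLOWED, ALLOWED or REQUIRED
    chars: str   # the "Valid ... Characters" selection for this class


@dataclass
class PasswordRule:
    min_length: int = 4
    max_length: int = 128
    upper: ClassRule = field(default_factory=lambda: ClassRule(REQUIRED, string.ascii_uppercase))
    lower: ClassRule = field(default_factory=lambda: ClassRule(REQUIRED, string.ascii_lowercase))
    numeric: ClassRule = field(default_factory=lambda: ClassRule(REQUIRED, string.digits))
    symbol: ClassRule = field(default_factory=lambda: ClassRule(REQUIRED, "!@#$%^&*"))

    def classes(self) -> dict:
        return {"uppercase": self.upper, "lowercase": self.lower,
                "numeric": self.numeric, "non-alphanumeric": self.symbol}

    def permitted(self) -> str:
        # Characters of a disallowed class must never appear in a password.
        return "".join(c.chars for c in self.classes().values() if c.mode != DISALLOWED)


def violations(password: str, rule: PasswordRule) -> list:
    """Return every way `password` breaks `rule` (an empty list means compliant)."""
    problems = []
    if not rule.min_length <= len(password) <= rule.max_length:
        problems.append(f"length {len(password)} outside {rule.min_length}-{rule.max_length}")
    bad = sorted({ch for ch in password if ch not in rule.permitted()})
    if bad:
        problems.append("characters not permitted by the rule: " + "".join(bad))
    for name, cls in rule.classes().items():
        if cls.mode == REQUIRED and not any(ch in cls.chars for ch in password):
            problems.append(f"{name} character required")
    return problems


def generate_password(rule: PasswordRule, length: int = 16) -> str:
    """Generate a password that satisfies `rule`, using the OS CSPRNG."""
    required = [c for c in rule.classes().values() if c.mode == REQUIRED]
    if not rule.min_length <= length <= rule.max_length or length < len(required):
        raise ValueError("requested length cannot satisfy the rule")
    pool = rule.permitted()
    # One character from every required class, then fill from the permitted pool.
    chars = [secrets.choice(c.chars) for c in required]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the required classes are not always first
    return "".join(chars)


def rule_conflicts(safe_rule: PasswordRule, platform_rule: PasswordRule) -> list:
    """Static check that a Password Safe rule cannot produce a password the
    managed platform rejects (the alignment caveat in the text above)."""
    issues = []
    if safe_rule.min_length < platform_rule.min_length:
        issues.append("Password Safe minimum length is below the platform minimum")
    if safe_rule.max_length > platform_rule.max_length:
        issues.append("Password Safe maximum length exceeds the platform maximum")
    extra = sorted(set(safe_rule.permitted()) - set(platform_rule.permitted()))
    if extra:
        issues.append("Password Safe permits characters the platform rejects: " + "".join(extra))
    for name, cls in platform_rule.classes().items():
        if cls.mode == REQUIRED and safe_rule.classes()[name].mode != REQUIRED:
            issues.append(f"platform requires a {name} character but the rule does not")
    return issues


if __name__ == "__main__":
    safe = PasswordRule(min_length=12)
    # Constructed platform policy for illustration: only three symbols are accepted.
    platform = PasswordRule(min_length=8, symbol=ClassRule(REQUIRED, "!@#"))
    pw = generate_password(safe, 20)
    print(pw, violations(pw, safe), violations(pw, platform))
    print(rule_conflicts(safe, platform))
```

Running the script generates a password that passes the Password Safe rule, then shows that the same password may still fail the stricter platform policy; rule_conflicts() reports the mismatch up front, which is the check to run whenever either policy changes.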
Ticket Systems
Password Safe can be configured to allow references to ticketing systems in the password release requests. This
provides a method to include information that can be cross referenced to an existing trouble ticket or change
control system for auditing purposes, or to be used in the approval process. Password Safe does not interact in
any way with ticket systems, but provides a method to identify the system and ticket number associated with a
specific request.
In BeyondInsight, you can create a list of ticket labels. Later, when a user is requesting a password release, the
ticket systems are listed on the Ticket System menu.
To create a ticket label:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Click Ticket Systems, and then click +.
3. Enter a name and description.
4. Click Create.
API Registration
BeyondInsight provides a way to integrate part of the BeyondInsight and Password Safe functionality into your
applications, using an API key.
Note that the API Registrations page is only available to BeyondInsight Administrators.
For more detailed information on API Registrations using the Auth/SignAppIn API function, see the BeyondInsight
and Password Safe API Guide.
To set up API Registration:
1. In the console, select Configuration.
2. Under General, select API Registrations.
3. Click Create API Registration to create a new registration.
4. Enter a name for the new registration and then click Create.
BeyondInsight will generate a unique identifier (API Key) that the calling application provides in the
Authorization header of the web request. The API Key is masked and can be shown in plain text by clicking the
Show Key icon next to the Key field. The API Key can also be manually rotated, or changed, by clicking the
circular arrow.
Note: Once the key has been changed, any script using the old key will receive a 401 Unauthorized error
until the new key is used in its place. Read access and rotation of the Key is audited.
5. To configure the new registration or modify an existing one, select the registration and then set the
Authentication Rule Options on the registration's Details page.
– Client Certificate Required: If enabled, a client certificate is required with the web request, and if not
enabled, client certificates are ignored and do not need to be present. A valid client certificate is any client
certificate that is signed by a Certificate Authority trusted by the server on which BeyondInsight resides.
– User Password Required: If enabled, an additional Authorization header value containing the RunAs user
password is required with the web request. If not enabled, this header value does not need to be present
and is ignored if provided.
Square brackets surround the password in the header. For example, the Authorization header might look
like the following:
Authorization=PS-Auth key=c479a66f…c9484d; runas=doe-main\johndoe; pwd=[un1qu3];
– Verify PSRUN Signature: The PSRUN signature is an extra level of authentication. It is computed from the
factors using a shared secret between the client and server. PSRUN sends the signature as part of the
header during its API request. If enabled, the server recomputes the signature during factor validation
and compares it against the one sent by the client. If the signatures match, the client's identity is
considered verified. The signature effectively keeps the client in sync with the server. Changing the secret
on the server requires the client to be rebuilt and guarantees that out-of-date clients cannot authenticate.
6. On the registration's Details page, click Add Authentication Rule to create authentication rules. At least one IP
rule or PSRUN rule is required, providing a valid source IP address (IPv4 or IPv6), an IP range, or a CIDR block
from which requests can be sent for this API Key (one IP address, IP range, or CIDR per line).
X-Forwarded-For rules can also be created, providing a valid source IP address (IPv4 or IPv6), an IP range, or
CIDR from which requests can be sent for this API Key. In a load-balanced scenario, IP Authentication rules are
used to validate the load balancer IP(s), and the X-Forwarded-For header is used to validate the originating
client IP. Existing rules cannot be changed from an IP rule to an X-Forwarded-For rule, or vice versa.
If an X-Forwarded-For rule is configured, it is required on the HTTP Request (only a single header is allowed on
the request). If the X-Forwarded-For header is missing, the request will fail with a 401 Unauthorized error.
7. Click Create Rule.
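The checks that steps 5 to 7 configure (the PS-Auth Authorization header, the optional bracketed RunAs password, source-IP rules for the load balancer, and a mandatory single X-Forwarded-For header whenever an X-Forwarded-For rule exists) can be traced end to end in the following example. It is added here for illustration and is not BeyondInsight's code: the `Registration` model, the "start-end" range syntax, the request dictionary shape and all addresses and key values are constructed assumptions; the header format is the one shown above.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical model of one API registration (constructed for this example; the field names
# are not BeyondInsight's own). ip_rules validate the TCP source address (the load balancer in
# a load-balanced deployment); xff_rules validate the originating client in X-Forwarded-For.
@dataclass
class Registration:
    api_key: str
    ip_rules: list                       # single IP, "start-end" range, or CIDR, one per entry
    xff_rules: list = field(default_factory=list)
    password_required: bool = False      # the "User Password Required" option

# One "name=value" field; a bracketed pwd value may contain ';' but (assumption) not ']'.
_FIELD_RE = re.compile(r"(\w+)=(\[[^\]]*\]|[^;]*)")

def parse_ps_auth(value):
    """Parse 'PS-Auth key=...; runas=...; pwd=[...];' into a dict, or None if malformed."""
    if not value or not value.startswith("PS-Auth "):
        return None
    fields = {}
    for name, raw in _FIELD_RE.findall(value[len("PS-Auth "):]):
        raw = raw.strip()
        if name == "pwd":
            if not (raw.startswith("[") and raw.endswith("]")):
                return None              # the password must be surrounded by square brackets
            raw = raw[1:-1]
        fields[name] = raw
    return fields if "key" in fields else None

def ip_matches_rule(ip, rule):
    """True if ip falls within rule: a single address, a 'start-end' range, or a CIDR block."""
    try:
        addr = ipaddress.ip_address(ip.strip())
        if "-" in rule:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
            return addr.version == lo.version == hi.version and lo <= addr <= hi
        net = ipaddress.ip_network(rule.strip(), strict=False)
        return addr.version == net.version and addr in net
    except ValueError:                   # unparsable address or rule never matches
        return False

def authenticate(request, registrations):
    """Evaluate one request against the registrations. Returns (http_status, reason)."""
    headers = request["headers"]         # lower-cased header name -> list of values
    auth = parse_ps_auth((headers.get("authorization") or [None])[0])
    if auth is None:
        return 401, "missing or malformed PS-Auth Authorization header"
    reg = registrations.get(auth["key"])
    if reg is None:
        return 401, "unknown API key (a rotated key lands here until the client is updated)"
    if reg.password_required and "pwd" not in auth:
        return 401, "RunAs user password required but not supplied"
    if not any(ip_matches_rule(request["source_ip"], r) for r in reg.ip_rules):
        return 401, "source IP not permitted by any IP rule"
    if reg.xff_rules:
        xff = headers.get("x-forwarded-for", [])
        if len(xff) != 1:
            return 401, "X-Forwarded-For header required exactly once when an X-Forwarded-For rule exists"
        if not any(ip_matches_rule(xff[0], r) for r in reg.xff_rules):
            return 401, "X-Forwarded-For client IP not permitted"
    return 200, "authenticated; runas=" + auth.get("runas", "")

# Constructed sample registration and request (RFC 5737 / RFC 3849 documentation addresses).
REGISTRATIONS = {
    "EXAMPLE-KEY-0001": Registration(
        api_key="EXAMPLE-KEY-0001",
        ip_rules=["203.0.113.10", "203.0.113.11"],                   # the two load balancers
        xff_rules=["198.51.100.0/24", "2001:db8::1-2001:db8::ff"],   # client networks behind them
        password_required=True,
    ),
}
GOOD_REQUEST = {
    "source_ip": "203.0.113.10",
    "headers": {
        "authorization": ["PS-Auth key=EXAMPLE-KEY-0001; runas=doe-main\\johndoe; pwd=[un1qu3];"],
        "x-forwarded-for": ["198.51.100.42"],
    },
}

def without_header(request, name):
    """Copy of request with one header removed, used to show the 401 cases."""
    headers = {k: v for k, v in request["headers"].items() if k != name}
    return {"source_ip": request["source_ip"], "headers": headers}

if __name__ == "__main__":
    print(authenticate(GOOD_REQUEST, REGISTRATIONS))
    print(authenticate(without_header(GOOD_REQUEST, "x-forwarded-for"), REGISTRATIONS))
    # A client that reaches the server directly, bypassing the load balancer, fails the IP rule.
    print(authenticate(dict(GOOD_REQUEST, source_ip="198.51.100.42"), REGISTRATIONS))
```

The third call illustrates why both rule types matter in a load-balanced deployment: the X-Forwarded-For value is only as trustworthy as the proxy that set it, so the IP rule pins requests to the load balancer addresses and the X-Forwarded-For rule then constrains the client range the balancer reports.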
For information on how to grant API access to BeyondInsight users, see "Role Based Access".
Managed Account Aliasing
Aliases are accessible using the API only. Two or more Managed Accounts must be mapped to an alias and can be
changed without affecting the alias name. An account can only be mapped to one alias.
Mapped accounts have three status values:
• Active – The account credentials are current and can be requested.
• Pending – The account credentials are current but the password is queued to change.
• Inactive – The account password is changing.
The list of mapped accounts is rotated in a round-robin fashion – typically in order of Last (Password) Change
Date. The preferred account, that is, the account whose status is Active and has the oldest change date, is returned
on the Alias API model.
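The selection rule just described (rotate by Last Change Date, return the Active account with the oldest change date, and the two mapping constraints) is shown below as an added example; it is not the product's implementation. The `MappedAccount` type, the tie-breaking on equal dates, the sample account names and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class MappedAccount:
    name: str
    status: str                  # "Active", "Pending" or "Inactive", as defined above
    last_change_date: datetime   # the Last (Password) Change Date

def rotation_order(accounts):
    """Round-robin order: oldest Last Change Date first (assumption: equal dates keep list order)."""
    return sorted(accounts, key=lambda a: a.last_change_date)

def preferred_account(accounts):
    """The account returned on the Alias API model: status Active with the oldest change date.
    Returns None when no mapped account is Active (all are Pending or Inactive)."""
    active = [a for a in rotation_order(accounts) if a.status == "Active"]
    return active[0] if active else None

def validate_alias(accounts, names_used_by_other_aliases):
    """Check the two mapping rules stated above: two or more accounts per alias, and no account
    mapped to more than one alias. Returns a list of error strings (empty when valid).
    This validation helper is constructed for the example; the guide does not show the product's."""
    errors = []
    if len(accounts) < 2:
        errors.append("an alias needs two or more mapped accounts")
    for name in sorted({a.name for a in accounts} & set(names_used_by_other_aliases)):
        errors.append(f"{name} is already mapped to another alias")
    return errors

# Constructed sample: four service accounts mapped to one alias.
SAMPLE = [
    MappedAccount("svc_app_01", "Active", datetime(2018, 3, 1, 2, 0)),
    MappedAccount("svc_app_02", "Pending", datetime(2018, 2, 20, 2, 0)),   # oldest, but queued to change
    MappedAccount("svc_app_03", "Active", datetime(2018, 3, 5, 2, 0)),
    MappedAccount("svc_app_04", "Inactive", datetime(2018, 2, 25, 2, 0)),  # password currently changing
]

if __name__ == "__main__":
    print([a.name for a in rotation_order(SAMPLE)])
    print(preferred_account(SAMPLE).name)          # svc_app_01: oldest date among Active accounts
    print(validate_alias(SAMPLE, {"svc_app_03"}))  # svc_app_03 already belongs to another alias
```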
Agent Configuration Details
You must configure the following agent settings:
• Change Agent
• Test Agent
• Mail Agent
• Session Monitoring. For more information, see "Session Monitoring".
Configuring the Password Change Agent
BeyondInsight automatic password changes are controlled by the Change Agent that runs as a service on the
appliance. When the Change Agent runs, it checks the configuration to determine operational parameters of the
appliance. Logs provide a record of the Change Agent activities and messages, and indicate success or failure.
The following overview explains how the Change Agent runs:
1. The Change Agent retrieves a process batch from the database. A process batch consists of one or more
managed accounts that have been flagged for a password change.
2. The passwords are changed on the managed accounts, and the change is recorded.
3. The Change Agent waits a set period of time for a response from the change job and then moves to the next
process batch in the database.
Recommendations
A small batch size (such as 5) and a short cycle time (such as 60 seconds) are recommended to maximize
efficiency. If a password change fails for any reason, it is reprocessed by the Change Agent according to the value
that is set for Retry failed changes in the Change Agent settings.
To configure change agent settings:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Click Change Agent.
3. Set the following:
– Enable Change Agent - The agent is running by default. Click the Stop button to stop the agent when
BeyondInsight starts.
– Active Change Tasks - The number of accounts to change.
– Check the change queue every - The frequency at which BeyondInsight cycles the password change
queue.
– Retry failed changes after - The amount of time before a failed password change is tried again.
– Allow unlimited retries - Select the check box and then select the number of retries allowed.
4. Click Update.
Configuring the Mail Agent
BeyondInsight uses email to provide notification between Approvers and Requestors, error alerting, and general
information delivery.
To configure mail agent settings:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Click Mail Agent.
3. Set the following:
– Send Mail every – Select the number of minutes that pass before emails are sent.
– Delete Messages after failed attempts – Set the number of times an email tries to send.
– Enable Mail Agent – Select to activate the mail agent when BeyondInsight starts.
4. Click Update.
Note: BeyondInsight allows you to stop and start the Mail Agent at any time by selecting the stop button next to
Mail Agent Status.
Session Monitoring
Session monitoring records the actions of a user while they are accessing your password protected assets. The
actions are recorded in real-time with the ability to bypass inactivity in the session. This allows you to view only the
actions of the user. For full details, see "Session Monitoring".
Password Test Agent Configuration
The Password Test Agent allows you to manually test all managed accounts, including the functional account. The
test ensures that there is an open connection between the assets and Password Safe. BeyondInsight will send a
notification email.
Configure the test agent on the Password Test Agent Configuration page in BeyondInsight.
Access Policies
Creating an Access Policy
An access policy defines the time frame and frequency that users can log on to the Password Safe web portal and
request passwords, remote access sessions, or access to applications under Password Safe management.
An access policy is selected when you are configuring the Requestor role.
To create an access policy:
1. In the console, select Configuration.
2. Under Privileged Access Management, click PowerBroker Password Safe.
3. Click Access Policies.
4. Click +.
Note that you can hide unavailable policies.
5. Enter a name and description.
6. Select the Send email Notifications check box to send emails when a request is received for the policy. Enter
the email addresses and separate each with a semicolon.
7. Click Save.
8. To set scheduling settings, double-click on the Schedule grid or click Create New Schedule.
9. Configure the following scheduling parameters:
– Time - Select the time of day when the policy can be accessed.
– Recurrence - Select the frequency that the access is available.
If you select the Daily check box, and then select Every Day, you can optionally select the Allows multi-day
check-outs of accounts check box. This option allows the user continuous access to a granted request
over a span of days.
– Range - Select a date range.
10. Select a location:
– Any Location
– Restrict to Location - Select an address group from the list. A location is based on an address group that
you already created. By choosing Restrict to Location, a user can only action the active request from the
selected Address Group.
– X-Forwarded-For - Select an address group from the list. This field defines the allowed values of the
X-Forwarded-For header added by an F5 load balancer or proxy; the IP address in the header is checked against
the selected address group. WebUrl and named host entries are ignored. If the X-Forwarded-For field is set to
'Any', no X-Forwarded-For header is required or verified. If an address group is configured, the X-Forwarded-For
header is required and its value must be one of the IPs in the address group.
For a new configuration, this error message can be found in the log:
"CheckLocationAllowed: XForwardedForHeaderValue 1.1.1.1 is not registered/trusted. Add this
XForwardedForHeaderValue to the TestGroupName Address group."
11. Select the type of access that you are permitting: View Password, RDP, SSH, or Application.
Additionally, select the following parameters as required:
– Approvers - Select the number of approvers required to permit access. Click the down arrow to auto
approve the request.
– Allow API Rotation Override - Select this check box for View Password type access, to allow API callers
such as Password Safe Cache to override the 'Change Password After Any Release' Managed Account
setting for View-type requests.
– Record - Select the check box to record the session.
– Keystroke Logging - Keystrokes can be logged during RDP, SSH, and application sessions. Clear the check
boxes to turn off keystroke logging. For more information, see "Keystroke Logging".
– ESA - Enhanced session auditing is on by default. Clear the check box to turn off enhanced logging. Applies
to RDP and application sessions. For more information, see "Enhanced Session Auditing".
– Concurrent - The Unlimited check box is selected by default and permits the user any number of
connections to occur at the same time. Clear the check box and enter a number to apply restrictions to
the number of sessions permitted at a time.
– Log off on Disconnect - Select the check box to automatically log off the user when the connection to the
session disconnects or the session window closes.
The check box applies only to RDP and application sessions.
– Force Termination - Select the check box to close the session when the time period expires. When Log
off on Disconnect is also selected, the user is logged off the session.
When the Requested Duration (as entered by the user on the Requests page in the web portal) is
exceeded the session ends if the Force Termination check box is selected for the access policy.
The default and maximum release durations are configured on the Managed Accounts page and Managed
System Settings page. For more information, see Adding a System Manually.
The check box applies to RDP, SSH, and application sessions.
For more information, see "Enforcing Session End Time".
– RDP Admin Console - Select this check box to show the RDP Admin Console check box when users create
an RDP-based request. The RDP Admin Console option allows administration of a Remote Desktop Session
Host server in console mode (mstsc /admin). This can be useful if the number of remote sessions is maxed
out on the host. Using the RDP Admin Console allows you to use a remote session without requiring other
sessions to disconnect. Running a remote session using the RDP Admin Console disables certain services
and functionality, such as, but not limited to:
– Remote Desktop Services client access licensing
– Time zone redirection
– RD Connection Broker redirection
– Remote Desktop Easy Print
Refer to Microsoft for more information on using mstsc /admin.
– Connection Profile - Select a profile from the list. For more information, see Configuring a Connection
Profile.
12. Click Save.
13. Select the Available for Use check box to activate the access policy.
14. Click Save.
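The X-Forwarded-For location in step 10 writes the CheckLocationAllowed message quoted there whenever a header value is not in the selected address group. The following added example (not part of the guide or the product) pulls those denials out of log lines and groups them per address group, so an administrator can tell a single proxy that still needs adding to the group from many different values hitting one group, which deserves a look before anything is trusted. The log lines, their timestamp prefix, the address-group names and the IP addresses are constructed; only the message text follows the guide.

```python
import re
from collections import defaultdict

# Pattern built from the CheckLocationAllowed message quoted in step 10 above.
LOCATION_DENIED_RE = re.compile(
    r"CheckLocationAllowed: XForwardedForHeaderValue (?P<xff>\S+) is not registered/trusted\. "
    r"Add this XForwardedForHeaderValue to the (?P<group>\S+) Address group\."
)

def parse_location_denials(lines):
    """Return (xff_value, address_group) for every line carrying the denial message."""
    denials = []
    for line in lines:
        m = LOCATION_DENIED_RE.search(line)
        if m:
            denials.append((m.group("xff"), m.group("group")))
    return denials

def triage(denials):
    """Count denials per address group and per header value:
    {address_group: {xff_value: count}}. One value repeating against a group is usually a proxy
    or client not yet added; many distinct values against one group is worth checking first."""
    by_group = defaultdict(lambda: defaultdict(int))
    for xff, group in denials:
        by_group[group][xff] += 1
    return {group: dict(counts) for group, counts in by_group.items()}

def suspicious_groups(denials, distinct_threshold=3):
    """Address groups that saw at least distinct_threshold different header values denied."""
    return sorted(g for g, counts in triage(denials).items() if len(counts) >= distinct_threshold)

# Constructed log excerpt (prefix format, groups and addresses invented; message text from the guide).
SAMPLE_LOG = [
    "2018-06-01 09:12:03 INFO  Request received for policy DBA-Daytime",
    "2018-06-01 09:12:03 WARN  CheckLocationAllowed: XForwardedForHeaderValue 198.51.100.7 is not "
    "registered/trusted. Add this XForwardedForHeaderValue to the LB-Clients Address group.",
    "2018-06-01 09:14:40 WARN  CheckLocationAllowed: XForwardedForHeaderValue 198.51.100.7 is not "
    "registered/trusted. Add this XForwardedForHeaderValue to the LB-Clients Address group.",
    "2018-06-01 09:20:11 WARN  CheckLocationAllowed: XForwardedForHeaderValue 203.0.113.9 is not "
    "registered/trusted. Add this XForwardedForHeaderValue to the BranchOffices Address group.",
    "2018-06-01 09:21:02 WARN  CheckLocationAllowed: XForwardedForHeaderValue 203.0.113.10 is not "
    "registered/trusted. Add this XForwardedForHeaderValue to the BranchOffices Address group.",
    "2018-06-01 09:21:30 WARN  CheckLocationAllowed: XForwardedForHeaderValue 203.0.113.11 is not "
    "registered/trusted. Add this XForwardedForHeaderValue to the BranchOffices Address group.",
]

if __name__ == "__main__":
    denials = parse_location_denials(SAMPLE_LOG)
    print(triage(denials))
    print(suspicious_groups(denials))   # ['BranchOffices']: three different values in a short window
```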
Configuring a Connection Profile
Connection profiles allow Administrators to create a blacklist of keywords, host names and IP addresses. Each
blacklisted item can be given a separate action which is triggered when Requestors type a blacklisted item in an
active SSH session.
Administrators can choose to have Password Safe perform the following actions when a match occurs:
• No Action – select this when you only want to be alerted if a match occurs.
• Block – blocks transmission of the command to the remote machine.
• Lock – locks the session for the Requestor.
• Block and Lock – performs both a block and a lock, as described above.
• Terminate – ends the remote session.
Note: Connection policies apply to SSH and application sessions.
To configure a connection profile:
1. In the console, select Configuration.
2. Under Privileged Access Management, click PowerBroker Password Safe.
3. Under Access Policies, click Connection Profiles.
4. Click the + icon to create a profile.
5. Enter a name for the profile and an email address if you want to receive email notifications when a blacklisted
item is triggered.
6. To add a blacklisted item, select one of the following from the Match menu: Keyword, Hostname or IP
Address.
7. Enter the match criteria in the Value box.
8. From the Session Control menu, select the action to take when the blacklisted item is triggered.
9. Click Add. Each blacklisted item is displayed on a separate line.
10. After you save the connection profile, it must be applied on the access policy schedule. Select the access
policy, and then double-click the scheduling grid. Select the connection profile from the menu.
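The matching behaviour of a connection profile (the Match types Keyword, Hostname and IP Address, each item with its own Session Control action) can be followed in this added example, which is not the product's code. How the product compares each type and how it resolves several matching items in one line is not stated in the guide; the case-insensitive substring match for keywords, whole-token match for hostnames, exact dotted-quad match for IP addresses, and "most severe action wins" are assumptions, as are the sample profile entries and commands.

```python
import re
from dataclasses import dataclass

# Session Control actions ordered from least to most severe (ordering is an assumption).
ACTION_SEVERITY = {"No Action": 0, "Block": 1, "Lock": 2, "Block and Lock": 3, "Terminate": 4}

@dataclass
class BlacklistItem:
    match: str       # "Keyword", "Hostname" or "IP Address" (the Match menu)
    value: str       # the Value box
    action: str      # the Session Control action

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")

def item_matches(item, typed_line):
    """Decide whether one typed line triggers one blacklisted item.
    Keyword: case-insensitive substring. Hostname: whole token, case-insensitive (DNS names are).
    IP Address: exact dotted-quad token, so 10.0.0.5 does not trigger on 10.0.0.50."""
    if item.match == "Keyword":
        return item.value.lower() in typed_line.lower()
    if item.match == "Hostname":
        return any(tok.lower() == item.value.lower() for tok in _HOST_TOKEN_RE.findall(typed_line))
    if item.match == "IP Address":
        return item.value in _IPV4_RE.findall(typed_line)
    raise ValueError(f"unknown match type {item.match!r}")

def evaluate_line(profile, typed_line):
    """Return (action, matched_items) for a line typed in an SSH session.
    With several matching items the most severe action is applied (assumption). Items set to
    "No Action" still appear in matched_items so the notification email can be sent."""
    hits = [item for item in profile if item_matches(item, typed_line)]
    if not hits:
        return None, []
    action = max((item.action for item in hits), key=ACTION_SEVERITY.__getitem__)
    return action, hits

# Constructed sample profile.
SAMPLE_PROFILE = [
    BlacklistItem("Keyword", "shutdown", "Block"),
    BlacklistItem("Hostname", "prod-db01", "No Action"),
    BlacklistItem("IP Address", "10.0.0.5", "Terminate"),
]

if __name__ == "__main__":
    for line in ["ping 10.0.0.50", "ssh prod-db01", "sudo shutdown -h now", "ssh admin@10.0.0.5 'shutdown'"]:
        action, hits = evaluate_line(SAMPLE_PROFILE, line)
        print(f"{line!r}: {action} ({len(hits)} item(s) matched)")
```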
Using a Predefined Connection Profile
The following predefined connection profiles are available for an access policy: Lateral Movement and Suspicious
Activity.
The profiles are configured to match on keywords that might indicate suspicious behavior occurring on your
network.
If a match is detected on any of the keyword values then the session is blocked.
You can add or delete keywords in the predefined connection profiles.
Managed Account Caching
Managed account caching stores permissions for managed accounts every 60 minutes. Caching can speed the load
time of the Requests page in the Password Safe web portal.
Note: Users might gain or lose access to accounts during the caching interval. Permission changes are not
updated until the cache refreshes.
Turn on background caching only if you experience slow loading of the Requests page.
To change the cache setting:
1. In the console, select Configuration.
2. Under Privileged Access Management, click PowerBroker Password Safe.
3. Click Managed Account Caching, and then set one of the following:
– Disable Caching - Caching is turned off by default. This is the recommended setting.
– Background Caching - Caching occurs in the background at 60-minute intervals.
Onboarding Systems and Accounts
Onboarding (or adding) a system and account to Password Safe places the system in the control of Password Safe.
Selected users can then request access to the managed systems.
A system and the associated account can be onboarded to Password Safe in any of the following ways:
• Manually - After an asset is added to the management console, you can add the asset to Password Safe.
• Smart Rules - Creating a Smart Rule with selected filter criteria, you can match on the systems that you want to
add to the console.
• Discovery Scanning - Using BeyondTrust Retina Network Security Scanning, you can run a discovery scan on a
selected range of IP addresses.
This chapter is a high-level view on adding systems and accounts. For details on adding a specific system, refer to
the appropriate chapter in the guide.
Onboarding Workflow
The following is a high-level overview on the steps to onboarding systems and accounts.
• Add the functional account - An account that can access the system with the privileges required to manage and
change passwords.
• Add the system - Computer where one or more account passwords are to be maintained by Password Safe.
Managed systems can be Windows machines, Unix/Linux machines, databases, firewalls, routers, iLO
machines, and LDAP/Active Directory domains.
• Add the managed account - Account on the managed system whose password is being stored and maintained
through Password Safe. Typically, managed accounts are “privileged accounts” that can perform administrative
tasks on the managed system. For example, root is likely to be a managed account on many Unix/Linux
managed systems.
After a system is added, you can configure settings that apply to the system you onboarded.
• Role based access - Create groups that permit users to:
– Log on to the Password Safe web portal
– Assign Password Safe roles: requestor, approver, etc.
• Create access policies - The policies permitting accounts to access the systems and request password releases,
application access, and session access.
Creating a Functional Account
A functional account on a managed system is required to manage passwords for accounts on that managed system.
Do not set up a functional account as a managed account. Functional accounts have built-in management
capabilities, and passwords might fail to synchronize, which can cause issues.
The settings vary depending on the platform type.
To create a functional account:
1. In the console, select Configuration > PowerBroker Password Safe > Functional & Login Accounts.
2. Click +.
3. Enter the following account parameters:
– Platform – Select the operating system.
– User name, Password, Confirm Password – Enter the credential for the account.
– Enable Automatic Password Management – Select the check box to change the password on that
functional account for each machine it is associated with at the designated frequency, time and date.
Note that these passwords cannot be retrieved through the Password Safe web portal.
– Password Rule – Select the password rule that you want to run on the managed system. The menu is only
activated when the Enable Automatic Password Management check box is selected.
– Alias – Provide an alias.
– Description – Enter a description for the account.
– sAMAccountName – Optionally, enter the user account name using the sAMAccountName format:
username.
– User Principal Name – Optionally, enter the user account name using the UPN format. For example,
username@domain.com.
Platform Specific Settings: UNIX, Linux, MacOSX
– Elevation – Select an elevated account to run as: sudo, pmrun, pbrun, pbrun jumphost.
Note: The following settings are not supported if you are using the elevated credential pbrun jumphost:
– DSS authentication
– Automatic password management
4. Click Save.
Overriding a Functional Account Password
Every managed system that uses a specific functional account has a unique password associated with that
functional account. The password on the managed system might be out of sync with the password in Password
Safe. Use Override Password to reset the password associated with the managed system.
Note: You can only override a password for a local functional account. The feature is not available for domain
functional accounts.
Adding a System
The settings vary depending on the type of platform.
To add an asset to Password Safe management:
1. On the Assets page, select the asset you want to manage and click the arrow.
2. Select Add to Password Safe from the menu.
3. On the Managed System Settings page, set the system settings.
Note: When an account is manually added to an asset, the default configuration of the account is set to that
which was configured on the managed system.
General settings that apply to any platform
– Platform - Select a platform type from the list.
– Name - Enter a unique name for the system.
– Enable Automatic Password Management - Select to automatically check and update managed account
passwords at a set frequency or after password releases. When you select automatic password changing,
you must select additional password management settings. See Configuring Password Management
Settings.
– Functional Account - Select a functional account from the list if already created. Click Add to create an
account now. Click Test to ensure the account credentials work correctly.
– Connection Timeout - The connection timeout value determines the amount of time in seconds that a
connection attempt to the managed system remains active before being aborted. In most cases, it is
recommended to use the default value (30 seconds). If there are problems with connection failures with
the system, this value can be increased.
– Default Password Rule - Select a Password Safe password rule or use the default rule. The rule provides
the requirements used by Password Safe to create passwords (for example, length and characters
permitted).
For more information, see Creating a Password Rule.
– Default Release Duration - The duration that can be requested during the request process. The default
value is 2 hours.
When the Requested Duration (as entered by the user on the Requests page in the web portal) is
exceeded the session ends if the Force Termination check box is selected for the access policy. For more
information on force termination, see Creating an Access Policy.
– Default Maximum Release duration - The maximum length of time that the Requestor is permitted to
enter on the Requests page. Applies to password and session requests.
– Description - Enter a description for the system.
– Contact e-mail - Enter the email address where Password Safe system notifications will be sent.
Platform specific settings
The following settings are dependent on the platform type selected.
– Account Name Format - Select an account name format from the list: sAMAccountName, UPN,
domain\account. For more information, see Setting Account Name Format.
– NetBIOS - The NetBIOS name is required when the account managing the task is a local Windows account.
– Port - Enter a port number to override the default port.
– Enable Login Account for SSH Sessions - Create a login account to allow the user to open an SSH session in
environments where remote shell access is not permitted, for instance the root account. See Login
Accounts for SSH Sessions.
– Login Account - Select the account name.
– Enforce elevation at system level - If using automatic password management, you can optionally select
this check box to elevate the functional account privileges.
– Elevation - Select an elevated account to run as: sudo, pmrun, pbrun, pbrun jumphost.
If you are using pbrun jumphost, enter the IP address for the PBUL policy server that you want to connect
to. For more information, see Advanced Systems Integration.
Note: SSH Key Enforcement Mode is not available if you are using pbrun jumphost.
– SSH Key Enforcement - Verifies SSH host keys from a known host. You can import SSH keys from a host
using a Smart Rule. See Importing an SSH Key Using a Smart Rule.
– None - No keys are imported.
– Auto Accept Initial Key - The first key imported is automatically accepted. Any new key imported
after the initial key must be manually accepted.
– Manually Accept Keys - SSH connections to the host are permitted for accepted keys only.
If a new key is detected from the host, the key is stored in the database and an email is sent to the
Administrators user group. The key must then be accepted or denied.
– Server Keys - Click to accept or deny the new key. Only accepted keys can connect to the host. See
Managing the SSH Keys.
– Default DSS Key Rule - If you are using DSS authentication for the system, select a key rule or use the
default. For more information, see Using DSS Authentication.
– Instance Number - (SAP only) - For more information, see Configuring SAP.
– SNMP Version, Community Value (Get), Community Value (Set) - (Xerox only) - The default settings for
Get and Set are used.
4. Click Save.
Note: You must save the system settings before you can select the Management tab or Local Accounts tab.
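The three SSH Key Enforcement modes described under the platform-specific settings (None, Auto Accept Initial Key, Manually Accept Keys) together with the Server Keys accept/deny step form a small state machine, shown below as an added example that is not the product's code. The `HostKeyStore` model, the use of a fingerprint string to identify a key, keeping a previously accepted key valid after a new one is accepted, and the sample fingerprints are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class HostKeyStore:
    """Per managed system host-key state (constructed model, not the product's schema).
    accepted: keys that may connect; pending: keys stored but awaiting an accept/deny decision;
    notifications: stands in for the email sent to the Administrators user group."""
    mode: str                                   # "None", "Auto Accept Initial Key", "Manually Accept Keys"
    accepted: set = field(default_factory=set)
    pending: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

def check_host_key(store, fingerprint):
    """Apply the enforcement mode to the host key presented when connecting.
    Returns True if the SSH connection may proceed, False if it must be refused."""
    if store.mode == "None":
        return True                             # keys are not imported or checked at all
    if fingerprint in store.accepted:
        return True                             # a key accepted earlier, in either mode
    if store.mode == "Auto Accept Initial Key" and not store.accepted and not store.pending:
        store.accepted.add(fingerprint)         # the very first key seen is accepted automatically
        return True
    # Manually Accept Keys, or a key that differs from the accepted one(s): store it, notify, refuse.
    if fingerprint not in store.pending:
        store.pending.add(fingerprint)
        store.notifications.append(f"new host key {fingerprint} detected; accept or deny under Server Keys")
    return False

def decide_key(store, fingerprint, accept):
    """Administrator action on the Server Keys list: accept or deny a pending key.
    Denied keys are dropped from pending, so they are re-stored and re-notified if seen again."""
    if fingerprint not in store.pending:
        raise KeyError(f"{fingerprint} is not awaiting a decision")
    store.pending.discard(fingerprint)
    if accept:
        store.accepted.add(fingerprint)

if __name__ == "__main__":
    # Constructed fingerprints: the host's original key and a changed key (rebuild or interception).
    store = HostKeyStore("Auto Accept Initial Key")
    print(check_host_key(store, "SHA256:original-key"))   # True: first key auto-accepted
    print(check_host_key(store, "SHA256:changed-key"))    # False: stored as pending, admins notified
    decide_key(store, "SHA256:changed-key", accept=True)
    print(check_host_key(store, "SHA256:changed-key"))    # True after acceptance
```

The difference between the two enforcing modes is only the first connection: Auto Accept Initial Key trusts the first key it sees and enforces from then on, while Manually Accept Keys refuses every connection until an administrator has accepted the key, which is the safer choice where the first contact itself cannot be trusted.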
Configuring Password Management Settings
If you select the Enable Automatic Password Management check box, you must select password management
settings:
1. On the Managed System Settings page, click the Management tab.
– Check Password - When selected, compares the password that is stored in Password Safe with the
password on the managed system.
– Reset Password on Mismatch - Use with Check Password. The password on the managed account is reset
if a mismatch is detected. If the check box is not selected and a mismatch is detected, then a notification
email is sent to the system contact email address (if set up on the Managed System Settings page).
– Change Frequency, Change Time, Next Change Date - Set password change frequency and scheduling.
The password change frequency can be set to a maximum of every 999 days.
– Change password after any release - Select the check box to require that the password be changed after
every release.
– Duration of ISA releases of password - Select the duration for password releases to ISAs, up to a
maximum of 365 days. This is the amount of time that transpires between the initial ISA retrieval and the
automatic reset of the password (if enabled).
2. Click Save.
Adding an Account
You can add an account after the system is added to Password Safe management.
Note that there are additional settings when the platform you are adding is a UNIX or Linux based system.
Note: The following settings are not supported if you are using the elevated credential pbrun jumphost:
– DSS authentication
– Use this account's current password to change the password
1. Go to the Assets page in the console.
2. Click the arrow for the managed asset, and then select Edit Password Safe Details.
3. Click the Local Accounts tab on the Managed System Settings dialog box.
4. Click Add.
5. Fill in the account information.
General Settings
– System name - Automatically populated from the Managed System settings page.
– Account name, Password, and Confirm password - Enter the credentials for the managed account.
– Password Rule - Select a password rule. A password rule provides complexity restrictions when a
password is created for the managed account.
You can use the default password rule or create a rule. See Creating a Password Rule.
– Account description - (Optional). A description for the managed account.
– Workgroup - Select a workgroup from the list. Workgroups are typically used in active/active
configurations permitting a Password Safe agent a specific area of responsibility. Password changes are
then managed at the workgroup level. See Workgroups.
– Enable for API access - Select the check box if the managed account will be accessed by the Password
Safe API methods.
– Use this account's current password to change the password - Password Safe uses the current password
on the managed account to log on to the managed system to change the password. Select this check box
to use the managed account rather than the functional account to change the password.
– Send Release Notification Email to - When there is a password release request an email is sent to the
email account provided here.
– Default Release Duration - The duration that can be requested during the request process. The default
value is 2 hours.
When the Requested Duration (as entered by the user on the Requests page in the web portal) is
exceeded the session ends if the Force Termination check box is selected for the access policy. For more
information on force termination, see Creating an Access Policy.
– Maximum Release Duration - The maximum length of time that the Requestor is permitted to enter on
the Requests page. Applies to password and session requests.
– Allow this account to be used in BeyondInsight Accounts and Directory queries - Permits the managed
account to be used as a managed credential. See Using a Managed Account as a Credential.
– Allow this account to be used by the Retina Network Security Scanner, Scan credential description, Key
and Confirm Key - A managed account can be used as a credential when configuring a Retina Network
Security scan. See Using a Managed Account as a Retina Scanner Credential.
– Enable Automatic Password Changing/Testing - Select to automatically check and update managed
account passwords at a set frequency or after password releases.
When you select automatic password changing/testing, the following settings must be configured.
– Check Password - When selected, compares the password that is stored in Password Safe with the
password on the managed system.
– Reset Password on Mismatch - Use with Check Password. The password on the managed account is
reset if a mismatch is detected. If the check box is not selected and a mismatch is detected, then a
notification email is sent to the system contact email address (if set up on the Managed System
Settings page).
– Change Frequency, Change Time, Next Change Date - Set password change frequency and
scheduling. The password change frequency can be set to a maximum of every 999 days.
– Change password after any release - Select the check box to require that the password be changed
after every release.
– Duration of ISA releases of password - Select the duration for password releases to ISAs, up to a
maximum of 365 days. This is the amount of time that transpires between the initial ISA retrieval and
the automatic reset of the password (if enabled).
– Max Concurrent Requests - Select the maximum number of concurrent password requests for the
managed account. When configuring a managed account you can set the number of password requests
that can be made by the requester at one time.
Enter 0 for unlimited concurrent requests. The default value is 1.
The following platforms support concurrent password requests: Windows, Unix, Database, and Cloud.
– Applications - Select the application that the managed account can access. See Applications.
Platform Specific Settings: UNIX, Linux, MacOSX
– Authentication Type - Select Password or DSS. If you want to use DSS authentication, see Using DSS
Authentication.
– Allow Fallback to Password - Available only when the Authentication Type is DSS. When selected, the
password on the managed account is used if the DSS key method fails.
– Enable Login Account for SSH Sessions - The Enable Login Account for SSH Sessions check box must be
selected on the Managed System Settings page for this check box to be active.
6. Click Save.
Adding a System Using a Smart Rule
You can add assets to Password Safe using an asset-based Smart Rule.
Before proceeding, consider the filter criteria to use to onboard the assets. There are several filters available,
including operating system and directory query.
Note: SSH key enforcement is not supported when using the pbrun jumphost elevated credential. The settings
display as available after pbrun jumphost is selected. However, the settings will not work with the elevated
credential.
To add a system using a Smart Rule:
1. Go to the Assets page, and then select Manage Smart Rules.
2. Select Asset based Smart Rule.
3. Select the filter criteria.
4. In the Perform Actions section, select Manage Assets Using Password Safe.
5. Select the platform and related settings. The settings are the same as when you add the system manually. For
complete descriptions, see Adding a System.
6. Select Show asset as Smart Group to display the Smart Group on the Assets page. This is helpful for grouping
assets and accounts by regions. Some restrictions apply.
7. Click Save.
Adding Accounts Using a Smart Rule
You can create a Smart Rule that discovers and adds Active Directory accounts to Password Safe.
The following procedure also shows how to link domain accounts to the system.
To add accounts using a Smart Rule:
1. On the Smart Rules Manager page, select Managed Accounts based Smart Rule and then select New.
2. Select the Directory Query filter, choose Include accounts from Directory Query, and then select the query.
3. Under Account Selection Criteria, select Match ALL Criteria or Match ANY Criteria.
4. Select the filtering criteria:
– Asset Smart Group - Select a Smart Group from the list.
– Child Smart Rule - Select a Smart Rule you want to filter the Child Smart Rules from.
– Dedicated Account - Select an account filter from the list. Enter a keyword to search on.
– Directory Query - Choose to Include or Exclude accounts from Directory Query.
a. Select a Directory Query from the menu or create one.
b. Enter the frequency at which the query runs. Leave the entry as 0 for a one-time run.
c. Select the check box to discover accounts when the Smart Rule processes.
d. Select a domain.
– Managed Account Fields - This filter only applies to existing Managed Accounts.
a. Select a filter: Account Name, Create Date, Description, Domain Name, Last Change Date or Last Change Result.
b. Select an expression, and then enter a keyword to search on. (Example WIN for Windows)
– Managed System Fields - The Smart Rule will be filtered according to the Managed System you selected.
a. Select a filter: System Name, Create Date, Last Update Date.
b. Select an expression, and then enter a keyword to search on. (Example WIN for Windows)
– Platforms - Select a platform or select the SELECT ALL check box.
– User Account Attribute - Select User Account Attribute, and then select an attribute filter:
– Privilege – Select is one of or is not one of, and then select All or any combination of Administrator,
Guest and User.
– SID – Select an expression, and then enter a keyword to search on.
– Account Name – Select an expression, and then enter a keyword to search on.
– Password Age – Select an expression from the list, and then select age parameters to search on.
For every filter, select yes to discover accounts, and then select a Smart Group to search in.
5. Select the Use to discover new accounts for Password Management check box.
6. In the Perform Actions section, select Manage Account Settings. This adds the accounts that match the criteria
to Password Safe. The settings are the same as when you add the accounts manually. For complete
descriptions, see Adding an Account.
Additional properties that can be set in Perform Actions:
– Assign workgroup on each account - Used with agent workgroups in multi-Active deployments, this action
allows you to define groups of accounts that will be assigned to specific password change agents.
Select a workgroup from the list, or select Any.
– Link domain accounts to managed systems - When used with Directory Accounts as the criteria, this
action creates a linked association between the Directory Accounts and the target Asset Smart Groups for
role based access control.
– Map Dedicated Accounts To - Use only when the Dedicated Account criteria is selected.
This action identifies the group of user accounts that will be used to match against the Dedicated Account
mask condition.
– Send an email Alert - Select to send an email alert when the Smart Rule processes.
The email contains a summary of the managed accounts matched by the Smart Rule and any changes since its
last run.
– Set attribute on each account - Select to assign an attribute to managed accounts to filter and sort
managed accounts.
When viewing the Smart Groups on the Managed Accounts page, the groups are organized based on the
filters selected in the Smart Group.
You can use the default attributes that are available or create an attribute on the Configuration page.
When the Smart Rule runs, the attribute is applied to all managed accounts that match on the selected
filter criteria.
7. Select Show asset as Smart Group to display the Smart Group on the Assets page.
8. Click Save.
Managed Systems
A Managed System is any asset that is managed by Password Safe. To view all the assets managed by Password Safe
you can select the built-in Smart Group, All Assets, from the Smart Group menu in the console.
For a list of supported platforms, see Supported Platforms.
Setting the Account Name Format
When adding the following platforms as a managed system, you can set the user account format:
Windows, Linux, Oracle, MS SQL Server and Active Directory
The following format types are supported:
• Domain\Account name - Enter the domain and user account name.
• UPN - Uses the format name@DomainName
• sAMAccountName - Uses the Active Directory sAMAccountName
When you are adding managed systems using an asset-based Smart Group, the Account Name Format setting is
available when a supported platform is selected.
If the Smart Group already exists, you must remove the Manage Assets Using Password Safe action and add it
again before the Account Name Format setting appears.
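The three formats above name the same account in different ways, and the same account often arrives in different formats (Domain\Account in Windows event logs, UPN in Azure AD and Kerberos, bare sAMAccountName in directory queries). The following is an added example, not BeyondTrust code: it parses any of the three formats into one record and renders it back, so a name in one format can be matched against a managed account stored in another. The NetBIOS-to-DNS domain table is constructed for the example (in practice it comes from the directory), and treating the UPN prefix as the sAMAccountName is an assumption that holds in most but not all directories.

```python
"""Normalize account names across Domain\\Account, UPN and sAMAccountName.

Added example (not BeyondTrust code). The domain lookup table is constructed;
the UPN prefix == sAMAccountName equivalence is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed lookup for the example domains; a real deployment reads this from the directory.
NETBIOS_TO_DNS = {"CORP": "corp.example.com", "LAB": "lab.example.net"}
DNS_TO_NETBIOS = {v: k for k, v in NETBIOS_TO_DNS.items()}

# Characters Active Directory rejects in a sAMAccountName; user accounts are limited to 20 characters.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


@dataclass(frozen=True)
class AccountName:
    sam: str                  # sAMAccountName as written (AD compares it case-insensitively)
    netbios: Optional[str]    # short domain, e.g. CORP
    dns: Optional[str]        # DNS domain, e.g. corp.example.com

    def as_domain_account(self) -> str:
        if not self.netbios:
            raise ValueError("NetBIOS domain unknown for this account")
        return f"{self.netbios}\\{self.sam}"

    def as_upn(self) -> str:
        if not self.dns:
            raise ValueError("DNS domain unknown for this account")
        return f"{self.sam}@{self.dns}"

    def key(self) -> tuple:
        """Case-folded identity used for matching; prefers the DNS domain when known."""
        return (self.sam.casefold(), (self.dns or self.netbios or "").casefold())


def _check_sam(sam: str) -> str:
    if not sam or len(sam) > 20 or any(c in _SAM_FORBIDDEN for c in sam):
        raise ValueError(f"invalid sAMAccountName: {sam!r}")
    return sam


def parse_account(value: str, default_netbios: Optional[str] = None) -> AccountName:
    """Accept 'DOMAIN\\account', 'account@dns.domain' or a bare sAMAccountName."""
    value = value.strip()
    if "\\" in value:
        netbios, sam = value.split("\\", 1)
        netbios = netbios.upper()
        return AccountName(_check_sam(sam), netbios, NETBIOS_TO_DNS.get(netbios))
    if "@" in value:
        prefix, dns = value.rsplit("@", 1)
        dns = dns.lower()
        # Assumption: the UPN prefix is the sAMAccountName (true in most, not all, directories).
        return AccountName(_check_sam(prefix), DNS_TO_NETBIOS.get(dns), dns)
    netbios = default_netbios.upper() if default_netbios else None
    return AccountName(_check_sam(value), netbios, NETBIOS_TO_DNS.get(netbios) if netbios else None)


def same_principal(a: str, b: str, default_netbios: Optional[str] = None) -> bool:
    """True when two identifiers, possibly in different formats, name the same account."""
    return parse_account(a, default_netbios).key() == parse_account(b, default_netbios).key()


if __name__ == "__main__":
    acct = parse_account("CORP\\svc_sql")
    print(acct.as_upn(), acct.as_domain_account())
    print(same_principal("CORP\\Svc_SQL", "svc_sql@corp.example.com"))
```

Bare names are only resolvable when a default domain is supplied, which is why the matcher takes one; two names whose domains cannot be mapped to each other are reported as different rather than guessed equal.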
Importing an SSH Key Using a Smart Rule
You can import SSH keys from a host and accept the key on the Managed System Settings page.
Supported key types: RSA, DSA, ECDSA. Note that OpenSSH has disabled DSA (ssh-dss) keys by default since version
7.0, so current hosts will normally present RSA or ECDSA host keys.
To create the Smart Rule:
1. Go to the Assets page, and then click Manage Smart Rules.
2. From the Smart Rules Type list, select Asset Based Smart Rules, and then click New.
3. Enter a name, description, and category.
4. Create the filter settings. For example, create an address group that includes the IP addresses for the hosts.
5. In the Perform Actions section, select Manage Asset Using Password Safe.
The settings here are the same as when adding a system on the Managed Systems Settings page. For
descriptions of all the settings, see Adding a Managed System.
6. Select a key enforcement mode: Auto Accept Initial Key or Manually Accept Keys.
7. Click + to add another action, and then select Show Asset as Smart Group.
8. Click Save.
Managing the SSH Keys
After the Smart Rule processes, hosts with SSH keys are populated in the Smart Group you created.
An email notification is sent to the Administrators user group when a key is imported. The email tells the
administrator that a fingerprint requires action and gives details about the fingerprint and the asset the key is on.
The Fingerprint Verification email template can be modified on the Password Safe Configuration page. See Mail
Templates. Before accepting, compare the fingerprint with one obtained from the host itself over a trusted channel
(for example, ssh-keygen -l -f on the host key file at the console); an imported fingerprint that has only been compared
with itself has not been verified.
Accepting or Denying a Key
To accept or deny a key:
1. Go to the Managed Systems Settings page for the host.
2. Scroll to SSH Key Enforcement Mode, and then click Server Keys.
3. Click Accept to permit connections using that key. Otherwise, click Deny.
4. Click Update.
5. After a key is accepted, click Test next to the Functional Account setting to verify the key with the functional
account.
Adding a Fingerprint Manually
To add a key manually:
1. Go to the Managed Systems settings page for the host.
2. Scroll to SSH Key Enforcement Mode, and then click Server Keys.
3. Click the Add SSH Key icon.
4. Click the pencil to edit and paste the fingerprint.
5. Click the check mark to save.
Note: The fingerprint must be unique. A red frame displays in the box if the key is already imported.
6. Click Accept.
7. Click Update.
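The two enforcement modes (Auto Accept Initial Key, Manually Accept Keys), the accept/deny decision and the uniqueness rule for manually added fingerprints together describe a host key policy. The following is an added example, not BeyondTrust code: it derives OpenSSH-style fingerprints from a public key line (both the SHA256 form and the legacy MD5 colon-hex form shown in the ssh-keygen output later in this guide) and models both modes, including the case worth alerting on, a pinned host that starts presenting a different key. The class and method names are the example's own, and the key line is constructed from a fixed byte pattern rather than a real key.

```python
"""Host key fingerprinting and enforcement-mode decisions for SSH.

Added example (not BeyondTrust code). Models "Auto Accept Initial Key" and
"Manually Accept Keys" as the guide describes them; names are this example's own.
"""
import base64
import hashlib
import struct


def parse_openssh_line(line: str) -> tuple:
    """Return (key_type, raw_blob) from an OpenSSH 'type base64 [comment]' line.

    The key type declared in the line must match the type encoded inside the
    wire-format blob, so a mislabelled or truncated line is rejected rather than
    given a fingerprint.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n]
    if len(inner) != n or inner.decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match blob")
    return declared, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of the digest over the raw blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint (colon-separated hex), the form older ssh-keygen prints."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


class HostKeyStore:
    """Pinned fingerprint per host plus an enforcement mode."""

    def __init__(self, mode: str):
        if mode not in ("auto_accept_initial", "manual"):
            raise ValueError("unknown enforcement mode")
        self.mode = mode
        self.accepted = {}   # host -> fingerprint trusted for connections
        self.pending = {}    # host -> fingerprint awaiting an administrator

    def observe(self, host: str, key_line: str) -> str:
        """Decide on a key presented by `host`: 'accepted', 'denied' or 'pending'."""
        _, blob = parse_openssh_line(key_line)
        fp = fingerprint_sha256(blob)
        pinned = self.accepted.get(host)
        if pinned is not None:
            # A known host presenting a different key is never silently re-trusted.
            return "accepted" if pinned == fp else "denied"
        if self.mode == "auto_accept_initial":
            self.accepted[host] = fp       # trust on first use
            return "accepted"
        self.pending[host] = fp            # manual mode: an administrator must act
        return "pending"

    def accept(self, host: str, fp: str) -> None:
        """Administrator accepts a pending fingerprint after verifying it out of band."""
        if self.pending.get(host) != fp:
            raise ValueError("no such pending fingerprint for host")
        if fp in self.accepted.values():
            raise ValueError("fingerprint already imported; fingerprints must be unique")
        self.accepted[host] = self.pending.pop(host)

    def deny(self, host: str) -> None:
        self.pending.pop(host, None)


def sample_key_line(seed: int) -> str:
    """Constructed ed25519-shaped public key line (not a real key), for offline use."""
    key_type = b"ssh-ed25519"
    pub = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", 32) + pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    store = HostKeyStore("manual")
    print(store.observe("db01", sample_key_line(1)))   # pending until an administrator accepts
    store.accept("db01", store.pending["db01"])
    print(store.observe("db01", sample_key_line(2)))   # denied: the host's key changed
```

In auto-accept mode the first key seen is pinned without review, so the mode is only as trustworthy as the network path at onboarding time; in either mode a later key change is denied rather than re-learned, which is the behaviour you want when a managed host is rebuilt or impersonated.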
Viewing Managed System Details
After the system is added to Password Safe management, you can review asset details on the managed system,
including: hardware, ports, processes, scheduled tasks, Smart Groups associated with the asset.
To view details on a managed system:
1. Log on to the management console, and then select Assets.
2. Click i for the asset. Alternatively, double-click the asset.
3. Click through the tabs to view more information.
Note: Click Edit to open the Managed System Settings dialog box to change settings on the asset.
Managed Accounts
Managed Accounts are user accounts that are local to a Managed System. Managed Accounts are associated with
assets that are managed by Password Safe.
Viewing Managed Accounts
When viewing the Managed Accounts on the console, only the first 100 Smart Groups are displayed. You can use
the search box to filter the Managed Accounts Smart Groups and select a category from the list to further refine
the number of Smart Groups displayed.
Viewing Managed Account Details
After the account is added to Password Safe management, you can:
• Review the settings assigned to the account
• View a list of password changes and the reason for each change
• View the accounts that are synced to the managed account
• View the Smart Groups associated with the account, including last process date and processing status. You
can also view this information on the Asset Details page for the managed system.
Note that you can change any of the information for the managed account from the details page view.
To view details on a managed account:
1. Log on to the console, and then click Managed Accounts.
2. Click i for the managed account.
3. Click the tabs to view more information.
Deleting Managed Accounts
You can delete managed accounts.
A message is displayed if an account cannot be deleted. For example, a synced account cannot be deleted.
To delete managed accounts:
1. Log on to the console, and then click Managed Accounts.
2. Delete accounts using any of the following ways:
– Select the check boxes for the accounts that you want to delete.
– Select the check box in the Account Name column to select the first 50 accounts in the list.
Optionally, click Preferences to change the number of rows displayed on the page. When you click the
check box in the Account Name column the number of accounts selected matches the number of records
configured in the Preferences.
– Click Select all to delete the first 1000 accounts. The maximum number of accounts that can be deleted at
one time is 1000.
When you click Select all, the number of items selected is updated to reflect the number of items in the
entire list.
3. Click Delete.
Unlinking Managed Accounts
You can unlink managed accounts. This feature applies to only Active Directory accounts linked to managed
systems.
If the accounts included in the unlink selection are not domain accounts then no action is taken on that account.
To unlink managed accounts:
1. Log on to the console, and then click Managed Accounts.
2. Unlink accounts using any of the following ways:
– Select the check boxes for the accounts that you want to unlink.
– Select the check box in the Account Name column to select the first 50 accounts in the list.
Optionally, click Preferences to change the number of rows displayed on the page. When you click the
check box in the Account Name column the number of accounts selected matches the number of records
configured in the Preferences.
– Click Select all to unlink the first 10,000 accounts. The maximum number of accounts that can be unlinked
at one time is 10,000.
When you click Select all, the number of items selected is updated to reflect the number of items in the
entire list.
3. Click Unlink.
Changing Passwords for Managed Accounts
You can change passwords for managed accounts.
To change passwords on managed accounts:
1. Log on to the console, and then click Managed Accounts.
2. Change passwords on accounts using any of the following ways:
– Select the check boxes for the accounts.
– Select the check box in the Account Name column to select the first 50 accounts in the list.
Optionally, click Preferences to change the number of rows displayed on the page. When you click the
check box in the Account Name column the number of accounts selected matches the number of records
configured in the Preferences.
– Click Select all to change the password on the first 10,000 accounts. The maximum number of accounts
that can be changed at one time is 10,000.
When you click Select all, the number of items selected is updated to reflect the number of items in the
entire list.
3. Click Change Passwords.
Any Managed Account can be synced to multiple accounts. These synced accounts become subscribers to the
Managed Account, and the Managed Account and all of its subscribers always share an identical password. When
the password of the Managed Account or of any subscriber account is changed, Password Safe automatically
changes the Managed Account and all of its subscribers to the same new password.
Once an account is synchronized as a subscriber account, setting modifications are limited to:
• Enable API
• Allow for use by Retina Security Scanner
• Application
Additionally, a quick view of subscriber accounts is provided on the Managed Account grid. A tab is visible in the
details window labeled Sync Accounts. This will give you a list of all accounts synced to that Managed Account.
Configuring Subscriber Accounts
1. Select a Managed Account and select Edit Account.
2. In the Managed Account Settings window select the Synced Accounts tab.
3. Select the check boxes for the accounts you want to sync.
4. Select the sync (+) icon.
5. To remove a synced account, select the accounts and then select the icon with the x.
Configuring Password Reset for Managed Accounts
Use the following set up information to permit a managed account to reset the password on their account but not
on any other managed accounts.
Create a user group and assign the following permissions and role:
• Management Console Access - Read
• Password Safe Account Management - Read. Do not assign Write; the Change button is not displayed for the
managed account user if Write is assigned.
• Credential Manager role to a Smart Rule of accounts (for example, All Managed Accounts).
As the managed account user:
1. Log on to the console.
2. Go to the Managed Accounts page.
3. Double-click the account name to open the details.
4. Click Change.
Using a Managed Account as a Retina Scan Credential
A Managed Account can be used as a credential when configuring a Retina Network Security scan.
Note: Once the Retina Scanner option is enabled, the key must be specified again if the account is edited. It can
be the same key or a new one.
The following credential types are supported: Windows, SSH, MySQL and Microsoft SQL Server.
The following platforms are supported: Windows, MySQL, Microsoft SQL Server, Active Directory and any
platform with the IsUnix flag (AIX, HP-UX, DRAC, and so on).
To add the Managed Account as a credential:
1. Go to the Managed Account Settings page for the managed system.
2. Select the check box Allow this account to be used by the Retina Network Security Scanner.
Note: The check box is not selected by default.
3. In the Scan Credential Description box, enter a name for the account that can be selected as the credential
when setting up the scan details. The name is displayed on the Credentials Management dialog box when
setting up the scan.
4. Enter a key and confirm in the box provided. Assign a key so that only users that know the key can use the
credential for scanning.
5. Click Save.
Later, when you are setting up the scan, you can select the managed account as the credential.
Using DSS Authentication
Applying DSS authentication on a managed system is a secure alternative to using password authentication. DSS
authentication is set on the functional account and managed account properties.
DSS authentication is supported on the following systems: Linux, AIX, HP-iLO, HP-UX, DRAC, MAC OSX,
Solaris, Juniper, RACF.
Generating and Distributing the Key
You can generate keys with PuTTYgen (puttygen.exe) on Windows and ssh-keygen on Unix-based systems. Consult the
system documentation for other platforms.
The following example shows how to generate a 2048-bit RSA key pair with ssh-keygen. The account in the example is
admin.
# ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
/home/admin/.ssh/retina_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/retina_rsa.
Your public key has been saved in /home/admin/.ssh/retina_rsa.pub.
The key fingerprint is:
7f:5f:e3:44:2e:74:3c:c2:25:2b:82:7c:f8:0e:2a:da
#
/home/admin/.ssh/retina_rsa is the private key (the user's RSA authentication identity). Protect it like a password:
transfer it only over a secure channel to the system that will authenticate with it (the Retina scanner host, or Password
Safe when you import it into the functional or managed account settings), and remove it from any intermediate location.
/home/admin/.ssh/retina_rsa.pub contains the matching RSA public key. Append its contents to ~/.ssh/authorized_keys
for the account on every machine the user wishes to access or scan using public key authentication.
Creating a Functional Account with DSS Authentication
Before you can create the account you must generate a private key. Copying (or importing) a key is part of setting
the functional account properties with DSS authentication. See Generating and Distributing the Key.
To create a functional account with DSS authentication:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Select a platform.
3. Select the elevation and enter a user name. Selecting an elevation is optional.
4. From the Authentication Type list, select DSS.
5. Click the Edit button.
6. Copy the key into the box or click Import New Key and select the file from your computer.
7. Click Save.
8. Continue to set the password parameters for the account.
9. Click Save.
Creating a Functional Account on the UNIX or Linux Platform
Create an account on the UNIX or Linux platform with a name like functional_account.
The command applies to Password Safe v6.4.4 or later.
To assign necessary privileges to the functional account, invoke the command 'sudo visudo' in the terminal and
place the following lines under the "root ALL=(ALL) ALL" line:
Note: Be sure to add sudo elevation to the functional account on the managed asset. The command lists are OS
specific and are what Password Safe needs in order to perform password changes and DSS key changes. Because sed,
tee, cp and rm run as root with caller-supplied arguments, these rules are effectively unrestricted root (any file on the
host can be rewritten): protect the functional account's key or password as you would a root credential.
MAC OSX
functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd
UBUNTU/REDHAT
functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /bin/sed, /usr/bin/tee, /usr/bin/passwd
SOLARIS
functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/tee, /usr/bin/sed, /usr/bin/passwd, /usr/bin/rm
HPUX
functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd, /usr/bin/rm
AIX
functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/pwadm, /usr/bin/tee, /usr/bin/passwd, /usr/bin/sed, /usr/bin/cp, /usr/bin/rm
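Each sudoers line above is a single user specification: user, host alias, Runas list, tag, and a comma-separated command list. The following is an added example, not BeyondTrust code or a Password Safe setting: a small parser for such lines plus the review a least-privilege reviewer would run over them, flagging commands that already amount to unrestricted root and paths that fall outside the usual binary directories (a mistyped path never matches in sudo, so the change simply fails on that host). The ROOT_EQUIVALENT set is this example's own assessment; the sample rules are the guide's Ubuntu/Red Hat line and a constructed variant with a mistyped path.

```python
"""Review sudoers command lists granted to a functional account.

Added example (not BeyondTrust code). ROOT_EQUIVALENT is this example's own
assessment; SAMPLE_RULES are constructed inputs.
"""
import re

# Run as root with caller-chosen arguments, each of these can overwrite any file
# (tee or cp onto /etc/shadow, sed -i on /etc/sudoers) or spawn a root shell.
ROOT_EQUIVALENT = {"tee", "sed", "cp", "mv", "rm", "dd", "vi", "vim", "sh", "bash", "python", "perl"}
STANDARD_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/")

# user  host = (runas) [TAG: ...] cmd, cmd, ...
_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed inputs: the guide's Ubuntu/Red Hat rule, and a Solaris-style rule with a mistyped path.
SAMPLE_RULES = {
    "ubuntu": "functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /bin/sed, /usr/bin/tee, /usr/bin/passwd",
    "solaris_typo": "functional_account ALL=(ALL)NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/tee, "
                    "/usr/bin/sed, /user/bin/passwd, /usr/bin/rm",
}


def parse_sudoers_rule(line: str) -> dict:
    """Split one user specification into user, host, runas, tags and command list."""
    m = _RULE.match(line.strip())
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "tags": tags, "commands": cmds}


def review_rule(line: str) -> dict:
    """Return the parsed rule together with the findings a least-privilege review would raise."""
    rule = parse_sudoers_rule(line)
    findings = []
    as_root = rule["runas"] in ("ALL", "root")
    for cmd in rule["commands"]:
        path = cmd.split()[0]
        name = path.rsplit("/", 1)[-1]
        if not path.startswith("/") and path != "ALL":
            findings.append(f"{path}: not an absolute path")
        elif path != "ALL" and not path.startswith(STANDARD_PREFIXES):
            findings.append(f"{path}: outside the usual binary directories; confirm it exists on the host")
        if path == "ALL" or (as_root and name in ROOT_EQUIVALENT):
            findings.append(f"{path}: root-equivalent (arbitrary file write or shell as root)")
    if "NOPASSWD" in rule["tags"] and any("root-equivalent" in f for f in findings):
        findings.append("NOPASSWD on root-equivalent commands: protect this account's key or password as a root credential")
    return {**rule, "findings": findings}


if __name__ == "__main__":
    for label, line in SAMPLE_RULES.items():
        print(label)
        for finding in review_rule(line)["findings"]:
            print("  -", finding)
```

Running it over the guide's own rules reports sed, tee, cp and rm as root-equivalent on every platform, which is the point of the note above: the rules are needed for the product to work, so the compensating control is how the functional account's credential is stored and rotated, not the sudoers file.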
Testing the Functional Account
The key can be tested under Managed System Settings.
To access the Managed System settings:
1. Go to the Assets page, and click the arrow for the asset.
2. Select Edit Password Safe Details from the menu.
3. Here you can test the functional account. You can also edit the functional account information and edit the key.
Select the Edit button to change this information.
Note: Editing the key here overrides the functional account key for this asset only.
Setting DSS on the Managed Account
An alternate, secure way to set up a Managed Account is with DSS authentication.
Before you can create the account you must generate a private key. Copying (or importing) a key is part of setting
the managed account properties with DSS authentication. See Generating and Distributing the Key.
To create a managed account with DSS authentication:
1. Go to the Managed System Settings page for the managed system.
2. Click the Local Accounts tab.
3. From the Authentication Type list, select DSS.
4. Click the Edit button.
5. Copy the key into the box or click Import New Key and select the file from your computer.
6. Click Save.
DSS Key Auto Management
A DSS key rule is set on a managed system that supports DSS authentication.
The Auto-Managed DSS Key check box enables DSS key auto-management: the key pair is regenerated whenever the
password for the account is changed, whether by schedule or manually, so it follows the same schedule as password
changing.
Generating a new DSS public/private key pair removes the old public key (if there is one) from the authorized_keys
file and appends the new public key.
To enable DSS key auto-management for the account:
1. Go to the Managed System Settings page for the managed system.
2. Select the Default DSS Key Rule which will be used to generate the key.
Note: Click Add to create a key rule. See Creating a DSS Key Rule.
3. Click the Local Accounts tab.
4. Select the Auto-Manage DSS Key check box.
The schedule selected for Automatic Password Changing now also applies to the DSS key.
Get the Public Key
To view and copy the public key:
1. On the Managed System Settings dialog box, click the Local Accounts tab.
2. Select the managed account and click the Public Key button.
Creating a DSS Key Rule
Password Safe ships with a default DSS key rule:
• Type: RSA
• Bit size: 2048
• Encryption: Auto-Managed Passphrase, generated from the default password rule
You can change the settings for the default rule but you cannot delete the rule.
Optionally, you can create a rule.
To create a DSS key rule:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Click DSS Key Rule.
3. Click +.
4. Enter a name and description.
5. Select a Key Type: RSA or DSA.
6. Select a bit size.
7. Select an encryption method: None or Auto-Managed Passphrase. The default encryption method is Auto-
Managed Passphrase.
8. Select Update.
Session Monitoring
Session monitoring records the actions of a user while they are accessing your password protected assets. The
actions are recorded in real-time with the ability to bypass inactivity in the session. This allows you to view only the
actions of the user.
Setting up Session Monitoring
You configure session monitoring when you are adding a managed system (or editing the settings for the managed
system).
There are additional settings that you need to configure, such as listen port and screen resolution.
Configuring Listen Host and File Location
Using the BeyondInsight Configuration tool, you can set the listen host and file location for the monitored sessions.
To configure session monitoring:
1. Log on to the configuration tool.
2. Go to the Password Safe section.
3. Enter the IP address for the listen host.
4. Set the location for the session monitoring file. The default location is in the installation directory
\data\sessionmonitoring.
Setting Session Monitoring Screen Resolution
To configure screen resolution:
1. In the console, click Configuration > PowerBroker Password Safe.
2. Click Session Monitoring.
3. Set the screen resolution.
4. Select the Smart Sizing check box to resize the RDP window to match the size of the user's screen.
5. Click Update.
In the web portal, override the default setting by selecting the Smart Sizing check box. Smart Sizing is only available
for RDP requests:
Personalized Notification Images
As a Password Safe Administrator, you can add corporate logos to replace default brand splash, replay and lock
images.
Note: You will need to clear the browser cache in order to see new images after they have been updated.
Also, all image files should be backed up in a safe location because they will be overwritten on the next
upgrade and will need to be replaced after the upgrade completes to restore the customization.
Splash Image
To customize the splash image:
1. Place the customized splash.png file in this directory:
C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images
Size must be 1024 x 768 px
Rename the original splash.png file or move it to another location.
2. In [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy]
registry key add the following string value:
"splash_png" with a value of the path to the customized splash image
Replay Images
To customize the Admin > Replay logos, modify the following files:
– C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder.jpg
Size must be 147 x 125 px
– C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder-lg.jpg
Size must be 1024 x 768 px
– C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\ssh_placeholder.jpg
Size must be 137 x 125 px
Lock Image
To customize the lock image that appears to the end user when an administrator locks an active session:
1. Place the customized lock.png file in this directory:
C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images
Size must be 1024 x 768 px
Rename the original lock.png file or move it to another location.
2. In [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy\lock]
registry key add the following string value:
"png" with a value of the path to the customized lock image
Password Masking
Passwords can be ‘masked’ or hidden from session replays.
Masks can be created, changed and deleted. These actions are recorded in user auditing.
To configure a mask:
1. In the console, click Configuration > PowerBroker Password Safe.
2. Click Session Monitoring.
3. Enter a mask name (required, 100 characters maximum).
4. In the Mask box, enter a pattern to search and replace (required, 100 characters maximum).
5. Select the Active check box to turn on the mask.
When a mask is active, the keystrokes of a recording SSH session are checked against the mask pattern and any
matches are replaced. When the keystroke session is replayed, the viewer sees asterisks instead of the password.
More than one mask can be active at a time.
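The mask pipeline described above is simple enough to show end to end. The following is an added example, not BeyondTrust code: it applies several active masks to constructed keystroke log lines, replacing each match with the same number of asterisks so the replay keeps its timing and column alignment, and enforces the 100-character limits on name and pattern. Treating the mask as a regular expression is an assumption; the page does not say which pattern syntax the product accepts. The keystroke lines, credentials and token are all constructed for the example.

```python
"""Apply keystroke masks to a recorded SSH session before replay.

Added example (not BeyondTrust code). Mask patterns are treated as regular
expressions (an assumption); all sample keystrokes are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mask:
    name: str            # required, 100 characters maximum (as in the console)
    pattern: str         # search pattern, required, 100 characters maximum
    active: bool = True

    def __post_init__(self):
        if not (0 < len(self.name) <= 100 and 0 < len(self.pattern) <= 100):
            raise ValueError("mask name and pattern are required and limited to 100 characters")
        try:
            re.compile(self.pattern)      # fail at configuration time, not during replay
        except re.error as exc:
            raise ValueError(f"invalid mask pattern: {exc}") from exc


def apply_masks(keystrokes: str, masks: list) -> str:
    """Replace every match of every active mask with asterisks of equal length."""
    out = keystrokes
    for m in masks:
        if m.active:
            out = re.sub(m.pattern, lambda mt: "*" * len(mt.group(0)), out)
    return out


def mask_session(lines: list, masks: list) -> list:
    """Mask each 'timestamp<TAB>keystrokes' line, leaving the timestamp untouched."""
    masked = []
    for line in lines:
        ts, sep, keys = line.partition("\t")
        if sep:
            masked.append(ts + sep + apply_masks(keys, masks))
        else:
            masked.append(apply_masks(line, masks))
    return masked


# Constructed keystroke log, not a real recording.
SAMPLE_KEYSTROKES = [
    "10:01:02\tsudo -S /usr/bin/passwd svc_backup",
    "10:01:05\tS3cr3t-Pass!",
    "10:01:09\tmysql -u root -pS3cr3t-Pass! -h db01",
    "10:01:14\texport API_TOKEN=tok_live_0123456789abcdef",
]

# Several masks active at once, plus one inactive mask that must have no effect.
MASKS = [
    Mask("known-rotation-password", re.escape("S3cr3t-Pass!")),
    Mask("mysql-inline-password", r"(?<=-p)\S+"),
    Mask("api-token", r"tok_live_[0-9a-f]+"),
    Mask("disabled-mask", r"svc_\w+", active=False),
]


if __name__ == "__main__":
    for line in mask_session(SAMPLE_KEYSTROKES, MASKS):
        print(line)
```

A literal mask (the first one) catches a password typed on its own line; the pattern masks catch the same secret when it is embedded in a command or appears as a token the administrator never typed into a password prompt. Because matching runs over the recording, a password that was never typed in a way the mask anticipates still lands in the replay, so masks complement rather than replace short retrieval windows and rotation on check-in.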
Viewing Recorded Sessions
The following users can view recorded sessions:
• Administrators
• Users with the Auditor role
• Users with the ISA role
To view a recorded session:
1. In the console, select Menu to expand, and then select Replay.
2. Click All, RDP, or SSH to find the recording.
3. Select a recorded session.
A thumbnail is displayed with session details.
4. Click Open to review the recording.
The recorded session opens in a new window with standard video viewing options. 
Note: You can hover over any part of the video progress bar to reveal the time stamp and click anywhere on
the bar to select an instance in the recorded session.
5. Select the Mark as Reviewed check box for easy tracking of reviewed sessions.
6. Add comments as needed and select Save. The comments are displayed with the session thumbnail.
Viewing Recorded Sessions in a Multi-Node Environment
In a multi-node environment, sessions can be viewed from any node in the environment regardless of the node it
was created on.
SSL certificates are used to secure communication between the nodes. You must create a certificate using a CA and
import the certificate on each of the nodes.
When setting up the certificate, the Password Safe agent host name (or host name override) must match the Issued
to details on the certificate properties in the Certificates snapin.
Note that the CA certificates that issue the SSL certificates (the Issued by on the certificate properties) must be
trusted by all nodes in the environment.
To confirm the host name matches the Issued to field:
1. In the console, go to Configuration > Password Safe > Session Monitoring.
2. Select the agent in the list, and view the host name (or host name override).
3. Open the Certificates snapin, and then double-click the certificate.
4. Confirm the name of the certificate in one of the following places:
– On the General tab, confirm the host name is the same name in the Issued to field.
– On the Details tab, scroll to the Subject field and confirm that CN=<name> matches the agent host
name.
Keystroke Logging
Password Safe records keystrokes for all recorded sessions. When you open a recorded session, the pane on the
right displays keystrokes.
Select a keystroke entry to open the viewer to where that keystroke occurred.
Filter keystroke entries in the Search box by date, time or keystroke.
The following screen capture shows an example:
Turning Off Keystroke Logging
Keystroke logging is on by default. In the Session Monitoring configuration, you can turn off keystroke logging for
ISA users and Admin sessions.
Keystroke logging can be set for all other users when creating an access policy. For more information, see
"Configuring Password Safe System Settings".
To turn off keystroke logging:
1. Select Configuration > PowerBroker Password Safe.
2. Select Session Monitoring.
3. Clear the check box for the session type: RDP, SSH or Application.
You can clear the setting for the ISA role or Admin Sessions role.
4. Click Update.
Enhanced Session Auditing
Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for
RDP and Application sessions.
During a recorded RDP session, a dissolvable agent called pbpsmon is installed on the host for the duration of the
session. The agent monitors and audits Windows click events.
Note: Session monitoring captures text that is copied in an RDP session window. The copied text is only captured
the first time. Any subsequent copy tasks of the same text are not captured for the session.
To use enhanced session auditing, the functional account of the managed Windows host or Remote Desktop
Services host needs administrative rights.
Turning Off Enhanced Session Auditing
Enhanced session auditing is on by default. Turn off enhanced session auditing:
• On the Session Monitoring configuration page for ISA users
• On the Access Policy configuration page for Admin sessions and all other users. For more information, see
"Configuring Password Safe System Settings".
Note that enhanced session auditing uses the rules in the access policy for Admin session multi-session
checkouts.
To turn off enhanced session auditing for ISA users:
1. Select Configuration > PowerBroker Password Safe.
2. Select Session Monitoring.
3. Clear the check box for the session type: RDP or Application.
4. Click Update.
Troubleshooting Enhanced Session Auditing
The following files are deployed as part of enhanced session auditing:
• pbpsdeploy - The BeyondTrust Password Safe Deployment Agent service
• pbpsmon
• pbpslaunch
pbpsmon and pbpslaunch are contained in a cab file that is copied to the Windows directory and extracted to
C:\pbps\
pbpsdeploy
The pbpsdeploy.exe resides in the Windows directory (C:\Windows).
• Access to the ADMIN$ share is required to copy pbpsdeploy.exe from Password Safe to the target server
• Confirm the service is displayed in the Services snap-in after deployment
• The pbsm logs should contain the output from the deployment service.
Example:
2017/03/07 15:47:12.186 2292 6548 INFO: Pushing pbpsdeploy service to 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.528 2292 6548 INFO: Starting pbpsdeploy service on 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.593 2292 6548 INFO: Copied pbpsmon.cab
2017/03/07 15:47:13.716 2292 6548 INFO: pbpsmon install:
Using binary directory C:\Windows\
Created directory C:\pbps
Extracting File "pbpsmon.exe" (Size: 15872 bytes) -> "C:\pbps\pbpsmon.exe"
Extracting File "pbpslaunch.exe" (Size: 145408 bytes) -> "C:\pbps\pbpslaunch.exe"
Extracting File "msvcp120.dll" (Size: 455328 bytes) -> "C:\pbps\msvcp120.dll"
Extracting File "msvcr120.dll" (Size: 970912 bytes) -> "C:\pbps\msvcr120.dll"
Extracting File "vccorlib120.dll" (Size: 247984 bytes) -> "C:\pbps\vccorlib120.dll"
Extracting File "libeay32.dll" (Size: 1359872 bytes) -> "C:\pbps\libeay32.dll"
Extracting File "ssleay32.dll" (Size: 252928 bytes) -> "C:\pbps\ssleay32.dll"
Creating registry keys
Registry keys successfully created
Creating task
Task successfully created
pbpsmon
Verify the following setup has been performed by the deployment service.
• In Task Scheduler, confirm the following task is created: BeyondTrust Password Safe Monitoring Task
• In regedit, the following registry key is created:
HKLM\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON (creates the disconnect event)
pbpslaunch
Verify the following setup has been performed by the deployment service.
• In regedit, the following registry key is created:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch
• A pbpslaunch entry exists in RemoteApp Manager:
• The pbsm logs will contain a log statement "Accepting RDP Channel <name>". There should be one for pbpsmon and,
if it is an application session, one for pbpslaunch.
– Example:
2017/03/07 15:47:14.659 3672 4788 INFO: Accepting RDP Channel PBPSMON
• The Event Viewer on the target server includes setup and cleanup results of pbpsmon and pbpslaunch sent to
pbsmd.
– Event Viewer -> Windows Logs -> Application and filter on the Source = pbpsdeploy
Note: You can disable pbpsmon and pbpslaunch by adding the following reg value on the UVM and restarting the
Session Monitoring service.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\disable_deploy = 1
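The verification steps above can be run as one check on the target host. The following script is an added example, not BeyondTrust's own tooling; every file, service, task, registry key and event source it tests comes from the guide text, and its one assumption is that the deployment agent's service name begins with "pbpsdeploy" (the guide gives only the display name), so both name and display name are matched.

```powershell
# Added verification script (not BeyondTrust's own tooling). Run in an elevated PowerShell on the
# target host while a recorded RDP session is active: pbpsmon is dissolvable and is removed again
# when the session ends. Assumption: the deployment agent's service name begins with "pbpsdeploy".

$results = [ordered]@{}

# 1. Files placed by the deployment service (from the "pbpsmon install:" log above)
$files = @(
    'C:\Windows\pbpsdeploy.exe',
    'C:\pbps\pbpsmon.exe',
    'C:\pbps\pbpslaunch.exe'
)
foreach ($f in $files) {
    $results["file present: $f"] = Test-Path -LiteralPath $f -PathType Leaf
}

# 2. Deployment agent service visible in the Services snap-in
$svc = Get-Service | Where-Object {
    $_.Name -like 'pbpsdeploy*' -or $_.DisplayName -like '*Password Safe Deployment*'
}
$results['service: pbpsdeploy present'] = [bool]$svc
if ($svc) { $results['service: pbpsdeploy status'] = ($svc | Select-Object -First 1).Status.ToString() }

# 3. Scheduled task created for pbpsmon (schtasks fallback for hosts without the ScheduledTasks module)
$taskName = 'BeyondTrust Password Safe Monitoring Task'
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    $results["task: $taskName"] = [bool]$task
} else {
    schtasks.exe /Query /TN $taskName *> $null
    $results["task: $taskName"] = ($LASTEXITCODE -eq 0)
}

# 4. Registry keys: the Terminal Server add-in that raises the disconnect event, and the RemoteApp
#    allow-list entry for pbpslaunch. The guide prints the second key as "TerminalServer"; the
#    standard RemoteApp allow list lives under "Terminal Server", so both spellings are checked.
$results['reg: Terminal Server\Addins\PBPSMON'] =
    Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON'
$tsAppKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications\pbpslaunch'
)
$results['reg: TSAppAllowList\Applications\pbpslaunch'] =
    [bool]($tsAppKeys | Where-Object { Test-Path -LiteralPath $_ })

# 5. Setup and cleanup results that pbpsdeploy writes to the Application log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'pbpsdeploy' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
$results['events: Application log, source pbpsdeploy (last 20)'] = @($events).Count

# Report: one line per check, then the raw events for context
$results.GetEnumerator() | ForEach-Object { '{0,-65} {1}' -f $_.Key, $_.Value }
if ($events) {
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
}
```

A False for a file or registry key after the session has ended is the expected cleanup rather than a failed deployment; in that case the pbpsdeploy events are the record to read.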
Keystroke Search
To find sessions containing keystrokes:
1. Select the Search by keystrokes check box and enter a word or phrase in the field provided.
2. Click Search.
If the word or phrase was logged then the sessions containing those keystrokes are displayed.
Keystroke for Active Sessions
Keystrokes are logged and viewable during Active Sessions as they are executed. Administrators can sort these
keystrokes as they populate live by selecting Oldest to Newest to change it to Newest to Oldest within the
Keystroke menu.
Note: Logged keystrokes cannot be selected during Active Sessions as they can be in recorded sessions.
Session Frame Export
You can select a screen shot from a recorded session and export to a JPEG file. The file exports to a resolution of
1024 x 768. This feature is only available for recorded RDP and SSH sessions. Screen shots can be taken while the
recording is paused or in play mode.
To export the frame:
1. Select the Snapshot button.
The JPEG file is automatically saved to your default download location specified in your browser settings.
A notification is displayed when the export is complete.
Admin (Ad Hoc) Sessions
This feature allows the user to make an ad hoc connection to a machine without doing the request/approval
procedure.
The Admin Session page displays if the user is in the Administrators Group, is assigned the ISA role, or is assigned
the Password Safe Admin Session permission.
Complete the form by selecting the type of connection, machine IP address or name, and the account to use to
connect. If it is an RDP connection an RDP file will be created, for SSH you will receive the SSH link.
Connections using the Admin Session are recorded and available for replay to the Administrator account only.
Concurrent Sessions
Remote sessions can be limited to a set number of concurrent sessions.
The option to increase or limit the number of sessions a user can open at one time is configured in Access Policies.
For more information, see "Configuring Password Safe System Settings".
If a user tries to open more sessions than allowed, then a message is displayed on the Requests page.
Active Sessions
You can view a session in real time. Administrators, ISAs, or users with the Active Session Reviewer role who have
permissions to the asset (set through Smart Rule roles) can view Active Sessions live.
1. Log on to the web portal.
2. Click the menu to expand, and then select Active Sessions.
3. Select a session.
4. Click the thumbnail to open the session in a larger window.
Locking an Active Session
To lock a session:
1. Log on to the web portal.
2. Click the menu to expand, then select Active Sessions.
3. Select a session.
4. Click the Lock button to lock the user session, preventing further interaction with their session. The message
displayed to the user is different for RDP and SSH sessions. See example below.
RDP:
SSH:
5. Click the Unlock button to unlock the session.
Note: Alternatively, a session can be locked and unlocked when viewing the session in the session player
window, by clicking the Lock and Unlock buttons.
Terminate an Active Session
To terminate an active session:
1. Log on to the web portal.
2. Click the menu to expand, then select Active Sessions.
3. Select a session.
4. Click the Terminate button to immediately end a session.
Alternatively, a session can be terminated when viewing the session in the session player window, by clicking
the Terminate button.
Note: When terminating a session, it will automatically close and be removed from the Active Sessions table. The
session will then be available to view in Replay Sessions.
Terminate and Cancel an Active Session
To terminate and cancel an active session:
1. Log on to the web portal.
2. Click the menu to expand, then select Active Sessions.
3. Click the Terminate and Cancel button to immediately end a session and check in the request.
Alternatively, a session can be terminated and canceled when viewing the session in the session player window, by
clicking the Terminate and Cancel button. The Terminate and Cancel button is only present for those requests
initiated by requestor type users; not Admin, ISA or sessions created through Admin Sessions.
Archiving Recorded Sessions
You can archive recorded sessions. Archive settings are configured on the UVM appliance. For more information,
refer to the UVM Appliance User Guide.
Note: Parameters can be configured to allow auto-archiving of any recorded sessions older than a specific
number of days.
Archiving Sessions and Restoring Archived Sessions
1. Once a session has been recorded, you can retrieve it from the Replay Sessions window. Open the session by
selecting the Open button. Once the viewer opens, click Archive Session.
2. To view archived sessions, select the archived session and the Restore Session button is displayed.
Remote Proxy Sessions
In a distributed environment where there is more than one BeyondInsight instance installed, a Password Safe user
can request a session to a remote instance. In this scenario, a Password Safe end user can request passwords and
sessions for a remote instance by selecting a node on the request page.
BeyondInsight instances (or agents) automatically provide a heartbeat status to the primary BeyondInsight server.
The agent provides a status:
• every 5 minutes
• on start up (the Active status is turned on)
• on shutdown (the Active status is turned off)
Only active agents are displayed as nodes in the Password Safe web portal.
Viewing Agents
To view agents and configure a display name:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Select Session Monitoring.
Active and inactive agents are displayed in the Agent list.
3. If the DNS name of the remote server is different from the primary BeyondInsight server, you can enter the host
name in the override box.
4. In the Display Name box, enter the node name that you want to display in the Password Safe web portal.
5. Click Update.
Displaying Nodes in Password Safe
If you want users to access specific BeyondInsight instances, then you must turn on the setting in Global Settings
configuration.
To display the node selector in the Password Safe web portal:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Select Global Settings.
3. Select the check box for Allow users to select a remote proxy when creating sessions.
4. Click Update.
Nodes are only displayed in the web portal when this check box is selected. By default, the check box is not
selected.
Adding Windows Components
• Active Directory
• LDAP
• Services
Windows Systems Managed Accounts
When adding a Windows system to Password Safe management, the following options are available on the
Managed Account Settings page:
• Change password for Windows Services started by the account
• Change password for Windows Scheduled Tasks started by this account
Note: When managing domain accounts tied to Windows scheduled tasks a domain Functional Account is
required. For more information, see "Adding Windows Components".
Note: When changing domain accounts tied to Windows scheduled tasks the NetBIOS field MUST be configured
on the Managed Directory. For more information, see "Adding a Directory".
Select the check box to have Password Safe change the password for these Windows functions started by the
account.
Adding a Directory
You can add Active Directory or LDAP directories to Password Safe management.
1. In the console, select Managed Accounts.
2. Select Directories from the menu.
3. Click the Create New Directory icon.
4. Configure the information for the directory.
Note: When configuring the Managed Account Settings for an Active Directory account, you can choose a
Domain Controller to change or test a password. The Domain Controller on the managed account will
override a Domain Controller on the functional account selected.
5. Click Save.
Note: You must save the system settings before you can proceed to the Management tab or Local Accounts
tab.
Adding Directory Accounts
There are two ways you can add directories: Manually or using an Active Directory query with a Smart Group.
Adding Directory Accounts Manually
1. After you save the domain you can manage the accounts by selecting the arrow for the domain that you want
to edit. Select Edit Directory Details.
2. Click the Accounts tab in the Managed Directory Settings and manually add the accounts.
Discover Active Directory Accounts with an Active Directory Query
1. To discover Active Directory accounts create a Smart Rule and choose the following filter criteria:
– Directory Query and Include accounts from Directory Query.
– Select the query from the list. Click the browse button to create a query on the fly.
– Ensure the check box is selected: Discover accounts for Password Safe Management.
2. In the Perform Actions section, select the following criteria:
– Show Managed Account as Smart Group
– Manage Account Settings
Note: By default, the Smart Rule will auto manage the Directory Account passwords. If this is not desired, set
Enable Automatic Password Management to No, otherwise ALL accounts in the query will have passwords
changed.
3. Select Save.
4. All of the Active Directory accounts will not display in the Accounts grid. Choose Accounts from the menu to
view them in the grid.
Linked Accounts
You can link Active Directory accounts to assets on a specified domain.
To manage linked accounts:
1. In the console, select Assets.
2. Select the arrow icon for an asset, and then select Edit Password Safe Details from the menu.
3. Select the Linked Accounts tab.
4. Select the check box for an account that you want to link to the asset.
5. Click the Add Link icon:
6. Click Save.
Creating an Active Directory Functional Account
When creating an Active Directory managed account, the functional account requires a Domain Controller.
Administrators can choose a targeted Domain Controller from the menu or select Any Domain Controller which
allows Active Directory to choose.
Note: If a failure occurs when connecting to a target Domain Controller, Password Safe will connect on the
domain level.
Adding Windows Services
You can add Windows Services to Password Safe management. The Service Account can be added as the managed
account. When a service is under management, the following occurs when the managed account password
changes:
• A service that is running will restart when the password is changed
• A service that is stopped is not restarted when the password is changed
• Dependent services will be restarted or not restarted based on the state of the primary service
Before adding services to Password Safe management, ensure the following is in place:
• Start the remote registry service on the target
• Start the Universal Plug and Play (UPnP) Device Host service on the target
• Start the Service Directory Placement Protocol (SDPP) Discovery service on the target
• Verify machines are in the domain, if applicable
• Verify assets are managed with Local Administrator if not on domain, or Domain Administrator accounts if on
domain
Go through the following procedures to prepare and add services to Password Safe management.
Set up the Service Report
1. Log on to the console as an administrator.
2. Click Scan, and then click the Manage Report Templates link.
3. Click Service Report and select Edit Scan Settings.
4. Click Options and select Advanced Options. Clear the check box for Disable Back Port Detection.
5. Select Retina Local Scan Service Options. Select the Yes check box for Perform Local Scanning.
This is the only required option.
6. Click Update.
Prepare the Services
1. On the asset where the service resides, select the service in the Services snap-in and stop the service if
running.
2. Right-click the service in the Services snap-in and select Properties.
Be sure that the password of the Local or Active Directory account associated with the services matches and tests
successfully. Test in the console on the Accounts or Directories page in Managed Accounts.
3. Click the Log on tab of the service and enter the Local or Active Directory account and current credentials.
If required, retrieve a password using the Password Safe administrator log in.
4. Restart services and verify they start successfully.
Run a Scan on the Service Assets
1. Run a scan on the assets using the Service Report template to add the assets to the console.
2. After the scan runs, verify the following:
– Select Asset Details for the asset and confirm the services are collected
– The service status is RUNNING and the logon account name is correct
– Verify on the Directories page in Managed Accounts that NetBIOS is entered (FQDN) if a domain account is
used
3. On the Managed Account Settings or Managed Directory Settings page for the Local or Active Directory
account, ensure the following check boxes are selected and then click Save:
– Change password for Windows Services started by this account
– Restart all services managed by this account
4. Select the Local or Active Directory account and click Test. A green check mark indicates success.
5. Click Change. A green check mark indicates success.
6. Restart the services to verify the password change.
The password change is successful if the service restarts. Otherwise, the password change is not successful. Go
through all the steps in this chapter to troubleshoot.
Troubleshooting Changes
On the Local Accounts tab for the managed system, results are displayed by the Change button:
The following screen capture shows possible results.
• The green checkmark indicates the password change is successful.
• The middle red x indicates that services failed to start.
• The end red x indicates that a scheduled task failed to start.
• If password changes are successful and tasks and services are successfully started, then only the green
checkmark is displayed.
Adding Applications
Applications can be managed by Password Safe. Requestors can then request access to the application and launch a
session through the Password Safe web portal.
Application sessions can be recorded.
To add an application to Password Safe management, you must:
• Set up the application details in Password Safe configuration
• Associate the application to a managed account
• Create an access policy that permits application access. Recording and keystroke logging can be turned on
here.
• Create a user group that includes the managed accounts. Assign the Requestor role (or Requestor/Approver
role) that includes selecting the access policy.
Adding an Application
Note that the system where the application resides must already be added to Password Safe before you can add
the application here.
To configure an application:
1. In the console, click Configuration > PowerBroker Password Safe.
2. Click Applications.
3. Click the + icon.
4. Enter a name for the application. Using the name of the application is recommended for transparency. The
following are optional categorization fields: Version, Publisher and Type.
5. The following fields are required:
– Alias - combines the name and version entered by default but the field can also be edited to display any
desired alias.
– Application/Command - the path to the application. For example, C:\Program Files\Windows
NT\Accessories\wordpad.exe
– Parameters - The arguments to pass to the application. Default placeholders are: username=%u
password=%p and host=%h.
managed account name = %u
managed account password = %p
managed asset name = %h
managed asset ip = %i
database port = %t
database instance or asset name = %d
– Functional Account - Select a Functional Account from the menu. The Functional Account must already be
created.
– Managed System - The Managed System must have the application (such as wordpad.exe) configured.
When starting an application session, an RDP session connects to this Application Server and starts the
application.
– AutoIt Passthrough - Select the check box to automatically pass the credentials for the application through
an RDP virtual channel. Using AutoIt Passthrough provides a secure way to access applications through a
remote session. The user requesting the session is not required to enter the application credentials.
There are prerequisites that must be met before you can use AutoIt Passthrough. For more information,
see Using AutoIt Passthrough.
6. Administrators can associate the application with a linked Windows system or a linked Linux/Unix system. By
default, the check boxes are not selected; this is the most restrictive state. A standard user in Password Safe
will see one row with an Application to the same functional account and managed system.
– Associate the Application with a linked Windows system – Standard users will see all Windows based
systems applied to the Domain Linked Account when they log on to Password Safe. This will exclude
Linux/Unix systems.
– Associate the Application with a linked Linux/Unix system – Standard users will see all Linux/Unix based
systems applied to the Domain Linked Account. This will exclude Windows systems.
– If both options are enabled, all systems associated to the Domain Linked Account will be shown.
Note: When configuring access to a Linux system, Sudo can be used to configure authentication. The
administrator can include a Functional Account but it is not required.
7. Select the Active check box to make the application available for remote sessions.
8. Click Create.
Encryption Module for RemoteApp
The Encryption Module for RemoteApp is an application which is automatically enabled to hide sensitive
information from the terminal service logs.
To use this encryption, the asset must be configured with a Functional Account that is also an Administrator on
the server the user is connecting to.
Associating the Application to a Managed Account
Now that the application is configured, the application must be associated with a managed account.
You select the application on the Managed Accounts Settings page. For more information about managed accounts
settings, see Adding a Managed Account Manually.
1. In the console, select Managed Accounts.
2. On the Managed Accounts page, select Edit Account for the managed account.
3. Scroll to the Applications list, and then select the application.
Setting up the Access Policy
You can create an access policy or use an existing policy. The access policy will be part of the Requestor role set up
described in the next section.
Note: The Application Access Policy applies to TOAD® and applications. The same access policy is used for both.
To set up the application access policy:
1. Select Configuration > PowerBroker Password Safe.
2. Click Access Policies.
3. Set the scheduling parameters.
4. Select the Application check box.
For complete details on access policy settings, see Creating an Access Policy.
5. Click Save.
Setting up the Role Based Access
The users that need to access the application must be managed accounts that are members of a user group.
The Requestor role and application access are assigned as part of creating the user group.
1. In the console, select Configuration > Users & Groups.
2. Go to the Smart Rules section on the Group Details page, and select the Roles button for a Smart Rule.
3. Select the Requestor role.
4. In the section Access Policy for Requestor, select the Access Policy configured for the application.
If there is no access policy configured for the application, click the browse button to create a policy. For more
information, see Access Policies.
Using AutoIt Passthrough
The following prerequisites must be in place before you can use the AutoIt Passthrough feature:
• The application must be launched through an AutoIt script.
• The wrapper AutoIt script is calling the Password Safe Passthrough library through pbpspassthru.dll (provided
as part of the Password Safe Resource Kit).
For information about turning on the feature, see Adding an Application.
AutoIt Script Details
The AutoIt example script uses the following functions:
• pbpspassthru.dll
• pbps_get_credentials
• DLLCall - An AutoIt function. The first argument takes in the location of the dll to call. In the example, the
pbpspassthru.dll is located in the same directory as the AutoIt script.
Example
Func get_credentials($token)
    ; Call pbps_get_credentials in pbpspassthru.dll, which sits in the same directory as this script.
    ; "str:cdecl" is the return type; the remaining arguments are (type, value) pairs: the one-time
    ; token, then respond_with_json = 0 (False), so the credentials come back whitespace delimited.
    Local $aResult = DllCall("pbpspassthru.dll", "str:cdecl", "pbps_get_credentials", "str", $token, "bool", 0)
    ; DllCall returns 0 and sets @error when the DLL or export cannot be loaded.
    If @error Then Return SetError(1, 0, 0)
    ; $aResult[0] is the function's return value; split it into an array of credential fields.
    Local $credentials = StringSplit($aResult[0], " ")
    Return $credentials
EndFunc
pbps_get_credentials Function
char* pbps_get_credentials(char* token, bool respond_with_json)
Parameters
char* token = A one-time use token provided by Password Safe as the last command line argument passed to
the AutoIt script.
bool respond_with_json = A flag to toggle the format of the credentials. When this value is True the credentials
will be in JSON format. Otherwise, they will be a whitespace-delimited list.
Return Value
The token is sent to Password Safe to be validated.
• If the token is valid for the current session and has not been used the return value will be a string with
credentials in the desired format.
• If the token is invalid or has been used the return value will be NULL.
Tokens are validated and credentials are sent over an encrypted RDP virtual channel not visible to the end user.
Adding SAP as a Managed System
You can add your SAP environment to Password Safe management.
Password Safe supports SAP NetWeaver.
Requirements
• Instance Number - When adding the system to Password Safe you need to know the SAP instance number.
• Client ID - An ID that is unique to that SAP instance.
Note: The instance number and client ID are provided in an email when you purchase SAP.
• SAP permissions - The Password Safe functional account requires RFC privileges.
SAP RFC privileges are needed for password changes. RFC permissions assigned to the functional account
permit the password change. However, the password cannot be tested.
If an account has RFC privileges, that account can change its own password and the passwords of others. It can
also test its own password.
• The user name and password in Password Safe must be the same as in SAP.
Setting up the Functional Account
The functional account requires the Client ID.
All other settings are the typical functional account settings. See Creating a Functional Account.
Adding SAP
You must add SAP manually. You cannot add SAP using a Smart Rule.
To add SAP:
1. Go to the Assets page.
2. Select the asset where the SAP instance resides, and then select Add to Password Safe.
3. Select SAP from the Platform list.
4. Enter the instance number.
5. All other settings are the typical managed system settings. See Adding a Managed System.
Changing Passwords on Managed Accounts
The password on managed accounts can only be changed once a day. The current password is required to change
the password.
If you try to change the password more than once a day, a message is displayed indicating that the password cannot
be changed.
Adding a Cloud Application
Access policies can be configured for cloud applications. Requestors can request access to specific cloud sites and
launch a session through the Password Safe web portal. The sessions can be recorded and monitored live or
watched at a later date.
Note: Before configuring a Cloud account you must set up a Functional Account. Additionally, Office 365 requires
that both Microsoft Online Service Sign-in Assistant for IT Professionals RTW and Azure Active Directory
Module for Windows PowerShell be downloaded and installed before managing an Office 365 Account in
Password Safe. Both applications can be downloaded from the following address:
https://support.office.com/en-au/article/Managing-Office-365-and-Exchange-Online-with-Windows-PowerShell-06a743bb-ceb6-49a9-a61d-db4ffdf54fa6
The following Cloud applications are supported:
• Amazon Web Service
• Azure
• Facebook
• GoGrid
• Google
• Instagram
• LinkedIn
• Office 365
• Pinterest
• Rackspace
• Twitter
• XING
• Workday
• Dropbox
• Box
• Salesforce
To configure a cloud application:
1. In the console, click Configuration > PowerBroker Password Safe.
2. Click Applications
3. Click the + icon.
4. Enter a name for the application. Using the name of the application is recommended for transparency. The
following are optional categorization fields: Version, Publisher and Type.
5. The following fields are required:
– Alias - Combines the name and version entered by default but the field can also be edited to display any
desired alias.
– Application/Command - The path to the application. Such as:
C:\Users\Administrator\Desktop\autoit\ps_facebook.exe
– Command Line Parameters - The arguments to pass to the application. Default placeholders are:
username=%u password=%p and host=%h.
– Functional Account - Select a Functional Account. The Functional Account must already be created.
Note: A Functional Account is required for Office 365 and Amazon cloud accounts.
Once a cloud application is configured, accounts must be added manually on the Managed Accounts page.
1. Select Cloud from the menu.
2. Complete the fields as you would for a Managed System (see "Managed Systems").
Note: The cloud application Workday requires that you download and install the GeoTrustGlobal_CA.er
certificate before you can configure the cloud in BeyondInsight.
Requesting an Application Session
Applications, including Databases and Cloud, are available in the web portal after the initial set up.
To request an application session:
1. In the console, click Menu to expand, and then select Accounts.
2. Click Applications.
3. Click the application that you want to access.
4. Enter a reason.
5. Select the other parameters, if required.
6. Click Application Session.
7. Click a tab to display available applications: Applications, Databases and Cloud.
SSH and RDP Connections
In the Password Safe web portal, Requestors can request access to use SSH or RDP remote connections.
To permit remote connections, you must configure an access policy. For more information, see "Access Policies".
The following section provides additional information on setting up SSH or RDP connections.
Requirements for SSH
• You must install PuTTY to enable SSH functionality. Go to www.putty.org and download the software.
• If you are using a Windows 8 or Windows Server 2012 VMware virtual machine, VMware Tools installs itself as
a URL Handler for SSH and stops the sample registry script from working. You must remove the registry
variable:
[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMwareHostOpen\Capabilities\UrlAssociations]"ssh"="VMwareHostOpen.AssocUrl"
Supported SSH Client Ciphers
Authentication Methods: Password, Public key, Keyboard interactive
Encryption Algorithms: AES, Triple DES, Blowfish, blowfish-ct, blowfish-cbc,
Encryption Modes: CBC, CTR
Host Key Algorithms: RSA, DSS
Key Exchange Algorithms: Diffie-Hellman group 14, diffie-hellman-group1-sha1,
MAC Algorithms: MD5, SHA-1, SHA-2, HMAC-MD5, HMAC-MD5-96, HMAC-SHA1-96
Symmetric Key Algorithms: arcfour256, arcfour128, arcfour
The set of encryption algorithms and MAC algorithms that may be used by Password Safe is configurable via registry
keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\ciphers
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\macs
Each of these keys, if defined, must hold a multi-string value (REG_MULTI_SZ), with one algorithm name per line.
For example, 'ciphers' might be:
aes128-ctr
aes192-ctr
aes256-ctr
This would restrict the available encryption algorithms to those named. The restriction applies both to the
algorithms used between the client and Password Safe, and to the algorithms used between Password Safe and the
managed system.
Weak RSA server host keys shorter than 1024 bits are now rejected by default. Use the following registry key to change this setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshMinimumRsaKeySize (DWORD) = 1024 (minimum key size in bits)
Auto-Launch PuTTY Registry File
To launch the SSH Client automatically, the SSH protocol must be associated with an application. To register an
application such as PuTTY which is used in the example below, change the references to PuTTY to point to the
application.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\ssh]
@="URL:Secure Shell Protocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\ssh\DefaultIcon]
@="%%ProgramFiles%%\\PuTTY\\putty.exe"
[HKEY_CLASSES_ROOT\ssh\shell]
[HKEY_CLASSES_ROOT\ssh\shell\open]
[HKEY_CLASSES_ROOT\ssh\shell\open\command]
@="cmd /V:ON /s /c @echo off && set url=%1 && for /f \"tokens=1,2,3 delims=:/\" %%a in (\"!url!\") do set protocol=%%a&set host=%%b&set port=%%c && start \"\" \"%%ProgramFiles(x86)%%\\PuTTY\\putty.exe\" -P !port! !host!"
Supported SSH Session Protocols
You can use the following protocols with an SSH session: X11, SFTP, SCP.
You must use the Registry Editor to turn the settings on.
X11
The value is a <binary value> toggle.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_x11
SCP
The value is a <binary value> toggle.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_scp
SFTP
The value is a <binary value> toggle.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_sftp
Multiple SSH Sessions
To avoid a potential security risk, more than one SSH session is not permitted through one SSH connection.
You can turn on the following registry key to permit more than one session on a connection:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_multiplex = 1
Login Accounts for SSH Sessions
Creating a login account allows the user to open an SSH session in environments where remote shell access is not permitted for the target account, for instance the root account. The login account is used to establish the initial shell connection, and the session is then switched to the Managed Account.
This feature supports the following platforms: AIX, HPUX, Linux and Solaris.
Manually Enabling Login Accounts
To manually enable login accounts you must enable the function on both the Managed System and the Managed
Account you want to use for the SSH session.
1. Select the Managed System you want to use to log on to the SSH session.
2. Select the check box Enable Login Accounts for SSH Sessions.
3. Click Edit next to the Login Account field.
4. Create a login account the same way you would configure a Functional Account. This function will allow the
system to log on to the SSH session by bypassing the Functional Account.
5. Select Save.
6. Select the Managed Account that will be accessed using SSH sessions.
7. In the Managed Account Settings select the check box Enable Login Account for SSH Sessions. This will allow
this Managed Account to be used via Login Account for the SSH Session.
8. Select Save.
Enabling Login Accounts with a Smart Rule
For organizations managing many assets and accounts, Administrators can enable Login Accounts with a Smart Rule.
1. Create a Smart Rule to manage the assets which will be used to access the SSH session.
2. Select the action Manage Assets using Password Safe.
3. Select the platform and the functional account.
4. From the Enable Login Account for SSH Session list, select yes.
5. Select a login account.
6. Create a Smart Rule to manage the Managed Accounts which will allow users to login for an SSH session.
7. In the Perform Actions section, select Managed Account Settings.
8. Scroll to Account Options and select the check box Enable Login Account for SSH Sessions.
Direct Connect
You can use Direct Connect for remote session requests for SSH and RDP sessions. Direct Connect requests access to a Managed Account on behalf of the Requestor. The Requestor accesses the system without ever viewing the Managed Account's credentials.
If the Requestor is not granted Auto-Approval for a session, the user receives a message stating Request requires
approval. If the request is not approved within 5 minutes this connection will close. After 5 minutes the client
disconnects and the user can send another connection request. When the request is approved, the user is
automatically connected.
When there is an existing request for the system and account, the request is reused and the session created.
Requesting an SSH Session
The Requestor's information, including the Reason and the Request Duration, will be auto-populated with default
Password Safe settings.
Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections.
To request an SSH session using Direct Connect:
1. To access a Managed Account using Direct Connect, the Requestor has to connect to Password Safe's SSH
Proxy using a custom SSH connection string with the following formats:
For UPN credentials
<Requestor>+<Username@Domain>+<System Name>@<Password Safe>
For down-level logon names\non-domain credentials
<Requestor>@<Domain\\Username>@<System Name>@<Password Safe>
2. Override the default SSH port and enter port 4422. The Requestor will then be prompted to enter their
password which they use to authenticate into Password Safe.
Example For UPN credentials
ssh -p 4422 <Requestor>+<Username@Domain>+<System Name>@<Password Safe>
Example For down-level logon names\non-domain credentials
ssh -p 4422 <Requestor>@<Domain\\Username>@<System Name>@<Password Safe>
3. Once the Requestor is authenticated they will be immediately connected to the desired machine.
Requesting an RDP Session
Note: RDP Direct Connect only supports push two-factor authentication. An access-challenge response is not
supported.
Note: LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.
To request an RDP session using Direct Connect:
1. Click the arrow to download the RDP file from Password Safe.
This is a one time download. Each account and system combination requires that the user download the
unique RDP file associated with it.
2. Run the file to establish a connection to the targeted system.
3. The Requestor is then prompted to enter the password they use to authenticate into Password Safe.
Using a Two-Factor Authentication Token
RDP and SSH Direct Connect sessions support using a two-factor authentication token.
• RDP session - A delimiter (,) must be entered after you enter the password. For example, password,token
The delimiter can be changed using the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\2fa_delimiter
Note: The delimiter must be excluded from user logon passwords.
• SSH session - You are prompted to enter a token after you enter the password.
Troubleshooting Connections
If an SSH or RDP session fails to launch, ensure that the settings on the system match the criteria below:
Start Program - Edit Group Policy
Windows Settings - Security Settings - Local Policies
Security Options - Network Security: LAN Manager Authentication level
Send LM & NTLM - use NTLMv2 session security if negotiated
User account control: run all administrators in admin approval mode - must be DISABLED
Once you have configured the settings above, restart the machine.
If an SSH session fails to launch for a Linux system, ensure the following:
There is a home directory for the account used to log onto the system. Note that this may be the managed account or the login account (if configured).
Password Restrictions
On Windows 2008 and Windows 7 systems, RDP sessions will terminate when passwords are greater than 81
characters. The following are password limitations:
Windows 2008 and Windows 7 - Maximum characters allowed for a password is 81. Once a password exceeds 81
characters the user cannot log on with the selected account.
Windows 2012 - Maximum characters allowed for a password is 127. Once a password exceeds 127 characters,
the user cannot log on with the selected account.
RDP Sessions
Certificate Authentication
To ensure secure communications, an RDP session uses the same certificate as the certificate created for the web
portal. The certificate supports SSL/TLS authentication types.
Creating a Certificate and Adding to the BeyondInsight Server
To avoid certificate error messages when initiating an RDP session, create a certificate signed by a valid Certificate
Authority for the BeyondInsight server, then add that certificate and the certificate chain to the BeyondInsight
server Certificate stores.
Use the following high-level steps as guidance.
Create the Certificate Request
1. On the BeyondInsight server, open IIS Manager.
2. On the local host node, select Server Certificates, and then select Create Certificate Request.
3. Go through the Request Certificate wizard.
– Note that the Common Name equals the server name or the IP address depending on the URL you are
using for the BeyondInsight logon page.
For example, server name could be an IP address, the server short name or a fully qualified domain name:
https://<server name>/webconsole
common name = <servername>
– On the Cryptographic Service Provider Properties page, be sure to select bit length: 2048
4. Enter a file name for the certificate request and set the location to the desktop.
Signing the Certificate
The procedure for signing the certificate varies depending on your company’s CA implementation.
1. Go to your Certificate Authority website.
2. On the Certificate Request or Renewal Request page, copy the text from the certificate request file.
– Be sure to select Web Server as the Certificate Template type.
3. After you click Submit, download the certificate and certificate chain to your desktop.
4. Copy the files to the BeyondInsight server desktop. This will be the Server Certificate.
5. Go to IIS Manager on the BeyondInsight server, and click Complete Certificate Request.
6. On the Specify Certificate Authority Response page, find the file on your desktop, enter a friendly name, and
use the default Personal certificate store.
Bind the Server Certificate to the Default Web Site in IIS
1. Right-click Default Web Site, and then select Edit Bindings.
2. Select https on port 443, and then click Edit.
3. From the SSL certificate list, select the Server certificate created earlier, and then click OK.
Add certificate chain through mmc
1. On the BeyondInsight server, open mmc and add the Certificates snap-in (select Computer account).
2. Go to and expand Trusted Root Certification Authorities.
3. Right-click Certificates > All Tasks > Import.
4. Go through the Certificate Import wizard to import the certificate chain file (created earlier).
– Select the appropriate file extension.
– Be sure to store the certificate in Trusted Root Certification Authorities.
Smart Sizing
When in an RDP session, the user can choose to smart size the client window so that no scroll bars display.
Configure smart sizing on the Session Monitoring Configuration page.
Font Smoothing
Font smoothing is turned on by default.
To turn off font smoothing, change the following registry key value from 0 to 1.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\disable_font_smoothing = 1 (DWORD)
Configuring Ports
Ports can be configured using the BeyondInsight Configuration tool.
Scroll to the Password Safe section in the tool to set all port values.
These ports are configurable under Global Settings. The default inbound port connections to the Password Safe
proxy:
RDP - 3389
SSH - 4422
Adding Databases
There are two ways to discover and manage database instances:
• Auto-management – Use for SQL Server and Oracle
• Manual management – Use for MongoDB, MySQL, Sybase ASE, Teradata
Auto Discovery and Management for Database Instance
The following scan templates include database instance data in the scan results:
• All Audit Scan
• Asset Report Scan
After you run a scan, the assets are displayed on the Assets page. At this point, you can create a Smart Rule to
manage the database instances.
1. Select Databases from the menu and then create a Smart Rule to manage the database instances.
2. Go to the Smart Rules Manager and create an asset-based Smart Rule.
3. From the Asset Selection Criteria, select Address Group and select the group that includes the database
instances.
4. In the Perform Actions section, select the database platform and functional account:
5. Scroll to the right and ensure the default port number for the database platform is entered:
– Oracle: 1521
– SQL Server: 1433
6. Select Save.
Note: To verify your instances are managed, go to the Assets page, select the Smart Group, and select Databases
from the menu.
Manual Management for Database Instances
You can manually add the following database instance types. When selecting the database platform ensure the
correct port number is displayed.
• Mongo - 27017
• SQL Server - 1433
• MySQL - 3306
• Oracle - 1521
• PostgreSQL - 5432
• Sybase ASE - 5000
• Teradata - 1025
To add a database instance manually:
1. Log on to BeyondInsight.
2. Select Assets, and then click Scan.
3. Select the Discovery Scan report under Assets or Detailed Discovery Scan under PowerBroker for Windows.
Create a Smart Group that will show all of the database servers.
4. Click Assets, then choose Manage Smart Rules and New.
5. Select the Ports criteria and the port group that you just created in the step above “i.e. Database ports”.
6. Run the scan against your IP address range. At the end of the scan, all of the database servers should be added
to the Smart Group above:
7. Associate a database with each asset that you want to manage:
a. Select the asset where a database instance is installed and select Add Database from the Show Action
Menu.
b. Select a database platform.
– When adding a SQL Server database, you can optionally select the Default check box rather than
enter an instance name.
The default instance name for the SQL Server database will then be used and the Instance Name will
be displayed as (default) on the Databases page, as shown:
– When adding an Oracle database, you can use the default Connector Descriptor to use a basic connection string, or you can provide an alternate connection string (for example, if using tnsnames in your environment) by selecting Use Alternate. Click the question mark to view the allowed tags, and click Get Default to have the default connection details populated in the box, where you can edit them as required for your environment.
Note: Connector Descriptor is only accessible when adding a new database instance manually OR when editing a pre-existing database instance from asset details using the AssetWizard. Managed System Settings for the database instance does not show the Connector Descriptor details.
Database instances that existed prior to upgrading to release 6.8 are already configured to work with the default connection type, as shown in the example below:
c. On the Assets page, select Databases from the list to display the new database. Select Edit Password Safe
Details.
d. In the System tab, select a functional account and click Test. If the test was successful, a green check is
displayed as shown in the screen shot.
Note: If the test fails, verify that the correct port is used for the database and the functional account has
required permissions in place.
e. Click Save.
8. Create a rule that will enumerate all of the user’s accounts from this database and will add them for Password
Safe management automatically.
9. Create an asset-based Smart Rule with the criterion Password Safe Platform is SQL Server. The actions should be:
– Action #1: Manage Assets using Password Safe. Select the functional account, which should have rights in the target MS-SQL instance, and a Password Rule.
– Action #2: Manage Password Safe Accounts. Select the SQL Server platform, enable the Discover Accounts check box, and select Include all accounts. With these settings, Password Safe discovers all of the user accounts in the target database and adds them for management (except the account used as the functional account).
10. Click Save. After a few minutes you can see whether the rule has worked by going to the Managed Accounts page and selecting Database Managed Accounts under platforms:
Managing Database Instance Accounts
Once the database instances are managed, create a Managed Accounts Smart Rule to manage the database instance accounts. The steps are the same for both auto-discovered and manually added database instances.
1. In the Smart Rules Manager for Managed Accounts, select the criteria that will match on the database instance
account name.
2. Select Yes from the Discover accounts for Password Safe Management list.
3. From the Discover accounts from list, select the address group where the database instance resides.
Note: If you have named Functional Accounts (which are not defaults), you should remove them from management by using a Managed Account Field filter, as shown:
4. In the Perform Actions section, select Show managed account as a Smart Group.
5. Select Manage Account Settings, select a password rule, choose whether to Auto-Manage the Accounts, and select your criteria.
6. Click Save.
Creating a Functional Account for a SQL Server Database
When you are adding SQL Server as a managed system, you must first create a Security login in SQL Server that you
will use for the functional account.
Permissions and Roles in SQL Server
The following roles and permissions are required for the functional account:
• Server roles – public
• ALTER ANY LOGIN
• CONNECT SQL
Applying Permissions to a Functional Account
The following code samples show you how to apply the required permissions to the functional account.
GRANT CONNECT SQL TO [FunctionalAccountName];
GRANT ALTER ANY LOGIN TO [FunctionalAccountName];
Creating the Account in SQL Server
To create the SQL Server account:
1. Connect to a database as the SQL Server sa on the asset you have managed.
2. Expand Security and expand Logins.
3. Right-click Logins and select New login.
4. Enter a Login name and select SQL Server Authorization.
5. Enter and confirm a password. Configure the user as desired.
6. Click OK.
7. To configure the user, right-click the user and select Properties.
8. Select Server Roles, and ensure the public role is selected:
9. Select Securables, and then click the Search button.
10. Select the server instance and click OK.
11. From the list of permissions, ensure the Alter any login and Connect SQL are selected for Grantor sa.
12. Click OK.
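The same login can be created and checked from T-SQL instead of the SSMS dialogs. The following is an added example, not code from the BeyondTrust guide; the login name PSafeFunctional and the password are placeholders, and the final queries verify that the login holds exactly the two permissions listed above and nothing more.

```sql
-- Added example (not from the BeyondTrust guide): create the SQL Server
-- functional account with only the permissions the guide lists, then verify
-- that nothing beyond those permissions has been granted.
-- PSafeFunctional and the password are placeholders (assumptions).
USE master;
GO

-- 1. SQL-authenticated login. CHECK_POLICY keeps the account subject to the
--    host's password policy; expiration is off because Password Safe rotates it.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'PSafeFunctional')
    CREATE LOGIN [PSafeFunctional]
        WITH PASSWORD = N'<replace-with-strong-placeholder-password>',
             CHECK_POLICY = ON,
             CHECK_EXPIRATION = OFF;
GO

-- 2. Exactly the two server-level permissions the guide requires.
GRANT CONNECT SQL TO [PSafeFunctional];
GRANT ALTER ANY LOGIN TO [PSafeFunctional];
GO

-- 3. Verification: every explicit server permission held by the login.
--    Expected rows: CONNECT SQL and ALTER ANY LOGIN, both with state GRANT.
SELECT pr.name AS login_name,
       pe.permission_name,
       pe.state_desc
FROM sys.server_principals pr
JOIN sys.server_permissions pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'PSafeFunctional'
ORDER BY pe.permission_name;

-- 4. Fixed server role membership. An empty result is the correct outcome:
--    public membership is implicit and is never recorded here.
SELECT r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'PSafeFunctional';

-- 5. Fail loudly if someone has made the functional account sysadmin,
--    which the rotation workflow never needs.
IF IS_SRVROLEMEMBER('sysadmin', 'PSafeFunctional') = 1
    RAISERROR(N'Functional account must not be a member of sysadmin', 16, 1);
GO
```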
SQL Server Instance Port Retrieval
Retrieving a port number on a managed database instance.
To configure a Microsoft SQL Server database for Password Safe:
Note: This query is for a created instance only. You do not need to provide a port number for the default
instance.
1. Create an instance on SQL Server.
2. Once the instance is running, go into the database and select New Query.
3. Execute the following query as shown on separate lines:
GO
xp_readerrorlog 0, 1, N'Server is listening on'
GO
4. Open BeyondInsight, find the asset where the SQL Server database is installed.
5. Select the "i" icon to show asset information. Click the Edit button to open the AssetWizard.
6. Select Next until you reach the Databases page.
7. Select Add and fill out the fields with the applicable system information. Enter the port number retrieved from
the SQL query and select Save.
8. Select the Assets menu, and then select Databases.
9. The new database is displayed. Click the arrow for the database instance, and then select Add to Password
Safe. Fill out the details required for the managed system settings.
10. Create a functional account using the System Admin credentials from the SQL Server. Enter the appropriate
information from your SQL Server and select Save.
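The error-log search in step 3 can be cross-checked against the instance's live listener state, which still works when the error log has been cycled. This is an added example, not from the BeyondTrust guide; it assumes you run it against the named instance itself and hold VIEW SERVER STATE for the second and third queries.

```sql
-- Added example (not from the BeyondTrust guide): three ways to retrieve the
-- TCP port of a named SQL Server instance for entry in the AssetWizard.
-- Assumes the session is connected to the instance being configured.

-- 1. The guide's approach: search the current error log (log 0, type 1 =
--    SQL Server log) for the listener lines written at service start, e.g.
--    "Server is listening on [ 'any' <ipv4> 1433]."
EXEC master.dbo.xp_readerrorlog 0, 1, N'Server is listening on';
GO

-- 2. Live listener table (SQL Server 2012 and later, needs VIEW SERVER STATE).
--    type_desc = 'TSQL' excludes Service Broker and mirroring endpoints; the
--    port column is the value to enter in Password Safe. Dynamic ports show up
--    here even when the error log no longer has the startup lines.
SELECT ip_address, port, state_desc, start_time
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL'
ORDER BY port;
GO

-- 3. The port your own connection arrived on. local_tcp_port is NULL when
--    the connection uses shared memory or named pipes, so connect over TCP
--    (e.g. tcp:host\instance) for this query to be meaningful.
SELECT @@SERVERNAME AS instance_name, local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
GO
```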
Adding a PostgreSQL Database Instance
A PostgreSQL database instance must be added manually.
Before adding the instance to Password Safe management, you must create an account in PostgreSQL that will be the functional account in Password Safe.
Creating Accounts in PostgreSQL
The following instructions are guidance only. For more information about how to create an account, refer to the
PostgreSQL documentation.
To create the account with appropriate level permissions:
1. Run pgadmin from the icon on the tray.
2. Right-click Login/Group roles, and then select Create.
3. Enter a name. This will be the functional account.
4. On the Privileges tab, ensure the following permissions are in place for the functional account:
Login, Create role, Inherit rights from parent roles
5. Right-click Login/Group roles, and then select Create.
6. Enter a name. This will be the managed account.
7. On the Privileges tab, ensure the following permissions are in place for the managed account:
Login, Inherit rights from parent roles
You also need to know the database instance name and the port number.
In pgadmin, click Object and then select Properties, Connection tab.
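The pgAdmin steps above map directly onto CREATE ROLE attributes. The following is an added example, not from the BeyondTrust guide; the role names psafe_functional and app_user and the passwords are placeholders, and the pg_roles query verifies the attributes the guide asks for.

```sql
-- Added example (not from the BeyondTrust guide): create the PostgreSQL
-- functional and managed roles with the privileges the guide lists, then
-- verify the role attributes. psafe_functional, app_user and the passwords
-- are placeholders (assumptions).

-- Functional account: Login, Create role, Inherit rights from parent roles.
-- NOSUPERUSER is explicit so a reviewer can see it was never intended.
CREATE ROLE psafe_functional WITH
    LOGIN
    CREATEROLE
    INHERIT
    NOSUPERUSER
    PASSWORD '<functional-placeholder-password>';

-- Managed account: Login and Inherit rights from parent roles only.
CREATE ROLE app_user WITH
    LOGIN
    INHERIT
    NOCREATEROLE
    NOSUPERUSER
    PASSWORD '<managed-placeholder-password>';

-- Verification: both rows must show rolcanlogin = t, rolinherit = t and
-- rolsuper = f; only psafe_functional may show rolcreaterole = t.
SELECT rolname, rolcanlogin, rolcreaterole, rolinherit, rolsuper
FROM pg_roles
WHERE rolname IN ('psafe_functional', 'app_user')
ORDER BY rolname;

-- Why CREATEROLE is required: it lets the functional account rotate the
-- managed account's password without being a superuser. Run as
-- psafe_functional to confirm the rotation path works before handing the
-- instance to Password Safe:
--   ALTER ROLE app_user PASSWORD '<new-placeholder-password>';
-- Note: from PostgreSQL 16 onward CREATEROLE only grants control over roles
-- the functional account created or holds ADMIN OPTION on, so on those
-- versions create app_user while connected as psafe_functional.
```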
Adding the PostgreSQL Instance to Password Safe
To add a PostgreSQL instance:
1. Scan the asset where the PostgreSQL instance resides.
2. Go to the Assets page.
3. Select the asset, and then select Add Database from the menu.
4. Set the following:
– Instance Name - Enter the instance name.
– Platform- Select PostgreSQL.
– Version - Optional. Enter the PostgreSQL version number.
– Port - Default port value is 5432.
5. Click Save.
6. On the Assets page, select the asset, and then select Databases from the menu.
The database instance must be added to Password Safe management.
7. Select the instance, and then select Add to Password Safe.
8. On the Managed System Settings dialog box, click Add to enter the functional account details.
9. Click + to add the Functional Account information for a PostgreSQL account. Be sure to select PostgreSQL as
the platform.
10. Click Save and close the window.
11. Select the new functional account from the list and click Test. A green check indicates success.
12. Click Save on the Managed System Settings dialog box.
Configuring Settings on the Oracle Platform
When you are adding Oracle as a Managed System:
• Add the Functional Account to the console.
• Add the Functional Account to the Oracle User list in Oracle.
• Set the IP address for the host in Oracle NetManager.
Adding the Functional Account
To configure the functional account:
1. Select Configuration > PowerBroker Password Safe.
2. Click Functional & Login Accounts, and then click +.
3. Select Oracle from the Platform list.
4. To assign the SYSDBA role to the functional account, select SYSDBA from the Privilege list, and then enter the
user name and password.
Note: The SYSDBA role is required if you use the SYS Oracle account as the functional account.
5. Continue to set the remaining options. For more information, see Creating a Functional Account.
When adding the Oracle platform as a managed system, be sure to select the SYSDBA functional account:
Permissions for the Functional Account in Oracle
In Oracle Enterprise Manager, the functional account (other than SYS) must be added to the Oracle User list.
The user account must be assigned the following Privileges & Roles:
– ALTER USER
– CONNECT
– SELECT ON DBA_USERS - Required for autodiscovery of Oracle instance managed accounts.
Creating the Functional Account in Oracle
To create a functional account in Oracle:
CREATE USER [FunctionalAccountName] IDENTIFIED BY password;
GRANT CONNECT TO [FunctionalAccountName];
To grant permission to the functional account to change passwords on a managed account:
GRANT CONNECT TO [FunctionalAccountName];
GRANT ALTER USER TO [FunctionalAccountName];
GRANT SELECT ON DBA_USERS TO [FunctionalAccountName];
Setting Up the Host
On the Oracle platform, you must configure the following settings.
• In Oracle NetManager, the host name IP address must be explicitly set as a listener.
• Also in Oracle NetManager, set the service name as the host name IP address.
Using Encrypted Connections
Password Safe supports Oracle database connections that are configured to use encryption. Using encryption is
optional.
The following encryption protocols are supported:
AES128, AES192, AES256, RC4_128, RC4_256, 3DES112, 3DES168
Configure encryption using Oracle NetManager.
The following section is provided for guidance only. For more information, refer to Oracle product documentation.
On the Profile node, select Network Security and then set the following:
On the Integrity tab, select:
– Server from the Integrity menu
– required from the Checksum Level menu
– SHA256 as the method
On the Encryption tab, select:
– Server from the Encryption menu
– required from the Encryption Type menu
– AES256 as the method
Note: If you select required for Checksum Level and Encryption Type, you must enter an encryption seed in the
sqlnet.ora file.
Setting up a TOAD® Connection
Password Safe supports connections to TOAD® for Oracle and TOAD® for SQL Server.
To use TOAD with Password Safe:
• A Password Safe managed system must be configured with Remote Desktop Services and RemoteApp. TOAD
must be configured in RemoteApp to allow for arguments to be passed.
• The database that TOAD will connect to must be managed in Password Safe.
Configuring a TOAD Connection
Before you can set the connection details for TOAD, a functional account must be created.
To create the connection:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Select TOAD®.
3. Click +, and then select a platform: Oracle, SQL Server, PostgreSQL.
4. You must enter an alias. It will be a unique name for the system in Password Safe. You cannot have duplicate
aliases.
5. The following fields are required:
– Application/Command - The path to the TOAD application. For example, C:\Program Files\Dell\Toad for Oracle 12.6 Freeware\Toad.exe.
– Functional Account - Select the functional account from the menu.
– Terminal Services System - The Terminal Services System must have TOAD configured. When starting a
TOAD application session, an RDP session connects to this Terminal Services System and starts the
application.
6. Click Update.
Note: You must ensure that the user requesting the TOAD connection is granted the TOAD/Application access
policy.
Requesting a TOAD Connection
When requesting an application session:
• TOAD for Oracle users can select the system in the Password Safe web portal and then click Application
Session.
• TOAD for SQL Server users must retrieve a password before starting the application session:
Adding a Custom Platform
On the Custom Platform page, add an SSH or Telnet platform tailored to your environment. Password Safe contains
several built-in SSH and Telnet platforms such as Linux, Solaris, and Cisco that are designed for the most common
configurations. A custom platform can be created to overcome advanced configurations that are not supported by
the built-in platforms, or for a platform that is currently not supported by Password Safe.
Custom and built-in platforms work the same way by connecting to a remote SSH or Telnet server and waiting for a
response. Once a response is received a regular expression is evaluated against the response and the platform
replies with a command that will start the process of changing a password on the relevant system.
Creating a Custom Platform
To create a custom platform to add as a Password Safe Managed System:
1. In the console, select Configuration > PowerBroker Password Safe.
2. Select Custom Platforms, and then click the + icon.
3. From there you must configure two tabs to add the platform.
4. The following details the actions required to configure each screen for a custom Linux platform.
Configure the Options Tab
On the Options tab the following fields are available:
– Platform Name - The given name will appear in the Platform lists throughout the application and must be
unique.
– Telnet/SSH - Indicates what protocol the custom platform will use.
– Port - Use the default port for SSH or Telnet. Optionally, enter a port to test the settings.
– Prompt RegEx - Regular expression that will evaluate to the shell prompt of the remote system, e.g. ~ ]#.
– Config Prompt Regex / Elevated Prompt RegEx - These two regular expressions are mainly meant for
network appliances that have multiple prompts depending on a mode.
– End of line - The end of line field specifies how the platform will indicate to the SSH or Telnet server that it
is sending a command. The default is the carriage return character (\r).
– Exit Command - Use an exit command to close the session.
– Elevation Command - Enter an elevated account such as sudo or sudoer to elevate the Functional Account
permissions.
– Interrupt - Use a UNIX or Linux interrupt command to stop the SSH or Telnet session.
– Password Command - Enter the command to change the password.
– Active - The custom platform is activated in the system when the Active check box is selected.
– Enable Logon Account - Select the check box to display the logon account option on the Managed Systems
Settings page. Use this feature when another account (not the Functional Account) is used to log on to the
managed system.
– Enable Jump Host - If you are using the elevated credential pbrun jumphost, you can configure the
PowerBroker for UNIX & Linux policy server host name to connect to. Select the check box here, then go to
the Check Password tab to enter the policy server host name details.
Configure the Steps Tab
On the Steps tab, define the responses that you expect from the server and the replies that the platform will send.
The options include two groups: After Login and Error Handling.
In the Linux example below, the first expect statement matches the regular expression Enter your reason for
login: and replies with changing password if there is a match.
Before configuring the Steps tab, select the Steps Type from the list. The template changes depending on the
selection:
Change Password - Manually change the password for the custom platform.
Check Password - Tests the password by attempting a log on.
Change Public Key - Runs a script to replace the public key.
To configure the Steps tab:
1. Use the default statement group to start the custom platform. Additional groups can be created as required.
2. To create a new statement group, hover the cursor to the far right of an existing group name and click the +
icon.
3. To edit the name of a statement group, hover the cursor over the group name, click in the field, and enter the
new name.
4. Enter an expect statement. There are two ways to populate the expect field:
a. Type text or a regular expression in the field
b. Use a template:
– Click in the field and select a template from the resulting list
– Click Insert template field button to insert the template
5. Enter a response statement. There are two ways to populate the response field:
a. Type text or a regular expression in the field
b. Use a template:
– Click in the field and select a template from the resulting drop down
– Click Insert template field button to insert the template
6. The response type can be changed by selecting an option from the send response list. If goto is selected, you
must select a statement group from the resulting list.
7. Error handling is selected by default; clear it if error handling is not required. If error handling is activated,
ensure an error message is entered in the Error handling expect statement.
8. To add expect statements hover the cursor to the right of the Error handling check box and click the + icon.
9. Click Create.
The following is an explanation of the functionality for each aspect of the Steps tab.
1. Error Handling - With the Error handling check box selected, when a response arrives from the server all of
the statements in the error handling section are evaluated before the group's own statement (here, “Enter your
reason for login:”). For example, when the platform connects to the remote SSH server, the SSH server replies with:
Welcome to Linux Mint
* Documentation: http://www.linuxmint.com
Last login: Mon Apr 13 10:45:51 2015 from dev-machine
Enter your reason for login:
The platform will then try to find a match in the following order:
- BAD COMMAND
- Usage:
- BAD PASSWORD
- Enter your reason for login:
If a match is found for Enter your reason for login: then the platform replies with changing password. The
platform then expects the SSH server to send back the shell prompt, and the platform replies with
passwd <<manacctname>>.
2. Template fields - Tags such as <<manacctname>> are template fields that can be inserted into the expect box
and the response box. When the platform is communicating with the remote server, it replaces the tags with
data: in the above example <<manacctname>> is replaced by the managed account associated with the
platform, and if a prompt is defined on the Options tab as ~]$ the platform converts the tag <<prompt>> to
this value when it is evaluating the regular expressions.
3. Expect Statement - It is recommended to include the prompt in the regex of the expect field to ensure the
platform waits until all the data from the previous command is read from the target system before moving to
the next statement.
The final expect statement expects all authentication tokens updated successfully and finishes with success.
When you create a custom platform you must be able to detect when a password has been successfully
changed on the remote server. When you have detected this event, set the action list to finish with success.
4. Goto statements - The flow jumps to the group specified by the goto statement. Flow does not return to the
original group. If a group is to be used as a goto, it should be designed such that the intended task of the
platform is completed here.
Change Password and Check Password Tabs
After filling out the fields on the tab, Password Safe tests the credentials: it logs on to the host using the Managed
Account name and follows the configuration provided on the Steps tab.
1. Select the tab and enter the host and functional account.
2. If you are using the elevated credential pbrun jumphost, enter the IP address for the PBUL policy server.
Ensure the Enable Jump Host check box is selected on the Options tab. Otherwise, the Jump Host box is not
displayed.
3. Use the default port for SSH or Telnet. Optionally, enter a port to test the settings.
4. In the Elevation Command box, enter an elevated account such as sudo or sudoer to elevate the Functional
Account permissions.
5. Provide a Managed Account name and a new password to complete the test.
6. Click Change Password or Check Password button.
7. When the test returns a successful connection, go to the Options tab and select the Active check box. Click the
Create button. You can then select the Custom Platform in the Systems Settings when you configure the
platform to be managed by Password Safe.
Cloning a Custom Platform
Cloning a custom platform speeds and simplifies configuration.
Note: Built-in platforms can be cloned but not deleted.
1. To clone a custom platform, select Clone next to the platform name.
2. Enter a name in the Clone Name box.
3. Select Clone.
Exporting a Custom Platform
Exporting a custom platform is an option available to assist with troubleshooting.
1. Select the platform.
2. Click the Tools tab.
3. Click the Export button.
Importing a Custom Platform
1. Select the + icon in the Custom Platform list and select Import.
2. A file browser opens; select a platform file. If the platform exists in the Custom Platform list, the import
modifies the existing platform. If the platform is not currently in the Platform list, it creates a new Platform
entry.
Example of Linux Platform
In this short synopsis of the Linux platform you can see how it works by expecting data and responding to the data
based on the evaluation of regular expressions. It examines the output of each command to determine if an error
occurred or if it can continue sending replies to the server.
• Platform establishes a connection to the remote SSH server with the provided credentials.
• SSH server replies with:
Welcome to Linux Mint
* Documentation: http://www.linuxmint.com
Last login: Mon Apr 13 10:45:51 2015 from dev-machine
dev@dev-machine ~ ]#
• The platform evaluates a regular expression looking for the shell prompt “~]#” and replies with the passwd
command for the specified managed account.
passwd managedaccount complexpassword
• If the arguments passed to the passwd command are valid the server will reply with:
Enter new Unix Password:
The platform waits for the server’s response and evaluates a regular expression looking for “Enter new Unix
Password”. If the response is not “Enter new Unix Password”, then the platform looks for other possible responses
such as “User does not exist”. If this regular expression evaluates to true, then the platform exits with an error. If
the regular expression “Enter new Unix Password” evaluates to true, then the platform replies with the new
password.
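The expect/response flow described in the Steps tab section and in the Linux example above, as an added Python simulation (not Password Safe code and not the product's own platform format): error handling statements are evaluated before the group's own statement, <<manacctname>> and <<prompt>> tags are filled from the platform settings, a goto jumps to another statement group without returning, and the run ends with finish with success or with an error. The ScriptedServer stand-in for the SSH host, the <<newpassword>> tag, the group names and the passwd transcript are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Statement:
    """One Steps tab row: an expect regex plus the reply or action taken on a match."""
    expect: str            # regular expression; may contain <<tag>> template fields
    action: str = "send"   # "send", "goto", "success" (finish with success) or "error"
    response: str = ""     # text sent when action == "send"; may contain <<tag>> fields
    target: str = ""       # statement group to jump to when action == "goto"

@dataclass
class CustomPlatform:
    prompt_regex: str                    # Options tab: Prompt RegEx
    groups: Dict[str, List[Statement]]   # Steps tab statement groups
    error_handling: List[str]            # regexes evaluated before the group's own statement
    end_of_line: str = "\r"              # Options tab: End of line

def fill_tags(text: str, tags: Dict[str, str]) -> str:
    """Replace <<tag>> template fields (e.g. <<manacctname>>) with their values."""
    return re.sub(r"<<(\w+)>>", lambda m: tags.get(m.group(1), m.group(0)), text)

class ScriptedServer:
    """Constructed stand-in for the SSH host: a banner, then scripted (command, reply) pairs."""
    def __init__(self, banner: str, script: List[Tuple[str, str]]):
        self._pending, self._script = [banner], list(script)
        self.sent: List[str] = []        # commands received, for inspection

    def recv(self) -> Optional[str]:
        return self._pending.pop(0) if self._pending else None

    def send(self, raw: str) -> None:
        cmd = raw.rstrip("\r\n")
        self.sent.append(cmd)
        if self._script and self._script[0][0] == cmd:
            self._pending.append(self._script.pop(0)[1])
        else:                            # anything unscripted is answered with an error
            self._pending.append(f"BAD COMMAND: {cmd}\n")

def run_platform(platform: CustomPlatform, server: ScriptedServer, tags: Dict[str, str],
                 start_group: str = "After Login", max_turns: int = 20) -> Tuple[str, str]:
    """Drive the Steps tab against the server; returns ("success"|"error", reason)."""
    tags = dict(tags, prompt=platform.prompt_regex)   # <<prompt>> comes from the Options tab
    group, cursor, buffer = start_group, 0, ""
    for _ in range(max_turns):
        chunk = server.recv()
        if chunk is None:
            return "error", "no more data from server"
        buffer += chunk
        # Error handling statements are evaluated before the group's own statement.
        for pattern in platform.error_handling:
            if re.search(fill_tags(pattern, tags), buffer, re.S):
                return "error", pattern
        while True:
            if cursor >= len(platform.groups[group]):
                return "error", f"group {group!r} ended without finishing"
            stmt = platform.groups[group][cursor]
            if not re.search(fill_tags(stmt.expect, tags), buffer, re.S):
                break                                # keep waiting for more output
            if stmt.action in ("success", "error"):
                return stmt.action, f"finish with {stmt.action}"
            if stmt.action == "goto":
                group, cursor = stmt.target, 0       # flow never returns to this group
                continue                             # re-evaluate the same output there
            server.send(fill_tags(stmt.response, tags) + platform.end_of_line)
            cursor, buffer = cursor + 1, ""
            break
    return "error", "turn limit reached"

def linux_platform() -> CustomPlatform:
    """The guide's Linux example as statements (constructed for this example)."""
    return CustomPlatform(
        prompt_regex=r"~ \]#",
        groups={
            "After Login": [
                Statement("Enter your reason for login:", response="changing password"),
                Statement("<<prompt>>", action="goto", target="Change Password")],
            "Change Password": [
                Statement("<<prompt>>", response="passwd <<manacctname>>"),
                Statement("Enter new Unix Password", response="<<newpassword>>"),
                Statement("Retype new Unix Password", response="<<newpassword>>"),
                # Include the prompt so all passwd output is read before finishing.
                Statement("all authentication tokens updated successfully.*<<prompt>>",
                          action="success")]},
        error_handling=["BAD COMMAND", "Usage:", "BAD PASSWORD", "does not exist"])

# Constructed transcript modelled on the guide's Linux Mint example.
PROMPT = "dev@dev-machine ~ ]# "
LINUX_BANNER = ("Welcome to Linux Mint\n * Documentation: http://www.linuxmint.com\n"
                "Last login: Mon Apr 13 10:45:51 2015 from dev-machine\nEnter your reason for login: ")
TAGS = {"manacctname": "managedaccount", "newpassword": "Example-Pw-2015"}  # constructed
SUCCESS_SCRIPT = [("changing password", PROMPT),
                  ("passwd managedaccount", "Enter new Unix Password: "),
                  (TAGS["newpassword"], "Retype new Unix Password: "),
                  (TAGS["newpassword"], "passwd: all authentication tokens updated successfully.\n" + PROMPT)]
FAILURE_SCRIPT = [("changing password", PROMPT),
                  ("passwd managedaccount", "passwd: user 'managedaccount' does not exist\n" + PROMPT)]
```

Running `run_platform(linux_platform(), ScriptedServer(LINUX_BANNER, SUCCESS_SCRIPT), TAGS)` returns ("success", "finish with success"), while the failure transcript stops at the "does not exist" error handler before any further reply is sent.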
Working with Smart Rules
You can use Smart Groups to onboard assets, platforms and accounts to Password Safe. The filters that you
configure in the Smart Group determine the assets that will be added to the management console.
You can use Smart Rules to onboard:
• Systems, including any of the platforms listed under Supported Platforms
• Databases
• Local Linux and Windows accounts (scanned in and manual)
• Active Directory accounts (manually only using an Active Directory query)
• Dedicated accounts (manually using a query)
Note: The settings in a Smart Rule override the settings on the Managed System Settings page.
This section provides information on how you can use Smart Groups with Password Safe. For more information, refer
to the BeyondInsight User Guide.
Overview
There are three types of Smart Rules available with a Password Safe license: Asset based Smart Rules, Vulnerability
based Smart Rules and Managed Accounts based Smart Rules.
Predefined Smart Groups
By default there are Smart Groups already defined and created.
The following tables list Smart Groups useful in Password Safe environments.
Table 1. Asset Based Smart Groups (Smart Group (Category) - Definition)
• All Assets in Password Safe (Assets and Devices) - All assets under Password Safe management.
• Recent Assets not in Password Safe (Assets and Devices) - All assets discovered in the last 30 days that have not
yet been added to Password Safe.
• Recent Non Windows Assets not in Password Safe (Assets and Devices) - All non-Windows assets discovered in
the last 30 days that have not yet been added to Password Safe.
• Recent Windows Servers not in Password Safe (Servers) - Windows servers discovered in the last 30 days that
are not added to Password Safe.
• Recent Virtual Servers not in Password Safe (Virtualized Devices) - Virtualized server assets discovered in the
last 30 days that are not yet added to Password Safe.
Table 2. Managed Accounts Smart Groups (Smart Group - Definition)
• All Managed Accounts
• Recently Added Managed Accounts - Filters on managed accounts added less than 30 days ago.
• Database Managed Accounts - Filters on the database platform and includes SQL Server and Oracle platforms.
• Hardware Device Managed Accounts - Filters on hardware devices including Dell DRAC and HP iLO platforms.
• Linux Managed Accounts - Filters on the Linux platform.
• Mac Managed Accounts - Filters on the Mac OSX platform.
• Unix Managed Accounts - Filters on the UNIX platform.
• Windows Managed Accounts - Filters on the Windows platform.
Considerations When Designing Smart Rules
• The filter criteria are processed hierarchically. When creating the filter structure, place the filters that reduce
the largest number of entities at the top of the hierarchy.
• When onboarding Active Directory accounts using an LDAP query, ensure the query is as restrictive as possible.
For example, configure the query on a smaller set of data in your environment.
• When onboarding, be cautious about creating more than one Smart Rule with the same systems or accounts. If
the Smart Rules have different actions, they will continually overwrite each other in an endless loop.
• External delays on Smart Rules. When a Smart Rule depends on an external data source, like LDAP, processing
can take longer. For example, a directory query that uses the discover accounts feature (managed account
Smart Rule) or the discover assets feature (Asset Smart Rule).
Smart Rule Processing
A Smart Rule processes and updates the information in the Smart Group when certain actions occur.
The actions might be any of the following:
• The Smart Rule is edited and saved in the Smart Rules Manager
• A timer expires
• A Smart Rule with a Child Smart Rule in the Selection Criteria triggers the Child Smart Rule to run before the
parent completes.
• Account Smart Rules with Selection Criteria “Dedicated Account” will process when a change to the mapped
group is detected. This can occur in the following scenarios:
– A new user logs on
– The group refreshes in Active Directory by an admin viewing or editing the group in Configuration > Role
Based Access.
Changing the Processing Frequency for a Smart Rule
By default, Smart Rules process when asset changes are detected. The assets in the Smart Rule are then
dynamically updated.
To provide more restrictive processing, you can select alternate frequency settings to override the default
processing. The Smart Rules will process in the selected timeframe (for example, the rule will process once a
week).
Depending on the Smart Rule use, you might want Smart Rules to process less frequently.
To set the processing frequency:
1. Go to the Smart Rules Manager.
2. Select a Smart Rule type, and then click New.
3. Enter a name and description. Select the category from the list.
4. Click the Advanced button, and then select a frequency from the list.
5. Select the asset criteria and actions.
6. Click Save.
The Smart Rule always processes after you click Save, so it processes for the first time when you save it.
Dedicated Account Smart Rule
The Dedicated Account Smart Rule allows you to dynamically map dedicated administrator accounts outside of
BeyondInsight to users in a BeyondInsight group.
To set up the Smart Rule:
1. On the Smart Rules Manager page, select Managed Accounts based Smart Rule and then select New.
2. Select Dedicated Account, and then define filter rules.
UPN filters match on the application user UPN and the Managed Account UPN. The Managed Account UPN
must be in place when the Smart Rule processes.
3. In the Perform Actions section, select Map Dedicated Accounts To and then select a user group.
4. Select + to add an action.
5. Select Show managed account as Smart Group.
After setting up the Smart Rule, you must assign permissions and roles to the user group.
6. Select Configuration > User & Groups.
Note: If more than one user name matches the criteria in the Dedicated Accounts Smart Group, you must edit the
Smart Group to exclude the duplicate matches.
Using Quick Groups
You can group managed accounts in a Quick Group. A Quick Group is a category of Smart Group and an easier way
to organize and group managed accounts.
The default processing time on a Quick Group is Once. For more information about Smart Rule processing, see
"Changing the Processing Frequency for a Smart Rule".
To create a Quick Group:
1. In the console, click Managed Accounts.
2. Select an existing Smart Group where the managed accounts are members.
3. Select the check boxes for the managed accounts that you want to add to the Quick Group.
4. If the group is new, enter a name for the group, and then click Add to Quick Group. Otherwise, select an
existing Quick Group from the list, and then click Add to Quick Group.
Note that the name must be unique to the organization and no more than 75 characters.
Quick Groups are displayed in a Quick Group category in the Smart Groups pane.
You can add and remove accounts in the Quick Group in this view.
Note: In the Smart Rules Manager you can change the name and description of the Quick Group, but cannot add
or modify filters or actions.
Changing Quick Groups in the Smart Rules Manager
You can modify some details of the Quick Group, including the name and description. However you cannot add or
modify filters or actions.
Changing the Password for Users
You can change passwords for selected managed accounts.
1. In the console, click Managed Accounts.
2. Select a Smart Group or Quick Group.
3. Select the check box for the accounts.
4. Click Change Passwords.
Role Based Access
Creating user groups gives you great flexibility in delegating access to managed systems. Permissions provide
access to BeyondInsight system components while Password Safe roles determine the scope of access to managed
systems.
There are two parts to configuring Password Safe role-based access.
• User group permissions - Permissions are assigned when you create a user group. Permissions are system-wide
and provide access to various components of the BeyondInsight infrastructure. There are permissions that are
specific to accessing and using features of the Password Safe application.
• Password Safe roles - The roles define the actions that your Password Safe users can take when using the
Password Safe web portal for password releases or access to applications.
User Group Permissions
The following table provides an overview of the Password Safe permissions that can be assigned to a user group.
Permission - What Read and Write access grants
• Password Safe Account Management - Grants permissions to the following features on the Managed Accounts
page:
– Bulk delete accounts
– Add accounts to a Quick Group
– Remove accounts from a Quick Group
– Add, edit, and delete accounts
• Password Safe Admin Session - Allows non-ISA users access to the Admin Session feature in Password Safe.
Using an Admin Session allows ad-hoc RDP/SSH sessions without running through the request process.
• Password Safe Bulk Password Change - Use the bulk password change feature on the Managed Accounts page.
• Password Safe Domain Management - Manage domains.
• Password Safe Role Management - Manage roles, provided the user also has the following permissions:
Password Safe Role Management and User Accounts Management.
• Password Safe System Management - Users can manage assets and databases on the Assets page, including:
– Create, change, and remove directory and cloud systems
– Link and unlink directory accounts to managed assets
Note: The Password Safe Account Management permission is needed together with the Password Safe System
Management permission to manage Password Safe accounts.
In addition to the Password Safe permissions, users need the following general permissions:
• Asset Management - Read, create, and delete assets and databases.
• Management Console Access - Access to log on to the management console.
Password Safe Roles
In Password Safe, a role is the connection between a Password Safe user account and a managed system. A role
defines what the user or group can do with respect to that managed system.
Role - Description
• Requestor - Users can submit a request to retrieve a managed password or file. When assigning the Requestor
role, you must select an access policy.
• Approver - Users can approve requests for the release of managed passwords or files. Typically, system
administrators and network engineers are assigned to this role.
• Requestor/Approver - With this cross-functional role, a user can submit or approve requests for password or
file releases. However, an approver cannot approve their own request when dual control is enforced. This role is
typically used in a peer approval environment.
• Information Security Administrator - This role is responsible for setting up managed systems and accounts.
The ISA role provides the functionality required for security help desk personnel. The ISA role can delegate
limited authority to those responsible for resource management. The role enables a user to bypass every
workflow and security measure, such as approval workflows or checked-out accounts: even if another user has
already checked out an account and knows the password, an ISA user can view the password.
• Auditor - Users can:
– Log on and run reports in BeyondInsight Analytics and Reporting
– View Replay Sessions in the web portal
The Auditor role can be assigned with other roles.
• No Roles - Assign this role to remove any previously assigned roles from a user group.
• Credentials Manager - Users can set credentials via the "PUT ManagedAccounts/{accountId}/Credentials" API.
• Recorded Session Reviewer - Users can view recorded Password Safe sessions, including:
– add comments
– mark the session as reviewed
– archive sessions if configured on the appliance.
• Active Session Reviewer - Users can view active Password Safe sessions, including:
– lock session
– terminate the session
– cancel the request.
On all systems where a user is granted the ISA role, the user can change system details:
• Grant users/groups roles to the managed system
• Review release requests
• Add and change accounts on managed systems
• Assign a system to a collection (provided the ISA role is granted to the user for both the system and the
collection)
• Remove his or her ISA role from a system.
Asset or Managed Account Smart Rule
The roles that you can assign vary depending on the Smart Rule type.
• Asset based Smart Rule - Roles only include the ISA role and Auditor role.
• Managed Accounts based Smart Rule - Roles include most roles:
Creating a User Group and Assigning Roles
Note: You cannot assign roles to the BeyondInsight administrator.
Roles are only available to BeyondInsight features.
Note: All changes to BeyondInsight user accounts (users with BeyondInsight roles assigned) must be managed by
the BeyondInsight Administrator account.
To create a user group:
1. Select Configuration > Users & Groups.
2. Click +, and then Group or Active Directory Group.
3. Enter a group name and description. For more information, refer to the BeyondInsight User Guide.
4. Set the permissions.
5. Select a Smart Rule where the BeyondInsight assets will be added.
If you select the Write check box to apply the permission to all Smart Rules, then a message might be displayed
indicating that the permission will only be applied to visible Smart Rules. Click the button Select all Smart Rule
for Write to apply the write permission to all Smart Rules.
6. Click Roles.
A role is selected and applied to a Smart Rule.
7. Select the role to assign, and then click Save. The role changes are synchronized with the BeyondInsight
appliance.
Recorded Session Reviewer and Active Session Reviewer Roles
Any type of user can be assigned Recorded Session Reviewer and Active Session Reviewer roles.
1. Assign read and write privileges on the Managed Accounts Smart Rule to a user group.
2. Save the user group settings and then click Roles.
3. Select Recorded Session Reviewer or Active Session Reviewer.
4. Click Save.
Quarantine User Accounts
You can turn on the quarantine feature as a preventative measure when suspicious activity is detected.
When quarantine is turned on, the user account can no longer log on to the console or API, and any active sessions
are terminated immediately.
The difference between account lockout and account quarantine is that account lockout cannot terminate sessions.
The setting is turned on at the user account level.
To turn on quarantine:
1. Go to the Configuration page.
2. In Role Based Access Settings, select Users & Groups.
3. Create a user group or select an existing user group.
4. In the Users pane, click + to create a user account. If working with existing accounts, select the user in the list.
5. Configure user account properties, such as name, email address, and telephone.
6. Select the Account Quarantined check box.
7. Click Create.
Setting the Refresh Interval on the Quarantine Cache
You can set the length of time that passes before the cache is updated with the user accounts from the database.
The quarantine is only applied to the user account after the cache is updated.
The user can remain logged on and sessions remain active up until the refresh interval time passes (and the cache
is updated with the quarantine status).
To set the refresh interval:
1. Go to the Configuration page.
2. In the System settings, select Site Options.
3. In the Session settings, enter the number of seconds that pass before the cache is updated with the most
recently discovered quarantined user accounts.
The default value is 600 seconds (10 minutes). The maximum value is 1200 seconds (20 minutes).
4. Click Update Session Options.
Configuring API Access
When using the Password Safe API, you must create a user group that permits access to the API. Additionally, any
managed accounts that must be accessible by the API must also be configured.
Creating a User Group with API Access
If you want users to access the Password Safe API, then you must create a user group and turn on the API setting.
A BeyondInsight user will have API access if at least one of the user groups they belong to has API access enabled.
To create a user group:
1. Go to the Configuration page.
2. In Role Based Access Settings, select Users & Groups.
3. Click +, and then select a group type: Group, Active Directory Group, or LDAP Directory Group.
4. Configure the properties for the group: name, description, permissions, and Smart Rules access.
5. Click the Enable Application API check box.
6. Select a key type based on the API access required for the user group.
7. Click Create.
Managed Account Settings
You must turn on API access for a Password Safe managed account to be accessible to the API methods.
To turn on API access for a managed account:
1. In the console, click Managed Accounts.
2. Click the arrow icon for a managed account, and then select Edit Account.
3. On the Managed Account Settings page, select the Enable for API Access check box.
4. Click Save.
Restricting Access to Password Safe Logon Page
When using SAML authentication to access the Password Safe web portal, you might not want users to log on
directly to the web portal URL. You can disable direct access to the Password Safe web portal URL. Users must then
always provide the SAML credentials before gaining access to the web portal.
The setting can be applied to Active Directory, LDAP, and local BeyondInsight users.
The following procedure assumes the user group and user are already created.
To disable the logon form:
1. In the console, go to Configuration > Role Based Access > User & Groups.
2. Select a user group, and then select a user.
3. On the User Details page, select the Disable Forms Login check box.
4. Click Update.
Configuring Approvals
You can control the number of approvers required for a requestor. You can also control the number of approvers
required for each access type: View Password, RDP and SSH.
To configure the approvers required for each requestor:
1. In the console, select Configuration > Users & Groups.
2. Select Read and Write for the All Managed Accounts Smart Rule.
3. Select a role and an access policy. Click the browse button to create an access policy.
Using a Managed Account as a Credential
You can use a managed account for the credential when you are configuring queries and user groups for Active
Directory and LDAP.
For more information on managed account settings, see Adding a Managed Account Manually.
Note: You cannot delete a managed account if it is used as a credential for a user group. You can delete a
managed account used as a credential for a directory query, however, the query will no longer run. You
must select another credential for the query to run again.
Configuring the Managed Account
Before you configure the query or group, the managed account must be in place and specific settings selected.
When you configure the managed account settings be sure to select the following setting:
If there are several managed accounts organized in a Smart Group, be sure to set the Enable Accounts for
AD/LDAP queries in the Smart Rules Manager, as shown:
Be sure to clear the check box Change Password After Release. This setting is available when you
are adding the managed account manually or using a Smart Rule.
Log files can grow significantly in a short time when using managed account credentials with a
directory query.
Configuring the Query
Active Directory and LDAP queries can use a Managed Account as a credential.
To configure the query:
1. In the console, select Configuration.
2. Under Role Based Access, select Directory Queries.
3. Click New.
4. Configure the settings for the query, including directory type, title, path, scope, object, and filters.
5. Click the Credentials tab, and then select Use Stored AD Credentials.
6. Select the Managed Account from the list.
7. Click Save.
Configuring the Group
An Active Directory group and an LDAP group can use a Managed Account as the credential.
When you are creating the group, the Managed Account is listed as a credential.
When you click the Credentials button on the Select Active Directory Group dialog box, you can view the Managed
Accounts available as credentials. You cannot change the credentials here.
LDAP Directory Groups
Before logging on to the Password Safe website using LDAP, you must configure an LDAP directory group.
To configure an LDAP account:
1. In the console, select Configuration > Users & Groups.
2. In the User Groups pane, click the + icon and select LDAP Directory Group.
3. Click the Credentials button, enter the credential details, and click OK.
4. Enter the server address and click Go.
5. To filter the groups, enter keywords in the group filter or use a wildcard.
6. Click OK.
7. Provide the Group Membership Attribute and Account Naming Attribute before clicking Create Group.
Logging in with an LDAP Directory Account
1. Go to the Password Safe web site and click the LDAP link.
2. Enter the server, port, user name and password.
3. Click Login.
Real Time Authorization
Real Time Authorization allows administrators to remove users from groups while they are logged in with a
Directory account. With the registry key below enabled, Password Safe performs an additional check to ensure that
the user still has access to the password at the time they request it. This puts the user through the logon process
every time a password is requested.
Enable the following registry key to turn on this feature:
SOFTWARE\Wow6432Node\Beyondtrust\PBPS\EnableCheckoutAuthorization
After the user is removed from the group, they will receive the following error message when they request
password access.
Role Based Access
Password Safe Administration Guide 135 © 2018. BeyondTrust Software, Inc.
Role Based Access
Password Safe Administration Guide 136 © 2018. BeyondTrust Software, Inc.
Multi-Node and Multi-Tenant Environments
Overview
Password Safe allows you to assign workgroups to Password Safe agents, giving you finer control over which agent
performs password changes. Workgroup assignments are made at the Managed Account level, and a Password Safe agent
processes password changes, password tests, and account notifications only for its designated workgroup.
If an agent is not assigned to a workgroup, the agent functions at a global level and can change any account that
does not have a designated workgroup assigned.
Creating a Password Safe Agent
This is an automated process. When any node in an Active/Active configuration is running Password Safe v6.0, the
agent registers with the BeyondInsight database.
You can view registered Password Safe agents in the Password Safe configuration.
Assigning a Workgroup to a Password Safe Agent
To assign a Password Safe agent to a workgroup:
1. In the console, click Configuration > PowerBroker Password Safe.
2. Click Agent Assignment.
3. Select Assign to an existing Workgroup, and then select a workgroup from the menu.
Optionally, you can create a workgroup on the fly. Select Create and assign to a new Workgroup, and then
enter a name. Click Save.
4. Click Save.
Viewing Agents Assigned to a Workgroup
1. In the console, click Configuration > Workgroups.
You can see the number of Password Safe agents assigned to a workgroup.
2. To view the agents associated with a workgroup, click the number in the Password Safe Agents column.
Assigning a Workgroup to a Managed Account
You can assign a workgroup to a particular managed account. You can set the workgroup through the Managed
Account Settings dialog box or using a Smart Rule.
If you set the workgroup value to Any, then the account can be changed by any Password Safe agent.
On the Managed Account Settings dialog box, select a workgroup from the menu.
In the Smart Rules Manager, select Assign Workgroup on each account.
Which Agent Made the Last Change on the Account?
There are two columns on the Accounts page:
• Change Agent – Displays the agent that was used during the last password change event.
• Workgroup – Displays the assigned workgroup, if applicable.
If the Workgroup column is empty, no workgroup is assigned and the Change Agent column can show any Password Safe
agent.
If the Workgroup column is populated, the Change Agent column shows only an agent assigned to that workgroup. The
exception is when the workgroup assignment has been changed and no password change has been completed since: the
column can still show an agent that belonged to the previous workgroup assignment.
Multi Tenant
After your BeyondInsight environment is configured with multiple organizations, the Password Safe change agents
must be assigned to a workgroup. Multiple agents can be assigned to one workgroup—this distributes the workload
and allows Password Safe to scale if needed for the organization.
In a multi-tenant environment each organization requires at least one agent. You can only assign an agent to one
organization. Assigning an agent to more than one organization is not a supported implementation.
Note: Any managed accounts which are in a workgroup that is not assigned to an agent will not be processed.
To assign a Password Safe agent to a workgroup:
1. Select Configuration > PowerBroker Password Safe.
2. Select Agent Assignment.
3. Select an agent from the Agent list and then select an organization.
Note: Every time an agent is re-assigned to a workgroup, the Password Safe omniservice must be restarted.
4. Select one of the following options:
– Do not assign to a Workgroup - The agent only processes managed accounts that are not assigned to a
workgroup.
– Assign to an existing Workgroup - The agent processes managed accounts assigned to this workgroup and
all other managed accounts that belong to this organization that are currently not assigned to a workgroup.
– Create and assign to a new Workgroup - Creates a workgroup. The agent processes any managed
accounts assigned to it, and unassigned Managed Accounts within that organization.
5. Click Save.
After the agents are assigned, managed accounts can be re-assigned to a different workgroup if required. Managed
Accounts can be assigned to workgroups manually by editing the Managed Account Settings or by creating a Smart Rule
to bulk assign accounts to a new workgroup. For more information on assigning managed accounts to workgroups,
see "Assigning a Workgroup to a Managed Account".
For more information on how to configure a multi tenant environment, refer to the BeyondInsight User Guide.
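The routing rules in this chapter (the three Agent Assignment options, the rule that an agent belongs to exactly one organization, and the note that accounts in a workgroup with no agent are not processed) are easy to get wrong when several tenants share an appliance. The following is an added Python model written for this page, not BeyondTrust's implementation: it encodes those rules, lists which agents are eligible for each managed account, and flags accounts and organizations that would silently go unprocessed. Agent, organization and account names are constructed.

```python
"""Added example (not BeyondTrust code): which Password Safe agent may process
which managed account under the workgroup/organization rules in the guide."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Agent:
    name: str
    organization: str          # an agent is assigned to exactly one organization
    workgroup: Optional[str]   # None = "Do not assign to a Workgroup"


@dataclass(frozen=True)
class ManagedAccount:
    name: str
    organization: str
    workgroup: Optional[str]   # None = no workgroup assigned ("Any")


def can_process(agent: Agent, account: ManagedAccount) -> bool:
    """Apply the guide's rules for one agent/account pair."""
    if agent.organization != account.organization:
        return False                      # agents never cross organizations
    if account.workgroup is None:
        return True                       # unassigned accounts: any agent in the org,
                                          # whether global or workgroup-assigned
    return agent.workgroup == account.workgroup   # assigned accounts: only their workgroup's agents


def eligible_agents(account: ManagedAccount, agents: List[Agent]) -> List[str]:
    return [a.name for a in agents if can_process(a, account)]


def unprocessed_accounts(accounts: List[ManagedAccount], agents: List[Agent]) -> List[str]:
    """Accounts in a workgroup (or organization) that no agent serves are never processed."""
    return [acc.name for acc in accounts if not eligible_agents(acc, agents)]


def organizations_without_agents(accounts: List[ManagedAccount], agents: List[Agent]) -> List[str]:
    """Multi-tenant rule: each organization requires at least one agent."""
    covered = {a.organization for a in agents}
    return sorted({acc.organization for acc in accounts} - covered)


def agents_per_workgroup(agents: List[Agent]) -> Dict[str, int]:
    """What the Workgroups page shows in its Password Safe Agents column."""
    counts: Dict[str, int] = {}
    for a in agents:
        if a.workgroup is not None:
            counts[a.workgroup] = counts.get(a.workgroup, 0) + 1
    return counts


# Constructed sample deployment (not from the guide).
SAMPLE_AGENTS = [
    Agent("agent-a1", "Tenant-A", "A-DMZ"),
    Agent("agent-a2", "Tenant-A", "A-DMZ"),     # two agents share one workgroup
    Agent("agent-a3", "Tenant-A", None),        # global agent for Tenant-A
    Agent("agent-b1", "Tenant-B", "B-Core"),
]
SAMPLE_ACCOUNTS = [
    ManagedAccount("svc-web", "Tenant-A", "A-DMZ"),
    ManagedAccount("svc-db", "Tenant-A", None),
    ManagedAccount("svc-legacy", "Tenant-A", "A-Retired"),   # workgroup with no agent
    ManagedAccount("svc-b-app", "Tenant-B", None),
    ManagedAccount("svc-b-core", "Tenant-B", "B-Core"),
    ManagedAccount("svc-c-app", "Tenant-C", None),           # organization with no agent
]

if __name__ == "__main__":
    for acc in SAMPLE_ACCOUNTS:
        print(acc.name, "->", eligible_agents(acc, SAMPLE_AGENTS))
    print("unprocessed:", unprocessed_accounts(SAMPLE_ACCOUNTS, SAMPLE_AGENTS))
    print("orgs without agents:", organizations_without_agents(SAMPLE_ACCOUNTS, SAMPLE_AGENTS))
```

Running the model over a planned assignment before saving it in the console shows the two silent failure modes the guide warns about: svc-legacy sits in a workgroup nobody serves, and Tenant-C has no agent at all, so neither account would ever be changed or tested.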
Synced Accounts in a Multi Tenant Environment
When viewing synced accounts on a managed account in a multi tenant environment, only synced accounts in that
organization are displayed.
Third Party Ticket Systems
PowerBroker Password Safe allows the incorporation of third party ticket systems such as ServiceNow and
Remedy.
Configuring Remedy
Before creating the functional account you must ensure that the Remedy connector is configured.
1. In the console, click Configuration.
2. Under General, click Connectors.
3. In the Connectors pane click +.
4. Select BMC Remedy Connector from the list.
5. Enter a Connector Name, a Remedy Username, and a Remedy Password.
The connector name can be any name.
The credentials for the Remedy system must provide access to the web service and be able to create requests.
The Active check box is selected by default. Data is only exported when the check box is selected.
6. Select the Integrate Remedy with Password Safe Ticket System check box, fill in the necessary information,
and then click Update.
Note: Soap Date/Time Format is optional; use it only if your BMC Remedy instance is localized to a non-standard
date/time format. Formats follow the .NET DateTime formatting standards.
The List Operation box must be selected when List Operations are used in the WSDL file. For more
information, refer to the BeyondInsight & Password Safe Third Party Integration Guide.
7. Create the Functional Account.
a. In the console, click Configuration > PowerBroker Password Safe > Functional & Login Accounts, and
then click +.
b. Select BMC Remedy from the Platform list, fill out all of the account details, and then click Save.
Note: The connector credentials must match the credentials of the Functional Account.
8. Create the ticket system.
a. In the System Configuration pane, click Ticket Systems.
b. In the Ticket Systems pane, click +.
c. Select BMC Remedy Ticket System from Platform list.
d. Select the Functional Account you just created.
e. Select the check boxes for the three remaining options and then click Create.
Note: For any tickets being verified using this ticket system you must ensure in the Remedy system that the
Requestor is populated in the Assigned To field. The User ID here must match the Password Safe User ID.
Configuring CA Service Desk Manager
CA Service Desk Manager does not require a connector. There are two ways to configure CA Service Desk with
Password Safe:
• Using a functional account that has permissions to access CA Service Desk Manager
• Using a PKI Certificate
Using a Functional Account for Access
To create the Functional Account:
1. In the console, select Configuration > PowerBroker Password Safe > Functional & Login Accounts, and then
click +.
2. Select CA Service Desk from Platform list.
3. Enter the full URL to the CA Service Desk Manager API in the Domain box.
4. Enter the CA Service Desk Manager credentials. The user requires the Passwordsafe_ticket_system role. The
unique name to find this role is x_bets_bi_integrat.passwordsafe_ticket_system.
5. Configure the remaining settings.
6. Click Save.
Creating the Access Policies
Create two access policies:
• Users that need ticket validation
• Emergency access
Each access policy requires at least one Approver.
To create an access policy for ticket validation:
1. Go to Configuration > Password Safe > Access Policies.
2. Configure the access schedule settings: time, recurrence, range, location.
3. In the Type area of the Access Schedule page, make sure Approvers is set to at least 1.
4. Click Save.
To create an access policy for emergency access:
1. Go to Configuration > Password Safe > Access Policies.
2. Configure the access schedule settings: time, recurrence, range, location.
3. In the Type area of the Access Schedule page, select Auto Approve from the Approvers list.
4. Click Save.
Creating the Ticket System
To add the ticket system to Password Safe:
1. Go to Configuration > Password Safe > Ticket Systems.
2. Click +, and then select CA Service Desk Ticket System from the Platform list.
3. Select the functional account, and then enter a name for the system.
Note: Access Policy Certificate Common Name and Access Policy Code are not required.
4. Select the required check boxes, and then click Update.
Note: For any tickets being verified using this ticket system you must ensure within the CA Service Desk Manager
that the Requestor is populated in the Assignee field. The User ID here must match the Password Safe
User ID.
Configuring Global Settings
To configure required global settings:
1. Go to Configuration > Password Safe > Access Policies.
2. Ensure the following check boxes are selected:
– Ticket Settings
– Reason is required for new requests
3. Select other settings as needed.
4. Click Update.
Using a PKI Certificate Access Policy
An alternative way to set up access to CA Service Desk Manager is using a PKI certificate.
Importing the PKI Certificate
1. Enable PKI logon in CA Service Desk Manager.
Instructions are in \Java\PKI_loginServiceManaged_JAVA_steps.doc located on the CA SDM server.
2. Copy and install the certificate generated above to the Password Safe server.
a. Open the mmc console.
b. Add the Certificates snap-in.
c. Select Computer account and local computer.
d. Expand Personal folder, and then right-click Certificates folder.
e. Select All Tasks > Import.
f. Click Next and Browse to certificate location.
g. Set file types to All Files (*.*)
h. Select the certificate and open it.
i. On the Private key protection page:
– Enter the certificate password.
– Select the check box: Mark this key as exportable. This will allow you to back up or transport your
keys at a later time.
j. On the Certificate Store page, select Personal.
k. Click Finish.
3. Assign IIS_IUSRS permissions to use the private key.
a. Right-click the certificate, and then select All Tasks > Manage Private Keys.
b. Add the local computer's IIS_IUSRS group.
c. Assign Full Control. Any process running in the IIS_IUSRS context can then use this key, so protect the
Password Safe server accordingly.
Creating the Functional Account
To create the functional account:
1. Go to Configuration > Password Safe > Functional & Login Accounts, and then click +.
2. From the Platform list, select CA Service Desk.
3. In the Domain box, enter the URL to the CA Service Desk web service.
4. Enter a user name and password. Because the PKI certificate provides the access in this implementation, these
values are not used and can be placeholders; do not enter real credentials.
5. Set the remaining fields as needed.
6. Click Save.
Creating the Access Policies
Creating access policies is the same for both access implementations. See Creating the Access Policies.
Creating the Ticket System
To add the ticket system to Password Safe:
1. Go to Configuration > Password Safe > Ticket Systems.
2. Click +, and then select CA Service Desk Ticket System from the Platform list.
3. Select the functional account, and then enter a name for the system.
4. Enter ServiceDesk DEFAULT in the Access Policy Certificate Common Name box.
5. Enter DEFAULT in the Access Policy code box.
6. Select the required check boxes, and then click Update.
Configuring Jira Ticket System
1. Create the Functional Account. In the console, select Configuration > PowerBroker Password Safe >
Functional & Login Accounts, and then click +.
2. Select JIRA from the Platform list.
3. Enter the full URL for Jira.
Note: There are two types of Jira environments, a hosted cloud environment and a local host environment.
The Local Host environment requires the suffix "/jira" be added to the domain name in the field
provided.
4. Enter the JIRA credentials and then click Save.
5. Create the ticket system.
a. In the System Configuration pane, click Ticket Systems.
b. In the Ticket Systems pane, click +.
c. Select JIRA Ticket System from the Platform list.
d. Select the Functional Account you just created.
e. Select the check boxes for the remaining options, and then click Create.
Note: For any tickets being verified using this ticket system you must ensure within the JIRA Web Portal that the
Requestor is populated in the Assignee field. The User ID here must match the Password Safe User ID.
Configuring ServiceNow
Integrate Password Safe and ServiceNow to validate tickets prior to users gaining access to privileged passwords
and sessions. This integration includes options to auto-approve ticket validation, and break glass functionality to
allow emergency approval in the case ServiceNow is unavailable.
Note: The user configuring ServiceNow and Password Safe integration needs the Passwordsafe_ticket_system
role. The unique name for this role is x_bets_bi_integrat.passwordsafe_ticket_system.
To configure ServiceNow, you must:
• Add the ticket system on the Connectors page
• Create a functional account and associate that with the ServiceNow connector
• Add the ticket system to Password Safe
Note: For any tickets being verified, you must ensure in the ServiceNow web portal that the Requestor is
populated in the Assigned To field. The User ID here must match the Password Safe User ID. Tickets must
also be associated with a ticket table extending from the Task table.
To add the ServiceNow connector:
1. In the console, select Configuration > Connectors.
2. Click +, and then select ServiceNow Ticket System.
3. Enter the following details for your ServiceNow system:
– Ticket System Name - A name for the ticket system.
– Instance URL - The URL for the ServiceNow environment.
– User name/Password - Credentials used to authenticate with ServiceNow. The credentials are only used
on this configuration page.
Note: The user must be a member of a role containing an ACL for the sys_choice table value field with
Read access.
– Enable State Validation - (Optional). Select the check box if you want tickets with a certain status available
to Password Safe. You must then select the table name and status types that you want to whitelist.
Depending on your requirements, you might want only Active tickets available to Requestors accessing the
ticket system through an RDP session. For example, you can select the Active check box on the State List to
add the table name to the Valid State Mappings table.
– Table Name - Enter the name of a ticket table in the ServiceNow system, and then click Search.
If the table name is valid and exists in ServiceNow, the State List is populated.
– State List - Select a state and click Add.
The Valid State Mappings table displays the ServiceNow table name and the status fields that you selected.
4. Click Update.
To create the functional account:
1. In the console, select Configuration > PowerBroker Password Safe > Functional & Login Accounts, and then click +.
2. Select ServiceNow from the Platform list.
3. Enter the user name and credentials for ServiceNow. The credentials are the same credentials used when
entering ticket details in ServiceNow.
4. Select the ServiceNow ticket system from the Connector Name list.
Note: For more information on the functional account settings, see Creating a Functional Account.
5. Click Save.
To add the ticket system to Password Safe:
1. Select Configuration > PowerBroker Password Safe > Ticket Systems, and then click +.
2. Select ServiceNow Ticket System from the Platform list.
3. Select the functional account.
Note: Access policy settings apply to CA Service Desk systems only.
4. Select the check boxes for the remaining options.
5. Click Update.
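Every ticket system in this chapter carries the same note: the ticket's Assigned To (ServiceNow, Remedy) or Assignee (CA Service Desk Manager, Jira) must be the requesting Password Safe user. ServiceNow adds two more conditions (the ticket table must extend Task, and with Enable State Validation the state must appear in the Valid State Mappings), and both the CA and ServiceNow sections describe an emergency path when ticket validation cannot happen. The following is an added Python model of those checks written for this page, not the product's implementation; the table hierarchy, ticket records, state lists and the lookup functions are constructed stand-ins for the real integration.

```python
"""Added example (not BeyondTrust code): ticket validation rules from the
Third Party Ticket Systems chapter, plus the break glass path."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


class TicketSystemUnavailable(Exception):
    """Raised by a lookup when the ticket system cannot be reached."""


@dataclass
class Ticket:
    number: str
    table: str           # ServiceNow table the record lives in, e.g. incident
    assigned_to: str     # "Assigned To" (ServiceNow, Remedy) / "Assignee" (CA SDM, Jira)
    state: str


@dataclass
class TicketSystemConfig:
    platform: str                                  # "ServiceNow", "BMC Remedy", "CA Service Desk", "JIRA"
    state_validation: bool = False                 # ServiceNow: Enable State Validation
    valid_states: Dict[str, Set[str]] = field(default_factory=dict)   # Valid State Mappings
    emergency_access: bool = False                 # an Auto Approve emergency access policy exists


# Constructed child -> parent map standing in for ServiceNow's table hierarchy.
TABLE_PARENT = {
    "incident": "task", "change_request": "task", "sc_request": "task",
    "sc_req_item": "sc_request", "task": None,
    "cmdb_ci_server": "cmdb_ci", "cmdb_ci": None,    # CMDB records do not extend Task
}


def extends_task(table: Optional[str]) -> bool:
    """Walk the hierarchy; unknown tables and cycles resolve to False."""
    seen = set()
    while table is not None and table not in seen:
        if table == "task":
            return True
        seen.add(table)
        table = TABLE_PARENT.get(table)
    return False


def validate_ticket(ticket: Ticket, requestor_user_id: str, cfg: TicketSystemConfig) -> Tuple[bool, str]:
    if ticket.assigned_to != requestor_user_id:
        return False, f"{ticket.number}: assigned to '{ticket.assigned_to}', not requesting user '{requestor_user_id}'"
    if cfg.platform == "ServiceNow" and not extends_task(ticket.table):
        return False, f"{ticket.number}: table '{ticket.table}' does not extend Task"
    if cfg.state_validation and ticket.state not in cfg.valid_states.get(ticket.table, set()):
        return False, f"{ticket.number}: state '{ticket.state}' is not whitelisted for {ticket.table}"
    return True, f"{ticket.number}: valid"


def decide_request(ticket_number: str, requestor_user_id: str, cfg: TicketSystemConfig,
                   lookup: Callable[[str], Optional[Ticket]]) -> Tuple[str, str]:
    """Approve or deny a password request that cites a ticket."""
    try:
        ticket = lookup(ticket_number)
    except TicketSystemUnavailable:
        if cfg.emergency_access:
            return "approved", "break glass: ticket system unavailable, emergency access policy applied"
        return "denied", "ticket system unavailable and no emergency access policy"
    if ticket is None:
        return "denied", f"{ticket_number}: not found"
    ok, reason = validate_ticket(ticket, requestor_user_id, cfg)
    return ("approved" if ok else "denied"), reason


# Constructed sample tickets and configuration (not from the guide).
SAMPLE_TICKETS = {
    "INC0010001": Ticket("INC0010001", "incident", "alice", "In Progress"),
    "CHG0000123": Ticket("CHG0000123", "change_request", "alice", "Closed"),
    "CI0000042": Ticket("CI0000042", "cmdb_ci_server", "alice", "Installed"),
}
SERVICENOW = TicketSystemConfig(
    "ServiceNow", state_validation=True,
    valid_states={"incident": {"New", "In Progress"}, "change_request": {"Scheduled", "Implement"}},
    emergency_access=True)
SERVICENOW_NO_BREAK_GLASS = TicketSystemConfig("ServiceNow", state_validation=False)


def sample_lookup(number: str) -> Optional[Ticket]:
    return SAMPLE_TICKETS.get(number)


def unavailable_lookup(number: str) -> Optional[Ticket]:
    raise TicketSystemUnavailable("connection refused")


if __name__ == "__main__":
    for num, user in [("INC0010001", "alice"), ("INC0010001", "bob"), ("CHG0000123", "alice"), ("CI0000042", "alice")]:
        print(decide_request(num, user, SERVICENOW, sample_lookup))
    print(decide_request("INC0010001", "alice", SERVICENOW, unavailable_lookup))
```

The ordering matters in practice: the assignee check comes first so that a valid ticket owned by someone else is refused regardless of its table or state, and the break glass branch only fires when the ticket system itself is unreachable, never when a ticket is merely invalid.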
Reports in BeyondInsight Analytics and Reporting
The following reports are available in BeyondInsight Analytics and Reporting:
• Account Password Age - Provides a list of enabled user accounts for which the password has not changed in more
than 30 days.
• Activity - Contains a detailed history of all changes made to the appliance by any user.
• Admin Session Activity - History of all Password Safe changes on the appliance by any user.
• Application Inventory - Lists application inventory details.
• Entitlement by Group - Detailed view of Password Safe group membership and permissions.
• Managed Account Password Age - Lists all accounts managed by Password Safe along with the password age details.
• Managed vs Unmanaged Account List - Lists asset user account details, filtered by location, status, group
membership and more.
• Password and Session Activity - Provides a detailed transactional view of password and session activities.
• Password Release Activity - Lists details of password release activity.
• Password Update Activity - Lists details of password update activity.
• Password Update Schedule - Lists details of upcoming scheduled password updates.
• Release-Reset Reconcile - Provides evidence that passwords have been reset appropriately after being released.
• Scheduled Password Change Configuration - Provides details of upcoming scheduled password changes.
• Service Account Usage - Provides a detailed list of which systems use a service account to start one or more
services.
• Smart Rule Details - Lists Smart Rules and details by type and category.
• Synchronized Accounts - Lists synchronized accounts.
For more information about reporting, refer to the BeyondInsight Analytics & Reporting User Guide.
Advanced Systems Integration
PowerBroker for Unix & Linux Integration
If you are adding a PBUL policy server as a managed system, you can follow the procedures in Onboarding Systems
and Accounts.
You can use the following example policy for your pbrun policy. The policy is needed if you are using the pbrun
jumphost elevation property when adding the system.
Example Policy
#PBPS functional account using pbrun to execute commands
#This policy can be included on any host used to drive remote password
#change requests from PowerBroker Password Safe using the pbrun -h
#capability. This policy segment can be included on any Policy Server
#host using a standard include statement.
#Diagnostic Information (uncomment to log what Password Safe is requesting)
#print("Functional Account User: ", user);
#print("Requested Run User: ", requestuser);
#print("Target Host: ", runhost);
#print("Requested Command: ", command);
#Restrict PowerBroker Password Safe calls to the functional account of
#your choice by replacing the placeholder username below. Requests from
#any other user match nothing in this segment and fall through to the
#policy default, which is reject.
if (user == "ENTER YOUR FUNCTIONAL ACCOUNT HERE")
{
    #Process core password change commands: passwd, grep, sed and awk
    #You may optionally force the run commands to be explicit binaries,
    #i.e. runcommand = "/bin/passwd"
    #The following commands are executed as user 'root'
    if (basename(command) in { "passwd", "grep", "sed", "awk" })
    {
        runuser = "root";
        rungroup = "!g!";
        rungroups = { "!G!" };
        runcwd = "!~!";
        accept;
    }
    #Run the 'whoami' command as the requested user (pbrun -u 'requested user')
    #You may optionally force the command to be an explicit binary,
    #i.e. runcommand = "/bin/whoami"
    if (basename(command) in { "whoami" })
    {
        runuser = requestuser;
        rungroup = "!g!";
        rungroups = { "!G!" };
        runcwd = "!~!";
        #accept is required here; without it the request falls through and is rejected
        accept;
    }
    #Run 'sh' or 'bash' as the requested user (pbrun -u 'requested user'),
    #but prompt the requested user account for their password
    #You may optionally force the run commands to be explicit binaries,
    #i.e. runcommand = "/bin/bash"
    if (basename(command) in { "sh", "bash" })
    {
        runuser = requestuser;
        rungroup = "!g!";
        rungroups = { "!G!" };
        runcwd = "!~!";
        #Prompt user for password; the prompt text may be changed on the following line
        runconfirmmessage = "Password:";
        runconfirmuser = requestuser;
        accept;
    }
}
Password Safe Web Portal
PowerBroker Password Safe includes a web based interface for executing password requests and approvals.
A PowerBroker Password Safe user is a person who is authorized to log on to the PowerBroker Password Safe
appliance and perform tasks. The specific tasks that a user can perform are determined by the user privileges that
are assigned to that user.
It is recommended that the Password Safe web portal screen resolution be no less than 1280 x 800 pixels for
optimum efficiency.
Note: A person can have a Password Safe user account and a Password Safe administrator account. The accounts
may have the same user name, but they are completely separate accounts and their passwords are not
synchronized.
Navigating the Password Safe Web Portal
When navigating to the Password Safe web portal, the user will be asked to log in.
Note: Pre Login Banner does not support HTML.
The Password Safe web portal features vary depending on your role:
• Administrators can view the following menu options: Accounts, Requests, Approve, Replay Sessions, Active
Sessions, Admin Sessions.
• Regular users can view Accounts and Requests.
Select a search tab to reveal the Global Search field in the top right corner. The Global Search field can be used
with keywords and characters.
Note: When a user first logs on to the Password Safe portal, no assets will be populated and they will be
required to do a Global Search. Search results are limited to 1000 rows.
Accounts Page
Click and drag a column header title to rearrange the header location.
The following columns are available:
• Favorites - Allows the user to mark their most used accounts by selecting the star. Users can then select the
Favorites button to filter for only favorite accounts.
• System - The name of the system.
• OneClick - A column of thunderbolt buttons. A grayed out OneClick button indicates that the account is not
available.
• Directory - The directory name, if applicable.
• Account - The user name on the account. Select the "i" icon to display more information about the account.
• Account Description - The description provided when the managed account was set up.
• Status - Indicates whether the account is available. A green bar indicates that all accounts are currently
available; a red line indicates that no accounts are available.
• Platform - The type of platform.
• Application - The application managed by BeyondInsight and Password Safe, if applicable.
• Workgroup - The workgroup the account is tied to, if applicable.
Filtering
Each column header has a search filter.
Select Contains, Starts With, Is equal to or Is not equal to from the menu then enter a letter or keyword.
Password Release Process
The release of passwords for managed system accounts that require dual control is a three-step process. Each step
is performed by a PowerBroker Password Safe user with one of the following roles: Requestor, Approver,
Requestor/Approver. Using dual control ensures the security of the system account password, provides
accountability, and provides dual control over the managed accounts.
The basic process for releasing passwords has three steps:
• Password request - A password release is requested by an authorized Requestor.
• Password approval - The request for release is reviewed and approved by an authorized Approver.
• Password retrieval - The password is displayed by the authorized Requestor.
Request for Password Release
To request a password release:
1. Log on to the Password Safe web portal.
2. Click MENU to expand, and then select Accounts.
3. Click the tab for the system type you need access to.
4. Select the system from the list.
5. On the Requests page, set the following:
– Start Date - Select the start date for the session that corresponds with the access policy.
– Start Time - Select Immediately to release the password at the current time. Otherwise, click the
scheduling icon to set the time frame for release.
A request can be scheduled for the future. For example, schedule a release that coincides with scheduled
maintenance.
– Requested Duration - Set the length of time that the password is available. The time period begins when
the request is made.
The default value is two hours. The maximum duration is 365 days. The Default Release Duration and
Maximum Release Duration settings are set on the managed account. See Adding a Managed Account
Manually.
– Access Request - Select the session type: Password, RDP Session, SSH or Application Session.
– Reason - Enter a reason for the request. By default the Reason field is required but it can be disabled
through BeyondInsight options. The maximum allowed length is 200 characters.
– Ticket System - (Optional) Select a ticket system and enter the ticket number. Ticket systems can be used
for cross reference.
6. Click Submit Request. An email is sent to the Approver if email notification is configured.
Reviewing a Password Request
You can review password requests. The list of requests available for review depends on your role. You can review
the requests on systems where you are a Requestor.
On the Requests page, click the buttons to view all, active and pending requests.
Use the filter setting available on each header to narrow the search. Enter filter criteria in the box.
Approving or Denying the Password Release
When a password request for a system is properly submitted, the associated Approvers for that system are notified
by email of the pending request. The Approver uses the following procedure to approve or deny the password
request:
1. Log on to the Password Safe Web Portal.
2. Select Approve and click Pending.
3. Click on a pending request.
4. You may then enter a comment for the approval.
5. Select Approve or Deny.
Note: The user will be asked to confirm any Deny requests. Once a request is approved, the Approver can still
deny if the situation warrants.
Retrieving a Password
The password that was approved for release (by the Approver) can be displayed by the Requestor at any time
during the release duration.
1. The Requestor receives an email notification containing a link when the request has been approved. Click the
link to see a window with the date and time the release was approved and any comments made by the
Approver.
2. Click Retrieve Password to display the system account password. The password displays in a separate window
for a maximum of 20 seconds. The dialog box can be closed before the 20-second timeout. The Requestor can
display the password as often as necessary during the release duration period.
3. To copy the password to the clipboard, click the Copy Password to Clipboard icon.
4. Use the password to log on to the system within the password release time period.
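The three steps above, as an added Python model written for this page (not BeyondTrust's implementation). Besides the request, approve and retrieve steps, it encodes the constraints the text states (two-hour default and 365-day maximum duration, the 200-character Reason, an Approver's ability to deny after approving, repeated retrieval within the release window) and shows where Real Time Authorization from the Role Based Access chapter fits: the requestor's entitlement is re-checked at every retrieval, not only at approval. The still_authorized callback stands in for the directory group check that the EnableCheckoutAuthorization registry key turns on; the names and times are constructed.

```python
"""Added example (not BeyondTrust code): dual-control password release with a
retrieval-time authorization check."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

DEFAULT_RELEASE_DURATION = timedelta(hours=2)    # guide: default value is two hours
MAXIMUM_RELEASE_DURATION = timedelta(days=365)   # guide: maximum duration is 365 days
REASON_MAX_LENGTH = 200                          # guide: Reason is limited to 200 characters


@dataclass
class ReleaseRequest:
    requestor: str
    account: str
    reason: str
    start: datetime
    duration: timedelta = DEFAULT_RELEASE_DURATION
    state: str = "pending"                  # pending -> approved -> denied / expired
    approver: Optional[str] = None
    comments: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.reason or len(self.reason) > REASON_MAX_LENGTH:
            raise ValueError("a reason of at most 200 characters is required")
        if self.duration > MAXIMUM_RELEASE_DURATION:
            raise ValueError("requested duration exceeds the maximum release duration")

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def approve(req: ReleaseRequest, approver: str, comment: str = "") -> None:
    if req.state != "pending":
        raise ValueError(f"cannot approve a request in state {req.state}")
    req.state, req.approver = "approved", approver
    if comment:
        req.comments.append(f"{approver}: {comment}")


def deny(req: ReleaseRequest, approver: str, comment: str = "") -> None:
    # The guide notes an Approver can still deny after approving, so both
    # pending and approved requests may be denied.
    if req.state not in ("pending", "approved"):
        raise ValueError(f"cannot deny a request in state {req.state}")
    req.state, req.approver = "denied", approver
    if comment:
        req.comments.append(f"{approver}: {comment}")


def retrieve(req: ReleaseRequest, now: datetime,
             still_authorized: Optional[Callable[[str, str], bool]] = None) -> Tuple[bool, str]:
    """May the Requestor display the password right now?"""
    if req.state != "approved":
        return False, f"request is {req.state}, not approved"
    if now >= req.end:
        req.state = "expired"
        return False, "release duration has ended"
    if now < req.start:
        return False, "release has not started yet"
    # Real Time Authorization: with EnableCheckoutAuthorization set, the user's
    # group-based entitlement is re-evaluated on every checkout.
    if still_authorized is not None and not still_authorized(req.requestor, req.account):
        return False, "requestor is no longer authorized for this account"
    return True, "password may be displayed (20-second window; repeatable until the release ends)"


T0 = datetime(2018, 6, 1, 9, 0)   # constructed reference time for the walkthrough


def demo() -> dict:
    """Walk two requests through their states and return what was observed."""
    r = ReleaseRequest("alice", "svc-web@host1", "CHG0000123 patch window", start=T0)
    approve(r, "bob", "approved for the patch window")
    out = {"end": r.end}
    out["first_view"] = retrieve(r, T0 + timedelta(minutes=10), lambda u, a: True)[0]
    out["second_view"] = retrieve(r, T0 + timedelta(minutes=20), lambda u, a: True)[0]
    out["after_group_removal"] = retrieve(r, T0 + timedelta(minutes=30), lambda u, a: False)[0]
    deny(r, "bob", "ticket withdrawn")                       # denial after approval
    out["after_denial"] = retrieve(r, T0 + timedelta(minutes=40))[0]
    r2 = ReleaseRequest("alice", "svc-db@host2", "maintenance", start=T0)
    approve(r2, "bob")
    out["after_window"] = retrieve(r2, T0 + timedelta(hours=3))[0]
    out["final_state_r2"] = r2.state
    return out


if __name__ == "__main__":
    print(demo())
```

Two details are worth noticing. Without the still_authorized hook (the registry key left unset), a user removed from their group keeps the already-approved release until it expires; with it, the removal bites on the very next retrieval, which is the behaviour the Real Time Authorization section describes. And denial after approval is modelled as a state change, not a deletion, so the audit trail (the comments list here; the Password Release Activity report in the product) keeps both decisions.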
Authentication Mechanisms
Password Safe supports internal and external authentication mechanisms in either single-factor or two-factor
combinations. The external mechanisms that are supported by Password Safe are:
• Active Directory - see the BeyondInsight User Guide
• Radius - see the BeyondInsight User Guide
• LDAP - see "Logging in with LDAP Directory Account"
• Smart Card - see "Smart Card Authentication"
• Third Party Authentication Mechanisms supporting SAML 2.0 standard - see "Third Party Authentication"
External mechanisms are configured in Password Safe by a Password Safe administrator.
Active Directory Authentication - The Password Safe user is prompted for the user’s Active Directory credentials.
PowerBroker Password Safe Authentication - The Password Safe user is prompted for the user’s Password Safe
credentials.
Radius Two Factor Authentication - First, the Password Safe user is prompted for the user’s Password Safe
credentials. After successful entry of the Password Safe credentials, the user is prompted for the user’s Radius
code.
For more information on configuring two-factor authentication, see "Role Based Access".
Multi-System Checkout
This feature allows a Requestor quick access to all machines linked to the same Active Directory account. It allows a
Requestor to request access to an Active Directory account for one Managed System, and quickly use this account
for other managed systems which are linked to that account.
Note: For Requestors to take advantage of this feature, the User permissions must be set to Write under the
Password Safe Admin Session Smart Rule Role.
Making the Request
When a new request is made for an Active Directory account by a Requestor who has been assigned the correct
permissions, a check box will display on the request for Multi-System Checkout.
Approving the Request for Multi-System Checkout
If the request is approved either automatically or by an Approver, the account is available on the Admin Sessions
page for the duration of the request for which it was approved.
1. On the Admin Sessions page, select an account from the Available Accounts list.
The Asset/IP list populates with Managed Systems that are tied to the account.
2. Select an asset from the Asset menu.
Note: Once a request is approved, the Requestor can then choose to open the session with any computer
linked to the approved Account regardless of whether or not it was included in the initial request.
3. Click Connect to start the RDP session.
OneClick Feature
A Requestor will see the OneClick thunderbolt button when they log on to Password Safe to make a request. When
they open OneClick, any Access Policies that are configured with Auto Approve will be checked for availability.
Selecting the icon allows the Requestor to choose the duration of the request and connect immediately, as long as
the request meets the criteria of the Access Policy. Comprehensive messages display to the Requestor if a request
does not meet the requirements configured in the Access Policy.
The global setting in configuration for OneClick is Auto Select Access Policy. This changes the behavior of OneClick
so that when it is checked, OneClick will automatically select the best access policy. This means it will select the one
with the most available actions, or multiple Access Policies if each one has a different action. When the option is
unchecked, all the available Access Policy Schedules will display in OneClick. For more information, see
"Configuring Global Settings".
OneClick Bypass SSH Landing Page
Bypass the SSH landing page to save time for connecting users.
1. In the console, select Configuration > PowerBroker Password Safe.
2. Select Global Settings.
3. Select the Bypass SSH Landing Page check box.
Admin Sessions
When an administrator logs on to the Password Safe web portal, they can open the Recorded Sessions tab and log
on to any machine for a session without going through a password request.
The Admin Sessions page is always available to Administrators and ISA users, and can be granted to other
users by selecting Read and Write for the following permission:
To open an Admin Session:
1. Select the Admin Session tab and complete the fields provided.
2. Select Connect and instantly open the RDP or SSH Admin Session.
Note: The Requestor can choose from a menu or manually enter the IP address of the computer they want
to connect to.
Note: If Multi-System Checkout is configured, two additional fields display: Available Accounts and Asset / IP.
Multi-System Checkout is only for Requestors.
Enforcing Session End Time
When an access policy is created, a time frame that permits access to the asset is assigned. As part of that policy,
the Password Safe administrator can enforce the end of the session and close the session when the time expires.
The sessions display a time counter indicating when the session will end.
RDP session:
SSH session:
Requesting Remote Proxy Sessions
In the Password Safe web portal, the BeyondInsight instances are represented as nodes. The end user can select a
session node.
For more information, see "Remote Proxy Sessions".
The remote proxy sessions apply to the following Password Safe session types where users can select a node to
connect to:
• Direct Connect sessions
• Password requests
• SSH session requests
• RDP session requests
• Admin sessions
The following screen captures show examples of the node selector.
• When using click launch to request a session, click Open RDP Session, and then select a node from the list:
• When requesting a session as a Requestor, click Open SSH Session, and then select a node from the list:
Appendix A
Remedy Connector
You can export Password Safe data to your BMC Remedy server. Exported events include new and changed
managed systems and accounts, password requests, approvals, and retrievals.
To create the connector and send events, you must:
• Configure the connector. Be sure to select the Export Password Safe Events check box.
• Create an asset-based Smart Rule that includes the action Export Data.
Events are sent to Remedy after the connector and Smart Rule are created.
For more information on adding a Remedy connector, refer to the Third Party Integration Guide.
Exporting the CA Certificate
1. Open Internet Information Services (IIS) Manager.
2. Click on Default Web Site.
3. Click on Bindings.
4. On the Binding page select https.
5. Click Edit.
6. Verify the proper certificate is shown in the drop-down. It should be selected by default.
7. Click View.
8. Select the CA.
9. Select View Certificate.
10. Click Details.
11. Select Copy to File.
12. Click Next.
13. Choose Do not export the private key.
14. Click Next.
15. Select Base-64 encoded X.509 (.cer).
16. Click Next.
17. Name the file and select Save.
Importing the Certificate
Copy the exported certificate to the machine you need to run the script from. Launch PowerShell or the Command
Prompt as Administrator.
Issue the command:
certutil.exe -f -addstore root <name_of_certificatefile>.cer
To verify the certificate is imported, browse to the website in IE and ensure you do not get a certificate warning.
Alternatively, you can look at the certificate store using the following steps:
1. Open Internet Explorer.
2. Press Alt+T.
3. Select Internet Options, or press O.
4. Click on the Content Tab.
5. Select Certificates.
6. Verify you see the Certificate under Trusted Root Certification Authorities.
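As an added example (not part of the BeyondTrust guide), the same import done from PowerShell with two checks the certutil one-liner does not give you: that the file really is a CA certificate before it goes into the Trusted Root store, and that the installed entry matches the file by thumbprint. $CerPath is an assumed parameter; Import-Certificate comes from the Windows PKI module (Windows Server 2012 and later).

```powershell
# Added example, not from the BeyondTrust guide. Run from an elevated PowerShell
# session on the machine that must trust the Password Safe web server.
param(
    [Parameter(Mandatory = $true)]
    [string]$CerPath   # assumed parameter: path to the Base-64 .cer exported above
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Refuse to add a non-CA certificate (for example the IIS server certificate
# itself) to the Trusted Root store: anything in Root can vouch for any name.
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basic -or -not $basic.CertificateAuthority) {
    throw "$CerPath is not a CA certificate (no BasicConstraints CA=true); not importing."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "CA certificate expired on $($cert.NotAfter); export a current one."
}

# Equivalent of: certutil.exe -f -addstore root <name_of_certificatefile>.cer
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify by thumbprint, not by subject name: several certificates can share a subject.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) {
    throw "Certificate $($cert.Thumbprint) was not found in Cert:\LocalMachine\Root after import."
}
"Trusted root installed: $($cert.Subject) [$($cert.Thumbprint)], valid until $($cert.NotAfter)"
```

On systems without the PKI module, keep the certutil command above and run only the verification half of the script.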
LAN Manager Authentication Setting
The LAN Manager authentication level needs to match the setting configured for the Password Safe server.
1. Open the Local Security Policy editor and go to Computer Configuration, Security Settings, Local Policies,
Security Options.
2. Set Network security: LAN Manager authentication level to a level that is compatible with the
PowerBroker Password Safe appliance setting.
For additional information, visit the following URL to view the Microsoft article:
http://support.microsoft.com/kb/823659, and scroll to section 10: Network security: LAN Manager
authentication level.
How to Enable UAC Setting
These instructions apply to any Windows environment that supports User Account Control (UAC).
To confirm the policies:
1. For Windows Vista and Windows Server 2008 systems only. The User Account Control feature introduces
additional configuration requirements to support remote administration of Windows systems using WMI. Use
one of the following solutions:
– Disable the User Account Control: Run all administrators in Admin Approval Mode policy. A reboot of
the system is required for the policy change to take effect.
For additional information, visit the following URL to view the Microsoft article:
http://technet.microsoft.com/en-us/library/cc772207.aspx
– Disable Remote UAC (User Account Control) by changing the registry entry that controls Remote UAC. The
registry entry is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
When the value of this entry is 1, Remote UAC access token filtering is disabled.
For additional information, visit the following URL to view the Microsoft article:
http://msdn.microsoft.com/en-us/library/aa826699(VS.85).aspx
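The LAN Manager and UAC sections above each change one registry-backed policy, and both weaken the host when set loosely. As an added example (not part of the BeyondTrust guide), the script below reads all three values from their documented registry locations and reports the ones that need attention; $RequiredLmLevel is an assumed parameter that you set to whatever your appliance requires.

```powershell
# Added example, not from the BeyondTrust guide: audit the settings covered by
# "LAN Manager Authentication Setting" and "How to Enable UAC Setting".
param([int]$RequiredLmLevel = 3)   # assumed parameter: match your appliance setting

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# A missing value means the OS default applies: LocalAccountTokenFilterPolicy
# defaults to 0 (remote UAC filtering on) and EnableLUA to 1 (Admin Approval Mode on).
function Get-RegValueOrDefault([string]$Path, [string]$Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

# Meaning of each LAN Manager authentication level (Microsoft KB 823659, section 10).
$lmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

$lmLevel     = Get-RegValueOrDefault $lsaKey 'LmCompatibilityLevel' $null
$tokenFilter = Get-RegValueOrDefault $uacKey 'LocalAccountTokenFilterPolicy' 0
$enableLua   = Get-RegValueOrDefault $uacKey 'EnableLUA' 1
$lmMeaning   = 'OS default (varies by Windows version)'
if ($null -ne $lmLevel) { $lmMeaning = $lmLevelNames[[int]$lmLevel] }

$findings = New-Object System.Collections.Generic.List[string]

if ($null -eq $lmLevel) {
    $findings.Add('LmCompatibilityLevel is not set; confirm the OS default matches the appliance.')
} elseif ($lmLevel -lt $RequiredLmLevel) {
    $findings.Add("LmCompatibilityLevel=$lmLevel ($lmMeaning) is below the required level $RequiredLmLevel.")
}
if ($null -ne $lmLevel -and $lmLevel -lt 3) {
    # Levels 0-2 still send LM or NTLMv1 responses, which are weak; 3 or higher sends NTLMv2 only.
    $findings.Add("LmCompatibilityLevel=$lmLevel still sends LM/NTLMv1 responses; use 3 or higher if the appliance allows it.")
}
if ($enableLua -eq 0) {
    $findings.Add('EnableLUA=0: Admin Approval Mode is off for every administrator on this host (a reboot is needed to change it).')
}
if ($tokenFilter -eq 1) {
    # This is the Remote UAC bypass from the section above: every local administrator
    # account now gets a full token for network logons, so keep such accounts to a
    # minimum and manage their passwords through Password Safe.
    $findings.Add('LocalAccountTokenFilterPolicy=1: remote UAC token filtering is disabled for local administrator accounts.')
}

[pscustomobject]@{
    LmCompatibilityLevel          = $lmLevel
    LmCompatibilityMeaning        = $lmMeaning
    EnableLUA                     = $enableLua
    LocalAccountTokenFilterPolicy = $tokenFilter
    Findings                      = $findings
}
```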
Third Party Authentication
PowerBroker Password Safe supports third party authentication for web tools that support the SAML 2.0 standard,
such as PingID, Okta and ADFS. Once the third party web tool is configured for Password Safe, users can use their
credentials to log into the Password Safe Web Portal.
Configuring Ping Identity for Password Safe
1. Log on to the Ping Identity admin portal.
2. Select the Add Application button and choose New SAML Application from the menu.
3. Fill in Application Name and Description.
4. Set category to Other then click Continue to Next Step.
5. Configure the Assertion Consumer Service (ACS) URL:
https://ServerURL/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx
6. Configure the Entity ID: https://ServerURL/eEye.RetinaCSSAML
7. Set Single Logout Binding Type to Redirect.
8. Upload Primary Verification Certificate (use sp.cer from \WebSiteSAML\Certificates).
9. Click Continue to Next Step.
10. Add the following attributes:
– Group (required): enable the As Literal check box for this attribute. Its value must match the group created in
BeyondInsight.
– Name (required)
– Email (Optional)
– Surname (optional)
– GivenName (Optional)
11. Click Save & Publish.
12. Download the Signing Certificate.
13. Download SAML Metadata.
14. Select Finish.
15. Copy the Signing Certificate to the BeyondInsight server and save it in the following location:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates
Rename the certificate to: pingone.cer
16. Open:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\saml.config
17. In Notepad, edit the ServiceProvider Name to:
https://ServerURL/eEye.RetinaCSSAML
Edit the PartnerIdentityProvider Name to the entityID from the metadata:
https://pingone.com/idp/yourPingIDName
Edit SingleSignOnServiceUrl to the SingleSignOnService Location from the metadata:
https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=yourPingidpid
18. Save saml.config file.
19. Open C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\web.config
20. In Notepad, edit the PartnerIdP value to the entityID from the metadata:
https://pingone.com/idp/yourPingIDName
21. Save web.config file.
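Steps 12 through 20 copy three things out of the IdP metadata by hand: the entityID, the SingleSignOnService Location, and the signing certificate. As an added example (not part of the BeyondTrust guide), the script below reads them from the metadata file downloaded in step 13, writes the signing certificate in Base-64 X.509 form to the pingone.cer path from step 15, and prints the values under the names used in saml.config and web.config; it assumes the metadata is a standard SAML 2.0 EntityDescriptor, and $MetadataPath is an assumed parameter.

```powershell
# Added example, not from the BeyondTrust guide: extract the saml.config and
# web.config values from PingOne IdP metadata instead of copying them by hand.
param(
    [Parameter(Mandatory = $true)]
    [string]$MetadataPath,   # assumed parameter: the SAML metadata file from step 13
    [string]$CertOut = 'C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates\pingone.cer'
)

[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}

$entity = Select-Xml -Xml $md -XPath '/md:EntityDescriptor' -Namespace $ns
if (-not $entity) { throw "$MetadataPath is not a SAML EntityDescriptor." }
$entityId = $entity.Node.entityID

# Step 17 takes the SingleSignOnService Location; pick the HTTP-Redirect endpoint,
# which matches the Redirect binding chosen in the Ping configuration.
$redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
$sso = Select-Xml -Xml $md -Namespace $ns `
    -XPath "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$redirect']" |
    Select-Object -First 1
if (-not $sso) { throw 'Metadata has no HTTP-Redirect SingleSignOnService endpoint.' }

# The certificate the IdP signs assertions with: KeyDescriptor use="signing",
# or a KeyDescriptor with no use attribute (which covers both signing and encryption).
$keyXPath = "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']" +
            '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$key = Select-Xml -Xml $md -Namespace $ns -XPath $keyXPath | Select-Object -First 1
if (-not $key) { throw 'Metadata has no IdP signing certificate.' }

$der  = [Convert]::FromBase64String(($key.Node.InnerText -replace '\s', ''))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
if ($cert.NotAfter -lt (Get-Date)) { throw "IdP signing certificate expired on $($cert.NotAfter)." }

# Write the certificate in PEM form (what the export wizard above calls
# "Base-64 encoded X.509 (.cer)") so Password Safe can load it as pingone.cer.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $CertOut -Value $pem -Encoding Ascii

[pscustomobject]@{
    PartnerIdentityProviderName = $entityId            # saml.config PartnerIdentityProvider Name; web.config PartnerIdP
    SingleSignOnServiceUrl      = $sso.Node.Location   # saml.config SingleSignOnServiceUrl
    SigningCertificate          = $CertOut
    SigningCertThumbprint       = $cert.Thumbprint     # compare with the certificate downloaded in step 12
    SigningCertExpires          = $cert.NotAfter       # note this date: rotate pingone.cer before it passes
}
```

If the thumbprint printed here differs from the certificate downloaded in step 12, the metadata and the download came from different IdP configurations; resolve that before editing saml.config.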
Smart Card Authentication
Smart Cards can be used to authenticate a PowerBroker Password Safe user. This section is written with the
understanding that you have a working knowledge of PKI, Certificate Based Authentication, and IIS. To configure
Smart Card authentication for a user in Password Safe, follow these steps.
Configure Smart Card Authentication in BeyondInsight
1. Open up your web browser.
2. Enter the URL, https://<servername>/WebConsole and log on to BeyondInsight using an account that can
change BeyondInsight configuration.
3. Select Configuration > Multi-Factor Authentication.
4. Select the check box Enable Smart Cards.
Verify the Server Certificate
During the BeyondInsight install, self-signed certificates are created for Client Authentication and Server
Authentication. These certificates are placed in your Personal Certificates Store, and will show as Issued By
eEyeEmsCA.
To authenticate using Smart Cards, the server where BeyondInsight is running will need a certificate that was issued
from the local Certificate Authority. You will need to verify your server has the correct certificates issued before
continuing.
Verify the Web Server Certificate
During the BeyondInsight install, a Web Server certificate was created. This certificate will need to be replaced with
a Domain Certificate.
To verify you have domain certificate issued to the Web Server:
1. Open IIS.
2. Select the name of your Web Server.
3. Select Server Certificates.
4. Verify you have an issued Domain Certificate. If you do not see one listed, you will need to request one from
your Certificate Authority.
The Default Web Site Bindings
Now that we have an issued Domain Certificate, you must edit the bindings of the Default Web Site and replace the
self-signed certificate.
To do this:
1. Open IIS.
2. Expand Sites and select Default Web Site.
3. Right-click Default Web Site and select Edit Bindings from the menu.
4. Select https and click Edit.
5. At the bottom you will see the currently assigned SSL certificate. Either click the Select button and then select
the Domain Issued certificate and click OK, or use the drop-down menu.
BeyondInsight Configuration
The next step is to change the Domain Issued certificate in the BeyondInsight Configuration tool.
To do this:
1. Start the BeyondInsight Configuration tool. The default path is: C:\Program Files (x86)\eEye Digital
Security\Retina CS\REMEMConfig.exe
2. Scroll to Web Service.
3. From the SSL Certificate menu, select the Domain Issued certificate.
4. Click Apply.
Password Safe
Now that we have the correct certificates applied, we can open a web browser and go to the URL
https://<servername>/WebConsole/PasswordSafe. You will be prompted to select your certificate and enter your
PIN.
You will now be logged into Password Safe. The connection should now be secure. If not, see the troubleshooting
section below.
RADIUS Multi-Factor Authentication Using Duo
This section is a high-level overview on the configuration required for Password Safe to work with a RADIUS
infrastructure with Duo.
Password Safe can work with the following Duo configurations:
• RADIUS Auto
• RADIUS Challenge
• RADIUS Duo only
To configure multi-factor for RADIUS Auto and RADIUS Challenge configurations:
1. In the console, click Configuration > Users & Groups.
2. Click Multi-Factor Authentication.
3. Be sure to set the following:
– Authentication Mechanism - PAP or MSCHAPv2. Note that MSCHAPv2 is only supported if the Duo proxy
is configured to use a RADIUS client.
– Authentication Port - This is the port that is configured on your RADIUS server.
– Initial Request - Forward User Name and Password
4. Click Update.
To configure multi-factor for a RADIUS Duo-only configuration:
1. In the console, click Configuration > Users & Groups.
2. Click Multi-Factor Authentication.
3. Be sure to set the following:
– Authentication Mechanism - PAP
– Authentication Port - This is the port that is configured on your RADIUS server.
– Initial Request - Forward User Name and Token
– Initial Prompt - Enter a message that is displayed on the Password Safe logon page to provide guidance to
users on the information to enter. In this case, the user must enter the RADIUS code.
4. Click Update.
Example Logon Page
After RADIUS multi-factor authentication is configured, the logon page for end users varies with the configuration.
The following logon page shows a Duo-only example. The user can:
• Enter a passcode to log on
or
• Select a device to send a code to. The user then enters the code on the logon page.
Appendix B: Software Installation
PowerBroker Password Safe can be deployed as a software installation. It must be noted that in these instances, the
customer assumes the responsibility for hardening the database and server.
In addition, certain features built into the appliance, such as high availability and auto-backup are not available for
software-only installations.
Installation Overview
• Install BeyondInsight
• Install Password Safe license using the BeyondInsight Configuration tool
For information on installing BeyondInsight, refer to the BeyondInsight Installation Guide.
Installing Password Safe License
After you install BeyondInsight:
1. Open the BeyondInsight Configuration tool.
2. Select Manage License.
3. Select Update License and select Next.
4. Copy the license key into the box.
5. Select Next and then select Finish.
Appendix C: Email Notifications
This section lists the email notifications that are sent to Password Safe users.
The matrix includes the event type that occurs to initiate the email notification and the account types that receive
the email.
Local Accounts
Includes non-domain asset and database managed systems.
Event | Account | Not configurable | Configurable by template settings
Release Request | Managed | NA | Account's Approver; Requestor (CC); Asset's ISA
Request Response | Managed | NA | Account's Approver (CC); Requestor; Asset's ISA
Password Change Failure | Managed | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA
Password Change Failure | Functional | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA
Password Check Failure | Managed | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA
Password Check Failure | Functional | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA
Privileged Password Release | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) | NA
Non-Managed Release Expiration | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) | NA
Domain Accounts
Event | Account | Not configurable | Configurable by template settings
Release Request | Managed | NA | Account's Approver; Requestor (CC); Domain Management permission (with Read/Write)
Request Response | Managed | NA | Account's Approver (CC); Requestor; Domain Management permission (with Read/Write)
Password Change Failure | Managed | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) |
Password Change Failure | Functional | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) |
Password Check Failure | Managed | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) |
Password Check Failure | Functional | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) |
Privileged Password Release | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) |
Non-Managed Release Expiration | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) |
	Overview
	Securing the Perimeter Within
	BeyondInsight Password Safe Architecture
	PowerBroker Password Safe Scalability
	Active/Active Deployment Model
	Password Safe Public API
	PowerBroker for Windows Integration
	Supported Platforms
	Port Requirements
	Getting Started
	Logging on to the Console
	Selecting a Display Language
	Navigating the Console
	Changing Your Logon Password
	Resetting Your Password
	Configuring Password Safe System Settings
	Configuring Global Settings
	Mail Templates
	Creating a Password Rule
	Ticket Systems
	API Registration
	Managed Account Aliasing
	Agent Configuration Details
	Configuring the Password Change Agent
	Configuring the Mail Agent
	Session Monitoring
	Password Test Agent Configuration
	Access Policies
	Creating an Access Policy
	Configuring a Connection Profile
	Using a Predefined Connection Profile
	Managed Account Caching
	Onboarding Systems and Accounts
	Onboarding Workflow
	Creating a Functional Account
	Overriding a Functional Account Password
	Adding a System
	Configuring Password Management Settings
	Adding an Account
	Adding a System Using a Smart Rule
	Adding Accounts Using a Smart Rule
	Managed Systems
	Setting the Account Name Format
	Importing an SSH Key Using a Smart Rule
	Managing the SSH Keys
	Viewing Managed System Details
	Managed Accounts
	Viewing Managed Accounts
	Viewing Managed Account Details
	Deleting Managed Accounts
	Unlinking Managed Accounts
	Changing Passwords for Managed Accounts
	Configuring Subscriber Accounts
	Configuring Password Reset for Managed Accounts
	Using a Managed Account as a Retina Scan Credential
	Using DSS Authentication
	Generating and Distributing the Key
	Creating a Functional Account with DSS Authentication
	Creating a Functional Account on the UNIX or Linux Platform
	Testing the Functional Account
	Setting DSS on the Managed Account
	DSS Key Auto Management
	Get the Public Key
	Creating a DSS Key Rule
	Session Monitoring
	Setting up Session Monitoring
	Configuring Listen Host and File Location
	Setting Session Monitoring Screen Resolution
	Personalized Notification Images
	Password Masking
	Viewing Recorded Sessions
	Viewing Recorded Sessions in a Multi-Node Environment
	Keystroke Logging
	Enhanced Session Auditing
	Keystroke Search
	Keystroke for Active Sessions
	Session Frame Export
	Admin (Ad Hoc) Sessions
	Concurrent Sessions
	Active Sessions
	Locking an Active Session
	Terminate an Active Session
	Terminate and Cancel an Active Session
	Archiving Recorded Sessions
	Archiving Sessions and Restoring Archived Sessions
	Remote Proxy Sessions
	Viewing Agents
	Displaying Nodes in Password Safe
	Adding Windows Components
	Windows Systems Managed Accounts
	Adding a Directory
	Adding Directory Accounts
	Adding Directory Accounts Manually
	Discover Active Directory Accounts with an Active Directory Query
	Linked Accounts
	Creating an Active Directory Functional Account
	Adding Windows Services
	Set up the Service Report
	Prepare the Services
	Run a Scan on the Service Assets
	Troubleshooting Changes
	Adding Applications
	Adding an Application
	Encryption Module for RemoteApp
	Associating the Application to a Managed Account
	Setting up the Access Policy
	Setting up the Role Based Access
	Using AutoIt Passthrough
	AutoIt Script Details
	Adding SAP as a Managed System
	Requirements
	Setting up the Functional Account
	Adding SAP
	Changing Passwords on Managed Accounts
	Adding a Cloud Application
	Requesting an Application Session
	SSH and RDP Connections
	Requirements for SSH
	Supported SSH Client Ciphers
	Auto-Launch PuTTY Registry File
	Supported SSH Session Protocols
	Multiple SSH Sessions
	Login Accounts for SSH Sessions
	Manually Enabling Login Accounts
	Enabling Login Accounts with a Smart Rule
	Direct Connect
	Requesting an SSH Session
	Requesting an RDP Session
	Using a Two-Factor Authentication Token
	Troubleshooting Connections
	RDP Sessions
	Certificate Authentication
	Smart Sizing
	Font Smoothing
	Configuring Ports
	Adding Databases
	Auto Discovery and Management for Database Instance
	Manual Management for Database Instances
	Managing Database Instance Accounts
	Creating a Functional Account for a SQL Server Database
	Permissions and Roles in SQL Server
	Creating the Account in SQL Server
	SQL Server Instance Port Retrieval
	Adding a PostgreSQL Database Instance
	Creating Accounts in PostgreSQL
	Adding the PostgreSQL Instance to Password Safe
	Configuring Settings on the Oracle Platform
	Adding the Functional Account
	Permissions for the Functional Account in Oracle
	Creating the Functional Account in Oracle
	Setting Up the Host
	Using Encrypted Connections
	Setting up a TOAD® Connection
	Configuring a TOAD Connection
	Requesting a TOAD Connection
	Adding a Custom Platform
	Creating a Custom Platform
	Configure the Steps Tab
	Cloning a Custom Platform
	Exporting a Custom Platform
	Importing a Custom Platform
	Example of Linux Platform
	Working with Smart Rules
	Overview
	Predefined Smart Groups
	Considerations When Designing Smart Rules
	Smart Rule Processing
	Changing the Processing Frequency for a SmartRule
	Dedicated Account Smart Rule
	Using Quick Groups
	Changing Quick Groups in the Smart Rules Manager
	Changing the Password for Users
	Role Based Access
	User Group Permissions
	Password Safe Roles
	Asset or Managed Account Smart Rule
	Creating a User Group and Assigning Roles
	Recorded Session Reviewer and Active Session Reviewer Roles
	Quarantine User Accounts
	Setting the Refresh Interval on the Quarantine Cache
	Configuring API Access
	Creating a User Group with API Access
	Managed Account Settings
	Restricting Access to Password Safe Logon Page
	Configuring Approvals
	Using a Managed Account as a Credential
	Configuring the Managed Account
	Configuring the Query
	Configuring the Group
	LDAP Directory Groups
	Logging in with LDAP Directory Account
	Real Time Authorization
	Multi-Node and Multi-Tenant Environments
	Overview
	Creating a Password Safe Agent
	Assigning a Workgroup to a Password Safe Agent
	Viewing Agents Assigned to a Workgroup
	Assigning a Workgroup to a Managed Account
	Which Agent Made the Last Change on the Account?
	Multi Tenant
	Synced Accounts in a Multi Tenant Environment
	Third Party Ticket Systems
	Configuring Remedy
	Configuring CA Service Desk Manager
	Using a Functional Account for Access
	Using a PKI Certificate Access Policy
	Configuring Jira Ticket System
	Configuring ServiceNow
	Reports in BeyondInsight Analytics and Reporting
	Advanced Systems Integration
	PowerBroker for Unix & Linux Integration
	Example Policy
	Password Safe Web Portal
	Navigating the Password Safe Web Portal
	Password Release Process
	Request for Password Release
	Reviewing a Password Request
	Approving or Denying the Password Release
	Retrieving a Password
	Authentication Mechanisms
	Multi-System Checkout
	Making the Request
	Approving the Request for Multi-System Checkout
	OneClick Feature
	OneClick Bypass SSH Landing Page
	Admin Sessions
	Enforcing Session End Time
	Requesting Remote Proxy Sessions
	Appendix A
	Remedy Connector
	Exporting the CA Certificate
	Importing the Certificate
	LAN Manager Authentication Setting
	How to Enable UAC Setting
	Third Party Authentication
	Smart Card Authentication
	Configure Smart Card Authentication in BeyondInsight
	Verify the Server Certificate
	Verify the Web Server Certificate
	The Default Web Site Bindings
	BeyondInsight Configuration
	RADIUS Multi-Factor Authentication Using Duo
	Example Logon Page
	Appendix B: Software Installation
	Installation Overview
	Installing Password Safe License
	Appendix C: Email Notifications
	Local Accounts
	Domain Accounts