Reference Guide
Password Vault
Adding Vault Configurations
To manage passwords via Password Vault, a vault configuration is required. Vault configurations consist of the command sets that make the password changes in the target systems. There are pre-defined vault configurations in Kron PAM, but if the target device differs from those pre-defined in the system, a new vault configuration must be created. A different vault configuration should be created for each kind of target system whose passwords will be managed by the system.

In the configuration screen, Strategy defines the method used to change the password, and Configuration Properties defines the details of each configuration. The Static strategy is a configuration where an account can be added to Password Vault without a target system.

To create a new vault configuration:

1. Navigate to Secrets > Configurations.
2. Open the Vault Configurations tab.
3. Click the Add button.
4. Fill in the Name, Strategy and Description fields, and fill in the desired parameters.
5. Click Save.

To add and/or edit the properties of a vault configuration:

1. Type in the Advanced Search field to see the saved configurations.
2. Click the green arrow button of the desired configuration and edit the Configuration Type.
3. Type in the property value and click Save.

The properties that can be used for vault configurations are listed below. Each entry gives the SAPM configuration property key, its description and its pool value (the allowed or example values).

Account Level Properties
    These properties use values that can be set in account-specific configurations, that is, defined at the account level instead of the values in the default configuration. The property values are defined on the SAPM Account screen.

Other Properties

Allow Seen By Multiple User
    Description: If set as "true", the SAPM password can be seen by other users in the same user group. By default, the SAPM password can be seen only by the user who got the password last (for dynamic accounts only).
    Pool value: true/false

Always Show Accounts In Auto Login
    Description: Allows access to other servers with Active Directory and LDAP accounts (applies to SSH and RDP sessions).
    Pool value: true/false, default value true

AWS IAM Users Region
    Description: The AWS region to be accessed during the password change.
    Pool value: eu-central-1, eu-west-1, us-east-1

AWS Super User
    Description: Authorized username used to change a user's console or security credentials.
    Pool value: Authorized user username

AWS Super User Access Key
    Description: Access key of the authorized user used to change a user's console or security credentials.
    Pool value: Authorized user access key

AWS Super User Secret Key
    Description: Secret key of the authorized user used to change a user's console or security credentials (encrypted).
    Pool value: Authorized user secret key

Change Password With Other Account
    Description: The security credentials of the user who will change the console credentials must first be added as another account. That account is then referenced as accountname@groupfullpath (example: account1@/parentgroup).
    Pool value: The account that will change the credentials

Change Password After Session Login
    Description: If set as "true", the vault account password is changed right after the Kron PAM Session Manager starts an RDP or SSH session using this vault account. By default, the vault account password is not changed after being used by the Session Manager.
    Pool value: true/false

Change Password Command Template
    Description: The command set used to change the password. This set can be different for each system. It consists of the commands that change the password in the target system. There are pre-defined sets for the most used systems, but if the target device is not among the pre-defined systems, this command set needs to be configured.
    Pool value: Specific to the device type, e.g. for a Cisco device:
        en\n${superpassword}\nconf t\nline con 0\npassword ${newpassword}\nline vty 0 4\npassword ${newpassword}\nline vty 5 15\npassword ${newpassword}\nenable secret ${newpassword}\nend\nwr me\nexit

Change Password Failure Pattern
    Description: During each password change, Kron PAM gets an output from the system and checks whether the password was changed successfully. If there is a failure in the password change process, the system does not add the new password to its database. If the output matches this regex pattern, Kron PAM decides that the password change command has failed. If the "Skip Password Validation After Change" parameter is set as "false", the result of the connection validation overrides this decision, and this parameter has no effect.
    Pool value: Specific to the device type, e.g. for a Cisco device: % invalid input detected

Change Password Only At Change Period
    Description: When set as "true", no duration information is required from the user; only comments are requested. The password is not changed after the checkout, and other users are able to check out the same password until the next periodic change. By default, the user is asked for the duration, and the password is changed after the checkout.
    Pool value: true/false

Change Password Script Template
    Description: The Expect script used to change the password.
    Pool value: Script written in Expect language, e.g. for a Cisco IOS router:
        send "enable\r"
        expect "password "
        send "${superpassword}\r"
        expect {
            "password " { exit 1 "wrong enable password" }
            "#" { }
        }
        send "conf t\r"
        expect "#"
        send "username ${username} password ${newpassword}\r"
        expect {
            "#" { }
            "%" { exit 1 "command failed" }
        }
        send "do write\r"
        exit

Change Password Success Pattern
    Description: During each password change, Kron PAM gets an output from the system and checks whether the password was changed successfully; if there is a failure during the password change process, the system does not write the new password to its database. If the output matches this regex pattern, Kron PAM decides that the password change command was successful and stores the new password. If the "Skip Password Validation After Change" parameter is set as "false", the result of the connection validation overrides this decision, and this parameter has no effect.
    Pool value: Specific to the device type, e.g. for a CentOS device: successfully

Change Password With Domain
    Description: Usually, for Active Directory (AD) systems, the domain name does not need to be sent during a password change request. However, some systems require the domain name to be included in the password change, such as "singleconnect.com/richard" instead of just "richard". By default, this parameter is set as "false", and the domain name is not included in the command sent to the AD servers for an AD user password change. When set as "true", the domain name is included in the command sent.
    Pool value: true/false

Change Password With Super User
    Description: If set as "true", the super user credentials defined by the Super Username and Super Password properties are used to change the SAPM account password in the target device. By default the value is "false", meaning the SAPM account username and password are used to change the password. This option should be set as "true" when the SAPM account's rights are not enough to change its own password.
    Pool value: true/false

Change Password Self Permission
    Description: Permission for Active Directory users to change their password. According to the Active Directory self permission, Kron PAM is given one of these permissions.
    Pool value: Change Password / Reset Password

Change Period In Day
    Description: The default period (in days) for changing passwords with this configuration. There are two locations for this setting. The first one is the SAPM account definition, which has the higher priority. If "Change Period (Day)" is not set in the SAPM account definition, the "Change Period In Day" property value of the SAPM configuration is used to change the password. If neither the "Change Period" of the SAPM account nor the "Change Period In Day" property of the SAPM configuration is set, an error occurs when changing the password.
    Pool value: Integer (in days)

Change Period In Minute On Fail
    Description: The period after which the password change is attempted again when the periodic password change has failed.
    Pool value: Integer (in minutes)

Check New Users With Super User
    Description: SAPM can check for new users in the target systems periodically or on demand (see section docid inqcri6bqdc3qe7xb ofz for details). If this parameter is set as "true", the super user credentials defined by the "Super Username" and "Super Password" properties are used to check for new users in the target device. The default value is "false", meaning the SAPM account username and password are used to check for new users.
    Pool value: true/false

Check Password Command Template
    Description: Password Vault can periodically check the validity of the passwords. The command set defined in this parameter is used to check whether the stored password is valid.
    Pool value: Specific to the device type

Check Password Success Pattern
    Description: The output pattern, in regex format, that shows the password is valid.
    Pool value: Specific to the device type

Check Password Validation
    Description: If set as "true", the SAPM accounts using this configuration can be included in periodic and one-time password validations. If set as "false", the check password operation is not executed for the SAPM accounts using this configuration. This property checks whether the password is correct.
    Pool value: true/false, default value true

Check Password With Super User
    Description: If set as "true", the super user credentials defined by the "Super Username" and "Super Password" properties are used to check the validity of the SAPM account password in the target device. The default value is "false", meaning the SAPM account username and password are used to check the password validity.
    Pool value: true/false

Connection Timeout
    Description: Timeout duration for the connection.
    Pool value: Integer (unit: second)

Database Driver
    Description: Database driver used to manage database passwords.
    Pool value: Oracle / PostgreSQL / MSSQLServer / MySQL / Cassandra / SAPHanaDB / Teradata / Sybase driver in the following format:
        oracle.jdbc.driver.OracleDriver
        org.postgresql.Driver
        com.mysql.jdbc.Driver
        com.microsoft.sqlserver.jdbc.SQLServerDriver
        com.sap.db.jdbc.Driver
        org.apache.cassandra.cql.jdbc.CassandraDriver
        com.teradata.jdbc.TeraDriver
        com.sybase.jdbc4.jdbc.SybDriver

Delete List Script Template
    Description: The Expect script used to delete users.
    Pool value: Script written in Expect language, e.g. for Cisco IOS routers:
        send "enable\r"
        expect "password "
        send "${superpassword}\r"
        expect {
            "password " { exit 1 "wrong enable password" }
            "#" { }
        }
        send "conf t\r"
        expect "#"
        send "no username ${username}\r"
        expect {
            "#" { }
            "%" { exit 1 "command failed" }
        }
        send "do write\r"
        exit

Delete User Command Template
    Description: The command set used to delete users. After checking for new users in the target devices and reviewing the new users list, this parameter is used to delete users.
    Pool value: Specific to the device type

Edit Comment Enable
    Description: Comments appear when accounts are enabled for editing.
    Pool value: true/false

Execute Post Command With Super User
    Description: If set as "true", the super user credentials defined by the "Super Username" and "Super Password" properties are used to run the commands after the password change (e.g., to kill the active sessions started with the previous password). The default value is "false", meaning the SAPM account username and password are used to run the commands after the password change. See section docid xxbd1icisef6j7lpzygek for more information.
    Pool value: true/false

Error Check Account Command Template
    Description: If "Super Username" and "Super Password" were added to the configuration, the "Error Check Account Command Template" commands can run on the server. The parameter only affects the SSH strategy.
    Pool value: passwd -S ${username}

Error Check Account Command Parser
    Description: Parses the output of the command executed by the Error Check Account Command Template parameter and prints the desired message to the screen. Regex is used.
    Pool value: \\( \\)

File Path
    Description: Target file path for the File strategy. The "File Regex To Match" and "File Regex To Replace" properties are also required for this strategy. See section docid s mipzw xrknnueclteae for more information.
    Pool value: Specific to the device type

File Regex To Match
    Description: The regex pattern that matches the password in the file at the file path. The "File Path" and "File Regex To Replace" properties are also required for the File strategy. See section docid s mipzw xrknnueclteae for more information.
    Pool value: Specific to the device type

File Regex To Replace
    Description: When "File Regex To Match" matches the password field, it is replaced with this property value. The "File Regex To Match" and "File Path" properties are also required for the File strategy. See section docid s mipzw xrknnueclteae for more information.
    Pool value: Specific to the device type

HTTP Change Password Body
    Description: The HTTP body for password change requests (used for the HTTP strategy), for applications or devices that provide an HTTP password change API.
    Pool value: Specific to the device type

HTTP Change Password Headers
    Description: The HTTP headers for password change requests (used for the HTTP strategy), for applications or devices that provide an HTTP password change API.
    Pool value: Specific to the device type

HTTP Change Password Method
    Description: The HTTP method for password change requests (used for the HTTP strategy), for applications or devices that provide an HTTP password change API.
    Pool value: POST / GET / PUT

HTTP Change Password URL
    Description: The URL the password change requests are sent to (used for the HTTP strategy), for applications or devices that provide an HTTP password change API.
    Pool value: Specific to the device type

HTTP Check Password Body
    Description: The HTTP body for password check requests (used for the HTTP strategy), for applications or devices that provide an HTTP password check API.
    Pool value: Specific to the device type

HTTP Check Password Headers
    Description: The HTTP headers for password check requests (used for the HTTP strategy), for applications or devices that provide an HTTP password check API.
    Pool value: Specific to the device type

HTTP Check Password Method
    Description: The HTTP method for password check requests (used for the HTTP strategy), for applications or devices that provide an HTTP password check API.
    Pool value: POST / GET / PUT

HTTP Check Password URL
    Description: The URL the password check requests are sent to (used for the HTTP strategy), for applications or devices that provide an HTTP password check API.
    Pool value: Specific to the device type

HTTP Delete User Body
    Description: The HTTP body for delete user requests (used for the HTTP strategy), for applications or devices that provide an HTTP user delete API.
    Pool value: Specific to the device type

HTTP Delete User Headers
    Description: The HTTP headers for delete user requests (used for the HTTP strategy), for applications or devices that provide an HTTP user delete API.
    Pool value: Specific to the device type

HTTP Delete User Method
    Description: The HTTP method for delete user requests (used for the HTTP strategy), for applications or devices that provide an HTTP user delete API.
    Pool value: POST / GET / PUT

HTTP Delete User Success Pattern
    Description: The output pattern, in regex format, that shows the HTTP delete user request has succeeded, for applications or devices that provide an HTTP user delete API.
    Pool value: Specific to the device type

HTTP Delete User URL
    Description: The URL the delete user requests are sent to (used for the HTTP strategy), for applications or devices that provide an HTTP user delete API.
    Pool value: Specific to the device type

HTTP User List Body
    Description: The HTTP body for user listing requests (used for the HTTP strategy), for applications or devices that provide an HTTP user listing API.
    Pool value: Specific to the device type

HTTP User List Headers
    Description: The HTTP headers for user listing requests (used for the HTTP strategy), for applications or devices that provide an HTTP user listing API.
    Pool value: Specific to the device type

HTTP User List Method
    Description: The HTTP method for user listing requests (used for the HTTP strategy), for applications or devices that provide an HTTP user listing API.
    Pool value: POST / GET / PUT

HTTP User List URL
    Description: The URL the user listing requests are sent to (used for the HTTP strategy), for applications or devices that provide an HTTP user listing API.
    Pool value: Specific to the device type

LDAP Base DN
    Description: Base distinguished name (DN) for LDAP.
    Pool value: Specific to the LDAP structure, e.g. ou=testuser,dc=singleconnect,dc=local

LDAP Domain
    Description: The domain name included in the command sent to the AD servers for AD user password changes when the "Change Password With Domain" property is set as "true".
    Pool value: Domain name

LDAP Ignore Certificate
    Description: Ignore the certificate for LDAP/AD.
    Pool value: true/false

LDAP Password Attribute Name
    Description: The attribute name of the password in the LDAP/AD records. Unless there is an exception, it is "userPassword".

LDAP Username DN Template
    Description: The distinguished name (DN) template for the users managed with this SAPM configuration.
    Pool value: Specific to the LDAP structure, e.g. cn=${username},dc=example,dc=com

LDAP Connection Timeout
    Description: Sets the LDAP and Active Directory response read timeout.
    Pool value: Default value "5000" ms

New Password Encryption Key
    Description: The encryption key used when "New Password Encryption Method" is chosen as AES.
    Pool value: String

New Password Encryption Method
    Description: The method used for password encryption.
    Pool value: Clear / MD5 / AES / Unicode enclosed in double quotes

New User Exception List
    Description: The list of users to be ignored in the new user checks.

New User Found Action
    Description: The action taken when a new user is found.
    Pool value: Log / Nothing / Delete / Log and Delete

Password Change Reminder Day
    Description: The duration (in days) to wait before sending a reminder, ahead of a password change, to the email addresses defined in the sapmmaillist property of the device group.
    Pool value: Integer (days)

Password Strength Symbol Chars
    Description: The pool of characters allowed as symbol characters in password strength. The double quotation mark (") and the percent mark (%) are not allowed for a SAPM password that has a WinRM configuration.
    Pool value: Character string, e.g. !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Password Strength Lowercase Count
    Description: The exact number of lowercase letters that must be included in passwords.
    Pool value: Integer

Password Strength Number Count
    Description: The exact number of digits that must be included in passwords.
    Pool value: Integer

Password Strength Symbol Count
    Description: The exact number of symbol characters that must be included in passwords.
    Pool value: Integer

Password Strength Uppercase Count
    Description: The exact number of uppercase letters that must be included in passwords.
    Pool value: Integer

Post Command
    Description: The commands executed on the server after a successful password change (e.g., to kill the active sessions started with the previous password). Multiple commands can be separated with \n characters. See section docid xxbd1icisef6j7lpzygek for more information.
    Pool value: Specific to the device type

Post Command Failure Pattern
    Description: If the pattern set for this property is found in the command results of the "Post Command", the command is tagged as "failed". When this happens, and the "Post Command Stop On Fail" property is set as "true", the command execution is stopped and the remaining commands are not executed.
    Pool value: Specific to the device type

Post Command Stop On Fail
    Description: When set as "true", if any failure occurs during post command execution, the remaining commands are not executed. The default value is "false".
    Pool value: true/false

Set Comment To Account
    Description: Comments appear when prompted for a password check out.
    Pool value: true/false

Skip Password Validation After Change
    Description: If set as "true", no password validation is done after a password change. The default value is "false", meaning the password validation is done after a password change (for the SSH and WinRM strategies only). For TACACS+ devices it must be set as "true".
    Pool value: true/false

Show Accounts In Auto Login For Domain Match
    Description: Restricts the use of Active Directory and LDAP accounts to domain accounts only. The Domain parameter should be added on the device.
    Pool value: true/false, default value false

SSH Port
    Description: The port number for SSH connections, for the SSH strategy. The default value is 22.
    Pool value: Specific to the device type

SSH Wait Between Commands In Millisecond
    Description: Time to wait between commands.
    Pool value: Integer (milliseconds)

Static Secret Type
    Description: Selects the type of static accounts with the Static configuration.
    Pool value: User Credential / SSH Key / SSL Certificate / Other (Secret Data)

Super Password
    Description: The password of the super user who has superior rights on the target server. The value must be set when one of the "... With Super User" properties is set as "true".
    Pool value: String (hidden)

Super Username
    Description: The username of the super user who has superior rights on the target server. The value must be set when one of the "... With Super User" properties is set as "true".
    Pool value: String

Target URL Template
    Description: The AD/LDAP URL for the Active Directory strategy.
    Pool value: Device specific

Unlock Account With Super User
    Description: A super user must be used to unlock the AD user.
    Pool value: true/false

User Group Parser Delimiter
    Description: The delimiter character that separates multiple user groups when checking for new users on a server.
    Pool value: String

User List Command
    Description: The command that gets the user list.
    Pool value: e.g. cat /etc/passwd

User List Script Template
    Description: The Expect script used to get the user list.
    Pool value: Expect script

Username Parser
    Description: The regex pattern that finds the usernames after the users are listed.
    Pool value: Specific to the device type, e.g. ( ?)

Update Comment Enable
    Description: Comments appear when prompted for a password update.
    Pool value: true/false

WinRM Auth Method
    Description: Authentication method for WinRM.
    Pool value: Basic, Digest, NTLM, Negotiate or Kerberos

WinRM Ignore Certificate
    Description: When set to "true", certificate errors are ignored during WinRM connections.
    Pool value: true/false

WinRM Port
    Description: The port number for WinRM device configurations.
    Pool value: Integer

WinRM Secure
    Description: When set to "true", the connection is made over HTTPS; otherwise, it is made over HTTP.
    Pool value: true/false

WinRM Connection Timeout
    Description: Sets the WinRM response read timeout.
    Pool value: Default value "5000" ms
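The following is an added example (not Kron PAM code) of how the Change Password Command Template, the Change Password Success/Failure Pattern properties and the Skip Password Validation After Change override described above fit together: it expands a "\n"-separated template with ${...} placeholders, masks secrets before anything is logged, and decides whether the new password may be stored. The function names, the treatment of output that matches neither pattern, and the sample template are this example's own assumptions.

```python
import re
from string import Template

# Constructed command template in the page's format: a Cisco-style set of
# commands separated by a literal "\n", with ${...} placeholders.
CISCO_CHANGE_TEMPLATE = (
    "en\\n${superpassword}\\nconf t\\nline con 0\\npassword ${newpassword}"
    "\\nenable secret ${newpassword}\\nend\\nwr me\\nexit"
)


def expand_template(template: str, **values: str) -> list:
    """Split a command template on the literal "\\n" separator and fill in
    the ${...} placeholders. safe_substitute keeps unknown placeholders
    verbatim instead of raising, so a missing value shows up in the output."""
    return [Template(part).safe_substitute(values) for part in template.split("\\n")]


def redact(commands: list, secrets: tuple) -> list:
    """Mask secrets before the commands are written to a log or audit trail."""
    masked = []
    for command in commands:
        for secret in secrets:
            if secret:
                command = command.replace(secret, "******")
        masked.append(command)
    return masked


def keep_new_password(output: str, success_pattern: str, failure_pattern: str,
                      skip_validation_after_change: bool,
                      connection_validated: bool = False) -> bool:
    """Decide whether the vault stores the new password after a change.

    Rules as the page states them: when Skip Password Validation After Change
    is "false", the post-change connection validation alone decides; otherwise
    a Change Password Failure Pattern match means the change failed and a
    Change Password Success Pattern match means it succeeded. Output matching
    neither pattern is treated as failed here (an assumption; the page does
    not describe that case)."""
    if not skip_validation_after_change:
        return bool(connection_validated)
    if failure_pattern and re.search(failure_pattern, output):
        return False
    if success_pattern and re.search(success_pattern, output):
        return True
    return False
```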
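As an added example (not the product's code), the Password Strength properties above can be turned into a generator and a checker: exactly the configured number of characters from each class, drawn from the CSPRNG, with the double quotation mark and percent sign dropped from the symbol pool when the configuration is for WinRM. The PasswordStrength class and its field names are this example's own; the default symbol pool is the page's example string.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordStrength:
    """Example policy object; the field names mirror the page's Password
    Strength properties but are not the product's configuration keys."""
    lowercase_count: int
    uppercase_count: int
    number_count: int
    symbol_count: int
    symbol_chars: str = r"""!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"""
    winrm: bool = False  # WinRM configurations forbid " and % in passwords

    def allowed_symbols(self) -> str:
        """Symbol pool with the WinRM-forbidden characters removed."""
        if self.winrm:
            return "".join(c for c in self.symbol_chars if c not in '"%')
        return self.symbol_chars


def generate_password(policy: PasswordStrength) -> str:
    """Draw exactly the configured number of characters from each class with
    the CSPRNG, then shuffle so the class of each position is not predictable."""
    symbols = policy.allowed_symbols()
    if policy.symbol_count > 0 and not symbols:
        raise ValueError("symbol count > 0 but the symbol pool is empty")
    chars = (
        [secrets.choice(string.ascii_lowercase) for _ in range(policy.lowercase_count)]
        + [secrets.choice(string.ascii_uppercase) for _ in range(policy.uppercase_count)]
        + [secrets.choice(string.digits) for _ in range(policy.number_count)]
        + [secrets.choice(symbols) for _ in range(policy.symbol_count)]
    )
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_password(password: str, policy: PasswordStrength) -> list:
    """Return the policy violations for a password (empty list when compliant).
    Counts must match exactly, as the page defines the *Count properties."""
    symbols = set(policy.allowed_symbols())
    counts = {"lowercase": 0, "uppercase": 0, "number": 0, "symbol": 0}
    problems = []
    for c in password:
        if c in string.ascii_lowercase:
            counts["lowercase"] += 1
        elif c in string.ascii_uppercase:
            counts["uppercase"] += 1
        elif c in string.digits:
            counts["number"] += 1
        elif c in symbols:
            counts["symbol"] += 1
        else:
            problems.append(f"character {c!r} is not in any allowed pool")
    required = {"lowercase": policy.lowercase_count, "uppercase": policy.uppercase_count,
                "number": policy.number_count, "symbol": policy.symbol_count}
    for name, want in required.items():
        if counts[name] != want:
            problems.append(f"{name} count is {counts[name]}, policy requires exactly {want}")
    return problems
```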
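The File strategy rows above (File Path, File Regex To Match, File Regex To Replace) are illustrated by this added example, which is not Kron PAM code: the match regex is applied to the file content, the ${newpassword} placeholder in the replace value is filled in, and the file is rewritten atomically. The sample file, the one-match-only rule and the use of \g<1> group references in the replace value are this example's own assumptions about how the three properties are combined.

```python
import os
import re
import tempfile

# Constructed sample of an application configuration file managed with the
# File strategy; the password line is the only field the vault should touch.
SAMPLE_FILE = "host=db01\nuser=app\npassword=OldSecret1\nport=5432\n"


def rotate_in_text(text: str, match_regex: str, replace_template: str, new_password: str) -> str:
    """Apply File Regex To Match / File Regex To Replace to file content.

    ${newpassword} in the replace template is filled in before the template
    reaches re.sub, with backslashes escaped so a password such as a\\1b is
    written literally instead of being read as a group reference. Use \\g<1>
    rather than \\1 in the template so a password starting with a digit is
    not glued onto the group number. Requiring exactly one match is this
    example's policy: zero matches means the file layout changed, more than
    one means the pattern would also overwrite unrelated fields."""
    pattern = re.compile(match_regex, re.MULTILINE)
    hits = len(list(pattern.finditer(text)))
    if hits != 1:
        raise ValueError(f"expected exactly one password field, found {hits}")
    escaped = new_password.replace("\\", "\\\\")
    return pattern.sub(replace_template.replace("${newpassword}", escaped), text)


def rotate_in_file(path: str, match_regex: str, replace_template: str, new_password: str) -> None:
    """Rewrite the file atomically: write a temp file in the same directory,
    copy the original permission bits, then os.replace so a crash never
    leaves a half-written secrets file behind."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text = rotate_in_text(text, match_regex, replace_template, new_password)
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(new_text)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo_roundtrip(new_password: str = "N3w!Secr3t") -> str:
    """Write SAMPLE_FILE to a temporary file, rotate the password in place and
    return the file content afterwards (exercises rotate_in_file end to end)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.conf")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_FILE)
        os.chmod(path, 0o600)
        rotate_in_file(path, r"^(password=).*$", r"\g<1>${newpassword}", new_password)
        with open(path, encoding="utf-8") as f:
            return f.read()
```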