
Adding Accounts in Application Token

To use the Application Token REST API, a profile should be created for Application Token clients in the Password Vault. These profiles are called Application Token Accounts in the Kron PAM Web GUI.

To create an Application Token account, follow the steps below:

  1. Navigate to Secrets > Vault.
  2. Open the Application Tokens tab.
  3. Click the Add button.

  • Enter the Application Name, Event User, and Security Level. You can remove the Event User if the account should not be related to any user in the system.
  • To enter the requester's source IP address, click the Edit button next to the Application IP Address field. In the pop-up screen, enter one or more IP addresses in CIDR notation.
Application IP Pop-up Screen

  • To link Password Vault account(s), click the Edit button next to the Vault Account field. You can link one or more accounts to the Application Token account. Linked accounts can be accessed with the same token. Accounts are searched by name and Group Full Path.
Application Token – Add Password Vault Account Pop-up Screen

  • To link Password Vault group path(s) to the Application Token account, click the Edit button next to the Account Group field. You can link one or more account groups to the Application Token account. Linked groups can be accessed with the same token.
Add Account Group

  • Select any restrictions required from the restriction checkboxes. You can set time and usage limits.
  • Select the Allow Listing Accounts checkbox if the accounts and groups linked to the Application Token need to be listed. If you don't select this checkbox, the list of linked accounts cannot be retrieved through the /listSAPMAccounts API.
  • Enter any optional parameters listed according to your Security Level choice (details described below) and click Save.
Application Token Accounts

  • After this step, an Application Token Account is created, and the Application Token authentication token is shown in the pop-up window.
  • Copy this token by clicking the text box. (Later, you’ll need to include this parameter in the REST API requests.)
Application Token AAPM Account creation info box

Application Token Flow (Different colored arrows represent different Security Levels)


| Parameter Name | Parameter Value |
|---|---|
| App Hash | The MD5SUM value of the application’s executable file. (Used for the Basic + Pin + Path + Hash Security Level) |
| App Path | The path of the application using AAPM. (Used for all Security Levels including Path) |
| Application IP | IP address of the requester application. |
| Application Name | Name of the application requesting the AAPM passwords. |
| Event User | The user who uses the password. (This value is logged in the Password Vault logs as the user of the password.) If the account should be independent of any user, the event user can be removed. If an event user is set and the user's permissions are not sufficient to reach the secret, the secret will not be retrieved through AAPM. |
| OS Account | The name of the account used by Kron PAM while connecting and checking the path. (Used for all Security Levels including Path) |
| OS Account Password | The password of the account that will be used by Kron PAM while connecting and checking the path. (Used for all Security Levels including Path, and applicable for the Manual User OS Credential Type only) |
| OS Credential Type | The credential type used by Kron PAM while connecting and checking the path. Possible values: SAPM / Manual User. (Used for all Security Levels including Path) |
| OS Type | The operating system type of the server that hosts the application. Possible values: Windows / Linux / Mac OS. (Used for all Security Levels including Path) |
| PIN Sending Port | The port the client application is listening on. Kron PAM sends the PIN to this port. (Used for all Security Levels except Basic) |
| SAPM Account | The Password Vault account used in AAPM. |
| Security Level | The Security Level for the AAPM process. The possible values are: **Basic**: Default, basic AAPM flow. The application requests the password via API. Kron PAM checks the application’s token and source IP and sends back the password as the response if everything is correct. **Basic + Pin**: The application requests the password via API. Kron PAM checks the application’s token and source IP and, if everything is correct, sends the PIN to a specific port. The application sends a second request with the PIN code and gets the password. **Basic + Pin + Path**: The application requests the password via API. Kron PAM checks the application’s token and source IP and, if everything is correct, sends the PIN to a specific port. The application sends a second request with the PIN code. Kron PAM checks the path and name of the application and sends back the password if they match. **Basic + Pin + Path + Hash**: The application requests the password via API. Kron PAM checks the application’s token and source IP and, if everything is correct, sends the PIN to a specific port. The application sends a second request with the PIN code. Kron PAM checks the path, name, and MD5SUM of the application and sends back the password if they match. |
| Time Limit | The Time Limit checkbox enables users to set an expiry date for the AAPM token. |
| Expiry Date | The Expiry Date field allows users to set a deadline for token usage. |
| Usage Limit | The Usage Limit checkbox enables users to set a limit for maximum usage. |
| Maximum Usage Count | The Maximum Usage Count field allows users to define a maximum usage limit. |
| Allow Listing Accounts | The Allow Listing Accounts checkbox enables the linked Password Vault accounts and groups to be listed through the /listSAPMAccounts API. |
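
The four Security Levels in the table, modelled as the sequence of checks the page describes. This is an added illustration, not Kron PAM code or its API: the class and function names, the PIN format, the single-use PIN and the order of the usage-limit check are assumptions, and the path and executable bytes that Kron PAM would read from the host are passed in directly.

```python
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass

@dataclass
class TokenAccount:            # hypothetical model, not Kron PAM's schema
    token: str
    allowed_cidrs: list        # "Application IP" entries in CIDR notation
    level: str = "Basic"       # one of the four Security Levels on the page
    app_path: str = ""         # "App Path"
    app_hash: str = ""         # "App Hash": MD5SUM of the executable
    max_usage: int = 0         # "Maximum Usage Count"; 0 = Usage Limit off
    used: int = 0
    pending_pin: str = ""

def md5sum(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def first_request(acct, token, src_ip):
    """Token and source-IP check; releases the password or issues a PIN."""
    if not hmac.compare_digest(acct.token, token):
        return "denied", "bad token"
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(c, strict=False) for c in acct.allowed_cidrs):
        return "denied", "source IP not allowed"
    if acct.max_usage and acct.used >= acct.max_usage:   # assumed check order
        return "denied", "usage limit reached"
    if acct.level == "Basic":
        acct.used += 1
        return "password", "released"
    # Assumed PIN format; the real PIN goes to the client's PIN Sending Port.
    acct.pending_pin = f"{secrets.randbelow(10**6):06d}"
    return "pin_sent", acct.pending_pin

def second_request(acct, pin, observed_path, observed_exe):
    """PIN check, then the path and hash checks the Security Level requires."""
    if not acct.pending_pin or not hmac.compare_digest(acct.pending_pin, pin):
        return "denied", "bad PIN"
    acct.pending_pin = ""                 # single-use PIN (assumption)
    if "Path" in acct.level and observed_path != acct.app_path:
        return "denied", "path mismatch"
    if "Hash" in acct.level and md5sum(observed_exe) != acct.app_hash:
        return "denied", "hash mismatch"
    acct.used += 1
    return "password", "released"

if __name__ == "__main__":
    exe = b"constructed executable bytes"   # constructed sample, not a real binary
    acct = TokenAccount("tok-constructed", ["10.0.5.0/24"], "Basic + Pin + Path + Hash", "/opt/app/agent", md5sum(exe))
    _, pin = first_request(acct, "tok-constructed", "10.0.5.7")
    print(second_request(acct, pin, "/opt/app/agent", exe))
```

MD5 is not collision-resistant, so the App Hash check is best treated as a tripwire for an unexpectedly changed binary, layered on the token, source IP and PIN checks, rather than as proof of the executable's integrity.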