Reference Guide
Password Vault
Adding Vault Configurations
To manage passwords via Password Vault, a vault configuration is required. Vault configurations consist of the command sets used to make the password changes in the target systems. There are pre-defined vault configurations in Kron PAM, but if the target device differs from those pre-defined in the system, a new vault configuration must be created. A separate vault configuration should be created for each kind of target system whose passwords will be managed by the system.

In the configuration screen, Strategy defines the method used to change the password, and Configuration Properties defines the details for each configuration. The Static strategy is a configuration in which an account can be added to Password Vault without a target system.

To create a new vault configuration:

1. Navigate to Secrets > Configurations.
2. Open the Vault Configurations tab.
3. Click the Add button.
4. Fill in the Name, Strategy, and Description fields and fill in the desired parameters.
5. Click Save.

To add and/or edit properties for a vault configuration:

1. Type in the Advanced Search field to see the saved configurations.
2. Click the green arrow button of the desired configuration and edit the configuration.
3. Type in the property value and click Save.

The properties below can be used for vault configurations. Each entry lists the vault configuration property key, its description, and its pool value (the type or allowed values of the property).

Account level properties
  Description: This property uses values that can be set for account-specific configurations and that can be defined at the account level instead of the values in the default configuration. The property values are defined on the Add Account pop-up.

Other properties

Allow to be seen by multiple users
  Description: If set as "on", the vault password can be seen by other users in the same user group. By default, the vault account password can be seen only by the user who got the password last (for dynamic accounts only).
  Value: switch (on/off)

Always show accounts in auto login
  Description: Allows access to other servers with Active Directory and LDAP accounts (applies to SSH and RDP sessions).
  Value: switch (on/off), default value "on"

AWS IAM users region
  Description: The AWS region to be accessed during the password change.
  Value: eu-central-1, eu-west-1, us-east-1, ...

AWS super user
  Description: The authorized username used to change a user's console or security credentials.
  Value: authorized user username

AWS super user access key
  Description: The authorized user's access key, used to change a user's console or security credentials.
  Value: authorized user access key

AWS super user secret key
  Description: The authorized user's secret key, used to change a user's console or security credentials (stored encrypted).
  Value: authorized user secret key

Use other account
  Description: The security credentials of the user who will change their console credentials must first be added as another account. That account is then referenced as accountname@groupfullpath (example: account1@/parentgroup).
  Value: the account that will change the credentials

Change password after session manager login
  Description: If set as "on", the vault account password is changed right after an SSH Proxy or RDP Proxy session is started by the Kron PAM Session Manager using this vault account. By default, the vault account password is not changed after being used by the Session Manager.
  Value: switch (on/off)

Command set for change password
  Description: The command set used to change the password. This set can differ for each system; it consists of the commands that change the password in the target system. There are pre-defined sets for the most commonly used systems, but if the target device is not among them, this command set must be configured for the device.
  Value: specific to the device type, e.g. for a Cisco device:
    en\n${superpassword}\nconf t\nline con 0\npassword ${newpassword}\nline vty 0 4\npassword ${newpassword}\nline vty 5 15\npassword ${newpassword}\nenable secret ${newpassword}\nend\nwr me\nexit

Change password failure pattern
  Description: During each password change, Kron PAM receives output from the system and checks whether the password was changed successfully. If the password change fails, the system does not add the new password to its database. If the output matches this regex pattern, Kron PAM decides that the password change command has failed. If the "Skip password validation after password change" parameter is set as "off", the result of the connection validation overrides this decision and this parameter has no effect.
  Value: specific to the device type, e.g. for a Cisco device: % Invalid input detected

Change password only at change periods
  Description: When set as "on", no duration information is required from the user; only comments are requested. The password is not changed after the checkout, and other users can check out the same password until the next periodic change. By default, the user is asked for the duration, and the password is changed after the checkout.
  Value: switch (on/off)

Script set for change password
  Description: The Expect script used to change the password.
  Value: a script written in the Expect language, e.g. for a Cisco IOS router:
    send "enable\r"
    expect "password: "
    send "${superpassword}\r"
    expect {
        "password: " { send_user "wrong enable password\n"; exit 1 }
        "#" { }
    }
    send "conf t\r"
    expect "#"
    send "username ${username} password ${newpassword}\r"
    expect {
        "#" { }
        "%" { send_user "command failed\n"; exit 1 }
    }
    send "do write\r"
    exit

Change password success pattern
  Description: During each password change, Kron PAM receives output from the system and checks whether the password was changed successfully; if the password change fails, the system does not write the new password to its database. If the output matches this regex pattern, Kron PAM decides that the password change command succeeded and stores the new password. If the "Skip password validation after password change" parameter is set as "off", the result of the connection validation overrides this decision and this parameter has no effect.
  Value: specific to the device type, e.g. for a CentOS device: successfully

Change password with domain information
  Description: Usually, for Active Directory (AD) systems, the domain name does not need to be sent during a password change request. However, some systems require the domain name to be included in the password change, such as "krontech\username" instead of "username". By default, this parameter is set as "off", and the domain name is not included in the command sent to the AD servers for an AD user password change. When set as "on", the domain name is included in the command sent.
  Value: switch (on/off)

Change password with super user
  Description: If set as "on", the super user credentials defined by the "Super user name" and "Super user password" properties are used to change the vault account password on the target device. By default, the value is "off", meaning the vault account username and password are used to change the password. This option should be set as "on" when the vault account's rights are not enough to change its own password.
  Value: switch (on/off)

Password change self permission
  Description: The permission for Active Directory users to change their password. According to the Active Directory self permission, Kron PAM is given one of these permissions.
  Value: Change Password / Reset Password

Default change period (days)
  Description: The default period for changing passwords using this configuration (in days). If the selected vault configuration has this parameter defined, the value applies to new accounts automatically.
  Value: integer (in days)

Period for next attempt on fail (minutes)
  Description: The period after which a password change is attempted again when the periodic password change has failed.
  Value: integer (in minutes)

Check newly discovered users with super user
  Description: Password Vault can check for new users in the target systems periodically or on demand (see section 7.1.20 Discover Newly Users for details). If this parameter is set as "on", the super user credentials defined by the "Super user name" and "Super user password" properties are used to check for new users on the target device (server local users, database users and LDAP users). The default value is "off", meaning the vault account username and password are used to check for new users.
  Value: switch (on/off)

Command set for checking password
  Description: Password Vault can periodically check the validity of the passwords. The command set defined in this parameter is used to check whether the stored password is valid.
  Value: specific to the device type

Check password success pattern
  Description: The output pattern, in regex format, which shows that the password is valid.
  Value: specific to the device type

Enable password validation checks
  Description: If set as "on", the vault accounts using this configuration can be included in periodic and one-time password validations. If set as "off", the check password operation is not executed for the vault accounts using this configuration. This property checks whether the password is correct.
  Value: switch (on/off), default value "on"

Check password with super user
  Description: If set as "on", the super user credentials defined by the "Super user name" and "Super user password" properties are used to check the validity of the vault account password on the target device. The default value is "off", meaning the vault account username and password are used to check the password validity.
  Value: switch (on/off)

Timeout duration (seconds)
  Description: The timeout duration for the connection.
  Value: integer (unit: seconds)

Driver key for database
  Description: The database driver used to manage database passwords (Oracle / PostgreSQL / MSSQLServer / MySQL / Cassandra / SAPHanaDB / Teradata / Sybase).
  Value: the driver class in the following format:
    oracle.jdbc.driver.OracleDriver
    org.postgresql.Driver
    com.mysql.jdbc.Driver
    com.microsoft.sqlserver.jdbc.SQLServerDriver
    com.sap.db.jdbc.Driver
    org.apache.cassandra.cql.jdbc.CassandraDriver
    com.teradata.jdbc.TeraDriver
    com.sybase.jdbc4.jdbc.SybDriver

Script set for delete discovered user
  Description: The Expect script used to delete users.
  Value: a script written in the Expect language, e.g. for Cisco IOS routers:
    send "enable\r"
    expect "password: "
    send "${superpassword}\r"
    expect {
        "password: " { send_user "wrong enable password\n"; exit 1 }
        "#" { }
    }
    send "conf t\r"
    expect "#"
    send "no username ${username}\r"
    expect {
        "#" { }
        "%" { send_user "command failed\n"; exit 1 }
    }
    send "do write\r"
    exit

Command set for delete discovered user
  Description: The command set used to delete users. After checking for new users on the target devices and reviewing the new users list, this parameter is used to delete users.
  Value: specific to the device type

Delete discovered user with super user
  Description: If set as "on", the super user can delete accounts in the Discovered Newly Users Log screen. The default value is "off".
  Value: switch (on/off)

Allow set comment to account during edit account
  Description: Comments appear when accounts are enabled for editing.
  Value: switch (on/off)

Execute post password change command with super user
  Description: If set as "on", the super user credentials defined by the "Super user name" and "Super user password" properties are used to run the commands after the password change (e.g. to kill the active sessions started with the previous password). The default value is "off", meaning the vault account username and password are used to run the commands after the password change. See section 7.1.16 Configuration Properties to Execute Commands After Changing Passwords for more information.
  Value: switch (on/off)

Command set for check account error
  Description: When "Super user name" and "Super user password" are added to the configuration, the commands in "Command set for check account error" can run on the server. This parameter only affects the SSH strategy.
  Value: e.g. passwd -S ${username}

Regex parser for check account error
  Description: Parses the output of the command executed in the "Command set for check account error" parameter and prints the desired message on the screen.
  Value: a regex, e.g. \(.*\)

File path
  Description: The target file path for the File strategy. The "Regex to match" and "Regex to replace" properties are also required for this strategy. See section 7.1.24 Managing Passwords in a File for more information.
  Value: specific to the device type

Regex to match
  Description: The regex pattern that matches the password in the file at "File path". The "File path" and "Regex to replace" properties are also required for the File strategy. See section 7.1.24 Managing Passwords in a File for more information.
  Value: specific to the device type

Regex to replace
  Description: When the regex matches the password field, the field is replaced with this property value. The "Regex to match" and "File path" properties are also required for the File strategy. See section 7.1.24 Managing Passwords in a File for more information.
  Value: specific to the device type

Login method URL
  Description: The URL the login requests are sent to (used for the API strategy), for applications or devices that provide an HTTP login API.
  Value: specific to the device type

Login method body
  Description: The HTTP body for login requests (used for the API strategy), for applications or devices that provide an HTTP login API.
  Value: specific to the device type

Login method
  Description: The HTTP method for login requests (used for the API strategy), for applications or devices that provide an HTTP login API.
  Value: POST / GET / PUT

Login method headers
  Description: The HTTP headers for login requests (used for the API strategy), for applications or devices that provide an HTTP login API.
  Value: specific to the device type

Logout method URL
  Description: The URL the logout requests are sent to (used for the API strategy), for applications or devices that provide an HTTP logout API.
  Value: specific to the device type

Logout method body
  Description: The HTTP body for logout requests (used for the API strategy), for applications or devices that provide an HTTP logout API.
  Value: specific to the device type

Logout method
  Description: The HTTP method for logout requests (used for the API strategy), for applications or devices that provide an HTTP logout API.
  Value: POST / GET / PUT

Logout method headers
  Description: The HTTP headers for logout requests (used for the API strategy), for applications or devices that provide an HTTP logout API.
  Value: specific to the device type

Certificate keystore path
  Description: The parameter used to import the certificate; it stores the certificate value in the database.
  Value: specific to the certificate

Certificate keystore password
  Description: The password of the certificate stored in the database; it opens the certificate.
  Value: specific to the certificate

Accepted status codes
  Description: The API response status codes that are accepted.
  Value: specific to the application

Login authentication data matcher
  Description: Allows values obtained from the login response to be used in the other methods. The source can be the header or the body.
  Value: e.g. [{"name": "xsrf token", "pattern": "xsrf token \\s(.+)", "source": "header"}]

Password change method body
  Description: The HTTP body for password change requests (used for the API strategy), for applications or devices that provide an HTTP password change API.
  Value: specific to the device type

Password change method headers
  Description: The HTTP headers for password change requests (used for the API strategy), for applications or devices that provide an HTTP password change API.
  Value: specific to the device type

Password change method
  Description: The HTTP method for password change requests (used for the API strategy), for applications or devices that provide an HTTP password change API.
  Value: POST / GET / PUT

Password change method URL
  Description: The URL the password change requests are sent to (used for the API strategy), for applications or devices that provide an HTTP password change API.
  Value: specific to the device type

Password check method body
  Description: The HTTP body for password check requests (used for the API strategy), for applications or devices that provide an HTTP password check API.
  Value: specific to the device type

Password check method headers
  Description: The HTTP headers for password check requests (used for the API strategy), for applications or devices that provide an HTTP password check API.
  Value: specific to the device type

Password check method
  Description: The HTTP method for password check requests (used for the API strategy), for applications or devices that provide an HTTP password check API.
  Value: POST / GET / PUT

Password check method URL
  Description: The URL the password check requests are sent to (used for the API strategy), for applications or devices that provide an HTTP password check API.
  Value: specific to the device type

Delete user method body
  Description: The HTTP body for delete user requests (used for the API strategy), for applications or devices that provide an HTTP user delete API.
  Value: specific to the device type

Delete user method headers
  Description: The HTTP headers for delete user requests (used for the API strategy), for applications or devices that provide an HTTP user delete API.
  Value: specific to the device type

Delete user method
  Description: The HTTP method for delete user requests (used for the API strategy), for applications or devices that provide an HTTP user delete API.
  Value: POST / GET / PUT

Delete user method success pattern
  Description: The output pattern, in regex format, that shows the HTTP delete user request succeeded, for applications or devices that provide an HTTP user delete API.
  Value: specific to the device type

Delete user method URL
  Description: The URL the delete user requests are sent to (used for the API strategy), for applications or devices that provide an HTTP user delete API.
  Value: specific to the device type

User list method body
  Description: The HTTP body for user listing requests (used for the API strategy), for applications or devices that provide an HTTP user listing API.
  Value: specific to the device type

User list method headers
  Description: The HTTP headers for user listing requests (used for the API strategy), for applications or devices that provide an HTTP user listing API.
  Value: specific to the device type

User list method
  Description: The HTTP method for user listing requests (used for the API strategy), for applications or devices that provide an HTTP user listing API.
  Value: POST / GET / PUT

User list method URL
  Description: The URL the user listing requests are sent to (used for the API strategy), for applications or devices that provide an HTTP user listing API.
  Value: specific to the device type

LDAP base DN
  Description: The base distinguished name (DN) for LDAP.
  Value: specific to the LDAP structure, e.g. ou=testuser,dc=singleconnect,dc=local

LDAP domain
  Description: The domain name that is included in the command sent to the AD servers for AD user password changes when the "Change password with domain information" property is set as "on".
  Value: domain name

Ignore certificate errors
  Description: Ignores the certificate for LDAP/AD.
  Value: switch (on/off)

LDAP password attribute name
  Description: The attribute name for the password in the LDAP/AD records. Unless there is an exception, it is "userPassword".

LDAP username DN template
  Description: The distinguished name (DN) template for the users managed with this vault configuration.
  Value: specific to the LDAP structure, e.g. cn=${username},dc=example,dc=com

Timeout duration (milliseconds)
  Description: Sets the LDAP and Active Directory response read timeout.
  Value: default value 5000 ms

Password encryption key
  Description: The encryption key used when "Password encryption method" is set to AES.
  Value: string

Password encryption method
  Description: The method used for password encryption.
  Value: clear / md5 / aes / unicode enclosed in double quotes

Users excluded from newly discovered check (comma separated)
  Description: The list of users to be ignored in the new user checks.

Automatic action for newly discovered users
  Description: The action taken when a new user is found.
  Value: log / nothing / delete / log and delete

Password change reminder time (days)
  Description: The duration (in days) to wait before sending a reminder to the email addresses defined in the sapmmaillist property of the device group, before a password change.
  Value: integer (days)

Characters that are counted as symbols
  Description: The pool of characters allowed as symbol characters in password strength. The double quotation mark (") and percent sign (%) are not allowed in a vault account password that has a WinRM configuration.
  Value: character string, e.g. !"#$%&'()+,/;<?@[\]^`{|}

Minimum number of lowercase letters
  Description: The exact number of lowercase letters that must be included in passwords.
  Value: integer

Minimum number of numbers
  Description: The exact number of digits that must be included in passwords.
  Value: integer

Minimum number of symbols
  Description: The exact number of symbol characters that must be included in passwords.
  Value: integer

Minimum number of uppercase letters
  Description: The exact number of uppercase letters that must be included in passwords.
  Value: integer

Command set for post password change
  Description: The commands executed on the server after a successful password change (e.g. to kill active sessions started with the previous password). Multiple commands can be separated with \n characters. See section 7.1.16 Configuration Properties to Execute Commands After Changing Passwords for more information.
  Value: specific to the device type

Command set for post password change failure pattern
  Description: If the pattern set for this property is found in the results of a post password change command, that command is tagged as "failed". When this happens, and the "Stop on fail for post password change" property is set as "on", command execution stops and the remaining commands are not executed.
  Value: specific to the device type

Stop on fail for post password change
  Description: When set as "on", if any failure occurs during post command execution, the remaining commands are not executed. The default value is "off".
  Value: switch (on/off)

Allow set comment to account during check out password
  Description: Comments appear when prompted for a password check-out.
  Value: switch (on/off)

Skip password validation after password change
  Description: If set as "on", no password validation is done after a password change. The default value is "off", meaning the password validation is done after a password change (for the SSH and Windows Services strategies only). For TACACS+ devices it must be set as "on".
  Value: switch (on/off)

Show accounts in auto login options only if domains match
  Description: Restricts the use of Active Directory and LDAP accounts to accounts in the same domain. The domain parameter must be added on the device.
  Value: switch (on/off), default value "off"

SSH port
  Description: The port number for SSH connections, for the SSH strategy. The default value is 22.
  Value: specific to the device type

Wait duration between SSH commands (milliseconds)
  Description: The time to wait between commands.
  Value: integer (milliseconds)

Static secret type
  Description: Selects the type of static accounts in a static configuration.
  Value: user credential / SSH key / SSL certificate / other (secret data)

Super user password
  Description: The password of the super user who has superior rights on the target server. The value must be set when one of the "... with super user" properties is set as "on".
  Value: string (hidden)

Super user name
  Description: The username of the super user who has superior rights on the target server. The value must be set when one of the "... with super user" properties is set as "on". If the super user name is written as username@hostname, an account on another vault-defined device can be used.
  Value: string

Target URL template
  Description: The AD/LDAP URL for the Active Directory strategy.
  Value: device specific

Unlock account with super user
  Description: The super user must be used to unlock the AD user.
  Value: switch (on/off)

Regex parser for delimiter for user groups
  Description: The delimiter character that separates multiple user groups when checking for new users on a server.
  Value: string

Command set for getting newly discovered user lists
  Description: The command that gets the user list.
  Value: e.g. cat /etc/passwd

Script set for getting newly discovered user lists
  Description: The Expect script that gets the user list.
  Value: Expect script

Regex parser for delimiter for user
  Description: The regex pattern that finds the usernames after the users are listed.
  Value: specific to the device type, e.g. (.*?)

Allow set comment to account during update password
  Description: Comments appear when prompted for a password update.
  Value: switch (on/off)

WinRM authentication method
  Description: The authentication method for WinRM.
  Value: basic, digest, ntlm, negotiate or kerberos

Ignore certificate errors (WinRM)
  Description: When set to "on", certificate errors are ignored during WinRM connections.
  Value: switch (on/off)

WinRM port
  Description: The port number for WinRM device configurations.
  Value: integer

Use secure WinRM
  Description: When set to "true", the connection is made over HTTPS; otherwise, it is made over HTTP.
  Value: true/false

WinRM connection timeout
  Description: Sets the WinRM response read timeout.
  Value: default value 5000 ms
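The decision rules spelled out for "Change password failure pattern", "Change password success pattern" and "Skip password validation after password change" interact, and the interaction is easy to get wrong when writing a new configuration. The following Python model is an added illustration, not Kron PAM's own code: it expands a command set the way the ${...} placeholders above suggest and applies the stated rules to constructed device output. The VaultConfig fields, the sample outputs and the "store nothing when no pattern matches" fallback are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from string import Template
from typing import List, Optional


@dataclass
class VaultConfig:
    """Subset of the vault configuration properties (hypothetical model)."""
    change_command_set: str              # "Command set for change password"
    failure_pattern: str                 # "Change password failure pattern"
    success_pattern: str                 # "Change password success pattern"
    skip_validation_after_change: bool   # "Skip password validation after password change"
    check_success_pattern: str           # "Check password success pattern"


def render_command_set(command_set: str, **params: str) -> List[str]:
    """Expand ${newpassword}, ${superpassword}, ... in a \n-separated command set."""
    return Template(command_set).substitute(params).split("\n")


def store_new_password(cfg: VaultConfig, change_output: str,
                       validation_output: Optional[str]) -> bool:
    """True when the new password should be written to the vault database.

    Rules as the property descriptions state them:
      * output matching the failure pattern -> change treated as failed
      * output matching the success pattern -> change treated as successful
      * unless validation is skipped, the connection validation (check command
        output vs. "Check password success pattern") overrides both patterns.
    Assumption: when nothing matches and validation is skipped, fail closed.
    """
    if not cfg.skip_validation_after_change and validation_output is not None:
        return re.search(cfg.check_success_pattern, validation_output, re.M) is not None
    if cfg.failure_pattern and re.search(cfg.failure_pattern, change_output, re.M):
        return False
    if cfg.success_pattern and re.search(cfg.success_pattern, change_output, re.M):
        return True
    return False


# Cisco command set from the reference above; patterns/outputs are constructed samples.
CISCO_CHANGE_SET = ("en\n${superpassword}\nconf t\nline con 0\npassword ${newpassword}\n"
                    "line vty 0 4\npassword ${newpassword}\nline vty 5 15\n"
                    "password ${newpassword}\nenable secret ${newpassword}\nend\nwr me\nexit")
CISCO = VaultConfig(CISCO_CHANGE_SET, r"% Invalid input detected", r"\[OK\]",
                    skip_validation_after_change=True, check_success_pattern=r"#\s*$")
CENTOS = VaultConfig("passwd ${username}\n${newpassword}\n${newpassword}",
                     r"(?i)error|BAD PASSWORD", r"successfully",
                     skip_validation_after_change=False, check_success_pattern=r"Last login")

CISCO_FAIL_OUTPUT = ("Router(config)#passwrd X\n                  ^\n"
                     "% Invalid input detected at '^' marker.\nRouter(config)#")
CISCO_OK_OUTPUT = "Router#wr me\nBuilding configuration...\n[OK]\nRouter#"
CENTOS_OK_OUTPUT = "passwd: all authentication tokens updated successfully."
CENTOS_FAIL_OUTPUT = "passwd: Authentication token manipulation error"
CENTOS_CHECK_OK = "Last login: Mon Jan  1 10:00:00 2024 from 10.0.0.5\n[svc@host ~]$"
CENTOS_CHECK_BAD = "Permission denied, please try again."


if __name__ == "__main__":
    print(render_command_set(CISCO_CHANGE_SET, superpassword="S3cr3t", newpassword="N3w"))
    print(store_new_password(CISCO, CISCO_FAIL_OUTPUT, None))          # False
    print(store_new_password(CISCO, CISCO_OK_OUTPUT, None))            # True
    print(store_new_password(CENTOS, CENTOS_OK_OUTPUT, CENTOS_CHECK_BAD))   # False: validation wins
    print(store_new_password(CENTOS, CENTOS_FAIL_OUTPUT, CENTOS_CHECK_OK))  # True: validation wins
```

The last two calls show why a failure or success pattern has "no effect" while validation is on: the check command's result, not the change command's output, decides whether the password is stored.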