Adding Vault Configurations

To manage passwords via Password Vault, a Vault configuration is required. Vault configurations consist of the command sets to make the password changes in target systems. There are pre-defined Vaultconfigurations in Kron PAM, but if the target device differs from those pre-defined in the system, a new Vault configuration must be created. Different Vault configurations should be created for each kind of target system whose passwords will be managed by the system. In the configuration screen, Strategy defines the method to change the password, and Configuration Properties defines the details for each configuration.
STATIC Strategy is a configuration where an account can be added to Password Vault without the target system.
To create a new Vault Configuration:
Navigate to Secrets> Configurations.
Open the Vault Configurations tab.
Click the Add Button.
Fill in the Name, Strategy, and Description fields and fill in the desired parameters
Click Save.
To add and/or edit properties for the Vault configuration:
Write the Advances Search Field to see saved configurations.

Click the Green arrow button of the desired configuration and Edit Configuration.
Showing Vault Configuration 
﻿
Type in the Property Value and click Save.
Vault Configuration Properties Popup
﻿
These are the properties that can be used for Vault configurations:
Vault Configuration Property Key
Description
Pool Value
Account level properties 
﻿
This property uses values that can be set to account-specific configurations, and that can be defined at the account level instead of values in the default configuration.Property values are defined on the Add Account pop up. 
Other properties
Allow to be seen by multiple users    
If set as “On”, the Vault password can be seen by other users in same user group. 
By default, the Vault Account password can be seen only by the user who got the password last.
(For Dynamic Accounts Only)
Switch (On/Off)
Always show accounts in auto login
﻿
Allows access to other servers with Active Directory and LDAP accounts. (Applies to SSH and RDP sessions.)
Switch (On/Off)
Default value: On 
AWS IAM users region
﻿
AWS region to be accessed during the password change
eu-central-1,eu-west-1,us-east-1
AWS super user
﻿
authorized username to change a user's console or security credentials
Authorized user username
AWS super user access key
﻿
authorized user access key information to change a user's console or security credentials
Authorized user access key
AWS super user secret key
﻿
authorized user secret key information to change a user's console or security credentials (Encrypted)
Authorized user secret key
Use other account
﻿
The security credentials of the user who will change their console credentials must first be added as another account. Then this account should be defined as AccountName@GroupFullPath (Example: Account1@/ParentGroup)
Will change their credentials account
Change password after Session Manager login
﻿
If set as “On”, the Vault Account password will be changed just after SSH Proxy and RDP Proxy session is started by the Kron PAM Session Manager using this Vault account. 
By default, the Vault Account password is not changed after being used by the Session Manager.
Switch (On/Off)
﻿
Command set for change password
The command set to be used to change the password. This set can be different for each system. The command set consists of the commands to change the password in the target system. There are pre-defined sets for most used systems, but if the target device is not in the pre-defined systems, this command set needs to be configured.
Specific to the device type.
E.g. for a Cisco device:
en\n${superPassword}\nconf t\nline con 0\npassword ${newPassword}\nline vty 0 4\npassword ${newPassword}\nline vty 5 15\npassword ${newPassword}\nenable secret ${newPassword}\nend\nwr me\nexit
Change password failure pattern
During each password change, Kron PAM gets an output from the system. It checks if the password was changed successfully. If there is a failure in the password change process, the system does not add the new password to its database. If the output matches this regex pattern, Kron PAM decides that the password change command has failed.
If the “skip.password.validation.after.change” parameter is set as “false”, the result of the connection validation overrides this decision, and this parameter has no effect.
Specific to the device type.
E.g. for a Cisco device:
% Invalid input detected. *
Change password only at change periods
﻿
When set as “On”, no duration information is required from the user, only comments will be requested. The password will not be changed after the checkout, and other users will be able to check out the same password until the next periodic change.
By default, the user is asked for the duration, and the password is changed after the checkout.
Switch (On/Off)
﻿
Script set for change password
﻿
The Expect script used to change the password 
Script written in Expect language.
E.g. for Cisco IOS Router:
se“d "enabl”\r"
expe“t "Passwo”d:"
se“d "${superPassword”\r"
expect “
 "Passwo”d:" {
  exit“1 "wrong enable passw”rd"
 “
”"#" {
 }
}
se“d "conf ”\r"
expe“t”"#"
se“d "username ${username} password ${newPassword”\r"
expect “
”"#" {  
 “
”"%" {
  exit“1 "command fai”ed"
 }
}
se“d "do writ”\r"
exit
Change password success pattern
During each password change, Kron PAM gets an output from the system. It checks if the password was changed successfully, and if there is a failure during the password change process, the system does not write the new password in its database. If the output matches this regex pattern, Kron PAM decides that the password change command was successful and stores the new password.
If the “Skip password validation after password change”
parameter is set as “Off”, the result of the connection validation overrides this decision, and this parameter has no effect.
Specific to the device type.
E.g. for Centos device:
.*successfully.*
Change password with domain information
﻿
Usually, for some Active Directory (AD) systems, the domain name does not need to be sent during a password change request. However, some systems require the domain name to be included in the password change, such as  Krontech\username
” instead of username”.
By default, this parameter is set as “Off”, and the domain name is not included in the command sent to the AD servers for AD user password change.
When set as “On”, the domain name is included in the command sent.
Switch (On/Off)
﻿
Change password with super user
If set as “On”, the super user credentials defined by the Superuser name and  Super user password properties are used to change the Vault account password in the target device.
When creating a new user, if the password information of Super_User will come from the password vault, then Vault_Account_Name@/Full_Group_Path format is entered in the super_user field.  In this case, the password value of super_user will be blank and the system will find the password from the password vault while defining the new user on the device.
By default, the value is “Off”, meaning the Vault account username and password are used to change the password.
This option should be set as “On” when the Vault account’s rights are not enough to change its own password.
Switch (On/Off)
﻿
Password change self permission
Permission for Active Directory users to change their password.
According to the Active Directory Self Permission, Kron PAM is given one of these permissions. 
CHANGE_PASSWORD
RESET_PASSWORD
Default change period (Days)
The default period to change passwords using this configuration (in days).
If the selected Vault configuration has the  Default change period (Days) parameter defined, the parameter value applies to the new accounts automatically.
Integer (in days)
Period for next attempt on fail (Minutes)
The period to attempt to change the password again when the periodic password change has failed.
Integer (in minutes)
Check newly discovered users with super user
Password Vault can check for new users in the target systems periodically, or on demand (See section 7.1.20Discover Newly Users for details).
If this parameter is set as “On”, the super user credentials defined by the “Super user name ” and “Super user password ” properties are used to check for new users in the target device.(Server Local Users, Database Users and LDAP Users)
The default value is “Off”, meaning the Vault account username and password are used to check for new users.
Switch (On/Off)
Command set for checking password
The Password Vault can periodically check the validity of the passwords. The command set defined in this parameter is used to check if the stored password is valid or not.
Specific to the device type.
Check password success pattern
The output pattern in regex format, which shows that the password is valid.
Specific to the device type.
Enable password validation checks
If set as “On”, the Vault  accounts using this configuration can be included in periodic and one-time password validations.
If set as Off ”, the Check Password operation will not be executed for the Vault accounts using this configuration.
﻿
This property checks if the password is correct.
Switch (On/Off)
Default value: On
Check password with super user
If it is set as “On”, the super user credentials defined by the “ Super user name ” and “Super user password ” properties are used to check the validity of the Vault account password in the target device.
The default value is “Off”, meaning the Vault account username and password are used to check the password validity.
Switch (On/Off)
Timeout duration (Seconds)
Timeout duration for connection
Integer (unit: second)
Driver key for database
Database driver to manage database passwords.
Oracle/Postgresql/MsSQLServer/MySQL/Cassandra/SAPHANADB/Teradata/Sybase driver in the following format:
oracle.jdbc.driver.OracleDriver                  org.postgresql.Driver                      com.mysql.jdbc.Driver                    com.microsoft.sqlserver.jdbc.SQLServerDriver              com.sap.db.jdbc.Driver                                          org.apache.cassandra.cql.jdbc.CassandraDriver                com.teradata.jdbc.TeraDriver                    com.sybase.jdbc4.jdbc.SybDriver                  
Script set for delete discovered user
﻿
The Expect script used to delete users
Script written in Expect language.
E.g. for Cisco IOS Routers:
se“d "enabl”\r"
expe“t "Passwo”d:"
se“d "${superPassword”\r"
expect “
 "Passwo”d:" {
  exit“1 "wrong enable password"
 “
”"#" {
 }
}
se“d "conf ”\r"
expe“t”"#"
se“d "no username ${username”\r"
expect “
”"#" {  
 “
”"%" {
  exit“1 "command fai”ed"
 }
}
se“d "do writ”\r"
exit
Command set for delete discovered user
The command set used to delete users.
After checking for new users in the target devices, this parameter is used to delete users, after reviewing the New Users list. 
Specific to the device type.
Delete discovered user with super user
﻿
If it is set as “On”, the super user can delete accounts in the Discovered Newly Users  Log screen. The default value is “Off”.
Switch (On/Off)
﻿
Allow set comment to account during edit account
Comments appear when accounts are enabled for editing.
Switch (On/Off)
﻿
Execute post password change command with super user
If set as “On”, the super user credentials defined by the “Super user name ” and “Super user password ” properties are used to run the commands after the password change (E.g., to kill the active sessions started with the previous password).
The default value is “Off”, meaning the Vault  account username and password are used to run the commands after the password change.
See section 7.1.16Configuration Properties to Execute Commands After Changing Passwords for more information.
Switch (On/Off)
Command set for check account error
﻿
“ Super user name” and “ Super user password” were added to configuration“, "Command set for check account error”
 commands can run on the server.
The parameter just affects SSH strategy.
passwd -S ${username}
Regex parser for check account error
﻿
It parses the output of the command executed in the  
Command set for check account error
parameter and prints the desired message to the screen. Regex is used.
\(.*\)
File Path
Target file path for FILE strategy.
The "Regex to Match”   and “Regex to Replace” properties are also required for this strategy. 
See section 7.1.24Managing Passwords in a File for more information.
Specific to the device type.
Regex to Match
The regex pattern matches with the password in the file path.
The “File Path”  and  “Regex to Replace” properties are also required for FILE strategy.
See section 7.1.24Managing Passwords in a File for more information.
Specific to the device type.
Regex to Replace
When    the “Regex to Replace”  matches the password field, it is replaced with this property value“.
“ Regex to Match” and  “ File Path” properties are also required for FILE strategy.
See section 7.1.24Managing Passwords in a File for more information.
Specific to the device type.
Login method URL
﻿
The URL the login requests will be sent to (used for API strategy) for applications or devices that provide HTTP login API.
﻿
Specific to the device type.
Login method body
﻿
The HTTP body for login requests (used for API strategy) for applications or devices that provide HTTP login change API.
﻿
Specific to the device type.
Login method
﻿
The API method for login requests (used for API strategy) for applications or devices that provide HTTP login API.
POST / GET / PUT
Login method headers
﻿
The HTTP header for login requests (used for API strategy) for applications or devices that provide HTTP login API.
Specific to the device type.
Logout method URL
﻿
The URL the logout requests will be sent to (used for API strategy) for applications or devices that provide HTTP logout API.
﻿
Specific to the device type.
Logout method body
﻿
The HTTP body for logout requests (used for API strategy) for applications or devices that provide HTTP login change API.
﻿
Specific to the device type.
Logout method
﻿
The API method for logout requests (used for API strategy) for applications or devices that provide HTTP logout API.
POST / GET / PUT
Logout method headers
﻿
The HTTP header for logout requests (used for API strategy) for applications or devices that provide HTTP logout API.
Specific to the device type.
Certificate keystore path
﻿
It is the parameter defined to import the certificate. It stores the certificate value in the database.
Specific to the certificate
Certificate keystore password
﻿
This parameter is the password of the certificate stored in the database. It opens the certificate.
Specific to the certificate
Accepted status codes
﻿
API Response Accepted Status Codes
Specific to the Application
Login authentication data matcher
﻿
This parameter allows to use the values obtained from the Login Response in other methods. Source can be header or body.“[{"”e”":"XSRF-TO”EN“, "patt”r”":"XSRF-TOKEN:\\s(.+”),“, "sou”c”":"hea”er"}]
 
Password change method body
The HTTP body for password change requests (used for API strategy), for applications or devices that provide HTTP password change API.
Specific to the device type.
Password change method headers
The HTTP header for password change requests (used for API strategy), for applications or devices that provide HTTP password change API.
Specific to the device type.
Password change method
The HTTP method for password change requests (used for API strategy), for applications or devices that provide HTTP password change API.
POST / GET / PUT
Password change method URL
The URL the password change requests will be sent to (used for API strategy), for applications or devices that provide HTTP password change API.
Specific to the device type.
Password check method body
The HTTP body for password check requests (used for API strategy), for applications or devices that provide HTTP password check API.
Specific to the device type.
Password check method headers
The HTTP header for password check requests (used for  API strategy), for applications or devices that provide HTTP password check API.
Specific to the device type.
Password check method
The HTTP method for password check requests (used for  API strategy), for applications or devices that provide HTTP password check API.
POST / GET / PUT
Password check method URL
The URL the password check requests will be sent to (used for  API strategy), for applications or devices that provide HTTP password check API.
Specific to the device type.
Delete user method body
The HTTP body for delete user requests (used for  API strategy), for applications or devices that provide HTTP user delete API.
Specific to the device type.
Delete user method headers
The HTTP header for delete user requests (used for  API strategy), for applications or devices that provide HTTP user delete API.
Specific to the device type.
Delete user method
The HTTP method for password check requests (used for  API strategy), for applications or devices that provide HTTP user delete API.
POST / GET / PUT
Delete user method success pattern
The output pattern in regex format, to show the HTTP delete user request has succeeded, for applications or devices that provide HTTP user delete API.
Specific to the device type.
Delete user method URL
The URL the delete user requests will be sent to (used for  API strategy), for applications or devices that provide HTTP user delete API.
Specific to the device type.
User list method body 
The HTTP body for user listing requests (used for  API strategy), for applications or devices that provide HTTP user listing API.
Specific to the device type.
User list method headers
The HTTP header for user listing requests (used for  API strategy), for applications or devices that provide HTTP user listing API.
Specific to the device type.
User list method
The HTTP method for user listing requests (used for  API strategy), for applications or devices that provide HTTP user listing API.
POST / GET / PUT
User list method URL
The URL the user listing requests will be sent to (used for  API strategy), for applications or devices that provide HTTP user listing API.
Specific to the device type.
LDAP base DN
Base Distinguished Name (DN) for LDAP
Specific to the LDAP structure.
E.g.: OU=TestUser,DC=SingleConnect,DC=local
LDAP domain
﻿
The domain name that will be included in the command sent to the AD servers for AD user password changes, when the “  Change password with domain information ” property is set as “On”
Domain Name
Ignore certificate errors
Ignore certificate for LDAP/AD 
Switch (On/Off)
LDAP password attribute name
The attribute name for the password in the LDAP/AD records.
If there is no exception, it “s "userPassword” 
LDAP username DN template
The Distinguished Name (DN) template for users managed with this Vault Configuration.
Specific to the LDAP structure.
E.g.: CN=${username},DC=example,DC=com
Timeout duration (milliseconds)
﻿
Sets the LDAP and Active Directory response read timeout
Default value:"5000 ms
Password encryption key
The encryption key to be used when “Password encryption method” is chosen as AES.
String
Password encryption method
The method to be used for password encryption.
CLEAR / MD5 / AES / UNICODE_ENCLOSED_IN_DOUBLE_QUOTES
Users excluded from newly discovered check (Comma separated)
The list of users to be ignored in the new user checks. 
 
Automatic action for newly discovered users
The action to be taken when a new user is found.
LOG / NOTHING / DELETE / LOG_AND_DELETE
Password change reminder time (Days)
﻿
The duration (in days) to wait before sending a reminder to the email addresses defined in the sapmMailList property in the device group, before a password change.
Integer (days)
Characters that are counted as symbols
The pool of characters allowed as symbol characters in password strength.
Double quotation mark (“) and percent mark (%) are not allowed for a Vault Account password which has WinRM  configuration.
Character string.
E.g.”
!"#’%&'()*+,-./:;<?@[\]^_`{|}~
Minimum number of lowercase letters
The exact number of lowercase letters that must be included in passwords. 
Integer
Minimum number of numbers
The exact number of numbers that must be included in passwords. 
Integer
Minimum number of symbols
The exact number of symbol characters that must be included in passwords. 
Integer
Minimum number of uppercase letters
The exact number for uppercase letters that must be included in passwords. 
Integer
Command set for post password change  
The commands to be executed on the server after a successful password change
(E.g., to kill active sessions started with the previous password).
Multiple commands can be separated with \n characters. 
See section 7.1.16Configuration Properties to Execute Commands After Changing Passwords for more information.
Specific to the device type
Command set for post password change failure pattern
If the pattern set for this property is found in the command results of the “post-command”, the command is tagged “s ”FAILED”".
When this happens, the command execution is stopped, and the remaining commands are not executed if the “ Stop on fail for post password change”
 property is set as “true”. 
Specific to the device type
Stop on fail for post password change
When set as “On”, if any failure occurs during post command execution, the remaining commands are not executed. The default value is “Off”.
Switch (On/Off)
Allow set comment to account during check out password
﻿
Comments appear when prompted for password check out.
Switch (On/Off)
﻿
Skip password validation after password change
If set as “On”, no password validation is done after a password change.
The default value is “Off”, meaning the password validation is done after a password change (For SSH and Windows Services Strategy only).
For TACACS+ devices it must be set as ”On”.
Switch (On/Off)
Show accounts in auto login options only if domains match
﻿
It is defined to use Active Directory and LDAP accounts only in domain accounts. Domain parameter should be added on the device.
Switch (On/Off)
Default value: Off
SSH port
The port number for SSH connections, for SSH strategy. The default value is 22.
Specific to the device type.
Wait duration between SSH commands (Milliseconds)
﻿
Time to wait between commands
Integer (milliseconds)
Static Secret Type
﻿
Select the type of static accounts with static configuration.
USER_CREDENTIAL
SSH_KEY
SSL_CERTIFICATE
OTHER (Secret Data)
Super user password
The password of the super user who has superior rights on the target server.
The value must be set when one of the "****with.superuser" properties is set as “On”.
String (hidden)
Super user name
The username of the super user who has superior rights on the target server.
The value must be set when one of the "****with.superuser" properties is set as “On”.
If  Super user name
is written as username@hostname, it can be used in an account on another Vault-defined device.
String
Target URL Template
The AD/LDAP URL for Active Directory strategy.
Device specific
Unlock account with super user
﻿
To unlock the AD user, Super user must be used.
Switch (On/Off)
﻿
Regex parser for delimiter for user groups
﻿
The delimiter character to separate multiple user groups when checking for new users in a server.
String
Command set for getting newly discovered user lists
﻿
The command to get the user list.
E g. : 
cat /etc/passwd 
Script set for getting newly discovered user lists
The “expect” script used to get the user list. 
Expect script
Regex parser for delimiter for user
The regex pattern to find usernames after the users are listed.
Specific to the device type.
Ex: (.*?):.*
Allow set comment to account during update password
﻿
Comments appear when prompted for password update.
Switch (On/Off)
﻿
WinRM authentication method
Authentication method for  WinRM.
Basic, Digest, NTLM, Negotiate, or Kerberos
Ignore certificate errors
When set to “One”, certificate errors will be ignored during WinRM connections.
Switch (On/Off)
WinRM port
The port number for WinRM device configurations.
Integer
Use secure WinRM
﻿
When set to “true”, the connection will be over HTTPS. Otherwise, it will be over HTTP.
true/false
WinRM connection timeout
﻿
Sets the WinRM response read timeout
Default value:"5000” ms
﻿

Vault Configuration Property Key	Description	Pool Value
Account level properties	This property uses values that can be set to account-specific configurations, and that can be defined at the account level instead of values in the default configuration.Property values are defined on the Add Account pop up.	Other properties
Allow to be seen by multiple users	If set as “On”, the Vault password can be seen by other users in same user group. By default, the Vault Account password can be seen only by the user who got the password last. (For Dynamic Accounts Only)	Switch (On/Off)
Always show accounts in auto login	Allows access to other servers with Active Directory and LDAP accounts. (Applies to SSH and RDP sessions.)	Switch (On/Off) Default value: On
AWS IAM users region	AWS region to be accessed during the password change	eu-central-1,eu-west-1,us-east-1
AWS super user	authorized username to change a user's console or security credentials	Authorized user username
AWS super user access key	authorized user access key information to change a user's console or security credentials	Authorized user access key
AWS super user secret key	authorized user secret key information to change a user's console or security credentials (Encrypted)	Authorized user secret key
Use other account	The security credentials of the user who will change their console credentials must first be added as another account. Then this account should be defined as AccountName@GroupFullPath (Example: Account1@/ParentGroup)	Will change their credentials account
Change password after Session Manager login	If set as “On”, the Vault Account password will be changed just after SSH Proxy and RDP Proxy session is started by the Kron PAM Session Manager using this Vault account. By default, the Vault Account password is not changed after being used by the Session Manager.	Switch (On/Off)
Command set for change password	The command set to be used to change the password. This set can be different for each system. The command set consists of the commands to change the password in the target system. There are pre-defined sets for most used systems, but if the target device is not in the pre-defined systems, this command set needs to be configured.	Specific to the device type. E.g. for a Cisco device: en\n${superPassword}\nconf t\nline con 0\npassword ${newPassword}\nline vty 0 4\npassword ${newPassword}\nline vty 5 15\npassword ${newPassword}\nenable secret ${newPassword}\nend\nwr me\nexit
Change password failure pattern	During each password change, Kron PAM gets an output from the system. It checks if the password was changed successfully. If there is a failure in the password change process, the system does not add the new password to its database. If the output matches this regex pattern, Kron PAM decides that the password change command has failed. If the “skip.password.validation.after.change” parameter is set as “false”, the result of the connection validation overrides this decision, and this parameter has no effect.	Specific to the device type. E.g. for a Cisco device: % Invalid input detected. *
Change password only at change periods	When set as “On”, no duration information is required from the user, only comments will be requested. The password will not be changed after the checkout, and other users will be able to check out the same password until the next periodic change. By default, the user is asked for the duration, and the password is changed after the checkout.	Switch (On/Off)
Script set for change password	The Expect script used to change the password	Script written in Expect language. E.g. for Cisco IOS Router: se“d "enabl”\r" expe“t "Passwo”d:" se“d "${superPassword”\r" expect “ "Passwo”d:" { exit“1 "wrong enable passw”rd" “ ”"#" { } } se“d "conf ”\r" expe“t”"#" se“d "username ${username} password ${newPassword”\r" expect “ ”"#" { “ ”"%" { exit“1 "command fai”ed" } } se“d "do writ”\r" exit
Change password success pattern	During each password change, Kron PAM gets an output from the system. It checks if the password was changed successfully, and if there is a failure during the password change process, the system does not write the new password in its database. If the output matches this regex pattern, Kron PAM decides that the password change command was successful and stores the new password. If the “Skip password validation after password change” parameter is set as “Off”, the result of the connection validation overrides this decision, and this parameter has no effect.	Specific to the device type. E.g. for Centos device: .successfully.
Change password with domain information	Usually, for some Active Directory (AD) systems, the domain name does not need to be sent during a password change request. However, some systems require the domain name to be included in the password change, such as Krontech\username ” instead of username”. By default, this parameter is set as “Off”, and the domain name is not included in the command sent to the AD servers for AD user password change. When set as “On”, the domain name is included in the command sent.	Switch (On/Off)
Change password with super user	If set as “On”, the super user credentials defined by the Superuser name and Super user password properties are used to change the Vault account password in the target device. When creating a new user, if the password information of Super_User will come from the password vault, then Vault_Account_Name@/Full_Group_Path format is entered in the super_user field. In this case, the password value of super_user will be blank and the system will find the password from the password vault while defining the new user on the device. By default, the value is “Off”, meaning the Vault account username and password are used to change the password. This option should be set as “On” when the Vault account’s rights are not enough to change its own password.	Switch (On/Off)
Password change self permission	Permission for Active Directory users to change their password. According to the Active Directory Self Permission, Kron PAM is given one of these permissions.	CHANGE_PASSWORD RESET_PASSWORD
Default change period (Days)	The default period to change passwords using this configuration (in days). If the selected Vault configuration has the Default change period (Days) parameter defined, the parameter value applies to the new accounts automatically.	Integer (in days)
Period for next attempt on fail (Minutes)	The period to attempt to change the password again when the periodic password change has failed.	Integer (in minutes)
Check newly discovered users with super user	Password Vault can check for new users in the target systems periodically, or on demand (See section 7.1.20Discover Newly Users for details). If this parameter is set as “On”, the super user credentials defined by the “Super user name ” and “Super user password ” properties are used to check for new users in the target device.(Server Local Users, Database Users and LDAP Users) The default value is “Off”, meaning the Vault account username and password are used to check for new users.	Switch (On/Off)
Command set for checking password	The Password Vault can periodically check the validity of the passwords. The command set defined in this parameter is used to check if the stored password is valid or not.	Specific to the device type.
Check password success pattern	The output pattern in regex format, which shows that the password is valid.	Specific to the device type.
Enable password validation checks	If set as “On”, the Vault accounts using this configuration can be included in periodic and one-time password validations. If set as Off ”, the Check Password operation will not be executed for the Vault accounts using this configuration. This property checks if the password is correct.	Switch (On/Off) Default value: On
Check password with super user	If it is set as “On”, the super user credentials defined by the “ Super user name ” and “Super user password ” properties are used to check the validity of the Vault account password in the target device. The default value is “Off”, meaning the Vault account username and password are used to check the password validity.	Switch (On/Off)
Timeout duration (Seconds)	Timeout duration for connection	Integer (unit: second)
Driver key for database	Database driver to manage database passwords.	Oracle/Postgresql/MsSQLServer/MySQL/Cassandra/SAPHANADB/Teradata/Sybase driver in the following format: oracle.jdbc.driver.OracleDriver org.postgresql.Driver com.mysql.jdbc.Driver com.microsoft.sqlserver.jdbc.SQLServerDriver com.sap.db.jdbc.Driver org.apache.cassandra.cql.jdbc.CassandraDriver com.teradata.jdbc.TeraDriver com.sybase.jdbc4.jdbc.SybDriver
Script set for delete discovered user	The Expect script used to delete users	Script written in Expect language. E.g. for Cisco IOS Routers: se“d "enabl”\r" expe“t "Passwo”d:" se“d "${superPassword”\r" expect “ "Passwo”d:" { exit“1 "wrong enable password" “ ”"#" { } } se“d "conf ”\r" expe“t”"#" se“d "no username ${username”\r" expect “ ”"#" { “ ”"%" { exit“1 "command fai”ed" } } se“d "do writ”\r" exit
Command set for delete discovered user	The command set used to delete users. After checking for new users in the target devices, this parameter is used to delete users, after reviewing the New Users list.	Specific to the device type.
Delete discovered user with super user	If it is set as “On”, the super user can delete accounts in the Discovered Newly Users Log screen. The default value is “Off”.	Switch (On/Off)
Allow set comment to account during edit account	Comments appear when accounts are enabled for editing.	Switch (On/Off)
Execute post password change command with super user	If set as “On”, the super user credentials defined by the “Super user name ” and “Super user password ” properties are used to run the commands after the password change (E.g., to kill the active sessions started with the previous password). The default value is “Off”, meaning the Vault account username and password are used to run the commands after the password change. See section 7.1.16Configuration Properties to Execute Commands After Changing Passwords for more information.	Switch (On/Off)
Command set for check account error	“ Super user name” and “ Super user password” were added to configuration“, "Command set for check account error” commands can run on the server. The parameter just affects SSH strategy.	passwd -S ${username}
Regex parser for check account error	It parses the output of the command executed in the Command set for check account error parameter and prints the desired message to the screen. Regex is used.	\(.*\)
File Path	Target file path for FILE strategy. The "Regex to Match” and “Regex to Replace” properties are also required for this strategy. See section 7.1.24Managing Passwords in a File for more information.	Specific to the device type.
Regex to Match	The regex pattern matches with the password in the file path. The “File Path” and “Regex to Replace” properties are also required for FILE strategy. See section 7.1.24Managing Passwords in a File for more information.	Specific to the device type.
Regex to Replace	When the “Regex to Replace” matches the password field, it is replaced with this property value“. “ Regex to Match” and “ File Path” properties are also required for FILE strategy. See section 7.1.24Managing Passwords in a File for more information.	Specific to the device type.
Login method URL	The URL the login requests will be sent to (used for API strategy) for applications or devices that provide HTTP login API.	Specific to the device type.
Login method body	The HTTP body for login requests (used for API strategy) for applications or devices that provide HTTP login change API.	Specific to the device type.
Login method	The API method for login requests (used for API strategy) for applications or devices that provide HTTP login API.	POST / GET / PUT
Login method headers	The HTTP header for login requests (used for API strategy) for applications or devices that provide HTTP login API.	Specific to the device type.
Logout method URL	The URL the logout requests will be sent to (used for API strategy) for applications or devices that provide HTTP logout API.	Specific to the device type.
Logout method body	The HTTP body for logout requests (used for API strategy) for applications or devices that provide HTTP login change API.	Specific to the device type.
Logout method	The API method for logout requests (used for API strategy) for applications or devices that provide HTTP logout API.	POST / GET / PUT
Logout method headers	The HTTP header for logout requests (used for API strategy) for applications or devices that provide HTTP logout API.	Specific to the device type.
Certificate keystore path	It is the parameter defined to import the certificate. It stores the certificate value in the database.	Specific to the certificate
Certificate keystore password	This parameter is the password of the certificate stored in the database. It opens the certificate.	Specific to the certificate
Accepted status codes	API Response Accepted Status Codes	Specific to the Application
Login authentication data matcher	This parameter allows to use the values obtained from the Login Response in other methods. Source can be header or body.“[{"”e”":"XSRF-TO”EN“, "patt”r”":"XSRF-TOKEN:\\s(.+”),“, "sou”c”":"hea”er"}]
Password change method body	The HTTP body for password change requests (used for API strategy), for applications or devices that provide HTTP password change API.	Specific to the device type.
Password change method headers	The HTTP header for password change requests (used for API strategy), for applications or devices that provide HTTP password change API.	Specific to the device type.
Password change method	The HTTP method for password change requests (used for API strategy), for applications or devices that provide HTTP password change API.	POST / GET / PUT
Password change method URL	The URL the password change requests will be sent to (used for API strategy), for applications or devices that provide HTTP password change API.	Specific to the device type.
Password check method body	The HTTP body for password check requests (used for API strategy), for applications or devices that provide HTTP password check API.	Specific to the device type.
Password check method headers	The HTTP header for password check requests (used for API strategy), for applications or devices that provide HTTP password check API.	Specific to the device type.
Password check method	The HTTP method for password check requests (used for API strategy), for applications or devices that provide HTTP password check API.	POST / GET / PUT
Password check method URL	The URL the password check requests will be sent to (used for API strategy), for applications or devices that provide HTTP password check API.	Specific to the device type.
Delete user method body	The HTTP body for delete user requests (used for API strategy), for applications or devices that provide HTTP user delete API.	Specific to the device type.
Delete user method headers	The HTTP header for delete user requests (used for API strategy), for applications or devices that provide HTTP user delete API.	Specific to the device type.
Delete user method	The HTTP method for password check requests (used for API strategy), for applications or devices that provide HTTP user delete API.	POST / GET / PUT
Delete user method success pattern	The output pattern in regex format, to show the HTTP delete user request has succeeded, for applications or devices that provide HTTP user delete API.	Specific to the device type.
Delete user method URL	The URL the delete user requests will be sent to (used for API strategy), for applications or devices that provide HTTP user delete API.	Specific to the device type.
User list method body	The HTTP body for user listing requests (used for API strategy), for applications or devices that provide HTTP user listing API.	Specific to the device type.
User list method headers	The HTTP header for user listing requests (used for API strategy), for applications or devices that provide HTTP user listing API.	Specific to the device type.
User list method	The HTTP method for user listing requests (used for API strategy), for applications or devices that provide HTTP user listing API.	POST / GET / PUT
User list method URL	The URL the user listing requests will be sent to (used for API strategy), for applications or devices that provide HTTP user listing API.	Specific to the device type.
LDAP base DN	Base Distinguished Name (DN) for LDAP	Specific to the LDAP structure. E.g.: OU=TestUser,DC=SingleConnect,DC=local
LDAP domain	The domain name that will be included in the command sent to the AD servers for AD user password changes, when the “ Change password with domain information ” property is set as “On”	Domain Name
Ignore certificate errors	Ignore certificate for LDAP/AD	Switch (On/Off)
LDAP password attribute name	The attribute name for the password in the LDAP/AD records.	If there is no exception, it “s "userPassword”
LDAP username DN template	The Distinguished Name (DN) template for users managed with this Vault Configuration.	Specific to the LDAP structure. E.g.: CN=${username},DC=example,DC=com
Timeout duration (milliseconds)	Sets the LDAP and Active Directory response read timeout	Default value:"5000 ms
Password encryption key	The encryption key to be used when “Password encryption method” is chosen as AES.	String
Password encryption method	The method to be used for password encryption.	CLEAR / MD5 / AES / UNICODE_ENCLOSED_IN_DOUBLE_QUOTES
Users excluded from newly discovered check (Comma separated)	The list of users to be ignored in the new user checks.
Automatic action for newly discovered users	The action to be taken when a new user is found.	LOG / NOTHING / DELETE / LOG_AND_DELETE
Password change reminder time (Days)	The duration (in days) to wait before sending a reminder to the email addresses defined in the sapmMailList property in the device group, before a password change.	Integer (days)
Characters that are counted as symbols	The pool of characters allowed as symbol characters in password strength. Double quotation mark (“) and percent mark (%) are not allowed for a Vault Account password which has WinRM configuration.	Character string. E.g.” !"#’%&'()*+,-./:;<?@[\]^_`{\|}~
Minimum number of lowercase letters	The exact number of lowercase letters that must be included in passwords.	Integer
Minimum number of numbers	The exact number of numbers that must be included in passwords.	Integer
Minimum number of symbols	The exact number of symbol characters that must be included in passwords.	Integer
Minimum number of uppercase letters	The exact number for uppercase letters that must be included in passwords.	Integer
Command set for post password change	The commands to be executed on the server after a successful password change (E.g., to kill active sessions started with the previous password). Multiple commands can be separated with \n characters. See section 7.1.16Configuration Properties to Execute Commands After Changing Passwords for more information.	Specific to the device type
Command set for post password change failure pattern	If the pattern set for this property is found in the command results of the “post-command”, the command is tagged “s ”FAILED”". When this happens, the command execution is stopped, and the remaining commands are not executed if the “ Stop on fail for post password change” property is set as “true”.	Specific to the device type
Stop on fail for post password change	When set as “On”, if any failure occurs during post command execution, the remaining commands are not executed. The default value is “Off”.	Switch (On/Off)
Allow set comment to account during check out password	Comments appear when prompted for password check out.	Switch (On/Off)
Skip password validation after password change	If set as “On”, no password validation is done after a password change. The default value is “Off”, meaning the password validation is done after a password change (For SSH and Windows Services Strategy only). For TACACS+ devices it must be set as ”On”.	Switch (On/Off)
Show accounts in auto login options only if domains match	It is defined to use Active Directory and LDAP accounts only in domain accounts. Domain parameter should be added on the device.	Switch (On/Off) Default value: Off
SSH port	The port number for SSH connections, for SSH strategy. The default value is 22.	Specific to the device type.
Wait duration between SSH commands (Milliseconds)	Time to wait between commands	Integer (milliseconds)
Static Secret Type	Select the type of static accounts with static configuration.	USER_CREDENTIAL SSH_KEY SSL_CERTIFICATE OTHER (Secret Data)
Super user password	The password of the super user who has superior rights on the target server. The value must be set when one of the "****with.superuser" properties is set as “On”.	String (hidden)
Super user name	The username of the super user who has superior rights on the target server. The value must be set when one of the "**with.superuser" properties is set as “On”. If Super user name** is written as username@hostname, it can be used in an account on another Vault-defined device.	String
Target URL Template	The AD/LDAP URL for Active Directory strategy.	Device specific
Unlock account with super user	To unlock the AD user, Super user must be used.	Switch (On/Off)
Regex parser for delimiter for user groups	The delimiter character to separate multiple user groups when checking for new users in a server.	String
Command set for getting newly discovered user lists	The command to get the user list.	E g. : cat /etc/passwd
Script set for getting newly discovered user lists	The “expect” script used to get the user list.	Expect script
Regex parser for delimiter for user	The regex pattern to find usernames after the users are listed.	Specific to the device type. Ex: (.?):.
Allow set comment to account during update password	Comments appear when prompted for password update.	Switch (On/Off)
WinRM authentication method	Authentication method for WinRM.	Basic, Digest, NTLM, Negotiate, or Kerberos
Ignore certificate errors	When set to “One”, certificate errors will be ignored during WinRM connections.	Switch (On/Off)
WinRM port	The port number for WinRM device configurations.	Integer
Use secure WinRM	When set to “true”, the connection will be over HTTPS. Otherwise, it will be over HTTP.	true/false
WinRM connection timeout	Sets the WinRM response read timeout	Default value:"5000” ms

Bulk Edit Account

Managed Systems