APPENDIX 1: System Config Manager Parameters
parameter name description sample parameter value restart required default value aioc alert notification mail address if this parameter is set, a notification is also sent to specific users if it’s not set, the notification is only sent to the related manager test user\@mail com no n/a aioc approval excluderequester enabled when this parameter is set to true and a group has multiple approvers, if one of those approvers performs an action that requires approval, they cannot approve their own request in this case, they are excluded from the approver list and will not receive any approval emails or notifications however, even if the parameter is true, if there is only a single approver, that user can approve their own request if an approver is a member of multiple groups and performs an action that requires approval, the system evaluates the approvers within the relevant realm if the user is the only approver in that realm, they will receive the approval email/notification and can approve their own request if there are other approvers besides them, they are excluded from the approver list and will not receive any email or notification true,false no false aioc available jdbc drivers this parameter is used to set requested database types separated by a "," comma oracle jdbc driver oracledriver,org postgresql driver,com microsoft sqlserver jdbc sqlserverdriver,com mysql jdbc driver,org apache cassandra cql jdbc cassandradriver,com teradata jdbc teradriver,org apache hive jdbc hivedriver,org apache hive jdbc db2driver, cdata jdbc couchbase couchbasedriver no n/a aioc backup backupdir backup directory path in kron pam the file path “/pam/backup” must be manually created in kron pam before starting backup the backup file is created in this path first, then it is transferred to the path defined in “aioc backup ftp dirname” parameter yes n/a aioc backup ftp server ip server ip the backup file will be transferred to yes n/a aioc backup ftp username username to connect to the 
ftp server defined with the “aioc backup ftp server ip” parameter yes n/a aioc backup ftp password password of the user defined with the “aioc backup ftp username” parameter the parameter must be defined with a “yes” encryption option yes n/a aioc backup ftp dirname directory path where the backup file will be sent to in the target ftp server defined with the “aioc backup ftp server ip” parameter yes n/a aioc backup diskspace min gbyte required disk space for ftp server to transfer backup file the value should be set according to the size of the database to be backed up yes n/a aioc command provisioning c3p0 preferredtestquery defines the query that will be executed for all connection tests if the default connectiontester is being used defining a preferredtestquery that will execute quickly in the database may dramatically speed up connection tests select 1 from dual no n/a aioc connection reservation expiration alert before values this parameter sets an expiry notification to be sent n days before the end of the connection reservation e x 1 no n/a aioc connection reservation approval requester email visibility this parameter enables the display of the requester's email address in notification emails, the mobile application, and the 'my approvals' section of the user interface true,false no false aioc connection reservation max allowed hours this parameter is used to define the maximum duration users can request when creating a connection reservation e x 2160 no n/a aioc connection reservation reason required this parameter determines whether the "reason" field is mandatory when making a reservation through the device > reservation screen its default value is false , meaning the field is optional if the parameter is set to true , users will be required to fill in this field in order to complete the reservation process e x true,false no false aioc date format this parameter defines the date and time format based on a locale value it uses regional settings such as 
"en us", "tr tr", or "ru ru" to automatically determine how date and time are displayed in the system its default behavior follows the selected locale’s standard format if this parameter is set, the system formats date and time according to the given locale, without requiring a custom format definition ru ru,tr tr no n/a\[ea1] aioc date time format this parameter allows defining a custom date and time format directly using a format pattern (e g , "yyyy mm dd hh\ mm\ ss") unlike locale based formatting, it provides full control over how date and time values are displayed if this parameter is set, the system uses the specified format instead of relying on locale settings, enabling more precise and customizable formatting options yyyy mm dd hh\ mm\ ss no dd mm yyyy hh\ mm\ ss aioc device available interface names this parameter is used to define an interface name for devices with the same ip address, so they can be distinguished during connection e g interface 1, interface 2 yes n/a aioc download android active this parameter is used to enable the link to the play store link example values true,false no true aioc download ios active this parameter is used to enable the link to the app store link example values true,false no true aioc download linux active this parameter is used to enable an application that the linux system can download example values true,false no true aioc download macos active this parameter is used to enable to download the desktop application to mac computers example values true,false no true aioc download windows active this parameter is used to enable to download the desktop application example values true,false no true aioc device group property keys this parameter is used to define device group properties example values tag name,tag region,adddevicesshkeytouserselection no null aioc email domains set this parameter with related email domains (more than one domain can be added with a comma ex singleconnect com, abc com) gmail com, kronpam com 
no n/a aioc force end user to react interface set this parameter to true to force the following users to the new end user interface · users that are not in the system admins group · users that are not in a group with the admin group flag · users that are not named admin defaults to false true, false no true aioc instead of ad line manager this parameter defines where to direct the approval request to provide the missing ad line manager and it will direct all the requests in case the ad line manager is not imported to kron pam or the ad line manager is missing test user\@mail com no n/a aioc languages this parameter sets the preferred language as options in gui more than one language preference can be added with a comma separator en us, ru ru, ko kr no en us,de de,ko kr aioc nsso active this parameter is used to activate the nsso module in aioc and grant ssh proxy rights to kron pam true no true aioc portal disallow\ multi login this parameter enables or restricts multi login on the kron pam gui true, false no false aioc portal session idletime minute this parameter defines the time in minutes to disconnect the session if the user is inactive 45 yes 30 aioc portal session idletime warning before min this parameter defines the gives warning before ending the session 5 no n/a aioc portal allowed ip for admin users this parameter defines the users in the admin group to only be able to access through set ip/s 10 20 42 55,10 20 42 50 no n/a aioc region field visibility if this parameter is set as “true”, the region field is visible in the new device discovery screen in the device i̇nventory if it is set as “false”, the region field is not visible in the new device discovery screen in the device inventory if this parameter is not set, a controller/controlled license is required to visualize the region field false aioc locking ad user enabled this parameter defines available to make ad users lockable ad users will be locked for failed login attempts and inactivity cases 
same as local users true no false aioc session play alert mail address users can enter one or more email addresses separated by commas in this parameter to specify where the alert notifications that when someone views a "play session" in the "session logs should be sent user1\@krontech com,user2\@krontech com no n/a aioc users default password strength it sets the default password security level for users in pam 5 no n/a\[ea1] aioc users password strength length it defines the minimum password length required for users in kronpam 5 no n/a aioc users password strength symbol count it defines the minimum number of special characters required in the password 5 no n/a aioc users password strength symbol chars it defines which special characters are allowed or required in the password 5 no n/a aioc users password strength number count it defines the minimum number of digits required in the password 5 no n/a aioc users password strength lowercase count it defines the minimum number of lowercase letters required in the password 5 no n/a aioc users password strength uppercase count it defines the minimum number of uppercase letters required in the password 5 no n/a aioc timezone it can be defined as "new york usa" or "gmt 5" or "etc/gmt 5" for all those 3 definitions, time will show " (gmt 05 00)" if the parameter is defined, time in emails will be converted to the defined time zone, otherwise, the system zone of the server sending the email will be used n/a aioc user group property keys this parameter defines the user group properties allowsftpinsshdevices yes allowsftpinsshdevices,httpproxyenabled,otpenabled,rdpproxyenabled,sftpproxyenabled,sqlproxyenabled,sshproxyenabled,otpsmsenabled aioc user password algorithm this parameter sets the preferred algorithm to encode user passwords possible algorithms are defined in the examples e g \ md5(default), sha256, sha384, sha512, and ntlm yes sha512 aioc user group change notifier enabled when a user group is edited or a user is 
added/deleted, a notification mail is sent to the group manager set this parameter to false to disable sending notification emails defaults to true false no true aioc user group change notification email when a user group is edited or a user is added/deleted, a notification mail is sent to the specific mail addressess multiple email addresses can be added to this parameter krontest\@gmail com, test\@krontech com no n/a aioc user password log check count this value checks whether the user's new password matches older passwords (ex if it is 2, it checks last 2 passwords) 2 no 2 aioc users default password strength this parameter is used to set the preferred user password strength level according to predefined levels 0 none 1 password length must be at least 5 characters 2 password length must be at least 5 characters / number required 3 password length must be more than 7 characters/ upper lower case, number, special character required 4 password length must be more than 15 characters / upper lower case, number, special character required 0 no 1 allow\ changing reservation time by approver this parameter provides to change time duration during approval time by approver true,false no false approval sms http encoding encoding format see 5 3 6 approval workflow sms settings alternative values utf 8, utf 16be approval sms http headers http sms header see 5 3 6 approval workflow sms settings ex content type\ text/xml n/a approval sms http url sms sender http url see 5 3 6 approval workflow sms settings ex http //api smsexample com/v1/send sms n/a approval status change to expire when the defined time to approve the instant connection ends, the request status changes from “waiting“ to “expired" if not approved by approver/s ex 10, n/a approval workflow\ level timeout period values the timeout period value alternatives for approval workflow settings, separated by commas see 5 3 5approval workflow for details default values are 30 minutes, 2 hours, 1 day ex 30m,2h,1d no 30 
minutes, 2 hours, 1 day auto approve when requester is approver when the approver is also the requester, approval is automatically given true, false no false cookie warning message content this parameter is used to inform users that cookies are being used at kron, we deeply respect your privacy,and we are dedicated to ensuring that your journey with our product is nothing short of exceptional our commitment to delivering the best experience possible leads us to employ cookies these tiny pieces of data play a crucial role in enhancing your interaction with our platform by utilizing cookies, we can offer personalized settings and preferences that align with your unique needs thank you for choosing kronpam we look forward to continuing to enhance your experience and provide you with a product that aligns perfectly with your needs and expectations no false command approval sms http body template for sms messages to be sent for command approval through http see 5 3 6 approval workflow sms settings n/a command approval sms smpp body template for sms messages to be sent for command approval through smpp see 5 3 6 approval workflow sms settings n/a connection approval sms http body template for sms messages to be sent for connection approval through http see 5 3 6 approval workflow sms settings n/a connection approval sms smpp body template for sms messages to be sent for connection approval through smpp see 5 3 6 approval workflow sms settings n/a desktop client otp enabled this parameter is used to enable or disable multi factor authentication (mfa) for the desktop client application login for its online functions default value is false true, false no false disable instant approval for http this parameter checks wf level check box ("disable instant approval") all http approvals disabled when this parameter set as true true,false no false disable instant approval for rdp this parameter checks wf level check box ("disable instant approval") all rdp approvals disabled when 
this parameter set as true true,false no false disable instant approval for sftp this parameter checks wf level check box ("disable instant approval") all sftp approvals disabled when this parameter set as true true,false no false disable instant approval for ssh this parameter checks wf level check box ("disable instant approval") all ssh approvals disabled when this parameter set as true true,false no false export securecrt role groups this parameter determines whether to include the roles of device groups in the exporting folder the parameter is used to export device lists for securecrt securecrt is a commercial ssh, telnet client, and terminal emulator true yes true export securecrt script extension this parameter determines the type of script file of the exporting devices the parameter is used to export device lists for securecrt securecrt is a commercial ssh, telnet client, and terminal emulator js yes js export securecrt shorten names if this parameter is saved as true, the parent device group name is discarded from the device group names the parameter is used to export device lists for securecrt securecrt is a commercial ssh, telnet client, and terminal emulator true yes true export securecrt single script this parameter determines whether to include a script file in the exporting folder the parameter is used to export device lists for securecrt securecrt is a commercial ssh, telnet client, and terminal emulator true yes true export securecrt templates dir this parameter defines the directory folder for devices the parameter is used to export device lists for securecrt securecrt is a commercial ssh, telnet client, and terminal emulator ${netright home}/templates/securecrt yes ${netright home}/templates/securecrt hsm enabled hardware security module (hsm) integration docid\ efcwtydr30g4jra3rux93 true yes hsm method hardware security module (hsm) integration docid\ efcwtydr30g4jra3rux93 client yes hsm provider classname hardware security module (hsm) 
integration docid\ efcwtydr30g4jra3rux93 com ncipher provider km ncipherkm yes hsm keystore type hardware security module (hsm) integration docid\ efcwtydr30g4jra3rux93 ncipher sworld yes hsm keystore alias hardware security module (hsm) integration docid\ efcwtydr30g4jra3rux93 secureworld yes hsm keystore load password hardware security module (hsm) integration docid\ efcwtydr30g4jra3rux93 xxx yes hsm keystore entry password hardware security module (hsm) integration docid\ efcwtydr30g4jra3rux93 xxx yes hsm secretkey algorithm hardware security module (hsm) integration docid\ efcwtydr30g4jra3rux93 aes yes iga 2fa token timestep defines the token validity period (in seconds) default is 30 yes 30 iga 2fa sms http body http request body for sending sms http body value no n/a iga 2fa sms http headers headers included in the sms http request http headers value no n/a iga 2fa sms http secret body secret data added to the http request for security http secret data value no n/a iga 2fa sms http url url used for sending sms via http http url no n/a iga 2fa sms smpp body sms message content when using the smpp protocol smpp body value no n/a iga 2fa sms smpp secret body secret data in the smpp sms message body smpp secret data value no n/a iga 2fa use external mobile app allows mfa client applications such as google authenticator or microsoft authenticator to run true yes false kron cripto aes key this parameter defines the key to hide sensitive data iqtn5fh70qhoeknednklcizrehowwhwdfmg0uoykmtc= yes n/a kill session on reservation end this parameter is used to automatically kill sessions after the specified time for reservation connections such as rdp, ssh, and sftp proxy true,false no false legal notice enabled customers can set up a legal disclaimer message to appear at the start of rdp or vnc sessions this parameter must be set as “true” to show the message this parameter is used to set up a legal disclaimer message restart of the web portal service is needed after 
configurations true, false no false legal notice text the text to be shown as a legal disclaimer message this parameter is used to set up a legal disclaimer message restart of the web portal service is needed after configurations \<text> no n/a mail templates dir this parameter defines the default mail template directory kron pam sends emails to group admins to notify them of new user requests, password manager actions, command authorization requests, etc kron pam also sends password reset emails and mfa activation token emails in order to achieve these actions, email settings have to be configured on kron pam using the mail config screen in the system config manager menu ${netright home}/templates/mail yes ${netright home}/templates/mail max push count to send in one time this parameter limits the notifications to be sent in the mobile app to prevent overactivity of the notification system 10 no mobile application otp enabled this parameter is used to enable or disable multi factor authentication (mfa) for the mobile application login for its online functions true, false no false mobile application register token otp validity seconds the validity period for one time passwords sent for register token operation (in seconds) integer (default value = 60) no 60 mobile tomcat url this parameter defines the kron pam mobile application server address https //sc251 singleconnect com 9443/mobile api/rest no http //localhost 9080/mobile api/rest multitenancy enabled this parameter enables kron pam’s multitenancy function true no false multitenancy tacacs port range the port range to be used for the tacacs devices for the tenants should be defined with this parameter 50000 50100 no n/a netright alias this parameter determines which modules to use in aioc you can set the system as kron pam, single monitor or single command using this parameter sc no sc netright auth ldap this parameter enables or disables ldap/ad authentication false yes false netright auth ldap basedn this 
parameter defines the ldap base dn base dn is the section of the directory where the application will start searching for users and groups dc=example,dc=com no dc=example,dc=com netright auth ldap principal security principal of context set from the expression defined as uid uid=?,dc=example,dc=com no uid=?,dc=example,dc=com netright auth ldap url this parameter determines the active directory/ldap hostname/ip address, port number and ldap/ldaps protocol if more than one url is used, the parameters should be separated by “,” (e g , ldap\ //10 10 10 10 389, ldaps\ //10 10 10 20 636) ldap\ //1 1 1 1 389 no ldap\ //1 1 1 1 389 netright auth ldap timeout timeout duration for a response from the ad/ldap server 1200 no 1000 (default value in ms) netright auth ldap socket timeout timeout period for socket connection with the ad/ldap server 6000 no 5000 (default value in ms) netright auth tacacs this parameter determines the use of the tacacs+ authorization true yes false netright auth tacacs server this parameter defines the address of the tacacs+ server 127 0 0 1 no 127 0 0 1 netright auth tacacs server key this parameter defines the key of the tacacs+ server z7i/z15wxhgejrwgfaqo3a== no n/a netright autoddl this parameter is set as true while upgrading kron pam the value of this parameter remains false while using the system false yes false netright baseurl this parameter is used to configure the base url to provide connection from a proxy service http //127 0 0 1 80 no n/a netright cache enable this parameter determines whether the user interface has cache false yes false netright content root this parameter defines the folder of the root content ${netright home}/filerepo yes ${netright home}/filerepo netright hidden property keys this parameter stores the hidden properties password no password netright home this parameter defines the netright home directory /pam/gui/netright yes /pam/gui/netright netright instancename this parameter defines the kron pam instance name 
you can use different names if you use more than one instance instance name info to the web gui is made visible by default kronpam no n/a netright jdbc database this parameter defines the type of kron pam database postgresql no postgresql netright jdbc password this parameter defines the password of the kron pam database no n/a netright jdbc url this parameter defines the address of the kron pam database jdbc\ postgresql //localhost 5444/aioc no n/a netright jdbc username this parameter defines the name of the kron pam database aioc no aioc netright license file path this parameter defines the path of the license file ${netright home}/licence properties no ${netright home}/licence properties 1 netright name this parameter defines the header in the kron pam gui kronpam yes kronpam netright version this parameter defines the version shown in gui 2 14 3 no n/a notify user before ttl password expire this parameter is used for users to receive expiration notifications a certain number of days before the expiration date (password ttl) of the passwords they set through the user group 3 no n/a nsso nsso ssl port this parameter defines the ssl port of the link between the ssh proxy and kron pam 4443 no 4443 nsso remote desktop base dir this parameter defines the folder in kron pam where files transferred during an rdp session are stored /tmp no /pam/rdpshare nsso remote desktop daemon host this parameter defines the host address of the rdp proxy 127 0 0 1 no 127 0 0 1 nsso remote desktop daemon port this parameter defines the port of the rdp proxy 4822 no 4822 nsso remote desktop drive sharing enabled this parameter is used to transfer files between rdp endpoints when this property is set, a special folder on kron pam (/tmp/\<username>) is shared with all the rdp endpoints as a shared drive named “g on sc rdp” true, false no n/a nsso remote desktop idle threshold time limit to start calculation of idle time (millisecond) example 40000 no 30000ms(30seconds) nsso remote 
desktop key logger enabled this parameter grants rights to see the rdp session logs as key logger mouse and keyboard inputs during rdp sessions can be accessed in this page true no true nsso remote desktop key logger hidden key the key logger of rdp sessions logs all the key motions in clear text this feature must be stopped to obscure certain data when the users press the defined key twice in a session, the key logger hides the key motions by the limit defined in this parameter 20 yes 15 nsso remote desktop key logger key hiding shortcut this parameter is used to define the key that will disable key logging for the defined hidden limited keys the default key is "esc" esc yes “esc” nsso remote desktop ocr enabled this parameter grants rights to see the rdp session logs as ocr logs you can see the activities performed by the user during an rdp session true no true nsso remote desktop ocr lang this parameter is used to get ocr logs in the required language codes for the supported languages can be found in the admin guide multiple languages must be separated by "+" eng+kor+tur+spa no n/a nsso remote desktop ocr threads this parameter defines the maximum number of threads allocated to ocr processes in multitenant environments ex 2 no 2 nsso remote desktop session duration limit warning before min this parameter is used to determine the time a warning is shown before the session times out example 4 no n/a otp rest url this parameter is used to enable mfa the rest url should be set as the kron pam public ip and port ex\ http //127 0 0 1 no pam auth username case sensitive when this parameter is true, the system checks the username with case sensitivity and blocks logins that do not exactly match the defined username true,false no false rdp idle session timeout user sessions can be terminated based on their idle duration this parameter is used to set a timeout limit (minute) example 5 no 60 rdp min reason character limit this parameter is used to specify the minimum 
character limit required for the connection min 5 no n/a rdp timeout server response time this parameter is used to set timeout for the response time of the server the connection timeout parameter can be configured as per the requirements (second) ex 10 no 15 sapm job password change thread count this parameter is used to change the number of threads running the sapm auto import jobs 5 yes 5 sapm create parent group right this parameter allows end users to create or restrict their own password vault parent groups true,false no false sapm show\ password expiration time values this parameter defines the password reservation times of sapm accounts when a user makes a password reservation for an sapm account, these time options are presented to reserve a time 5m,30m,2h,24h no 5m,30m,2h,24h sc aaa freeradius password this parameter defines the password to connect to the radius server no n/a sc aaa freeradius url this parameter defines the url address of the radius server jdbc\ postgresql //127 0 0 1 5444/aioc no jdbc\ postgresql //127 0 0 1 5444/aioc sc aaa freeradius username this parameter defines the username to connect to the radius server aioc no aioc sc aaa radius ldap conf path this parameter is used to set the path of the radius configuration file to insert active directory/ldap parameters /etc/raddb/mods available/ldap no /etc/raddb/mods available/ldap sc aaa radius restart command this parameter defines the command to restart the radius server the server needs to be restarted with this command to apply changes systemctl restart pam radius no systemctl restart pam radius sc aaa tacacs conf path this parameter is used to set the path of thetacacs+ configuration file to insert active directory/ldap parameters /pam/tacacs/etc/kron tacacs conf no /pam/tacacs/etc/kron tacacs conf sc aaa tacacs restart command this parameter defines the command to restart the tacacs+ server the server needs to be restarted with this command to apply changes systemctl restart pam 
tacacs no systemctl restart pam tacacs sc freeradius server this parameter defines the address of the free radius server if this parameter is not equal to the requested remote address, the program will return an authorization error 127 0 0 1 yes 127 0 0 1 sc policy xml dir this parameter defines the location of the policy xml file /u01/nssoapp/conf/xml yes /u01/nssoapp/conf/xml sc portal otp enabled this parameter is used to enable or disable multi factor authentication (mfa) for the kron pam gui login true, false no false sc rdp connection otp enabled this parameter is used to enable or disable multi factor authentication (mfa) for rdp connections (true=enabled, false=disabled) false no false sc rdp otp cache enabled if this parameter is saved as true, the user will not be asked for otp during the cache duration after entering otp true no true sc rdp otp cache seconds this parameter defines the cache time in seconds 300 no 300 sc rdp page list element length this parameter defines the length of the accounts and remote app names sometimes names can be long and do not fit in the screen value length 1 29 characters 2 36 characters 3 56 characters 4 89 characters no 1 sc user group manager obligated member of group this parameter is used to determine whether managers will belong to the user group or not true, false no true selenium chrome binary this parameter specifies the exact file path to the google chrome executable on your system it ensures selenium launches the correct browser instance, which is especially important in custom or server environments /usr/bin/google chrome no selenium side runner binary this setting points to the command line tool used to execute selenium ide ( side) project files it allows the automation framework to locate and run your pre recorded test suites directly from the terminal selenium side runner no selenium chrome args this parameter defines the specific command line arguments and flags passed to google chrome upon launch it allows 
you to completely customize the browser's behavior for your testing environment, such as running it in headless mode or bypassing sandbox restrictions headless, disable infobars, no sandbox, enable javascript, disable dev shm usage, disable gpu, remote debugging port=9222, incognito , user data dir=/tmp/selenium profil no selenium side runner ss directory specifies the local directory path where screenshots are automatically saved during test execution, providing a centralized location for visual logs /pam/gui/templates no selenium side runner debug mode activates an enhanced logging state that prints detailed browser console logs and internal execution steps to the terminal, facilitating deeper technical troubleshooting true, false no show\ wiretosessionwarning this parameter can be used to set whether or not the notification sent to the user when the wire to session process starts will be displayed false, true no smpp addressrange the destination address range to be served by this esme account this parameter is optional, and smsc settings will be applied if it is not defined example 1 (for numbers starting with 1 yes n/a smpp addrnpi numeric plan indicator (npi) to be used for address range parameters this parameter is optional, and smsc settings will be applied if it is not defined alternative values 0 unknown 1 isdn (e163/e164) 3 data (x 121) 4 telex (f 69) 6 land mobile (e212) 8 national 9 private 10 ermes 14 internet (ip) 18 wap client id yes n/a smpp addrton type of number (ton) to be used for address range parameter this parameter is optional, and smsc settings will be applied if it is not defined alternative values 0 unknown 1 international 2 national 3 network specific 4 subscriber number 5 alphanumeric 6 abbreviated yes n/a smpp bindmode bind mode for the esme account this parameter is mandatory for sending/receiving sms over smpp alternative values t transmitter r receiver tr transceiver (transmitter and receiver) yes n/a smpp destinationnpi numeric 
plan indicator (npi) parameter to be used for destination address this parameter is optional, and smsc settings will be applied if it is not defined alternative values 0 unknown 1 isdn (e163/e164) 3 data (x.121) 4 telex (f.69) 6 land mobile (e212) 8 national 9 private 10 ermes 14 internet (ip) 18 wap client id yes n/a

smpp destinationton type of number (ton) parameter to be used for destination address this parameter is optional, and smsc settings will be applied if it is not defined alternative values 0 unknown 1 international 2 national 3 network specific 4 subscriber number 5 alphanumeric 6 abbreviated yes n/a

smpp enquirelinkperiodms period in milliseconds to make enquirelink requests to the smsc enquirelink requests are used to check the health status of the connection between the esme and target smsc any value less than or equal to “0” will be defaulted to 5000 ms (5 seconds) the smpp connection will be automatically re established in case of smpp connection failures during enquire link requests ex 10000 (in milliseconds) yes n/a

smpp ip ip address of the smsc this parameter is mandatory for sending/receiving sms over smpp ex 10.20.40.95 yes n/a

smpp password the password used to authenticate an esme account defined in smsc this parameter is mandatory for sending/receiving sms over smpp ex netright yes n/a

smpp port binding port for smpp, listened on smsc this parameter is mandatory for sending/receiving sms over smpp ex 16000 yes n/a

smpp receivetimeout timeout duration for trying to receive a message from the smsc this parameter is optional alternative values 1 (infinite wait until a pdu is received) 1,2,3… (number of seconds) yes n/a

smpp servicetype sms application service associated with the message this parameter is optional and sent as default, if not defined alternative values (null) default cmt cellular messaging cpt cellular paging vmn voice mail notification vma voice mail alerting wap wireless application protocol ussd unstructured
supplementary services data yes n/a

smpp sourceaddress the source address to be used when sending messages this parameter is mandatory for sending/receiving sms over smpp ex pam, +12348372939 yes n/a

smpp sourcenpi numeric plan indicator (npi) to be used in the sme source address parameters this parameter is mandatory for sending/receiving sms over smpp it should be defined as unknown (0), if an alphanumeric source address is to be used to send messages (ex singlecon) alternative values 0 unknown 1 isdn (e163/e164) 3 data (x.121) 4 telex (f.69) 6 land mobile (e212) 8 national 9 private 10 ermes 14 internet (ip) 18 wap client id yes n/a

smpp sourceton type of number (ton) to be used in the sme source address parameters this parameter is mandatory for sending/receiving sms over smpp it should be defined as alphanumeric, if an alphanumeric source address is to be used to send messages (ex singlecon) alternative values 0 unknown 1 international 2 national 3 network specific 4 subscriber number 5 alphanumeric 6 abbreviated yes n/a

smpp syncmode receiving mode if set to sync, the application waits for a response after sending a request pdu if set to async, the application doesn't wait for responses, rather they are passed to an implementation of serverpdulistener by the receiver the listener is also passed every request pdu received from the smsc this is an optional parameter and default value is sync alternative values sync – synchronous async – asynchronous yes sync

smpp systemid the system id used to identify an esme defined in smsc it is used for smpp sender authentication this parameter is mandatory for sending/receiving sms over smpp ex netright yes netright

smpp systemtype the system type used to categorize the type of esme binding to the smsc this parameter is optional for sending/receiving sms over smpp, and if not defined the system type is sent as null alternative values vms voice mail system ota over the air activation system (null) default yes n/a

sms channel
which channel is to be used to send sms alternative values http for using http based sms proxy smpp for using smpp towards smpp yes http

ssh min reason character limit this parameter is used to specify the minimum character limit required for the connection min 5 no

sso geosites this parameter defines the location of the server no

sso ip this parameter defines the ip address of the ssh proxy 127.0.0.1 no ip address of ssh proxy

sso port this parameter defines the port of the ip address of the ssh proxy 2222 no 2222

syslog message rfcformat rfc 5424 and rfc 3164 formats are supported in siem configuration this parameter determines the rfc format and must be set as one of these values rfc 5424, rfc 3164 no rfc 5424

syslog message content format this parameter is used to determine content format key value, cef, legacy cef no key value

syslog server hostname kron pam can send logs to siem systems this parameter is used to set the siem host ip address 10.10.20.20 yes

syslog server port this parameter is used to set the port of the siem host 514 yes 514

tfa otp issuer the name of the mfa server this string is shown on top of the offline token value on the mobile app, when a qr code that is issued from the server is scanned on a mobile app string no

user forcemanageruseringroup if this parameter is saved as true, you must define a manager for a user group otherwise, user groups can be created without a manager true no true

user lock afterfailedloginattempts users are locked after a certain number of failed login attempts this parameter defines the number of failed login attempts before locking the user account 5 10,20 yes 20

aioc locking ad user enabled this parameter defines whether ad users can be locked ad users will be locked for failed login attempts and inactivity cases same as local users true,false no false

user lock afterinactivemillis kron pam locks inactive users this parameter defines the maximum inactive time before locking a user the user password must
be reset to unlock the user account 2629743000 no 2629743000

user mail from this parameter defines the sender mail address for mfa change it@change it com yes n/a

user registration enabled this parameter is to hide the new user button on the login screen default value is false true,false no false

user suspend afterfailedloginattempts users are suspended after a certain number of failed login attempts this parameter defines the number of failed login attempts before suspending the user 10 yes 10

user suspend formillis after a certain amount of failed login attempts, users are suspended for the time determined in this parameter this value is in milliseconds 60 no 60

1 windows auth keytab path these parameters are used to configure the windows authentication settings (the abovementioned parameters should be set for respective ui) = /pam/gui/conf/sc keytab no

windows auth spn =http/ kron pam servername no

aioc auth rdc this parameter enables windows authentication feature for desktop client true yes false

aioc auth windows this parameter enables windows authentication for kron pam web gui true yes false

rdp idle session timeout warning before min this parameter is used to configure the warning pop up display 5 yes 5

rdp hide top menu by default when this parameter is true, the bar in the rdp connections will be hidden by default true no false

aioc portal client ip header this property will be available the default value is null, so no header will be checked to detect the client ip (tcp source ip will be used by default) you can define it with the value "x-forwarded-for" x-forwarded-for yes null

session record encryption enabled this parameter allows rdp/vnc and ssh video recordings to be securely stored in an encrypted format in a database the recordings remain encrypted until the user replays them, ensuring data protection and confidentiality true no false

sc rdp reason mail recipient if the reasonrequiredforconnection parameter is set and if this parameter is
available in systemconfig, the written reason will be mailed to the recipients more than one email address can be used, with a comma separator kron@krontech.com,pam@kron.com no n/a

ssh client kex algorithms this parameter specifies the key exchange algorithms used by the ssh client when vault accounts make ssh connections key exchange algorithms determine how the client and server negotiate a shared secret key for the session ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 n/a

ssh client host key algorithms this parameter specifies the host key algorithms used by the ssh client to authenticate the server when making an ssh connection to the vault account ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss n/a

ssh client encryption algorithms this parameter specifies the encryption algorithms used by the ssh client to encrypt the data transferred between the client and the server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,arcfour256,arcfour128,3des-cbc,blowfish-cbc n/a

ssh client mac algorithms this parameter specifies the message authentication code (mac) algorithms used by the ssh client to ensure the integrity and authenticity of the data hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96 n/a

aioc rest api rate limiter active this parameter defines whether the limit value is active or passive true no true

aioc rest api rate limiter threshold the number of requests requestcount 300

aioc rest api rate limiter unit the unit of the requests will be defined as daily, hourly, minutely or secondly day/hour/minute/second minute

rap cloud server this parameter defines the remote access portal address the parameter can be defined as url with ip (e.g., https://34.234.69.53/connect) or as url with domain name (e.g., https://cloudpam.com/connect) http://cloudpam.com/connect no http://localhost:7777/connect

rap rdp session duration limit warning before min this parameter defines how many minutes before the rdp session expires that the timeout warning will be sent on the remote access portal 1 no 1

rap ssh session duration limit warning before min this parameter defines how many minutes before the ssh session expires that the timeout warning will be sent on the remote access portal 1 no 1

rap http session duration limit warning before min this parameter defines how many minutes before the http/https session expires that the timeout warning will be sent on the remote access portal 1 no 1

rap token expiration period this parameter indicates the lifespan of a token and is used to prevent the creation of long term rpam invitation links 1 no 1

rap sms http url url is used to send sms via http for remote privileged access management tokens https //api iletimerkezi com/v1/send sms no n/a

rap sms http body the sms message content when using http protocol for remote privileged access management tokens \<request>\<authentication>\<username>xxxphonenumberxxx\</username>\<password>xxxpasswordxxx\</password>\</authentication>\<order>\<sender>kron\</sender>\<senddatetime>\</senddatetime>\<message>\<text> \<!\[cdata\[ dear %usereid%, please use the passcode below during login phase of your secure remote access connection
passcode %passcode% secure remote access connection (access on web browser) %connurl% ]]> \</text>\<receipents>\<number>%phonenumber%\</number>\</receipents>\</message>\</order>\</request> no n/a

rap sms smpp body the sms message content when using the smpp protocol for remote privileged access management tokens smpp body value no n/a

rap sms http headers the headers included in the sms for remote privileged access management tokens content-type: text/xml no content-type: text/xml

rap sms http encoding a character encoding used in the sms for remote privileged access management tokens utf-8 no utf-8

rap sms http method the http method used in sms for remote privileged access management tokens post, get no post

rap sms http delimiter the delimiter character used in the sms for remote privileged access management tokens & no &

rap sms channel the sms channel used for remote privileged access management tokens http, smpp no http

rap client otp enabled the mfa parameter for entering remote access portal if the parameter is set to true, the user needs to enter a 6 digit otp code on the remote access portal login page true/ false no false

rap passcode characters count this parameter shows how many characters are used in the passcode definition this parameter's value should be numeric, and the default value is 8 if the system admin defines this parameter as 4 or fewer, the passcode is created with 4 characters 12 no 8

rap passcode only numeric text this parameter's value should be a boolean, and the default value is false if this parameter's value is set as true, the passcode only contains numeric values; however, if this parameter's value is set as false, the passcode contains alphanumeric values true / false no false

show wiretosessionwarning this parameter, whose default value is true, is added to the system config manager in order to display the "your session is monitored by admin" warning to the user who started the ssh/telnet or rdp/vnc session when the admin
connects to an active session via wire to session when the parameter value is defined as false, no warning will appear on the screen of the user who starts the session with this feature, even if the user does not see the warning, the "your session has been monitored by admin" log is displayed in the session log true/ false no true

resources of containers with this parameter, it is defined whether the container used for http proxy will run on the local machine or on another machine remote/local/all no local/remote/all

rdp time restriction warning before min specifies the number of minutes before the scheduled session end time that a warning message is displayed to the user in an rdp session this parameter is part of the time restriction policy and allows administrators to configure how early users are notified before their session is terminated 7 no 1

aioc hide on behalf of tenant switch this parameter is used in both non host and host tenants for hiding tenant to switch feature, if the parameter is set as true the default value of this parameter is false, it means that until this parameter is set as true, the access on behalf feature is used as in the usual scenario true / false no false

sapm duallock option hide it determines whether the enable duallock switch box on the vault definition screen will appear or not if it is not defined as default value or defined as false, this value will appear on the screen, if true, this switch box will not appear on the screen true/false no n/a

connector tunnel port range this parameter is used to set the tenant connector’s tunnel port range 10000 11000 no 10000 11000

connector tunnel subnet base this parameter is used to define the subnet base value of the tenant connector 192.168.0.0 no 192.168.0.0

connector heartbeat check interval this parameter is used to set the heartbeat check interval if heartbeat messages cannot be sent to the kron pam server for the number of minutes specified by this value, the connector status
becomes failed (for example, if this value is set to 5, if no heartbeat messages are received for 5 consecutive minutes, the connector status becomes failed) 5 no 5

connector port range this parameter is used to define the virtual port range for devices which are reached by the tenant connector these ports are not used to reach these devices from outside of the connector, but these ports are only used for device mapping 40000 50000 no 40000 50000

1 netright job master instance name netright job master instance name $region name

mfa provider this parameter defines the external mfa provider used by the system if this parameter's value is set to radius, the system initiates the mfa process via a radius server radius no

mfa external provider radius addresses this parameter is used to define the host and port information of the radius server(s) multiple definitions can be specified as a comma separated list for redundancy; if one is unreachable, the next will be tried 10.20.30.40 no

mfa external provider radius secret this parameter, which must be defined by selecting the encryption checkbox, contains the shared secret key used for secure communication between kron pam and the radius server no

mfa external provider radius timeout this parameter defines the maximum time, in milliseconds, the system waits for a response from the radius server before timing out 3000 no 3000

mfa external provider radius retry count this parameter determines the number of retry attempts the system will perform if no response is received from the radius server within the specified timeout period 3 no 3

mfa external provider radius proto this parameter specifies the authentication protocol type used in the radius request packet pap no pap

mfa external provider radius user field this parameter determines which user attribute is sent in the radius request's username field available values include username, phone, email, or userprincipalname username no username

mfa external provider radius nas
id this parameter is used to define the nas identifier radius attribute in the request packet, which is provided when specifically required by the radius server

mfa external provider radius nas ip address this parameter defines the nas ip address radius attribute sent in the request packet to identify the client's ip address to the radius server no

mfa external provider radius factor this parameter, when its value is set to push, enables the system to utilize multi factor authentication specifically through push notifications push

allow changing reservation time by approver this parameter is used to allow the approver to change the reservation time on the mobile apps before approving the requests true / false no false

tenant expiration warning before day this parameter is used to show a warning message on the web gui, xx days before the tenant's expiration 15 no 15

aioc login different methods enabled this parameter is used to have a new button called “login with different methods” on the kron pam server and desktop client the new button allows users to log in to the system with a method other than the conventional login process (e.g., saml) true / false no false

aioc hide on behalf of tenant switch this parameter is used in both tenant and host environments for hiding the tenant to switch feature, if the parameter is set as true the default value of this parameter is false, it means that until this parameter is set as true, the access on behalf feature is used as in the usual scenario true / false yes false