4.2 Managing AAPM (Application to Application Password Management) Accounts
Note: Before configuring AAPM accounts, an SAPM account should be created.

Adding Accounts in AAPM

1. Log in to the Single Connect web GUI.
2. Navigate to AAPM Management > AAPM Accounts.
3. Enter Application Name, Application IP Address (requester source IP address), SAPM Account, Event User and Security Level.
4. Enter the optional parameters that appear according to your Security Level choice. Details are described below.
5. Save.

| Parameter Name | Parameter Value |
| --- | --- |
| Application Name | Name of the application that will request AAPM passwords. |
| SAPM Account | The SAPM account that will be used in AAPM. |
| Application IP | IP address of the requester application. |
| Event User | The user using the password. This value is logged in the SAPM logs as the user of the password. |
| Security Level | The security level for the AAPM process. The possible values are Basic, Basic + PIN, Basic + PIN + Path and Basic + PIN + Path + Hash, described under "Security levels" below. |
| PIN Sending Port | The port the application listens on. Single Connect sends the PIN to this port. (Used for all security levels except Basic.) |
| OS Type | The operating system type of the server that hosts the application. Possible values: Windows / Linux / Mac OS. (Used for all security levels that include Path.) |
| App Path | The path of the application that is using AAPM. (Used for all security levels that include Path.) |
| OS Credential Type | The credential type that Single Connect uses while connecting and checking the path. Possible values: SAPM / Secret Data Vault / Manual User. (Used for all security levels that include Path.) |
| OS Account | The name of the account that Single Connect uses while connecting and checking the path. (Used for all security levels that include Path.) |
| OS Account Password | The password of the account that Single Connect uses while connecting and checking the path. (Used for all security levels that include Path; applicable for the Manual User OS credential type only.) |
| App Hash | The md5sum value of the executable file of the application. (Used for the Basic + PIN + Path + Hash security level.) |

Security levels

- Basic: Default, basic AAPM flow. The application requests the password via the API. Single Connect checks the application token and source IP, and sends the password as the response if everything is OK.
- Basic + PIN: The application requests the password via the API. Single Connect checks the application token and source IP and, if these checks pass, sends the PIN to a specific port. The application sends a second request with the PIN code and receives the password.
- Basic + PIN + Path: The application requests the password via the API. Single Connect checks the application token and source IP and, if these checks pass, sends the PIN to a specific port. The application sends a second request with the PIN code. Single Connect checks the path and name of the application and sends the password if they match.
- Basic + PIN + Path + Hash: The application requests the password via the API. Single Connect checks the application token and source IP and, if these checks pass, sends the PIN to a specific port. The application sends a second request with the PIN code. Single Connect checks the path and name of the application, checks the md5sum of the application, and sends the password if they match.

Removing Accounts from AAPM

1. Log in to the Single Connect web GUI.
2. Navigate to AAPM Management > AAPM Accounts.
3. Click the options button for the account to be removed.
4. Select “Delete AAPM Account”.

Requesting Password from AAPM

To request a password, use the Single Connect AAPM RESTful API. Each application added to AAPM has a token. AAPM tokens can be displayed on the AAPM Management page.

RESTful API values

| Parameter | Description |
| --- | --- |
| token | AAPM account token. |
| passwordexpirationinminute | Password expiration time. |
| comment | Password request comment. |
| passwordchangerequired | Optional parameter with default value set as “false”. If “true”, the password is changed before retrieval; otherwise the password is changed after retrieval. |
| pin | The PIN code sent to the application for PIN authentication. |

Example AAPM RESTful API request

The first request:

```
http://<single connect url>:8080/sc-aapm-ui/rest/aapm/password?token=543b7f16-7b09-4d8a-b693-ec645b7b29db&passwordexpirationinminute=10&comment=api%20test%20comment
```

The second request (applicable for all security levels that require PIN authentication):

```
http://<single connect url>:8080/sc-aapm-ui/rest/aapm/password?token=543b7f16-7b09-4d8a-b693-ec645b7b29db&passwordexpirationinminute=10&comment=api%20test%20comment&pin=123456
```

Example AAPM RESTful API response

```
x5#okle5
```

(the password)

AAPM Triggers

Triggers that run after an SAPM account password has been changed can be defined on this screen.

1. Log in to the Single Connect web GUI.
2. Navigate to AAPM Management > AAPM Triggers.
3. Select the SAPM account that will be used to trigger a strategy after the password change of the SAPM account.
4. Select the strategy (for now, only Windows Service Account Password Change is available as a strategy).
5. Select a target type as either “Single Device” or “Bulk”.

AAPM Trigger Process

When an SAPM account’s password changes, an "AAPM Trigger Process" record is created for each matching device, referring to the relevant "AAPM Trigger" definitions.

To search for these process records:

1. Log in to the Single Connect web GUI.
2. Navigate to AAPM Management > AAPM Trigger Process.
3. Fill in the related fields and search.

The first status of this process is “waiting”.

To trigger this process at a requested time, “aapmtriggerprocessjob” must be defined in the job scheduler:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > Jobs Scheduler.
3. Click "Fire Job".
4. Choose “aapmtriggerprocessjob” and fill in the related areas.
5. Click “Fire Job”.
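
The request flow described under "Requesting password from AAPM", written from the application's side for the Basic level and the PIN levels. This is an added example, not code from this page or from the vendor. It assumes the PIN arrives as ASCII text over a TCP connection to the PIN sending port, which the page does not specify; `build_url`, `PinListener` and `get_password` are hypothetical names, and the caller supplies the base URL.

```python
import contextlib
import socket
import urllib.parse
import urllib.request

def build_url(base_url, token, expiration_min, comment, pin=None):
    """Build the request URL using the parameter names listed on this page."""
    params = {"token": token, "passwordexpirationinminute": expiration_min,
              "comment": comment}
    if pin is not None:
        params["pin"] = pin  # present only on the second request of the PIN levels
    return base_url + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)

def http_get(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip()

class PinListener:
    """ASSUMPTION: the PIN is sent as ASCII text over TCP to the PIN sending port."""

    def __init__(self, port, single_connect_ip, timeout=10):
        self.port, self.peer, self.timeout = port, single_connect_ip, timeout

    def __enter__(self):
        self.sock = socket.create_server(("", self.port))
        self.sock.settimeout(self.timeout)  # give up if no PIN is delivered
        return self

    def __exit__(self, *exc):
        self.sock.close()

    def read_pin(self):
        conn, (addr, _) = self.sock.accept()
        with conn:
            if addr != self.peer:  # accept a PIN only from the Single Connect host
                raise PermissionError(f"PIN offered by unexpected host {addr}")
            return conn.recv(64).decode("ascii").strip()

def get_password(base_url, token, comment, expiration_min=10, listener=None,
                 get=http_get):
    """Basic level when listener is None; otherwise the two-request PIN flow."""
    # Open the port before the first request so the PIN cannot arrive too early.
    with (listener or contextlib.nullcontext()) as pin_source:
        first = get(build_url(base_url, token, expiration_min, comment))
        if pin_source is None:
            return first  # Basic: the first response is the password
        pin = pin_source.read_pin()
        return get(build_url(base_url, token, expiration_min, comment, pin=pin))
```

The page's example URLs use `http://`, which carries the token, the PIN and the returned password in cleartext; pass an `https://` base URL where the deployment offers one.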