
Adding SAPM Configurations

To manage passwords via SAPM, a SAPM configuration is required. A SAPM configuration consists of the command sets that make the password changes in the target systems. Single Connect ships with pre-defined SAPM configurations, but if the target device differs from those, a new SAPM configuration must be created; a separate SAPM configuration should be created for each kind of target system whose passwords the system will manage. On the configuration screen, Strategy defines the method used to change the password and Configuration Properties define the details of each configuration.

The STATIC strategy is a configuration that lets an account be added to SAPM without a target system.

To create a new SAPM Configuration:

  1. Navigate to SAPM Management > SAPM Management
  2. Open the Configuration tab.
  3. Fill in the Name, Strategy and Description fields and click Save.

To add and/or edit properties for the SAPM configuration:

  1. Click the Search button to see saved configurations.
  2. Click the Options drop-down menu of the desired configuration and select Show Properties.

[Figure: Showing SAPM Configuration Properties]

  3. Select a Property Key, or click Edit on the desired property.
  4. Type in the Property Value and click Save.

[Figure: SAPM Configuration Properties Information Popup]

These are the properties that can be used for SAPM configurations:

| SAPM Configuration Property Key | Description | Pool Value |
|---|---|---|
| `account.level.properties` | Values that are set per account, at the account level, and override the corresponding values of the default configuration. The property values are defined on the SAPM Account screen. | Other properties |
| `allow.seen.by.multiple.user` | If set as “true”, the SAPM password can be seen by other users in the same user group. By default, the SAPM password can be seen only by the user who last retrieved it. (Dynamic accounts only.) | true/false |
| `always.show.accounts.in.auto.login` | Allows access to other servers with Active Directory and LDAP accounts. (Applies to SSH and RDP sessions.) | true/false. Default value: true |
| `change.password.after.session.login` | If set as “true”, the SAPM password is changed right after an RDP session is started by the Single Connect Session Manager with this SAPM account. By default, the SAPM password is not changed after being used by the Session Manager. | true/false |
| `change.password.command.template` | The command set used to change the password in the target system. It can differ per system: there are pre-defined sets for the most common systems, but if the target device is not among them, this command set must be configured. | Specific to the device type. E.g. for a Cisco device: `en\n${superPassword}\nconf t\nline con 0\npassword ${newPassword}\nline vty 0 4\npassword ${newPassword}\nline vty 5 15\npassword ${newPassword}\nenable secret ${newPassword}\nend\nwr me\nexit` |
| `change.password.failure.pattern` | During each password change, Single Connect reads the output of the target system to check whether the password was changed successfully; if the change failed, the new password is not added to the database. If the output matches this regex pattern, Single Connect decides that the password change command has failed. If “skip.password.validation.after.change” is set as “false”, the result of the connection validation overrides this decision and this parameter has no effect. | Specific to the device type. E.g. for a Cisco device: `% Invalid input detected.*` |
| `change.password.only.at.change.period` | When set as “true”, no duration is requested from the user, only a comment. The password is not changed after the checkout, and other users can check out the same password until the next periodic change. By default, the user is asked for the duration and the password is changed after the checkout. | true/false |
| `change.password.script.template` | The Expect script used to change the password. | Script written in Expect. E.g. for a Cisco IOS router: `send "enable\r" expect "Password:" send "${superPassword}\r" expect { "Password:" { exit 1 "wrong enable password" } "#" { } } send "conf t\r" expect "#" send "username ${username} password ${newPassword}\r" expect { "#" { } "%" { exit 1 "command failed" } } send "do write\r" exit` |
| `change.password.success.pattern` | During each password change, Single Connect reads the output of the target system to check whether the password was changed successfully; if the change failed, the new password is not written to the database. If the output matches this regex pattern, Single Connect decides that the password change command succeeded and stores the new password. If “skip.password.validation.after.change” is set as “false”, the result of the connection validation overrides this decision and this parameter has no effect. | Specific to the device type. E.g. for a CentOS device: `.*successfully.*` |
| `change.password.with.domain` | For most Active Directory (AD) systems, the domain name does not need to be sent in a password change request. Some systems, however, require the domain name to be included, such as “SINGLECONNECT.COM/richard” instead of just “richard”. By default this parameter is “false” and the domain name is not included in the command sent to the AD servers for an AD user password change. When set as “true”, the domain name is included in the command. | true/false |
| `change.password.with.super.user` | If set as “true”, the super user credentials defined by the super.username and super.password properties are used to change the SAPM account password on the target device. The default value is “false”, meaning the SAPM account username and password are used to change the password. Set this to “true” when the SAPM account’s rights are not enough to change its own password. | true/false |
| `change.password.self.permission` | The permission used to change Active Directory users’ passwords. Set it according to the self-permission granted to Single Connect in Active Directory. | CHANGE_PASSWORD / RESET_PASSWORD |
| `change.period.in.day` | The default period (in days) for changing passwords with this configuration. This setting exists in two places: the “Change Period (day)” field of the SAPM Account definition has the higher priority; if it is not set there, the “change.period.in.day” property of the SAPM Configuration is used. If neither is set, an error occurs when the password is changed. | Integer (days) |
| `change.period.in.minute.on.fail` | The period (in minutes) to wait before attempting the password change again when a periodic password change has failed. | Integer (minutes) |
| `check.new.users.with.super.user` | SAPM can check for new users in the target systems periodically or on demand (see section Checking for New Users for details). If set as “true”, the super user credentials defined by the “super.username” and “super.password” properties are used to check for new users on the target device. The default value is “false”, meaning the SAPM account username and password are used. | true/false |
| `check.password.command.template` | The Password Vault can periodically check the validity of the stored passwords. The command set defined here is used to check whether the stored password is valid. | Specific to the device type. |
| `check.password.success.pattern` | The output pattern, in regex format, that shows the password is valid. | Specific to the device type. |
| `check.password.validation` | If set as “true”, the SAPM accounts using this configuration can be included in periodic and one-time password validations. If set as “false”, the Check Password operation is not executed for the SAPM accounts using this configuration. This check verifies that the stored password is correct. | true/false. Default value: true |
| `check.password.with.super.user` | If set as “true”, the super user credentials defined by the “super.username” and “super.password” properties are used to check the validity of the SAPM account password on the target device. The default value is “false”, meaning the SAPM account username and password are used to check the password validity. | true/false |
| `connection.timeout` | Timeout for the connection to the target system. | Integer (seconds) |
| `database.driver` | Database driver used to manage database passwords. | Driver for Oracle, PostgreSQL, MS SQL Server, MySQL, Cassandra, SAP HANA DB, Teradata or Sybase, in the following form: `oracle.jdbc.driver.OracleDriver`, `org.postgresql.Driver`, `com.mysql.jdbc.Driver`, `com.microsoft.sqlserver.jdbc.SQLServerDriver`, `com.sap.db.jdbc.Driver`, `org.apache.cassandra.cql.jdbc.CassandraDriver`, `com.teradata.jdbc.TeraDriver`, `com.sybase.jdbc4.jdbc.SybDriver` |
| `delete.list.script.template` | The Expect script used to delete users. | Script written in Expect. E.g. for Cisco IOS routers: `send "enable\r" expect "Password:" send "${superPassword}\r" expect { "Password:" { exit 1 "wrong enable password" } "#" { } } send "conf t\r" expect "#" send "no username ${username}\r" expect { "#" { } "%" { exit 1 "command failed" } } send "do write\r" exit` |
| `delete.user.command.template` | The command set used to delete users from the target device, after the New Users list produced by the new user check has been reviewed. | Specific to the device type. |
| `edit.comment.enable` | When enabled, a comment field is shown when an account is edited. | true/false |
| `execute.post.command.with.super.user` | If set as “true”, the super user credentials defined by the “super.username” and “super.password” properties are used to run the commands after the password change (e.g., to kill the active sessions started with the previous password). The default value is “false”, meaning the SAPM account username and password are used to run the commands after the password change. See section Configuration Properties to Execute Commands After Changing Passwords for more information. | true/false |
| `error.check.account.command.template` | If “super.username” and “super.password” are defined in the configuration, the commands in this property are run on the server. This parameter only affects the SSH strategy. | `passwd -S ${username}` |
| `error.check.account.command.parser` | Regex used to parse the output of the command in error.check.account.command.template and display the desired message on screen. | `\(.*\)` |
| `file.path` | Target file path for the FILE strategy. The “file.regex.to.match” and “file.regex.to.replace” properties are also required for this strategy. See section Managing Passwords in a File for more information. | Specific to the device type. |
| `file.regex.to.match` | The regex pattern that matches the password in the file at file.path. The “file.path” and “file.regex.to.replace” properties are also required for the FILE strategy. See section Managing Passwords in a File for more information. | Specific to the device type. |
| `file.regex.to.replace` | When “file.regex.to.match” matches the password field, the match is replaced with this property value. The “file.regex.to.match” and “file.path” properties are also required for the FILE strategy. See section Managing Passwords in a File for more information. | Specific to the device type. |
| `http.change.password.body` | The HTTP body of password change requests (HTTP strategy), for applications or devices that provide an HTTP password change API. | Specific to the device type. |
| `http.change.password.headers` | The HTTP headers of password change requests (HTTP strategy), for applications or devices that provide an HTTP password change API. | Specific to the device type. |
| `http.change.password.method` | The HTTP method of password change requests (HTTP strategy), for applications or devices that provide an HTTP password change API. | POST / GET / PUT |
| `http.change.password.url` | The URL that password change requests are sent to (HTTP strategy), for applications or devices that provide an HTTP password change API. | Specific to the device type. |
| `http.check.password.body` | The HTTP body of password check requests (HTTP strategy), for applications or devices that provide an HTTP password check API. | Specific to the device type. |
| `http.check.password.headers` | The HTTP headers of password check requests (HTTP strategy), for applications or devices that provide an HTTP password check API. | Specific to the device type. |
| `http.check.password.method` | The HTTP method of password check requests (HTTP strategy), for applications or devices that provide an HTTP password check API. | POST / GET / PUT |
| `http.check.password.url` | The URL that password check requests are sent to (HTTP strategy), for applications or devices that provide an HTTP password check API. | Specific to the device type. |
| `http.delete.user.body` | The HTTP body of delete user requests (HTTP strategy), for applications or devices that provide an HTTP user delete API. | Specific to the device type. |
| `http.delete.user.headers` | The HTTP headers of delete user requests (HTTP strategy), for applications or devices that provide an HTTP user delete API. | Specific to the device type. |
| `http.delete.user.method` | The HTTP method of delete user requests (HTTP strategy), for applications or devices that provide an HTTP user delete API. | POST / GET / PUT |
| `http.delete.user.success.pattern` | The output pattern, in regex format, that shows the HTTP delete user request succeeded, for applications or devices that provide an HTTP user delete API. | Specific to the device type. |
| `http.delete.user.url` | The URL that delete user requests are sent to (HTTP strategy), for applications or devices that provide an HTTP user delete API. | Specific to the device type. |
| `http.user.list.body` | The HTTP body of user listing requests (HTTP strategy), for applications or devices that provide an HTTP user listing API. | Specific to the device type. |
| `http.user.list.headers` | The HTTP headers of user listing requests (HTTP strategy), for applications or devices that provide an HTTP user listing API. | Specific to the device type. |
| `http.user.list.method` | The HTTP method of user listing requests (HTTP strategy), for applications or devices that provide an HTTP user listing API. | POST / GET / PUT |
| `http.user.list.url` | The URL that user listing requests are sent to (HTTP strategy), for applications or devices that provide an HTTP user listing API. | Specific to the device type. |
| `ldap.base.dn` | Base Distinguished Name (DN) for LDAP. | Specific to the LDAP structure. E.g.: `OU=TestUser,DC=SingleConnect,DC=local` |
| `ldap.domain` | The domain name included in the command sent to the AD servers for AD user password changes when the “change.password.with.domain” property is set as “true”. | Domain name |
| `ldap.ignore.certificate` | Ignore the server certificate for LDAP/AD connections. | true/false |
| `ldap.password.attribute.name` | The attribute name of the password in the LDAP/AD records. | Usually “userPassword” |
| `ldap.username.dn.template` | The Distinguished Name (DN) template for users managed with this SAPM Configuration. | Specific to the LDAP structure. E.g.: `CN=${username},DC=example,DC=com` |
| `ldap.connection.timeout` | Sets the LDAP and Active Directory response read timeout. | Integer (ms). Default value: 5000 |
| `new.password.encryption.key` | The encryption key used when “new.password.encryption.method” is set to AES. | String |
| `new.password.encryption.method` | The method used for password encryption. | CLEAR / MD5 / AES / UNICODE_ENCLOSED_IN_DOUBLE_QUOTES |
| `new.user.exception.list` | The list of users to be ignored in the new user checks. | |
| `new.user.found.action` | The action taken when a new user is found. | LOG / NOTHING / DELETE / LOG_AND_DELETE |
| `password.change.reminder.day` | The number of days before a password change at which a reminder is sent to the email addresses defined in the sapmMailList property of the device group. | Integer (days) |
| `password.strength.symbol.chars` | The pool of characters allowed as symbol characters in password strength. The double quotation mark (") and the percent sign (%) are not allowed in a SAPM password that has a WinRM configuration. | Character string. E.g.: ``!"#$%&'()*+,-./:;<?@[\]^_`{\|}~`` |
| `password.strength.lowercase.count` | The exact number of lowercase letters that must be included in passwords. | Integer |
| `password.strength.number.count` | The exact number of digits that must be included in passwords. | Integer |
| `password.strength.symbol.count` | The exact number of symbol characters that must be included in passwords. | Integer |
| `password.strength.uppercase.count` | The exact number of uppercase letters that must be included in passwords. | Integer |
| `post.command` | The commands executed on the server after a successful password change (e.g., to kill active sessions started with the previous password). Multiple commands can be separated with `\n` characters. See section Configuration Properties to Execute Commands After Changing Passwords for more information. | Specific to the device type. |
| `post.command.failure.pattern` | If this pattern is found in the output of a post.command command, that command is tagged as “FAILED”. When this happens and the “post.command.stop.on.fail” property is set as “true”, command execution stops and the remaining commands are not executed. | Specific to the device type. |
| `post.command.stop.on.fail` | When set as “true”, if any failure occurs during post command execution, the remaining commands are not executed. The default value is “false”. | true/false |
| `set.comment.to.account` | When enabled, a comment is requested at password checkout. | true/false |
| `skip.password.validation.after.change` | If set as “true”, no password validation is done after a password change. The default value is “false”, meaning the password is validated after a password change (SSH and WinRM strategies only). For TACACS+ devices it must be set as “true”. | true/false |
| `show.accounts.in.auto.login.for.domain.match` | Restricts Active Directory and LDAP accounts in auto login to domain accounts. The Domain parameter must be set on the device. | true/false. Default value: false |
| `ssh.port` | The port number for SSH connections (SSH strategy). The default value is 22. | Integer |
| `static.secret.type` | The type of static account for the STATIC strategy. | USER_CREDENTIAL / SSH_KEY / SSL_CERTIFICATE / OTHER (Secret Data) |
| `super.password` | The password of the super user, who has elevated rights on the target server. Must be set when any of the `*.with.super.user` properties is set as “true”. | String (hidden) |
| `super.username` | The username of the super user, who has elevated rights on the target server. Must be set when any of the `*.with.super.user` properties is set as “true”. | String |
| `target.url.template` | The AD/LDAP URL for the Active Directory strategy. | Device specific. |
| `unlock.account.with.super.user` | When set as “true”, the super user is used to unlock the AD user account. | true/false |
| `user.group.parser.delimiter` | The delimiter character that separates multiple user groups when checking for new users on a server. | String |
| `user.list.command` | The command used to get the user list. | E.g.: `cat /etc/passwd` |
| `user.list.script.template` | The Expect script used to get the user list. | Expect script. |
| `username.parser` | The regex pattern used to extract usernames from the user listing. | Specific to the device type. E.g.: `(.*?):.*` |
| `update.comment.enable` | When enabled, a comment is requested at password update. | true/false |
| `winrm.auth.method` | Authentication method for WinRM. | Basic, Digest, NTLM, Negotiate or Kerberos |
| `winrm.ignore.certificate` | When set as “true”, certificate errors are ignored during WinRM connections. | true/false |
| `winrm.port` | The port number for WinRM connections. | Integer |
| `winrm.secure` | When set as “true”, the connection is made over HTTPS; otherwise over HTTP. | true/false |
| `winrm.connection.timeout` | Sets the WinRM response read timeout. | Integer (ms). Default value: 5000 |
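The change.password.command.template, change.password.success.pattern, change.password.failure.pattern and skip.password.validation.after.change rows describe how a command set is rendered from `${...}` placeholders and how the device output decides whether the new password is stored. The following Python is an added illustration of that logic and is not code from Single Connect; the shortened Cisco-style template, the output strings and the test-first ordering of the failure pattern are this example's own constructed assumptions.

```python
import re
from string import Template
from typing import List, Optional

# Constructed sample values, not taken from the product: a shortened Cisco-style
# command set using the ${name} placeholder syntax of the SAPM templates, and
# the two output patterns quoted on this page.
SAMPLE_TEMPLATE = (
    "en\n${superPassword}\nconf t\nline con 0\npassword ${newPassword}\n"
    "enable secret ${newPassword}\nend\nwr me\nexit"
)
SAMPLE_FAILURE_PATTERN = r"% Invalid input detected.*"
SAMPLE_SUCCESS_PATTERN = r".*successfully.*"


def render_command_set(template: str, **values: str) -> List[str]:
    """Expand ${...} placeholders and split the set into individual commands.

    Template.substitute raises KeyError for a placeholder without a value, so a
    misspelled placeholder is caught before anything is sent to the device
    instead of a literal "${...}" being written as the new password.
    """
    return Template(template).substitute(values).split("\n")


def classify_output(output: str, success_pattern: Optional[str],
                    failure_pattern: Optional[str]) -> Optional[bool]:
    """True = change succeeded, False = failed, None = neither pattern matched.

    The failure pattern is tested first so that output matching both patterns
    is treated as a failure (this ordering is an assumption of the example).
    """
    if failure_pattern and re.search(failure_pattern, output, re.DOTALL):
        return False
    if success_pattern and re.search(success_pattern, output, re.DOTALL):
        return True
    return None


def should_store_new_password(output: str, success_pattern: Optional[str],
                              failure_pattern: Optional[str],
                              skip_validation_after_change: bool,
                              connection_validation_ok: Optional[bool]) -> bool:
    """Decide whether the vault may commit the new password to its database.

    With skip.password.validation.after.change set to false the page states that
    the post-change connection validation overrides the pattern decision; with
    true, only the output patterns decide. An undecided result (no validation
    result, or no pattern matched) means "do not store": the vault should never
    record a password it cannot show to be in effect on the target.
    """
    if not skip_validation_after_change:
        return connection_validation_ok is True
    return classify_output(output, success_pattern, failure_pattern) is True
```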
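The file.path, file.regex.to.match and file.regex.to.replace rows describe the FILE strategy, which rewrites a password field inside a file with a regex. The Python below is an added example of that replacement and not the product's own implementation; the sample properties file, the match pattern and the use of a `${newPassword}` placeholder in the replace value (borrowed from the command template convention on this page) are assumptions of the example.

```python
import re
from typing import Optional

# Constructed sample file (not from the product): a properties file whose
# password line is the field the FILE strategy must rewrite.
SAMPLE_FILE = (
    "db.url=jdbc:postgresql://db.example.internal/app\n"
    "db.user=app\n"
    "db.password=OldP4ss\n"
)

# Assumed values for file.regex.to.match and file.regex.to.replace. The match
# pattern captures the key prefix in group 1 so the replacement can keep it;
# the ${newPassword} placeholder in the replace value follows the convention of
# the command templates on this page and is an assumption of this example.
SAMPLE_REGEX_TO_MATCH = r"^(db\.password=).*$"
SAMPLE_REGEX_TO_REPLACE = r"\1${newPassword}"
PLACEHOLDER = "${newPassword}"


def rewrite_password(content: str, regex_to_match: str, regex_to_replace: str,
                     new_password: str) -> Optional[str]:
    """Return the rewritten file content, or None if the match regex hit nothing.

    Two things matter for a vault here. If nothing matched, the file must stay
    untouched and the change must be reported as failed, otherwise the vault
    would store a password the target never received. And the new password must
    be inserted literally: feeding it through re.sub's replacement syntax would
    let a password containing a backslash or "\\1" corrupt the file, so only the
    replace template goes through expand() and the password is joined in as-is.
    """
    pattern = re.compile(regex_to_match, re.MULTILINE)
    parts = regex_to_replace.split(PLACEHOLDER)

    def expand(match: "re.Match[str]") -> str:
        # Group references (\1, \g<name>) are resolved only in the template parts.
        return new_password.join(match.expand(part) for part in parts)

    new_content, count = pattern.subn(expand, content)
    return new_content if count else None
```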
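The password.strength.* rows specify exact per-class character counts and a symbol pool, with the double quotation mark and percent sign excluded for accounts under a WinRM configuration. As an added example that is not code from Single Connect, the Python below generates a password that meets such a policy with a CSPRNG and checks an existing password against it; the policy values are constructed, and the pool is the one quoted on this page with the two WinRM-forbidden characters removed.

```python
import secrets
import string
from typing import List, Tuple

# Constructed policy values for the password.strength.* properties, not taken
# from a real configuration. The symbol pool is the one quoted on this page with
# the double quotation mark and percent sign removed, as required for accounts
# that use a WinRM configuration.
PAGE_SYMBOL_CHARS = "!\"#$%&'()*+,-./:;<?@[\\]^_`{|}~"
WINRM_FORBIDDEN = "\"%"
SAMPLE_POLICY = {
    "password.strength.lowercase.count": 6,
    "password.strength.uppercase.count": 2,
    "password.strength.number.count": 3,
    "password.strength.symbol.count": 2,
    "password.strength.symbol.chars": "".join(
        c for c in PAGE_SYMBOL_CHARS if c not in WINRM_FORBIDDEN),
}


def _pools(policy: dict) -> List[Tuple[str, str]]:
    """(count key, character pool) pairs; the symbol pool comes from the policy."""
    return [
        ("password.strength.lowercase.count", string.ascii_lowercase),
        ("password.strength.uppercase.count", string.ascii_uppercase),
        ("password.strength.number.count", string.digits),
        ("password.strength.symbol.count", policy["password.strength.symbol.chars"]),
    ]


def generate_password(policy: dict) -> str:
    """Build a password with exactly the configured count from each class.

    Characters are drawn with the secrets module (CSPRNG) and the final order is
    shuffled with a CSPRNG-backed Random so class positions are not predictable.
    """
    chars = []
    for key, pool in _pools(policy):
        chars.extend(secrets.choice(pool) for _ in range(int(policy[key])))
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def violations(password: str, policy: dict) -> List[str]:
    """Return the policy keys the password does not satisfy (empty = compliant).

    Counts must match exactly, and any character outside every pool (such as a
    double quote under the WinRM restriction) is reported against symbol.chars.
    """
    bad = []
    allowed = ""
    for key, pool in _pools(policy):
        allowed += pool
        if sum(c in pool for c in password) != int(policy[key]):
            bad.append(key)
    if any(c not in allowed for c in password):
        bad.append("password.strength.symbol.chars")
    return bad
```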