Storing Digital Certificates, Licence Keys, Files, Documents, Images etc.

Different file types could be securely stored in the PMP repository along with the passwords. To store a license key or a certificate or a document etc. you need to select the 'Resource Type' as explained below:

By default, PMP supports the following file stores:

Certificate store: to store any private / public keys, digital certificates and digital signature files
 

License key store: to store any software license keys
 

File store: to store any digital content (documents, pictures, executables etc)

You can create any new resource type as pert your requirements.

Resources of the above types are managed and shared the same way as other resources. During retrieval, a link to the file is provided for it to be saved locally to the disc.

• What is the need for Password Policy field here?  

This question naturally arises when you are in the process of adding a resource. The following example would provide the answer: If your intention is to have accounts with strong passwords, others with admin privileges should not disturb this intention while changing the password. So, this step is crucial though it does not have a direct bearing on resource addition.

• Can I add my own custom fields for resources?

Yes, you can. You can have up to 20 additional custom fields to resources. To add a custom field, go to "Resources" tab and click the button "Customize Resource" in the drop-down under "More Actions"
 

1. Character/list - for text inputs

2. Numeric - to store numeric inputs

3. Password - to store password inputs. The values entered here, will not be echoed in the GUI. Additionally, Password Generator icon will be present beside it to help generate

4. Date & Time - to store date and time inputs

• Can others see the resources added by me?

Except super administrators (if configured in your PMP set up), no one, including admin users will be able to see the resources added by you. Apart from this, if you decide to share your resources with other administrators, they will be able to see tham.

Important Note:

If you want to enable password reset in remote systems, make sure that the passwords you enter in this step and the ones in the actual target systems are the same. PMP uses these credentials to login to the target systems and do the password reset and if the passwords are wrong, the password reset will not happen.

• Can I add my own custom fields for accounts?

Yes, you can. You can have up to 20 additional custom fields to accounts. To add a custom field, traverse to "Admin >> Customize >> Accounts -Additional Fields". Your additional fields can be in any of the following four formats -

1. Character/list - for text inputs

2. Numeric - to store numeric inputs

3. Password - to store password inputs. The values entered here, will not be echoed in the GUI. Additionally, Password Generator icon will be present beside it to help generate

4. Date & Time - to store date and time inputs

Resource Type

Reset Credentials Requirement

Windows (applies to Windows 2000, Windows 2003, Windows XP and Windows Vista servers and desktops) & Windows Domain

• For resetting the passwords of the local user accounts, choosing the administrator account in this step is not mandatory.

• If you want to reset service account passwords of services running in this Windows resource, specify the local Administrator account, which will be used to login into the machine and perform the password reset

• If the PMP service is run with domain administrator privilege, PMP will be able to change the passwords of all the local accounts in the computer (present in the domain) without the need for supplying the old password

• Click "Finish"

Linux / IBM AIX, HP UNIX, Solaris, Mac OS

For remote password reset of Unix resources, PMP first uses the remote login account to login to the target system. Then, to carry out password reset, privilege elevation is needed. PMP can either 'su' as root or use 'sudo' to execute the remote password reset commands (if the target system supports execution of password reset commands through 'sudo)'.

In this process, the following steps are involved:

1. Selecting the protocol

2. Selecting the authentication method for remote login based on the protocol chosen and specifying the remote login account

3. Specifying the root account if PMP has to use 'su' / selecting 'sudo'
    

Step 1 - Selecting the Protocol

• Select the protocol for remote login - ssh or telnet and then select the remote login account and root account. If you have chosen telnet, you can go to step 3.

Step 2 - If you opt for SSH, specify the authentication method
 

• If you opt for SSH, you have the option to use either "Password Authentication" or "Public Key Infrastructure" (PKI) Authentication.
  
  If you choose PKI authentication, you need to select the remote login account as explained below:
  
  The public key would be present under the remote system under a specific remote login account. Typically, it would be available under $Home/.ssh folder. Select the remote login account for which the public key is present. Also, PMP supports SSH2 and above only.
  
  Then browse and supply the corresponding Private Key.

Step 3 - Specifying the root account / selecting 'sudo'

 

• As mentioned above, for executing remote password reset commands, PMP can either 'su' as root or use 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.

• If you use the option, 'su' as root, you need to select the root account

• If the target system allows execution of password reset commands through 'sudo', you can select that option
   

• Click "Finish"

MySQL Server Resource Type

Password reset for MySQL server is done over JDBC. So, the MySQL Administrator credentials are required. You can enable remote reset of the password of MySQL server as below:

1. Specify the port where the MySQL server is running. By default,  MySQL occupies the port 3306
2. Specify the connection mode - you can configure the connection between MySQL Server and PMP to  be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.
   
   To enable the SSL mode, the MySQL server should be serving over SSL and you will have to import the MySQL server's root certificate into the PMP server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.
   
   To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:
   
   For Windows
   importCert.bat <Absolute Path of certificate>
   
   
   For Linux
   importCert.sh <Absolute Path of certificate>
   
   Restart PMP server. Then continue with the following steps.
3. To enable PMP access the MySQL server, provide MySQL Root Account Name
4. Click "Finish"

MS SQL Server Resource Type

Password reset for MS SQL server is done over JDBC. So, either a domain account credential having enough privileges to modify SQL server passwords or the MS SQL Administrator credential are required. You can enable remote reset of the password of MS SQL server as below:

1. Specify the port where the MS SQL server is running. By default,  MS SQL occupies the port 1433
2. Specify the connection mode - you can configure the connection between MS SQL Server and PMP to  be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.
   
   To enable the SSL mode, the MS SQL server should be serving over SSL and you will have to import the MS SQL server's root certificate into the PMP server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.
   
   To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:
   
   For Windows
   importCert.bat <Absolute Path of certificate>
   
   
   For Linux
   importCert.sh <Absolute Path of certificate>
   
   Restart PMP server. Then continue with the following steps.
3. To enable PMP access the MS SQL server, provide any one of the following details -
1. Windows Authentication details - that is specifying the domain name of which the MS SQL server is a part and then selecting any one user username  present in the domain (OR)
2. MS SQL Administrator Account
4. Click "Finish"

For Oracle DB Server

To carry out password reset for Oracle DB server, administrative privileges are required. So, an administrator account has to be specified. You can enable remote reset of the password of Oracle DB server as below:

1. Specify the Oracle DB Listener Port. By default, the Oracle DB server listens to the port 1521
2. Specify the connection mode - you can configure the connection between Oracle DB Server and PMP to  be over an encrypted channel (AES 256). If you choose the option 'YES' (encrypted mode), do the following. Otherwise, proceed to Step 3.
• Start Oracle Net Manager

• In the Navigator window, select "Oracle Net Configuration".

• Expand the option Local > Profile

• From the list in the right side pane, select the option "Oracle Advanced Security"

• In the tabbed window that appears thereafter, click the tab "Encryption"

• In the drop-down list for Encryption, select the option "Server"

• For "Encryption Type" list, select the option "Accepted"

• In the text-filed for 'Encryption Seed', enter random characters numbering between 10 and 70. Or, it can even be left blank

• Select the algorithm "AES 256"
• Specify an Oracle administrator account
3. Specify the Oracle Service Name. By default, the service name is taken as ORCL
4. Click "Finish"

For Sybase ASE

Prerequisite:

• jConnect 6.0 JDBC driver is required for the password reset. The driver is a file named "jconn3.jar" will be available under <Sybase_Install_Directory>\jConnect_6_0\classes folder (in Sybase ASE 15.0)
• Copy the jconn3.jar and save it under <PMP_Install_Directory>\lib folder (in the machine running PMP server)

To carry out password reset for Sybase ASE, administrative privileges are required. So, an administrator account has to be specified. Steps for enabling remote password reset for Sybase ASE are explained below:

1. Specify the Sybase ASE Port. By default, it occupies the port 5000 (in SSL mode, default port is 2748)
2. Specify the connection mode - you can configure the connection between Sybase ASE and PMP to  be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 3.
   • If you want to enable SSL communication from PMP to Sybase ASE
   • Copy and save the trust root certificate of the Sybase server present under trust root certificate will be present in <SYBASE_HOME>\ASE-15_0\certificates (in sybase ASE 15.0) to <PMP_Install_Directoty>\conf\ folder
   • Run this command to import the certificate in PMP: '<PMP_HOME>\jre\bin\keytool.exe -import -v -alias sybase -file <rootcert.txt> -keystore server.keystore -keypass passtrix -storepass passtrix -noprompt'
   • <rootcert.txt> is the root certificate of the Sybase ASE and usually named as <hostname>.txt
   • Restart PMP server
3. Specify an administrator account of Sybase ASE
4. Click "Finish"

For HP ProCurve Devices

PMP requires Telnet or SSH service to be running in the resource. Manager Account and Prompts of Manager Mode and Configuration Mode are required for PMP to login to the resource. PMP will use the configuration mode to reset the passwords. You can enable remote reset of passwords of your Hp Pro Curve devices by providing the following credentials:

For Cisco Devices (IOS/CatOS/PIX)

PMP requires Telnet or SSH service to be running in the resource. Passwords of the enable mode and a user account are required for PMP to login to the resource. PMP will use the configuration terminal mode to reset the passwords. You can enable remote reset of passwords of your cisco devices by providing the following credentials: