(Feature available only in Premium Edition)
If you have applications in your infrastructure that require connecting to other applications using a password, they can query PMP to retrieve the password at run time instead of keeping it in their own configuration files. This way, application-to-application (A-to-A) passwords can also follow good password management practices such as periodic rotation, without the trouble of manually making the updates in many places. The same procedure can be used for Application-to-Database password management (A-to-DB).
The web API exposed by PMP forms the basis for A-to-A password management in PMP. Applications connect to and interact with PMP over HTTPS. The application's identity is verified by requiring it to present a valid SSL client certificate matching the details already provided to PMP for that application. PMP makes this easier for applications by providing a command line script that hides the details of using the web API; the command line scripts invoke libraries that use the web API.
When you want an application to use the PMP web API, first you should register the application with PMP, providing specific details on the application. PMP will then create an integration toolkit containing the libraries and the command line scripts. The application can then use the toolkit to perform password operations on the PMP repository. Follow the procedure detailed below to do this:
Go to "Admin" >> "General" and click "Password Management API"
In the GUI that opens, click "Add Application" and provide details about your application. Fill in the following details:
Application Name
Name of the application in which you wish to deploy A-to-A password management using PMP.
DNS Name/IP Address
Required to establish communication between the application and PMP. The client certificate the application later presents must match the details registered here.
Resource Type
Select the operating system in which the application runs. Only the operating systems listed in the drop-down are supported by PMP (at present Windows and Linux).
Operations Allowed
Select the password management operations you wish to allow for the application: Creating Passwords, Resetting Passwords, Retrieving Passwords. Grant only the operations the application actually needs; an application that only reads a database password, for example, needs Retrieving Passwords alone.
Inherit the permissions of
You need to set the password access permissions for the application. The application cannot be allowed to manage all passwords; it has to be allotted the specific passwords accessible to it. PMP already has a comprehensive, well-defined set of access permissions for users, so the application may be permitted to inherit the access level of one of the PMP users. Select the name of that user from the drop-down. Note that the application will then be able to reach every password that user can reach, so choose a user whose access is no wider than the application requires.
Click "Save". Now, using the details provided by you, PMP will create a toolkit for the application
Click "Download Toolkit" and save the toolkit in the server where the application is running
As mentioned above, the application's identity is verified by requiring it to present a valid SSL client certificate matching the details already provided to PMP for that application. To make these settings:
Create SSL client certificate & private key
Generate the certificate signing request and the certificate as explained in the openssl cookbook. Put the certificate and the private key in the directory where you installed the PMP API on the application server.
Configurations for PMP API
Open a command prompt and navigate to the directory where you have installed the PMP API.
Edit PMP_API.conf and set the absolute path of the client certificate and of its private key (created and stored as explained above) in the parameters ClientCertPath and ClientKeyPath.
Next, create the truststore in PMP for A-to-A / A-to-DB authentication. Only the certificate is needed on the PMP server for this step; the private key stays on the application server. Open a command prompt on the PMP server, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:
For Windows
importCert.bat <Absolute path of the client certificate created by you>
For Linux
importCert.sh <Absolute path of the client certificate created by you>
Restart the PMP server.
Important Note: The client certificate and its private key must be present on the application server in which you want to use A-to-A / A-to-DB password management. The private key is what proves the application's identity to PMP, so keep it readable only by the account the application runs as.
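The certificate step above, as an added example that is not part of the PMP toolkit or its documentation: a POSIX shell script that creates the client key and certificate with openssl, checks that the certificate's subject matches the DNS name registered for the application in PMP and that the key belongs to the certificate, and writes the two PMP_API.conf parameters. Assumed, and not stated on this page: the subject CN must equal the registered DNS name, a self-signed certificate is accepted once imported with importCert (if PMP trusts a CA instead, have the CA sign the CSR in step 3), and PMP_API.conf uses name=value lines. The file names client.key/client.crt and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the PMP toolkit's own code): create the client key and
# certificate that PMP_API.conf points at, verify them, and set the two
# conf parameters.  Needs openssl on PATH.
# ASSUMPTIONS: CN = DNS name registered in PMP; self-signed cert; the conf
# file is name=value lines.  These are not stated in the PMP documentation.

set -eu
umask 077   # everything this script creates is owner-only (key, conf)

# make_client_cert DIR APP_DNS_NAME [DAYS]
# Creates DIR/client.key and DIR/client.crt and prints the certificate path.
make_client_cert() {
    dir=$1; app_dns=$2; days=${3:-365}
    mkdir -p "$dir"
    # 1. private key; unencrypted so the toolkit can read it without a
    #    passphrase prompt, protected by file permissions instead
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    # 2. certificate signing request with the registered DNS name as CN
    openssl req -new -key "$dir/client.key" -subj "/CN=$app_dns" \
        -out "$dir/client.csr" 2>/dev/null
    # 3. certificate (self-signed here); this is the file passed to importCert
    openssl x509 -req -days "$days" -in "$dir/client.csr" \
        -signkey "$dir/client.key" -out "$dir/client.crt" 2>/dev/null
    chmod 600 "$dir/client.key"
    printf '%s\n' "$dir/client.crt"
}

# cert_cn CERT : prints the CN from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=//p'
}

# check_cert_matches CERT APP_DNS_NAME : succeeds only if the CN equals the
# DNS name registered for the application (PMP matches the cert against
# the registered details, so a mismatch means the API calls will be refused)
check_cert_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# check_key_matches CERT KEY : succeeds only if KEY is the private key
# behind CERT (compares the SubjectPublicKeyInfo of both)
check_key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ "$c" = "$k" ]
}

# write_api_conf CONF CERT KEY : sets ClientCertPath and ClientKeyPath to
# absolute paths, keeping any other lines already in the file
write_api_conf() {
    conf=$1
    certabs=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    keyabs=$(cd "$(dirname "$3")" && pwd)/$(basename "$3")
    tmp=$(mktemp)
    if [ -f "$conf" ]; then
        grep -v -e '^ClientCertPath=' -e '^ClientKeyPath=' "$conf" > "$tmp" || true
    fi
    printf 'ClientCertPath=%s\nClientKeyPath=%s\n' "$certabs" "$keyabs" >> "$tmp"
    mv "$tmp" "$conf"
}

# Typical run on the application server (API toolkit unpacked in /opt/pmp_api,
# an assumed location):
#   crt=$(make_client_cert /opt/pmp_api app01.example.com)
#   check_cert_matches "$crt" app01.example.com && \
#   check_key_matches "$crt" /opt/pmp_api/client.key && \
#   write_api_conf /opt/pmp_api/PMP_API.conf "$crt" /opt/pmp_api/client.key
#   # then copy only client.crt to the PMP server and run importCert there
```

Run the two checks before copying the certificate to the PMP server: a CN that does not match the registered DNS name, or a key that does not belong to the certificate, fails silently later as a refused TLS handshake rather than at setup time.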
The above steps complete the installation of the PMP API in the application. For automatic A-to-A password management, use the following commands in your application to invoke the API. Each operation must have been allowed for the application when it was registered (see "Operations Allowed" above). In each case, open a command prompt and navigate to the directory where you installed the PMP API, then execute the command shown.
Retrieving a password
For Windows
PMP_API.bat RETRIEVE <Resource Name as present in PMP> <Account Name as present in PMP>
For Linux
PMP_API.sh RETRIEVE <Resource Name as present in PMP> <Account Name as present in PMP>
Executing the above command will return the password alone.
Resetting a password in PMP (local reset)
For Windows
PMP_API.bat RESET_LOCAL <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>
For Linux
PMP_API.sh RESET_LOCAL <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>
Executing the above command updates the password stored in PMP. Use RESET_REMOTE when the password on the resource itself must be changed as well.
Resetting a password on the remote resource
For Windows
PMP_API.bat RESET_REMOTE <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>
For Linux
PMP_API.sh RESET_REMOTE <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>
Executing the above command attempts a remote password reset. If the operation succeeds, it changes the password in PMP too and returns the message "Password changed successfully". If the remote password reset fails, the password in PMP is left unchanged and the message "Password reset failed" is returned.
Creating a resource and account
For Windows
PMP_API.bat CREATE <Resource Name> <Account Name> <Password>
For Linux
PMP_API.sh CREATE <Resource Name> <Account Name> <Password>
Executing the above command creates a new resource and an account in PMP. If you do not give a password for the account, PMP will automatically generate one.
Note that with RESET_LOCAL, RESET_REMOTE and CREATE the password is passed as a command line argument, so it is visible to other local users in the process list for as long as the command runs. Run these commands only on hosts where that exposure is acceptable, and let PMP generate the password with CREATE where you can.
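The four commands above, used from an application, as an added example that is not part of the PMP toolkit: a POSIX shell wrapper that runs PMP_API.sh from the toolkit directory, hands the retrieved password back in a variable instead of printing or logging it, and turns the RESET_REMOTE result messages quoted above into an exit status the caller can test. Assumed, and not stated on this page: PMP_API_DIR is where the toolkit was unpacked (the script changes into it so that PMP_API.conf is found), and the toolkit's exit code is not documented, so the output is checked as well. The function names, the /opt/pmp_api default and the resource and account names in the usage comment are the example's own.

```shell
#!/bin/sh
# Added example (not the PMP toolkit's own code): a wrapper an application
# can source to call PMP_API.sh and act on what it returns.
# ASSUMPTIONS: PMP_API_DIR is the toolkit directory (PMP_API.conf lives
# there); the result strings are the ones quoted in the PMP documentation
# for RESET_REMOTE; the toolkit's exit code is undocumented, so the output
# is checked too.

set -u
PMP_API_DIR=${PMP_API_DIR:-/opt/pmp_api}   # assumed install location

# run_pmp_api OP ARGS... : runs the toolkit from its own directory (so it
# finds PMP_API.conf and the client cert/key) and prints its stdout.
run_pmp_api() {
    ( cd "$PMP_API_DIR" && ./PMP_API.sh "$@" )
}

# pmp_retrieve RESOURCE ACCOUNT : prints the password (no trailing newline),
# or prints nothing and returns 1.  Capture it into a variable; never echo
# it into a log or pass it on as a command line argument to another program.
pmp_retrieve() {
    pw=$(run_pmp_api RETRIEVE "$1" "$2") || return 1
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# pmp_reset_remote RESOURCE ACCOUNT NEWPASSWORD : returns 0 only when the
# toolkit reports "Password changed successfully" (PMP then holds the new
# value too); "Password reset failed" means PMP still has the old password.
# The new password is visible in the process list while the toolkit runs.
pmp_reset_remote() {
    out=$(run_pmp_api RESET_REMOTE "$1" "$2" "$3") || return 1
    case $out in
        *"Password changed successfully"*) return 0 ;;
        *"Password reset failed"*)         return 1 ;;
        *) printf 'unexpected toolkit output: %s\n' "$out" >&2; return 1 ;;
    esac
}

# pmp_create RESOURCE ACCOUNT [PASSWORD] : creates the resource and account;
# with no password argument PMP generates one itself, which avoids putting
# a password on the command line at all.
pmp_create() {
    run_pmp_api CREATE "$@" >/dev/null
}

# gen_password [LEN] : random password for RESET_* from /dev/urandom
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-20}"
}

# Usage in an application that connects to a database (names assumed):
#   DB_PASS=$(pmp_retrieve db01.example.com appuser) || exit 1
#   ... open the database connection using "$DB_PASS" ...
# Periodic rotation driven from the application side:
#   new=$(gen_password 24)
#   pmp_reset_remote db01.example.com appuser "$new" || echo 'rotation failed' >&2
```

Because RESET_REMOTE leaves PMP unchanged on failure, the wrapper's non-zero return means the old password is still valid on both sides and the application can keep using what pmp_retrieve returns; only a successful reset requires the application to fetch the password again.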
© 2007, AdventNet Inc. All Rights Reserved.