TPAM System Administrator Guide

The Privileged Appliance and Modules
(TPAM) 2.5
System Administrator Guide
Copyright © 2015 Dell Inc. All rights reserved.
This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc.,
registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or
its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the
Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation.
H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with
permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and
AIX are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide.
Juniper, JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both. MariaDB is a registered
trademark of MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are
registered trademarks of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and
other countries. Nokia is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the
United States and/or other countries. Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS
is a registered trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc.
PROXYSG is a trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered
trademark of Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in
the United States or other countries. UNIX and UNIXWARE are registered trademarks of The Open Group in the United States
and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other
jurisdictions. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks
and names or their products. Dell disclaims any proprietary interest in the marks and names of others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
TPAM System Administrator Guide
Updated - November 2015
Software Version - 2.5
TPAM 2.5
System Administrator Guide
2
Contents
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Information to gather . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Initial Set Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Recommended steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Start Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Power on the TPAM appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Configure the network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Configure DNS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
View running values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Flush DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
DNS suffix search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Host file mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Sys-Admin User ID’s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Web tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Key based tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Time tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Custom information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Add a web sys-admin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Add a CLI sys-admin user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Regenerate keys for CLI users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Delete a sys-admin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Disable/Enable a sys-admin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Unlock a sys-admin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Reset sys-admin user ID password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Manage your TPAM sys-admin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Promote a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Demote a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Manage the parmaster user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Active logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Distributed Processing Appliances (DPAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Power on the DPA appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Configure network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Enable remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Change setup password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Define remote IP address restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Prepare the DPA for enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Logs menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Increase DPA license count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Enroll DPA in cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Manage DPA settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
DPA log tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Remove DPA from a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Re-enroll a DPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Change DPA SSH port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Manage host file entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Net tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
DPAs and failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Test DPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
DPA version number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
High Availability Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Member status tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Snapshots tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Graphs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Cluster status tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Configure a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Remove a cluster member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Reboot a replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Automatic failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Functionality on a failed over replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Automatic failback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Change the run level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Force a failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Unforce a failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Transfer authoritative primary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Take over as authoritative primary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
How to change the replication interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Archive Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Configure archive servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Sys-Admin activity log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Security log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Firewall log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Database log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Alerts log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Proc log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Archive log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
SysLog configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Reason Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Add a reason code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Delete a reason code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Enable/Disable a reason code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Edit global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Password Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Default password rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Add a password rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Delete a password rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Email Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Configure mail agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Start/Stop the mail agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Sent mail report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Clear the mail queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Mail agent log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Configure email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Reset to factory defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Date and Time Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Set date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Configure network time protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Manage host keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Manage SSH keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Generate web certificate request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Import web certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
TPAM trusted CA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Web access trusted CA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Reset certificate to factory default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Certificate based web access for user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Sybase trusted root certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
MySQL trusted root certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Upload a certificate on a replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Automation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Agent status tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Start/Stop the auto management engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Disable/Enable an agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Auto Management settings tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Check password queue schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Manually load the check password queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Agent logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Daily Maintenance agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Auto Discovery agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Post-Session Processing agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
SSH daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Backup settings tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configure the backup schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
On demand backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
View backup log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
View backup history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Download an online backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Delete a backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Add an alert receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Delete an alert receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Alert thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Certificate based authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
SafeWord . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
RSA SecurID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Windows Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Defender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Ticket Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Data tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Rules listing tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Rule details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Add a ticket system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Add a ticket system rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Duplicate a ticket system rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Delete a ticket system rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Duplicate a ticket system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Delete a ticket system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Custom Logo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
File requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Upload custom logo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Remove custom logo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
License Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Adjust license limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
License management change log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Login Banner and Message of the Day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Message of the day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Net Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
The ping utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Nslookup utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
TraceRoute utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Telnet test utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Route table management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
System Status Page and O/S Patch Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
O/S patch status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
System status page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
System status graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
How to create a support bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Types of software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Check TPAM current version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Download a software update from the customer portal . . . . . . . . . . . . . . . . . . . . . . 156
Apply a software update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
View patch log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
View patch history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Shut Down/Restart the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Shutdown appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Restart appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Restore and Revert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Restore from a backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Apply backup to a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Revert to factory default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Revert to restore point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Disable remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
CLI Commands for the System Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Command standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Relocating/Readdressing an Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Change a primary’s IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Change a replica’s IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Kiosk Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
How to access the kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Reset the parmaster password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Restore from a backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Revert to a snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
About Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Contacting Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Technical Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
1 Before You Begin
• Introduction
• Information to gather
Introduction
This document has been prepared to assist you in becoming familiar with Quest One Privileged Password
Management. The System Administrator Guide explains the core functionality of the Privileged Password
Management product regardless of modules and licenses purchased. It is intended for network administrators,
consultants, analysts, and any other IT professionals using the product.
Before beginning the initial configuration of TPAM, take a few minutes to copy and complete the worksheet on
this page. The information below will be used in the process of setting up TPAM, and having it pre-organized
here will ensure an easy setup.
NOTE: If you are configuring High Availability, make an additional copy of this page and complete one for each device.
Information to gather
1 Have an available workstation or laptop that can be used to access the TPAM through a direct crossover connection. Use the Ethernet crossover cable provided with the appliance.
2 Write down the network configuration for the TPAM Primary:
• IP address:_____________________________________
• Subnet Mask:___________________________________
• Default Gateway:________________________________
• Primary DNS Server:_________________________________
• Secondary DNS Server:_______________________________
3 Write down the network configuration for the TPAM Replicas:
• IP address:_____________________________________
• Subnet Mask:___________________________________
• Default Gateway:________________________________
• Primary DNS Server:_________________________________
• Secondary DNS Server:_______________________________
4 If you have purchased DPAs, write down the network configuration for the DPAs.
• IP address:_____________________________________
• Subnet Mask:___________________________________
• Default Gateway:________________________________
• Primary DNS Server:_________________________________
• Secondary DNS Server:_______________________________
5 If you have purchased a Cache server, write down the network configuration for the Cache.
• IP address:_____________________________________
• Subnet Mask:___________________________________
• Default Gateway:________________________________
• Primary DNS Server:_________________________________
• Secondary DNS Server:_______________________________
6 Write down the information for the archive server you will use for backups.
• Archive server name:_________________________________
• IP Address:_________________________________________
• Account Name:______________________________________
• Password/DSS Key:__________________________________
7 Write down the information for the archive server you will use for logs.
• Archive server name:_________________________________
• IP Address:_________________________________________
• Account Name:______________________________________
• Password/DSS Key:__________________________________
8 For PSM customers, write down the information for the archive server you will use for session logs.
• Archive server name:_________________________________
• IP Address:_________________________________________
• Account Name:______________________________________
• Password/DSS Key:__________________________________
9 Obtain the password for the parmaster account. This password is included in the documentation shipped with the appliance.
________________________________________
IMPORTANT: If the parmaster password is recorded on this worksheet, it is highly recommended that this page be removed from the guide and destroyed after use.
10 SMTP Mail Configuration (optional, but highly recommended)
• IP address of the mail server:__________________________
• Email address to be used by TPAM:_______________________
11 NTP server address (optional):_____________________________
12 Allow remote access to /config? __________ Yes _________ No
2 Initial Set Up
• Introduction
• Recommended steps
Introduction
This chapter covers the recommended configuration steps in the /config and /admin interfaces. The order of the information presented in this manual reflects the recommended steps outlined below.
Recommended steps
To configure the /config and /admin interfaces:
1 Log on to the /admin interface. Put the appliance in Operational mode. Repeat this step for all appliances. See Change the run level for instructions on how to do this.
2 Log on to the /config interface. Configure the network settings and DNS settings. Repeat this step for all appliances. See Configure the network settings.
3 Generate or import web certificates for all your TPAM devices. See Generate web certificate request and Import web certificate.
4 Log on to the /admin interface with the parmaster user ID.
5 Add a Sys-Admin CLI user ID. Download and store the key outside of the appliance. See Add a CLI sys-admin user for details.
6 If applicable, configure a high availability cluster. See Configure a cluster.
7 Configure license usage. See Adjust license limits.
8 Configure archive servers for backups. See Configure archive servers.
9 Configure an archive server for logs. See Archive log settings.
10 Configure reason codes. (optional) See Add a reason code.
11 Configure global settings. See Edit global settings.
12 Configure password rules. See Add a password rule.
13 Configure email settings. See Configure mail agent and Configure email notification.
14 Configure the date and time settings. See Set date and time.
15 Configure the automation engine. See Auto Management settings tab.
16 Configure the daily maintenance agent, auto discovery agent and post session processing agent (PSM customers only). See Daily Maintenance agent.
17 Configure the backup schedule. See Configure the backup schedule.
18 Subscribe to alerts. See Add an alert receiver.
19 Generate new SSH keys. (optional) See Manage SSH keys.
20 Configure external authentication. (optional) See External Authentication.
21 Configure ticket systems. (optional) See Add a ticket system.
22 Add a custom logo. (optional) See Upload custom logo.
23 Configure a message of the day and/or login banner. (optional) See Login Banner and Message of the Day.
3 Start Up
• Introduction
• Power on the TPAM appliance
Introduction
Take a few moments to gather the tools you will need to perform the initial setup of the TPAM appliance, and organize your environment. You will need the following items:
• A laptop or workstation computer with a web browser and Ethernet interface that can be located near the appliance.
• A standard Ethernet crossover cable.
• The document supplied by Dell Software containing usernames and passwords (located on the CD).
• One IP address for each TPAM appliance on the network.
Power on the TPAM appliance
To power on the TPAM appliance:
1 Press the power button on the front panel of the appliance.
2 Connect a remote host computer (laptop, etc.) to the /config interface port using a crossover cable.
3 Set the IP address of the remote host to any address on the 192.168.1.XXX subnet, except for 192.168.1.105.
4 From the remote host, open a web browser session to https://192.168.1.105/config. If prompted to accept the certificate, click Yes.
5 Enter parmaster for the User Name. The password is supplied in the documentation accompanying the appliance.
TIP: If you have problems accessing the /config interface, check your browser Security Settings. Try using an alternate browser and/or make sure you have added the URL as a trusted site.
Once logged on, you will see the /config home page:
4 Network Settings
• Introduction
• Configure the network settings
• Configure DNS settings
• View running values
• Flush DNS
• DNS suffix search
• Host file mapping
Introduction
The /config interface provides the connection for the initial setup and configuration of the TPAM appliance, as well as an ongoing management interface for accessing logs and other forensic information.
The /config interface is used to set the following parameters for the appliance:
• IP Address
• Subnet Mask
• Default Gateway
• DNS server(s)
Configure the network settings
To configure the network settings:
1 Select Network Settings | Modify Network Settings from the menu.
2 Enter the IP Address, Subnet Mask, and Default Gateway. Click the Save Settings button.
NOTE: These settings take effect immediately, so if you change the IP address, upon clicking the Save Settings button your user session will end and you will have to log on to TPAM at the new IP address.
Configure DNS settings
Modifying the DNS settings allows you to change just the DNS servers without making any changes to the built-in firewall or the IP address of the appliance. This is the preferred method when no other network configuration changes are being made.
To configure the DNS settings:
1 Select Network Settings | Modify DNS Settings from the menu.
2 Enter the Preferred DNS Server and the Alternate DNS Server. Click the Save Settings button.
View running values
If you select Network Settings | View Running Values from the main menu, the current values for the primary
network interface for the appliance are displayed. This read only view lets the System Administrator confirm
that the settings are correct.
Flush DNS
To immediately flush all cached DNS entries:
1 Select Network Settings | Flush DNS from the menu.
2 Click the FlushDNS button.
DNS suffix search
The DNS suffix search allows you to add a domain suffix search order to the network settings. Adding these suffixes allows DNS queries for systems to be made by appending the suffixes in order. For example, suppose a system is entered in TPAM with a network address of questdevchad. If the suffix search order is blank, TPAM will query the DNS for questdevchad without any other information and fail. Specifying a suffix search list allows the system to append each suffix to questdevchad to resolve an address. If the search order is example.org,tpamexample.org, it will first try to resolve questdevchad.example.org and then questdevchad.tpamexample.org if the first resolution fails.
To add a DNS suffix search:
1 Select Network Settings | DNS Suffix Search from the menu.
2 Enter up to six DNS suffixes.
3 Click the Save Settings button.
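The lookup order described above, worked through in code. This is an added example, not TPAM's own code: it models the candidate names a suffix search list produces for an unqualified host name, enforces the six-suffix limit of the DNS Suffix Search page, and walks the candidates against a small name-to-address table that stands in for the DNS server. The zone table and the search order are constructed for the demonstration.

```python
# Added example (not TPAM's own code): models the DNS suffix search order for an
# unqualified host name and the six-suffix limit of the DNS Suffix Search page.
# SAMPLE_ZONE stands in for the answers a real DNS server would give (constructed).

MAX_SUFFIXES = 6  # the DNS Suffix Search page accepts up to six suffixes


def parse_suffix_list(text):
    """Parse a comma-separated suffix list such as 'example.org,tpamexample.org'.

    Whitespace and trailing dots are tolerated; more than MAX_SUFFIXES entries is an error.
    """
    suffixes = [s.strip().strip(".") for s in text.split(",") if s.strip()]
    if len(suffixes) > MAX_SUFFIXES:
        raise ValueError(f"at most {MAX_SUFFIXES} DNS suffixes are allowed, got {len(suffixes)}")
    return suffixes


def lookup_candidates(name, suffixes):
    """Return the names the resolver will try, in order, for an unqualified host name.

    With an empty search list the bare name is the only candidate (and, as the guide
    notes, a bare short name will normally fail). Otherwise each suffix is appended in
    list order, so the first suffix in the list is tried first.
    """
    name = name.strip().rstrip(".")
    if not suffixes:
        return [name]
    return [f"{name}.{suffix}" for suffix in suffixes]


def resolve(name, suffixes, zone):
    """Walk the candidate list against a name-to-address table.

    Returns (fqdn, address) for the first candidate that resolves, or None if none do.
    """
    for fqdn in lookup_candidates(name, suffixes):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


# Constructed sample: only the second suffix produces a name the DNS knows about.
SAMPLE_ZONE = {"questdevchad.tpamexample.org": "10.0.0.5"}
SAMPLE_SEARCH_ORDER = "example.org,tpamexample.org"

if __name__ == "__main__":
    suffixes = parse_suffix_list(SAMPLE_SEARCH_ORDER)
    print("lookup order:", lookup_candidates("questdevchad", suffixes))
    print("resolved:", resolve("questdevchad", suffixes, SAMPLE_ZONE))
    print("blank search order:", resolve("questdevchad", [], SAMPLE_ZONE))
```

With the sample search order the first candidate, questdevchad.example.org, is not in the zone, so the second suffix supplies the answer; with a blank search order the bare name is the only candidate and the lookup fails, which is the case the guide warns about.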
Host file mapping
Host file mapping allows a static entry of a Host Name that is directly linked to an IP Address without the dependency of a DNS server.
To map a host file entry:
1 Select Network Settings | Manage Hosts File from the menu.
2 Enter the Host IP address and the Host Name. Click the + button.
3 To remove an entry, click the X button.
4 Select Replicate hosts file to other consoles and include in backup to replicate the mappings to the replicas in the cluster.
5 Sys-Admin User IDs
• Introduction
• Add a web sys-admin user ID
• Add a CLI sys-admin user
• Regenerate keys for CLI users
• Delete a sys-admin user ID
• Disable/Enable a sys-admin user ID
• Unlock a sys-admin user ID
• Reset sys-admin user ID password
• Manage your TPAM sys-admin user ID
• Promote a user ID
• Demote a user ID
• Manage the parmaster user ID
• Active logins
Introduction
This chapter covers adding and managing TPAM System Administrator user IDs.
To add and manage Sys-Admin user IDs, information is entered on the following tabs in the TPAM interface:
Table 1. Sys-Admin User Management: TPAM interface tabs
Details - Define main information, such as name and contact information.
Details/Web - Configure access and authentication methods.
Details/Key Based - Define the key based authentication method.
Details/Time - Define time zone and access times.
Details/Custom Information - Custom fields available for use.
Details tab
The table below explains all of the field options available on the Details tab (field name, whether it is required, its default where one applies, and a description).
Table 2. Sys-Admin User Management: Details tab options
User Name (required) - The user’s login id. Usernames may be a maximum of 30 characters long. The following special characters are allowed in the user name: `~#%&(){}.!'
User Disabled? (not required; default Off) - If selected, the user cannot access TPAM.
Last Name (required) - Last name of the user.
First Name (required) - First name of the user.
Phone Number (not required) - Phone number associated with the user ID in TPAM.
Mobile Number (not required) - Mobile number associated with the user ID in TPAM.
Email Address (not required) - The email address that TPAM will use for email notifications from TPAM. If multiple email addresses are to be associated with the user, this may be accomplished by using a semicolon and no spaces to separate them. An alias name can also be designated for the email (this name is displayed in the To: box). Example: John Doe<[email protected];[email protected]>,… To create an alias, type it as: alias<email-address-1;email-address-2>. Double quotes may be required to include spaces in email addresses.
Description (not required) - The description box may be used to provide additional details about the user.
Web tab
The table below explains all of the field options available on the Web tab:
Table 3. Sys-Admin User Management: Details Web tab options
Allow WEB Access? (not required; default On) - If selected, the user can access TPAM via the web.
NOTE: Allowing web access is permanent once saved. The only way to remove web access for the user ID is to delete the user and add the user back.
Password/Confirm Password (not required) - Enter/confirm a password for the user account. If left blank, a random password is generated by the TPAM system. The TPAM default password rule configured by the System Administrator is used for these passwords.
Certificate Thumbprint (not required) - For users who authenticate using a client certificate, the certificate’s SHA1 or SHA2 thumbprint should be entered here. This option will not appear unless Certificate is selected as the primary user authentication type.
Primary User Authentication (required; default Local) - If selected, the user can use primary authentication to authenticate. The primary authentication user ID cannot be the same as any other user’s TPAM user name or primary authentication ID. Available choices are:
• Certificate - Users authenticate using a client certificate.
• Local - TPAM
• Windows Active Directory - WinAD is configured in the admin interface as an external source of authentication. The Windows® AD primary user ID must always be in UPN (user principal name) format, allowing the use of multiple domains.
• LDAP - LDAP is configured in the admin interface as an external source of authentication. You have the option of letting users type a shortened version of their LDAP user ID that expands to the full LDAP user ID for authentication.
• Radius - Radius is configured in the admin interface as an external source of authentication.
• Defender - Defender is configured in the admin interface as an external source of authentication.
Secondary User Authentication (not required; default None) - If the user is using secondary authentication, select the type and source and enter their user ID here. Choices of secondary authentication are:
• None
• Safeword
• SecureID
• LDAP
• Radius
• WinAD
• Defender
Key based tab
The table below explains all of the field options available on the Key Based tab:
Table 4. Sys-Admin User Management: Details Key Based tab options
CLI (not required; default Off) - If selected, the user can access TPAM via the CLI.
CLI Key Passphrase (not required) - Only applies to CLI users. This is an optional passphrase to encrypt the user’s private key. The phrase is case sensitive, up to 128 characters, and does not allow double quotes (“). The phrase is not stored and cannot be retrieved after the key is generated. Remember to give the passphrase to the CLI user along with their private key file.
NOTE: If the CLI user ID and key are going to be used in any type of scripting or automation, be aware that any time a CLI key with a passphrase is used the passphrase must be typed by the user via the keyboard. Passphrase entry via any type of scripting is not allowed for DSS keys.
Restricted IP Address (not required) - Only applies to CLI users. If an address is specified, the user may only access TPAM from this address. More than one IP address may be specified by separating each with a comma, up to a limit of 100 characters for the entire string. The use of wildcards is also permitted to specify a complete network segment, i.e. 10.14.10.*
Since a CLI user cannot be disabled with a check box, this box can be used to temporarily disable the user’s access by setting the value to an invalid IP address such as “disabled”.
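The Restricted IP Address check, worked through as an added example that is not TPAM's own code. It shows the three behaviours the table describes: an empty field imposes no restriction, a comma-separated list (with 10.14.10.* style wildcards and the 100-character limit) allows a client that matches any entry, and a value that is not an address at all, such as "disabled", matches no client and therefore shuts the CLI user out. The wildcard is assumed to stand for one whole octet, and the sample addresses are constructed.

```python
# Added example (not TPAM's own code): evaluates a CLI user's Restricted IP Address
# value as the Key Based tab describes it. Assumption: '*' stands for one whole octet,
# as in the guide's 10.14.10.* example. Sample addresses are constructed.
import ipaddress

MAX_RESTRICTION_LEN = 100  # limit on the whole comma-separated string


def parse_restriction(value):
    """Split the field into its entries, enforcing the 100-character limit on the raw string."""
    if len(value) > MAX_RESTRICTION_LEN:
        raise ValueError(
            f"restriction string is {len(value)} characters, limit is {MAX_RESTRICTION_LEN}")
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def entry_matches(entry, client_ip):
    """True if one entry matches client_ip (a dotted-quad string).

    Each octet of the entry must either equal the client's octet or be '*'. An entry
    that is not four dot-separated parts (for example "disabled") matches nothing,
    which is exactly why the guide suggests it as a way to block a CLI user.
    """
    pattern = entry.split(".")
    octets = client_ip.split(".")
    if len(pattern) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(pattern, octets))


def cli_access_allowed(restriction, client_ip):
    """Decide whether a CLI login from client_ip passes the Restricted IP Address check.

    An empty field means no restriction. Otherwise the client must match at least one
    entry. Raises ValueError if client_ip is not a well-formed IPv4 address.
    """
    ipaddress.IPv4Address(client_ip)  # reject anything that is not a valid IPv4 address
    entries = parse_restriction(restriction)
    if not entries:
        return True
    return any(entry_matches(entry, client_ip) for entry in entries)


if __name__ == "__main__":
    # Constructed sample values: one network segment plus one exact host.
    for restriction, client in [("10.14.10.*,192.0.2.10", "10.14.10.7"),
                                ("10.14.10.*,192.0.2.10", "10.14.11.7"),
                                ("disabled", "10.14.10.7"),
                                ("", "198.51.100.4")]:
        print(f"{restriction!r:26} {client:14} -> {cli_access_allowed(restriction, client)}")
```

Validating the client address before matching matters: a wildcard comparison on an arbitrary string could otherwise be satisfied by input that is not an address at all.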
Time tab
The Time tab allows you to set a System Administrator’s local time zone. This tab is not enabled for CLI users.
NOTE: The TPAM server is always at UTC time and never uses daylight savings time.
The table below explains all of the field options available on the UserID Time tab:
Table 5. Sys-Admin User Management: Details Time tab options
User Timezone (required; defaults to the default user timezone global setting value) - Select a local time zone for the user.
NOTE: If the user is in a time zone that follows DST, TPAM will automatically adjust the time for them.
Time Based System Access (required; default No Restrictions) - Choices are:
• No Restriction - If selected, the user can access TPAM at any time/day.
• Allow - To limit a user’s access to TPAM, select the Allow button, select days of the week and enter up to 4 time ranges. Multiple ranges must be separated by semi-colons. The ranges must be entered using 24-hour times with a hyphen between start and end times.
• Prohibit - To restrict a user’s access to TPAM, select the Prohibit button, select days of the week and enter up to 4 time ranges. The ranges must be entered using 24-hour times with a hyphen between start and end times.
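The Time Based System Access rule, applied in code as an added example that is not TPAM's own code. It parses the semicolon-separated 24-hour ranges (at most four), checks the selected days of the week, and evaluates Allow mode (access only inside the ranges) and Prohibit mode (access only outside them). Because the TPAM server keeps UTC, a helper first converts a server timestamp to the user's local time. Assumptions: times are written HH:MM, a range includes its start and excludes its end, and the user's offset from UTC is supplied as a fixed number of hours rather than derived from a named time zone. The rule and timestamps are constructed.

```python
# Added example (not TPAM's own code): applies the Time tab's Time Based System Access
# rule. Assumptions: "HH:MM" times, a range includes its start and excludes its end,
# and the user's UTC offset is a fixed number of hours. Sample rules are constructed.
from datetime import datetime, timedelta, timezone

MAX_RANGES = 4
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # index matches datetime.weekday()


def parse_ranges(text):
    """Parse 'HH:MM-HH:MM;HH:MM-HH:MM' into a list of (start, end) time pairs."""
    ranges = []
    for chunk in (c.strip() for c in text.split(";") if c.strip()):
        start_text, hyphen, end_text = chunk.partition("-")
        if not hyphen:
            raise ValueError(f"range {chunk!r} needs a hyphen between start and end times")
        start = datetime.strptime(start_text.strip(), "%H:%M").time()
        end = datetime.strptime(end_text.strip(), "%H:%M").time()
        if end <= start:
            raise ValueError(f"range {chunk!r} must end after it starts")
        ranges.append((start, end))
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"at most {MAX_RANGES} time ranges are allowed, got {len(ranges)}")
    return ranges


def in_window(local_dt, days, ranges):
    """True if local_dt is on one of the selected days and inside one of the ranges."""
    if DAYS[local_dt.weekday()] not in days:
        return False
    now = local_dt.time()
    return any(start <= now < end for start, end in ranges)


def access_allowed(mode, days, ranges_text, local_dt):
    """Evaluate the rule for a user's local date-time.

    mode is "No Restriction", "Allow" or "Prohibit"; days is an iterable of DAYS names.
    """
    if mode in ("No Restriction", "No Restrictions"):
        return True
    hit = in_window(local_dt, set(days), parse_ranges(ranges_text))
    if mode == "Allow":
        return hit
    if mode == "Prohibit":
        return not hit
    raise ValueError(f"unknown Time Based System Access mode {mode!r}")


def to_user_local(server_utc, utc_offset_hours):
    """Convert a server (UTC) timestamp to naive local time for a fixed UTC offset."""
    if server_utc.tzinfo is None:
        server_utc = server_utc.replace(tzinfo=timezone.utc)
    local_zone = timezone(timedelta(hours=utc_offset_hours))
    return server_utc.astimezone(local_zone).replace(tzinfo=None)


if __name__ == "__main__":
    # Constructed rule: weekday business hours plus an evening window, user at UTC-5.
    weekdays = ("Mon", "Tue", "Wed", "Thu", "Fri")
    rule = "08:00-17:00;19:00-21:00"
    local = to_user_local(datetime(2015, 6, 3, 14, 0, tzinfo=timezone.utc), -5)  # Wed 09:00
    print("Allow    ->", access_allowed("Allow", weekdays, rule, local))
    print("Prohibit ->", access_allowed("Prohibit", weekdays, rule, local))
```

Converting to the user's local time before evaluating is the step that is easy to get wrong: the same 14:00 UTC session start falls inside business hours for a user at UTC-5 and outside them for a user several zones east.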
Custom information tab
There are six custom fields that can be used to track information about each user. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled the Custom Information tab will not be visible.
Add a web sys-admin user ID
When adding a user ID in TPAM, information is entered on the following tabs to configure the user:
• Details
• Details/Web
• Details/Time
• Details/Custom
The following procedure describes the steps to add a user ID.
To add a new web user ID:
1 Select Sys-Admin UserIDs | Add Sys-Admin UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab. (Optional)
4 To set time zone and access rules, click the Time tab and make changes. For more details see Time tab. (Optional)
5 To enter custom information, click the Custom Information tab. For more details see Custom information tab. (Optional)
6 Click the Save Changes button.
Add a CLI sys-admin user
A CLI Sys-Admin user ID is a special user account used to access TPAM remotely via the CLI (command line interface). It is possible for one user ID to be both a web and CLI user. When accessing TPAM through the CLI, users can only execute the specific commands supported by the TPAM CLI. User IDs that have access to the system administrator CLI commands show "CliA" in the Interface column on the User Listing tab.
NOTE: The parmaster user ID cannot be given CLI access.
To add a new Sys-Admin CLI user ID:
1 Select Sys-Admin UserIDs | Add Sys-Admin UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the CLI check box. Enter information on the Key Based tab. For more information see Key based tab.
5 Click the Save Changes button.
6 Click the Details tab.
7 Click the Key Based tab.
8 Click the Download Key button.
9 Save the key file that is generated.
10 Give this key file to the user. This key file must be placed on any computer that uses this user ID to access TPAM’s command line functions.
NOTE: The key file can be renamed.
IMPORTANT: If a user ID has both web and API or CLI access to TPAM you will not be able to download or generate keys for that user ID. The user must log on to TPAM to download and/or regenerate their own DSS key.
Regenerate keys for CLI users
To generate a new key:
1 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user.
5 Click the Details tab.
6 Click the Key Based tab.
7 If you require a CLI Key Passphrase, enter one. If not, proceed to step 8.
8 Click the Regenerate Key button.
Delete a sys-admin user ID
To delete a sys-admin user ID:
1 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
Disable/Enable a sys-admin user ID
To disable/enable a sys-admin user ID:
1 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be changed.
5 Click the Details tab.
6 Select/Clear the User Disabled? box.
7 Click the Save Changes button.
Unlock a sys-admin user ID
A user may need to be unlocked if they enter an incorrect password multiple times.
To unlock a sys-admin user:
1 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be unlocked.
5 Click the Unlock button.
Reset sys-admin user ID password
To reset a sys-admin user’s password:
1 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be reset.
5 Click the Details tab.
6 Enter the new password in the Password and Confirm fields.
7 Click the Save Changes button.
8 Notify the user of their new password.
Manage your TPAM sys-admin user ID
Any user may change their password and update individual account details using the User menu option.
To reset your password:
1 From the User menu select Change Password.
2 Enter the Old Password, the New Password, and Confirm New Password.
3 Click the Save Changes button.
NOTE: User passwords are subject to the requirements of the Default Password Rule.
To edit your user details:
1 From the User menu select User Details.
2 Make changes in the following fields:
Table 6. Fields available under User Details
Phone Number - Phone number that is associated with your user ID in TPAM.
Mobile Number - Mobile number that is associated with your user ID in TPAM.
E-mail - The email address that TPAM will use for email notifications from TPAM.
My Timezone - The appropriate time zone must be chosen from the list. With this option most dates and times that the user sees in the application or on reports are converted to their local time. If a date or time still reflects server time, it is noted on the window.
CLI Key Passphrase - Only applies to CLI users. This is an optional passphrase to encrypt the user’s private key. The phrase is case sensitive, up to 128 characters, and does not allow double quotes (“). The phrase is not stored and cannot be retrieved after the key is generated.
Reset SysAdm CLI Key - Click this button to create a new CLI key for the user ID.
Get SysAdm CLI Key - Click the button to retrieve the new CLI key.
3 Click the Save Changes button.
Promote a user ID
TPAM allows you to promote user IDs with Web or CLI access in the /tpam interface to sys-admin user IDs with access to the /admin and /config interfaces.
NOTE: You cannot promote the paradmin user ID.
To promote a user ID:
1 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
2 Click the Promote User button.
3 Enter filter criteria to find the user ID to promote.
4 Click the Listing tab and select the user ID.
5 Click the Details tab.
NOTE: If the user you are promoting has CLI access for the /tpam interface, they will not automatically have CLI access to the /admin interface when you promote them; you must select the CLI check box.
6 If the user is a CLI user, select the CLI check box on the Key Based tab.
7 Click the Save Changes button to grant the user system administrator privileges.
TIP: If a user ID that has web and CLI access is promoted, that user must log on to the /admin interface to generate their keys for CLI Sys Admin access.
Demote a user ID
To demote a user ID:
1 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
2 Enter filter criteria to find the user ID to demote.
3 Click the Listing tab and select the user ID.
4 Click the Demote User button.
5 Click the OK button on the confirmation window.
NOTE: You cannot demote a user ID if they do not have a User Type assigned in the /tpam interface.
Manage the parmaster user ID
There is the option to have TPAM manage the parmaster user ID, so that any user wanting to log on as parmaster must go through the TPAM request and approval process to obtain the account password. When the parmaster account is managed through TPAM you cannot enter a new password for this account on the Sys-Admin Management User Details page. Additionally, when a user is logged on as parmaster they will not have access to the User menu Change Password option.
NOTE: The global approver and requestor groups will not automatically grant a user access to the paradmin and parmaster accounts when they are managed. You must go to a user’s Permissions tab to assign the permissions for these accounts.
To manage the parmaster user ID:
1 Create a sys-admin account. See Add a web sys-admin user ID.
2 Log on to the /admin interface using the new sys-admin account.
3 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
4 Filter for the parmaster account. Click the Listing tab.
5 Select the parmaster account.
6 Click the Details tab.
7 Select the Administer account password with local PPM? check box.
8 Click the Save Changes button.
After this is saved, the parmaster account on the managed system Local_Appliance_parmaster will be set with Automatic Password Management selected.
9 Log on to the /tpam interface.
10 Select Accounts | Manage Accounts from the menu.
11 Filter for the parmaster account. Click the Details tab.
12 Click the Management tab. Verify that the password check and change profiles you want used to manage this account are assigned.
The password will be scheduled for an immediate reset. Depending on the number of password changes in the queue it may take some time to reset. Any users currently logged on as parmaster will be prompted to enter a new password once it has been reset.
To disable management of the parmaster user ID:
1 Log on to the /admin interface using a sys-admin account other than parmaster.
2 Select Sys-Admin UserIDs | Manage Sys-Admin UserIDs from the menu.
3 Filter for the parmaster account. Click the Listing tab.
4 Select the parmaster account.
5 Click the Details tab.
6 Clear the Administer account password with local PPM? check box.
7 Enter a new password in the Password and Confirm fields.
8 Click the Save Changes button.
Active logins
To view all user IDs currently logged on to TPAM select System Status/Settings | Active Logins from the menu.
The session start time is displayed in server time (UTC). To view the user details select the User from the list
and click the User Details tab. To terminate a user’s session in TPAM select the User from the list and click the
Terminate button.
6 Distributed Processing Appliances (DPAs)
• Introduction
• Power on the DPA appliance
• Configure network settings
• Enable remote access
• Change setup password
• Define remote IP address restrictions
• Prepare the DPA for enrollment
• Logs menu
• Increase DPA license count
• Enroll DPA in cluster
• Manage DPA settings
• DPA log tab
• Remove DPA from a cluster
• Re-enroll a DPA
• Change DPA SSH port
• Manage host file entries
• Net tools
• Test DPA
• DPA version number
Introduction
You have the option to purchase Distributed Processing Appliances (DPAs) to increase the number of concurrent PSM sessions that can be run. Each additional DPA supports up to 150 additional concurrent sessions. PSM performs simple load balancing by sending the next session record or replay request to the active DPA with the most available sessions remaining.
With DPA v3.0+ you can assign a DPA to a system to optimize password checking and changing. At the system level (on the Affinity tab) you can assign the DPA that should perform password checking and changing for all the accounts on that system.
To get the DPA up and running you must perform the following steps:
• Power on the DPA
• Configure the network settings
• Enable remote access (Optional)
• Define remote access IP restrictions (Optional)
• Prepare the DPA for enrollment
• Enroll the DPA in a cluster
• Manage DPA settings
• Assign systems to the DPA
Power on the DPA appliance
To power on the DPA appliance:
1 Connect a keyboard and monitor to the DPA appliance.
2 Press the power button on the front panel of the appliance. After the power on self test, the appliance will boot to a log on prompt.
3 Enter dpasetup for the user ID and Setup4DPA as the password. Both the user ID and password are case-sensitive; enter them exactly as shown. This is the only user ID that can be used to log on to the console.
The following menu will appear listing all of the commands available from the configuration console.
Configure network settings
To configure network settings:
1 Enter 4 and press the ENTER key to configure the network settings.
2 If your DPA will be using only one NIC, enter 3 and press the ENTER key to disable the eth1 network settings. A reason to configure both NICs would be an enclave scenario, in which the TPAM appliance is not in the same network as the target systems. The DPA can act as a bridge to the target devices when TPAM can access the DPA via one of the NICs and the DPA can access the target systems with the other DPA NIC.
3 Enter D and press the ENTER key to disable the eth1 interface, or enter the IP address if both eth1 and eth0 will be used.
4 Enter Y and press the ENTER key to save your changes.
5 Press the ENTER key to return to the main menu.
6 Enter 2 and press the ENTER key to modify the eth0 network settings.
7 Enter the IP Address for eth0 as prompted and press the ENTER key.
8 Enter the Network Mask for eth0 as prompted and press the ENTER key.
9 Enter the Default Gateway for eth0 as prompted and press the ENTER key.
10 Enter the MTU Size if desired. If nothing is entered the default value is 1500.
11 Press the Y key and press the ENTER key to save your changes.
12 Press the ENTER key to return to the manage network settings menu.
13 If the DPA will use both NICs, enter 3 and press the ENTER key to modify the eth1 settings.
14 Enter the IP Address for eth1 as prompted and press the ENTER key.
15 Enter the Network Mask for eth1 as prompted and press the ENTER key.
16 Enter the Default Gateway for eth1 as prompted and press the ENTER key.
17 Press the Y key and press the ENTER key to save your changes.
18 Press the ENTER key to return to the manage network settings menu.
19 Enter 4 and press the ENTER key to modify the DNS settings.
20 Enter the DNS IP and press the ENTER key.
21 Enter the Secondary DNS IP and press the ENTER key. (Optional)
22 Enter the DNS Domain and press the ENTER key. (Optional)
23 Enter Y and press the ENTER key to save your changes.
24 Press the ENTER key to return to the manage network settings menu.
25 Enter Q and press the ENTER key to return to the main menu.
Enable remote access
This step allows remote SSH access to the DPA. Allowing remote SSH access gives you the ability to copy and paste the enrollment string, rather than having to write it down and type it in manually. By default, remote access to the DPA is disabled.
To enable/disable remote access:
1 Enter 5 and press the ENTER key to configure remote access.
2 Enter 2 and press the ENTER key.
3 Enter E and press the ENTER key to enable remote access to the DPA.
4 Enter and confirm a password for the rdpasetup user.
5 Enter Q and press the ENTER key to return to the main menu.
6 Enter 8 and press the ENTER key to shut down the appliance.
NOTE: The DPA will not shut down or reboot if there are any active sessions running.
7 Remove the monitor and keyboard from the appliance.
8 Place the DPA on your network.
9 Power the appliance on.
10 Using an SSH client, connect to the DPA with the user ID rdpasetup using the password you just set.
Change setup password
This step allows you to change the password associated with the dpasetup account.
To change the password for the dpasetup account:
1 From the main menu enter 5 and press the ENTER key.
2 Enter 1 and press the ENTER key.
3 Enter Y and press the ENTER key.
4 Enter the current password and press the ENTER key.
5 Enter the new password and press the ENTER key.
Define remote IP address restrictions
You can configure IP address restrictions for remote access to the DPA. If remote IP address restrictions are configured, the IP address of the remote machine is checked against all restrictions that are entered. If it meets all specified criteria, the login is allowed to proceed.
All restrictions must be entered at one time, comma separated. Wildcards and negation are allowed. A * matches zero or more characters. A ? matches exactly one character. A ! negates the criterion. In the following example, “192.168.30.*” says all IP addresses starting with “192.168.30.” are allowed. Then, “!192.168.30.???” excludes 192.168.30.100 through 192.168.30.255. Also, 192.168.30.1 is explicitly excluded.
To configure restrictions:
1 From the main DPA menu, enter 5 and press the ENTER key.
2 Enter 3 and press the ENTER key.
3 Enter the restriction rules and press the ENTER key.
4 Enter Y and press the ENTER key.
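The matching rules above (every criterion must be satisfied; * matches zero or more characters, ? exactly one, ! negates) can be checked before a rule string is typed into the console, which is useful because a mistyped rule can lock the administrator out of remote access. The Python below is an added example written for this guide, not code from the DPA or from Dell; it implements the rule semantics as the text describes them and evaluates the guide's own example rule set against a few constructed addresses.

```python
import re
from typing import Dict, List, Pattern, Tuple


def _criterion_to_regex(pattern: str) -> Pattern[str]:
    """Translate one DPA-style restriction pattern into an anchored regex.

    '*' matches zero or more characters, '?' matches exactly one character;
    every other character (including '.') is taken literally.
    """
    parts: List[str] = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_restrictions(rule_string: str) -> List[Tuple[bool, Pattern[str]]]:
    """Split the comma-separated rule string into (negated, regex) pairs."""
    criteria: List[Tuple[bool, Pattern[str]]] = []
    for raw in rule_string.split(","):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        criteria.append((negated, _criterion_to_regex(token)))
    return criteria


def is_login_allowed(remote_ip: str, rule_string: str) -> bool:
    """Return True only if the address satisfies every configured criterion.

    A positive criterion is satisfied when the address matches it; a negated
    criterion is satisfied when the address does not match it. An empty rule
    string means no restrictions are configured, so every address is allowed.
    """
    criteria = parse_restrictions(rule_string)
    if not criteria:
        return True
    for negated, regex in criteria:
        matched = regex.match(remote_ip) is not None
        # A positive rule that failed to match, or a negated rule that matched,
        # both reject the address.
        if matched == negated:
            return False
    return True


# Constructed sample: the rule set the guide uses as its example.
GUIDE_EXAMPLE_RULES = "192.168.30.*,!192.168.30.???,!192.168.30.1"


def evaluate_sample() -> Dict[str, bool]:
    """Evaluate a few constructed addresses against the guide's example rules."""
    sample = ["192.168.30.5", "192.168.30.1", "192.168.30.100",
              "192.168.30.255", "10.0.0.7"]
    return {ip: is_login_allowed(ip, GUIDE_EXAMPLE_RULES) for ip in sample}


if __name__ == "__main__":
    for ip, allowed in evaluate_sample().items():
        print(f"{ip:16} {'allowed' if allowed else 'denied'}")
```

Because ? matches exactly one character, the guide's !192.168.30.??? criterion excludes only the three-digit final octets (100 through 255); addresses 192.168.30.10 through 192.168.30.99 remain allowed, as the text states. Escaping the dots matters too: without it, 192x168x30x5 would also satisfy a pattern such as 192.168.30.*.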
Prepare the DPA for enrollment
The next step is to prepare the DPA for enrollment to your TPAM appliance. This step prepares temporary keys that are used to establish the secure connections between the DPA and your TPAM appliance(s). This step is best done remotely, as the string necessary to enroll the DPA is rather long and remotely accessing the DPA allows you to copy the string more easily.
To prepare for enrollment:
1 From the main menu, enter 3 and press the ENTER key.
2 When prompted, enter the IP address of the TPAM primary device, and press the ENTER key.
3 Enter E and press the ENTER key to enroll the DPA.
4 Enter Y and press the ENTER key.
5 Copy the key that is presented. You will need to enter this key in the procedure below. See Increase DPA license count.
Logs menu
Through the logs menu you can access the following logs:
Table 7. Logs available on Logs menu
Log name | Description
Current Activity Log | Displays actions taken within the DPA setup menu, such as login, enrollment, IP restrictions, etc., from the current month.
Last Month's Activity Log | Displays the activity log from the previous month.
DPA Initialization Log | Displays information that can be used by technical support when troubleshooting an issue with a DPA.
Bad Login Attempts Log | Displays invalid log on attempts to the DPA console.
Current J2EE Server Log | Displays the
To view the DPA logs:
1 From the main menu, enter 6 and press the ENTER key.
2 Enter 1, 2, 3, 4 or 5, and press the ENTER key to view the different logs.
Increase DPA license count
Before the DPA can be enrolled in TPAM, you must increase the DPA license count in the admin interface.
To adjust license limits:
1 Select System Status/Settings | License Management from the menu.
2 Enter a number in the MaxDPAs field for the number of DPAs you will be adding to TPAM.
3 Click the Save Changes button.
Enroll DPA in cluster
To enroll a DPA in a cluster:
1 Log on to the /admin interface of the primary TPAM appliance.
2 Select System Status/Settings | Cluster Management from the menu.
3 Click the New Cluster Member button.
4 Enter a name for the DPA.
5 Select Distributed Processing Appliance from the appliance type list.
6 Select one of the following from the appliance active list:
• Active - DPA can be used for PSM sessions and password management.
• Inactive - DPA will not be used for PSM sessions or password management, regardless of affinity settings.
7 Enter the network address for the DPA in the network address field.
8 Change the default SSH port if necessary.
9 Click the Check Address button.
10 Enter or paste the enrollment string that was generated from the DPA console.
11 Click the Save button.
12 If the DPA is successfully enrolled, enter Y back on the DPA console to complete the TPAM enrollment process on the console. This completes the DPA enrollment process.
Manage DPA settings
Once the DPA is enrolled, it is visible in the /tpam interface and its settings can be configured.
To manage the DPA settings:
1 Log on to the /tpam interface.
2 Select Management | DPAs from the menu.
3 Select the DPA from the servers list.
4 Click the Details tab.
5 Enter a DNS name for the DPA. (Optional)
6 Enter the maximum number of concurrent sessions that should run on this DPA. The maximum value is 150.
7 Enter a description for the DPA. (Optional)
8 Select/Clear the Allow PSM? check box. If selected, the DPA can be used for session recording and playback. If cleared, the DPA cannot be used for session recording and playback. This will be selected by default if the DPA is saved as active when it is enrolled in the cluster.
9 Select/Clear the PPM Only? check box. If selected, the DPA can be used for password checks and changes, regardless of the Allow PSM? setting.
10 Select/Clear the Auto-Archive Session Logs? check box. If selected, as soon as a session is completed it is immediately pushed to the archive server. If selected, select an archive server to send the sessions to.
11 Select/Clear the Use this DPA for replays of session logs archived here? check box. This check box is only enabled if both the Auto-Archive Session Logs? and Allow PSM? check boxes are selected. If selected, this DPA will replay sessions that have been archived.
12 Change the Web Access Proxy Profile that will be used by the DPA if the default is not desired. This only applies to PSM Web Access systems. See the TPAM Client Setup Guide for more details.
13 Click the Save Changes button.
DPA log tab
The DPA log tab provides visibility to PSM related processes on the DPA that could be helpful when troubleshooting.
To view a DPA log:
1 Select Management | DPAs from the menu.
2 Select the DPA to view.
3 Click the Log tab.
4 Enter your search criteria on the Filter tab.
5 Click the Log tab.
Remove DPA from a cluster
When a DPA is removed from a cluster, any systems that were assigned to the DPA revert to using the local appliance or other DPAs in the cluster based on the system’s affinity assignments.
To remove a DPA from a cluster:
1 Log on to the /admin interface of the primary appliance in the cluster.
2 Select System Status/Settings | Cluster Management from the menu.
3 Select the DPA to be removed from the cluster member list.
4 Click the Remove Cluster Member button.
5 Click the OK button on the confirmation window.
Re-enroll a DPA
If the need arises to replace a DPA with another physical DPA, you can re-enroll the new physical DPA under the same name and IP address as the old one, and all the original System affinity settings will be preserved. Re-enrollment requires an enrollment string obtained from the DPA console. See Prepare the DPA for enrollment.
To re-enroll the DPA:
1 Log on to the /admin interface of the primary appliance in the cluster.
2 Select System Status/Settings | Cluster Management from the menu.
3 Select the DPA to re-enroll from the cluster member list.
4 Select the Enrollment String check box.
5 Enter or paste in the enrollment string.
6 Click the Enroll/Re-enroll DPA button.
Change DPA SSH port
IMPORTANT: To change the port used by the DPA, it must be changed on the DPA console first, before it is changed on the Cluster Management page in the TPAM interface.
To change the port configuration for an existing DPA:
1 Log on to the DPA console.
2 Type 4 and press the ENTER key.
3 Type 5 and press the ENTER key.
4 Type the new port number and press the ENTER key.
5 Type Y and press the ENTER key.
6 Log off the DPA Console.
7 Log on to the admin interface of TPAM.
8 Select System Status/Settings | Cluster Management from the menu.
9 Click the Cluster Status tab.
10 Select the DPA you want to change in the Cluster Member list.
11 Select the Ssh Port check box.
12 Type the new port number.
13 Click the Save button.
Manage host file entries
Host file entries can be added, deleted and listed from the DPA Configuration interface. This allows a customer to add entries that will enable PSM Web Access sessions to work without DNS setup.
To add a host file entry:
1 Log on to the DPA console.
2 Type 4 and press the ENTER key.
3 Type 9 and press the ENTER key.
4 Type the host file entry in the format IP_address host_name(s). Press the ENTER key.
5 Type Y to continue.
6 Type N to return to the main menu if there are no more entries to add.
To delete a host file entry:
1 Log on to the DPA console.
2 Type 4 and press the ENTER key.
3 Type 10 and press the ENTER key.
4 Type the host file entry you want to delete (0-...) and press the ENTER key.
To list host file entries:
1 Log on to the DPA console.
2 Type 4 and press the ENTER key.
3 Type 8 and press the ENTER key.
Net tools
To assist the TPAM System Administrator with troubleshooting common network related problems, the DPA contains network tools that are accessible from the main menu.
To access the net tools menu from the main menu, enter 9 and press the ENTER key.
The table below describes each of the available tools:
Table 8. Net tools descriptions
Menu Option | Description
Ping Utility | The ping utility can be used to verify connectivity to remote hosts and determine latency. Many of the optional parameters for the ping command are available. T
NsLookup Utility | Nslookup is a common TCP/IP tool used to test DNS settings and perform similar information gathering using DNS resolution. The DPA utility for nslookup will use only the DNS server(s) configured for TPAM. The option to specify a server is not provided. TPAM System Administrators can benefit from the ability to use nslookup to resolve hostnames to IP addresses and vice versa.
TraceRoute | The traceroute utility is available for examining network routing and connectivity from the DPA to a remote IP address or hostname. The use of traceroute is often disallowed by firewalls, routers, and other network security infrastructure, but if allowed, it can be a valuable diagnostic tool.
Telnet Test | The Telnet test utility lets a test be performed from the DPA to another system over a specific port. The tool tests the defined port using telnet functionality to verify whether a connection can be made, and then immediately closes the connection.
DPAs and failover
When a session terminates on a DPA, the DPA uses the gossip protocol to determine where to complete the session. If the session was initiated by the primary and that primary is operational, then the session is completed on the primary. If the originating primary is down but there are failed over replicas, then the session will be completed on the first failed over replica ordered alphabetically. If there are no appliances available, the DPA will hold the session log until a console becomes available. If the session originated from a failed over replica, then it will complete with the failed over replica, or with the primary if the replica has failed back.
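The completion rules above can be written down as a small decision function, which is a convenient way to reason about where a session log will end up (and therefore where to look for it when reviewing a session recorded during an outage). The Python below is an added example, not TPAM's or the DPA's own code; the Appliance model, the appliance names and the two assumptions marked in comments are constructed for illustration, and reachability is taken as an input rather than derived from real gossip traffic.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Appliance:
    """A cluster member as the DPA sees it through gossip (constructed model)."""
    name: str
    role: str                   # "primary" or "replica"
    reachable: bool             # True if recent gossip shows the appliance is up
    failed_over: bool = False   # replica currently in the Failed Over state
    failed_back: bool = False   # replica has already failed back to the primary


@dataclass
class SessionRecord:
    session_id: str
    originated_on: str          # name of the appliance that initiated the session


HOLD = None  # no console available: the DPA keeps the session log for later


def choose_completion_target(session: SessionRecord,
                             cluster: List[Appliance]) -> Optional[str]:
    """Return the name of the appliance that should complete the session,
    or HOLD if the DPA must keep the log until a console is available."""
    by_name = {a.name: a for a in cluster}
    origin = by_name.get(session.originated_on)
    if origin is None:
        raise ValueError(f"unknown originating appliance {session.originated_on!r}")
    primary = next((a for a in cluster if a.role == "primary"), None)

    if origin.role == "primary":
        # Initiated by the primary: complete there if it is still operational.
        if origin.reachable:
            return origin.name
        # Primary down: the first failed-over replica in alphabetical order.
        failed_over = sorted(a.name for a in cluster
                             if a.role == "replica" and a.failed_over and a.reachable)
        return failed_over[0] if failed_over else HOLD

    # Initiated on a failed-over replica.
    if origin.failed_back:
        # The replica has failed back, so the primary completes the session.
        # Assumption: if the primary is not reachable either, the log is held.
        return primary.name if primary is not None and primary.reachable else HOLD
    # Assumption: a replica that is unreachable and has not failed back also
    # means the log is held.
    return origin.name if origin.reachable else HOLD


def sample_cluster(primary_up: bool) -> List[Appliance]:
    """Constructed three-member cluster; the names are placeholders."""
    return [
        Appliance("tpam-primary", "primary", reachable=primary_up),
        Appliance("tpam-replica-b", "replica", reachable=True, failed_over=not primary_up),
        Appliance("tpam-replica-a", "replica", reachable=True, failed_over=not primary_up),
    ]


if __name__ == "__main__":
    session = SessionRecord("S1", "tpam-primary")
    print(choose_completion_target(session, sample_cluster(primary_up=True)))
    print(choose_completion_target(session, sample_cluster(primary_up=False)))
```

With the primary down, the session started on the primary completes on tpam-replica-a rather than tpam-replica-b, because the guide orders failed over replicas alphabetically, not by enrollment order.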
Test DPA
Testing a DPA checks the connectivity from the DPA to the primary and other replicas in the cluster. If using an archive server for PSM session logs, the connectivity between the DPA and archive server is also tested. Details on sessions being recorded, replayed and monitored are also listed.
To test a DPA:
1 Select System Status/Settings | Cluster Management from the menu.
2 Select the DPA to test from the cluster member list.
3 Click the Test DPA button. The results of the test will appear on the Results tab.
Init Pending: Y indicates that the initialization of the DPA is pending. The DPA would be found in this state just after enrollment or re-enrollment or after a restart of the DPA. The initialization includes pushing software updates from TPAM to the DPA. This may take a few minutes.
To test the DPA connectivity from the DPA console:
1 Log on to the DPA console.
2 Type 1 and press the ENTER key.
DPA version number
The DPA software version is occasionally updated when a patch is applied to TPAM.
To check the DPA software version number:
1 Select System Status/Settings | Cluster Management from the menu.
2 Click the Cluster Status tab.
3 Scroll down to see the DPAs and their latest version number.
7
High Availability Cluster
• Introduction
• Details tab
• Member status tab
• Snapshots tab
• Graphs tab
• Cluster status tab
• Logs tab
• Configure a cluster
• Remove a cluster member
• Reboot a replica
• Automatic failover
• Functionality on a failed over replica
• Automatic failback
• Change the run level
• Force a failover
• Unforce a failover
• Transfer authoritative primary
• Take over as authoritative primary
• How to change the replication interval
Introduction
High availability clustering is an option for customers to support TPAM with a minimum of down time and eliminate a single point of failure. Each appliance is configured with a cluster role. The cluster role choices are:
• Primary - Acts as the information source for the cluster. Only one primary is allowed per cluster.
• Replica - A redundant appliance that is kept in sync with the primary. Can be configured to automatically fail over if it loses contact with the primary.
• Standalone - This role only applies to DPAs enrolled in the cluster and cannot be changed.
For details on how to enroll DPAs in a cluster, see Increase DPA license count.
Details tab
The table below explains all of the options available on the cluster management details tab.
Table 9. Manage Cluster Settings and Members: Details tab options
Field | Description | Required? | Default
Name | Unique name to identify the appliance. | Yes | TPAMCONSOLE
Appliance Type | Two appliance types: Console (TPAM appliance) or DPA (Distributed Processing Appliance). | Yes | Console
Appliance Active | It is not possible to flag a primary appliance as inactive. The choices for replicas and DPAs are: Active (participating in the cluster) or Inactive (an inactive appliance is not participating in cluster replication; if a DPA is marked inactive it will not be used for session recording or playback). | Yes | Active
Network Address | Network addresses must be unique within a cluster. After entering the network address you must click the Check Address button to be able to save the appliance in the cluster. | Yes |
Ssh Port | Applies to DPAs. This is the port used to communicate with the DPA. The default is 22. If another port is required enter that port number here and in the DPA configuration screen. | Yes for DPAs | 22
Enrollment String | The enrollment string generated when a DPA is configured must be entered here. | Yes, if you want to set the DPA to Active and it was not previously enrolled |
Role | Choices of: Primary or Replica. | |
Run Level | Choices of: Maintenance (in this mode users can only log on to the /admin and /config interfaces) or Operational (TPAM is fully functional). DPAs are always in operational mode. | Yes | Operational
Failover Timeout | The number of seconds a replica will wait after losing contact with the primary before failing over. The minimum failover timeout is 60 seconds. A value of 0 (zero) means the replica will NOT failover. | Yes | 300
Failback Timeout | The number of seconds a replica will wait after re-establishing contact with the primary before beginning failback processing. The minimum failback timeout is 60 seconds. | Yes | 60
The Restart Clustering button should be used anytime the global settings for replication are changed.
Member status tab
The member status tab displays many statistics about the appliance such as memory and disk space, software version and hot fixes installed, and serial number information. Here system administrators can see this information for all cluster members without having to log on individually to each cluster member. Much of this information is also visible on the System Status page for each appliance.
Snapshots tab
When a replica is enrolled in a cluster, a snapshot of the current state of the replica is taken during that process. This snapshot can be used as a restore point in case the enrollment process fails and it is necessary to get the replica back to its original state.
There are two CLI system administrator commands available to revert to the snapshot if needed, ListRestorePoints and Revert. For more details see Commands.
IMPORTANT: At this time do not “Revert to Snapshot” unless you are advised to do so by Technical Support.
Graphs tab
The graphs display data concerning the cluster member that is selected in the list. This data can be useful when working with technical support on replication issues. There are no graphs available for the primary appliance, only replicas and DPAs. A replica or DPA that has not yet been enrolled in the cluster will have empty graphs.
Below is a brief description of the available graphs:
Table 10. Manage Cluster Settings and Members: Graphs tab options
Graph name | Description
Database Transfers | Quantity of database data successfully published from a primary to a replica appliance. When viewed on the primary, gaps in this graph indicate that no database data was published to a replica.
Gossip Activity | Rate of gossip reports received from a peer appliance. Gaps or errors in this graph indicate that the peer appliance was down or unreachable.
Replication Bundles Published | Count of full and incremental replication bundles successfully published from a primary to a replica appliance. When viewed on the primary, gaps in this graph indicate that no data was published to a replica.
Replication File Transfers | Quantity of file-based data successfully published from a primary to a replica appliance. File-based data includes session logs, secure files and report output. When viewed on the primary, gaps in this graph indicate that no file data was published to a replica. This may be normal if no file updates were generated during this time.
Cluster status tab
The cluster status tab displays important information about the health and status of the cluster members, such as run level, replication status and software version level.
The possible values for replication status are:
• Failed Over - a replica has lost contact with the primary in the cluster and the failover timeout has expired.
• Failing Back - a replica has re-established contact with the primary and the failback timeout has expired.
• Replicating - normal status for a healthy primary.
• Standby - normal status for a healthy replica or a primary with no replicas defined.
• Unknown - when you have added a new cluster member but not uploaded the enrollment bundle, or when a TPAM appliance is restarted but has not gossiped yet.
• Updating - displayed when a replica is applying an update from the primary.
NOTE: The Cluster Status tab reflects the status from the selected appliance’s point of view.
The possible values for cluster member state are:
• Failed - appears when a cluster member has not gossiped within the last minute, but has prior gossip activity.
• Healthy - communicating with other cluster members.
• Unknown - when you have added a new cluster member but not uploaded the enrollment bundle, or when a TPAM appliance is restarted but has not gossiped yet.
Logs tab
The logs tab displays data pertinent to the high availability implementation on the appliance. Items such as replication status changes, failover, etc. are displayed in the logs. The Logs tab always displays logs from the primary appliance, regardless of the appliance selected in the cluster member list. The time displayed on the Logs tab is server time (UTC).
Configure a cluster
By definition, a cluster consists of one primary appliance, zero or more replica appliances, and zero or more DPAs. Each replica is individually configurable for failover, with its own delay values for failover and failback. When appliances are shipped to a customer all appliances will be pre-configured for the primary role and can then be changed during configuration.
NOTE: The TPAM appliances in a cluster communicate with one another using port 8000. TPAM appliances communicate with DPAs using port 22. Please ensure that your firewalls are configured to allow communication through these ports.
TIP: Before adding a replica to a cluster, it is recommended that a System Administrator CLI user ID is added to the replica and the keys are retrieved for this user ID, prior to enrolling the replica in the cluster. The System Administrator user ID can be used to execute the Revert command if the enrollment process fails.
To configure a cluster:
1 Turn on and configure the network settings for any appliances you want to use as replicas on your network. Make note of the IP address of each future replica.
2 Log on to the /admin interface for the appliance you want to label as the primary.
3 Select System Status/Settings | Cluster Management from the menu.
4 Select the Name check box. It is recommended to change the name of the appliance to include “primary” somewhere in the name. (optional)
5 Click the Save button.
6 Click the New Cluster Member button.
7 Enter the name for the replica.
8 Enter the network address of the replica.
9 Click the Check Address button.
10 Select Replica from the role list.
11 Enter the failover timeout.
12 Enter the failback timeout.
13 Click the Save button.
14 Click the Make Enrollment Bundle button. This generates the key file that will be used to communicate with the replica.
15 Click the Continue with Change button.
NOTE: Make sure you have enabled pop-ups for your TPAM appliance.
16 You will be prompted to save the enrollment bundle file. Click the OK button and save the file locally.
17 Log on to the /admin interface of the replica appliance.
18 Select System Status/Settings | Cluster Management from the menu.
19 Select the Run Level check box.
20 Select Maintenance from the Run Level list.
21 Click the Change Run Level button.
22 Click the Continue with Change button.
23 Click the Select File button.
24 Click the Browse button. Select the file.
25 Click the Upload button.
26 Click the Apply button.
27 Click the Continue with Change button.
28 Log off the replica appliance or close the browser.
NOTE: You may receive an error logging off depending on where the replica is in the enrollment process. This error can be ignored.
29 On the primary appliance, select System Status/Settings | Cluster Management from the menu.
30 Select the replica in the cluster member list. Wait for the replica run level to change from Unknown to Maintenance, then proceed to the next step.
NOTE: To refresh the page, click the Details tab.
NOTE: The replica may be visible in the cluster list but its status may be unknown for quite some time until it has fully enrolled with the primary. The time it takes to complete enrollment is dependent on the size of the backup being applied to the replica from the primary.
31 Select the Run Level check box.
32 Select Operational from the Run Level list.
33 Click the Change Run Level button.
34 Repeat steps 8-35 to add additional replicas to the cluster.
Remove a cluster member
To remove a cluster member:
1 Log on to the /admin interface of the primary appliance.
2 Select System Status/Settings | Cluster Management from the menu.
3 Select the appliance to remove from the cluster, either a console or DPA.
4 Click the Remove Cluster Member button.
5 Click the OK button on the confirmation window.
6 Click one of the following buttons:
• Remove and Reset Data - The appliance is removed from the cluster. All customer data will be deleted, and the paradmin and parmaster accounts will have their passwords reset to the factory default. Network settings will remain.
• Remove and Retain Data - The appliance is removed from the cluster, but all customer entered data persists.
• Do Not Remove - Cancel removing the appliance from the cluster.
The appliance will automatically be put in Maintenance mode with a role of primary when it is removed from the cluster.
Reboot a replica
You have the option to reboot the replicas in a cluster from the cluster management page of the primary.
To reboot the replica:
1 On the cluster management page of the primary appliance, select the replica from the cluster management list.
2 Click the Reboot button.
3 Click the Continue with Change button.
4 Click the OK button on the confirmation window.
Automatic failover
When a replica detects that the primary has failed it starts a failover timer, provided the failover timeout has a value other than 0 (zero). If the primary does not recover before the failover timer expires, an automatic failover to the replica(s) occurs. The amount of time the replica uses for its failover timer is entered in the failover timeout field.
When an automatic failover occurs, TPAM users can log on to the failed over appliance and continue to create requests, approve requests, review requests, retrieve passwords and files, and start or replay sessions. Passwords can be reset manually, but will not automatically be reset after a password release or expired request. The automation engine cannot be started on a failed over replica. No data can be edited or added in the “failed over” mode.
Functionality on a failed over replica
When a replica is in "Failed Over" state the functionality available to users is limited. See the table below for details.
Table 11. Functions available during failover
Function | Available during failover
Add, edit or delete systems | No
Add system template | No
Hard delete a system | No
Manually test connection to a system | Yes
View system details | Yes
View soft deleted systems | Yes
List systems | Yes
Add, edit or delete accounts | No
Hard delete an account | No
View account details | Yes
View soft deleted accounts | Yes
Retrieve account password | Yes
Manually reset an account password | Yes
Manually check an account password | Yes
View past passwords | Yes
List accounts and List PSM accounts | Yes
Add, edit or delete collections | No
View collection details | Yes
List collections | Yes
Add, edit or delete files | No
View file details | Yes
Retrieve file | Yes
List files | Yes
Add, edit, or delete a synchronized password | No
View synchronized password details | Yes
Reset the password for a synchronized password | No
Add, edit or delete a user ID | No
Disable a user ID | No
Reset the password for a user ID | Yes
View user ID details | Yes
List user IDs | Yes
Add user template | No
Add, edit or delete group | No
View group details | Yes
List groups | Yes
Add, edit, delete cache server | No
Batch imports and updates | No
Auto Discovery | No
Account Discovery | No
Add or Delete TPAM CLI ID | No
Test TPAM CLI ID | Yes
View and replay session logs | Yes
Monitor sessions | Yes
Add, edit or delete privileged commands | No
View privileged command details | Yes
View, add, edit or delete post session processing, PSM connection, restricted command or account discovery profiles | No
Add or edit DPAs | No
Test DPA connectivity | Yes
Add, edit or delete access policies | No
View access policies | Yes
Request a password | Yes
Approve a password | Yes
Request a session | Yes
Approve a session request | Yes
Review a session | Yes
Request a file | Yes
Approve a file request | Yes
Run on demand reports | Yes
Edit batch report subscriptions | No
View batch report subscriptions | Yes
Browse old batch stored reports | Yes
Edit data extract schedules and data sets | No
View data extract schedules and data sets | Yes
Auto Management Engine for checking and changing passwords | No
Apply a patch | Yes
Generate Web Certificate Request | Yes
Upload TPAM Trusted CA certificate | Yes
Edit Sybase and MySQL trusted root certificates | No
Edit Daily Maintenance Agent start time | No
Add, edit or delete an archive server | No
Add or remove a cluster member | No
Add, edit or delete external authentication settings | No
Edit Global Settings | No
Edit license counts | No
Edit Login Banner | Yes
Add, edit or delete message of the day | Yes
Add, edit or delete password rules | No
Add, edit or delete reason codes | No
Edit SysLog configuration settings | No
Create a support bundle | Yes
Add new ticket system | No
Edit existing ticket systems | Yes
Revert from a restore point | Yes
The mail agent must be started to continue automatic email notifications.
Automatic failback
When a failed over replica re-establishes contact with the primary it starts the failback timer. If the replica is still communicating with the primary when the failback timer expires, automatic failback to the primary occurs. The amount of time the replica uses for its failback timer is entered in the failback timeout field.
During the automatic failback the replica that is failing back will experience a system outage while the failback process synchronizes the data between the appliances.
IMPORTANT: The process to failback and synchronize the data on the replica with the primary takes several minutes. If you have trouble checking the status of the replica once the failback has started, wait a few minutes and check back again.
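The timer behaviour described under Automatic failover and Automatic failback, together with the 0 and 60-second rules for the Failover Timeout and Failback Timeout fields on the Details tab, can be modelled as a small state machine; running it against a timeline makes it clear why a brief network blip shorter than the failover timeout never produces a failover, while a replica with a timeout of 0 never fails over at all. The Python below is an added example written for this guide, not TPAM's own implementation; the observation interval, the assumption that failback synchronization completes within one interval, and the sample timeline are constructed.

```python
from enum import Enum
from typing import List, Optional, Tuple

MIN_TIMEOUT_SECONDS = 60   # minimum the Details tab accepts for either timeout
NO_FAILOVER = 0            # failover timeout of 0: the replica never fails over


class ReplicaState(Enum):
    STANDBY = "Standby"             # healthy replica receiving replication
    FAILED_OVER = "Failed Over"     # failover timer expired, serving users
    FAILING_BACK = "Failing Back"   # failback timer expired, synchronizing


def validate_timeouts(failover_timeout: int, failback_timeout: int) -> None:
    """Reject values the Details tab would not accept."""
    if failover_timeout != NO_FAILOVER and failover_timeout < MIN_TIMEOUT_SECONDS:
        raise ValueError("failover timeout must be 0 or at least 60 seconds")
    if failback_timeout < MIN_TIMEOUT_SECONDS:
        raise ValueError("failback timeout must be at least 60 seconds")


class ReplicaFailoverMonitor:
    """Replica-side failover/failback timers (constructed model, not TPAM code)."""

    def __init__(self, failover_timeout: int = 300, failback_timeout: int = 60) -> None:
        validate_timeouts(failover_timeout, failback_timeout)
        self.failover_timeout = failover_timeout
        self.failback_timeout = failback_timeout
        self.state = ReplicaState.STANDBY
        self._contact_lost_at: Optional[int] = None
        self._contact_regained_at: Optional[int] = None

    def observe(self, now: int, primary_reachable: bool) -> ReplicaState:
        """Feed one observation (time in seconds, primary reachable?) and return the state."""
        if self.state is ReplicaState.STANDBY:
            if primary_reachable:
                self._contact_lost_at = None          # primary recovered: timer cancelled
            elif self.failover_timeout == NO_FAILOVER:
                pass                                  # configured never to fail over
            elif self._contact_lost_at is None:
                self._contact_lost_at = now           # primary failed: start failover timer
            elif now - self._contact_lost_at >= self.failover_timeout:
                self.state = ReplicaState.FAILED_OVER
                self._contact_lost_at = None
        elif self.state is ReplicaState.FAILED_OVER:
            if not primary_reachable:
                self._contact_regained_at = None      # contact lost again: timer cancelled
            elif self._contact_regained_at is None:
                self._contact_regained_at = now       # contact re-established: start failback timer
            elif now - self._contact_regained_at >= self.failback_timeout:
                self.state = ReplicaState.FAILING_BACK
                self._contact_regained_at = None
        else:  # FAILING_BACK
            # Assumption: the synchronization outage finishes within one
            # observation interval, after which the replica is a standby again.
            self.state = ReplicaState.STANDBY
        return self.state


def run_sample_timeline() -> List[Tuple[int, str]]:
    """Constructed timeline: the primary goes down at t=30 and returns at t=200."""
    monitor = ReplicaFailoverMonitor(failover_timeout=120, failback_timeout=60)
    observations = [(0, True), (30, False), (100, False), (150, False),
                    (200, True), (250, True), (260, True), (270, True)]
    return [(t, monitor.observe(t, up).value) for t, up in observations]


if __name__ == "__main__":
    for t, state in run_sample_timeline():
        print(f"t={t:4d}s  {state}")
```

In the sample timeline the replica is still Standby at t=100 (only 70 seconds without the primary) and becomes Failed Over at t=150; after the primary returns at t=200 it reaches Failing Back at t=260, once the 60-second failback timeout has elapsed, which matches the Failed Over and Failing Back definitions on the Cluster status tab.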
Change the run level
To change the run level of an appliance:
1 Select System Status/Settings | Cluster Management from the menu.
2 Select the Run Level check box.
3 Select Maintenance or Operational from the Run Level list.
4 Click the Change Run Level button.
5 Click the Continue with Change button.
When the appliance is in maintenance mode the following applies:
• Users cannot log on to the tpam interface.
• In the admin interface, access to the mail settings, automation engine settings, agents, archive log settings, and re-submission of batch reports is disabled while in maintenance mode.
Force a failover
It is possible to force a failover to another cluster member. Forcing a failover can be useful during disaster recovery testing or if there is a scenario where the primary appliance has failed and none of the replicas are configured for automatic failover.
A failover can be forced by logging on to the /admin interface of the primary or by logging on to the /admin interface of the cluster member you want to force a failover to. When a failover is forced the following conditions exist in the cluster environment:
• The primary is STILL the authoritative primary.
• The appliance that is in forced failover mode is no longer receiving replication from the authoritative primary.
• With an appliance in forced failover mode, TPAM users can log on to the authoritative primary OR the failed over appliance to create requests, retrieve passwords or start or replay sessions.
• The forced failover appliance will not automatically fail back according to the failback settings. The Unforce Failover button has to be clicked to reverse the failover. See Unforce a failover for more details.
To force a failover from the primary appliance:
1 Log on to the /admin interface of the primary appliance.
2 Select System Status/Settings | Cluster Management from the menu.
3 Select the cluster member to force the failover to.
4 Click the Force Failover button.
5 Click the Continue with Change button on the confirmation window.
6 Click the Cluster Status tab to verify that the appliance has the mode of “FailedOver”. This may take a few minutes. Click the Cluster Status tab again to refresh the page.
Unforce a failover
Once a failover is un-forced, any activity in TPAM that took place on the failed over appliance will be synchronized with the primary and then replicated to other cluster members as part of the failback processing job.
IMPORTANT: The process to un-force a failover and synchronize the data on the replica with the primary takes several minutes. If you have trouble checking the status of the replica once the failover has been un-forced, wait a few minutes and check back again.
To un-force a failover:
1 Log on to the /admin interface of the primary appliance.
2 Select System Status/Settings | Cluster Management from the menu.
3 Select the cluster member that is currently failed over.
4 Click the Un-force Failover button.
5 Click the Continue with Change button. This starts the failback timeout countdown, so the failback will not start processing until the countdown completes. Wait several minutes to allow the un-force failover processes to complete; eventually the replica will return to a replication status of standby.
Transfer authoritative primary
The transfer authoritative primary function is used when you want to switch the primary role from one cluster member to another. This should only be used when the original primary member is up and running.
To transfer the primary role to another console in the cluster:
1 Log on to the /admin interface of the primary.
2 Make sure the primary is selected in the cluster member list.
3 Select the Run Level check box.
4 Select Maintenance from the list.
5 Click the Change Run Level button.
6 Click the Continue with Change button.
7 Select the replica from the cluster member list that you want to transfer the primary role to.
8 Select the Run Level check box.
9 Select Maintenance from the list.
10 Click the Change Run Level button.
11 Click the Continue with Change button.
12 Click the Transfer Author. Primary button.
13 Click the Continue with Change button. The role of the replica will automatically change to “Primary” and the original primary will automatically have its role changed to “Replica”. Any other replicas in the cluster will automatically recognize the new primary.
14 Select the former primary from the cluster member list.
15 Select the Run Level check box.
16 Select Operational from the list.
17 Click the Change Run Level button.
18 Log on to the /admin interface of the new primary.
19 Select the Run Level check box.
20 Select Operational from the list.
21 Click the Change Run Level button.
Take over as authoritative primary
The take over authoritative primary function should be used when the primary has failed, is not going to be brought back up, and there are multiple replicas in the cluster.
To have a replica take over as authoritative primary:
1 Log on to the /admin interface of the replica that will become the new primary.
2 Select System Status/Settings | Cluster Management from the menu.
3 Make sure the replica is selected in the cluster member listing.
4 Select the Run Level check box.
5 Select Maintenance from the list.
6 Click the Change Run Level button.
7 Click the Take Over Author. Primary button.
8 Click the Continue with Change button.
9 Once the role of this appliance changes to Primary, select the Run Level check box.
10 Select Operational from the list.
11 Click the Change Run Level button.
12 Refresh the page. If the old primary is still appearing in the Cluster Members list, select it in the list and click the Remove Cluster Member button.
13 In the pop up box that appears select Remove and Retain data.
14 Next you must log on to the /admin interface of any other replica(s) in the cluster to recognize the new primary. Select System Status/Settings | Cluster Management from the menu.
15 Select the replica you are logged on to from the cluster member list.
16 Select the Run Level check box.
17 Select Maintenance from the list.
18 Click the Change Run Level button.
19 Select the new primary from the cluster member list.
20 Click the Recognize New Author. Primary button.
21 Select the replica you are logged on to from the cluster member list.
22 Select the Run Level check box.
23 Select Operational from the list.
24 Click the Change Run Level button.
TIP: Give the replica a few minutes to save settings and then refresh the page. The old "original primary" should disappear from the cluster member list.
25 Repeat steps 14-23 for any additional replicas.
Any DPAs that were part of the original cluster should still be there and operating as normal with the "new"
primary. No additional configuration is needed for the DPAs.
Any cache servers configured should also be operational without any additional configuration.
To add the replacement appliance into the cluster as a replica:
1 Turn on the replacement appliance.
2 Log on to its /admin interface. Select System Status/Settings | Cluster Management from the menu.
3 Select the Run Level check box.
4 Select Maintenance from the list.
5 Click the Change Run Level button.
6 Log on to the /admin interface of the new primary.
7 Select System Status/Settings | Cluster Management from the menu.
8 Click the New Cluster Member button.
9 Enter the name for the new replica.
10 Enter the network address of the old primary.
11 Click the Check Address button.
12 Select Replica from the role list.
13 Enter the failover timeout.
14 Enter the failback timeout.
15 Click the Save button. You will see a message that “Appliance at address x.x.x.x is not yet registered in the cluster.”
16 Click the Make Enrollment Bundle button. This generates the key file that will be used to communicate
with the replica.
17 Click the Continue with Change button.
18 You will be prompted to save the enrollment bundle file. Click the OK button and save the file locally.
19 Log on to the /admin interface of the new replica appliance.
20 Select System Status/Settings | Cluster Management from the menu.
21 Click the Select File button.
22 Click the Browse button. Select the enrollment bundle file.
23 Click the Upload button.
24 Click the Apply button.
25 Click the Continue with Change button.
26 Log off the replica appliance or close the browser.
NOTE: You may receive an error logging off depending on where the replica is in the enrollment process. This error can be ignored.
27 On the primary appliance select System Status/Settings | Cluster Management from the menu.
28 Select the replica in the cluster member list. Wait for the replica run level to change from Unknown to Maintenance, then proceed to the next step.
NOTE: To refresh the page click the Details tab.
NOTE: The replica may be visible in the cluster list but its status may be unknown for quite some time until it has fully enrolled with the primary. The time it takes to complete enrollment is dependent on the size of the backup being applied to the replica from the primary.
29 Select the Run Level check box.
30 Select Operational from the Run Level list.
31 Click the Change Run Level button.
To make the replacement appliance the primary once it has been added to the cluster as a replica:
1 See the procedure for Transfer authoritative primary.
How to change the replication interval
To change the replication interval:
1 On the primary appliance select System Status/Settings | Global Settings from the menu.
2 Select Replication as the Category Filter.
3 Change the replication interval setting and click the Save Changes button.
4 Select System Status/Settings | Cluster Management from the menu.
5 Select the primary in the cluster member list.
6 Click the Restart Clustering button.
8 Archive Servers
• Introduction
• Configure archive servers
Introduction
Archive servers provide an external storage location for logs and offline backup files from TPAM.
Configure archive servers
To configure an archive server:
1 Select System Status/Settings | Archive Servers from the menu.
2 Click the Add Server button.
The table below explains the options on the archive server management page:
Table 12. Archive Server Management: Details tab options (Field, Description, Required?; no default values are listed for these fields)

Field: Server Name
Required: Yes
Description: The unique server name.

Field: Network Address
Required: Yes
Description: The IP address or fully qualified domain name.

Field: Archive Method
Required: Yes
Description: Select one of the following archive methods:
• FTP - lets the data be transmitted to any FTP server. Because the backup file is encrypted using AES256, there is not a security risk for the data; however, authentication credentials may be exposed on the network.
• sFTP using password - lets the data be transmitted to an sFTP server. In addition to the file encryption protection, the authentication credentials are also protected from network exposure.
• SCP using DSS Key - the most secure transport method; data is transmitted through SCP (secure copy) with an encrypted SSH tunnel from TPAM to the archive server. The SCP method uses a public/private key pair for authentication. Supported keys are OpenSSH and SECSH keys. To complete the setup of the archive server for SCP communication, download the required public key using the Get Open SSH or Get Sec SSH button and store the key in the proper location on the archive server.

Field: Port
Required: No
Description: Port number for TPAM to use.

Field: DSS Key Details
Required: No
Description: When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used.
• Avail. System Std. Keys – uses the single standard SSH keys (either Open SSH or the commercial key) stored centrally on TPAM. You have the ability to have up to three active keys simultaneously. These keys are configured in the paradmin interface. Use the list to select the key you want to retrieve.
NOTE: When using the Avail. System Std. Keys you cannot specify the key that is used. One or all available keys may be downloaded to the remote system, but TPAM attempts to use all currently active keys when communicating with the remote system.
• Use System Specific Key – allows the generation and download of a specific SSH key to be used with this system only. The key must first be generated using the Get/Regen 2048bit or 1024bit buttons, and then downloaded in either Open SSH or Sec SSH (commercial) format.
The public key must be placed into the proper directory on the archive server. For most systems this is [user’s home directory]/.ssh (create the directory if it does not exist). The public key must also be specified as an authorized authentication method for the functional account. A new DSS key pair can be generated at any time (if for example it is felt that the existing keys have been compromised). Clicking the Regen Key Pair button generates a new public/private key pair. The Regen Key Pair button only regenerates the system specific key for the selected archive server, so only that archive server is affected.

Field: Account Name
Required: Yes
Description: Used to authenticate to the archive server, and within whose home directory the logs are stored.

Field: Path to Storage
Required: Yes
Description: Enter the full path as required for the storage location on the archive server.

Field: Description
Required: No
Description: Descriptive text for the archive server.

3 Enter the settings and click the Save Changes button.
The connection and authentication between TPAM and the archive server can be tested by clicking the Test button.
To clear the existing host keys for the archive server from the TPAM appliance click the Clear Host Entry button.
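The SCP archive method above only works once the downloaded public key sits in the functional account's ~/.ssh directory and is accepted by the archive server's sshd. The following Python, added here as an example and not part of TPAM or this guide, validates an OpenSSH-format key line and installs it into authorized_keys idempotently with the permissions sshd requires; it assumes a POSIX archive server, and the sample key it builds for the demo run is constructed and not a usable key.

```python
"""Install a TPAM archive-server public key for the functional account.

Added example, not part of the TPAM product or guide. Assumes the key was
downloaded in OpenSSH format (Get Open SSH button) and that the archive
server is a POSIX host whose sshd reads ~/.ssh/authorized_keys.
"""
import base64
import os
import stat
import struct
import tempfile
from typing import Tuple

# Key types the DSS-key transport can present; an authorized_keys line is
# "<type> <base64 blob> [comment]".
ALLOWED_TYPES = {"ssh-rsa", "ssh-dss"}


def _wire_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_public_key(line: str) -> Tuple[str, str]:
    """Validate one authorized_keys line and return (key type, comment).

    Checks a known key type, a base64 blob that decodes, and a blob whose
    first wire string repeats the declared type (as sshd requires), so a
    truncated or mis-pasted download is rejected before it is installed.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except Exception as exc:
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("declared key type does not match blob")
    return key_type, comment


def install_archive_key(home_dir: str, pubkey_line: str) -> str:
    """Append the key to <home>/.ssh/authorized_keys with safe permissions.

    Returns "added" or "present". sshd with StrictModes refuses keys in a
    group/world-writable .ssh or authorized_keys, so the modes are forced
    to 0700 / 0600 on every run, not only when the files are created.
    """
    parse_openssh_public_key(pubkey_line)  # reject malformed input first
    ssh_dir = os.path.join(home_dir, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, stat.S_IRWXU)
    auth_path = os.path.join(ssh_dir, "authorized_keys")
    wanted = pubkey_line.strip()
    existing = []
    if os.path.exists(auth_path):
        with open(auth_path, encoding="utf-8") as fh:
            existing = [l.strip() for l in fh if l.strip()]
    # Compare on type + blob only, so a different comment does not duplicate.
    key_id = " ".join(wanted.split(None, 2)[:2])
    if any(" ".join(l.split(None, 2)[:2]) == key_id for l in existing):
        os.chmod(auth_path, stat.S_IRUSR | stat.S_IWUSR)
        return "present"
    with open(auth_path, "a", encoding="utf-8") as fh:
        fh.write(wanted + "\n")
    os.chmod(auth_path, stat.S_IRUSR | stat.S_IWUSR)
    return "added"


def constructed_key_line(key_type: str = "ssh-rsa") -> str:
    """Build a syntactically valid but meaningless key line for testing.

    CONSTRUCTED: the wire type string followed by two dummy multiprecision
    integers. It is not a usable key and is only here for the demo run.
    """
    blob = (_wire_string(key_type.encode()) + _wire_string(b"\x01\x00\x01")
            + _wire_string(b"\x00\xab\xcd\xef"))
    return f"{key_type} {base64.b64encode(blob).decode()} tpam-archive-key"


def demo_install() -> Tuple[str, str, int]:
    """Install the same key twice in a scratch home; report both results
    and the resulting authorized_keys mode."""
    with tempfile.TemporaryDirectory() as home:
        first = install_archive_key(home, constructed_key_line())
        second = install_archive_key(home, constructed_key_line())
        path = os.path.join(home, ".ssh", "authorized_keys")
        mode = os.stat(path).st_mode & 0o777
    return first, second, mode


if __name__ == "__main__":
    print(demo_install())  # ('added', 'present', 384) i.e. mode 0o600
```

A key downloaded with the Get Sec SSH button (SECSH/RFC 4716 format) can be converted to the OpenSSH line this expects with `ssh-keygen -i -f <file>` before installing it.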
9 Logs
• Introduction
• Sys-Admin activity log
• Security log
• Firewall log
• Database log
• Alerts log
• Proc log
• Archive log settings
• SysLog configuration
Introduction
The Logs menu lets the System Administrator view many logs with critical information about the appliance. All logs can be exported to an Excel® or CSV file.
Sys-Admin activity log
The Sys-Admin activity log reports the activity of all TPAM System Administrators. The Sys-Admin activity log data can be displayed in server time (UTC) or the user’s local time zone, whichever they select on the Report Filter tab.
To view the Sys-Admin Activity Log:
1 Select Logs | Sys-Admin Activity Log from the menu.
2 Enter your search criteria on the report filter tab.
3 Use one of the following methods to view the results:
• Click the Report tab
• Click the Export to Excel button
• Click the Export to CSV button
Security log
The security log reports any events related to log on activity. Only failed events are displayed to conserve resources. The security log displays server time (UTC).
To view the Security Log:
1 Select Logs | Security Log from the menu.
2 Enter your search criteria on the report filter tab.
3 Use one of the following methods to view the results:
• Click the Report tab
• Click the Export to Excel button
• Click the Export to CSV button
Firewall log
The firewall log displays events logged by the firewall component of TPAM. The firewall is configured to log all denied traffic. The firewall log displays server time (UTC).
To view the Firewall Log:
1 Select Logs | Firewall Log from the menu.
2 Enter your search criteria on the report filter tab.
3 Use one of the following methods to view the results:
• Click the Report tab
• Click the Export to Excel button
• Click the Export to CSV button
Database log
The database log shows logged activity from the TPAM SQL Server® database. The database log displays server
time (UTC).
To view the Database Log:
1 Select Logs | Database Log from the menu.
2 Enter your search criteria on the report filter tab.
3 Use one of the following methods to view the results:
• Click the Report tab
• Click the Export to Excel button
• Click the Export to CSV button
Alerts log
The Alerts log displays events related to any of the alerts that you can subscribe to. The alerts log displays
server time (UTC).
To view the Alerts Log:
1 Select Logs | Alerts Log from the menu.
2 Enter your search criteria on the report filter tab.
3 Use one of the following methods to view the results:
• Click the Report tab
• Click the Export to Excel button
• Click the Export to CSV button
Proc log
The Proc log displays information on cluster replication, software updates, batch report processing and system services. The Proc log data can be displayed in server time (UTC) or the user’s local time zone, whichever they select on the Report Filter tab.
To view the Proc Log:
1 Select Logs | Proc Log from the menu.
2 Enter your search criteria on the report filter tab.
3 Use one of the following methods to view the results:
• Click the Report tab
• Click the Export to Excel button
• Click the Export to CSV button
Archive log settings
Logs are maintained and stored on TPAM for the duration of the retention period configured in global settings. Log data is purged daily, based on these settings. To retain purged log data you have the option to send this data to an archive server prior to the purge.
To configure archive settings for logs:
1 Select System Status/Settings | Archive Log Settings from the menu.
2 Check the Enabled? box to enable the setting.
3 Select an archive server from the list. See Configure archive servers for more details if needed.
4 Select All or Failed from the list and enter an email address for notifications. (Optional)
5 Click the Save Settings button.
SysLog configuration
TPAM allows the optional configuration of the sys-admin activity report and the user activity report to be transmitted to a syslog receiver or collector. This provides an alternate way to view activity reports as well as to monitor the TPAM appliance health and welfare.
To configure the reports to be sent to the syslog server:
1 Select System Status/Settings | SysLog Configuration from the menu.
2 Enter the IP address for the syslog server.
3 Enter the Port number.
4 Select Enable Syslog for Sys-Admin Activity Log to send this report to the syslog server.
5 Select Enable Syslog for User Activity Log to send this report to the syslog server.
6 Select Enable Syslog for Failed Logins to send this report to the syslog server.
7 Click the Save Settings button.
10 Reason Codes
• Introduction
• Add a reason code
• Delete a reason code
• Enable/Disable a reason code
Introduction
Reason codes can be configured for requestors and ISAs to use when making a file, password or session request.
To enable reason codes make sure that the reason code global settings have been set to Optional or Required.
For more information on these global settings see Edit global settings.
Add a reason code
To add a reason code:
1 Select System Status/Settings | Reason Codes from the menu.
2 Click the New Code button.
3 Enter a unique name for the reason code.
4 Enter a description for the reason code. (Optional)
5 Clear the Reason Code is active? check box if you do not want the reason code immediately available as a choice for requestors. (Optional)
6 Click the Save Changes button.
The reason code will now be available for requestors to select when making requests in the /tpam interface.
Delete a reason code
Reason codes can only be deleted if they have not been used on any requests. If the reason code was used but all those requests have aged out of TPAM based on the global setting retention period, then it may also be deleted.
To delete a reason code:
1 Select System Status/Settings | Reason Codes from the menu.
2 Select the reason code from the list to be deleted.
3 Click the Delete Code button.
4 Click the OK button on the confirmation window.
Enable/Disable a reason code
A reason code can be disabled so that it is not available for requestors and ISAs to use on requests, but not deleted, so it can be enabled in the future.
To enable/disable a reason code:
1 Select System Status/Settings | Reason Codes from the menu.
2 Select the reason code from the list.
3 Clear/Select the Reason Code is active? check box.
4 Click the Save Changes button.
11 Global Settings
• Introduction
• Edit global settings
• Descriptions
Introduction
Global settings are used to maintain many key controls and parameters in TPAM. The number displayed in the
Setting column represents the value set for the Option Name. You can narrow down the view of global settings
on the page by using the Category Filter at the top of the page.
Edit global settings
To view and edit global settings:
1 From the /admin interface, select System Status/Settings | Global Settings from the menu.
2 To narrow the global settings displayed, select a choice from the Category Filter list.
3 Use the scroll bar to locate the global setting.
4 Enter the value in the Setting column, select the desired button in the Setting column, or select a value from the list. Repeat this step for each global setting to be edited.
5 Click the Save Changes button.
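The Account Login Control settings described in Table 13 below (Account Lockout Duration, Threshold and Window) bound each other, and the values 0 and 9999 carry special meanings. The following Python model, added here as an example and not TPAM code, replays a constructed sequence of logon attempts through those documented rules so that a proposed combination can be checked before it is saved on a production appliance; the event timelines and the boundary choice that a failure exactly "window" minutes old has already aged out are assumptions.

```python
"""Replay logon attempts through TPAM's Account Login Control lockout rules.

Added example, not TPAM code. The three settings and their special values
(threshold 0 = never lock, window 0 = no time limit, duration 9999 = manual
unlock) are taken from Table 13; the event timelines are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MANUAL_UNLOCK = 9999  # Lockout Duration value: an administrator must unlock


@dataclass(frozen=True)
class LockoutPolicy:
    lockout_duration_min: int = 15  # valid 10 - 9999
    lockout_threshold: int = 5      # valid 0 - 100
    lockout_window_min: int = 10    # valid 0 - 15

    def validate(self) -> None:
        """Enforce the documented ranges and the cross-constraint: the window
        may not exceed the duration (each bounds the other in the UI)."""
        if not 10 <= self.lockout_duration_min <= 9999:
            raise ValueError("Account Lockout Duration must be 10 - 9999")
        if not 0 <= self.lockout_threshold <= 100:
            raise ValueError("Account Lockout Threshold must be 0 - 100")
        if not 0 <= self.lockout_window_min <= 15:
            raise ValueError("Account Lockout Window must be 0 - 15")
        if self.lockout_window_min > self.lockout_duration_min:
            raise ValueError("Lockout Window may not exceed Lockout Duration")


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # minutes of failed logons
    locked_at: Optional[int] = None


def unlock(state: AccountState) -> None:
    """Administrator unlock (also used when the lockout duration expires)."""
    state.locked_at = None
    state.failures.clear()


def apply_event(policy: LockoutPolicy, state: AccountState,
                minute: int, success: bool) -> str:
    """Apply one logon attempt at `minute` (a monotonic clock in minutes).

    Returns "ok", "failed", "locked_now" (this attempt tripped the threshold)
    or "locked" (rejected while locked, whatever the credentials were).
    """
    if state.locked_at is not None:
        still_locked = (policy.lockout_duration_min == MANUAL_UNLOCK
                        or minute < state.locked_at + policy.lockout_duration_min)
        if still_locked:
            return "locked"
        unlock(state)  # duration elapsed: automatic unlock
    if success:
        state.failures.clear()  # a successful logon resets the count
        return "ok"
    state.failures.append(minute)
    if policy.lockout_window_min > 0:
        # Window 0 counts every failure until success or lock; otherwise only
        # failures inside the window count. Assumption: a failure exactly
        # `window` minutes old has already aged out.
        state.failures = [f for f in state.failures
                          if minute - f < policy.lockout_window_min]
    if 0 < policy.lockout_threshold <= len(state.failures):
        state.locked_at = minute
        return "locked_now"
    return "failed"


def simulate(policy: LockoutPolicy,
             events: List[Tuple[int, bool]]) -> List[str]:
    """Run a (minute, credentials_valid) timeline and return each outcome."""
    policy.validate()
    state = AccountState()
    return [apply_event(policy, state, minute, ok) for minute, ok in events]


# Constructed timelines: five rapid failures, then a valid logon one minute
# later (still locked) and another after the 15-minute duration (unlocked).
BURST = [(0, False), (1, False), (2, False), (3, False), (4, False),
         (5, True), (20, True)]
# Four failures, then a fifth outside the 10-minute window: no lock.
SPREAD = [(0, False), (1, False), (2, False), (3, False), (14, False)]

if __name__ == "__main__":
    print(simulate(LockoutPolicy(), BURST))
    print(simulate(LockoutPolicy(), SPREAD))
    print(simulate(LockoutPolicy(9999, 1, 0), [(0, False), (100000, True)]))
```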
Descriptions
The table below provides a description of each global setting and the configurable parameters.
Table 13. Global Settings descriptions (Category, Option name, Description, Default)

Category: Account Login Control
Option name: Account Lockout Duration
Default: 15
Description: The time (in minutes) that an account remains locked. Valid entries are 10 - 9999. A setting of 9999 requires an administrator to manually unlock the account. The minimum value of this setting is controlled by the current setting of the Lockout Window.
NOTE: If you are going to require an administrator to manually unlock accounts, create a CLI Administrator ID and a CLI System Administrator ID, in the event that the parmaster and paradmin accounts get locked.

Category: Account Login Control
Option name: Account Lockout Threshold
Default: 5
Description: The number of consecutive failures within the lockout window required to lock a user account. Valid entries are 0 - 100. A value of 0 (zero) indicates the user’s account will never be locked due to failed logins. A value of 1 means that a single failed login attempt will lock an account.

Category: Account Login Control
Option name: Account Lockout Window
Default: 10
Description: The duration (in minutes) that failed logon attempts are counted. Valid entries are 0 - 15. The maximum value of this setting is controlled by the current setting of the lockout duration. A value of 0 (zero) means that there is no time limit to tracking failed log on attempts. All failed attempts will be counted until logon is successful or the account becomes locked.

Category: Account Login Control
Option name: Allow 1024 bit key length for regenerated user key
Default: No
Description: User keys generated prior to 2.5.913 are 1024 bits. If Yes is selected they will continue to be generated as 1024. If No is selected, keys generated will be 2048.

Category: Account Login Control
Option name: Allow Multiple Sessions
Default: Yes
Description: If Yes is selected, users can have multiple browser sessions using the same user ID. If No is selected, each user ID may have only one authenticated session.

Category: Account Login Control
Option name: Disable after Inactive for n Days
Default: 365
Description: Possible values are between 14 - 365 in days. If a user has not logged onto TPAM in this number of days, the user ID is disabled.

Category: Account Login Control
Option name: Inform User of bad password
Default: No
Description: If Yes is selected, users will be told if they enter an invalid password when logging in. If No is selected, the user will be told that the username and/or password is invalid. When both Inform User of bad password AND Inform User of failed login attempts are set to Yes, the user is informed that the password is invalid along with the number of failed logon attempts thus far.
NOTE: For security reasons we recommend leaving this set to No, unless you are troubleshooting login and authentication problems.

Category: Account Login Control
Option name: Inform User of disabled account
Default: No
Description: If Yes is selected, users will be told if their account is disabled when they attempt to login. If No is selected, the user will be told that the username and/or password is invalid.
NOTE: For security reasons we recommend leaving this set to No, unless you are troubleshooting login and authentication problems.
Category: Account Login Control
Option name: Inform User of failed login attempts
Default: No
Description: If Yes is selected, the system will display to the user the number of failed login attempts that have been made on their user ID since their last login.

Category: Account Login Control
Option name: Inform User of locked account
Default: No
Description: If Yes is selected, the user will be informed when attempting to login that their account is locked. If No is selected, the user will be told that the username and/or password is invalid.
NOTE: For security reasons we recommend leaving this set to No, unless you are troubleshooting login and authentication problems.

Category: Account Login Control
Option name: Login token lifespan
Default: 300
Description: The number of seconds a user can remain inactive on the login page before they are forced to refresh the page to login. Valid entries are 60-600.

Category: Account Login Control
Option name: Maximum Password Age
Default: 42
Description: Specifies the maximum time between password changes (in days). Valid entries are 0 – 180.

Category: Account Login Control
Option name: Minimum Password Age
Default: 0
Description: Specifies the minimum time between password changes (in days). Valid entries are 0 – 14.

Category: Account Login Control
Option name: Password Grace Period
Default: 14
Description: The number of days, prior to a user’s password expiring, that they will be reminded that their password will expire in X days. A setting of 0 means no warnings will be given. Valid entries are 0-30.

Category: Account Login Control
Option name: Password History
Default: 5
Description: Number of old passwords stored by TPAM for user accounts. Stored passwords may not be reused, and are replaced on a first-in first-out basis. Valid entries are 0 – 24.

Category: Account Login Control
Option name: Session Inactivity Timeout
Default: 2880
Description: Time, in minutes, that a user’s session will time out after inactivity. Valid entries are 10-2880.

Category: Allow Migration
Option name: Allow 2.4 Migration in Config Interface
Default: Yes
Description: If Yes is selected, the System Migration menu option is available under the Restore menu in the config interface. If No is selected, the menu option is not available.

Category: Browser Window
Option name: Admin Interface default window size
Default: 1024x768
Description: Select a default screen resolution size from the list for the /admin interface.

Category: Browser Window
Option name: Admin Interface in new window
Default: No
Description: If Yes is selected, a new browser window will be opened when a user logs on to the /admin interface. Also the browser window will automatically close upon log out. If No is selected, the user can browse in the window they currently have open. Depending on the browser, the user may have to manually close the browser window when logging off.

Category: Browser Window
Option name: Config Interface default window size
Default: 1024x768
Description: Select a default screen resolution size from the list for the /config interface.

Category: Browser Window
Option name: Config Interface in new window
Default: No
Description: If Yes is selected, a new browser window will be opened when a user logs on to the /config interface. Also the browser window will automatically close upon log out. If No is selected, the user can browse in the window they currently have open. The user must manually close the browser window when logging off.

Category: Browser Window
Option name: Main Interface default window size
Default: 1024x768
Description: Select a default screen resolution size from the list for the /tpam interface.
Category: Browser Window
Option name: Main Interface in new window
Default: No
Description: If Yes is selected, a new browser window will be opened when a user logs on to the /tpam interface. Also the browser window will automatically close upon logging off. If No is selected, the user can browse in the window they currently have open. The user must manually close the browser window when logging off.

Category: Custom Column Names
Option name: Managed Account Custom 1-6
Default: Null
Description: Six custom boxes available to track account information. If configured these appear on the Account Custom Information tab and are listed as filter options on many filter tabs. Column names are limited to 32 characters, cannot be the same as any other Custom column name nor any existing column in the Accounts table. Must consist of only upper or lowercase letters, numbers, spaces, periods, hyphens, and underscores. A custom column name may be “undefined” by simply erasing the value.
NOTE: Any data entered while the custom column name is defined is inaccessible if the custom name is undefined.

Category: Custom Column Names
Option name: Managed System Custom 1-6
Default: Null
Description: Six custom boxes available to track system information. If configured these appear on the System Custom Information tab and are listed as filter options on many filter tabs. Column names are limited to 32 characters, cannot be the same as any other Custom column name nor any existing column in the Systems table. Must consist of only upper or lowercase letters, numbers, spaces, periods, hyphens, and underscores. A custom column name may be “undefined” by simply erasing the value.
NOTE: Any data entered while the custom column name is defined is inaccessible if the custom name is undefined.

Category: Custom Column Names
Option name: User Custom 1-6
Default: Null
Description: Six custom boxes available to track user information. If configured these appear on the User Custom Information tab and are listed as filter options on many filter tabs. Column names are limited to 32 characters, cannot be the same as any other Custom column name nor any existing column in the Users table. Must consist of only upper or lowercase letters, numbers, spaces, periods, hyphens, and underscores. A custom column name may be “undefined” by simply erasing the value.
NOTE: Any data entered while the custom column name is defined is inaccessible if the custom name is undefined.

Category: Customer Specified
Option name: Appliance Identity
Default: Null
Description: Custom box available to name the appliance. This box is used on the Appliance Usage Batch Report.

Category: Customer Specified
Option name: Hide Retrieved Passwords
Default: Never
Description: In order to prevent over the shoulder exposure of retrieved passwords, the displayed password can optionally be hidden so that it can be copied to a clipboard without revealing it to passersby. When the password is hidden the user can copy it to the clipboard by moving the mouse into the designated area and typing Ctrl-C. The options are as follows:
• Never - the password is displayed
• Hide, but allow password to be revealed - the password is hidden when retrieved but clicking the Reveal Password button will display it.
• Always hide the retrieved password - the password is hidden and must be copied to the clipboard.
NOTE: Even if the password is hidden from view it is still considered “Released”.
Table 13. Global Settings descriptions (continued)
Each entry below gives the Category / Option name, the description, and the Default value; the Customer Specified column is left for your own value.

Max Attachment Size (MB)
The maximum total size (in megabytes) of batch report output files that can be sent to a user in a single email. When the user subscribes to more than one output file from a report, this is the total size of all files to be attached. A message is attached to the email body if one or more files cannot be attached due to this limit. Enter 0 (zero) for unlimited attachment size. Default: 0.

System Date Format / System Date
Global Setting that controls the default input and output date and time formats for the entire appliance. Choices are “Month/Day/Year hh:mm AM/PM” or “Day/Month/Year hh:mm24”. Default: Month/Day/Year.
NOTE: If this setting is changed, all users must refresh their browsers or they may encounter a session time-out error.

Global Groups / Allow Global Groups to be used for Permissioning
If No is selected, Global Groups do not appear on the Group Listing and Group Membership assignment tabs and are not used to determine permissions. For performance reasons, if Global Groups are not used, it is recommended that this setting be set to No.

Individual Accountability / Allow Account specific override
If Yes is selected, individual accountability can be turned off at the account level, letting more than one requestor request the same password at the same time or for overlapping durations. Changing this value to No removes the override from all accounts on which it was enabled in the TPAM interface. Default: No.

Mobile Device / Allow Password Retrieval
Controls whether mobile device users of TPAM are permitted to retrieve passwords on their mobile device. Default: Yes.

Mobile Device / Quick Approve Text
Custom text that appears as the Password Approval Reason when approving a request from a mobile device. This message is used if the Approver uses the Quick Approve functionality or does not enter a message when approving a request. Default: Quick Approved from Mobile Device.

Mobile Device / Quick Deny Text
Custom text that appears as the Password Denial Reason when denying a request from a mobile device. This message is used if the Approver uses the Quick Deny functionality or does not enter a message when denying a request. Default: Quick Denied from Mobile Device.

Mobile Device / Quick Expire Text
Custom text that appears as the Password Cancellation/Expiration Reason when canceling or expiring a request from a mobile device. This message is used if the Requestor uses the Quick Expire functionality or does not enter a message when expiring a request. Default: Quick Cancel/Expire from Mobile Device.

Mobile Device / Quick Submit Text
Custom text that appears as the Password Request Reason when submitting a request from a mobile device. This message is used if the Requestor uses the Quick Submit functionality or does not enter a message when submitting a request. Default: Quick Submit from Mobile Device.

Old Password Retention / Failed Password Days
Specifies the number of days that TPAM retains failed passwords. Valid entries are 1 – 90. Default: 15.

Old Password Retention / Minimum Retention Days
Specifies the least number of days that TPAM stores old passwords. Valid entries are 1 – 360. Default: 30.
No
NOTE: If Past Passwords and Minimum Retention Days are configured differently, both conditions must be satisfied before a password is deleted from history: an old password is purged only when it is beyond the Past Passwords count and older than Minimum Retention Days.
Old Password Retention / Past Passwords
The number of previous passwords that TPAM stores for a managed system. Valid entries are 1 – 30. Default: 5.

Old Password Retention / Purge Password Batch Size
To minimize the performance impact on other interactive users, this setting controls the number of passwords deleted in each transaction during the purge password portion of the Daily Maintenance process. Valid entries are 5-100. Default: 10.
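The interaction between Past Passwords, Minimum Retention Days and Purge Password Batch Size is easiest to see in code. The following Python is an added example written for this guide, not TPAM code; the history record layout, the constructed sample data and the assumption that Past Passwords counts retired (non-current) passwords per account are the example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class HistoryEntry:
    """One retired password of a managed account (a constructed layout, not TPAM's)."""
    account: str
    retired_on: date     # the day this password stopped being current
    password_id: int     # stands in for the stored secret


def purge_candidates(history: List[HistoryEntry], today: date,
                     past_passwords: int = 5, min_retention_days: int = 30) -> List[HistoryEntry]:
    """Entries that meet BOTH purge conditions from the NOTE: they lie beyond the
    newest `past_passwords` entries of their account AND they were retired more
    than `min_retention_days` ago. Assumes Past Passwords counts retired passwords."""
    if not 1 <= past_passwords <= 30:
        raise ValueError("Past Passwords: valid entries are 1-30")
    if not 1 <= min_retention_days <= 360:
        raise ValueError("Minimum Retention Days: valid entries are 1-360")
    cutoff = today - timedelta(days=min_retention_days)
    per_account: Dict[str, List[HistoryEntry]] = {}
    for entry in history:
        per_account.setdefault(entry.account, []).append(entry)
    eligible: List[HistoryEntry] = []
    for entries in per_account.values():
        entries.sort(key=lambda e: e.retired_on, reverse=True)            # newest first
        beyond_count = entries[past_passwords:]                            # condition 1
        eligible.extend(e for e in beyond_count if e.retired_on < cutoff)  # condition 2
    return sorted(eligible, key=lambda e: (e.retired_on, e.account, e.password_id))


def purge_batches(eligible: List[HistoryEntry], batch_size: int = 10) -> List[List[HistoryEntry]]:
    """Split the purge into transactions of Purge Password Batch Size rows each."""
    if not 5 <= batch_size <= 100:
        raise ValueError("Purge Password Batch Size: valid entries are 5-100")
    return [eligible[i:i + batch_size] for i in range(0, len(eligible), batch_size)]


# Constructed sample: one account rotated eight times; retired passwords aged 1..150 days.
TODAY = date(2015, 6, 30)
SAMPLE = [HistoryEntry("root@db01", TODAY - timedelta(days=age), n)
          for n, age in enumerate([1, 5, 15, 40, 60, 90, 120, 150], start=1)]
```

With the defaults (5 and 30) only the three oldest entries (aged 90, 120 and 150 days) are purged. Lowering Past Passwords to 2 still leaves the 15-day-old entry in history because Minimum Retention Days has not elapsed for it, and raising Minimum Retention Days to 100 keeps entries that are beyond the count but younger than 100 days. Failed Password Days is a separate retention for failed passwords and is not modeled here.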
Online Backups / Online Backups
The number of TPAM backups that are stored locally. Valid entries are 1 – 10. Default: 5.

PSM Session / Max Session Duration (Hours)
The allowed duration (in hours) for a PSM Session. A job runs every 10 minutes that terminates any sessions exceeding this threshold. A value of 0 lets sessions run with no time limit. Valid entries are 0-168 (7 days). Default: 0.

PSM Session / Maximum Recording Size
Maximum size in megabytes a session recording is allowed to reach. Warning messages start when the session reaches 60% of the set limit. The session is terminated when it reaches the size limit. Default: 500.

PSM Session / Replay all sessions before completing review
Setting this value to Yes requires the reviewer to replay all the session logs before a review can be completed. Default: No.

PSM Session / Session Termination Wait Time
The maximum amount of time, in seconds, before TPAM terminates a session as a result of a run level change on the appliance, or during a failback to a primary appliance. Default: 300.

PSM Session / Session Termination Warning Interval
The interval, in seconds, at which TPAM warns users that a session is about to terminate, up until the session is terminated. Default: 60.

Replication / Database Backup Set Max Incr Usage MB
The maximum amount of disk space (in megabytes) that TPAM uses for incremental database backups. Incremental database backups are only used for replication and are not related to a TPAM backup. Default: 1024.
NOTE: Every time this value is changed you must go to the Cluster Management page, select the primary and click the Restart Clustering button.

Replication / File Resynchronization Interval
The interval, in seconds, at which a primary appliance forces a re-synchronization of replicated files (session logs, report output, secure files, etc.) with each replica appliance. Default: 3600.
NOTE: Every time this value is changed you must go to the Cluster Management page, select the primary and click the Restart Clustering button.

Replication / Replication Interval
The interval, in seconds, at which the primary console pushes incremental updates to each replica appliance. Default: 60.
NOTE: Every time this value is changed you must go to the Cluster Management page, select the primary and click the Restart Clustering button.

Request Reasons / Detailed Reason Text for ISA Release
Controls whether ISAs are required to enter a detailed reason when retrieving a password or file. Possible values are Required, Not Allowed and Optional. Default: Required.
NOTE: Setting this to Not Allowed or Optional and also setting Reason Code for ISA Release to Not Allowed or Optional lets ISAs retrieve passwords and files without entering a reason.
Request Reasons / Detailed Reason Text for Request
Controls whether a detailed request reason is required for any password, file or session request. Possible values are Required, Not Allowed and Optional. Default: Required.
NOTE: Setting this to Not Allowed or Optional and also setting Reason Code for Request to Not Allowed or Optional lets requestors request passwords, files and sessions without entering a reason.

Request Reasons / Reason Code for ISA Release
Controls whether ISAs are required to enter a reason code before they retrieve a password or file. Possible values are Required, Not Allowed and Optional. Default: Optional.

Request Reasons / Reason Code for Request
Controls whether requestors are required to enter a reason code as they request a password, file or session. Possible values are Required, Not Allowed and Optional. Default: Optional.

Retention Period / Account Discovery Agent Log
The number of days that TPAM stores the Account Discovery Agent activity. Valid entries are 1-30. Default: 30.

Retention Period / Activity Log
The number of days that TPAM stores log entries for TPAM activity events. Valid entries are 30 – 365. Default: 90.

Retention Period / Alerts Log
The number of days that TPAM stores system generated alerts. Valid entries are 1-30. Default: 30.

Retention Period / Auto Discovery Agent Log
The number of days that TPAM stores the Auto Discovery Agent log entries. Valid entries are 1-30. Default: 30.

Retention Period / Backup Log
The number of days that TPAM stores backup activity logs. Valid entries are 10 – 365. Default: 30.

Retention Period / Batch Import/Update History (0 = Never Delete)
The number of days to retain Batch Import/Update history results, based on the date the batch was submitted, not the date it completed or was canceled. A value of 0 means the results are never deleted. Valid entries are 0-999. Default: 0.

Retention Period / Data Extract Log
The number of days that TPAM stores logs of data extract history. Valid entries are 1-90. Default: 30.

Retention Period / DPA Server Activity Log
The number of days that TPAM stores DPA Server activity. Valid entries are 1-30. Default: 30.

Retention Period / File Release Log
The number of days that TPAM stores file release activity logs. Valid entries are 30 – 365. Default: 90.

Retention Period / File Release Request
The number of days file release requests are retained before archival. Valid entries are 1-365. Default: 90.

Retention Period / Firewall Log
The number of days that TPAM stores firewall activity logs. Valid entries are 1 – 90. Default: 30.

Retention Period / ISA Release Log
The number of days that TPAM stores ISA password release activity logs. Valid entries are 30-365. Default: 90.
NOTE: Setting a lower retention period for the ISA Release Log affects how much data is available for the Password Release Log.

Retention Period / Mail Agent Log
The number of days that TPAM stores log entries for mail agent activity. Valid entries are 1 – 365. Default: 10.

Retention Period / Online Batch Reports
The number of days that TPAM stores logs of scheduled batch job activity. Valid entries are 1 – 180.

Retention Period / Password Change Activity Detail
The number of days that TPAM stores detailed password change logs. Valid entries are 10 – 90. Default: 30.
30
Retention Period / Password Change Log
The number of days that TPAM stores password change activity logs. Valid entries are 30 – 365. Default: 90.

Retention Period / Password Release Log
The number of days that TPAM stores password release activity logs. Valid entries are 30 – 365. Default: 90.

Retention Period / Password Test Activity Detail
The number of days that TPAM stores detailed password test logs. Valid entries are 10 – 90.

Retention Period / Password Test Results
The number of days that success/failure results for automated password tests are retained. Valid entries are 10 – 90. Default: 30.

Retention Period / Post Session Processing Log (PSM customers only)
The number of days that TPAM stores post session processing logs. Valid entries are 1-365.

Retention Period / PSM Archive Log (PSM customers only)
The number of days that TPAM stores the PSM Archive Log, which reports on the success and failure of archiving sessions. Valid entries are 1-30. Default: 5.

Retention Period / Pwd Change Agent Log
The number of days that TPAM stores password change agent activity logs. Valid entries are 10 – 90. Default: 30.

Retention Period / Pwd Test Agent Log
The number of days that TPAM stores password test activity logs. Valid entries are 10 – 90. Default: 30.

Retention Period / Release Request
The number of days password release requests are retained before archival. Valid entries are 10-999. Default: 90.
30
10
NOTE: Setting a lower retention period for the Release Request Log affects how much data is available for the Password Release Log.

Retention Period / Security Log
The number of days that TPAM stores security event logs. Valid entries are 5 – 90. Default: 10.

Retention Period / Sent Mail Log
The number of days that TPAM stores log entries for sent mail items. Valid entries are 1 – 365. Default: 30.

Retention Period / Session Request (PSM customers only)
The number of days that session release requests are retained before archival. Valid entries are 10-999. Default: 90.
NOTE: This setting limits the Max age in days for session log deletion in the PSM Archive Settings in the /tpam interface.

Retention Period / Synchronized Password Change Log
The number of days that TPAM stores logs of synchronized password changes. Valid entries are 30-365. Default: 90.

Retention Period / Sys-Admin Log
The number of days that TPAM stores system administrator activity logs. Valid entries are 30 – 365. Default: 90.

Review Notification / Immediate Review Notification
If Yes is selected, a Review Requirement email is sent immediately, one email per review. If No is selected, emails are not sent for individual reviews, including the escalation emails configured at the account. Default: Yes.

Review Notification / Periodic Review Notification Interval
Sends email notifications of uncompleted Session or Password Release reviews at the top of the hour, at the selected frequency. One email is sent per reviewer with as many uncompleted reviews as fit in the body of the email. 1x/Day notifications are sent at midnight, server time. Default: Disabled.
Reviewers are sent a single email notification when the review is required, and a single escalation email if so configured at the account. Setting the two Review Notification settings to No and Disabled respectively disables all Release Review emails.
Role Policy / Always use cached permission data
If No is selected, permissions are determined by querying the database to ensure the most up-to-date permissions are used, but this can slow down TPAM performance for customers with large data sets. Default: No.
If Yes is selected, the cached permissions data, which is updated every 60 seconds, is used to determine permissions.
If Not for Password/File Retrieval and Session Start is selected, the most up-to-date data is used to determine permissions for retrieving a password or file or for starting a session, but the cached data is used for all other permission calculations.
If Yes or Not for Password/File Retrieval and Session Start is selected, it is recommended that Administrators and ISAs use the Rebuild Assigned Policies page in the /tpam interface after editing permissions to rebuild the cached permissions immediately.

Role Policy / Default new systems to no assigned ISA policy
If Yes is selected, when an administrator who has one or more ISA access policies adds a new system, the ISA policy defaults to Do Not Assign an ISA policy. Default: No.
NOTE: This global setting only affects systems added through the TPAM web interface, not systems added through the API, CLI or batch import.

Role Policy / Ignore Policies includes collection membership
Changes the behavior of the Ignore System Access Policies check box when it is selected for an account. Default: No.
If Yes is selected, the check box ignores both system-level and collection-level permission assignments that apply to the account’s parent system.
If No is selected, the check box only ignores permissions assigned directly to the system. Permissions assigned to collections of which the system is a member still propagate to the account.
Role Policy / Pause Rebuild Policies job during batch operations
The job which rebuilds the Assigned Policies data normally runs every 60 seconds and rebuilds the data whenever updates are detected. Some types of batch import or update jobs may trigger this rebuild process many times while they are running, as do Auto Discovery and Account Discovery. If the job starts while one of these processes is still modifying data it may slow down TPAM and put a strain on resources. This setting allows you to pause the rebuild job until the end of the batch process. Default: Never.
The batch jobs and processes affected by this are: Import/Update Users, Systems, Accounts, Update Collection Membership, Update Permissions, LDAP and Generic Auto Discovery, and Account Discovery.
The settings are as follows:
• Never - the job processes updates as soon as they are detected.
• Only for updates triggered by the process itself - when one of the affected processes is running, all rebuilds triggered by updates from that process are deferred until that process ends.
• For all updates while a batch is running - while any of the affected batches are running, ALL scheduled rebuilds are deferred until the batch process has completed, no matter what process performs the updates. An administrator or ISA can still force a rebuild by clicking the Run Now button in the /tpam interface.
NOTE: If the Always use cached permission data global setting is set to Yes or Not for Password/File Retrieval and Session Start, we recommend leaving this setting at Never.
Role Policy / Require System and Account Name filters
When administrators and ISAs have access to very large numbers of systems and accounts they may experience performance problems when doing unfiltered searches on the Manage Systems and Manage Accounts pages. If Yes is selected, they are forced to enter a value for system and/or account name in order to retrieve a listing. Default: No.

Role Policy / Restrict ISA System Creation
If Yes is selected, only Administrators can add systems. Default: No.

Trash Cleanup / Allow Manual Hard Deletes
If Yes is selected, hard deletes of systems and accounts are allowed regardless of how the Days in Trash global setting is set. Default: Yes.

Trash Cleanup / Days in trash (0 = never delete)
Specifies the number of days that TPAM retains deleted systems and deleted accounts. When set to zero they are not deleted. Valid entries are 0-999. Default: 10.

User Control / Allow User Timezone Changes
If Yes is selected, users can change their Time Zone in My Info/User Details. If No is selected, only an Administrator or User Admin can change a user’s Time Zone. This does not affect the Time Zone controls for System Administrators. Default: Yes.

User Control / Default User Timezone
The default timezone for all new user IDs in the /tpam and /admin interfaces. This value can be overridden by a user template. Default: UTC.
12 Password Rules
• Introduction
• Default password rule
• Add a password rule
• Delete a password rule
Introduction
Password construction rules for managed systems are system and account specific. Two managed accounts on
the same system can have different password rules assigned. If a system and account have different password
rules the password rule assigned at the account level takes precedence. When creating a password rule make
sure the password rules on the managed system match what is configured in TPAM.
Default password rule
Password rules govern the passwords that are generated by TPAM. TPAM is pre-configured with a default
password rule that will appear in the listing. The default password rule can be modified to meet your needs but
not deleted. The default password rule is also used for local user authentication so there are limitations on
what values can be changed.
Add a password rule
To create a password rule:
1 Select System Status/Settings | Password Rules from the menu.
2 Click the New Rule button.
3 Enter a rule name.
4 Enter a description for the password rule. (Optional)
5 Enter values for the password rule definitions described in the table below.
Table 14. Password Rules Configuration: Password Rule definitions
Each entry gives the field, its description, and the default value.

Password Length
Specifies the shortest and longest password that can be generated. Valid entries are between 4 and 128. Default: 6/10.

First Character Value
Specifies the properties for the first character of the password. Select from:
• Alpha characters only
• Any Character Permitted
• Alphanumeric Permitted
Default: Any Character Permitted.

Uppercase Requirements
Specifies the use of uppercase characters within the password. Select from:
• Not Permitted
• Permitted
• Require at least 1 - 5
Default: Require at least 1.

Lowercase Requirements
Specifies the use of lowercase characters within the password. Select from:
• Not Permitted
• Permitted
• Require at least 1 - 5
Default: Require at least 1.

Numeric Requirements
Specifies the use of numeric characters in the password. Select from:
• Not Permitted
• Permitted
• Require at least 1 - 5
Default: Require at least 1.
Non-Alphanumeric Requirements
Specifies the use of non-alphanumeric characters in the password. Select from:
• Not Permitted
• Permitted
• Require at least 1 - 5
Default: Not Permitted.

Valid Non-Alphanumeric Characters
Specifies which non-alphanumeric characters may appear in the password. This is only an option if non-alphanumeric characters are Permitted. Choices are:
•   (blank space)
• ~ (tilde)
• ‘ (left quote)
• ! (exclamation mark)
• @ (at)
• # (pound)
• $ (dollar sign)
• % (percent)
• ^ (caret)
• & (ampersand)
• * (asterisk)
• ( (open parenthesis)
• ) (close parenthesis)
• _ (underscore)
• - (hyphen)
• + (plus sign)
• = (equals)
• { (open brace)
• } (close brace)
• [ (open bracket)
• ] (close bracket)
• | (pipe)
• \ (backslash)
• : (colon)
• ; (semicolon)
• < (less than)
• , (comma)
• > (greater than)
• . (period)
• ? (question mark)
• / (forward slash)
Default: Null.

Invalid Characters
Designates alphanumeric characters that will not be allowed in the password. Examples would be uppercase I and lowercase L, which are easily confused with each other and with the digit 1 when a password is read back or typed by hand. Default: Null.

Total # of characters available
The total number of unique characters available to create a password. When the Maximum Password Length is longer than half this value, the Nonconsecutive Repeat Characters option is set to Permitted and disabled. Default: 62.
Last Character Value
Specifies the properties for the last character of the password. Select from:
• Alpha characters only
• Any Character Permitted
• Alphanumeric Permitted
Default: Any Character Permitted.

Password reuse (global)
Options are:
• Permitted - the password generator can reuse a password.
• Not Permitted - the password generator will not reuse any account or synchronized account password for as long as the passwords are retained. In order to enable this option the password minimum length must be at least 10, the maximum length at least 20, and the rule must require at least 1 each of uppercase, lowercase and numeric characters. Editing Min or Max Length may reset this to Permitted. This applies across all accounts and synchronized passwords that use this password rule, and only to passwords generated by TPAM: passwords that have been manually typed in are used to prevent reuse, but a user will not be blocked from reusing an existing password. It does not apply to user login passwords.
Default: Permitted.

Password reuse per account
Options are:
• Permitted - the password generator can reuse a password.
• Not Permitted - the password generator will not reuse any account or synchronized account password for as long as the passwords are retained, on a per-account basis. In order to enable this option the password minimum length must be at least 10, the maximum length at least 20, and the rule must require at least 1 each of uppercase, lowercase and numeric characters. Editing Min or Max Length may reset this to Permitted. This applies only to passwords generated by TPAM: passwords that have been manually typed in are used to prevent reuse, but a user will not be blocked from reusing an existing password. It does not apply to user login passwords. Because the check is per account or synchronized password, it does not prevent the same password from being generated for multiple accounts or synchronized passwords.
Default: Permitted.

Consecutive Repeat Characters
Whether to allow a password with consecutive repeat characters. Case sensitive, so aA is not considered repeating but AA would be.
• Permitted
• Not Permitted
Default: Permitted.

Nonconsecutive Repeat Characters
Whether to allow a password with any repeated characters anywhere in the password, consecutive or not. Case sensitive, so e and E are not considered repeating.
• Permitted
• Not Permitted - if selected, this overrides the Consecutive Repeat Characters setting.
Default: Permitted.

Consecutive Uppercase
• Not allowed - a password will not contain any consecutive uppercase letters.
• Permitted, no limit - a password may contain any number of consecutive uppercase characters.
• No more than N - a password will not contain more than N consecutive uppercase characters.
Default: Permitted, No limit.
Consecutive Lowercase
• Not allowed - a password will not contain any consecutive lowercase letters.
• Permitted, no limit - a password may contain any number of consecutive lowercase characters.
• No more than N - a password will not contain more than N consecutive lowercase characters.
Default: Permitted, No limit.

Consecutive Alpha
• Not allowed - a password will not contain any consecutive alphabetic characters (A-Z or a-z).
• Permitted, no limit - a password may contain any number of consecutive alphabetic characters.
• No more than N - a password will not contain more than N consecutive alphabetic characters.
Default: Permitted, No limit.

Consecutive Numeric
• Not allowed - a password will not contain any consecutive numeric characters (0-9).
• Permitted, no limit - a password may contain any number of consecutive numeric characters.
• No more than N - a password will not contain more than N consecutive numeric characters.
Default: Permitted, No limit.

Consecutive Alphanumeric
• Not allowed - a password will not contain any consecutive alphanumeric characters (A-Z, a-z, 0-9).
• Permitted, no limit - a password may contain any number of consecutive alphanumeric characters.
• No more than N - a password will not contain more than N consecutive alphanumeric characters.
Default: Permitted, No limit.

Consecutive Non-alphanumeric
• Not allowed - a password will not contain any consecutive non-alphanumeric characters. Nonconsecutive non-alphanumeric characters are still allowed.
• Permitted, no limit - a password may contain any number of consecutive non-alphanumeric characters.
• No more than N - a password will not contain more than N consecutive non-alphanumeric characters.
Default: Not Permitted.
6 Click the Save Changes button.
7 Click the Test Password Rule button. Take note of the number of passwords requiring 10 or more attempts. A large number of these for a rule may create performance bottlenecks during the password change process. The test process limits the number of attempts to 30. If there are multiple “UNABLE TO CREATE PASSWORD” messages the rule is still allowed to be used, but should be restricted to low-volume or infrequently changed accounts.
The password rule is now available in the /tpam interface for assignment to systems and accounts.
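The rule definitions in Table 14 and the Test Password Rule step are easier to reason about with a concrete implementation. The following Python is an added example written for this guide, not TPAM code: it models a rule with the Table 14 fields (the attribute names, the -1/0/N encoding of the Requirements options and the encoding of the Consecutive limits are assumptions, and the Consecutive Alpha and Consecutive Alphanumeric limits are not modeled), checks a candidate password against it, generates passwords by rejection sampling with the same 30-attempt cap the test process uses, and reports how often 10 or more attempts were needed.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
POSITION = {"alpha": str.isalpha, "alnum": str.isalnum, "any": lambda c: True}


@dataclass
class PasswordRule:
    """Table 14 fields with their defaults (attribute names are assumptions)."""
    min_len: int = 6
    max_len: int = 10
    first_char: str = "any"          # "alpha", "alnum" or "any" (Any Character Permitted)
    last_char: str = "any"
    upper_req: int = 1               # -1 Not Permitted, 0 Permitted, 1..5 Require at least N
    lower_req: int = 1
    digit_req: int = 1
    special_req: int = -1
    valid_specials: str = ""         # the Valid Non-Alphanumeric Characters selected
    invalid_chars: str = ""          # e.g. "Il" to keep look-alike characters out
    consecutive_repeat: bool = True
    nonconsecutive_repeat: bool = True
    max_run_upper: Optional[int] = None   # None no limit, 1 Not allowed, N No more than N
    max_run_lower: Optional[int] = None
    max_run_digit: Optional[int] = None
    max_run_special: Optional[int] = 1    # Consecutive Non-alphanumeric: Not Permitted


def alphabet(rule: PasswordRule) -> str:
    """Characters the generator draws from (the 'Total # of characters available')."""
    parts = ((rule.upper_req, UPPER), (rule.lower_req, LOWER),
             (rule.digit_req, DIGITS), (rule.special_req, rule.valid_specials))
    pool = "".join(chars for req, chars in parts if req >= 0)
    return "".join(c for c in pool if c not in rule.invalid_chars)


def _max_run(pw: str, pred: Callable[[str], bool]) -> int:
    best = run = 0
    for c in pw:
        run = run + 1 if pred(c) else 0
        best = max(best, run)
    return best


def check(pw: str, rule: PasswordRule) -> List[str]:
    """Every way pw violates rule; an empty list means it complies."""
    problems: List[str] = []
    if not rule.min_len <= len(pw) <= rule.max_len:
        problems.append(f"length must be {rule.min_len}-{rule.max_len}")
    if not pw:
        return problems
    is_special = lambda c: not c.isalnum()
    classes = (("uppercase", rule.upper_req, rule.max_run_upper, lambda c: c in UPPER),
               ("lowercase", rule.lower_req, rule.max_run_lower, lambda c: c in LOWER),
               ("numeric", rule.digit_req, rule.max_run_digit, lambda c: c in DIGITS),
               ("non-alphanumeric", rule.special_req, rule.max_run_special, is_special))
    for name, req, limit, pred in classes:
        count = sum(1 for c in pw if pred(c))
        if req < 0 and count:
            problems.append(f"{name} characters are not permitted")
        elif count < req:
            problems.append(f"requires at least {req} {name} character(s)")
        if limit is not None and _max_run(pw, pred) > limit:
            problems.append(f"no more than {limit} consecutive {name} character(s)")
    if rule.special_req >= 0 and any(is_special(c) and c not in rule.valid_specials for c in pw):
        problems.append("contains a non-alphanumeric character outside the valid set")
    if any(c in rule.invalid_chars for c in pw):
        problems.append("contains an invalid character")
    for label, c, mode in (("first", pw[0], rule.first_char), ("last", pw[-1], rule.last_char)):
        if not POSITION[mode](c):
            problems.append(f"{label} character must satisfy {mode}")
    if not rule.consecutive_repeat and any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("consecutive repeated characters are not permitted")
    # TPAM forces this option to Permitted once max length exceeds half the alphabet
    if (not rule.nonconsecutive_repeat and rule.max_len <= len(alphabet(rule)) // 2
            and len(set(pw)) != len(pw)):
        problems.append("repeated characters are not permitted anywhere in the password")
    return problems


def generate(rule: PasswordRule, max_attempts: int = 30) -> Tuple[Optional[str], int]:
    """Rejection-sample a compliant password; (None, attempts) once the cap is hit."""
    pool = alphabet(rule)
    if not pool:
        return None, 0
    for attempt in range(1, max_attempts + 1):
        length = rule.min_len + secrets.randbelow(rule.max_len - rule.min_len + 1)
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if not check(candidate, rule):
            return candidate, attempt
    return None, max_attempts


def rule_report(rule: PasswordRule, samples: int = 100) -> dict:
    """What the Test Password Rule button reports: 10+ attempt cases and failures."""
    results = [generate(rule) for _ in range(samples)]
    return {"samples": samples,
            "ten_or_more": sum(1 for pw, n in results if pw is not None and n >= 10),
            "unable": sum(1 for pw, _ in results if pw is None)}
```

Tightening a rule (for example requiring all four character classes in a 6-character password with a single valid special character) drives up the ten_or_more and unable counts, which is the bottleneck the Test Password Rule step warns about. The same check() also shows why an Invalid Characters entry of I and l shrinks the alphabet the generator draws from, and why the rule on the managed system must match: a password that passes check() here but is rejected by the target system shows up as a failed change, not as an UNABLE TO CREATE PASSWORD message.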
Delete a password rule
A password rule cannot be deleted if it is assigned to a system or account.
To delete a password rule:
1 Select System Status/Settings | Password Rules from the menu.
2 Select the password rule to be deleted.
3 Click the Delete Rule button.
4 Click the OK button on the confirmation window.
13 Email Configuration
• Introduction
• Configure mail agent
• Start/Stop the mail agent
• Sent mail report
• Clear the mail queue
• Mail agent log
• Configure email notification
• Reset to factory defaults
Introduction
TPAM uses mail (SMTP) to provide notifications to approvers, requestors, reviewers, system contacts, account
contacts, as well as providing error alerting for defined administrators.
Configure mail agent
The mail agent settings allow the System Administrator to define the local SMTP server so that TPAM can send
email. The table below explains all of the options available on the Mail Agent Settings tab.
Table 15. Mail Agent Management: Settings tab options
Each entry gives the field, its description, whether it is required, and the default value.

Use MX Lookup?
If selected, TPAM queries DNS for the SMTP server’s MX record to find the host to send mail to. Required: No. Default: Off.

SMTP Server Address
IP address for the SMTP server. Required: Yes.

SMTP Sender Email
This address is displayed as the sender email address for email that TPAM generates. Required: Yes.

SMTP Reply To Address
The address that is used if a user replies to a TPAM generated email. Required: No.

Send mail every ... minutes
The frequency, in minutes, at which the mail agent sends email. Valid values are 1-20. Required: Yes. Default: 2.

Delete messages after ... failed attempts
The number of times the mail agent tries to send an email that fails to be delivered before it deletes the message. Required: Yes. Default: 5.

Auto Start when system restarts
If selected, the mail agent automatically restarts when TPAM is restarted. Required: No. Default: Off.

Test Email Address
Enter an email address to which TPAM sends a test email. The Send Test Email button is not enabled until the mail agent settings have been saved and the agent has a status of Running. The email address entered here is not saved. Required: No.
To configure the mail agent:
1 Select Mail Agent | Mail Agent from the menu.
2 Enter the information on the Settings tab (see Table 15).
3 Click the Save Changes button.
4 Click the Start button.
5 Enter a Test Email Address.
6 Click the Send Test Email button.
7 Click the OK button on the confirmation window.
NOTE: The agent has to have a current status of Running before you will be able to send a test email.
8 Check to see if you received the test email.
To clear the mail agent log:
1 Select Mail Agent | Mail Agent from the menu.
2 Click the Clear Agent Log button.
Start/Stop the mail agent
The status of the mail agent is visible at the top right of the Mail Agent Management pages. The Start and Stop buttons at the bottom of the page give the System Administrator the ability to stop and start the agent on demand.
IMPORTANT: Any time a primary appliance is put in maintenance mode, the mail agent is stopped. It does not restart automatically when the appliance is put back in operational mode unless the Auto Start when system restarts? check box is selected.
Sent mail report
The sent mail report provides a list of every email that has been queued for delivery by the mail agent. The sent mail report uses server time (UTC).
To view the sent mail report:
1 Select Mail Agent | Sent Mail Report from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Results tab.
Clear the mail queue
TPAM provides a way to clear the mail queue. This is helpful if the mail server has been down and you do not want to flood users with old emails that have queued up when the mail server is brought back up.
TIP: To avoid sending unwanted email, it is recommended to stop the mail agent before clearing the mail queue, and then restart it afterwards.
To clear the mail queue:
1 Select Mail Agent | Sent Mail Report from the menu.
2 Enter the filter criteria for the messages that you want to remove from the queue.
3 Select Queued for Delivery as the Mail Status.
4 Click the Clear Mail Queue button.
5 Click the OK button on the confirmation window.
This populates the Failed Date column on the Results page for these emails.
Mail agent log
The mail agent log provides a detailed report on SMTP activity. The mail agent log uses server time (UTC).
To view the mail agent log:
1 Select Mail Agent | Mail Agent Log from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Results tab.
To clear the mail agent log, select Mail Agent | Mail Agent from the menu and click the Clear Agent Log button (see Configure mail agent).
Configure email notification
The subject line and body text of the email messages sent by TPAM can be customized. The verbiage in the body of the email, embedded field information from TPAM (message tags) and hyperlinks can be customized for certain types of emails.
Email notifications that include a date/time can carry it in server time or in the user’s local time zone, depending on the tag. For example, on a session request :SubmittedDate: reflects the server date, and :SubmittedUserDate: reflects the date relative to the user making the request.
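As an added example, not code from TPAM, the following Python renders a message template carrying :SubmittedDate: and :SubmittedUserDate: tags from a single UTC timestamp, using the “Month/Day/Year hh:mm AM/PM” format from the System Date global setting. The template text, the :RequestID: and :SystemName: tag names, the user’s fixed UTC offset and the policy of leaving unknown tags untouched are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict

TAG = re.compile(r":([A-Za-z]+):")
DATE_FMT = "%m/%d/%Y %I:%M %p"   # the "Month/Day/Year hh:mm AM/PM" System Date format

# Constructed template (not one of TPAM's stock bodies); :RequestID: and
# :SystemName: are assumed tag names.
SAMPLE_TEMPLATE = (
    "Session request :RequestID: for :SystemName: was submitted on "
    ":SubmittedDate: (server time), :SubmittedUserDate: in your time zone."
)


def date_tags(submitted_utc_iso: str, user_offset_hours: float) -> Dict[str, str]:
    """Server time stays UTC; the user tag is the same instant in the user's zone.
    The user's zone is modeled as a fixed offset (an assumption of this example)."""
    submitted = datetime.fromisoformat(submitted_utc_iso)
    if submitted.tzinfo is None or submitted.utcoffset() != timedelta(0):
        raise ValueError("server timestamps must be tz-aware UTC")
    user_zone = timezone(timedelta(hours=user_offset_hours))
    return {
        "SubmittedDate": submitted.strftime(DATE_FMT) + " UTC",
        "SubmittedUserDate": submitted.astimezone(user_zone).strftime(DATE_FMT),
    }


def render(template: str, tags: Dict[str, str]) -> str:
    """Substitute :Tag: tokens. A tag with no value is left in place, so a mistyped
    tag is visible in the delivered mail instead of silently vanishing."""
    return TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), template)


def render_sample(submitted_utc_iso: str, user_offset_hours: float) -> str:
    """Render the constructed template for one request (constructed tag values)."""
    tags = date_tags(submitted_utc_iso, user_offset_hours)
    tags.update({"RequestID": "12345", "SystemName": "db01"})
    return render(SAMPLE_TEMPLATE, tags)
```

A request submitted at 01:30 UTC is stamped 01:30 AM UTC in :SubmittedDate: but 08:30 PM of the previous day in :SubmittedUserDate: for a user five hours behind UTC, which is why approval deadlines in a notification should name the zone they are expressed in.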
The table below describes the options on the Email Config page.
Table 16. Email Notification Configuration page options
Each entry gives the field, its description, whether it is required, and the default value.

Use the same URL for all Application Page links
If selected, all the different email notification types use the URL entered here for application page links. Typically the URL of the TPAM appliance should be entered here. It is important to consider whether this URL is accessible to all recipients of the email. For example, if TPAM has an RFC 1918 non-routable address, it is only accessible within that network (internally). If a NAT address is associated with the internal IP address of TPAM, that NAT address may be substituted. Required: No. Default: DefaultNetworkAddress.
Application page links are not available for all email types. Typically they are included with approval and review notifications, which gives the approver direct access to the request detail page for approval.
NOTE: Requestors may receive copies of an email with approval links, but will not be able to gain access to the approval page by following the hyperlink, because TPAM verifies each user’s authorization before displaying the page.

Email Type
A unique type of email notification. Email types preceded with an asterisk (*) have edits which have not been saved. Required: Yes.

Subject Line
The subject line that the recipient sees. This can be edited. Required: Yes.

Message Body
Each email type has a default message body that can be edited. Required: Yes.

Message Body Tags
For each email type a list of Message Body tags is provided to copy and paste into the message body as desired. Required: No.

Application Page Link
The address used for any links in the email which reference a URL on the appliance. This address can be edited for each email type if the Use the same URL for all Application Page links check box is not selected. Required: Yes.

Send To
For many of the Request notification email types you can select who the notification should be sent to: the Approvers, ISAs, and/or Requestor. Required: No.
To configure email notification:
1 Select Mail Agent | Email Config from the menu.
2 If all email types should use the same URL for application page links, select the Use the same URL for all Application Page links check box and enter the URL to be used for the TPAM appliance.
3 Select an Email Type from the list and edit the subject line, message body, application page link, and Send To options as desired.
4 Repeat this for each email type as needed.
5 Click the Save Changes button.
Reset to factory defaults
You can use the Reset to Default button for changing an individual email to the default. To change all altered
email types back to the factory default click the Reset All Emails to Factory Default button.
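The tag substitution and time-zone behaviour described above, together with the reachability concern for application page links from Table 16, as an added example (not TPAM's code): :RequestID: and :ApplicationPageLink: are hypothetical tag names, and the templates, timestamp and address are constructed.

```python
"""Added example, not TPAM's own code: render an email notification template
that carries a server (UTC) timestamp and a user-local timestamp in message
tags, and flag an application page link whose host is a non-routable (for
example RFC-1918) address that recipients outside that network cannot reach.
Only :SubmittedDate: and :SubmittedUserDate: are tag names from the guide;
:RequestID:, :ApplicationPageLink:, the template text and all sample values
are constructed for this example."""
import re
from datetime import datetime, timedelta, timezone, tzinfo
from ipaddress import ip_address
from urllib.parse import urlsplit

TAG_RE = re.compile(r":([A-Za-z]+):")   # message tags look like :TagName:
DATE_FMT = "%Y-%m-%d %H:%M %Z"

# Constructed templates standing in for a notification's subject line and body.
SAMPLE_SUBJECT = "Session request :RequestID: submitted :SubmittedUserDate:"
SAMPLE_BODY = ("A session request was submitted at :SubmittedDate: (server time), "
               "which is :SubmittedUserDate: in your time zone.\n"
               "Open the request detail page: :ApplicationPageLink:")


def render_tags(template: str, tags: dict) -> str:
    """Substitute every :Tag: from the mapping. Unknown tags are left in place so a
    misspelled tag shows up in the delivered mail instead of silently vanishing."""
    return TAG_RE.sub(lambda m: str(tags.get(m.group(1), m.group(0))), template)


def build_tags(submitted_utc: datetime, user_tz: tzinfo, request_id: str, link: str) -> dict:
    """Server time is UTC (the appliance clock never shifts for daylight saving);
    the user date is the same instant expressed in the requesting user's zone."""
    if submitted_utc.tzinfo is None or submitted_utc.utcoffset() != timedelta(0):
        raise ValueError("server timestamps must be timezone-aware UTC")
    return {
        "SubmittedDate": submitted_utc.strftime(DATE_FMT),
        "SubmittedUserDate": submitted_utc.astimezone(user_tz).strftime(DATE_FMT),
        "RequestID": request_id,            # hypothetical tag
        "ApplicationPageLink": link,        # hypothetical tag
    }


def link_is_internal_only(url: str) -> bool:
    """True when the link's host is a literal address that is not globally
    routable (RFC-1918, loopback, link-local and similar reserved ranges).
    A host name returns False: the URL alone does not say where it resolves."""
    host = urlsplit(url).hostname or ""
    try:
        return not ip_address(host).is_global
    except ValueError:
        return False


def render_notification(subject_tpl: str, body_tpl: str, submitted_utc: datetime,
                        user_tz: tzinfo, request_id: str, link: str) -> dict:
    """Render subject and body, and attach a warning if the page link is internal-only."""
    tags = build_tags(submitted_utc, user_tz, request_id, link)
    warning = None
    if link_is_internal_only(link):
        warning = (f"application page link {link} uses a non-routable address; "
                   "recipients outside that network need the NAT address instead")
    return {"subject": render_tags(subject_tpl, tags),
            "body": render_tags(body_tpl, tags),
            "warning": warning}


def demo() -> dict:
    """Render the constructed sample for a user five hours behind UTC."""
    submitted = datetime(2015, 3, 2, 14, 30, tzinfo=timezone.utc)   # constructed server time
    user_zone = timezone(timedelta(hours=-5))   # fixed offset stands in for the user's zone
    return render_notification(SAMPLE_SUBJECT, SAMPLE_BODY, submitted, user_zone,
                               "R-1042", "https://10.20.30.40/tpam")  # constructed RFC-1918 address


if __name__ == "__main__":
    result = demo()
    print(result["subject"])
    print(result["body"])
    print(result["warning"])
```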
14 Date and Time Configuration
• Introduction
• Set date and time
• Configure network time protocol
Introduction
The server time of the appliance is based on coordinated universal time (UTC). The UTC time zone never undergoes transitions between Standard Time and Daylight Saving Time.
Set date and time
To set the date and time of the appliance:
1 Select System Status/Settings | Date/Time Configuration | System Date from the menu.
2 Enter the date.
3 Enter the time.
4 Click the Save Settings button.
NOTE: If the TPAM appliance is configured to synchronize with an NTP server then the ability to manually set the system date and time is disabled.
Configure network time protocol
TPAM can use network time protocol (NTP) to keep the system clock in synchronization with a time server.
To configure NTP:
1 Select System Status/Settings | Date/Time Configuration | NTP Config from the menu.
2 Enter the network address of a primary and secondary (optional) NTP server.
3 Select the Enable Time Synchronization check box.
4 Click the Save Settings button.
To troubleshoot NTP synchronization, click the Diagnostics tab.
Click one of the option buttons and click the Perform Scheduled Diagnostic button. The table below provides an overview of the options.
Table 17. NTP synchronization: Diagnostics tab options
Option: Status
Description: Displays Windows time service status.
Option: Configuration
Description: Displays the run-time configuration and where each setting comes from.
Option: Restart W32Time Service
Description: Stops and starts the Windows time service.
Option: Resync with Current NTP Servers
Description: Tells the computer that it should re-synchronize its clock as soon as possible, throwing out all accumulated error statistics.
Option: Strip Chart
Description: Displays a strip chart of the offset between this computer and another computer.
15 Keys and Certificates
• Introduction
• Manage host keys
• Manage SSH keys
• Generate web certificate request
• Import web certificate
• TPAM trusted CA certificates
• Web access trusted CA certificates
• Reset certificate to factory default
• Certificate based web access for user IDs
• Sybase trusted root certificates
• MySQL trusted root certificates
• Upload a certificate on a replica
Introduction
The options under the Keys menu allow the System Administrator to manage keys and certificates.
Manage host keys
The Manage Host Keys page is used to view and delete entries from the known_hosts file.
To delete an entry from the known_hosts file:
1 Select Keys | Manage Host Keys from the menu.
2 Select the network address to be deleted.
3 Click the Details tab for more information.
4 To delete the entry click the Clear Known Host button.
Manage SSH keys
The SSH Private Key is stored on TPAM, and is used to make secure connections to remote managed systems. The
remote systems have the public key of the key pair. Dell Software provides an initial key pair for these
connections when TPAM is shipped. It is common (and recommended) that these keys eventually be replaced.
This ensures that no one, not even Dell Software, has the private key.
You have the ability to have up to three SSH Keys active simultaneously.
To add an SSH key:
1 Select Keys | Manage SSH Keys from the menu.
2 Click the Add Key button.
3 Enter the Key File Name.
4 Enter a Start Date and End Date. (Optional) If a start date is not entered, the key will not be active. If an end date is not entered, the assumed end date is 12/31/2037. If you enter an end date, a start date is required. TPAM will not allow you to save a key that will make more than 3 keys active at the same time. You will not be able to save the key until the dates are adjusted on the other keys so that only 3 will be active at one time.
5 Select a key source from the following choices:
• Gen 2048bit key - TPAM will generate 2048 bit keys.
• Gen 1048bit key - TPAM will generate 1048 bit keys.
• Enter private key - Paste your private key in the field below.
• Upload private key file - Click the Select File button. Click the Browse button and select the file. Click the Upload button.
6 Click the Save Changes button.
When the process is complete, the new public key is available for download to TPAM managed systems.
To delete a key:
1 Select Keys | Manage SSH Keys from the menu.
2 Select the key to be deleted on the Listing tab.
3 Click the Delete Key button.
4 Click the OK button on the confirmation window.
NOTE: If deleting a key will create a gap with no active keys, the key will not be deleted and you will get a warning message.
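A check of the activation-window rules from the add and delete procedures above, as an added example (not TPAM's code): the guide states the no-gap rule only in outline, so the day-by-day coverage check is an assumption, and the key names and dates are constructed.

```python
"""Added example, not TPAM's own code: check SSH key activation windows against
the rules in the guide before saving or deleting a key. A key with no start date
is never active; a missing end date means 12/31/2037; an end date requires a
start date; no more than 3 keys may be active on the same day; and a key is not
deleted if that would leave a gap with no active key. The guide does not say
how the gap is evaluated, so this example assumes (constructed rule) that every
day of the deleted key's window from today onward must still be covered by
another key. Key names and dates below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DEFAULT_END = date(2037, 12, 31)   # assumed end date when none is entered
MAX_ACTIVE = 3                     # keys that may be active at the same time


@dataclass(frozen=True)
class SshKey:
    name: str
    start: Optional[date]
    end: Optional[date]

    def window(self) -> Optional[Tuple[date, date]]:
        """Inclusive activation window, or None if the key never becomes active."""
        if self.start is None:
            if self.end is not None:
                raise ValueError(f"{self.name}: an end date requires a start date")
            return None
        end = self.end if self.end is not None else DEFAULT_END
        if end < self.start:
            raise ValueError(f"{self.name}: end date is before start date")
        return (self.start, end)


def peak_active(keys: List[SshKey]) -> Tuple[int, Optional[date]]:
    """Sweep line over start/end events: the most keys active on any one day,
    and the first day on which that peak occurs."""
    events = []
    for key in keys:
        win = key.window()
        if win is not None:
            events.append((win[0], 1))                        # becomes active
            events.append((win[1] + timedelta(days=1), -1))   # day after inclusive end
    events.sort()                                             # -1 sorts before +1 on the same day
    peak, current, peak_day = 0, 0, None
    for day, delta in events:
        current += delta
        if current > peak:
            peak, peak_day = current, day
    return peak, peak_day


def can_add(existing: List[SshKey], new: SshKey) -> Tuple[bool, str]:
    """The save-time rule: refuse a key that would push concurrency past MAX_ACTIVE."""
    peak, day = peak_active(list(existing) + [new])
    if peak > MAX_ACTIVE:
        return False, (f"{peak} keys would be active on {day}; adjust dates so that "
                       f"only {MAX_ACTIVE} are active at one time")
    return True, "ok"


def can_delete(existing: List[SshKey], name: str, today: date) -> Tuple[bool, str]:
    """The delete-time rule (assumed evaluation): every remaining day of the
    deleted key's window must still have at least one other active key."""
    target = next(key for key in existing if key.name == name)
    win = target.window()
    if win is None:
        return True, "key was never active"
    others = [k.window() for k in existing if k.name != name]
    others = [w for w in others if w is not None]
    day = max(win[0], today)
    while day <= win[1]:
        if not any(start <= day <= end for start, end in others):
            return False, f"no key would be active on {day}"
        day += timedelta(days=1)
    return True, "ok"


TODAY = date(2015, 6, 1)   # constructed "today"
SAMPLE_KEYS = [
    SshKey("factory", date(2014, 1, 1), date(2015, 12, 31)),   # shipped key, retired end of 2015
    SshKey("key-2015", date(2015, 6, 1), None),                # replacement, open ended (2037)
]


def demo() -> dict:
    july = SshKey("july-only", date(2015, 7, 1), date(2015, 7, 31))
    fourth = SshKey("fourth", date(2015, 7, 15), date(2015, 8, 15))
    return {
        "peak": peak_active(SAMPLE_KEYS + [july]),            # (3, 2015-07-01)
        "add_july": can_add(SAMPLE_KEYS, july),               # ok: exactly 3 overlap
        "add_fourth": can_add(SAMPLE_KEYS + [july], fourth),  # refused: 4 on 2015-07-15
        "delete_factory": can_delete(SAMPLE_KEYS, "factory", TODAY),    # ok: key-2015 covers it
        "delete_key_2015": can_delete(SAMPLE_KEYS, "key-2015", TODAY),  # refused: gap from 2016-01-01
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```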
You have the ability to regenerate the TPAM appliance’s SSH host keys. Please use with caution. Changing the appliance's SSH host key can affect CLI/API operations, since the identification string for the appliance has changed and clients that have previously connected to the appliance will report an error. Also, if you have DPAs enrolled and you regenerate the SSH host keys, you must log on to the DPA console and delete TPAM from known_hosts. This option is under the Network Settings menu.
To regenerate a key:
1 Select Keys | Manage SSH Keys from the menu.
2 Click the Regen HostKey button.
3 Click the OK button on the confirmation window.
Generate web certificate request
Replacing the certificate is a process that includes generating a request, downloading and submitting the request file to a certificate authority (CA), obtaining and loading CA certificates as TPAM Trusted CA certificates, and uploading the newly issued certificate to TPAM.
NOTE: Certificates must be generated or imported on all TPAM devices; the primary TPAM device will NOT replicate the certificate to replicas.
To replace a certificate on TPAM:
1 Select Keys | Web Certificate Request from the config menu.
2 Enter the information in the fields marked with asterisks.
3 Enter subject alternative names separated by semi-colons. (Optional)
4 Click the Generate button.
5 Click the Download File button to download the request file generated by TPAM. Use this request file with the CA to obtain a new certificate.
6 Upload the issuing root CA’s certificate (and any other intermediate CA’s certificates) of the new web certificate into TPAM. See TPAM trusted CA certificates for instructions.
7 Click the Select File button.
8 Click the Browse button to locate the new certificate. Select the file.
9 Click the Upload button.
10 Click the Install Web Certificate button to upload the new certificate provided by the CA. If an invalid certificate is loaded TPAM will revert back to the last valid certificate.
11 Click the OK button on the confirmation window.
12 Refresh the page to view the new certificate.
Import web certificate
NOTE: Certificates must be generated or imported on all TPAM devices; the primary TPAM device will NOT replicate the certificate to replicas.
IMPORTANT: BEFORE importing a web certificate, intermediate certificates and root certificate authority certificates must be imported first.
To install your own web certificate on the TPAM appliance:
1 Select Keys | Web Certificate Request from the config menu.
2 Click the Import cert button.
3 Click the Select File button.
4 Click the Browse button. Select the file.
5 Click the Upload button.
6 Enter the import password.
7 Click the Import Web Certificate button.
8 Click the OK button on the confirmation window. If an invalid certificate is loaded TPAM will revert back to the last valid certificate.
TPAM trusted CA certificates
If you are adding a web certificate for your appliance, the certificate authority certificate(s) for the web
certificate must be loaded into TPAM before the web certificate is installed or imported.
Also, if users will be authenticating with a client certificate (including smart card based authentication), the
certificate authority for these client certificates must be loaded in TPAM, so TPAM recognizes it as a valid
source.
First, obtain the CA certificate from the issuing certificate authority.
To load the trusted CA certificate:
1 Select Keys | TPAM Trusted CA Certs from the admin menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select one of the Fail options (Fail options do not apply to certificates used for PSM Web Access):
• None - only the Thumbprint is used for verification.
• Failsafe - authentication is permitted if the OCSP response is “good”, or if the thumbprint matches.
• Failsecure - authentication is denied if the OCSP responder gives any response other than “good”.
6 Click the Import Certificate button.
Web access trusted CA certificates
Trusted CA certificates can be installed into the browser used during PSM Web Access sessions to avoid warnings
about invalid web site security certificates. These Trusted CA certificates can be imported into TPAM, and the
certificates will be pushed to the DPA and installed into the browser when starting a PSM web access session.
To load the trusted CA certificate:
1 Select Keys | Web Access Trusted CA Certs from the admin menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Click the Import Certificate button.
Reset certificate to factory default
To reset the web certificate to the factory default:
1 Select Keys | Web Certificate Request from the config menu.
2 Click the Reset button.
3 Click the OK button on the confirmation window.
Certificate based web access for user IDs
User IDs can be configured to authenticate to the TPAM web interface using client certificates. As with web certificates, the certificate(s) of the CAs that issued the client certificate must be loaded into TPAM. The SHA-1 certificate thumbprint for a user ID can be entered for users wanting to authenticate using a trusted authority.
When users log on to TPAM they will be prompted to confirm the certificate by clicking the OK button.
Sybase trusted root certificates
To use the secure communication channel from TPAM to ASE, there is additional configuration that must be
performed on TPAM.
NOTE: If you decide to use a tunnel through SSL, these steps are not needed.
To configure Sybase® trusted certificates:
1 Select Keys | Sybase Trusted Root Certs from the menu.
2 Paste the Base64 encoded certificate that was used to sign the certificate installed at the Sybase data server into the text box.
NOTE: If you use multiple Trusted Roots for signing certificates used at different Sybase instances in your organization (for example, having some issued from an internal Certificate Authority (CA) and others issued by a commercial CA), this text box should include all the root certificates used in your Sybase environment. This is accomplished by appending additional certificates (each denoted by a -----BEGIN CERTIFICATE----- … -----END CERTIFICATE----- pair). You can also place comment information in between the certificates to make it easier to identify the information in there, as shown in the example below.
3 Click the Save Settings button.
4 After the certificate(s) have been loaded, set up the Sybase managed systems in TPAM to use this secure channel for communication. Update or add the Sybase managed system to specify the correct port for the secure channel (Sybase default is 5000) and select Use SSL, as shown below.
5 Click the Save Changes button.
6 Click the Test System button to test the connection to the Sybase managed system.
MySQL trusted root certificates
To use the secure communication channel from TPAM to MySQL, there is additional configuration that must be
performed in TPAM.
NOTE: If you decide to use a tunnel through SSH, these steps are not needed.
To configure MySQL trusted certificates:
1 Select Keys | MySQL Trusted Root Certs from the menu.
2 Paste in your MySQL certificate.
3 Click the Save Settings button.
4 After the certificate(s) have been saved, set up the MySQL managed systems in TPAM to use this secure channel for communication. Update or add the MySQL managed system to specify the correct port for the secure channel (MySQL default is 3306) and select Use SSL, as shown below.
5 Click the Save Changes button.
6 Click the Test System button to test the connection to the MySQL managed system.
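A pre-save check for the bundle pasted into the Sybase and MySQL trusted root text boxes described above, as an added example (not TPAM's code): it follows the comment-between-blocks layout from the Sybase note, and the two certificate bodies are constructed placeholders rather than real CA certificates.

```python
"""Added example, not TPAM's own code: inspect a pasted trusted-root bundle
before saving it in the Sybase or MySQL Trusted Root Certs text box. The guide
says several root certificates may be appended, each between a
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- line, with comment
text between them. This parser separates the blocks, checks that each body is
valid Base64 for a DER SEQUENCE, and reports a SHA-1 thumbprint per block so
it can be compared with the CA you intended to trust. The two certificate
bodies in SAMPLE_BUNDLE are constructed placeholders, not real certificates."""
import base64
import hashlib
from typing import Dict, List, Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _placeholder_der(serial: int) -> str:
    """Base64 of a tiny DER SEQUENCE (constructed stand-in for a certificate body)."""
    return base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, serial])).decode()


# Constructed bundle in the layout the guide describes: comments between blocks.
SAMPLE_BUNDLE = "\n".join([
    "# Internal CA root (constructed placeholder)",
    BEGIN, _placeholder_der(1), END,
    "# Commercial CA root (constructed placeholder)",
    BEGIN, _placeholder_der(2), END,
])


def _describe(body_b64: str, comment: str, end_line: int, errors: List[str]) -> Dict:
    """Decode one block and compute its thumbprint; record problems in errors."""
    try:
        der = base64.b64decode(body_b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        errors.append(f"block ending at line {end_line}: body is not valid Base64 ({exc})")
        der = b""
    if der and der[0] != 0x30:
        errors.append(f"block ending at line {end_line}: payload is not a DER SEQUENCE")
    return {
        "comment": comment,
        "der_bytes": len(der),
        "sha1": hashlib.sha1(der).hexdigest().upper() if der else None,
    }


def parse_bundle(text: str) -> Tuple[List[Dict], List[str]]:
    """Walk the pasted text line by line. Returns (certificates, errors); an
    unterminated block, a stray END, or undecodable Base64 is reported rather
    than silently dropped, because a bundle saved with a broken block trusts
    fewer roots than the administrator believes."""
    certs, errors = [], []
    comment_lines, body_lines, inside, begin_line = [], [], False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                errors.append(f"line {begin_line}: block has no END line")
            inside, begin_line, body_lines = True, lineno, []
        elif line == END:
            if not inside:
                errors.append(f"line {lineno}: END without a matching BEGIN")
                continue
            certs.append(_describe("".join(body_lines), " ".join(comment_lines), lineno, errors))
            inside, body_lines, comment_lines = False, [], []
        elif inside:
            body_lines.append(line)
        elif line:
            comment_lines.append(line.lstrip("#").strip())   # free-text comment between blocks
    if inside:
        errors.append(f"line {begin_line}: block has no END line")
    return certs, errors


if __name__ == "__main__":
    found, problems = parse_bundle(SAMPLE_BUNDLE)
    for cert in found:
        print(f"{cert['sha1']}  {cert['der_bytes']} bytes  {cert['comment']}")
    print("errors:", problems or "none")
```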
Upload a certificate on a replica
To generate and upload a certificate on a replica:
1 Log on to the /admin interface of the primary.
2 Select System Status/Settings | Cluster Management from the menu.
3 Select the replica you want to generate/load a certificate on.
4 Click the Force Failover button.
5 Click the Continue with Change button on the confirmation window.
6 Log on to the /admin interface of the replica.
7 See Generate web certificate request, and Import web certificate. Once these steps are completed on the replica you will need to unforce the failover.
8 Log on to the /admin interface of the primary appliance.
9 Select System Status/Settings | Cluster Management from the menu.
10 Select the cluster member that is currently failed over.
11 Click the Un-force Failover button.
16 Automation Engine
• Introduction
• Agent status tab
• Start/Stop the auto management engine
• Disable/Enable an agent
• Auto Management settings tab
• Check password queue schedule
• Manually load the check password queue
• Agent logs
Introduction
The automation engine is the heart of TPAM. This portion of the TPAM architecture is where password
management on remote systems is configured and scheduled. Once the automation engine is running, several
different agents can be enabled on the engine to perform privileged password management functions. Logs
provide a record of agent activities and messages of success or failure.
Agent status tab
The current status of all the agents, either Enabled or Disabled, is displayed on the status tab, as well as events
queued on the engine for processing. The table below describes the functions of the different agents.
Table 18. Auto Management Agent: Status tab options
Field: Auto Management
Description: The auto management engine that runs all the various password management and discovery agents.
Default: Enabled
Field: Check
Description: If enabled, this agent periodically checks the passwords on remote managed system accounts and compares them to the password stored in the TPAM database. This provides an automated integrity checking mechanism that ensures that the password that is released for use by TPAM is valid on the remote system.
Default: Enabled
Field: Change
Description: If enabled, this agent looks for accounts that are scheduled for a password change and performs the change.
Default: Enabled
Field: DA Change
Description: If enabled, the domain account agent looks for services that must have their password changed because they rely on a managed account.
Default: Enabled
Field: Man Pwd Change
Description: If enabled, the manual password agent triggers email notifications to the email address listed at the account level, when it is time to change the password.
Default: Disabled
Field: Sync Pass Change
Description: If enabled, the synchronized password change agent looks for accounts that are subscribers of a synchronized password that must be changed.
Default: Disabled
Field: Account Discovery
Description: If enabled, this agent looks for new and deleted account changes on remote managed systems.
Default: Disabled
Start/Stop the auto management engine
To start/stop the engine:
1 Select Automation Engine | Auto Mgt Agent from the menu.
2 Click the Start or Stop button next to the Auto Management agent status.
Stopping the Automation Engine stops all agents that are enabled on the engine.
IMPORTANT: Anytime a primary appliance is put in maintenance mode, the automation engine will be
stopped. It will not restart automatically when the appliance is put into operational mode unless the Start
Management Agent when system restarts? check box is selected.
NOTE: The automation engine cannot be started on a failed over replica.
Disable/Enable an agent
To disable/enable an agent:
1 Select Automation Engine | Auto Mgt Agent from the menu.
2 Click the Disable or Enable button for the desired agent.
NOTE: If you disable an agent and the change process is currently busy processing changes, it may take
some time for the service to stop.
Auto Management settings tab
The table below describes the fields on the auto management settings tab. The default settings for threads is
dependent on whether you have a standard or enterprise TPAM appliance.
Table 19. Auto Management Agent: Settings tab options
Field: Max Worker Threads
Description: TPAM uses a pool of worker threads to service a larger number of queries, which improves performance. Valid entries are 1-10.
Field: Start Management Agent when system restarts?
Description: If selected, the automation engine will automatically start when the TPAM appliance restarts.
NOTE: This option is not available on a failed over replica.
Field: Full Load Percentages
Description: Allocates the number of agent processes based on the number of max worker threads.
Field: Maximum Threads
Description: Sets upper limits that will override the percentage allocation of threads.
Field: Retry Intervals
Description: The amount of time, in minutes, that an agent will wait before retrying a failed change or check attempt on an account. If the check process completes (even if it is unsuccessful) it will not retry. When checking an account on a system that is unreachable, TPAM will retry the check using the retry interval, schedule and settings of the assigned password check profile.
Check password queue schedule
The check password schedule that was previously controlled by the settings on this page are now controlled by
the Password Check Profile assigned to the account or synchronized password. For more details please see the
TPAM Administrator Guide.
IMPORTANT: Passwords will not be checked if the Check agent is disabled. The Check agent must also be
enabled to process the passwords in the queue.
Manually load the check password queue
To manually load the check password queue:
1 Select Automation Engine | Auto Mgt Agent from the menu.
2 Click the Load Test Queue button.
Agent logs
The table below describes the check and change logs available in TPAM. These logs use server time (UTC).
Table 20. TPAM Check and Change logs
Log: Test Agent Log
Description: This log provides details on all password checks performed by the check agent.
Log: Test Log
Description: This log provides details on password checks performed by the check agent and by users performing manual password checks.
Log: Change Agent Log
Description: This log provides details on all password changes performed by the change agent.
Log: Change Log
Description: This log provides details on password changes performed by the change agent and by users performing manual password changes or by clicking the reset password button in the /tpam interface.
To view the logs:
1 Select Automation Engine | Auto Mgt Agent from the menu.
2 Click the Logs Filter tab.
3 Enter your filter criteria.
4 Click one of the Logs tabs to view the results.
To clear a log:
1 Select Automation Engine | Auto Mgt Agent from the menu.
2 Click the Log tab that you want to clear.
3 Click the Clear Agent Log button.
4 Click the OK button on the confirmation window. This will clear all the data in the log.
17 Agents
• Introduction
• Daily Maintenance agent
• Auto Discovery agent
• Post-Session Processing agent
• SSH daemon
Introduction
The agents in TPAM execute scheduled tasks for different functions on a regular basis.
Daily Maintenance agent
The daily maintenance agent combines several back end jobs (batch report start time, purging of old data) into one. The daily maintenance agent and its log use server time (UTC).
To configure the start time for the daily maintenance agent:
1 Select System Status/Settings | Agents | Daily Maintenance from the menu.
2 Enter the start time using a 24-hour clock.
3 Click the Save Changes button.
To view the logs:
1 Select System Status/Settings | Agents | Daily Maintenance from the menu.
2 Click the Processing Log tab.
3 Enter your search criteria on the filter tab.
4 Click the Results tab.
Auto Discovery agent
The auto discovery agent controls LDAP and generic integration and the ability of TPAM to automatically create
and update systems and users.
To start/stop the auto discovery agent:
1 Select System Status/Settings | Agents | Auto Discovery from the menu.
2 Click the Start or Stop button to start or stop the agent.
Select the Auto Start when system restarts? check box to have the auto discovery agent automatically restart
whenever TPAM is restarted and click the Save Changes button.
IMPORTANT: Anytime a primary appliance is put in maintenance mode, the auto discovery agent will be
stopped. It will not restart automatically when the appliance is put back in operational mode unless the
Auto Start when system restarts? check box is selected.
The auto discovery agent log displays server time (UTC).
To view the log:
1 Select System Status/Settings | Agents | Auto Discovery from the menu.
2 Click the Agent Log tab.
3 Enter your search criteria on the filter tab.
4 Click the Results tab.
Post-Session Processing agent
For any post session profile activities to be triggered after a session expires, the post-session processing agent
must be started. The agent will check and/or change passwords on accounts depending on how the post-session
profile is configured.
Synchronized password subscribers are processed in priority order. If any of the subscribers fail to change, the
agent stops and tries again based on the Synch Pass Change agent retry interval setting. If the prioritized
subscribers succeed but some non-prioritized subscribers fail, then the failures will be processed by the regular
change agent. Manual subscribers are scheduled with the regular manual change agent.
To start/stop the post-session processing agent:
1 Select System Status/Settings | Agents | Post-Session Processing from the menu.
2 Click the Start or Stop button to start or stop the agent.
To configure the agent interval select an agent frequency from the list and click the Save Changes button.
The post session processing agent log displays server time (UTC).
To view the logs:
1 Select System Status/Settings | Agents | Post-Session Processing from the menu.
2 Click the Agent Log tab.
3 Enter your search criteria on the filter tab.
4 Click the Results tab.
SSH daemon
The SSH daemon can be restarted without having to reboot the TPAM appliance.
To stop/start the SSH daemon:
1 Select System Status/Settings | Agents | SSHD Agent from the menu.
2 Click the Stop or Start button.
18 Backups
• Introduction
• Backup settings tab
• Configure the backup schedule
• On demand backup
• View backup log
• View backup history
• Download an online backup
• Delete a backup
Introduction
Considering the value of the information stored in TPAM, the backup engine is an integral part of TPAM. Backups can be configured to run automatically and be moved securely to offline storage. The backup is always encrypted, so the backup can be maintained without the risk of exposing sensitive data.
IMPORTANT: If PSM sessions are being recorded on the appliance and they are not sent to an archive
server the TPAM backups can get extremely large. It is recommended to send session logs to an archive
server to avoid this.
Backup settings tab
The table below describes all the options on the backup settings tab.
Table 21. Backup Management: Settings tab options
Field: Enabled
Description: If selected, the backup will occur based on the schedule selected.
Default: On
Field: Daily
Description: If selected, the backup will occur daily at the time designated.
Default: On
Field: Weekly
Description: If selected, the backup will occur on the day/s selected at the time designated.
Default: Off
Field: Monthly
Description: If selected, the backup will occur on the day of the month specified at the time designated.
Default: Off
Field: Secondary Encryption
Description: The backup will already be encrypted by default. To add secondary encryption select Password, and enter a password that will be required when performing a restore. To view the masked password, click the Show Password button. Viewing the password is logged in the Sys-Admin Activity log.
Default: No secondary encryption
Field: Transfer the backup to this archive server
Description: Select an archive server from the list to transfer the backups to.
Default: No
Field: Send Backup Results to the following Email address
Description: Enter an email address to send Failed or All backup results to.
Default: No
Configure the backup schedule
To configure the backup schedule:
1 Select Backup | Modify Backup Settings from the menu.
2 Set the backup frequency and start time.
3 Enter password for secondary encryption. (Optional)
4 Select an archive server from the list to store the backup on. To configure an archive server see Configure archive servers. By default the backup files will also be stored online.
TIP: It is strongly advised that backups be sent to an archive server. In the event of disaster recovery, it may be necessary to have a recent backup stored safely offline.
5 Enter an email address to receive all or just failed notifications on the backup process.
6 Click the Save Changes button.
On demand backup
To run a backup on demand:
1 Select Backup | Modify Backup Settings from the menu.
2 Click the Backup Now button. A message will be displayed on the bottom of the page that the backup has started.
View backup log
By default TPAM will store 30 days worth of backup logs. To change the retention period for the logs see Edit
global settings. The backup log uses server time (UTC).
To view backup logs:
1 Select Backup | Backup Log from the menu.
2 Enter your search criteria on the filter tab.
3 Click the Results tab.
To clear the backup log click the Clear Backup Log button.
View backup history
The backup history report uses server time (UTC).
To view backup history:
1 Select Backup | Backup History from the menu.
2 Enter your search criteria on the filter tab.
3 Click the Results tab.
Download an online backup
The number of online backups that can be stored at one time is configured in Global Settings. See Edit global
settings. The archive files are named TPAM_Date_Time.zip and listed in ascending order. The online backup
completion time is displayed in server time (UTC).
IMPORTANT: Do not rename backup files; doing so will cause a restore to fail.
To download an online backup:
1 Select Backup | Manage OnLine Backups from the menu.
2 Select the backup to download.
3 Click the Download button.
4 Select Save File to save the backup offline.
5 Click the OK button.
Delete a backup
To delete an online backup:
1 Select Backup | Manage OnLine Backups from the menu.
2 Select the backup to delete.
3 Click the Delete button.
4 Click the OK button on the confirmation window.
19 Alerts
• Introduction
• Add an alert receiver
• Delete an alert receiver
• Alert thresholds
Introduction
The alerts in TPAM allow you to receive notification via email or SNMP, for over eighty different errors or status
notifications.
Add an alert receiver
To add an alert receiver:
1 Select System Status/Settings | Alerts | Receivers from the menu.
2 Click the Add Alert Receiver button.
3 Enter a receiver name.
4 Clear the Receiver Enabled? check box if you want to save the alert receiver without it being enabled. (Optional)
5 Enter a description for the alert receiver. (Optional)
6 Use one of the following methods to select the receiver type:
• Select E-mail. Enter the email addresses that will receive these alerts.
• Select SNMP. Enter the network address, community, port, and version.
NOTE: If SNMP is selected, the MIB cannot be downloaded until after you select the alerts on the Alerts tab, click the Save Changes button and return to the Details tab.
7 Enter the number of times TPAM should attempt to re-send the alert if there is an unsuccessful attempt. An entry of 0 indicates that no retries will be made.
8 Click the Save Changes button.
9 To send a test email click the Send Test Message button. (Optional)
10 Click the Alerts tab.
11 Select the subscribe check boxes for the alerts you want to subscribe to. Select the subscribe check box next to the component name to subscribe to all the alerts under that component. Clicking the Select All button will select all alerts. Clicking the Select None button will clear all the subscribe check boxes. Clicking the Toggle button selects any check box that was clear, and clears all the check boxes that were selected.
12 Click the Save Changes button.
Where you see %1%,%2% in the message, it represents a variable that will be populated on the alert notification
when received. The alert severity will be displayed in the subject line of the message.
Delete an alert receiver
To delete an alert receiver:
1 Select System Status/Settings | Alerts | Receivers from the menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the receiver to delete.
5 Click the Delete Alert Receiver button.
6 Click the OK button on the confirmation window.
Alert thresholds
Some of the alert receivers that you can subscribe to, such as CPU checks, have configurable thresholds. For
example, the alert “The utilization of the appliance hard drive is %1%, exceeding the threshold of %2%.” The
%2% that this alert references is configured here in the disk space threshold.
To configure alert thresholds:
1 Select System Status/Settings | Alerts | Thresholds from the menu.
2 To change the default value enter the number and click the Save Changes button.
20 External Authentication
• Introduction
• Certificate based authentication
• SafeWord
• RSA SecurID
• LDAP
• Windows Active Directory
• RADIUS
• Defender
Introduction
TPAM supports several different methods of external authentication. These are described in detail below.
Certificate based authentication
TPAM supports PKI based external authentication through smart cards and web certificates. If users are authenticating with a client certificate, the certificate authority for these client certificates must be loaded in TPAM, so TPAM recognizes it as a valid source. For details on how to load the certificate see TPAM trusted CA certificates. When the user ID is added to TPAM the certificate SHA-1 thumbprint is entered as part of the user setup.
SafeWord
The table below explains the options when configuring SafeWord.
Table 22. Configure SafeWord: Settings tab options
Field | Description | Required? | Default
Server Address | The IP address of the SafeWord server. | Yes |
Weight | Consult your SafeWord administrator. | Yes | 0
Conns | Consult your SafeWord administrator. | Yes | 0
Port | Enter the TCP port that the SafeWord server will be listening on. | Yes |
EASSP Version | Select one of the following as the SafeWord version: SafeWord 5.1.1 and older; SafeWord 5.1.2 and newer; SafeWord Plus; Premier Access. | Yes |
Socket Timeout | The number of seconds before an unanswered request is dropped. | Yes |
System Name | Consult your SafeWord administrator. | Yes |
Agent Name | Consult your SafeWord administrator. | Yes |
Authentication Timeout | The maximum number of hours that an authenticated session can persist. | Yes |
To configure SafeWord, select System Status/Settings | External Authentication | SafeWord Config from the menu.
Enter the required information as described in the table above and click the Save Changes button.
Make sure that the port number entered in TPAM matches the port number for the SafeWord authentication
engine server port.
To clear existing server verification data files click the Clear Swec button. The next successful log on attempt
recreates this data file.
A TPAM user configured with SafeWord as external authentication method will see the following logon prompt
when logging on to TPAM and be required to enter their token.
RSA SecurID
SecurID® requires that two files be imported into TPAM, sdconf.rec and sdopts.rec. These files contain specific
information regarding the ACE server configuration and the necessary parameters.
To configure SecurID:
1 Select System Status/Settings | External Authentication | SecurID Config from the menu.
2 Enter the max number of hours a session can persist in the Authentication Timeout field.
3 Select SDOpts.rec from the Import File Type list.
4 Click the Select File button.
5 Click the Browse button. Select the file.
6 Click the Upload button.
7 Click the Import Options File button.
8 Click the OK button on the confirmation window.
9 Select SDConf.rec from the Import File Type list.
10 Click the Select File button.
11 Click the Browse button. Select the file.
12 Click the Upload button.
13 Click the Import Config File button.
14 Click the OK button on the confirmation window.
The Save button is only related to the Authentication Timeout attribute of the SecurID external authentication.
The upload of the SDConf.rec file is what is required to allow for SecurID external authentication. The
SDOpts.rec file is optional. Once the SDConf.rec file has been imported to establish SecurID as an external
authentication source, subsequent visits to the page will default the Import File Type to SDOpts.rec. The Clear
Settings button will remove the files and clear SecurID as an external authentication source.
NOTE: The RSA® Administrator must enter the host IP address of the TPAM appliance in the RSA server,
making sure there are no existing node secrets, and the host is open to locally known users. The agent
type must be netOS or Single Comm Trans.
LDAP
TPAM supports Windows or Unix® LDAP environments.
To configure LDAP:
1 Select System Status/Settings | External Authentication | LDAP Config from the menu.
2 Click the New System button.
3 Enter the LDAP server name.
4 Enter the IP address or FQDN of the authentication server.
5 Enter the maximum number of hours that an authenticated session can persist.
6 Select the SSL check box to enable SSL. (Optional)
7 Click the Save Changes button.
Windows Active Directory
To configure Windows Active Directory®:
1 Select System Status/Settings | External Authentication | WinAD Config from the menu.
2 Click the New System button.
3 Enter the Windows Active Directory server name.
4 Enter the IP address or FQDN of the authentication server.
5 Enter the maximum number of hours that an authenticated session can persist.
6 Click the Save Changes button.
RADIUS
TPAM supports the RADIUS challenge/response protocol when RADIUS is used as the primary authentication method.
To configure RADIUS:
1 Select System Status/Settings | External Authentication | RADIUS Config from the menu.
2 Click the New System button.
3 Enter the RADIUS server name.
4 Enter the IP address or FQDN of the authentication server.
5 Enter the maximum number of hours that an authenticated session can persist.
6 Change the Port if needed.
7 Enter the secret needed for authentication.
8 Click the Save Changes button.
Defender
TPAM supports the Defender challenge/response protocol when Defender is used as the primary authentication method.
To configure Defender:
1 Select System Status/Settings | External Authentication | Defender Config from the menu.
2 Click the New System button.
3 Enter the Defender server name.
4 Enter the IP address or FQDN of the authentication server.
5 Enter the maximum number of hours that an authenticated session can persist.
6 Change the Port if needed.
7 Enter the secret needed for authentication.
8 Click the Save Changes button.
21 Ticket Systems
• Introduction
• Details tab
• Data tab
• Rules listing tab
• Rule details tab
• Add a ticket system
• Add a ticket system rule
• Duplicate a ticket system rule
• Delete a ticket system rule
• Duplicate a ticket system
• Delete a ticket system
Introduction
Ticket Systems are configured so that TPAM will validate ticket numbers and other information about the
request that are entered at the time the password, file, or session request is submitted. If a password, file, or
session is requested that requires a Ticket Number, the number is passed to the indicated ticket system for a
“yes/no” answer. The validation may be as simple as “they entered a number and that’s all we need” or as
involved as “not only must the ticket number exist in the ticket system but the data returned must match the
user’s name, request, requested account, system, dates, and so on.” More than one ticket system can be
configured.
If a password, file, or session request fails the validation rules that have been configured, the request is
immediately canceled and the requestor has the option to try again.
To set up ticket systems you must complete the following steps:
• Configure the ticket system in the /admin interface.
• Assign the ticket system to systems, accounts and files in the /tpam interface.
To add a ticket system, information is entered on the following tabs in the /admin interface:
Table 23. /admin interface tabs
Tab name | Description
Details | Where name and connection information is configured.
Data | Where the commands are configured to retrieve the validation information.
Rules | Used to describe what to do with the data returned from the query.
Details tab
The table below explains the fields available on the ticket system details tab.
Table 24. Ticket System Management: Details tab options
Field | Description | Required? | Default
Ticket System Name | Descriptive name for the ticket system. Must be unique and no longer than 30 characters. | Yes |
Description | The description box may be used to provide additional information about the ticket system. | No |
Enable Validation for this Ticket System | If selected, TPAM will perform a validation against this ticket system. | No | Off
Allow provisional validation when system is disabled | If selected, and Enable Validation for this Ticket System is not selected, then any requests made against this ticket system still require a ticket number, but the ticket number will not be validated when the request is submitted. When the approver goes to approve/deny the request they will see the following note on the page: "The ticket number listed above was provisionally validated because the Ticket System was disabled at the time of the request. Press the Revalidate button to attempt to revalidate the Ticket." The approver has the option to approve/deny the request without revalidating the ticket, or to click the Revalidate Ticket button before approving/denying the request. If the approver tries to revalidate the ticket and the ticket system is now enabled, and the ticket fails validation, the request is automatically denied. NOTE: This option is not available on Manual ticket system types. | No | Off
Ticket System Type | Select from: Not Managed (a system not managed by TPAM; all connection information must be provided); Managed (the system and account must be set up as managed in the /tpam interface); Web Service (the service must reside on a system that is reachable from the TPAM appliance, using either HTTP POST or GET protocol, and return a stream of XML with either data related to the ticket or an error condition); Manual (there is no database integration for this type of ticket system; validation of ticket numbers will be accomplished with an expression entered in the Connection Information). | Yes | Not Managed
ODBC Driver (applies to Not Managed) | Select from: MS SQL Server, Oracle, Sybase, MySQL. | Yes |
Use SSL? (applies to Not Managed) | If selected, the validation query will use SSL to communicate with the target database unless a non-default value is entered. | No | Off
Network Address (applies to Not Managed) | An IP address or system name that is resolvable from the appliance. | Yes |
Port Number (applies to Not Managed) | The port number will be automatically filled in after the ticket system is saved. | Yes |
Timeout (applies to Not Managed) | The number of seconds the validation routines wait for a response before the database times out. | No |
Database Name (applies to Not Managed) | Applies to SQL Server, MySQL or Sybase databases. The name of the ticket system database on the indicated server. | Yes |
SID/Service Name (applies to Not Managed) | Applies to Oracle® databases. The SID or service name to connect to on the Oracle server. | Yes |
User Name (applies to Not Managed) | The log on to get into the database. For SQL Server databases this must be a SQL Server authentication ID. Windows authentication is not supported. | Yes |
Password (applies to Not Managed) | The password is stored in TPAM using the same encryption method that is used for managed accounts. Blank passwords are supported, but not recommended. When editing a ticket system, leave the password field blank unless you want to change it. | No |
System (applies to Managed) | The system name of the managed system configured in the /tpam interface. The platform must be MS SQL Server, Oracle or Sybase. | Yes |
Account (applies to Managed) | The managed account name for the managed system that has been set up in the /tpam interface. | Yes |
URI (applies to Web Service) | Enter the URI (uniform resource identifier) of the ticket system. Include extra query string information if the URI requires it, but do not include any query string data that passes the actual ticket number. That information is defined on the Data tab. | Yes |
Type (applies to Web Service) | Select HTTP POST, HTTP GET, REST GET, or REST POST as the protocol. As opposed to HTTP GET/POST, REST calls incorporate substitution values into the Ticket System URI instead of a query string or form body. This means that instead of adding name/value pairs in the Data tab's Web Service Parameters, you put the desired :name: substitution values directly into the URI on the Details tab, for instance https://192.168.164.1:8443/tickets/:TicketNumber: | Yes | HTTP POST
XML Path (applies to Web Service) | The optional path entered here uses the XPATH 1.0 standard to reference specific subsections of the XML. If no path is entered the system uses the top level element as the base element for the returned data. Only simple element values are processed as data; no complex sub-elements or attributes are processed. | No |
XML Error Path (applies to Web Service) | An error may be returned by the web service in one of two ways. If no value is entered for the XML error path the error is expected to be returned through an HTTP response value. If a value is entered the system examines the XML and considers it to be an error if the error path object is present. Make sure that the value entered for the error path is only present when the web service returns an error. If both the XML path and the XML error path are found in the returned XML the call is considered to have failed. | No |
User Name / Password (applies to Web Service) | If the web service requires a fixed username and password to perform validation enter those values here. If the web service supports anonymous calls leave these values blank. | No |
System Name / Account (applies to Web Service) | A TPAM managed system and account can be used to supply a username and password for the web service request. The managed system does not have to be a specific platform type and may be a different platform than that used by the web service. The system uses the account name and current account password as the user name and password for the call. | No |
Validation Expressions (applies to Manual) | Select from one of the following validation expressions: Any number or character; Only numbers; Only uppercase letters; Any letters; Letters, numbers, underscores; Letters, numbers, underscores, dashes; Custom expression (accepts .NET regular expression syntax; the expressions are case sensitive by default, and beginning the expression with (?i) makes the whole expression case insensitive; for more information on regular expression syntax go to http://msdn.microsoft.com/en-us/library/az24scfc(v=VS.110).aspx). | Yes | Any number or character
Test Ticket Number (applies to Manual) | Enter a ticket number to test the regular expression. The test ticket number is not saved. | No |
Data tab
The data tab is where the actual commands being issued against the target system to retrieve ticket
information are configured.
SQL command
Special note regarding MySQL data sources
If your MySQL data source contains any columns with string data types which have a collation other than Latin1,
you must use the following syntax in your SQL command:
;CharSet=X;YourSQLCommand
The semi-colon before CharSet and after X are required, and there are no spaces before or after the semicolon. Replace the X with the name of the character set for the collation being used. For example:
;CharSet=utf8;select * from userintegration.usersource
Note that all of the string type columns which are present in the data set must use the same collation. You
cannot have one returned column as Latin1 and another as utf8. The CharSet indicator is not needed if your
result set contains only numeric, date, or time column types.
The table below explains the fields available on the ticket system data tab for the SQL command option.
Table 25. Ticket System Management: Data tab options for SQL command
Field | Description | Required? | Default
SQL Command | Enter a simple SELECT query or execute a stored procedure to return a single row result set. Substitution parameters may be entered in the command using :param: syntax. Oracle databases only support SELECT type syntax, no EXEC stored procedure for a result set. SQL Server supports SELECT and EXEC. Case sensitivity is controlled by the target database. The SELECT and EXEC statement must be written to produce a result set of exactly one row if successful. When validating ticket numbers for requests a result set of zero rows or more than one row is considered as a failed validation. NOTE: This command is executed against the target database. Please ensure that the database login has proper safeguards to prevent accidental or intentional loss of data. | |
Substitution Values | This list shows all the valid substitution values from a file, password, session request or ISA retrieval. Not all values apply to all types of requests. Any values which are entered in this list are only used when testing the SQL command by clicking the Generate List button. The values are saved, but are global to all ticket systems. The values are not used during regular ticket validation. | |
Fields Returned | This is the list of fields returned from the SQL command that will be used for ticket validation. Field names, types, and length are from the database result set description. These field names will be usable when building the validation rules for this ticket system. You can edit the description of the result set by clicking on each field entry and editing field name, type, or length using the controls to the right. You may also use these to manually create a result set if you cannot successfully test your SQL command. | |
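The CharSet prefix, the :param: substitution syntax and the exactly-one-row requirement described above, as an added example that is not TPAM's own code. It uses an in-memory SQLite table in place of the ticket database, and binds the substitution values as query parameters instead of splicing them into the command text; that binding, the table layout and the ticket values are assumptions for the example, not a description of how TPAM executes the command.

```python
"""Added example: handling a ticket-system SQL command as the Data tab describes.

Covers the ';CharSet=X;' prefix for MySQL data sources, ':param:' substitution
values (including the quoted ':AccountName:' form) and the requirement that a
successful validation query return exactly one row. SQLite stands in for the
ticket database; the parameter binding is an assumption about a safe
implementation, not a description of TPAM internals.
"""
import re
import sqlite3
from typing import Any, Dict, List, Optional, Tuple

# ';CharSet=X;' must directly precede the command, with no spaces around the semicolons.
CHARSET_PREFIX = re.compile(r"^;CharSet=([A-Za-z0-9_]+);(.*)$", re.DOTALL)
# A :Name: token, optionally wrapped in the single quotes the page recommends.
PARAM_TOKEN = re.compile(r"'?:([A-Za-z][A-Za-z0-9_]*):'?")


def split_charset(command: str) -> Tuple[Optional[str], str]:
    """Return (charset, sql); charset is None when no prefix is present."""
    m = CHARSET_PREFIX.match(command)
    if m is None:
        return None, command
    return m.group(1), m.group(2)


def bind_substitutions(sql: str, values: Dict[str, Any]) -> Tuple[str, List[Any]]:
    """Replace each :Name: token with a '?' placeholder and collect the bound values.

    An unknown substitution name raises instead of binding an empty string, so a
    misconfigured command does not silently look like a 'ticket not found'.
    """
    bound: List[Any] = []

    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in values:
            raise KeyError(f"unknown substitution value :{name}:")
        bound.append(values[name])
        return "?"

    return PARAM_TOKEN.sub(repl, sql), bound


def fetch_ticket_row(conn: sqlite3.Connection, command: str,
                     values: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Run the validation query and return its single row as a dict.

    Returns None when the Ticket Exists rule fails, i.e. the query produced zero
    rows or more than one row.
    """
    charset, sql = split_charset(command)
    # With a real MySQL driver the charset would be applied to the connection;
    # SQLite is always UTF-8, so it is only recorded here.
    _ = charset
    sql, bound = bind_substitutions(sql, values)
    cur = conn.execute(sql, bound)
    names = [d[0] for d in cur.description]
    rows = cur.fetchmany(2)  # a second row is enough to know validation failed
    if len(rows) != 1:
        return None
    return dict(zip(names, rows[0]))


def demo_connection() -> sqlite3.Connection:
    """Constructed sample ticket table standing in for the ticket system database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (ticket_number TEXT, account_name TEXT, status TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", [
        ("CHG-1001", "oracle", "Approved"),
        ("CHG-1002", "oracle", "Approved"),
        ("CHG-1002", "oracle", "Closed"),  # duplicate number: two rows come back
    ])
    conn.commit()
    return conn


# Constructed command in the form the page shows: CharSet prefix, quoted tokens.
TICKET_QUERY = (
    ";CharSet=utf8;"
    "select ticket_number, account_name, status from tickets "
    "where ticket_number = ':TicketNumber:' and account_name = ':AccountName:'"
)


if __name__ == "__main__":
    db = demo_connection()
    print(fetch_ticket_row(db, TICKET_QUERY, {"TicketNumber": "CHG-1001", "AccountName": "oracle"}))
    print(fetch_ticket_row(db, TICKET_QUERY, {"TicketNumber": "CHG-1002", "AccountName": "oracle"}))
```

The duplicate CHG-1002 rows show why the one-row rule matters: a ticket number that matches two records fails validation just as a missing one does.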
Web services
The table below explains the fields available on the ticket system data tab for the web services option.
Table 26. Ticket System Management: Data tab options for web services
Field | Description | Required? | Default
Web Service Parameters | Web service parameters consist of one or more sets of parameter name and value pairs. The parameter name must be unique and may only contain letters, numbers, hyphens (-), underscores (_) and periods. The parameter value may be any of the ticket system substitution values, blank or static text. If static text is selected from the Parameter Value list, then up to 255 characters of static text can be entered. When the validation call is made the text is passed as is. If you enter static text that includes one of the :substitution: values in the Parameter Value list, it will become that substitution value when it is validated. | No |
Substitution Values | This list shows all the valid substitution values from a file, password, or session request or ISA retrieval. Not all values apply to all types of requests. When using a substitution value in the SQL command make sure to put colons on either side of the value name and quote the string appropriately, e.g., ':AccountName:', not 'AccountName'. The values in the list are only used when testing the web service call via the Generate List button. The test values are saved, but they are global to all ticket systems. The values are not used during regular ticket validation. You should enter a value for any substitution you reference in the Web Service Parameters before clicking the Generate List button. | |
Fields Returned | This is the list of fields returned from the web service call that will be used for ticket validation. Field names, types, and length are from the database result set description. These field names will be usable when building the validation rules for this ticket system. You can edit the description of the result set by clicking on each field entry and editing field name, type, or length using the controls to the right. You may also use these to manually create a result set if you cannot successfully test your Web Service call. | |
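The web service call as the Details tab (URI, Type, XML Path, XML Error Path) and the Web Service Parameters above describe it, as an added example that is not TPAM's own code. It shows REST-style substitution into the URI against HTTP GET name/value parameters, and the XML Path / XML Error Path decision rules; the sample XML, URIs and the :AccountName:/:TicketNumber: values are constructed, and paths are resolved with the XPath subset that xml.etree supports rather than full XPath 1.0.

```python
"""Added example: the web service ticket validation call as the Details and
Data tabs describe it (not TPAM code).

Shows REST-style substitution into the URI versus HTTP GET name/value
parameters, and the XML Path / XML Error Path decision rules. Element paths are
resolved with the XPath subset that xml.etree supports (an assumption; the page
names XPATH 1.0). Sample XML and URIs are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from urllib.parse import quote, urlencode

PARAM_TOKEN = re.compile(r":([A-Za-z][A-Za-z0-9_]*):")
# Parameter names may only contain letters, numbers, hyphens, underscores and periods.
PARAM_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def substitute(text: str, values: Dict[str, str]) -> str:
    """Replace every :Name: token in static text with its substitution value."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in values:
            raise KeyError(f"unknown substitution value :{name}:")
        return values[name]
    return PARAM_TOKEN.sub(repl, text)


def build_rest_uri(uri_template: str, values: Dict[str, str]) -> str:
    """REST GET/POST: tokens live in the URI itself, e.g. .../tickets/:TicketNumber:.

    Each value is percent-encoded so a ticket number cannot add path segments or
    a query string of its own.
    """
    return PARAM_TOKEN.sub(lambda m: quote(substitute(m.group(0), values), safe=""), uri_template)


def build_http_get_uri(uri: str, params: List[Tuple[str, str]], values: Dict[str, str]) -> str:
    """HTTP GET: name/value pairs from Web Service Parameters become the query string.

    A value may be a :Name: token, static text (which may embed tokens) or blank.
    """
    for name, _ in params:
        if not PARAM_NAME.match(name):
            raise ValueError(f"invalid parameter name {name!r}")
    query = [(name, substitute(value, values)) for name, value in params]
    return uri + ("&" if "?" in uri else "?") + urlencode(query)


def extract_fields(xml_text: str, xml_path: str, xml_error_path: str,
                   http_status: int) -> Tuple[bool, Dict[str, str]]:
    """Apply the XML Path / XML Error Path rules to a response.

    - no error path configured: the error is expected as an HTTP status code
    - error path configured and present: the call failed, even if XML Path also matched
    - otherwise the simple child elements of the base element are the fields returned
    """
    if not xml_error_path and http_status >= 400:
        return False, {}
    # For real responses parse with a hardened parser (e.g. defusedxml) rather than
    # the stdlib one; the constructed sample here is trusted.
    root = ET.fromstring(xml_text)
    if xml_error_path and root.find(xml_error_path) is not None:
        return False, {}
    base = root.find(xml_path) if xml_path else root
    if base is None:
        return False, {}
    # Only simple element values count; sub-elements with children and attributes are ignored.
    fields = {child.tag: (child.text or "").strip() for child in base if len(child) == 0}
    return True, fields


# Constructed sample responses from a hypothetical ticket web service.
OK_XML = """<response>
  <ticket>
    <number>CHG-1001</number>
    <status>Approved</status>
    <assignee><name>jsmith</name></assignee>
  </ticket>
</response>"""
ERROR_XML = "<response><error><code>404</code><message>no such ticket</message></error></response>"
```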
Rules listing tab
The rules and rules details tabs are used to describe what to do with the data returned from the query to
determine if a valid ticket number has been entered.
The Listing tab shows a summary of all rules defined for the currently selected ticket system. If a ticket is
entered that requires validation, all the enabled rules associated with the ticket system are executed in the
order shown in this list. If all rules return a true value then the ticket number is accepted. The first rule that
returns a false value makes the ticket number invalid and the password/session/release request is canceled.
After a ticket system is added the Ticket Exists rule appears as a default. This rule ensures that the SQL
command from the Data tab must return one and only one row. If the SQL command returns 0 (zero) or more
than one row of data this rule fails and no further rule checking is performed. This rule cannot be moved or
disabled and is always executed first.
Rule details tab
The Rule Details tab lets you create arbitrarily complex rules that can be used to validate the data returned
from the SQL command or web services call in the context where the ticket number is being used.
The table below describes the fields on the Rule Details tab.
Table 27. Ticket System Management: Rules: Rule Details tab options
Field | Description | Required? | Default
Rule Name | Enter the rule name. It does not need to be unique. A default rule name is created based on the ID of the ticket system and the position in the list of rules. | Yes |
Description | A brief description about the rule. | |
Enabled | After the rule has been validated, select this check box to enable the rule. | No | Off
Syntax Results | Displays a WHERE clause-like version of the entered syntax. After the rule syntax is created and validated this read only area shows the syntax and/or any errors that were detected. If all the syntax looks acceptable the indicator turns green. If any portion of the syntax is invalid (bad quoting, missing group start or end, missing conjunction, and so on) the error is included in the Syntax Results and the indicator to the left of it turns red. | No |
Sequence | This is a read only value showing the execution order of this rule. | |
NOT | The NOT indicator at the left of the line and the conjunction on the right can each be cycled through their allowed values by clicking on the block. NOT toggles to either show the word NOT or blank. | |
AND/OR | The Conjunction block cycles between AND, OR, and blank. | |
Add Row Above/Below buttons | If clicked, these buttons add a new row of syntax above or below the current row (indicated by the symbol). The conjunction block defaults to either AND or blank and the conditional defaults to =. | |
Delete Current Row button | If clicked, this button deletes the current row of syntax. The last row of syntax cannot be removed. | |
Clear button | If clicked, this button clears the syntax area and creates a single, default line. | |
Start Group button | If clicked, this button inserts a left parenthesis above the current row. | |
End Group button | If clicked, this button inserts a right parenthesis below the current row. | |
Validate button | If clicked, this checks all entered syntax and converts it to WHERE clause format in the Syntax Results area of the page. | |
Nesting Level | This is a read only value that attempts to keep track of start/end groupings. If the user has more start groups than end groups the value is greater than zero. If the user has more end groups than start groups the value is negative. The value here does not reflect the nesting level of the current line, only the total nesting level of the entire syntax area. | |
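The rule syntax rows, the Nesting Level value and the Listing tab's "first false rule rejects" execution order, as an added example that is not TPAM's own code. It models the NOT indicator, the AND/OR conjunction block and Start/End Group rows, reports the kind of errors the Validate button describes, and evaluates the rows against a constructed result set; how the real engine attaches a conjunction to a group end is an assumption, as are the :UserName: substitution name and the field names.

```python
"""Added example (not TPAM code): the Rule Details syntax rows as a small rule engine.
Rows: {'not': bool, 'field': str, 'op': str, 'value': str, 'conj': 'AND'|'OR'|''} for a condition,
{'group': 'start'|'end'} for a group. Assumed: a row's conjunction takes effect after any End
Group rows directly below it, and AND binds tighter than OR as in a SQL WHERE clause.
The :UserName: substitution name and the sample field names are constructed."""
import re
from typing import Any, Dict, List, Optional, Tuple

SUBST = re.compile(r"^:([A-Za-z][A-Za-z0-9_]*):$")
OPS = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b}  # the conditional defaults to =
PREC = {"OR": 0, "AND": 1}


def nesting_level(rows: List[Dict[str, Any]]) -> int:
    """Start Groups minus End Groups over the whole syntax area (the Nesting Level value)."""
    return sum({"start": 1, "end": -1}.get(r.get("group"), 0) for r in rows)


def tokenize(rows: List[Dict[str, Any]]) -> Tuple[List[Any], List[str]]:
    """Flatten rows into tokens and collect the errors the Validate button would report."""
    tokens: List[Any] = []
    errors: List[str] = []
    pending, need_operand = "", True  # conjunction not yet emitted; operand expected next
    for i, r in enumerate(rows, 1):
        if r.get("group") == "end":
            if need_operand:
                errors.append(f"row {i}: End Group with no condition before it")
            tokens.append(")")
            need_operand = False
            continue
        if pending:
            tokens.append(pending)
            pending = ""
        elif not need_operand:
            errors.append(f"row {i}: missing conjunction")
        if r.get("group") == "start":
            tokens.append("(")
            need_operand = True
            continue
        if r["op"] not in OPS:
            errors.append(f"row {i}: unknown conditional {r['op']!r}")
        if r.get("not"):
            tokens.append("NOT")
        tokens.append(("cond", r["field"], r["op"], r["value"]))
        pending, need_operand = r.get("conj", ""), False
    if pending or need_operand:
        errors.append("syntax ends with a conjunction or without a condition")
    if nesting_level(rows) != 0:
        errors.append(f"unbalanced groups (nesting level {nesting_level(rows)})")
    return tokens, errors


def evaluate(tokens: List[Any], fields: Dict[str, Any], subs: Dict[str, Any]) -> bool:
    """Evaluate error-free tokens against the Fields Returned and the request's substitution values."""
    pos = 0

    def take() -> Any:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def cond(t: Any) -> bool:
        _, field, op, value = t
        m = SUBST.match(value)  # a :Name: value is resolved from the request's substitution values
        return OPS[op](str(fields[field]), str(subs[m.group(1)] if m else value))

    def term() -> bool:  # NOT term | ( expr ) | condition
        t = take()
        if t == "NOT":
            return not term()
        if t == "(":
            v = expr()
            take()  # consume the matching ')'
            return v
        return cond(t)

    def expr(min_prec: int = 0) -> bool:  # precedence climbing over AND / OR
        v = term()
        while pos < len(tokens) and tokens[pos] in PREC and PREC[tokens[pos]] >= min_prec:
            op = take()
            rhs = expr(PREC[op] + 1)
            v = (v and rhs) if op == "AND" else (v or rhs)
        return v

    return expr()


def validate_ticket(rules: List[Dict[str, Any]], fields: Optional[Dict[str, Any]],
                    subs: Dict[str, Any]) -> bool:
    """Ticket Exists first (fields is None unless exactly one row came back), then enabled rules in order."""
    if fields is None:
        return False
    for rule in rules:
        if rule.get("enabled"):
            tokens, errors = tokenize(rule["rows"])
            if errors or not evaluate(tokens, fields, subs):
                return False
    return True


def row(field: str, op: str, value: str, conj: str = "", negate: bool = False) -> Dict[str, Any]:
    return {"not": negate, "field": field, "op": op, "value": value, "conj": conj}


# Constructed rule: (status = 'Approved' OR status = 'Scheduled') AND NOT assignee <> :UserName:
SAMPLE_RULES = [{"name": "TS1-Rule1", "enabled": True, "rows": [
    {"group": "start"}, row("status", "=", "Approved", "OR"), row("status", "=", "Scheduled", "AND"),
    {"group": "end"}, row("assignee", "<>", ":UserName:", negate=True)]}]
```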
NOTE: The :PwdCurrentlyReleased: substitution value can only be used on the Rules tab, it cannot be used
as a substitution value when entering the SQL command on the Data tab.
:PwdCurrentlyReleased: can be used to control the retrieval of a password by an ISA if the ISA is using the Proxy
Release For field to act as a proxy for another user. It evaluates to Y or N according to the following rules:
• An ISA release where the ISA does not enter a value for the Proxy Release For field: :PwdCurrentlyReleased: evaluates to “N”.
• An ISA release where the ISA does enter a value for “Proxy Release For”:
  • If another ISA has retrieved the password as a proxy for somebody AND the password has not yet been reset, :PwdCurrentlyReleased: evaluates to “Y”.
  • If the ISA issuing the request has already retrieved the password for a different proxy AND the password has not yet been reset, :PwdCurrentlyReleased: evaluates to “Y”.
  • If the password has been released due to an approved request AND the password has not yet been reset, :PwdCurrentlyReleased: evaluates to “Y”.
• A requester enters a request where the request window (Requested Release Date + Duration) overlaps an ISA Release where the ISA has entered a proxy: :PwdCurrentlyReleased: evaluates to “Y”.
• Under all other conditions :PwdCurrentlyReleased: evaluates to “N”.
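The :PwdCurrentlyReleased: rules above, carried through as an added example that is not TPAM's own code. Releases that are still in effect are modelled as records that stop counting once the password has been reset; that an ISA release has a start and end time like a request window, the record layouts and the user IDs are assumptions made for the example.

```python
"""Added example (not TPAM code): the :PwdCurrentlyReleased: rules for one account.

Releases still in effect are modelled as Release records; a release stops counting once
the password has been reset. Assumed: an ISA release has a start and end time like a
request window, and the request being evaluated is a Request record. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Release:
    kind: str                 # "isa" for an ISA retrieval, "request" for an approved request
    isa: Optional[str]        # user ID of the ISA who retrieved, None for approved requests
    proxy_for: Optional[str]  # value of Proxy Release For, None when left blank
    start: datetime
    end: datetime
    password_reset: bool = False  # True once the password has been changed since the release


@dataclass
class Request:
    kind: str                 # "isa" for an ISA retrieval, "request" for a regular request
    isa: Optional[str] = None
    proxy_for: Optional[str] = None
    release_date: Optional[datetime] = None   # Requested Release Date (regular requests)
    duration: timedelta = timedelta(hours=0)


def pwd_currently_released(req: Request, releases: List[Release]) -> str:
    """Return "Y" or "N" following the rules listed for :PwdCurrentlyReleased:."""
    active = [r for r in releases if not r.password_reset]
    if req.kind == "isa":
        if not req.proxy_for:
            return "N"  # ISA release without a Proxy Release For value
        for r in active:
            if r.kind == "isa" and r.proxy_for and r.isa != req.isa:
                return "Y"  # another ISA holds the password as a proxy for somebody
            if r.kind == "isa" and r.proxy_for and r.isa == req.isa and r.proxy_for != req.proxy_for:
                return "Y"  # the same ISA already holds it for a different proxy
            if r.kind == "request":
                return "Y"  # released through an approved request
        return "N"
    # Regular request: Y when its window overlaps an ISA release that named a proxy
    req_start = req.release_date
    req_end = req_start + req.duration
    for r in active:
        if r.kind == "isa" and r.proxy_for and r.start < req_end and req_start < r.end:
            return "Y"
    return "N"


T0 = datetime(2015, 6, 1, 9, 0)  # constructed reference time
# Constructed history for one account: a live ISA proxy release and an older, already reset
# release from an approved request.
SAMPLE_RELEASES = [
    Release("isa", "isa_alice", "bob", T0, T0 + timedelta(hours=2)),
    Release("request", None, None, T0 - timedelta(days=1), T0 - timedelta(hours=20), password_reset=True),
]


def regular_request(hours_after_t0: int, hours: int) -> Request:
    """Helper for the sample: a regular request window relative to T0."""
    return Request("request", release_date=T0 + timedelta(hours=hours_after_t0),
                   duration=timedelta(hours=hours))
```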
Add a ticket system
To add a ticket system:
1 Select System Status/Settings | Ticket Systems from the menu.
2 Click the Add Ticket System button.
3 Enter the information on the Details tab. For more information on this tab see Details tab.
4 Click the Save Changes button.
5 Click the Test Connection, Test Account, or Test Expression button to make sure that TPAM can connect to the ticket system. (Optional)
6 For Manual ticket system types, the set up is complete. For Not Managed, Managed and Web Service ticket system types click the Data tab.
7 Enter information on the Data tab. For more information on this tab see Data tab. Click the Generate List button. Click the Save Changes button.
8 Click the Rules tab. (Optional) Define additional ticket validation rules. For more information see Rule details tab and Add a ticket system rule.
Add a ticket system rule
To add a ticket system rule:
1 Select System Status/Settings | Ticket Systems from the menu.
2 Select the ticket system from the Listing tab.
3 Click the Rules tab.
4 Click the Add Rule button.
5 Enter the data for the rule using the fields described in Rule details tab.
6 Click the Save Changes button.
To prioritize the order that the ticket system rules are executed, select a rule on the Listing tab and click the
Move Up and Move Down buttons as needed.
Duplicate a ticket system rule
To duplicate a ticket system rule:
1 Select System Status/Settings | Ticket Systems from the menu.
2 Select the ticket system from the Listing tab.
3 Click the Rules tab.
4 Select the rule to duplicate.
5 Click the Duplicate Rule button.
The name, description, and syntax of the rule is copied, but is disabled by default.
Delete a ticket system rule
To delete a ticket system rule:
1 Select System Status/Settings | Ticket Systems from the menu.
2 Select the ticket system on the Listing tab.
3 Click the Rules tab.
4 Select the rule to be deleted.
5 Click the Delete Rule button.
6 Click the OK button on the confirmation window.
Duplicate a ticket system
To duplicate a ticket system:
1 Select System Status/Settings | Ticket Systems from the menu.
2 Select the ticket system to duplicate on the Listing tab.
3 Click the Duplicate button. The new ticket system will be saved with a default name of Copy of XXXXXXX and validation will be disabled by default.
Delete a ticket system
Any ticket system that is assigned to a system, account, or file will revert to Require a Ticket Number from
Any Ticket System, if the assigned ticket system is deleted.
To delete a ticket system:
1 Select System Status/Settings | Ticket Systems from the menu.
2 Select the ticket system to be deleted on the Listing tab.
3 Click the Delete Ticket System button.
4 Click the OK button on the confirmation window.
22 Custom Logo
• Introduction
• File requirements
• Upload custom logo
• Remove custom logo
Introduction
Customers have the ability to upload a custom logo that will be displayed in the header of the TPAM web
interface.
File requirements
In order to be uploaded as a custom logo the file must meet the following requirements:
• JPEG, PNG, GIF or BMP file format
• GIF files must be static, no animation allowed
• Maximum size of 30KB
• Image dimensions must be between 10H x 10W and 47H x 120W pixels
Upload custom logo
To upload a custom logo:
1 From the /admin interface, select System Status/Settings | Custom Logo Image from the menu.
2 Click the Select File button.
3 Click the Browse button and locate your logo file.
4 Click the Upload button. Once the image is loaded you will see a preview of what the header will look like with your logo added.
5 Click the Apply Sample Logo button.
6 Click the OK button on the confirmation window.
7 Refresh the page to see the new header.
Remove custom logo
To remove a custom logo from the header of the TPAM interface:
1 From the /admin interface, select System Status/Settings | Custom Logo Image from the menu.
2 Click the Remove Logo button.
3 Click the OK button on the confirmation window.
4 Refresh the page.
23 License Management
• Introduction
• Adjust license limits
• License management change log
Introduction
When initially configuring your TPAM appliance you need to update the license quantities that were purchased.
This is also needed if additional licenses are purchased at a later date.
The table below describes the different license options for TPAM.
Table 28. License options for TPAM
Field | Description
MaxSystems | Maximum number of systems that can be managed in the Privileged Password Manager module of TPAM. A system is defined as a device that has a unique IP address or unique IP address/port. Soft deleted systems, system templates, and PSM only systems are not included in this count.
MaxUsers | Maximum number of users that can be created in TPAM. All user IDs are included in this count, with the exception of cache user types.
MaxCachedAccounts | The number of accounts that can be assigned to a cache server.
MaxCacheServers | The number of cache servers that can be configured in TPAM.
MaxDesktops | Maximum number of desktops that can be managed in the Privileged Password Manager module of TPAM. If you add and save more desktops in TPAM than the limit set here, available system licenses will be used until that limit is met.
MaxSessions | Maximum number of concurrent sessions, whether they are live sessions or replays.
MaxSPCWSystems | The number of managed systems that can be added under one of the SPCW platforms.
MaxDPAs | The number of DPAs that can be configured in TPAM. The total includes virtual and physical DPAs.
Adjust license limits
System Administrators have the ability to adjust the license limits on the TPAM appliance.
To adjust license limits:
1 Select System Status / Settings | License Management from the menu.
2 Enter a number for the Current Limit for each license needed.
IMPORTANT: Changing license limits has financial implications. License usage will be reviewed with
Dell Software at the time of maintenance renewal.
3 Click the Save Changes button.
License management change log
A record of any changes to the license counts is recorded in a change log. The license management change log
displays server time (UTC).
To view the change log:
1 Select System Status / Settings | License Management from the menu.
2 Click the Change Log tab.
3 Click the Export to Excel or Export to CSV buttons to save the data offline.
24 Login Banner and Message of the Day
• Introduction
• Login banner
• Message of the day
Introduction
The login banner and message of the day are two ways that TPAM system administrators can post information
for users that log on to TPAM. They can be customized to display any text, such as a company policy or legal
warning message.
Login banner
To add/edit a login banner:
1 Select System Status/Settings | Login Banner from the menu.
2 Enter a message.
3 Click the Save Settings button.
Upon logging on to the /tpam, /admin, or /config interface the login banner will be presented to the user as
shown below prior to landing on the home page.
Message of the day
Message of the day is a brief text message that will appear on the home page of the /tpam, /admin, and /config
interfaces. The message of the day can also be added as an optional message body tag in the email notifications
sent by TPAM. The tag for message of the day is :MOTD:. See Configure email notification for more details.
To configure the message of the day:
1 Select System Status/Settings | Message of the Day from the menu.
2 Click the New Message button.
3 Enter a start date for the message.
4 Enter an end date for the message.
5 Enter the message.
6 Click the Save Changes button.
The message of the day is then displayed on the home page of each interface.
25 Net Tools
• Introduction
• The ping utility
• Nslookup utility
• TraceRoute utility
• Telnet test utility
• Route table management
Introduction
To assist the TPAM System Administrator with troubleshooting common network related problems, TPAM
contains network tools that are accessible from the configuration interface. In addition, some specialized
configurations can be made to add or manage static routes.
The ping utility
The ping utility can be used to verify connectivity to remote hosts and measure latency. Many of the optional parameters of the ping command are available; the options are listed on the page with a short description of each.
To use the ping utility:
1 Select Net Tools | Ping from the menu.
2 Enter the IP or Hostname.
3 Select the options desired.
4 Click the Ping button. The results will be displayed.
Nslookup utility
Nslookup is a common TCP/IP tool used to test DNS settings and gather information through DNS resolution. The TPAM nslookup utility uses only the DNS server(s) configured on TPAM; there is no option to specify a different server. It lets TPAM System Administrators resolve hostnames to IP addresses and vice versa.
To use Nslookup:
1 Select Net Tools | Nslookup from the menu.
2 Enter the IP address or Hostname to look up.
3 Click the Lookup button.
TraceRoute utility
The traceroute utility is available for examining network routing and connectivity from TPAM to a remote IP
address or hostname. The use of traceroute is often disallowed by firewalls, routers, and other network security
infrastructure – but if allowed, it can be a valuable diagnostic tool.
To use Traceroute:
1 Select Net Tools | TraceRoute from the menu.
2 Enter the IP or Hostname to trace.
3 Select the -d check box. (Optional)
4 Change the default number of hops and timeout wait. (Optional)
5 Click the Trace button.
Telnet test utility
The Telnet test utility performs a connection test from the appliance to another system on a specific TCP port. It attempts a telnet-style connection to the port, reports whether the connection could be made, and then immediately closes the connection.
To use the Telnet test utility:
1 Select Net Tools | TelnetTest from the menu.
2 Enter the network address, port and timeout period.
3 Click the Trace button.
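The same kind of check as a script, as an added example that is not part of the appliance or the guide: it connects to a host and port with a timeout, records whether the TCP handshake completed, and closes without sending any data. The point a practitioner wants from such a probe is the distinction between a refused connection (host up, port closed) and a timeout (filtered by a firewall, or host down), which a bare pass/fail does not give. The open_local_listener() helper is a constructed fixture so the check can be exercised offline.

```python
"""TCP port reachability check in the spirit of Net Tools | TelnetTest.

Added example; not the appliance's own code. Connects with a timeout, records
the outcome, and closes immediately without sending data.
"""
import socket
import time
from dataclasses import dataclass


@dataclass
class ProbeResult:
    host: str
    port: int
    is_open: bool
    detail: str
    elapsed_ms: float


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Attempt a TCP connection to host:port and close it at once; never sends data."""
    start = time.monotonic()

    def done(is_open: bool, detail: str) -> ProbeResult:
        return ProbeResult(host, port, is_open, detail,
                           (time.monotonic() - start) * 1000.0)

    try:
        # create_connection resolves the name and connects; the with-block closes it
        with socket.create_connection((host, port), timeout=timeout):
            pass
        return done(True, "connected")
    except socket.timeout:
        # no SYN/ACK and no RST: typically a firewall dropping packets, or host down
        return done(False, "timeout after %.1fs (filtered or host down)" % timeout)
    except ConnectionRefusedError:
        # the host answered with RST: it is up, nothing listens on the port
        return done(False, "refused (host up, port closed)")
    except socket.gaierror as exc:
        return done(False, f"name resolution failed: {exc}")
    except OSError as exc:
        return done(False, f"error: {exc}")


def open_local_listener():
    """Constructed test fixture: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    print(tcp_probe("127.0.0.1", port))   # open while the listener exists
    srv.close()
    print(tcp_probe("127.0.0.1", port))   # refused once it is gone
```

A timeout result against a host that answers ping usually means a filtering device between the appliance and the target, which is the case to raise with the network team rather than with the target system's owner.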
Route table management
Several tools are available to manage the routing table on TPAM, if the need arises.
IMPORTANT: It is strongly recommended that the routing tools not be used unless absolutely necessary and
a network engineer is consulted for the proper routes required. Incorrectly defining a route can cause a
communication outage.
To display current routes:
1
Select Net Tools | Show Routes from the menu.
To add a route:
1
Select Net Tools | Add Route from the menu.
2 Enter the IP address of the destination host or network, the proper subnet mask, and the gateway for the new static route.
3 Select the check box to make this route permanent, so that it is retained after a reboot of the appliance.
To delete a route:
1 Select Net Tools | Delete Route from the menu.
2 Enter the IP address of the destination host.
3 Click the Delete Route button.
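The checks a network engineer would make before saving a route, as an added example that is not part of the guide or the appliance. The interface table is a constructed sample. The function verifies that the destination and mask parse, that the gateway sits on a directly attached subnet (otherwise the appliance cannot use the route at all), and that the route neither overlaps an attached subnet nor replaces the default route, since either of those would divert the appliance's own management traffic and cause exactly the outage the warning above describes.

```python
"""Sanity-check a static route before entering it under Net Tools | Add Route.

Added example; not part of the TPAM guide or appliance. INTERFACES is a
constructed sample of an appliance's addresses.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample of the appliance's interfaces: (name, address/prefix).
INTERFACES: List[Tuple[str, str]] = [
    ("primary", "10.20.30.15/24"),
    ("config", "192.168.100.15/24"),
]


def check_route(destination: str, netmask: str, gateway: str,
                interfaces: List[Tuple[str, str]] = INTERFACES) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when the route is safe to add."""
    try:
        # ip_network accepts dotted-decimal masks, e.g. 10.50.0.0/255.255.0.0
        network = ipaddress.ip_network(f"{destination}/{netmask}", strict=False)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return False, f"invalid input: {exc}"

    attached = [(name, ipaddress.ip_interface(addr)) for name, addr in interfaces]

    if network.prefixlen == 0:
        return False, "0.0.0.0/0 replaces the default gateway; set that on the interface instead"

    # The next hop must be reachable without needing another route.
    via = [name for name, iface in attached if gw in iface.network]
    if not via:
        return False, f"gateway {gw} is not on any directly attached subnet"
    if any(gw == iface.ip for _, iface in attached):
        return False, f"gateway {gw} is the appliance's own address"

    # A route overlapping an attached subnet pulls local traffic to the gateway.
    for name, iface in attached:
        if network.overlaps(iface.network):
            return False, f"{network} overlaps the {name} interface subnet {iface.network}"

    return True, f"{network} via {gw} on {via[0]}"


if __name__ == "__main__":
    for args in [("10.50.0.0", "255.255.0.0", "10.20.30.1"),
                 ("10.20.30.0", "255.255.255.128", "10.20.30.1"),
                 ("10.50.0.0", "255.255.0.0", "172.16.0.1")]:
        print(args, "->", check_route(*args))
```

Run the check with the appliance's real primary and /config addresses substituted into the interface table; a rejected route should be taken back to the network engineer rather than forced in.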
26 System Status Page and O/S Patch Status Page
• Introduction
• O/S patch status
• System status page
• System status graphs
• How to create a support bundle
Introduction
The O/S patch status page and the system status page provide important information about the patch level of
the TPAM appliance.
O/S patch status
Patches for the underlying operating system of TPAM are posted in the same manner as software updates and
are applied using the same method. See Apply a software update for details. To view the history of patches
applied to the operating system select System Status/Settings | O/S Patch Status from the menu. The install
date and time displayed is server time (UTC).
System status page
The system status page displays valuable information about the TPAM appliance such as license levels, software
version, build number, serial number, memory and CPU usage.
To view the system status page select System Status/Settings | System Status from the menu.
NOTE: The count of PPM systems defined does not include the two default local appliances.
System status graphs
The system status graphs provide a visual presentation of key statistics for system administrators and technical
support. There are three categories of time series graphs:
• Appliance - appliance or OS information.
• Application - PSM or PPM statistics.
• Cluster - high availability and replication statistics.
There are three possible time frames for the graphs:
• Daily - displays the last day's data, sometimes with the prior day's average for comparison, updated every minute.
• Weekly - displays the last week's data, sometimes with the prior week's average for comparison, updated every 15 minutes.
• Yearly - displays the last year's data, updated every 60 minutes.
When a prior period average is graphed for comparison it is rendered as a dotted line.
To view the graphs select System Status/Settings | System Status from the menu. Click the Graphs tab. The
time displayed on the graphs is server time (UTC).
Select the Auto-refresh check box to refresh the graphs every 60 seconds or click the Refresh Graphs button to
refresh them on demand. You can choose to display Daily, Weekly or Yearly graphs by selecting the check boxes.
The following appliance graphs are available:
Table 29. System Status: Graphs tab Appliance Graphs (graph name - description)
Active Logins - The number of active logins on each of the TPAM web sites (/admin, /config and /tpam).
Database Backup Set Usage - Amount of disk space used by full and incremental backups in the database backup set (varies with the daily backup job and replication activity). When the total size of the incremental backups grows continually over time it indicates that regular full backups are not occurring. The size of the last full backup is also visible.
C: Disk Free - Percentage of the system disk that is free. If free disk space is trending down for long periods of time it may indicate that a problem is occurring.
C: Disk Time - Percentage of time the system disk is busy with read and write activity. If the disk is busy for long periods of time it may indicate that a problem is occurring.
C: Disk Transfer - Read/write throughput for the system disk.
OS CPU Time - Percent utilization of the appliance CPUs by user and system processes. If the appliance CPU is consumed by either type of process for long periods of time it may indicate that a problem is occurring.
OS Paging Activity - Multiple measures of OS low-level virtual memory activity.
OS Memory Utilization - Total amount of memory allocated by the OS versus total amount of free memory. Note that the OS and database will tend to use large amounts of memory for buffer caches.
OS Scheduler Objects - Total number of processes and threads managed by the OS. Also shows the number of processes that are waiting in the run queue. If the number of processes or threads is trending up for long periods of time it may indicate that a problem is occurring. If a large number of processes are waiting in the run queue for long periods of time it indicates that the system is CPU-bound.
Primary/Config Interface Network Utilization - Total amount of traffic sent/received on the network interfaces.
SQL User Connections - Total number of database connections. If the number of database connections is trending up for long periods of time it may indicate that a problem is occurring.
SQL Query Activity - Multiple measures of database activity.
Other SQL Graphs - Multiple views of database server information. Used by TPAM developers and support.
The following application graphs are available:
Table 30. System Status: Graphs tab Application Graphs (graph name - description)
Configured Accounts - Total number of accounts.
Configured Systems - Total number of systems.
Configured Users - Total number of TPAM users.
PSM Active Sessions - Currently active sessions, on both the local console appliance and all DPAs.
PSM Session Requests - Session request activity.
PPM Releases - Password release activity.
PPM Release Requests - Password release request activity.
PPM Pending Queue - Number of PPM checks and changes that are queued. Queues that are constant or growing over time may indicate that a problem is occurring.
PPM Changes - Password change activity. Failures are displayed.
PPM Checks - Password check activity. Mismatched and unreachable system checks are displayed.
How to create a support bundle
In order to troubleshoot issues with your TPAM appliance, Technical Support may ask you to generate a support
bundle. The support bundle includes vital information about the TPAM appliance.
The support bundle is an un-encrypted file but does not contain any sensitive customer data such as passwords,
only information about the appliance itself.
To create a support bundle:
1 Select System Status/Settings | System Status from the menu.
2 Click the Support Bundle tab.
3 Based on your conversation with technical support, select/clear the check boxes in the Optional Items section. Enter a Start and End Date to narrow the results.
4 Click the Create Support Bundle button. Once the bundle is complete it is displayed in the Bundle list.
5 Select the bundle name from the list that you want to download.
6 Click the Download Bundle button.
7 Click the OK button to save the file offline. The zip file can now be emailed to Technical Support.
To delete all bundles click the Delete All Bundles button.
27 Software Updates
• Introduction
• Types of software updates
• Check TPAM current version
• Download a software update from the customer portal
• Apply a software update
• View patch log
• View patch history
Introduction
This chapter covers the process to update your TPAM appliance with the latest software patches provided by
Dell Software.
Product patches are not always cumulative. This means that some product patches must be applied to the
system in order and none can be skipped. The release notes for each product update list the prerequisite
version of TPAM required before the update can be applied to the appliance.
To apply a patch to TPAM perform the following steps:
• Check the current version of TPAM
• Take a backup. See On demand backup
• Download the patch from the Customer Portal
• Stop any applicable agents
• Apply the patch
• Check the Patch Log for errors
• Restart any applicable agents
Types of software updates
There are several different types of software updates that are released for the TPAM appliance.
• Hotfix - a hotfix is a single, cumulative package that includes one or more files that are used to address a problem in the product that cannot wait until the next scheduled upgrade. A hotfix does not increment the software version number.
• Feature Pack - a feature pack is new product functionality that is distributed outside the context of a product release and is typically included in the next scheduled upgrade. The software version number is changed after an upgrade.
• Upgrade - an upgrade is a software package that replaces an installed version of TPAM with a newer version of the product. The software version number is changed after an upgrade.
• OS Patches - patches for the specific purpose of upgrading the underlying TPAM OS. These patches bear the distinct naming convention beginning with TPAM_OS.
• Documentation Patch - these patches update the online documentation available under the Help menu in TPAM.
Check TPAM current version
The current version of the TPAM appliance can be found by clicking on the user menu and selecting About
TPAM.
Download a software update from the
customer portal
To download a software update:
1 Log in to https://hq01.e-dmzsecurity.com/edmzcust. If you have not been issued a login and password to the customer portal, please contact Technical Support.
2 Select Downloads from the main menu.
3 Enter filter criteria to narrow the results of the downloads listed. Click the List Downloads button.
4 Click the File Name of the specific download.
5 Click the File Name link.
6 Click the I Accept button to accept the terms of the Dell Software transaction agreement.
7 Click the OK button to save the file locally.
8 If the patch requires a specific key, click in the License Key field to generate a key for the appropriate serial number. You will need to have this key available to paste during the apply patch process.
Apply a software update
TIP: If the software update you are applying is a software upgrade, which will change the version number
of the software you are running, it is strongly recommended that the appliance have a run level of
"maintenance" before applying the update. By changing the run level users in a session running on the
appliance will be given a warning before their session is terminated. For more details see Change the run
level.
TIP: If the software update you are applying is a major upgrade that takes several minutes to apply, you
may be advised in the release notes to increase the failover timeout on the replica appliances in your
cluster. This will prevent the replicas from failing over during the patch process.
To apply a software update:
1 Log in to the /admin interface.
2 Select Maint | Apply a Patch from the menu.
3 Click the Select File button.
4 Click the Browse button. Select the patch file that you saved locally.
5 Click the Upload button.
6 Paste the key that was generated on the Customer Portal into the Key field.
7 If any options have been provided by Dell, enter them in the Options field, otherwise leave it blank.
8 By default, if you are applying a patch to a primary member of a cluster, the replicas in the cluster are listed and highlighted in the Target Replicas list. Any replica that is deselected will not receive the patch; it can be patched at a later date by logging on directly to the /admin interface of that replica. As long as the software version numbers (excluding the build number) of the primary and the replica still match, the primary will still be able to send data to the replica. We recommend that you contact Technical Support before deciding to deselect any of the replicas on this list.
9 Click the Apply Patch button.
10 To verify the status of the patch installation click the Patch Log tab.
11 To set the log refresh interval, select Refresh Results every X seconds.
View patch log
It is recommended that Patch Log be reviewed after each upgrade to look for errors or other messages that may
require action. The patch log displays time in server time (UTC).
To view the patch log:
1 Log in to the /admin interface.
2 Select Maint | View Patch Log from the menu.
3 Enter your search criteria on the Filter tab.
4 Click the Results tab.
View patch history
Patch history allows you to view a cumulative history of all updates that have been applied to the TPAM
appliance. The patch history results display time in server time (UTC).
To view patch history:
1 Log in to the /admin interface.
2 Select Maint | View Patch History from the menu.
3 Enter your search criteria on the Filter tab.
4 Click the Results tab.
28 Shut Down/Restart the Appliance
• Introduction
• Shutdown appliance
• Restart appliance
Introduction
If the need arises to shut down or restart your appliance, this can be done from the /config or /admin interface.
Shutdown appliance
To shut down the appliance:
1 Select Shutdown from the /config or /admin menu.
2 Clear the Restart? check box.
3 Click the Shutdown button.
4 Click the OK button on the confirmation window.
Restart appliance
To restart the appliance:
1 Select Shutdown from the /config or /admin menu.
2 Make sure the Restart? check box is selected.
3 Click the Shutdown button.
4 Click the OK button on the confirmation window.
29 Restore and Revert
• Introduction
• Restore from a backup
• Apply backup to a cluster
• Revert to factory default
• Revert to restore point
Introduction
In the event of a catastrophic failure a System Administrator can restore the data from an offline backup onto another appliance. Restore is also used in test environments where customers may be testing an upgrade to a new version of TPAM.
IMPORTANT: Applying a restore will stop the automation engine, mail agent, and auto discovery agents.
These will not automatically restart when the restore is complete, even if the auto start check boxes were
selected prior to the restore.
IMPORTANT: Applying the restore will set any non-primary cluster members (replicas, DPAs) to inactive.
Once the restore is complete these will have to manually be set to active on the cluster management
page.
Restore from a backup
IMPORTANT: Do not rename backup files. Doing so will cause the restore to fail.
IMPORTANT: If applying a restore from one appliance to another, verify that the software version of the appliance you are performing the restore on is the same as that of the appliance the backup was taken from. The software version can be found under User Menu | About TPAM.
To restore the data from a backup:
1 First the appliance must have a run level of "maintenance" and a role of "Primary". From the /admin interface select System Status/Setting | Cluster Management.
2 Select the appliance from the cluster member list.
3 Select the Run Level check box.
4 Select Maintenance from the Run level list.
5 Click the Change Run Level button.
6 Click the Continue with Change button. This puts the appliance in maintenance mode.
7 From the /config interface select Restore | Restore Appliance from the menu.
8 Use one of the following methods to select the backup file:
• Select a file from the Online Backup list.
• Select Upload Backup File. Click the Select File button. Click the Browse button and select the file. Click the Upload button.
• Select Retrieve from Archive Server. Select an archive server from the list. Select a file from the archive server.
NOTE: The archive server has to either be a *nix box that allows the "ls -l" command via the archive user, OR, if it is a Windows box, it needs to recognize "ls -l" and treat it like a "dir" command (or have a cygwin or POSIX environment that understands ls).
9 If the backup file has secondary encryption, enter and confirm the password.
10 If any options have been provided by Technical Support enter them in the Options field, otherwise leave it empty.
11 Click the Restore Now button.
12 Click the OK button on the confirmation window.
13 You will be disconnected from the /config interface. Log on to the /admin interface.
14 Select Restore | View Restore Log. The restore log displays results in server time (UTC).
15 Click the Results tab to monitor the progress of the restore. Once the restore is complete, log on to the /admin interface and select System Status/Setting | Cluster Management.
16 Select the appliance from the cluster member list.
17 Select the Run Level check box.
18 Select Operational from the Run level list.
19 Click the Change Run Level button.
20 Click the Continue with Change button. This puts the appliance in operational mode.
Apply backup to a cluster
If your appliances are currently configured in a cluster, with a primary device and one or more replicas, the
backup is applied to the primary device and the data will be replicated to the replicas. During the restore
process any replicas and DPAs enrolled in the cluster will automatically be flagged as Not Active. After the
restore on the primary is complete all these appliances must be flagged as active again so that replication can
begin again.
To apply a backup to a cluster:
1 Follow steps 1 through 20 in the above procedure.
2 On the cluster management page select one of the replicas in the cluster.
3 Select the Appliance Active check box.
4 Select Active from the list.
5 Click the Save button.
6 Repeat steps 2 through 5 for all other appliances enrolled in the cluster, including DPAs.
IMPORTANT: When making the replicas active again after the restore you may initially see the message
that the IP address is not yet registered in the cluster. This is a timing issue and should resolve itself
within a few minutes.
Revert to factory default
Reverting the appliance to the factory default will erase all the data and configuration settings you have
entered since you have received the box. Once the system revert is complete, a monitor and keyboard will have
to be connected to the appliance to start configuration of the appliance from scratch.
IMPORTANT: Do not perform a revert to factory default without the assistance of Dell Software Technical
Support.
NOTE: The appliance must have a run level of Maintenance to allow a system revert.
To perform a system revert:
1 From the /config interface, select Restore | System Revert from the menu.
2 If the appliance is already in maintenance mode, proceed to step 8. To change the appliance to maintenance mode log on to the /admin interface and select System Status/Setting | Cluster Management.
3 Select the appliance from the list.
4 Select the Run Level check box.
5 Select Maintenance from the list.
6 Click the Change Run Level button.
7 Click the Continue with Change button on the confirmation window.
8 Select the Appliance Factory Defaults restore point.
9 Click the Revert button.
10 Click the OK button on the confirmation window.
After the revert is complete a keyboard and monitor must be connected to the appliance and configuration
must start from scratch. Refer to the TPAM Quick Start Guide for instructions.
Revert to restore point
A restore point is a snapshot taken of TPAM at a specific point in time. Restore points are created by TPAM
automatically in two instances:
• Prior to applying specific patches, as indicated in the release notes. If there are issues with the patch after it is applied, reverting to the restore point allows you to roll back as if the patch was never applied.
• Prior to enrolling a replica in a cluster. If the enrollment process has errors the appliance can be reverted to that restore point.
A restore point can be applied to an appliance through the TPAM web interface or through the CLI.
To revert to a restore point using the TPAM web interface:
1 Log on to the /admin interface of the appliance you want to restore.
2 Select System Status/Setting | Cluster Management.
3 Select the appliance from the list.
4 Select the Run Level check box.
5 Select Maintenance from the list.
6 Click the Change Run Level button.
7 Click the Continue with Change button on the confirmation window.
8 Log on to the /config interface of the appliance you want to restore.
9 Select Restore | System Revert from the menu.
10 Select the restore point to revert to.
11 Click the Restore button.
12 Click the OK button on the confirmation window.
IMPORTANT: Restoring an appliance can take some time. If you are unsure whether the restore is still
running check with technical support.
To revert to a restore point using the CLI:
1 Log on to the appliance using the CLI system administrator user ID.
2 Run the ListRestorePoints command to see the snapshots available.
3 Run the Revert command with the sequence number of the selected snapshot.
NOTE: The appliance must be in maintenance mode before the Revert command can be run.
30 Remote Access
• Introduction
• Disable remote access
Introduction
Remote access to the /config interface is enabled by default. When enabled, TPAM allows access to the /config interface through port 8443. To access the /config interface remotely enter https://[IP address]:8443/config.
Disable remote access
To disable remote access:
1 From the /config interface select Remote Access from the menu.
2 Select Disabled from the list.
3 Click the Save Changes button.
31 CLI Commands for the System Administrator
• Introduction
• Command standards
• Commands
Introduction
The TPAM command line interface (CLI) provides a method for authorized system administrators or automated
processes to retrieve information from the TPAM system. Commands must be passed to TPAM via SSH (secure
shell) using an identity key file provided by TPAM. A specific CLI system administrator user ID is also required.
See Add a CLI sys-admin user for more details on creating the user ID. CLI user IDs are case sensitive when
logging on.
SSH software must be installed on any system before it can be used for TPAM CLI access.
Commands accept parameters in the style of --OptionName option value (two dashes precede the option name)
with the exception of the GetStatus command. Existing commands prior to TPAM v2.2.754 still also accept the
comma-separated syntax, so existing scripts do not need to be modified unless you wish to take advantage of
new parameters that have been added to the command in later versions of TPAM.
All commands recognize an option of --Help. This expanded help syntax will show all valid options for each
command, whether the option is required or optional, and a description of the option and allowed values.
Command standards
• Options may be specified in any order in the command.
• Option names are not case sensitive; --SystemName and --systemname are equivalent.
• When the --Help option is used, no other processing takes place. The help text is printed and the command terminates.
• Options marked as "optional" are just that: optional. They do not need to be included in the command line to "save space" for commands that come afterwards.
• Option names may be abbreviated "to uniqueness" for each command. For example, if a command accepts options of --SystemName, --AccountName, and --Description the option names can be abbreviated to --S, --A, and --D, respectively. However, if the options were --AccountName and --AccountDescription they can only be abbreviated to --AccountN and --AccountD.
• Any option value that contains spaces, e.g. --Description or --RequestNotes, must be surrounded with single or double quotes, depending on your command line shell. It is also recommended that you surround the entire command invocation with quotes to prevent the shell from unintentionally stripping desired quotes from your command. Additionally, your shell environment may require escaping extra quotes within your command. The following is an example using Windows cmd.exe:
[...]"UpdateSystem[...]\"System1[...]\"Description for System1\"[...]
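The abbreviation and quoting rules above, together with the maintenance-then-Revert sequence given in the Restore and Revert chapter, as one added example that is not Dell's code and not part of the appliance. It assumes an ssh client on PATH, the identity key file issued by TPAM, and a CLI sys-admin user ID. The option lists are copied from this chapter's command tables and are treated as complete only for this example; the backslash escaping of an embedded double quote is an assumption. Passing the remote command as a single ssh argument, rather than through a local shell, avoids the stripped-quote problem the last bullet warns about.

```python
"""Drive the TPAM CLI over SSH with the chapter's option rules.

Added example; not Dell's code. Assumes ssh on PATH, the TPAM-issued identity
key, and a CLI sys-admin user ID. Option lists are copied from the command
tables in this chapter and treated as complete only here.
"""
import re
import subprocess
from typing import Callable, Dict, List

# Options documented for each command (subset of the chapter's tables).
COMMAND_OPTIONS: Dict[str, List[str]] = {
    "ApplyPatch": ["--PatchName", "--Key", "--Clear", "--Options", "--ExcludeList"],
    "ChangeAdminPassword": ["--UserName", "--Password"],
    "Restore": ["--BackupName", "--Password", "--ArchiveServer", "--NoDB"],
    "Revert": ["--SequenceNumber"],
    "RunLevel": ["--Action", "--ApplianceName", "--RunLevel"],
    "ListRestorePoints": [],
}

# Values made only of these characters are passed without quotes.
_SAFE = re.compile(r"^[A-Za-z0-9_.:/@-]+$")


def resolve_option(command: str, given: str) -> str:
    """Expand an option abbreviated 'to uniqueness'; option names are case-insensitive."""
    matches = [o for o in COMMAND_OPTIONS[command]
               if o.lower().startswith(given.lower())]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"{given}: not an option of {command}")
    raise ValueError(f"{given}: ambiguous, matches {', '.join(matches)}")


def quote_value(value: str) -> str:
    """Double-quote a value containing spaces or other non-alphanumerics."""
    if _SAFE.match(value):
        return value
    return '"' + value.replace('"', '\\"') + '"'   # backslash escape is an assumption


def build_cli(command: str, **opts) -> str:
    """Return the remote command line, e.g. 'RunLevel --Action SET --RunLevel MAINTENANCE'.
    Keyword names may be abbreviated the same way the CLI allows (P=... for --PatchName)."""
    parts = [command]
    for name, value in opts.items():
        full = resolve_option(command, "--" + name)
        if value is True:                      # bare flag such as --Clear or --NoDB
            parts.append(full)
        else:
            parts.append(f"{full} {quote_value(str(value))}")
    return " ".join(parts)


def ssh_argv(host: str, cli_user: str, key_file: str, remote_cmd: str) -> List[str]:
    """argv for ssh. The remote command is one argument, so the local shell never
    re-parses the quotes built above; BatchMode makes ssh fail instead of prompting."""
    return ["ssh", "-i", key_file, "-o", "BatchMode=yes",
            f"{cli_user}@{host}", remote_cmd]


def run_ssh(argv: List[str]) -> str:
    """Execute ssh and return its stdout; a non-zero exit raises CalledProcessError."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def revert_to_restore_point(host: str, cli_user: str, key_file: str,
                            sequence_number: int,
                            runner: Callable[[List[str]], str] = run_ssh) -> List[str]:
    """Set the run level to maintenance (a precondition of Revert), then revert.
    Returns the remote commands issued; runner is injectable for offline checks."""
    steps = [
        build_cli("RunLevel", Action="SET", RunLevel="MAINTENANCE"),
        build_cli("Revert", SequenceNumber=sequence_number),
    ]
    for cmd in steps:
        runner(ssh_argv(host, cli_user, key_file, cmd))
    return steps
```

Resolving abbreviations locally, against the documented option list, turns an ambiguous abbreviation such as --A for RunLevel into an error before anything is sent to the appliance, which matters when the command that follows is a restore or a revert.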
Commands
ApplyPatch --options
Installs a software update. Prerequisite: the patch file must first be uploaded to TPAM via SCP.
Table 31. ApplyPatch options (option name, Req/Opt - description)
--PatchName (Req) - Patch file name. Include the .ZIP extension.
--Key (Req) - The patch key generated for your appliance.
--Clear (Opt*) - Clear the patch log. All other options are ignored if --Clear is used.
--Options (Opt) - Supply these only if instructed by technical support.
--ExcludeList (Opt) - Semicolon-separated list of cluster member appliance names to exclude. The default is to include all cluster member appliances when applied to the primary, and only the local appliance when applied to a replica.
Legacy support:
ApplyPatch PatchName.zip key [/options]
Backup
Schedules a backup to be taken immediately. No parameters.
ChangeAdminPassword --options
Forces a change to the password for the system administrator user listed.
Table 32. ChangeAdminPassword options (option name, Req/Opt - description)
--UserName (Req) - User ID that you want to change the password for. The user cannot be a CLI user.
--Password (Req) - New password for the user ID. If the password contains spaces or other non-alphanumeric characters it must be enclosed in double quotes.
Legacy support:
ChangeAdminPassword UserName Password
CreateSupportBundle
Creates a support bundle. No parameters.
FlushDNS
Attempts to flush the DNS settings on the appliance immediately. Takes no parameters.
ForceFailover
Allows you to force or unforce a failover from the primary to the replica or from the replica to itself.
Table 33. ForceFailover options (option name, Req/Opt - description)
--force (Opt) - Used to force a failover to the replica.
--unforce (Opt) - Used to unforce the failover to the replica.
GetChangeQueue
Returns the current number of pending changes. Takes no parameters.
GetStatus --options
Get information on specified statistics. You must select at least one option to display. Unlike the other commands, GetStatus takes single-dash options.
Table 34. GetStatus options (option name, Req/Opt - description)
-a (Opt) - All information.
-db (Opt) - Database status/state.
-x (Opt) - Resources used: CPU utilization, memory utilization, last reset time of the network adapter.
-p (Opt) - OS patches applied to the system.
-u (Opt) - Appliance uptime.
-i (Opt) - Appliance information.
-h (Opt) - Usage information.
GetTestQueue
Returns the current number of entries in the test queue. No parameters.
ImportIntermediateCert
As of TPAM v2.5.909 this command is now obsolete. This function can be done through the TPAM web interface.
ListBackups --option
Lists available online backup files.
Table 35. ListBackups option (option name, Req/Opt - description)
--ArchiveServer (Opt) - The name of an archive server where backups are stored.
ListRestorePoints
Returns a list of all restore points currently available for revert on the appliance. Takes no parameters.
ListUsers --options
Lists all non-CLI system administrator users defined in TPAM.
Table 36. ListUsers options (option name, Req/Opt - description)
--UserName (Opt) - User name to filter. Use * for wildcard.
--EmailAddress (Opt) - Email address to filter. Use * for wildcard.
--Status (Opt) - Filter for ENABLED, DISABLED, LOCKED, or ALL (default).
--ExternalAuthType (Opt) - Obsolete; replaced by --SecondaryAuthType.
--SecondaryAuthType (Opt) - Filter for SAFEWORD, SECUREID, LDAP, WINAD, RADIUS, DEFENDER, NONE, or ALL (default).
--UserCustom(1-6) (Opt) - Filter based on the contents of the user custom columns. Ignored if the corresponding custom column has not been defined in Global Settings.
--SortOrder (Opt) - Sort results by UserName (default), FirstName, or LastName.
--MaxRows (Opt) - Maximum number of rows to return. The default is 25.
Restore --options
Restore TPAM using the specified backup file.
Table 37. Restore options (option name, Req/Opt - description)
--BackupName (Req) - Name of the backup to restore, including the .ZIP extension.
--Password (Req) - Either the secondary encryption password or the phrase NOPASSWORD. The password is case sensitive. If the password contains spaces or other non-alphanumeric characters it must be surrounded by double quotes.
--ArchiveServer (Opt) - The name of an archive server where backups are stored. The archive server must be
--NoDB (Opt) - Do not pass a value with this parameter, just use --NoDB. Normally the appliance must have a run level of maintenance to perform a restore. If the appliance cannot be put in maintenance mode the --NoDB parameter can be used to override this requirement and perform an emergency restore.
Legacy support:
restore TPAM_YYYYMMDD_HHMMSS.zip[<2 EncryptionPassword>:NOPASSWORD [/nodb]]
Revert --option
Revert the TPAM appliance to a specified restore point.
Table 38. Revert option
Option name       Req/Opt  Description
--SequenceNumber  Req      Valid sequence number of a restore point.
RunLevel --options
Used to display the current run level for an appliance (operational or maintenance) or set the run level for an
appliance.
Table 39. RunLevel options
Option name      Req/Opt  Description
--Action         Opt      Indicate whether to retrieve or set the current run level: GET/SET. If no
                          action is specified GET is assumed. If an action of SET is supplied then
                          --RunLevel must be provided.
--ApplianceName  Opt      If no appliance name is provided then the local appliance is assumed. If an
                          appliance name is provided it must be a TPAM appliance and not a DPA.
--RunLevel       Opt*     Required if --Action is SET. OPERATIONAL/MAINTENANCE
Shutdown --options
Shuts down or reboots the TPAM appliance.
Table 40. Shutdown options
Option name  Req/Opt  Description
--Reboot     Req*     Shut down the appliance and restart it.
--NoReboot   Req*     Shut down the appliance without restarting it.
Legacy support:
Shutdown /R (for reboot)
Shutdown /N (for shutdown)
SSHKey --options
Retrieves system standard keys.
Table 41. SSHKey options
Option name    Req/Opt  Description
--KeyFormat    Opt      Format of the SSH key output: OpenSSH (default) or SecSSH.
--StandardKey  Req*     Name of the system standard key to export.
UnlockAdminUser --option
Unlocks system administrator user IDs. Cannot unlock CLI users.
Table 42. UnlockAdminUser option
Option name  Req/Opt  Description
--UserName   Req      Name of the user to unlock. Cannot unlock CLI users.
Legacy support:
UnlockAdminUser <username>
UpdateAdminUser --options
Modifies an existing system administrator user ID.
Table 43. UpdateAdminUser options
Option name            Req/Opt  Description
--UserName             Opt      User Name. Maximum 30 characters.
--LastName             Opt      Maximum of 30 characters.
--FirstName            Req      Maximum of 30 characters.
--Email                Opt      Maximum of 255 characters. Use !NULL to clear.
--Phone                Opt      Maximum of 30 characters. Use !NULL to clear.
--Mobile               Opt      Maximum of 30 characters. Use !NULL to clear. Also recognizes the value
                                --pager for legacy support.
--Disable              Opt      Whether the user's ID is currently disabled. Y/N. Disabled users cannot log
                                in to the appliance.
--SecondaryAuth        Opt      Secondary authentication system used for user login. Valid values are None
                                (default), SecureID, Safeword, Radius, WinAD, Defender and LDAP.
--SecondaryAuthSystem  Opt      Name of the secondary authentication system of the type indicated in
                                ExternalAuth. Values are defined by the appliance SysAdmin.
--SecondaryUserID      Opt*     User ID to use for secondary authentication. This is required when
                                SecondaryAuth is other than None.
--PrimaryAuthExtra     Opt      The LDAP Primary Authentication Types support an "Extra" UserID. The user
                                logs in using a shorthand value in the PrimaryAuthID, but the data in the
                                PrimaryAuthExtra is used to do the actual authentication against the
                                external system. Use !NULL to clear.
--PrimaryAuthID        Opt*     The User ID to use for primary authentication when a non-local
                                authentication system is used.
--PrimaryAuthType      Opt      The type of the primary authentication system for this user. Current values
                                are Local, LDAP, WinAD, Radius or Defender. When Local is used the
                                PrimaryAuthID, PrimaryAuthExtra and PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem    Opt*     Name of the defined system to use when the PrimaryAuthType is not Local.
                                Systems are defined by the appliance System Administrator.
--CertThumbprint       Opt      The SHA1 or SHA256 thumbprint of the user's certificate. SHA1 thumbprints
                                must be 40 characters long; SHA256 thumbprints must be 64 characters. Both
                                should consist of only numbers and the letters A-F.
--Description          Opt      Maximum of 255 characters. Use !NULL to clear.
--LogonHoursFlag       Opt      Indicates whether the LogonHours value represents allowed or prohibited
                                hours. Valid values are A, P, or N (no restrictions).
--LogonHours           Opt      A listing of up to 4 hour ranges. Times must be expressed in 24-hour format
                                in any of the following forms: 7, 07, 700, 0700, 07:00 (all indicating
                                07:00 AM). Separate multiple ranges with semicolons, e.g.
                                07:00-12:00;18:00-23:59 (7 AM-12 noon and 6 PM-11:59 PM). If the
                                LogonHoursFlag value is N this value is ignored.
--LogonDays            Opt      When Logon Hours are specified you may also specify the days of the week
                                those hours are effective. Specify days with a string of 7 X's (to indicate
                                an "on" day) or periods (for an "off" day) to represent the week from
                                Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun and Sat off. If
                                LogonHours are specified and LogonDays is left empty the default is all days
                                "on", i.e., XXXXXXX.
--LocalTimezone        Opt      The user's local time zone. You may enter any part of the time zone name as
                                long as it is unique in the list, e.g., entering Guam will only find one
                                time zone while entering 02:00 or US will find multiple entries. A value of
                                "Server" indicates that the user is in the same time zone as the server and
                                follows the same DST rules.
--DstFlag              Opt      Obsolete. Users now automatically adjust for DST per the local time zone to
                                which they are assigned.
--Custom1              Opt      Custom user columns, if defined. Use !NULL to clear the value when updating.
--Custom2              Opt      See --Custom1.
--Custom3              Opt      See --Custom1.
--Custom4              Opt      See --Custom1.
--Custom5              Opt      See --Custom1.
--Custom6              Opt      See --Custom1.
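As an added example (not code from this guide or from Dell), the following Python checks the value formats that UpdateAdminUser documents for --LogonHours, --LogonDays and --CertThumbprint before a command is submitted, so a malformed value is rejected locally instead of by the appliance. The day-name table and the folding of lowercase hex to A-F are this example's own assumptions.

```python
import re

# Added example, not from the TPAM guide: pre-flight validation of the
# --LogonHours, --LogonDays and --CertThumbprint values that UpdateAdminUser
# accepts, so a malformed value is caught before the CLI is invoked.
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")  # mask runs Sun-Sat

def normalize_time(tok: str) -> str:
    """Accept 7, 07, 700, 0700 or 07:00 and return canonical HH:MM."""
    tok = tok.strip()
    if ":" in tok:
        hh, mm = tok.split(":", 1)
    elif len(tok) <= 2:            # 7 or 07 -> whole hour
        hh, mm = tok, "00"
    elif len(tok) in (3, 4):       # 700 or 0700 -> H MM / HH MM
        hh, mm = tok[:-2], tok[-2:]
    else:
        raise ValueError(f"bad time token {tok!r}")
    h, m = int(hh), int(mm)        # non-digits raise ValueError here
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"time out of range {tok!r}")
    return f"{h:02d}:{m:02d}"

def normalize_logon_hours(value: str) -> str:
    """Validate 1 to 4 semicolon-separated ranges; return canonical form."""
    ranges = [r for r in value.split(";") if r.strip()]
    if not 1 <= len(ranges) <= 4:
        raise ValueError("LogonHours takes 1 to 4 ranges")
    out = []
    for r in ranges:
        start, end = (normalize_time(t) for t in r.split("-", 1))
        out.append(f"{start}-{end}")
    return ";".join(out)

def logon_days_on(mask: str) -> list:
    """Expand a 7-character X/. mask into the names of the 'on' days."""
    if not re.fullmatch(r"[X.]{7}", mask):
        raise ValueError("LogonDays must be 7 characters of X or .")
    return [d for d, c in zip(DAYS, mask) if c == "X"]

def check_thumbprint(value: str) -> str:
    """SHA1 (40) or SHA256 (64) hex thumbprint; lowercase is folded to A-F
    (assumption: the guide only says digits and A-F are accepted)."""
    v = value.upper()
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", v):
        raise ValueError("thumbprint must be 40 or 64 hex characters")
    return v
```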
UserSSHKey --options
Regenerate or retrieve a key for yourself or others.
IMPORTANT: If regenerating your own key make sure not to overwrite the old key file before the command
has completed.
IMPORTANT: Regenerating a user's key will immediately make their old key invalid. The user will have to
put this new key in place before being able to access TPAM again.
Table 44. UserSSHKey options
Option name   Req/Opt  Description
--UserName    Opt      User name to retrieve. If no user name is supplied your own user name will be used.
                       If retrieving or regenerating a key for a user other than yourself the user must be
                       key based with no TPAM web access.
--KeyType     Opt      Must be CLIA.
--PassPhrase  Opt      Only allowed when regenerating a CLIA key. The passphrase must be at least 5
                       characters long and may be up to 128 characters and contain anything except
                       double quote characters (").
--Regenerate  Opt      Regenerate the key before retrieving. Users without web access must retrieve and
                       regenerate their own keys. Y/N. Default is N.
ViewLog --options
Views the specified log. Only one log may be viewed at a time.
Table 45. ViewLog options
Option name  Req/Opt  Description
--restore    Opt      View the restore log.
--backup     Opt      View the backup log.
--patch      Opt      View the patch log.
32  Relocating/Readdressing an Appliance
• Introduction
• Change a primary's IP address
• Change a replica's IP address
Introduction
If it becomes necessary to relocate and readdress a TPAM primary or replica, follow the instructions below to
ensure a smooth and trouble-free move.
Change a primary’s IP address
To change the primary's IP address:
1. Log on to the config interface of the primary.
2. Select Network Settings | Modify Network Settings from the menu.
3. Enter the new IP Address, Subnet Mask, and Default Gateway. Click the Save Settings button.
   NOTE: These settings take effect immediately, so if you change the IP address, upon clicking the Save
   Settings button your user session will end and you will have to log on to TPAM at the new IP address.
Once the new settings are saved all the other cluster members (replicas and DPAs) will discover the IP address
change through the normal replication updates.
Change a replica's IP address
To change the replica's IP address:
1. Log on to the config interface of the replica that is changing.
2. Select Network Settings | Modify Network Settings from the menu.
3. Enter the new IP Address, Subnet Mask, and Default Gateway. Click the Save Settings button.
   NOTE: These settings take effect immediately, so if you change the IP address, upon clicking the Save
   Settings button your user session will end and you will have to log on to TPAM at the new IP address.
4. Log on to the admin interface of the PRIMARY.
5. Select System Status/Settings | Cluster Management from the menu.
6. Select the replica that is changing in the cluster member list.
7. Select the Network Address check box.
8. Enter the new IP address.
9. Click the Check Address button.
10. If the address is found, click the Save button. This is how all the other cluster members are notified of
    the replica's new address.
    NOTE: When you click Save, you will see a message that the device is not enrolled in the cluster; this
    is a timing issue. Disregard it and refresh the page after a few minutes.
Now all of the cluster members will be able to communicate with the replica at its new address.
33  Kiosk Access
• Introduction
• How to access the kiosk
• Reset the parmaster password
• Restore from a backup
• Revert to a snapshot
Introduction
The kiosk should ONLY be accessed if recommended by Technical support. You will not be able to perform any of
these functions without technical support providing you the keys needed.
The functions available on the kiosk are to be used as a last resort before having to return the appliance if an
issue cannot be fixed over the phone with technical support.
How to access the kiosk
To access the TPAM Kiosk, connect a monitor and keyboard to the TPAM appliance that is already powered on
and connected to your network.
Before contacting support please write down the software version, serial number, config MAC, and Windows
product key displayed on the home page. You will need to give these to support but will not be able to go back
to this screen until the entire process is complete.
Reset the parmaster password
The reset password option resets the parmaster password to factory default.
To reset the password:
1. Click on Reset.
2. Enter your email address and click the Next button.
3. Do not leave this screen until support gives you the keys. If you do, you will have to start the entire
   process over again because a new Nonce identifier is generated every time you land on this page. Enter
   the keys provided to you by technical support and click the Next button.
4. Click the Finish button.
5. Log on to the /admin interface as parmaster with the factory default password. You will be prompted to
   change the password for the parmaster account.
Restore from a backup
All of the online backups will be displayed and the user can select an online backup to restore from.
To restore from a backup:
1. Click on Restore.
2. Enter your email address and click the Next button.
3. Do not leave this screen until support gives you the keys. If you do, you will have to start the entire
   process over again because a new Nonce identifier is generated every time you land on this page. Enter
   the keys provided to you by technical support and click the Next button.
4. Select the backup file you wish to use for the restore. Click the Next button.
5. If you are sure you want to proceed, click the Finish button. The appliance will automatically reboot
   after a successful restore from the backup. Depending on the size of the database the restore process
   may take some time to complete; be patient.
Revert to a snapshot
All of the snapshots will be displayed and the customer can select one to revert to.
To revert to a snapshot:
1. Click on Revert.
2. Enter your email address and click the Next button.
3. Do not leave this screen until support gives you the keys. If you do, you will have to start the entire
   process over again because a new Nonce identifier is generated every time you land on this page. Enter
   the keys provided to you by technical support and click the Next button.
4. Select the snapshot and click the Next button.
5. If you are sure you want to proceed, click the Finish button. The appliance will automatically reboot
   after successfully reverting to the snapshot. Depending on the size of the database the revert process
   may take some time to complete; be patient.
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.
Contacting Dell
Technical Support: Online Support
Product Questions and Sales: (800) 306-9329
Email: [email protected]
Technical Support Resources
Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
https://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the portal provides direct access to product support engineers through an
online Service Request system.
The site enables you to:
• Create, update, and manage Service Requests (cases)
• View Knowledge Base articles
• Engage in community discussions
• Chat with a support engineer