TPAM Administrator Guide

The Privileged Appliance and Modules
(TPAM) 2.5
Administrator Guide
Copyright© 2015 Dell Inc. All rights reserved.
This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc.,
registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or
its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the
Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation.
H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with
permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and
AIX are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide.
Juniper, JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both. MariaDB is a registered
trademark of MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are
registered trademarks of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and
other countries. Nokia is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the
United States and/or other countries. Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS
is a registered trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc.
PROXYSG is a trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered
trademark of Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in
the United States or other countries. UNIX and UNIXWARE are registered trademarks of The Open Group in the United States
and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other
jurisdictions. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks
and names or their products. Dell disclaims any proprietary interest in the marks and names of others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
TPAM Administrator Guide
Updated - November 2015
Software Version - 2.5
TPAM 2.5
Administrator Guide
2
Contents
Privileged Password Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Resource requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Access the privileged password appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Initial Set Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Recommended steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Permission Based Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Message of the day tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Recent activity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Approvals tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Pending reviews tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Current requests tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
User IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Web tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Key based tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Cache tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Time tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Custom information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Template tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Group membership tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Add a web user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Add a user template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Add a user ID using a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Add a CLI user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Add an API user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Regenerate keys for CLI/API users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Duplicate a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Disassociate a user from a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Delete a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Delete a user template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Disable/enable a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Unlock a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Reset user ID password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Manage the paradmin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
List user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Manage your TPAM user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Add a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Duplicate a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Delete a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
List groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Default global groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Permission Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Permission precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Permissions example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Permission types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Add an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Make an access policy inactive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Reactivate an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Duplicate an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Delete an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Rebuild assigned policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Password Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Add a password check profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Add a password change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Delete a password check/change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Assign a password check/change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Custom information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Connection tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Ticket system tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
LDAP schema tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Template tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Account discovery tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Affinity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Add a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Add a system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Add a system using a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Test a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Clear a stored system host entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Duplicate a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Disassociate a system from a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Delete a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Delete a system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
List systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Local appliance systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Custom Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Custom platform Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Add a conversational custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Add a jump box custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Test a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Duplicate a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Delete a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Using custom platforms in TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Batch processing custom platform systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
CLI and API commands for custom platform systems . . . . . . . . . . . . . . . . . . . . . . . . .88
Jump boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Affinity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Add a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Duplicate a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Delete a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
List collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Reviews tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Custom Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Ticket System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Dependents tab (Windows® AD only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Past Password tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Current Password tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
PSM Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Session Authentication tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
File Transfer tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Review Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Add an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Duplicate an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Delete an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Retrieve a password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
List accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
List PSM accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Password current status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Manual password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Managing services in a Windows® domain environment . . . . . . . . . . . . . . . . . . . . . . 126
Add generic account to TPAM for PSM sessions to a user specified Windows account . . . 127
Using Quest Authentication Services with TPAM . . . . . . . . . . . . . . . . . . . . . . . . . .129
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configure QAS integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
How it works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
TPAM Account Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Configure account discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Account discovery profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Add an account discovery profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Delete an account discovery profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Assign an account discovery profile to a system/system template . . . . . . . . . . . . . . . 139
Combine account discovery with auto discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Ticket System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
File History tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Current File tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Add a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Duplicate a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Review file history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Delete a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Retrieve a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
List files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Auto Discovery - LDAP Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
LDAP directory mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Source tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Add an LDAP data source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Add user/system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Add LDAP user/system mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Delete an LDAP system/user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Discover accounts on auto discovered systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Auto Discovery - Generic Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Generic directory mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Source tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
User tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Add a generic system mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Add a generic user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Delete a generic system/user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Application Password Virtual Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Importing the virtual cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Boot the cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Configure network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Enable remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Change setup password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Define remote IP address restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Prepare the cache for enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Add the cache in the TPAM interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Add cache users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Add cache client hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Add cache trusted root certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Add the cache server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
WSDL tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Accounts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Root Certificates tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Hosts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Cache current status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Create a cache team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Remove a cache team member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Alerts for the cache appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Delete a cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
List cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Cache logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Usage examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Batch Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Advanced file settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Import user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Import systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Import accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Import or update collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Import or update groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Add or drop collection members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Add or drop group members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Batch update user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Batch update systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Batch update accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Batch update PSM accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Batch update permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Batch update cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Cancel a batch process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
View batch job history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
PSM Connection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Add a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Delete a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Assign a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Post Session Processing Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Add a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Delete a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Assign a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Privileged Command Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Add a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Commands to assist with authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
TPAM 2.5
Administrator Guide
8
Duplicate a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Delete a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Create access policy with the command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Assign access policy to user or group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Setup requirement for Windows® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Restricted Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
System requirements for restricted commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Add a restricted command profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Assign profile to access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Restricted command account settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Command detection during a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Archive Session Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configure session log archive settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configure session log archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Test the archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
View archive files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
View archive log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Delete a session log archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Clear a stored system host entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Synchronized Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Candidates tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Subscriber status tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Add synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Add subscriber to a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Remove a subscriber from a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . 237
Delete a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Force reset of synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Scheduled Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Enable/disable scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Send scheduled reports to archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Subscribe/unsubscribe to scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Add/remove additional recipients to scheduled reports . . . . . . . . . . . . . . . . . . . . . . 241
View scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Resubmit scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Data Extracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Configure data extracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Customize data extract dataset file names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
TPAM CLI IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Add a TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Connect PSM account to TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Delete a TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Password Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Request a password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
View submitted password requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Access the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Cancel/expire a password request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Approve/Deny Password Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Approve/deny password request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Review a Password Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Review status definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Review a password release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Provisional ticket validation on a password release . . . . . . . . . . . . . . . . . . . . . . . . . 260
Session Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Request a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
View submitted session requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Cancel/expire a session request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Approve/Deny Session Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Approve/deny session request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Start a Remote Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Client requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Start a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
File transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
End a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Session playback controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Meta data window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Replay a session log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Add a bookmark to a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
View bookmarks/captured events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Jump to a bookmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Jump to an event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Monitor a live session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Terminate a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Review a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Review status definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Review a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Provisional ticket validation on a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
File Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Request a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
View submitted file requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Access the file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Cancel/expire a file request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Approve/Deny File Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Approve/deny file request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
On Demand Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Report time zone options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Run a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Report descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Network Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
The ping utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Nslookup utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
TraceRoute utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Telnet test utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Display routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Command standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Application Programming Interface (API) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
C++ library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
.NET library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
PERL library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Java® library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
C++ examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
.NET examples (C#) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Configuration for Capturing Events on Windows® Systems . . . . . . . . . . . . . . . . . . .357
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
General j-Interop requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Summary of common problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Firewall related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Explicitly opening DCOM ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Dynamically opening DCOM ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Remote registry related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Local security policy related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
User account control (UAC) related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Registry key related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Operating systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Windows® event requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Appliance Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
About Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
Contacting Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Technical Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
1 Privileged Password Management Overview
• Introduction
• Resource requirements
• Access the privileged password appliance
Introduction
TPAM is a robust collection of integrated modular technologies designed specifically to meet the complex and
growing compliance and security requirements associated with privileged identity management and privileged
access control.
NOTE: This guide explains the core functionality available in TPAM regardless of which product licenses have
been applied.
Privileged Password Manager
The Privileged Password Manager (PPM) module provides secure control of administrative accounts. TPAM
is a repository where these account passwords are stored until needed, and released only to authorized
persons. Based on configurable parameters, the PPM module will automatically update these passwords.
Privileged Session Manager
The Privileged Session Manager (PSM) module provides a secure method of connecting to remote systems while
recording all session activity to a session log file that can be replayed later. All connections to remote
systems are proxied through the Privileged Account Management (TPAM) appliance, ensuring a single, secure
access point.
The TPAM appliance has several methods of access:
• Configuration interface (HTTPS via direct connection, with network option)
• Administrative interface (HTTPS via network access)
• User interface (HTTPS via network access)
• Admin CLI (SSH via network access)
• User CLI (SSH via network access)
• User API (SSH client application via network access)
All data stored in TPAM is encrypted both at rest and in transit. Because of the sensitivity of the data it
contains, careful attention has been paid to the security and audit capabilities of the appliance.
To support this level of security, TPAM is designed to enforce segregation of duties and dual control.
Segregation of duties is accomplished through permission-based authorization. Dual control is accomplished by
optionally requiring multiple pre-defined individuals to be involved in the connection to a system.
Resource requirements
One IP address is required for each TPAM appliance in a cluster. The 1U hardware design provides a small
footprint for the device and requires minimal rack space.
Access the privileged password appliance
To access TPAM, point the browser to TPAM’s IP address or FQDN followed by /tpam. For example, if the IP
address for the appliance has been configured as 192.168.1.100, the URL would be
https://192.168.1.100/tpam/. The initial TPAM administrator account is paradmin and the initial password is
provided with your licensing information.
Connectivity
To communicate with TPAM and successfully initiate a session, your computer must be able to pass traffic on
ports 443 (HTTPS), 8000, and 22 (SSH).
If TPAM will be accessed via Microsoft® Internet Explorer® (IE), there is one important setting to verify or
change in the IE configuration:
Pop-up blocker
When the /tpam website is accessed, the initial browser window is closed and a new window opens without menu
or title bars. Browsers configured to block pop-ups often interpret this as a pop-up, and the page will not
display. Be sure to add the TPAM URL to the list of allowed pop-ups. If your desktop environment does not allow
pop-up blockers to be disabled, this behavior can be disabled by the system administrator with a global setting
in the /admin interface.
2 Initial Set Up
• Introduction
• Recommended steps
Introduction
This chapter covers the recommended steps for the initial setup of the TPAM appliance in the /tpam interface.
Before proceeding, configuration of the /config and /admin interfaces should be completed. See the System
Administrator Guide for details. The order of the information presented in this manual reflects the
recommended steps outlined below.
Recommended steps
To configure the /tpam interface:
1 Log in to the /tpam interface with the paradmin user ID.
2 Add a CLI user ID with a user type of administrator. Download and store the key outside of the appliance.
See Add a CLI user ID for details.
3 Create password check and change profiles. See Password Profiles.
4 Create password rules. See the TPAM System Administrator Guide.
5 If LDAP or Generic Integration will be utilized, add the necessary system and user templates. See Add a
system template and Add a user template.
6 Outline the desired groups within LDAP that will be used to create TPAM groups for assigning permissions.
With those groups, add LDAP mappings to create the groups and provision the users. See .
7 If Auto Discovery is not utilized, load TPAM users through Import user IDs.
8 Configure any Cache servers. See Add the cache in the TPAM interface.
9 Outline the desired OUs within LDAP that will be used to create TPAM Collections and provision systems.
With those OUs, add LDAP mappings to create the collections and provision the systems.
NOTE: The system template can be used to add accounts as well.
10 If Auto Discovery is not used, load the systems to be managed through Import systems or Add a system.
See the Client Set Up Guide for details on configuring specific platforms.
11 If desired, add any files to be managed. See Add a file.
12 If Cache servers and/or DPAs were purchased, make the affinity assignments at the system level. See
Affinity tab.
13 For any accounts that were not provisioned using the auto-discovery process for adding systems, load the
accounts in TPAM through Import accounts.
14 To utilize collections (buckets of systems, accounts and/or files) other than the ones created using
auto-discovery, add collections and then load collection membership. See Add a collection and Add or drop
collection members.
15 To utilize groups (buckets of users) other than the ones created using auto-discovery, add groups and
then load group membership. See Add a group and Add or drop group members.
16 See Permissions tab to add the permissions desired to allow the group access to the collections or to
individual systems.
17 If Privileged Session Manager (PSM) was purchased and Privileged Command Manager (PCM) will be used,
configure PCM Commands. See Add a command.
18 Create any custom Access Policies. See Add an access policy.
19 Update permissions with access policy assignment. See Batch update permissions.
20 If a PSM customer, add any PSM Connection Profiles and Post Session Processing Profiles. See Add a PSM
connection profile and Add a post session processing profile.
NOTE: In the admin interface the Post Processing Agent must be started for post session profiles to
take effect.
21 If a PSM customer, see Batch update PSM accounts to update the PSM permissions for accounts.
22 If a PSM customer, see Configure session log archive settings and Configure session log archive server to
configure retention settings for session logs.
23 Configure the Batch Report subscriptions and recipients. See Enable/disable scheduled reports.
24 Configure the Data Extract schedule and data sets. See Configure data extracts.
25 (Optional) Configure Synchronized Passwords. See Add synchronized password.
26 (Optional) Configure TPAM CLI IDs. See Add a TPAM CLI ID.
3 Permission Based Home Page
• Introduction
• Message of the day tab
• Recent activity tab
• Approvals tab
• Pending reviews tab
• Current requests tab
Introduction
Your home page is based on the user type and permissions assigned to your user ID in the TPAM application.
Return to the home page from anywhere in the TPAM application by clicking the home icon located on the far
left side of the menu ribbon.
Message of the day tab
The first tab that displays is the default message of the day, which is configured through the admin interface.
Click the links to immediately make a session, password, or file request, or to approve any pending requests.
Recent activity tab
The recent activity tab shows all your activity in TPAM for the last 7 days.
Approvals tab
The Approvals tab displays any requests (Password, File or Session) that require approval. After they are
approved or denied, the request remains on this list until the release duration expires. Clicking the
request ID opens the appropriate Request Approval Detail tab to approve or deny the request. To use the
auto-refresh option, select the box and type the number of minutes between window refreshes.
Pending reviews tab
Eligible reviewers for password releases or sessions see the Pending Reviews tab on the home page. Any
password releases or sessions that are pending review are listed on this tab. Clicking the request ID opens the
Password Release Review Details or Session Review Details tab. To use the auto-refresh option, select the box
and type the number of minutes between window refreshes.
Current requests tab
The Current Requests tab displays any request (Password, File or Session) that you have made. The requests stay
visible on this tab until the release duration expires. Clicking on the Request ID link opens the Session, Password
or File Request Management tabs to view details on a request.
4 User IDs
• Introduction
• Add a web user ID
• Add a user template
• Add a user ID using a template
• Add a CLI user ID
• Add an API user ID
• Regenerate keys for CLI/API users
• Duplicate a user ID
• Disassociate a user from a template
• Delete a user ID
• Delete a user template
• Disable/enable a user ID
• Unlock a user ID
• Reset user ID password
• Manage the paradmin user ID
• List user IDs
• Manage your TPAM user ID
Introduction
This chapter covers adding and managing TPAM user IDs.
To add and manage user IDs, information is entered on the following tabs in the TPAM interface:
Table 1. Management: TPAM interface tabs (Tab name: Description)
Details: Define main information, such as name, contact information, and user type.
Details/Web: Configure access and authentication methods.
Details/Key Based: Define the key-based authentication method.
Details/Cache: For cache users only, generate or upload the user’s certificate.
Details/Time: Define time zone and access times.
Details/Custom Information: Custom boxes available for use.
Template: Used to save user ID settings as a template.
Group Membership: Assign group membership.
Permissions: Assign access policies for systems, accounts, and/or files for this user.
Details tab
The table below explains all of the box options available on the Details tab.
Table 2. User Management: Details tab options (Element (Required?; Default): Description)
User Name (Required: Yes): The user’s login ID. User names may be a maximum of 30 characters long. The
following special characters are allowed in the user name: `~#%&(){}.!'
User Disabled? (Required: No; Default: Off): If selected, the user cannot access TPAM.
Last Name (Required: Yes): Last name of the user.
First Name (Required: Yes): First name of the user.
Phone Number (Required: No): Phone number associated with the user ID in TPAM.
Mobile Number (Required: No): Mobile number associated with the user ID in TPAM.
Email Address (Required: No): The email address that TPAM will use for email notifications. To associate
multiple email addresses with the user, separate them with a semicolon and no spaces. An alias name can also
be designated for the email (this name is displayed in the To: box). Example:
John Doe<[email protected];[email protected]>,…
To create an alias, type it as: alias<email-address-1;email-address-2>. Double quotes may be required to
include spaces in email addresses.
Description (Required: No): The description box may be used to provide additional details about the user.
User Type (Required: Yes; Default: Basic): Select the user type. Available choices are:
• Basic: If selected, the user can be a requestor, approver, reviewer, privileged access, denied or ISA, but
does not have any administrator privileges.
• Administrator: If selected, this user account has Administrator privileges to the TPAM interface. The
administrator is the most powerful user type for the TPAM user interface. This user type can create and
delete systems, users, groups, and collections. The administrator user type may also assign access policies
to any user, including themselves. An administrator may view all reports. It is recommended that this user
type be assigned carefully. The administrator may not delete or disable their own user ID.
• Auditor: If selected, this user has Auditor privileges in TPAM. Auditor is a special user type that may
view reports, systems, and users, but may not request or approve passwords, files and sessions or modify any
data. Auditors may also review completed password and session requests. At this time Auditors cannot view
the keystroke log for a session.
• User Administrator: If selected, this user has the authority to manage Basic user types. User
Administrators may disable and enable users, unlock user accounts, and update account information. The User
Administrator does not have the ability to add users to groups or modify permissions. CLI/API user accounts
cannot be managed by a User Administrator.
• Cache User: If selected, this user can only retrieve passwords through an assigned Cache server and cannot
log in to TPAM. A security certificate must be loaded for each Cache user. If using a user-supplied
certificate, the customer may also have to provide the certificate password, depending on the format of the
certificate being uploaded.
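The Email Address value described in Table 2 (comma-separated entries, semicolon-separated addresses, optional alias<...>) as an added example that is not part of this guide: a small Python validator an administrator can run over a recipient value before entering it, so that notifications for releases and approvals do not silently go to a malformed address. The exact grammar beyond what the table states, the treatment of double quotes, and every sample address are assumptions.

```python
"""Parse a TPAM-style Email Address value into (alias, addresses) pairs.

Added example, not TPAM code. Assumptions (not stated by the guide beyond
the Email Address row): entries are separated by commas; an entry is either
a bare address list or alias<addr1;addr2;...>; addresses within an entry are
separated by ';' with no spaces; double quotes may wrap an address whose
local part contains spaces. All sample addresses are constructed.
"""
import re
from typing import List, Optional, Tuple

Entry = Tuple[Optional[str], List[str]]


def _split_outside(text: str, sep: str) -> List[str]:
    """Split on sep, but not inside <...> or inside double quotes."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "<":
                depth += 1
            elif ch == ">":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(buf))
                buf = []
                continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def is_valid_address(addr: str) -> bool:
    """Minimal sanity check: exactly one '@' split, non-empty local part,
    dotted domain, and no separator or quote characters left over.
    Spaces are tolerated only in the local part (they were quoted)."""
    local, at, domain = addr.rpartition("@")
    if at != "@" or not local or not domain:
        return False
    if "." not in domain or any(c in domain for c in ' \t;,<>"'):
        return False
    return not any(c in local for c in ';,<>"')


def parse_entry(entry: str) -> Entry:
    """Return (alias, addresses) for one entry; alias is None when absent.
    Raises ValueError for an entry with no or malformed addresses."""
    m = re.fullmatch(r"(.*?)<(.*)>", entry.strip(), re.DOTALL)
    if m:
        alias, body = m.group(1).strip() or None, m.group(2)
    else:
        alias, body = None, entry
    # Quotes only protect spaces during splitting; drop them afterwards.
    addrs = [a.replace('"', "") for a in _split_outside(body, ";")]
    if not addrs:
        raise ValueError("entry has no addresses: %r" % entry)
    for a in addrs:
        if not is_valid_address(a):
            raise ValueError("invalid address %r in entry %r" % (a, entry))
    return alias, addrs


def parse_recipients(value: str) -> List[Entry]:
    """Parse a whole field value, e.g.
    'John Doe<jdoe@example.com;jdoe@example.org>,ops@example.com'."""
    return [parse_entry(e) for e in _split_outside(value, ",")]


if __name__ == "__main__":
    # Constructed sample value for a quick manual run.
    for alias, addrs in parse_recipients(
            'John Doe<jdoe@example.com;jdoe@example.org>, ops@example.com'):
        print(alias, addrs)
```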
Web tab
The table below explains all of the box options available on the Web tab:
Table 3. User Management: Details Web tab options (Field (Required?; Default): Description)
Allow this user to access TPAM from a Mobile Device? (Required: No; Default: Off): If selected, users can make
requests, deny or approve requests, and review password releases and sessions by using their personal mobile
device (Blackberry®, iPhone®). User administrator and cache user types may not access TPAM via a mobile
device.
Allow WEB Access? (Required: No; Default: On): If selected, the user can access TPAM via the web.
NOTE: Allowing web access is permanent once saved. The only way to remove web access for the user ID is to
delete the user and add the user back.
Password/Confirm Password (Required: No): Enter/confirm a password for the user account. If left blank, a
random password is generated by the TPAM system. The TPAM default password rule configured by the System
Administrator is used for these passwords.
Certificate Thumbprint (Required: No): For users who authenticate using a client certificate, the
certificate’s SHA1 or SHA2 thumbprint should be entered here. This option does not appear unless Certificate
is selected as the primary user authentication type.
Primary User Authentication (Required: Yes; Default: Local): If selected, the user can use primary
authentication to authenticate. The primary authentication user ID cannot be the same as any other user’s TPAM
user name or primary authentication ID. Available choices are:
• Certificate - Users authenticate using a client certificate.
• Local - TPAM
• Windows Active Directory® - WinAD is configured in the admin interface as an external source of
authentication. The Windows® AD primary user ID must always be in user principal name (UPN) format, allowing
the use of multiple domains. The primary authentication ID cannot be the same as any other user’s User Name or
primary ID.
• LDAP - LDAP is configured in the admin interface as an external source of authentication. Users can type a
shortened version of their LDAP user ID that expands to the full LDAP user ID for authentication.
• Radius - Radius is configured in the admin interface as an external source of authentication.
• Defender - Defender is configured in the admin interface as an external source of authentication.
Secondary User Authentication (Required: No; Default: None): If the user is using secondary authentication,
select the type and source and enter their user ID here. Choices of secondary authentication are:
• None
• Safeword
• SecurID
• LDAP
• Radius
• WinAD
• Defender
TPAM 2.5
Administrator Guide
23
Key based tab
The table below explains all of the box options available on the Key Based tab:
Table 4. User Management: Details Key Based tab options

CLI
If selected, the user can access TPAM via the command line interface (CLI).
Required: No. Default: Off.

API
If selected, the user can access TPAM via the API.
Required: No. Default: Off.

CLI Key Passphrase
Only applies to CLI users. This is an optional pass phrase to encrypt the user’s private key. The phrase is case sensitive, up to 128 characters, and does not allow double quotes (“). The phrase is not stored and cannot be retrieved after the key is generated. Remember to give the pass phrase to the CLI user along with their private key file.
NOTE: If the CLI user ID and key are going to be used in any type of scripting or automation, be aware that any time a CLI key with a passphrase is used the passphrase must be typed by the user via the keyboard. Passphrase entry via any type of scripting is not allowed for DSS keys.
Required: No.

Restricted IP Address
Only applies to CLI/API users. If an address is specified, the user may only access TPAM from this address. More than one IP address may be specified by separating each with a comma – up to a limit of 100 characters for the entire string. The use of wildcards is also permitted to specify a complete network segment, for example 10.14.10.*
Since a CLI/API user cannot be disabled with a check box, this box can be used to temporarily disable the user’s access by setting the value to an invalid IP address such as “disabled”.
Required: No.
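As an added illustration (not TPAM code), the following Python shows how a Restricted IP Address string following the rules above can be checked and evaluated against a client address: comma-separated entries, a trailing wildcard for a network segment such as 10.14.10.*, the 100-character limit, and the effect of an invalid value such as “disabled”. The function names and the sample strings are assumptions made for this example.

```python
"""Added example (not TPAM code): validate and evaluate a TPAM-style
"Restricted IP Address" field for a CLI/API user. Rules taken from the Key
Based tab: a comma-separated list, at most 100 characters in total, with a
trailing '*' wildcard allowed for a whole network segment (e.g. 10.14.10.*).
An entry that is not an address or wildcard, such as the word "disabled",
matches no client, which is the "temporarily disable the user" trick."""
import ipaddress
import re

MAX_RESTRICTION_LEN = 100  # limit stated on the Key Based tab

# One to three leading octets followed by ".*" (10.*, 10.14.*, 10.14.10.*).
_WILDCARD_RE = re.compile(r"^(\d{1,3})(\.\d{1,3}){0,2}\.\*$")


def _octets_in_range(pattern: str) -> bool:
    """Reject wildcard patterns such as 10.14.300.* that look valid to the regex."""
    return all(0 <= int(o) <= 255 for o in pattern.split(".") if o != "*")


def parse_restriction(value: str) -> tuple[list[str], list[str]]:
    """Split the field into (valid_entries, invalid_entries).

    Raises ValueError when the whole string exceeds the 100-character limit,
    mirroring the constraint on the field itself.
    """
    if len(value) > MAX_RESTRICTION_LEN:
        raise ValueError(f"restriction string longer than {MAX_RESTRICTION_LEN} characters")
    valid: list[str] = []
    invalid: list[str] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separators
        if _WILDCARD_RE.match(entry) and _octets_in_range(entry):
            valid.append(entry)
            continue
        try:
            ipaddress.IPv4Address(entry)  # an exact host address
            valid.append(entry)
        except ValueError:
            invalid.append(entry)  # e.g. "disabled": matches nothing
    return valid, invalid


def client_allowed(client_ip: str, restriction: str) -> bool:
    """True when the client address is permitted by the restriction field.

    An empty field means no restriction (the default). A field whose entries
    are all invalid, such as "disabled", blocks every client.
    """
    if not restriction.strip():
        return True
    addr = ipaddress.IPv4Address(client_ip)
    valid, _invalid = parse_restriction(restriction)
    for entry in valid:
        if entry.endswith(".*"):
            prefix = entry[:-1]  # keep the trailing dot: "10.14.10."
            if str(addr).startswith(prefix):
                return True
        elif ipaddress.IPv4Address(entry) == addr:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for field in ("10.14.10.*", "10.14.10.*, 192.0.2.10", "disabled", ""):
        print(f"{field!r:28} -> 10.14.10.77 allowed: {client_allowed('10.14.10.77', field)}")
```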
Cache tab
The Cache tab is only enabled when a user type of cache user is selected. For more details on cache users see Add cache users.
The table below explains all of the box options available on the Cache tab:
Table 5. User Management: Details Cache tab options

Certificate Type
A security certificate must be loaded for the cache user. If User-Supplied is selected, the certificate is loaded by clicking the Select File button. If Created by TPAM is selected, the certificate is generated by clicking the Download the TPAM Root Certificate button.
Required: Yes. Default: User-Supplied.

Password / Confirm Password
If uploading a PKCS12 file or generating a certificate, a password must be supplied.
Required: No.
Time tab
The Time tab allows administrators and user administrators to set a user’s local time zone. This tab is not enabled for Cache, CLI and API users.
NOTE: The TPAM server is always at UTC time and never uses daylight savings time.
The table below explains all of the box options available on the User ID Time tab:
Table 6. User Management: Details Time tab options

User Timezone
Select a local time zone for the user.
NOTE: If the user is in a time zone that follows DST, TPAM will automatically adjust the time for them.
Required: Yes. Default: the default user timezone global setting value.

Time Based System Access
Choices are:
• No Restriction - if selected, the user can access TPAM at any time/day.
• Allow - To limit a user’s access to TPAM, select the Allow button, select days of the week and enter up to 4 time ranges. Multiple ranges must be separated by semi-colons. The ranges must be entered using 24-hour times with a hyphen between start and end times.
• Prohibit - To restrict a user’s access to TPAM, select the Prohibit button, select days of the week and enter up to 4 time ranges. The ranges must be entered using 24-hour times with a hyphen between start and end times.
Required: Yes. Default: No Restrictions.
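The following added Python example (not part of TPAM or this guide) shows how an Allow or Prohibit rule of the shape described above evaluates: up to 4 semicolon-separated 24-hour ranges, a set of weekdays, and conversion of the server’s UTC clock into the user’s local time. The rule representation, function names, sample rule and timestamps are assumptions made for this example; using the user’s IANA zone name lets the standard library apply DST, as the NOTE above says TPAM does.

```python
"""Added example (not TPAM code): evaluate a Time Based System Access rule as
described on the Time tab. Assumed representation: a mode ("No Restriction",
"Allow" or "Prohibit"), selected weekdays, and up to 4 ranges written as
24-hour times with a hyphen and separated by semicolons, e.g.
"08:00-12:00;13:00-17:30". The server clock is UTC; the rule is checked in
the user's local time."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
import re
import zoneinfo

MAX_RANGES = 4  # limit stated on the Time tab
_RANGE_RE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def parse_ranges(text: str) -> list[tuple[time, time]]:
    """Turn "08:00-12:00;13:00-17:30" into [(time, time), ...].

    Rejects more than 4 ranges, malformed entries, impossible clock values
    (time() raises on 25:00) and ranges whose end is not after the start.
    """
    ranges: list[tuple[time, time]] = []
    for part in (p.strip() for p in text.split(";") if p.strip()):
        m = _RANGE_RE.match(part)
        if not m:
            raise ValueError(f"bad time range: {part!r}")
        sh, sm, eh, em = (int(x) for x in m.groups())
        start, end = time(sh, sm), time(eh, em)
        if end <= start:
            raise ValueError(f"end must be after start: {part!r}")
        ranges.append((start, end))
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"at most {MAX_RANGES} ranges are allowed")
    return ranges


@dataclass(frozen=True)
class AccessRule:
    mode: str                              # "No Restriction", "Allow" or "Prohibit"
    days: frozenset[int]                   # weekday numbers, Monday=0 .. Sunday=6
    ranges: tuple[tuple[time, time], ...]  # parsed from the semicolon-separated field
    tz: tzinfo                             # the user's local time zone

    def in_window(self, local: datetime) -> bool:
        """True when a local timestamp falls on a selected day inside a range."""
        if local.weekday() not in self.days:
            return False
        t = local.time()
        return any(start <= t < end for start, end in self.ranges)

    def permits(self, utc_now: datetime) -> bool:
        """Decide access for a UTC timestamp (TPAM server time)."""
        if self.mode == "No Restriction":
            return True
        inside = self.in_window(utc_now.astimezone(self.tz))
        if self.mode == "Allow":
            return inside       # access only inside the entered windows
        if self.mode == "Prohibit":
            return not inside   # access everywhere except the windows
        raise ValueError(f"unknown mode {self.mode!r}")


def make_rule(mode: str, days, ranges_text: str, zone) -> AccessRule:
    """Build a rule. zone is an IANA name such as "America/New_York" (DST is
    then handled by zoneinfo) or a fixed UTC offset in hours (needs no tzdata)."""
    tz = zoneinfo.ZoneInfo(zone) if isinstance(zone, str) else timezone(timedelta(hours=zone))
    return AccessRule(mode, frozenset(days), tuple(parse_ranges(ranges_text)), tz)


def permits_at(rule: AccessRule, iso_utc: str) -> bool:
    """Evaluate a rule for an ISO 8601 UTC timestamp, e.g. "2015-06-03T14:30:00+00:00"."""
    at = datetime.fromisoformat(iso_utc)
    if at.tzinfo is None:
        at = at.replace(tzinfo=timezone.utc)  # treat naive input as server (UTC) time
    return rule.permits(at)


if __name__ == "__main__":
    # Constructed sample: office hours, Monday to Friday, user four hours behind UTC.
    rule = make_rule("Allow", range(0, 5), "08:00-12:00;13:00-17:00", -4)
    for stamp in ("2015-06-03T14:30:00+00:00", "2015-06-03T16:30:00+00:00"):
        print(stamp, "->", "allowed" if permits_at(rule, stamp) else "denied")
```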
Custom information tab
There are six custom boxes that can be used to track information about each user. These custom boxes are
enabled and configured by the System Administrator in the /admin interface. If these boxes have not been
enabled the Custom Information tab will not be visible.
Template tab
The template tab is used to save all the settings for a user ID as a template. Templates may be used to quickly
create new users with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. User templates do not store a default password. Only TPAM
Administrators and ISAs may use templates.
The table below explains all of the box options available on the User ID Template tab:
Table 7. User Management: Details Template tab options

Create a Template from this User
Selecting this flag saves the values for this user ID as a User Template.
Required: No. Default: Off.

Use this as the default template
If selected, this template is used when adding new user IDs unless another template is chosen with the Use Template button. Only one template can be designated as the “Default” at a time. Only a template with a user type of Basic and user interface of Web can be used as a default template. If a template is designated as the “Default” it is listed in green italics on the Manage UserIDs listing.
Required: No. Default: Off.

Retain Group Membership in the template
If selected, TPAM creates the template with all the group memberships currently defined on this user. User IDs created from this template will have the same group memberships.
Required: No. Default: Off.

Retain Permissions in the template
If selected, TPAM creates the template with all the system and collection permissions (Access Policy assignments) currently defined for the user. User IDs created from this template will have the same permissions.
NOTE: If this user ID is a member of an AD Integration Group, that membership is not transferred to the template and subsequent users.
Required: No. Default: Off.
Group membership tab
A group is a container of users, which can share common permissions. The group membership tab is used to
assign users to groups.
NOTE: If a group is tied to either AD or Generic Integration the user’s membership status in that group
cannot be changed.
The table below explains all of the box options available on the User ID Group Membership tab:
Table 8. User Management: Group Membership tab options

Name
The name of the group. Clicking on the name opens the group management listing tab.
Required: No.

Membership Status
To modify group membership, simply click the Not Assigned or Assigned buttons next to each collection name and click the Save Changes button. Pressing the Ctrl key and clicking on any Assigned or Unassigned option will set all the rows in that column to the same value.
NOTE: If the System Administrator has disabled Global Groups in the admin interface the groups will not be visible in this listing.
Required: No. Default: Not Assigned.
Permissions tab
The permissions tab is used to assign systems, accounts, files and/or collections an access policy for this user.
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the system/s, account/s, file/s and/or collection/s to which the selected access policy is to be assigned.
2 Select an access policy from the Access Policy list in the access policy details pane, located in the right upper side of the results tab. Selecting an access policy on the list displays the detailed permissions describing this access policy on the rows below.
3 Select one of the icons in the access policy details pane (right upper side of page) to make the assignment.
Table 9. Access policy details pane icons (actions, in the order the icons appear)
• Refreshes the list of Access Policies.
• Scrolls the currently selected row into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. Confirmation of the assignment is required if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. Confirmation of the assignment is required if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
An edit indicator icon next to any row on the list simply means that row has been edited since the last save changes occurred.
Pressing the SHIFT key and left clicking the mouse can be used to select a range of rows. The first row clicked will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and current row to be highlighted.
4 When finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: The results list can be re-filtered and re-retrieved without losing existing edits. As the Results tab is reloaded any systems, accounts, files, or collections that have already been edited reflect their edited policy assignment. When the Save Changes button is clicked all the Access Policy assignment changes for the user are saved. The appliance saves these in batches, reporting the number of assignments added, removed, or changed for each batch.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a new tab or window.
Add a web user ID
When adding a user ID in TPAM, information is entered on the following tabs to configure the user:
• Details
• Details/Web
• Details/Time
• Details/Custom
• Template
• Group Membership
• Permissions
The following procedure describes the steps to add a user ID.
To add a new web user ID:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 To set time zone and access rules, click the Time tab and make changes. For more details see Time tab. (Optional)
5 To enter custom information, click the Custom Information tab. For more details see Custom information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
9 Click the Save Changes button.
Add a user template
NOTE: Any templates used by LDAP or generic integration and have a WinAD primary authentication type,
the primary user ID must be empty, or one of the following values: UPN, UserPrimaryName or
SAMAccountName.
If any external authentication is set the external user ID must still be populated to save the template,
however when a user is created from the template the UserName is used as the default externalID.
To add a User Template:
1 Select Users & Groups | UserIDs | Add User Template from the menu.
2 Enter the template name and placeholder first and last names.
3 Change any other settings on the various tabs.
4 Click the Save Changes button.
Add a user ID using a template
Users added using a template will automatically inherit the time information, group membership and
permissions from the template used.
To add a user using a template:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Click the Use Template button.
3 Select a template on the Listing tab.
4 Click the Details tab.
5 Enter the user name, first name, last name, and other contact information.
6 Make any other changes as desired.
7 Click the Save Changes button.
Add a CLI user ID
A CLI user ID is a special user account used to access TPAM remotely via the CLI (command line interface). It is
now possible for one user ID to be both a web and CLI user. When accessing TPAM through the CLI they can only
execute specific commands supported by the TPAM CLI.
NOTE: The paradmin user ID cannot be given CLI access.
To add a new CLI user ID:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the CLI check box. Enter information on the Key Based tab. For more information see Key based tab.
5 To enter custom information, click the Custom Information tab. For more details see Custom information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
9 Click the Save Changes button.
TIP: If a user ID that has both Web access and CLI or API access is added, to generate keys they must first log in to TPAM and go to the User menu to generate and download their keys. Steps 10-13 do not apply.
10 Click the Details tab.
11 Click the Key Based tab.
12 Click the Download Key button.
13 Save the key file that is generated.
14 Give this key file to the user. This key file must be placed on any computer that uses this user ID to access TPAM’s command line functions.
NOTE: The name of the key file can be renamed.
IMPORTANT: If a user ID has both web and API or CLI access to TPAM you will not be able to download or
generate keys for that user ID. They must log on to TPAM to download and/or regenerate their own DSS
key.
Add an API user ID
An API user ID is required to use TPAM’s Application Programming Interface (API). The TPAM API allows client
applications, via an SSH (Secure Shell) connection to the TPAM appliance, to perform many of the operations
provided in the TPAM User Interface. For more on the API see the Application Programming Interface chapter
later in this guide.
To add an API user ID:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the API check box. Enter information on the Key Based tab. For more information see Key based tab.
5 To enter custom information, click the Custom Information tab. For more details see Custom information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
9 Click the Save Changes button.
TIP: If you are adding a user ID that has both Web access and CLI or API access, to generate keys they must first log in to TPAM and go to the User menu to generate and download their keys. Steps 10-13 do not apply.
10 Click the Details tab.
11 Click the Key Based tab.
12 Click the Download Key button.
13 Save the key file that is generated.
14 Give this key file to the user. The key file created by TPAM and the user ID are required for the API to be able to establish the SSH connection.
Regenerate keys for CLI/API users
TIP: You cannot regenerate a key for a CLI/API user that also has web access. These users must log on to
the TPAM web interface to retrieve or regenerate their own keys.
To generate a new key:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user.
5 Click the Details tab.
6 Click the Key Based tab.
7 If you require a CLI Key Passphrase, enter one. If not, proceed to step 8.
8 Click the Regenerate Key button.
Duplicate a user ID
To ease the burden of administration and help maintain consistency, user IDs can be duplicated. This allows the
administrator to create new user IDs that are very similar to those that exist, while only having to modify a few
details. The new user ID inherits time information, group membership, and permissions settings from the
existing user ID.
To duplicate a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be duplicated.
5 Click the Duplicate button. A new user ID is created and the User ID Details page displays. The name of the new user ID is automatically DuplicateOfXXXXX.
6 Enter a first name and last name for the user.
7 Make any changes to the user configuration on the various tabs.
8 Click the Save Changes button.
Disassociate a user from a template
To disassociate a user from the template it was created from:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user to disassociate.
5 Click the Details tab.
6 Click the Disassociate button.
7 Click the OK button on the confirmation window.
8 Click the Save Changes button.
Delete a user ID
To delete a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
Delete a user template
To delete a user template:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user template to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: A template that is currently being used by AD or Generic Integration cannot be deleted.
Disable/enable a user ID
To disable/enable a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be changed.
5 Click the Details tab.
6 Select/Clear the User Disabled? box.
7 Click the Save Changes button.
Unlock a user ID
A user may need to be unlocked if they enter an incorrect password multiple times.
To unlock a user:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be unlocked.
5 Click the Unlock button.
Reset user ID password
To reset a user’s password:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be reset.
5 Click the Details tab.
6 Enter the new password in the Password and Confirm boxes.
7 Click the Save Changes button.
8 Notify the user of their new password.
This creates a one-time-use password that the user will be forced to change upon logging on.
NOTE: You cannot change passwords for users with external primary authentication. If Primary Authentication has been minimized then you cannot change the user’s local password.
Manage the paradmin user ID
There is the option to have TPAM manage the paradmin user ID, so that any user wanting to log on as paradmin
must go through the TPAM request and approval process to obtain the account password. When the paradmin
account is managed through TPAM you cannot enter a new password for this account on the User Management
Details page. Additionally, when a user is logged on as paradmin they will not have access to the User menu
Change Password option.
To manage the paradmin user ID:
1 Create an administrator account. See Add a web user ID.
2 Log on to the /tpam interface using the new administrator account.
3 Select Users & Groups | Manage Sys-Admin UserIDs from the menu.
4 Filter for the paradmin account. Click the Listing tab.
5 Select the paradmin account.
6 Click the Details tab.
7 Select the Administer account password with local PPM? check box.
8 Click the Save Changes button.
After this is saved the paradmin account on the managed system Local_Appliance_paradmin will be set with Automatic Password Management selected.
NOTE: The Local_Appliance systems cannot be deleted, duplicated or tested. Users cannot add or delete accounts on the Local_Appliance. The Local_Appliance systems do not count against licensed systems.
9 Select Accounts | Manage Accounts from the menu.
10 Filter for the paradmin account. Click the Details tab.
11 Click the Management tab. Verify that the password check and change profiles you want used to manage this account are assigned.
The password will be scheduled for an immediate reset. Depending on the number of password changes in the queue it may take some time to reset. Any users currently logged on as paradmin will be prompted to enter a new password once it has been reset.
To disable management of the paradmin user ID:
1 Log on to the /tpam interface using an admin account other than paradmin.
2 Select Users & Groups | Manage UserIDs from the menu.
3 Filter for the paradmin account. Click the Listing tab.
4 Select the paradmin account.
5 Click the Details tab.
6 Clear the Administer account password with local PPM? check box.
7 Enter a new password in the Password and Confirm boxes.
8 Click the Save Changes button.
List user IDs
The List UserIDs option allows you to export the user data from TPAM to Microsoft Excel® or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
The last access date/time on the report is in server time (UTC).
To list the user IDs:
1 Select Users & Groups | UserIDs | List UserIDs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view group membership for a user, select the user ID and click the Groups tab.
7 To view the permissions assigned to the user, select the user and click the Permissions tab.
Manage your TPAM user ID
Any user may change their password and update individual account details using the User menu option.
To reset your password:
1 From the User Menu select Change Password.
2 Enter the Old Password, the New Password, and Confirm New Password.
3 Click the Save Changes button.
NOTE: User passwords are subject to the requirements of the Default Password Rule.
To edit your user details:
1 From the User menu select User Details.
2 Make changes in the following boxes:
Table 10. Fields available on My User Details

Phone Number
Phone number that is associated with your user ID in TPAM.

Mobile Number
Mobile number that is associated with your user ID in TPAM.

E-mail
The email address that TPAM will use for email notifications from TPAM.

My Timezone
The appropriate time zone must be chosen from the list. With this option most dates and times that the user sees in the application or on reports are converted to their local time. If a date or time still reflects server time it is noted on the window.

Description
The description box may be used to provide additional details about the user.

CLI Key Passphrase
Only applies to CLI users. This is an optional pass phrase to encrypt the user’s private key. The phrase is case sensitive, up to 128 characters, and does not allow double quotes (“). The phrase is not stored and cannot be retrieved after the key is generated.

Reset CLI Key
Click this button to create a new CLI key for the user ID.

Get CLI Key
Click the button to retrieve the new CLI key.

Get API Key
Click this button to create a new API key for the user ID.

Get API Key
Click the button to retrieve the new API key.

NOTE: If the System Administrator disables User Time zone changes in the /admin interface the User Time Zone Information block shown above is visible only for Administrator users.
3 Click the Save Changes button.
5 Groups
• Introduction
• Add a group
• Duplicate a group
• Delete a group
• List groups
• Default global groups
Introduction
Groups are defined sets of users. Groups can be used to simplify the process of assigning permissions.
To add and manage groups, information is entered on the following tabs in the TPAM interface:
Table 11. Group Management: TPAM interface tabs
Details: Define group name.
Members: Assign members to the group.
Permissions: Assign systems, accounts, files and/or collections permissions for the group.
Details tab
Table 12. Group Management: Details tab options

Group Name
Unique name for the group.
Required: Yes.

Description
Used to provide additional information about the group.
Required: No.
Members tab
The table below explains the fields on the Members tab.
Table 13. Group Management: Members tab options

Name
Name of the user.

Membership Status
To modify group membership, simply click the Not Assigned or Assigned buttons next to each user. You can set all displayed users to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button.
Required: Yes.
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this group.
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s to which the selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right upper side of the Results tab. When you select an Access Policy on the list the detailed permissions describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the assignment.
Table 14. Access Policy Details pane icons (actions, in the order the icons appear)
• Refreshes the list of available Access Policies.
• Scrolls the currently selected User into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
An edit indicator icon next to any row on the list simply means that row has been edited since the last save changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is reloaded any Users that you have already edited reflect their edited policy assignment. When you click the Save Changes button all the Access Policy assignment changes for the account are saved. The appliance saves these in batches, informing you of the number of assignments added, removed, or changed for each batch.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a new tab or window.
Add a group
When adding a group in TPAM, information is entered on the following tabs to configure the group:
• Details
• Members
• Permissions
The following procedure describes the required steps to add a group.
To add a new group:
1 Select Users & Groups | Groups | Add Group from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Click the Members tab.
4 Enter your search criteria on the Filter tab.
5 Click the Results tab to assign/remove members from the group. For more detail see the Members tab.
NOTE: A group used by either AD or Generic Integration cannot have its membership changed here. The current member status is displayed, but all buttons in the list are disabled.
TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button.
6 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
NOTE: The Permissions tab is disabled for any of the default Global Groups because you cannot change the Access Policy for a system generated group.
7 Click the Save Changes button.
Duplicate a group
To ease the burden of administration and help maintain consistency, groups can be duplicated. This allows the
administrator to create new groups that are very similar to those that exist, while only having to modify a few
details. The new group inherits membership and permissions from the existing group.
To duplicate a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be duplicated.
5 Click the Duplicate button. A new group is created and the Group Details page displays. The name of the new group is automatically DuplicateofXXXXX.
6 Make any changes to the group on the various tabs.
7 Click the Save Changes button.
Delete a group
To delete a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
List groups
The List Groups option allows you to export the group data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
To list the groups:
1 Select Users & Groups | Groups | List Groups from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the list of group names outside of the TPAM interface, click the Export to Excel button or the Export to CSV button. To view and store the list of group members outside of the TPAM interface, click the Export Members to Excel button or the Export Members to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view membership of a group, select the group and click the Members tab.
7 To view the permissions granted to the group, select the group and click the Permissions tab.
Default global groups
Included with TPAM are several default global groups that can be used for assigning permissions. These are only
visible in TPAM if the System Administrator has enabled these in the admin interface.
IMPORTANT: Any users assigned to a global group will gain the associated permissions on all systems unless
overridden by other assignments.
To view global groups:
1 Select Users & Groups | Groups | Manage Groups from the main menu.
2 Click the Listing tab.
3 Select a global group.
4 Click the Members tab to edit membership to the group.
5 Select the Not Assigned or Assigned button.
6 Click the Save Changes button.
NOTE: The Permissions tab is disabled for all global groups because you cannot change the Access Policy for a global group.
6 Permission Hierarchy
• Introduction
• Permission precedence
• Permissions example
Introduction
Because TPAM allows groupings of users (Groups) and remote systems (Collections), it is possible, even likely, that a user could appear to have multiple conflicting permissions for a particular system, account, and/or file. To resolve this, TPAM implements a precedence of permissions.
Permission precedence
The precedence, in order of decreasing priority is:
• An Access Policy assigned to a User for an Account/File (most specific)
• An Access Policy assigned to a User for a Collection containing Accounts or Files
• An Access Policy assigned to a User for a System
• An Access Policy assigned to a User for a Collection of Systems
• An Access Policy assigned to a Group for an Account/File
• An Access Policy assigned to a Group for a Collection containing Accounts or Files
• An Access Policy assigned to a Group for a System
• An Access Policy assigned to a Group for a Collection of Systems (least specific) (*)
(*) This category includes Users who are assigned to any of the “Global XXX” Groups. The groups grant their respective permissions to an internally-maintained “All Systems” collection.
IMPORTANT: A Denied access policy assignment at any level overrides all other permissions at that level.
After any permissions are changed, for example, by adding or removing a user from a group, the precedence is
recalculated, and if necessary, the permissions for the user are changed to reflect the new level that results.
Permissions example
In the scenario shown above, the groups and users have been assigned Access Policies that grant the permissions
specified. In this situation, the precedence of permissions will be applied and the effective permissions would
be as follows:
• User A has Approver permission on System C through the Group to System assignment.
• User A has been assigned Reviewer rights on System A, Account B1, and File C1 via the Group A to Collection B assignment. These Review rights on File C1 take precedence over the Approve rights on System C because assignment to a Collection containing an Account or File is more specific than a collection containing just the System. User A may still Approve requests to all accounts on System C and all of C’s files with the exception of File C1.
• Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that, as above, the Group B to Collection B assignment of Request rights for User A on File C1 overrides the Approver rights from Group A.
• Since User A is in both Groups A and B he has both Review and Request rights on all the items in Collection B. Assignments at the same hierarchy level are combined.
• User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though the Group A to Collection B assignment grants User B Review on Account B1 on System B, User B is still denied access because the User to Collection assignment trumps the Group to Account in a Collection assignment. If User B had instead been assigned the Review permission directly (as opposed to through Group A) to Account B1, that would have replaced the Denied assignment on System B, but only for that one account.
• User B also has Review rights on all Accounts and Files on System A and File C1 on System C.
• User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes both policies User C received via the Group to Collection assignments, but only for Account B1. User C still has Review and Request permissions to System A and File C1.
• User D has been granted ISA rights over Collection A. This assignment takes precedence over D’s Request permission on System A, which is through the Group B to Collection B assignment. D still retains the Request permissions on Account B1 and File C1 from the Group assignment; however, that removes D’s ISA permissions on Account B1 (although D still has ISA permissions over any other accounts on System B).
Where there is more than one permission granted at the same level of the permission hierarchy those
permissions are combined, as long as one of those permissions is not “Denied”. If a User is in 3 different groups
(A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor)
the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead
of Reviewer that takes precedence over all other "Group to System" assignments for that User on that System.
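The precedence list and the narrative example above, worked in code. This is an added example, not TPAM code: because the figure is not reproduced, the topology (Collection B holding System A, Account B1 and File C1; extra accounts A1, B2 and C2; a constructed "Global Requestors" group granted REQ on an "All Systems" collection) is reconstructed from the narrative, and the resolver applies the eight levels exactly in the order listed, with Denied overriding only within the level that wins.

```python
"""Effective-permission resolver following the TPAM precedence list.

Constructed example, not TPAM code. Levels 0-7 mirror the eight bullets
of "Permission precedence" (0 = most specific).
"""
from dataclasses import dataclass, field

LEVEL_NAMES = (
    "User -> Account/File",
    "User -> Collection of Accounts/Files",
    "User -> System",
    "User -> Collection of Systems",
    "Group -> Account/File",
    "Group -> Collection of Accounts/Files",
    "Group -> System",
    "Group -> Collection of Systems",
)


@dataclass
class Directory:
    system_of: dict      # account or file name -> system name
    collections: dict    # collection name -> set of systems/accounts/files
    groups: dict         # group name -> set of user names
    assignments: list = field(default_factory=list)  # (principal, target, permission)

    def level(self, principal, target, entity):
        """Level at which (principal -> target) applies to an account/file, or None."""
        system = self.system_of[entity]
        members = self.collections.get(target, set())
        if target == entity:
            base = 0
        elif entity in members:
            base = 1
        elif target == system:
            base = 2
        elif system in members:
            base = 3
        else:
            return None
        return base + (4 if principal in self.groups else 0)

    def resolve(self, user, entity):
        """Return (winning level name, permissions) for user on an account/file."""
        by_level = {}
        for principal, target, perm in self.assignments:
            if principal in self.groups:
                if user not in self.groups[principal]:
                    continue
            elif principal != user:
                continue
            lvl = self.level(principal, target, entity)
            if lvl is not None:
                by_level.setdefault(lvl, set()).add(perm)
        if not by_level:
            return None, frozenset()
        best = min(by_level)                    # most specific level wins
        winning = by_level[best]
        if "DEN" in winning:                    # Denied overrides everything at that level
            return LEVEL_NAMES[best], frozenset({"DEN"})
        return LEVEL_NAMES[best], frozenset(winning)  # same-level grants combine

    def effective(self, user, entity):
        return self.resolve(user, entity)[1]


def scenario():
    """Constructed version of the guide's Users A/B/C scenario plus a global group."""
    d = Directory(
        system_of={"A1": "A", "B1": "B", "B2": "B", "C1": "C", "C2": "C"},
        collections={"Collection B": {"A", "B1", "C1"},
                     "All Systems": {"A", "B", "C"}},   # internally-maintained collection
        groups={"Group A": {"user_a", "user_b"},
                "Group B": {"user_a", "user_c", "user_d"},
                "Global Requestors": {"user_e"}},        # constructed "Global XXX" group
    )
    d.assignments += [
        ("Group A", "C", "APR"),                 # Group -> System
        ("Group A", "Collection B", "REV"),      # Group -> Collection of Accounts/Files
        ("Group B", "Collection B", "REQ"),
        ("user_b", "B", "DEN"),                  # User -> System
        ("user_c", "B1", "ISA"),                 # User -> Account
        ("Global Requestors", "All Systems", "REQ"),
    ]
    return d


if __name__ == "__main__":
    d = scenario()
    for user, entity in [("user_a", "C1"), ("user_a", "C2"), ("user_b", "B1"),
                         ("user_c", "B1"), ("user_e", "B2")]:
        print(user, entity, d.resolve(user, entity))
```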
7 Access Policies
• Introduction
• Details tab
• Permission types
• Add an access policy
• Make an access policy inactive
• Reactivate an access policy
• Duplicate an access policy
• Delete an access policy
• Rebuild assigned policies
Introduction
Access policies allow permissions to be assigned at the system, account and file level, so that permissions can be broken down and assigned at a more granular level. For example, you could create one access policy that allows someone to review password releases, request password releases and request a session limited to two commands. Default access policies exist in TPAM that mimic the old TPAM roles of “EGP Requestor”, “PAR ISA” etc., so that existing permission assignments are migrated to the new access policy model and so that the default Global Groups can be supported.
Details tab
The table below explains all of the box options available on the details tab.
Table 15. Access Policies: Details tab options

Policy Name (Required: Yes)
The unique policy name. When assigning access policies you select this name from a list, so make it as descriptive as possible. Limited to 30 characters.

Description (Required: No)
The description box may be used to provide additional information about the access policy. This information is only visible to Administrators when editing the policy.

System Generated (Required: No)
This box is selected if the access policy was automatically created by TPAM. System generated access policies are created for backwards compatibility in the migration from system level permissions and aliases to account level permissions and access policies. System generated access policies cannot be altered in any way, only made inactive. System generated access policies can be duplicated but not deleted.

Active (Required: Yes)
If selected, this access policy can be assigned to users/groups.

Used By Summary (Required: NA)
Displays the count of entities that are using this access policy.

Access Policy Type (Required: Yes)
Choices are All, Password, File, Session or Command. When Command is selected a list of commands is available to select from. These are the entities that you are granting permissions on.

Access Policy Permission (Required: Yes)
Permission choices are:
• DEN - Denied
• ISA - Information Security Administrator
• APR - Approver
• REQ - Requester
• REV - Reviewer
• PAC - Privileged Access
See Permission types for a detailed explanation of each permission.

Use Defaults from System, Account, or File (Required: No)
The data in this section of the page replaces the details that were formerly configured on the Alias Account Details tab in releases prior to v2.4. To override the settings at the system, account or file, clear the Use defaults check box and adjust the settings.

Allow Clipboard (Required: No)
This option is only enabled for session and command types. If selected, the user can use the clipboard function for copy/paste of text during a session.

Allow File Uploads (Required: No)
This option is only enabled for session and command types. If selected, file uploads are allowed during sessions with this account.

Allow File Downloads (Required: No)
This option is only enabled for session and command types. If selected, files can be downloaded from the remote system to the local system/network drive during a session.

Prevent Password Release (Required: No)
This option is only enabled for session and command types. If selected, prevents a user from requesting a session where the proxy type is interactive login.

Record Sessions (Required: No)
This option is only enabled for session and command types. If selected, the session is recorded.

Record Keystrokes (Required: No)
If selected, creates a keystroke log (KSL) of the user’s activity during the session.
NOTE: A DPA is required for a keystroke log to be created.

Allow KSL View (Required: No)
If selected, allows people replaying the session to see the keystroke log. This check box applies only when ISA, APR, or REV permissions are selected.

Record Events (Required: No)
If selected, a log of events during the session is created. These events can be searched or bookmarked during playback.

Restr. Cmd Prof. (Required: No)
Can select a profile which restricts the commands the user may run during a session. The Record Session option must be selected in order to select a profile.

Min Approvers (Required: No)
The request will use the value here or the value set at the account, whichever is greater.

Max Duration (Required: No)
The request will use the value here or the value set at the account, whichever is less.
Permission types
When creating access policies in TPAM there are several different permission types to choose from. The table
below explains the different types.
Table 16. Access Policies: Available permission types

Denied
This permission type was created so that collection permissions could be assigned to a user and then the Denied permission set for specific entities within this collection that the user should not have access to. If a user is Denied for a system but has access to a specific account/file on that system they can still access the account/file, because account or file permission assignment holds precedence over system.

ISA (Information Security Administrator)
The role of ISA is intended to provide the functionality needed for security help desk personnel, and as a way to delegate limited authority to those responsible for resource management.
An ISA permission with a type of session allows the user to add and update all aspects of PSM Only systems, PSM only accounts, and for PSM supported platforms.
An ISA permission with a type of password allows the user to add and update systems and accounts for all platforms except those that are PSM only.
A user must be assigned an access policy with a type of both password and session and permission of ISA to be able to assign access policies to other entities. The ISA permission does not allow the user to delete a system.

Approver
An approver can be configured to approve password, session and/or file requests. An approver can also be configured to only approve sessions that are requesting specific commands.

Requestor
A Requestor can be configured to request password, session, and/or file requests. A requestor can also be configured to only request sessions that run specific commands.
NOTE: A user requesting a session that has an interactive proxy type must also have an access policy assigned to them that includes password/requestor for that account.

Reviewer
The reviewer role permits the individual to view reports on specific systems for which they have been granted reviewer rights. A session/command reviewer can also replay sessions and review/comment on these sessions. If the user has password reviewer permissions they can review a password release that has expired and comment on that password release.

PAC (Privileged Access)
With a PAC permission type, the user must go through the request process for passwords, files, and sessions, but after they submit the request it is automatically approved, regardless of the number of approvers required.
NOTE: If a user has session/PAC permissions but does NOT have password/PAC permissions on an account, they can only start a session that is configured for one of the automatic proxy connection types, since they do not have permissions to access the password.
Add an access policy
To add an access policy:
1 Select Management | Access Policies from the menu.
2 Click the Add Policy button.
3 Enter the policy name.
4 Enter the policy description. (Optional)
5 Select a type/s. If Command is selected, select a command from the list.
6 Select the permission/s.
7 If Session is selected as a type, along with a permission of REQ or PAC, you have the option to clear the Use defaults check box and select Allow Clipboard, Allow File Uploads, Allow File Downloads, Prevent Password Release, Record Sessions, Record Keystrokes, Allow KSL Monitor, Record Events, and/or select a Command Restriction Profile. (Optional)
8 If REQ is selected as a permission, you have the option to clear the Use defaults check box and enter Min Approvers and Max Duration. (Optional)
9 To add another type/permission combination, click the Add button and repeat steps 5-8.
10 Click the Save Changes button.
IMPORTANT: Commands on access policies are not limited by proxy type, so it IS possible to create an
access policy with commands that cannot be executed on the assigned account due to proxy type
limitations.
NOTE: There is no way to create a policy that allows a user to “Request, Approve or Review any Session
using any PCM Command”. A separate detail row must be created for each PCM command that is allowed
through the policy.
TIP: Any detail rows on an access policy that include a command permission need to have their own line.
See the example screen shot below.
Detail rows should not conflict with each other in the same policy. For example, if you have one row granting
Password/REQ, you cannot have another row with Password/DEN. Nor are you allowed to have two rows in the
policy that grant the same permission to the same type or command, e.g., you cannot have two rows both
granting Password/REQ, however you may have two (or more) rows granting Command/REQ as long as all the
rows reference different PCM Commands.
Make an access policy inactive
Making an access policy inactive removes it from the list of possible access policies that can be assigned to users or groups for a system, account, collection or file. Making the policy inactive also removes it from any entity it is assigned to.
To make an access policy inactive:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to make inactive.
5 Click the Details tab.
6 Clear the Active check box. If the access policy is currently assigned, you will see the following warning message.
7 After reading the warnings, to proceed select the Yes, this is really what I want to do check box.
8 Click the Save Changes button.
NOTE: If this is a system generated policy it makes the associated Global XXX Group effectively useless,
but does not change membership in the group.
Reactivate an access policy
To reactivate an access policy:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to make active.
5 Click the Details tab.
6 Select the Active check box.
7 Click the Save Changes button.
NOTE: Reactivating a system-generated access policy brings back assignments of the associated global
group to the “All Systems” collection.
Duplicate an access policy
To ease the burden of administration and help maintain consistency, access policies can be duplicated. This
allows the administrator to create new policies that are very similar to those that exist, while only having to
modify a few details.
Duplicating an access policy duplicates all information about the policy itself (with the exception of the System
Generated setting), but does not duplicate any policy assignments.
To duplicate an access policy:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to be duplicated.
5 Click the Duplicate Policy button. A new policy is created and the Details tab displays.
6 Enter the Policy Name.
7 Make any changes to the access policy.
8 Click the Save Changes button.
Delete an access policy
NOTE: An access policy can only be deleted if it is currently marked inactive.
To delete an access policy:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to be deleted.
5 Click the Delete Policy button.
6 Click the OK button on the confirmation window.
Rebuild assigned policies
If the "Always use cached permission data" global setting is set to either "Yes" or "Not for Password/File Retrieval and Session Start", it is recommended that Administrators and ISAs use the Rebuild Assigned Policies page to update the cached permissions with the latest changes they have made. These changes include:
• Editing any permission assignment
• Adding/deleting systems, accounts, files, users, groups, or collections
• Changing the Ignore System Policies check box on the account
• Changing the user type (Administrator, Basic, Auditor, User Admin)
• Changing collection membership
• Changing the Global Groups setting in Global Settings
The Rebuild Assigned Policies page shows how much data is in the cache, when it was last updated, and the
current state of the background job. An Administrator or a user with both PPM and PPM ISA permissions may use
the Run Now button to run the job immediately if there are pending changes. This job will automatically run in
the background every 60 seconds as needed to update changes.
To rebuild the assigned policies:
1 Select Management | Rebuild Assigned Policies from the menu.
2 Click the Run Now button to update TPAM with the latest changes.
The Refresh Data button can be clicked to see if there are any new changes in the queue that need to be
processed.
8 Password Profiles
• Introduction
• Add a password check profile
• Add a password change profile
• Delete a password check/change profile
• Assign a password check/change profile
Introduction
Password check and change profiles define the rules for the checking and changing of an account’s password. On a brand new TPAM appliance there are 3 factory default check profiles and 5 factory default change profiles that can be assigned to systems/accounts as desired, or new ones can be configured. The three check profiles available are:
• Check and Reset - marked as default until another profile is marked as default.
• Check, No Reset
• Check Disabled
The change profiles available are:
• Change Disabled
• Change Daily
• Change Every 5 days
• Change on First of Month - marked as default until another profile is marked as default.
• Change on Last of Month
Add a password check profile
To add a password check profile:
1 Select Management | Profile Management from the menu.
2 Select Password Check from the Profile Type list.
3 Click the New Profile button.
4 Complete the boxes as the table below describes.
Table 17. Password check profile page options

Profile Name (Required: Yes)
Enter a unique profile name.

Description (Required: No)
Enter information about the password check profile.

Default Check Profile (Required: No; Default: Off)
If selected, this password check profile will automatically be assigned to any new system added.

Schedule (Required: Yes; Default: Daily, 1 time per day)
Specifies the interval at which the password is checked. Choices are:
• No scheduled password checks
• Daily - password checked n time(s) per day.
• Weekly - password is checked once on the day(s) selected.
• Every n Days - password is checked every n days. The n value can be between 1 and 999.
• Monthly - if selected then the password is checked every month depending on one of the options below:
  • First Day of the Month – the password is checked every month, on the first day of the month.
  • Last Day of the Month – the password is checked every month, on the last day of the month.
  • Days of the Month - specific days can be entered. Multiple days can be entered separated with semi-colons. -1 can be entered to represent the last day of the month.

Checks will be scheduled during the following window(s) (Required: Yes; Default: 00:00-23:59)
The time windows entered indicate the time(s) the password is scheduled to be checked. Time windows are entered as StartTime-EndTime. Times must be entered using a 24 hour format. Multiple time windows may be entered separated by a semi-colon. Up to 4 windows may be entered. Each window must be a minimum of 60 minutes long, and there must be at least 30 minutes in between each window. Windows that cross midnight will be listed as two separate windows once the profile is saved.

Allow system to notify TPAM it is available for check (Required: No; Default: Off)
If selected, the system can notify TPAM that it is online and available for password checks. If this is selected and the system is online, a password check will be scheduled if the last successful check date indicates that a password check is overdue. The system must have a unique certificate thumbprint assigned in order to use this option. See How to call the notification service for details. Accounts that are overdue for a check will be scheduled regardless of the current schedule settings, unless this account has No scheduled password checks selected. Accounts subscribed to a Synchronized Password will be checked against the current synchronized password and reset if needed.
NOTE: If the account is on a custom platform system, the custom platform must have the Automation Active check box selected.

Check password timeout (Required: Yes; Default: 20)
Determines the amount of time in seconds that an attempt to check the password remains active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the system, this value can be increased.

After n consecutive failures to check do ... (Required: Yes; Default: 0, Do nothing)
n is a value between 0-99. Options available if failures occur are:
• Do nothing
• Disable check schedule - account is ignored for any future checks until an Administrator or ISA goes to the account details management tab and clears the Check schedule disable check box.
• Lock - locks the account in TPAM; no password releases or password requests are permitted until it is unlocked.
• Increase retry interval - if selected, enter a retry interval >0 and greater than the current check retry interval setting on the Auto management agent in the admin interface.

Also notify account owner of check failure (Required: No; Default: Off)
Only available if the consecutive failures setting is greater than 0. Email addresses saved on the system detail information tab will receive notifications when the nth failure occurs and every nth time after. Ex. 3 failures, email sent, 3 more failures, email sent.

On password mismatch do ... (Required: Yes; Default: Do nothing)
The option selected determines how TPAM handles the scenario. Options are:
• Do nothing
• Reset Password - schedule the account for immediate password change.
• Disable check schedule - account is ignored for any future checks until an Administrator or ISA goes to the account details management tab and clears the Check schedule disable check box.
• Lock - locks the account in TPAM; no password releases or password requests are permitted until it is unlocked.

Also notify account owner of mismatch (Required: No; Default: Off)
Email addresses saved on the system detail information tab will receive notifications when there is a password mismatch.

5 Click the Save Changes button.
Add a password change profile
To add a password change profile:
1 Select Management | Profile Management from the menu.
2 Select Password Change from the Profile Type list.
3 Click the New Profile button.
4 Complete the boxes as the table below describes.
Password change profile page options

Profile Name (Required: Yes)
Enter a unique profile name.

Description (Required: No)
Enter information about the password change profile.

Default Change Profile (Required: No; Default: Off)
If selected, this password change profile will automatically be assigned to any new system added.

Schedule (Required: Yes; Default: Daily, 1 time per day)
Specifies the interval at which the password is changed. Choices are:
• No scheduled password changes - accounts or synchronized passwords with this setting will never be scheduled for changes. Post-release resets may still occur based on the account level setting.
• Daily - password changed n time(s) per day.
  NOTE: If a password is scheduled to be changed more than once a day the recommendation is to use the Test Port option as well.
• Weekly - password is changed once on the day(s) selected.
• Every n Days - password is changed every n days. The n value can be between 1 and 999.
• Monthly - if selected then the password is changed every month depending on one of the options below:
  • First Day of the Month – the password is changed every month, on the first day of the month.
  • Last Day of the Month – the password is changed every month, on the last day of the month.
  • Days of the Month - specific days can be entered. Multiple days can be entered separated with semi-colons. -1 can be entered to represent the last day of the month.

Changes will be scheduled during the following window(s) (Required: Yes; Default: 00:00-23:59)
The time windows entered indicate the time(s) the password is scheduled to be changed. Time windows are entered as StartTime-EndTime. Times must be entered using a 24 hour format. Multiple time windows may be entered separated by a semi-colon. Up to 4 windows may be entered. Each window must be a minimum of 60 minutes long, and there must be at least 30 minutes in between each window. Windows that cross midnight will be listed as two separate windows once the profile is saved.

Allow system to notify TPAM it is available for change (Required: No; Default: Off)
If selected, the system can notify TPAM that it is online and available for password changes. If this is selected and the system is online, a password change will be scheduled if the last successful change date indicates that a password change is overdue. The system must have a unique certificate thumbprint assigned in order to use this option. The certificate is assigned to the system on the System Management tab. See Management tab for details. Accounts that are overdue for a change will be scheduled regardless of the current schedule settings, unless this account has No scheduled password changes selected. Accounts subscribed to a Synchronized Password will be checked against the current synchronized password and reset if needed.

Do not change password while release is active (Required: No; Default: Off)
If selected, the password will not be changed while the account has an active request open.

Change password timeout (Required: Yes; Default: 20)
Determines the amount of time in seconds that an attempt to change the password remains active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the system, this value can be increased.

Test Port/Timeout (Required: No; Default: Off)
If selected, the port that is used for the password change is tested before attempting to change the password. If selected, a timeout in seconds is required; a small value for the timeout is recommended. Using the test port helps reduce the number of failed passwords that TPAM has to store, as well as reducing network resources spent waiting on unsuccessful change password attempts. A test port failure is logged, but does not count as a failed password change.

After n consecutive failures to change do ... (Required: Yes; Default: 0, Do nothing)
n is a value between 0-99. Options available if failures occur are:
• Do nothing
• Disable change schedule - account is ignored for any future changes until an Administrator or ISA goes to the account details management tab and clears the Change schedule disable check box.
• Lock - locks the account in TPAM; no password releases or password requests are permitted until it is unlocked.
NOTE: Test port failures do not count toward consecutive failures.

Also notify account owner of change failure (Required: No; Default: Off)
Only available if the consecutive failures setting is greater than 0. Email addresses saved on the system detail information tab will receive notifications when the nth failure occurs and every nth time after. Ex. 3 failures, email sent, 3 more failures, email sent.

5 Click the Save Changes button.
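A validator for the time-window syntax that both the check and change profile tables describe (StartTime-EndTime, 24-hour clock, semicolon separated, at most 4 windows, each at least 60 minutes, at least 30 minutes between windows, midnight-crossing windows stored as two). This is an added example, not TPAM code; it assumes the end time is inclusive (so the default 00:00-23:59 is a 1439-minute window) and that the 30-minute gap is measured between windows within one day after the midnight split.

```python
"""Parse and validate TPAM-style schedule windows. Constructed example, not TPAM code."""
import re

MAX_WINDOWS = 4
MIN_LENGTH = 60      # minutes a single window must span
MIN_GAP = 30         # minutes required between two windows (assumption: within one day)
DAY = 24 * 60

_TIME = re.compile(r"^([01]\d|2[0-3]):([0-5]\d)$")   # strict HH:MM, 24-hour


def _minutes(hhmm):
    """'HH:MM' -> minutes since midnight; rejects 12-hour or single-digit forms."""
    m = _TIME.match(hhmm.strip())
    if not m:
        raise ValueError(f"bad 24-hour time: {hhmm.strip()!r}")
    return int(m.group(1)) * 60 + int(m.group(2))


def parse_windows(text):
    """Parse 'HH:MM-HH:MM;HH:MM-HH:MM' into sorted (start, end) minute pairs.

    A window whose end is earlier than its start crosses midnight and is
    split into two, which is how the guide says the saved profile lists it.
    Raises ValueError for any rule the profile page would reject.
    """
    raw = [w for w in text.split(";") if w.strip()]
    if not raw or len(raw) > MAX_WINDOWS:
        raise ValueError(f"enter between 1 and {MAX_WINDOWS} windows")
    windows = []
    for w in raw:
        start_s, sep, end_s = w.partition("-")
        if not sep:
            raise ValueError(f"window must be StartTime-EndTime: {w.strip()!r}")
        start, end = _minutes(start_s), _minutes(end_s)
        length = end - start if end >= start else end + DAY - start
        if length < MIN_LENGTH:
            raise ValueError(f"window {w.strip()!r} is shorter than {MIN_LENGTH} minutes")
        if end >= start:
            windows.append((start, end))
        else:                               # crosses midnight: store as two windows
            windows.append((start, DAY - 1))
            windows.append((0, end))
    windows.sort()
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start - prev_end < MIN_GAP:
            raise ValueError(f"windows overlap or are less than {MIN_GAP} minutes apart")
    return windows


def format_windows(windows):
    """Render minute pairs as the profile shows them after saving."""
    return ";".join(f"{s // 60:02d}:{s % 60:02d}-{e // 60:02d}:{e % 60:02d}"
                    for s, e in windows)


def is_valid(text):
    """True if the window string would be accepted under the rules above."""
    try:
        parse_windows(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("00:00-23:59", "22:00-02:00", "08:00-12:00;12:15-14:00"):
        print(sample, "->", format_windows(parse_windows(sample)) if is_valid(sample) else "rejected")
```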
Delete a password check/change profile
To delete a password check or change profile:
1 Select Management | Profile Management from the menu.
2 Select Password Change or Password Check as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A password check or change profile can only be deleted if it is not assigned to any systems, accounts or synchronized passwords.
Assign a password check/change profile
Password check and change profiles can be assigned using the batch processing, CLI/API or by following the
procedure below.
To assign a password check or change profile to a system:
1. Select Systems, Accounts, & Collections | Accounts | Manage Systems.
2. Select the system on the Listing tab.
3. Click the Management tab.
4. Select the profiles from the lists.
5. Click the Save Changes button.
9 Systems
• Introduction
• Add a system
• Add a system template
• Add a system using a template
• Test a system
• Clear a stored system host entry
• Duplicate a system
• Disassociate a system from a template
• Delete a system
• Delete a system template
• List systems
• Local appliance systems
Introduction
This chapter covers the steps to add and manage systems in TPAM. To add and manage systems, information is
entered on the following tabs in the TPAM interface:
Table 18. Systems Management: TPAM interface tabs (columns: Tab name; Description)
Details/Information
  Define main system information, such as name, IP address, contact.
Details/Custom Information
  Enter data in custom fields, if they have been defined.
Details/Connection
  Define functional account credentials.
Details/Management
  Configure the settings for how TPAM will manage the passwords for the accounts on this system.
Details/Ticket System
  Configure Ticket System Validation for requests on this system.
Details/LDAP Schema
  For LDAP Directory systems, whose schema may require customizing.
Template
  Used to save system settings as a template.
Account Discovery
  Assign the account discovery profile to be used for this system.
Affinity
  Define Distributed Processing Appliance (DPA) assignment for a system.
Collections
  Assign a system to a collection/s.
Permissions
  Assign users and groups permissions on this system.
Information tab
The table below explains all of the box options available on the details information tab.
Table 19. Systems Management: Details information tab options (columns: Field; Description; Required?; Default)
System Name (Required: Yes)
  Descriptive name of the system. Typically, the host name (for UNIX® systems) or the machine name (for Windows® systems) is used. Within TPAM, the system name must be unique. The name can be 1-30 characters long, but cannot include empty space (i.e. spaces, carriage-returns, etc.).
Network Address (Required: Yes)
  The IP address (example: 192.168.0.15) or DNS name (example: server1.domain.bigco.com) of the system. It is imperative that this information is entered correctly, as the back-end automation procedures use this address to connect to the remote system.
  NOTE: MS SQL Server® systems with dynamic ports can be entered as networkaddress\namedinstance in this box. For more details see the Client Set Up Guide.
ISA Policy
  This option is listed after adding a system if your user ID is assigned an Access Policy that contains an ISA permission. From this list, select the ISA policy to be applied, which allows you to access the system after it has been saved. If you have ISA access granted via a single Access Policy it is pre-selected.
  NOTE: If you select Do not Assign an ISA Policy you must assign the system to a collection to which you have access; otherwise, once the system is saved you will no longer have access unless you are an administrator.
Platform (Required: Yes; Default: AIX)
  This list shows the operating system platforms currently supported for proxied connections by TPAM. The platform of Other can be chosen for platforms not currently supported for TPAM auto management. Select the appropriate platform for the operating system running on the remote host. For PSM this box is primarily descriptive, since it is the proxy connection type that actually determines how the session is established. However, if the passwords for this system are managed by PPM, ensure the correct platform is selected, as PPM uses it to determine the most secure and reliable way to manage the passwords on the remote system.
Password Rule (Required: Yes; Default: Default Password Rule)
  The password rule to serve as the default for all accounts defined for the system. If the selection is not changed (or if no other rules have been defined in TPAM) the Default Password Rule is selected. The password rule governs the construction requirements for new passwords generated by PPM. Password rules are managed by Sys-Admin users in the admin interface.
Maximum Duration (Required: Yes; Default: 7 Days)
  This is the maximum duration for a password release on the account. If this is overridden by an Access Policy assignment, the lower of the two durations is used. The default duration that the requestor sees for any new password request is 2 hours, or the maximum duration, whichever is less.
Contact E-mail (Required: No)
  Allows support personnel to receive email notifications from TPAM. Alerts are sent when there is a:
  • Password check or change failure based on password profile settings.
  • Scheduled password change for a manually managed account.
  • PSM session expiry.
  • Non-managed account password release notification.
  This box can be left blank, in which case errors are logged but notifications are not sent.
Description (Required: No)
  The description box may be used to provide additional information about the system, special notes, business owner, etc.
Enable Automatic Password Management? (Required: No; Default: Enabled on appliances with Privileged Account Manager licenses)
  Tells TPAM whether to automatically manage remote system account passwords, based upon configuration parameters for each system. Auto-management includes automatic testing and changing of the passwords. Selected = enabled, cleared = disabled. This option is available at both the system and account levels, therefore it is possible to allow TPAM to auto-manage one account on a specific system, while another account on the same system is not auto-managed. However, if the option is not selected at the system configuration level, no accounts on the system can be auto-managed.
  NOTE: If the appliance has exceeded the number of PPM managed systems that were licensed, this option cannot be selected for any new systems until you select the Disable all PPM functions ... check box on another managed system or increase your system license quantity.
Disable all PPM functions and delete any existing password history or secured files? (PSM Customers Only) (Required: No; Default: Off)
  This check box sets the system to “PSM only”, which means you cannot use any of the PPM features on this system such as password change history, release logs, password checking and changing, and releasing passwords. The reason for this is product licensing. You are not limited in the number of “PSM only” systems you can add, but the number of managed (PPM) systems you can add is limited to the number of system licenses you purchased.
Approver Escalation (Required: No)
  You have the ability to send an escalation to a specific email address if no approvers have responded to a Password/File request within X minutes. You can enter multiple email addresses by separating them with a comma, up to the box maximum of 255 characters.
Delegation Prefix (specific platforms only) (Required: No)
  This box can be used to preface the commands that PPM uses to manage passwords for this system. The delegation prefix can also be used to specify an absolute path to the command that PPM uses to manage passwords for the system.
Computer Name (specific platforms only) (Required: Yes for specific platforms)
  This box is designated for the system’s computer name and is required for proper password management. If it is not populated, TPAM attempts to determine the system’s computer name when the system is tested and update the box. The Computer Name box is also used with TPAM’s Autologon feature. You have the option to have TPAM log the user into the remote system using the WORKSTATION\USERID format. This prevents any incorrect logon if the Default domain is saved as the DOMAIN name versus the Local Workstation. If a Domain user is selected from the Session Authentication window on PSM details, the user credentials are passed as DOMAIN\USERID. With both options the DOMAIN box is disabled at login.
Workstation ID (Specific platforms only) (Required: No)
  For AS400 systems a specific workstation ID can be entered here that will be used when TPAM tries to connect to the system.
Restricted URL (PSM Web Access platform only) (Required: No)
  If a URL is entered the user is restricted to this address during the PSM web access session. If ALLOWNAV; is typed in before the restricted URL, the user can navigate away from the restricted URL.
Initial Command (HP Non-Stop platform only) (Required: No)
  Initial command sent to the system.
Client ID (SAP® platform only) (Required: No)
  ALS Client ID.
Password Release on Change (SPCW Pwd platform only) (Required: No)
  Type in OLD, NEW, or BOTH to indicate which password should be supplied to the command.
Extra DB Connection String (DB platforms only) (Required: No)
  Used to store an extra database connection string. For details see the Client Setup Guide.
Custom information tab
There are six fields that can be customized to track information about each system. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.
Connection tab
The connection tab is used to configure the functional account that TPAM will use to connect to the system. This
tab is not enabled unless the Enable Automatic Password Management? check box is selected on the details
information tab (except for the SPCW platforms). The fields available on the connection tab are dependent on
the platform type of the system being configured.
The table below describes the different box options on the Connection tab.
Table 20. Systems Management: Details Connection tab options (columns: Field; Description; Required?; Default)
Functional Account Name (Required: Yes; Default: funcacct)
  The functional account defines the account that is used to manage the accounts on the managed system. This account must be defined and configured on the managed system as defined in the appropriate Client Setup Instructions. The credential defines whether SSH uses a predefined key (DSS) to authenticate or a standard password. DSS is the preferred and more secure way of managing accounts on systems that support SSH. You have the option to let PPM manage the functional account. The auto-change parameters for this password may then be configured via the account information tab, as with any other account. This helps to secure the managed system, by not maintaining a “static” password on a functional account.
  NOTE: After a system is saved for the first time, any changes in the system parameters are not automatically applied to the functional account, unless the Push defaults out to All Accounts switch on the management tab has been selected. The auto manage function never propagates to the functional account. It must be manually set.
Alternate Port (platform specific) (Required: No)
  Most non-Windows® platforms allow alternate ports to be configured for communication of standard protocols, such as SSH, Telnet, or database ports.
Domain Name (platform specific) (Required: Yes)
  When the system platform being created represents a central authority such as Active Directory®, BoKS, or PowerPassword®, the fully qualified domain name must be specified. Do not enter an alias, simple name or NetBIOS name. Max of varchar(255).
Distinguished Name (platform specific) (Required: Yes)
  LDAP/LDAPS and Novell® systems require this field. Max is varchar(2000).
NetBIOS Domain Name (platform specific) (Required: Yes)
  Windows® domain systems (Active Directory® or SPCW) also include the NetBIOS Domain Name box. Specify the name of the domain in NetBIOS format.
SID/Service_Name (Oracle® DB only) (Required: Yes)
  Specifies either the security ID (SID) or the service name for Oracle® databases, and should match the setting in SQLNET.ORA at the database server.
Server O/S (BoKS only) (Required: Yes; Default: AIX)
  Select the O/S running on the server from the list.
Use Domain Account (platform specific) (Required: No)
  If selected, uses the domain account to change account passwords on the central authority.
Local Computer Account (MS SQL Server® only) (Required: No)
  If selected, uses a Windows® account on the host system, which also must be configured as a managed account in TPAM, to connect to the system. Format should be system\account. Named pipe connections must be enabled using SQL Server® Configuration Manager on the target system.
Connection Timeout (Required: Yes; Default: 20)
  The connection timeout value determines the amount of time in seconds that a connection attempt to the managed system remains active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the system, this value can be increased (for example, connections to Windows® systems are often slower than SSH connections and may require a significantly higher timeout value). Max value 9999.
PSM Functional Account (SPCW only) (Required: Yes; Default: psmfuncacct)
  The PSM functional account is used to provide secure communication during the session and file transfer during a session. If the PSM enabled account on the system is configured to use a proxy type of RDP through SSH, the PSM functional account is used during this connection.
Tunnel DB Connection Through SSH (platform specific) (Required: No; Default: Off)
  Database tunneling through SSH provides the ability to securely connect to a remote database. Enter the account name used to connect to the remote system. If SSH is not listening on port 22, enter the correct port number to be used. For DBMS accounts, SSH tunneling only uses the public key for establishing the SSH connections.
  NOTE: Make sure that the default of AllowTcpForwarding is set to Yes in the SSH configuration file of the managed system.
DSS Account Credentials (Required: No)
  When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used.
  • Avail. System Std. Keys – uses the single standard SSH keys (either Open SSH or the commercial key) stored centrally on TPAM. You have the ability to have up to three active keys simultaneously. These keys are configured in the admin interface. Use the list to select the key you want to retrieve.
  NOTE: When using the Avail. System Std. Keys you cannot specify the key that is used. One or all available keys may be downloaded to the remote system, but TPAM attempts to use all currently active keys when communicating with the remote system.
  • Use System Specific Key – allows the generation and download of a specific SSH key to be used with this system only. The key must first be generated using the Get/Regen Key button, and then downloaded in either Open SSH or Sec SSH (commercial) format.
Password Account Credentials (Required: No)
  If a password is entered it must match the password for the account on the managed system, otherwise password changes for accounts on this system will fail.
Enable Password (platform specific)
  Some systems may require the use of very specific accounts for access. Password to use for the “ENABLE” account (Cisco platforms only) or the “EXPERT” account (CheckPoint SP platforms only).
Authentication Method (Cisco Router TEL only) (Required: Yes; Default: Username/Password)
  Username/password is used when a username is needed to connect to the system. Line definition is used when there is no username to be specified; it is simply a password on the terminal connection.
Expert Password (CheckPoint SP only) (Required: Yes)
  Setting up an Expert Password allows configuration access to the system.
Custom Command (Mainframe only) (Required: No)
  If there is a special command that needs to be entered prior to being prompted for authentication credentials, it is specified by placing the command in the custom command box.
Use SSL? (platform specific) (Required: No; Default: Off)
  Select this box if communications between TPAM and the device require the SSL option.
Non-Privileged Functional Account (Windows® AD only) (Required: No; Default: Off)
  If selected, any password changes for accounts on this system use the managed account’s current password to log in and make the password change instead of using the functional account password.
Allow Functional Account to be Requested for Password Release (Required: No; Default: Off)
  If selected, requestors on this system can make a request to release the password for the functional account. If not selected, the functional account passwords are not available for release to a requestor and are only accessible to an ISA.
Management tab
The management details tab is used to configure how TPAM manages the passwords for accounts on this system.
This tab is not enabled unless the Enable Automatic Password Management? check box is selected on the
details information tab. Once set, these parameters are inherited by accounts added to this system. These
options can be overridden at the account level.
The table below explains the options on the Management Details tab.
Table 21. Systems Management: Details Management tab options (columns: Field; Description; Required?; Default)
Password Check Profile Name (Required: Yes, if automatic password management has been selected; Default: from system template, or one marked as default)
  Select a password check profile from the list to determine the rules for how the password is checked on the system against what is stored in TPAM. The password check profiles are configured by the TPAM Administrator. See Password Profiles for more details.
Password Change Profile Name (Required: Yes, if automatic password management has been selected; Default: from system template, or one marked as default)
  Select a password change profile from the list to determine the rules for how the password is changed on the managed system. The password change profiles are configured by the TPAM Administrator. See Password Profiles for more details.
Push Defaults out to All Accounts (Required: No; Default: Off)
  Default change settings and management properties can be configured differently between systems and the defined accounts for those systems. If the desire is to ensure consistency throughout this parent-child relationship, it is possible to push the configuration of the default check and change settings from the system object to all child objects defined for the system. If selected, these settings will be pushed to the accounts when the Save Changes button is clicked. This is a one-time synchronization and may still be changed at the account level.
  NOTE: Synchronized password subscribers will not receive these updates.
Enable auto management on All Accounts (Required: No; Default: Off)
  To enable this check box the Push Defaults out to All Accounts check box must be selected first. If selected, auto management will be enabled on all accounts under this system when the Save Changes button is clicked. This is a one-time synchronization and may still be changed at the account level.
  NOTE: The functional account defined for the system does not receive the Enable Auto Management on All Accounts setting during a push. The auto-manage property must be manually enabled for the functional account.
  NOTE: Synchronized password subscribers will not receive these updates.
Default duration for ISA releases of password (Required: No; Default: 2 Hours)
  The duration for an ISA release may be specified up to a maximum of 7 days. This is the amount of time that transpires between the initial ISA retrieval and the automatic reset of the password (if enabled). If 0 is entered the ISA retrieval of a password will not trigger a post release reset of the password.
Allow ISA to enter Duration on Release (Required: No; Default: Off)
  If selected, an ISA may enter a release duration other than the default when retrieving a password. The duration must be greater than zero and less than or equal to the maximum specified for either the ISA Duration or Max Release Duration (details information tab). This check box is disabled when the Default duration for ISA releases of passwords is set to 0.
Profile Notification Certificate (Required: Yes, depending on password profile)
  This is required if this system is using a check or change profile that is using the Allow system to notify TPAM it is available for check/change setting.
  • No certificate - no thumbprint or certificate options.
  • Thumbprint Only - The SHA1 thumbprint of the certificate used by the system to notify TPAM of availability for check/change operations.
  • User-Supplied - user can upload their own certificate to TPAM.
  • Created by TPAM - TPAM will generate a certificate and record the thumbprint. This certificate must be installed on the system in order to call the TPAM notification service. There is an optional password on a TPAM generated certificate. This password will be required to install the certificate on the target system. The password is NOT stored and cannot be retrieved if forgotten.
How to call the notification service
For systems that are going to notify TPAM that they are online and available for checks and changes, a REST service endpoint is available on the TPAM appliance.
A system can make a call to the following address to notify TPAM that it is online and available for check/change: https://tpamAddress:9443/available
The call can be made using a language or scripting environment of the user's choice. It requires a certificate to be included with the HTTP request. The thumbprint of that certificate must be on file in TPAM for a managed system. When the call succeeds and TPAM finds the thumbprint, all accounts on that system which have profiles allowing notification will be scheduled for checks/changes as required. The service returns a JSON dataset with the following information:
• CertificateThumbprint - the 40-byte hexadecimal value of the certificate attached to the request. This does not indicate whether the request was accepted or not; it is just an echo of what the certificate is, primarily for debugging purposes. This value may or may not stay.
• ErrorID - number. 0 = good, non-zero = an error occurred. Note that "success" does not necessarily mean anything was flagged for processing.
• ResultMessage - text. Either "Success" or an error message. Right now it returns an error message informing you of an unrecognized thumbprint.
• If no certificate is attached the call results in a 403 error (403 - Forbidden: Access is denied).
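The following Python client is an added example, not code from the TPAM product: it presents a client certificate to the endpoint above, computes the SHA1 thumbprint that must be on file in TPAM, and interprets the JSON reply with the semantics just listed. The host name, file paths and the use of GET are assumptions, since the page does not state the HTTP method.

```python
"""Added example, not TPAM code: a client for the availability notification
endpoint described above (https://tpamAddress:9443/available) together with
helpers that compute the SHA1 thumbprint TPAM keeps on file and interpret the
JSON reply. Host name, file paths and the GET method are assumptions."""
import base64
import hashlib
import http.client
import json
import ssl
from typing import Tuple

TPAM_HOST = "tpam.example.internal"   # placeholder for tpamAddress
TPAM_PORT = 9443


def sha1_hex(data: bytes) -> str:
    """Upper-case hex SHA1, the form in which thumbprints are usually shown."""
    return hashlib.sha1(data).hexdigest().upper()


def thumbprint_from_pem(pem: str) -> str:
    """The certificate thumbprint is the SHA1 of the DER encoding, which is the
    base64 body of the first CERTIFICATE block in a PEM file."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.index(begin) + len(begin)
    stop = pem.index(end, start)
    der = base64.b64decode("".join(pem[start:stop].split()))
    return sha1_hex(der)


def build_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope; used only to construct sample input."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def interpret_response(status: int, body: str, expected_thumbprint: str) -> Tuple[bool, str]:
    """Apply the documented semantics of the reply:
    - 403 means no client certificate was attached to the request;
    - ErrorID 0 means TPAM accepted the call;
    - otherwise ResultMessage carries the reason, e.g. an unrecognized thumbprint.
    As a sanity check, the echoed CertificateThumbprint must match the
    certificate the caller meant to present."""
    if status == 403:
        return False, "403 Forbidden: no certificate attached to the request"
    if not 200 <= status < 300:
        return False, f"unexpected HTTP status {status}"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "response body was not JSON"
    echoed = str(data.get("CertificateThumbprint", "")).upper()
    if echoed != expected_thumbprint.upper():
        return False, f"thumbprint mismatch: TPAM echoed {echoed or '<none>'}"
    try:
        error_id = int(data.get("ErrorID"))
    except (TypeError, ValueError):
        return False, "ErrorID missing or not numeric"
    if error_id != 0:
        return False, str(data.get("ResultMessage", f"ErrorID {error_id}"))
    return True, str(data.get("ResultMessage", "Success"))


def notify_available(cert_file: str, key_file: str, ca_file: str) -> Tuple[bool, str]:
    """Make the real call (not exercised offline). cert_file/key_file hold the
    client certificate whose thumbprint is on file in TPAM; ca_file is the CA
    that issued the appliance's server certificate, so the peer is verified."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    with open(cert_file) as fh:
        expected = thumbprint_from_pem(fh.read())
    conn = http.client.HTTPSConnection(TPAM_HOST, TPAM_PORT, context=ctx, timeout=20)
    try:
        conn.request("GET", "/available")   # assumption: GET
        resp = conn.getresponse()
        return interpret_response(resp.status, resp.read().decode("utf-8", "replace"), expected)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration with a constructed (non-certificate) DER payload
    sample_der = b"constructed sample bytes, not a real certificate"
    tp = thumbprint_from_pem(build_pem(sample_der))
    print(interpret_response(200, json.dumps(
        {"CertificateThumbprint": tp, "ErrorID": 0, "ResultMessage": "Success"}), tp))
```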
Ticket system tab
The ticket system tab is used to configure third party ticket system requirements when submitting password
release, file release or session requests for this system. The ticket system tab is only enabled if the TPAM
System Administrator has configured ticket system/s in the admin interface. The settings on this tab become
the default settings for any accounts or files added to this system.
The following table explains the options on this tab.
Table 22. Systems Management: Details Ticket system tab options (columns: Field; Description; Required?; Default)
Ticket Required for (Required: No; Default: Off)
  By selecting the check boxes you can require that ticket validation is enforced for Password/Files requests and/or Session requests. You also have the option to require ISAs to supply a ticket number prior to retrieving a password or file, as well as requests made through the CLI or API. If a check box is not selected, users can still enter a ticket number on a request, but it is not required.
Require Ticket Number from (Required: No; Default: Off)
  If multiple ticket systems are enabled they are listed for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled.
Send Email to (Required: No; Default: No)
  If any of the ISA, CLI or API required check boxes are left clear, you have the option of entering one or more email addresses (up to 255 characters) that will receive an email when an ISA, CLI or API user releases or retrieves a password or file without supplying a ticket.
Push ticket defaults out to all accounts and files (Required: No; Default: Off)
  If selected, when the Save Changes button is clicked, it will push these settings to all accounts and files under the system. New accounts and files will inherit these settings.
  NOTE: The propagation is a one time update each time this check box is selected and the Save Changes button is clicked. After that there is no forcing of the settings to remain in sync. The settings on the accounts and files can be overridden.
LDAP schema tab
This tab is only enabled for LDAP, LDAPS and Novell® NDS® systems. It is used to customize the schema. The
fields in this tab specify the value of core attributes as well as the name(s) of optional attributes. For example
‘objectClass’ is a core attribute with defined values that distinguish the specific directory object as group, user
or computer. Similarly with attribute naming, a group object’s member attribute may be called ‘member’
‘uniquemember’ or ‘memberUid’, first name attribute may be called ‘givenName’, etc.
Template tab
The template tab is used to save all the settings for a system as a template. Templates may be used to quickly
create new systems with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. Only TPAM Administrators and ISAs may use templates.
The table below explains all of the box options available on the Template tab.
Table 23. Systems Management: Template tab options (columns: Field; Description; Required?; Default)
Create a Template from this System (Required: No; Default: Off)
  Selecting this flag saves this system as a System Template.
  NOTE: After a template has been created you cannot clear this flag.
Use this as the Default Template (Required: No; Default: Off)
  If selected, this template is used when adding new systems unless another template is chosen with the Use Template button. Only one template can be designated as the “Default” at a time. If a template is designated as the “Default” it is listed in green italics on the Manage Systems listing.
Retain Collection Membership in the template (Required: No; Default: Off)
  If selected, TPAM creates the template with all the collection memberships currently defined on this system. Systems created from this template will have the same collection memberships.
  NOTE: If this system is a member of an AD Integration Collection, that membership is not transferred to the template and subsequent systems.
Retain User/Group Permissions in the template (Required: No; Default: Off)
  If selected, TPAM creates the template with all the User and Group permissions (Access Policy assignments) currently defined on the system. Systems created from this template will have the same permissions.
Retain Existing Accounts in the template (Required: No; Default: Off)
  When creating a template based on an existing system, this option allows you to retain up to 10 accounts from the existing system (including the functional account). If this option is selected, use the table located below this option to select the accounts to be included in the template. The functional account cannot be cleared.
  NOTE: Accounts included in the template do not retain any passwords, password history, or dependent system information.
Account discovery tab
Account discovery profiles allow TPAM to periodically check for accounts on a managed system and add or
remove them from TPAM. Account discovery profiles can only be assigned to Windows®, *nix and database
systems. If account discovery is going to be used for a system, the account discovery profile to be used is
assigned on this tab. The time displayed on the Log tab is the user’s time zone.
The table below describes the options available on the Account Discovery tab.
Table 24. Systems Management: Account Discovery tab options (columns: Field; Description; Required?; Default)
Discovery Profile (Required: No)
  Select the profile to be used for account discovery. Only available for Windows®, *nix, and database platforms.
Exclude List (Required: No)
  Any accounts that you want to be excluded from the account discovery process can be listed here. Up to 1000 characters, case insensitive.
Timeout (seconds) (Required: No; Default: 300)
  The number of seconds the auto discovery process will run before it will time out. If the discovery process times out it will continue to discover the remaining accounts during the next scheduled run. If the box is left null the default value of 300 seconds is used.
Test Discovery Profile (Required: n/a)
  Once the profile has been saved, click the Test Discovery Profile button to see what accounts and actions are found. No changes are made, it is only a test.
Run Discovery Profile (Required: n/a)
  Click this button to run account discovery for this system on demand, rather than waiting for the scheduled run. The number of accounts that can be discovered by clicking this button is limited to 5,000. More than 5,000 can be discovered during the automated runs.
Affinity tab
The Affinity tab is used to assign the system to a distributed processing appliance (DPA) if DPAs are configured to work with the TPAM appliance. Assigning the system to a DPA can help optimize performance for session recording, session playback and password checking and changing. The affinity tab is not enabled until the system has been saved.
The table below describes the options available on the Affinity tab.
Table 25. Systems Management: Affinity tab options (columns: Field; Description; Required?; Default)
Allow PSM Sessions to be run on any defined DPA (Required: No; Default: Yes)
  If selected, TPAM will select the DPA that has the least number of sessions running on it to conduct the session.
Selected DPA affinity and priority (Required: No; Default: No)
  Select this option to prioritize which DPA is used for sessions conducted on this system. The default DPA is LocalServer, which is the local TPAM appliance. Use the Priority column in the table below this option to enter a priority number next to each DPA. Leave the box blank (NULL) for any DPAs you do not want to use for session recordings. When determining which DPA to use, the appliance looks at them in order from lowest to highest and uses the first one that has an open slot.
Use local PPM appliance for password checks and changes (Required: No; Default: Yes)
  If selected, then all password checks and changes will be run on the TPAM appliance.
Selected DPA Affinity (Required: No; Default: No)
  Select this option to prioritize which DPA is used for password checking and changing on this system. Use the Priority column in the table below this option to enter a priority number next to each DPA. Leave the box blank (NULL) for any DPAs you do not want to use for password management. When determining which DPA to use, the appliance looks at them in order from lowest to highest and uses the first one that has an open slot. A value of 0 (zero) is simply “more important” than any other value.
  NOTE: We do not support using named instances for SQL Server® when using a DPA for password checks and changes. The workaround is to specify the port.
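As an added example (not TPAM code), the two selection rules described in the table above can be written out as follows: least-loaded selection for the "any defined DPA" option, and the NULL-excluded, lowest-number-first walk for the priority options. DPA names, running counts and the per-DPA slot capacity are constructed sample values; a numeric capacity per DPA is an assumption.

```python
"""Added example, not TPAM code: models the DPA selection rules described on
the Affinity tab. The same priority rule serves both PSM sessions and password
checks/changes. DPA names and slot counts below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_SERVER = "LocalServer"   # the local TPAM appliance, always present


@dataclass
class DPA:
    name: str
    running: int      # sessions or password jobs currently running on it
    capacity: int     # slots available (assumption; not a field on the page)

    @property
    def has_open_slot(self) -> bool:
        return self.running < self.capacity


def pick_least_loaded(dpas: List[DPA]) -> Optional[DPA]:
    """'Allow PSM Sessions to be run on any defined DPA': the DPA with the
    least number of sessions running on it, provided it still has a slot."""
    candidates = [d for d in dpas if d.has_open_slot]
    return min(candidates, key=lambda d: d.running) if candidates else None


def pick_by_priority(dpas: List[DPA], priorities: Dict[str, Optional[int]]) -> Optional[DPA]:
    """'Selected DPA affinity and priority': a blank (NULL/None or missing)
    priority excludes a DPA; the rest are walked from the lowest number to the
    highest (0 is the most important) and the first with an open slot wins."""
    ranked = sorted(
        (d for d in dpas if priorities.get(d.name) is not None),
        key=lambda d: priorities[d.name],
    )
    for d in ranked:
        if d.has_open_slot:
            return d
    return None   # every prioritized DPA is full


def choose_session_dpa(dpas: List[DPA], any_dpa: bool,
                       priorities: Optional[Dict[str, Optional[int]]] = None) -> Optional[DPA]:
    """Dispatch on the system's Affinity tab setting for PSM sessions."""
    if any_dpa:
        return pick_least_loaded(dpas)
    return pick_by_priority(dpas, priorities or {LOCAL_SERVER: 0})
```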
Collections tab
A collection is a group of systems, accounts and/or files. The collections tab is used to assign the system to a collection/s. Systems can belong to more than one collection. The collections list shows all collections that have been defined to the TPAM appliance if the user modifying the system is an administrator. If the user modifying the system is an ISA, only the collections that the user holds the ISA role for are displayed. By assigning the system to collections, the system automatically inherits user and group permissions that have been assigned at the collection level.
NOTE: A system cannot belong to a collection that already contains any of its accounts or files.
Conversely, an account or file cannot be added to a collection that already contains that entity’s parent
system.
NOTE: If a collection is tied to either AD or Generic Integration the system’s membership status in that
collection cannot be changed.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
The table below explains the fields on the Results tab.
Table 26. Systems Management: Collections Results tab options
Field | Description | Required? | Default
Type | On this tab, Type will always say Collection. | |
Name | The name of the collection. Clicking on the name will take you to the collection management listing tab. | |
Membership Status | To modify collection membership, simply click the Not Assigned or Assigned buttons next to each collection name and click the Save Changes button. You can set all members to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button. | No | Not Assigned
Permissions tab
The permissions tab is used to assign users and/or groups an access policy for this system.
To assign Access Policies:
1. Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the selected access policy is to be assigned.
2. Select an access policy from the Access Policy list in the access policy details pane, located in the right upper side of the results tab. When you select an access policy on the list the detailed permissions describing this access policy are displayed on the rows below.
3. Select one of the icons in the access policy details pane (right upper side of page) to make the assignment.
Table 27. Access policy details pane icons
Icon | Action
(icon) | Refreshes list of available Access Policies.
(icon) | Scrolls the currently selected User or Group into view.
(icon) | Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
(icon) | Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
(icon) | Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are affected.
(icon) | Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
(icon) | Removes unsaved edits on all currently selected rows.
An edit indicator icon next to any row on the list simply means that row has been edited since the last Save Changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple dashed lines. The next row that you “Shift+Click” on will cause all the rows in between the original row and current row to be highlighted.
4. When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the system are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over a system to be allowed to assign an access policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a system
When adding a system in TPAM, information is entered on the following tabs to configure the system:
• Details
• Template
• Connection
• Management
• Affinity
• Ticket System
• Collections
• Permissions
• Account Discovery
• LDAP Schema
The following procedure describes the required steps to add a system.
To add a system:
1. Select Systems, Accounts, & Collections | Systems | Add System from the menu.
2. Enter information on the details information tab. For more information on this tab see Information tab.
3. Click the Custom Information tab to add custom information about this system. (Optional) For more details see Custom information tab.
4. Click the Connection tab to configure the functional account that TPAM will use to connect to the system. For more details see Connection tab.
5. Click the Management tab and select preferences for managing account passwords. For more details see Management tab.
6. Click the Ticket System tab and set external ticket system requirements for submitting password release requests. For more details see How to call the notification service. (Optional)
7. Click the LDAP Schema tab to tweak LDAP mapping attributes. For more details see LDAP schema tab. (Optional)
8. To save this system as a template, click the Template tab and enter the requested information. For more details see Template tab. (Optional)
9. Click the Account Discovery tab to assign an account discovery profile. (Optional) For more details see Account discovery tab.
10. Click the Affinity tab and make DPA assignments. For more details see How to call the notification service. (Optional)
11. Click the Collections tab and assign/remove membership. For more details see Collections tab. (Optional)
12. Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
13. Click the Save Changes button.
Add a system template
To add a system template:
1. Select Systems, Accounts, & Collections | Systems | Add System Template from the menu.
2. Enter the template name and a placeholder network address.
3. Change any other settings on the various tabs.
4. Click the Save Changes button.
Add a system using a template
To add a system using a template:
1. Select Systems, Accounts, & Collections | Systems | Add System from the menu.
2. Click the Use Template button.
3. Select a template on the listing tab.
4. Click the Details tab.
5. Enter the system name.
6. Change the system IP address.
7. Make any other changes as desired.
8. Click the Save Changes button.
Test a system
Once a system has been saved, to test TPAM’s connectivity to the system, click the Test System button. The
results of the test will be displayed on the Results tab.
Clear a stored system host entry
The Clear Sys. Host Entry button removes the host entry from TPAM’s known hosts file. This is necessary, for example, when the SSH package on a managed system has been reinstalled, or the OS itself has been reinstalled. A test of the system would then report that the host key entry does not match and that the mismatch is preventing password authentication because of a perceived “man in the middle” attack. The same operation can be performed through the CLI by running the ClearKnownHosts command.
To clear the System Host entry:
1. Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the system whose host entry is to be removed from TPAM’s known hosts file.
5. Click the Clear Sys. Host Entry button.
Duplicate a system
To ease the burden of administration and help maintain consistency, systems can be duplicated. This allows the
administrator to create new systems that are very similar to those that exist, while only having to modify a few
details. The new system inherits collection membership, permissions, affinity and ticket system settings from
the existing system.
To duplicate a system:
1. Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the system to be duplicated.
5. Click the Duplicate button. A new system object is created and the System Details page displays. The name of the new system is automatically DupofXXXXX.
6. Make any changes to the system configuration on the various tabs.
7. Click the Save Changes button.
Disassociate a system from a template
To disassociate a system from the template it was created from:
1. Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the system to disassociate.
5. Click the Details tab.
6. Click the Disassociate button.
7. Click the OK button on the confirmation window.
8. Click the Save Changes button.
Delete a system
When you delete a system from the Manage Systems listing it is “soft” deleted. This means that the system
information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in
Trash global setting in the admin interface.
NOTE: You cannot delete a system that has an active PSM session or any accounts with pending session or
password reviews.
To “soft” delete a system:
1. Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the system to be deleted.
5. Click the Delete button.
6. Click the OK button on the confirmation window.
To view “soft” deleted systems go to Systems, Accounts, & Collections | Systems | Deleted Systems on the
main menu.
TPAM allows you to undo a soft deletion prior to the Days in Trash global setting taking effect.
NOTE: A soft deleted system using an inactive custom platform cannot be un-deleted until the custom
platform is made active again.
To undo a “soft” delete:
1. Select Systems, Accounts, & Collections | Systems | Deleted Systems from the main menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the system to be restored.
5. Click the Undo Delete button.
To undo a soft delete for all the systems in the listing:
1. Click the Undo Delete All button.
2. Click the Yes, continue with undo delete button.
Hard deleting a system removes all records of the system from the TPAM interface. Hard deletion is only allowed
if the Allow Manual Hard Deletes global setting has been enabled by the System Administrator.
To “hard” delete a System:
1. Select Systems, Accounts, & Collections | Systems | Deleted Systems from the main menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the system to be deleted.
5. Click the Hard-Delete button.
6. Click the OK button on the confirmation window.
To hard delete all the systems in the listing:
1. Click the Hard-Delete All button.
2. Click the Yes, continue with hard-delete button.
Delete a system template
To delete a system template:
1. Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the system template to be deleted.
5. Click the Delete button.
6. Click the OK button on the confirmation window.
NOTE: A template that is currently being used by AD or Generic Integration cannot be deleted.
List systems
The List Systems option allows you to export the system data from TPAM to Microsoft Excel or CSV format. This
is a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
To list the systems:
1. Select Systems, Accounts, & Collections | Systems | List Systems from the main menu.
2. Enter your search criteria on the Filter tab.
3. Click the Layout tab to select the columns and sort order for the listing.
4. To view and store the data outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button.
5. To view the data in the TPAM interface, click the Listing tab.
6. To view collection membership for a system, select the system and click the Collections tab.
7. To view the permissions assigned for the system, select the system and click the Permissions tab.
Local appliance systems
When looking at the system listing in TPAM, you will see two systems that are there by default, Local_Appliance_paradmin and Local_Appliance_parmaster. These systems do not count against the total licensed systems in TPAM and are used for managing the paradmin and parmaster accounts if desired.
10 Custom Platforms
• Introduction
• Custom platform Details tab
• Add a conversational custom platform
• Add a jump box custom platform
• Test a custom platform
• Duplicate a custom platform
• Delete a custom platform
• Using custom platforms in TPAM
• Batch processing custom platform systems
• CLI and API commands for custom platform systems
• Jump boxes
Introduction
Custom Platforms allow you to create new platforms for managed systems which cannot be managed by existing platforms. A custom platform allows you to customize the check system, check password, and change password operations used to check and change passwords of managed accounts. PSM sessions are also available for custom platforms. There are two types of custom platforms:
• Jump Box - This platform type uses an intermediary server on your network to do all communication to the target system and returns the results to the TPAM appliance. TPAM will call a script of your choosing on the jump box passing all parameters relevant to the operation being performed. The script must communicate with the target system, perform the indicated action, and return the result. A jump box can be used when platforms require the use of an API or SDK that is not supported natively by TPAM. For details on how to configure the jump box see Jump Boxes.
• Conversational - A conversational platform is created by importing an XML file to create or update a platform file on the appliance. The XML file describes the entire conversation with a managed system when performing the check system, check password, or change password operations. It includes parameters describing how the communication is done, commands issued to test a system and check or change a password, and how to interpret the results of those commands.
Custom platform Details tab
To add and manage custom platforms, information is entered on the Custom Platform Details tab.
Table 28. Custom Platforms: Details tab
Field | Description | Required?
Platform Name | Descriptive name that is used to select the platform when adding a system via the TPAM user interface, CLI, API or batch processes. The platform name must be unique among custom platforms but can be the same name as an existing standard TPAM platform. | Yes
Active | If selected, this custom platform can be selected when adding a system to TPAM. A platform may be made inactive only if it is not being used by any managed systems or used only by a soft-deleted system. NOTE: A conversational platform cannot be marked as Active until at least one successful upload has been processed. | No
Automation Active | If selected, and at least one managed system is using this platform, only the name and description of the platform can be edited. If clear, the platform can be edited, but the automated check and change password engines will skip any accounts on systems using this platform. Manual check and change of the account passwords may still be done from the Account Management page or via the CLI/API. | No
Description | The description box may be used to provide additional information about the custom platform. This information is only visible to Administrators when editing the custom platform. | No
Platform Type | Platform type choices are: Conversational; Jump Box. The platform type cannot be changed once the platform is being used by a system. | Yes
Jump Box | Select the name of the jump box the custom platform will use. Applies to jump box custom platforms only. | Yes for jump box
Script Name | The name of the script or executable which will be invoked on the jump box to perform the check system, check password or change password operation. A path may be included with the script name. | Yes for jump box
Port | The port number which will be used to communicate with the managed system. NOTE: For jump box platforms this is NOT the port used to communicate with the jump box. | Yes
Functional Account Access via | Functional account choices are: DSS Key (if selected and the platform type is jump box, the system must use a system specific key); Password. | Yes
Platform Specific Label | If defined, this will add a box to the Managed System Details Information tab which allows input of system-specific information which will be included with each command. This text will be the label of the exposed box. | No
Enable Account | If selected, an Enable Account box will be available for input on the Connection tab of a managed system using this platform. | No
NetBIOS Domain Name | If selected, a NetBIOS Domain Name box will be available for input on the Connection tab of a managed system using this platform. | No
Domain Name | If selected, a Domain Name box will be available for input on the Connection tab of a managed system using this platform. | No
PSM Sessions | If selected, PSM sessions can be configured for accounts on this type of platform. | No
Table 28 (continued). Custom Platforms: Details tab
Field | Description | Required?
Port Test | Applies to jump box custom platforms only. If selected and the assigned password change profile also has test port selected, a call will be made to the jump box script for test port. The script must return “host unreachable”, “check failure”, or “check success”. If the assigned password change profile has the test port selected and the jump box does not, the test port call will fail. | No
Allowable Proxy Types | Proxy types selected here will display on the PSM Details tab for accounts set up on this platform type. | Yes, if PSM sessions selected.
Allowable File Transfer Types | File transfer types selected here will display on the File transfer tab for accounts set up on this platform type. | Yes, if PSM sessions selected.
Add a conversational custom platform
To add a conversational custom platform:
1. Select Management | Custom Platforms from the main menu.
2. Click the Add Platform button.
3. Enter information on the Details tab. Select Conversational as the platform type.
4. Click the Save Changes button.
5. Click the Select File button to upload an XML file describing the platform conversations.
IMPORTANT: For help building the XML file please contact Dell Software Professional Services.
6. Click the Compile Platform from Upload button. If successful, a Y will appear in the Success? column when complete and the custom platform can be marked active. See example below:
If an N appears in the Success? column, click on the hyperlink to view the compilation output on the Results tab.
NOTE: The platform file on the appliance will reflect the most recent successful compilation, indicated by Current in the Success? column.
Add a jump box custom platform
To add a jump box custom platform at least one jump box must be configured in TPAM. For instructions on how
to add a jump box see Jump Boxes.
NOTE: For help building the script please contact Dell Software Professional Services.
To add a jump box custom platform:
1. Select Management | Custom Platforms from the main menu.
2. Click the Add Platform button.
3. Enter information on the Details tab. Select Jump Box as the platform type.
4. Click the Save Changes button.
Test a custom platform
When implementing a custom platform for the first time, it is recommended that you leave the Automation Active check box on the custom platform clear until you have confirmed that the platform file or jump box is handling the check system, check password, and change password operations correctly. With the check box clear you can go back and change the custom platform details without worrying that automation will attempt to process any accounts using this platform. Once all tests confirm that the custom platform works as expected, you may select the Automation Active check box and save the custom platform.
Duplicate a custom platform
To ease the burden of administration custom platforms can be duplicated. This allows the administrator to
create new custom platforms that are very similar to those that exist, while only having to modify a few details.
To duplicate a custom platform:
1. Select Management | Custom Platforms from the main menu.
2. Click the Listing tab.
3. Select the custom platform to duplicate.
4. Click the Duplicate button. A new custom platform is created and the Custom Platform Details page displays. The new custom platform is automatically named Copy_of_XXXXXXX.
5. Make any changes to the custom platform configuration.
6. Click the Save Changes button.
7. For a conversational custom platform type, click the Select File button to upload an XML file describing the platform conversations.
IMPORTANT: For help building the XML file please contact Dell Software Professional Services.
8. For a conversational custom platform type, click the Compile Platform from Upload button. If successful, a Y will appear in the Success? column when complete and the custom platform can be marked active. See example below:
If an N appears in the Success? column, click on the hyperlink to view the compilation output on the Results tab.
Delete a custom platform
NOTE: A custom platform can only be deleted if it is not in use by any system or “soft-deleted” system.
To delete a custom platform:
1. Select Management | Custom Platforms from the main menu.
2. Click the Listing tab.
3. Select the custom platform to be deleted.
4. Click the Delete button.
5. Click the OK button on the confirmation window.
Using custom platforms in TPAM
If an active custom platform exists, the custom platform will appear in the Platform list on the System Details
Information tab and Filter tabs throughout TPAM:
When using a Filter tab in TPAM you have the option to select Custom Platform (Any) to pull all custom
platforms meeting the filter criteria or you can select a specific custom platform name.
Batch processing custom platform systems
To batch import or batch update a custom platform system, the platform name is indicated by “Custom” or
“Custom Platform” followed by a forward slash (/) and the custom platform name. For example
custom/testjumpboxplatform.
CLI and API commands for custom platform systems
For CLI and API commands, when passing the PlatformName parameter the platform name is indicated by “Custom” or “Custom Platform” followed by a forward slash (/) and the custom platform name. The “Custom Platform” form contains a space and must be properly quoted on the CLI command line based on the shell being used. For example, in Windows cmd.exe the format would be as follows:
ssh -i keyFile [email protected] "AddSystem --SystemName newSystem -PlatformName \"Custom Platform/Router Jumpbox\" […other options…]"
When specifying functional account credentials using CLI, API or batch processing you can pass SPECIFIC as a
value to indicate that the account will be using a system specific key. A system specific key is required for jump
box custom platforms. Conversational custom platforms may also use the credential DSS to indicate the use of
any of the system standard keys defined on the appliance.
Jump boxes
One aspect of custom platforms is the use of a jump box. A jump box can be used when platforms require the use of an application programming interface (API) or software development kit (SDK) that is not supported natively by TPAM. Users can call a script on the jump box from TPAM to perform platform management on target systems. The script (or program) is responsible for requesting the information, performing the password management task, and reporting back the status during the connection to TPAM. The data that is available for request is listed in each of the function sections.
Platform management can be divided into three functions: CheckSystem, CheckPassword, and ChangePassword.
Each function is described below.
Check system
The CheckSystem function is designed to determine platform connectivity using the functional account. The
table below describes the tags available for request.
Table 29. Jump Boxes: CheckSystem Tags
Tag | Description
%netaddr% | Target system’s address
%funcacct% | Target system’s functional account
%funcacctpwd% | Target system’s functional account password
%port% | Target system’s port
%timeout% | Time to wait before ending the connection
%key% | The DSS key used for the functional account. NOTE: The key is sent as a string with ; representing carriage returns. The script called should format the key output to file replacing ; with a carriage return/new line character. This will result in a properly formatted private key. See examples below.
%platspecificvalue% | This value is associated with the Platform Specific Label box. When setting up the custom platform in TPAM, the user can define the Platform Specific Label. This label will display on the System Details Information tab.
%funcacctdesc% | Functional account description. Currently this is used for LDAP platforms.
%domainname% | Target system’s domain name
%netbiosname% | Target system’s NetBIOS name
%enablepwd% | Target system’s enable password
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% - Return this to TPAM when the target system passes the check
Check password
The CheckPassword function is designed to determine if an account’s password is correct on the target system.
The table below describes the tags available for request.
Table 30. Jump Boxes: CheckPassword Tags
Tag | Description
%netaddr% | Target system’s address
%funcacct% | Target system’s functional account
%funcacctpwd% | Target system’s functional account password
%funcacctdn% | Target system’s functional account distinguished name
%port% | Target system’s port
%timeout% | Time to wait before ending the connection
%key% | The DSS key used for the functional account. NOTE: The key is sent as a string with ; representing carriage returns. The script called should format the key output to file replacing ; with a carriage return/new line character. This will result in a properly formatted private key. See examples below.
%platspecificvalue% | This value is associated with the Platform Specific Label box. When setting up the custom platform in TPAM, the user can define the Platform Specific Label. This label will display on the System Details Information tab.
%funcacctdesc% | Functional account description. Currently this is used for LDAP platforms.
%acctdesc% | Managed account description
%acctdn% | Managed account distinguished name
%domainname% | Target system’s domain name
%netbiosname% | Target system’s NetBIOS name
%enablepwd% | Target system’s enable password
%acctname% | Account name to check the password on the system.
%acctpwd% | Account’s password to check on the target system.
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% - Return this to TPAM when the target system passes the check
Change password
The ChangePassword function uses the functional account to connect to the target and change the target
account’s password. The table below describes the tags available for request.
Table 31. Jump Boxes: ChangePassword Tags
Tag | Description
%netaddr% | Target system’s address
%funcacct% | Target system’s functional account
%funcacctpwd% | Target system’s functional account password
%port% | Target system’s port
%timeout% | Time to wait before ending the connection
%key% | The DSS key used for the functional account. NOTE: The key is sent as a string with ; representing carriage returns. The script called should format the key output to file replacing ; with a carriage return/new line character. This will result in a properly formatted private key. See examples below.
%platspecificvalue% | This value is associated with the Platform Specific Label box. When setting up the custom platform in TPAM, the user can define the Platform Specific Label. This label will display on the System Details Information tab.
%funcacctdesc% | Functional account description. Currently this is used for LDAP platforms.
%acctdesc% | Managed account description
%domainname% | Target system’s domain name
%netbiosname% | Target system’s NetBIOS name
%enablepassword% | Target system’s enable password
%acctname% | Account name whose password is to be changed on the system.
%oldacctpwd% | Account’s current password on the target system.
%newacctpwd% | Account’s password to be changed to on the target system.
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %change failure% - Return this to TPAM when the target system fails the change
• %change success% - Return this to TPAM when the target system passes the change
Examples of DSS key script
#!/bin/bash
# Request each input from TPAM by printing its tag, then read the value TPAM sends back.
echo -n "%funcacct%"
read facct
echo -n "%funcacctpwd%"
read fcred
echo -n "%netaddr%"
read ipaddress
echo -n "%key%"
read keyin
# Perform the action based on the inputs; if the action is successful, return change success.
echo -n "%change success%"
# Log inputs for debugging only. This writes the functional account password and the
# private key to disk in clear text, so remove these lines before production use.
echo FA:$facct >> testlog
echo FC:$fcred >> testlog
echo IP:$ipaddress >> testlog
echo KEY:$keyin >> testlog
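A fuller ChangePassword script following the same request/response convention, added here as an example that is not part of the guide or Dell's code. It restores the ';'-separated key described in the tag tables above into a private key file, returns one of the listed ChangePassword result tags, and assumes TPAM invokes it as tpam_changepw.sh (a constructed name) with rotate_password standing in for the platform-specific API or SDK call.

```bash
#!/bin/bash
# Added example, not Dell's code: a jump box ChangePassword script that follows
# the request/response convention of the sample above. It assumes TPAM saves and
# invokes it as tpam_changepw.sh (constructed name); rotate_password is a
# hypothetical placeholder for the vendor API/SDK call that actually sets the password.

# Request one input from TPAM: print the tag on stdout, then read the reply
# from stdin into the variable named by $2.
request_tag() {
    printf '%s' "$1"
    IFS= read -r "$2"
}

# TPAM sends the private key as one line with ';' in place of line breaks.
# Restore the line breaks so the key is a properly formatted private key file.
format_dss_key() {
    printf '%s\n' "$1" | tr ';' '\n'
}

# Write the formatted key to a temporary file that only this account can read,
# and print the file name. The caller removes the file when finished.
write_key_file() {
    keyfile=$(mktemp) || return 1
    chmod 600 "$keyfile"
    format_dss_key "$1" > "$keyfile"
    printf '%s' "$keyfile"
}

# Map the exit status of the platform action to the return tag TPAM expects
# from a ChangePassword call. The status codes are this example's own convention.
change_result_tag() {
    case "$1" in
        0) printf '%s' '%change success%' ;;
        2) printf '%s' '%host unreachable%' ;;
        3) printf '%s' '%account does not exist%' ;;
        *) printf '%s' '%change failure%' ;;
    esac
}

# Hypothetical placeholder for the platform-specific password change. A real
# script would call the vendor API/SDK here using the key file and credentials.
# Arguments: address port functional_account functional_password key_file account new_password
rotate_password() {
    return 1
}

main() {
    request_tag '%netaddr%'     ipaddress
    request_tag '%port%'        port
    request_tag '%funcacct%'    facct
    request_tag '%funcacctpwd%' fcred
    request_tag '%key%'         keyin
    request_tag '%acctname%'    acct
    request_tag '%newacctpwd%'  newpwd

    keyfile=$(write_key_file "$keyin") || { printf '%s' '%change failure%'; return 1; }
    trap 'rm -f "$keyfile"' EXIT

    rotate_password "$ipaddress" "$port" "$facct" "$fcred" "$keyfile" "$acct" "$newpwd"
    status=$?
    change_result_tag "$status"

    # Log only non-secret values; never write passwords or the private key to disk.
    printf 'ADDR:%s ACCT:%s STATUS:%s\n' "$ipaddress" "$acct" "$status" >> jumpbox.log
}

# Run main only when invoked under the script name TPAM is configured to call.
case "${0##*/}" in
    tpam_changepw.sh) main ;;
esac
```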
Jump box Details tab
To add and manage jump boxes, information is entered on the Jump Box Management Details tab.
Table 32. Jump Boxes: Details tab
Field | Description | Required?
Jump Box Name | Descriptive name that is used to select the jump box when adding a custom jump box platform. | Yes
Network Address | The IP address (example: 192.168.0.15) or DNS name (example: server1.domain.bigco.com) of the system. It is imperative that this information is entered correctly, as the backend automation procedures use this address to connect to the jump box. | Yes
Timeout | The timeout value determines the amount of time in seconds that a connection attempt to the jump box remains active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the jump box, this value can be increased (for example, connections to Windows systems are often slower than SSH connections and may require a significantly higher timeout value). | Yes
Port | Alternate port to be used instead of the default SSH port of 22. | No
DSS Key Details | When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used. Avail. System Std. Keys: uses the single standard SSH keys (either Open SSH or the commercial key) stored centrally on TPAM. You have the ability to have up to three active keys simultaneously. These keys are configured in the admin interface. Use the list to select the key you want to retrieve. NOTE: When using the Avail. System Std. Keys you cannot specify the key that is used. One or all available keys may be downloaded to the remote system, but TPAM attempts to use all currently active keys when communicating with the remote system. Use System Specific Key: allows the generation and download of a specific SSH key to be used with this jump box only. The key must first be generated using the Get/Regen Key button, and then downloaded in either Open SSH or Sec SSH (commercial) format. | No
Account Name | Account name on the jump box used to manage target systems. This is the account that TPAM will use to authenticate to the jump box and then execute the named script for managing passwords. | Yes
Description | The description box may be used to provide additional information about the jump box. | No
Add a jump box
Before a jump box custom platform can be added to TPAM, the jump box must first be added to TPAM.
To add a jump box:
1. Select Management | Jump Box from the main menu.
2. Click the Add Jump Box button.
3. Enter information on the Details tab.
4. Click the Save Changes button.
Delete a jump box
A jump box can only be deleted if there are no custom platforms dependent on the jump box. To see a list of
dependent platforms click the Dependent Platforms tab.
To delete a jump box:
1. Select Management | Jump Box from the main menu.
2. Select the jump box to be deleted.
3. Click the Delete button.
4. Click the OK button on the confirmation window.
11 Collections
• Introduction
• Add a collection
• Duplicate a collection
• Delete a collection
• List collections
Introduction
Collections are groups of systems, accounts and/or files. Collections can be used to simplify the process of
assigning permissions.
To add and manage collections, information is entered on the following tabs in the TPAM interface:
Table 33. Collection Management: TPAM interface tabs
Details: Define collection name.
Members: Assign members to the collection.
Permissions: Assign users and groups permissions for the collection.
Affinity: Assign a DPA to be used for sessions on collection members.
Details tab
Table 34. Collection Management: Details tab options
Collection Name (Required: Yes)
Unique name for the collection.
Description (Required: No)
Used to provide additional information about the collection.
Members tab
The table below explains the fields on the Members tab.
Table 35. Collection Management: Members tab options
Type
Indicates whether the member is a system, account or file.
Name
Name of the system, account or file.
Membership Status (Required: Yes)
To modify collection membership, simply click the Not Assigned or Assigned buttons next to each system, account or file. You can set all members to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button.
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this collection.
To assign Access Policies:
1. Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the selected access policy is to be assigned.
2. Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right upper side of the Results tab. When you select an Access Policy on the list, the detailed permissions describing this Access Policy are displayed on the rows below.
3. Select one of the icons in the Access Policy Details pane (right upper side of page) to make the assignment.
Table 36. Access Policy Details pane icons (one row per icon; the icon images are not reproduced here)
• Refreshes list of available Access Policies.
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
The edited-row icon next to any row on the list simply means that row has been edited since the last save changes occurred.
You can Shift+Click to select a range of rows. The first row you click will be surrounded by purple dashed lines. The next row that you Shift+Click on will cause all the rows in between the original row and current row to be highlighted.
4. When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the account are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Affinity tab
The Affinity tab is used to assign the collection to a distributed processing appliance (DPA) if DPAs are configured to work with the TPAM appliance. Assigning the collection to a DPA can help optimize performance for session recording and session playback. The Affinity tab is not enabled until the Collection has been saved.
The table below describes the options available on the Affinity tab.
Table 37. Collection Management: Affinity tab options
Allow PSM Sessions to be run on any defined DPA (Required: No; Default: Yes)
If selected, TPAM will select the DPA that has the least number of sessions running on it to conduct the session.
Selected DPA affinity and priority (Required: No; Default: No)
Select this option to prioritize which DPA is used for sessions conducted on this collection. The default DPA is LocalServer, which is the local TPAM appliance.
NOTE: If a system has a different affinity priority assignment, the priority at the system level takes precedence over the collection affinity setting.
Use the Priority column in the table below this option to enter a priority number next to each DPA. Leave the box blank (NULL) for any DPAs you do not want to use for session recordings. When determining which DPA to use, the appliance looks at them in order from lowest to highest and uses the first one that has an open slot. A value of 0 (zero) is simply “more important” than any other value.
More than one DPA can have the same number ranking. DPAs with the same number will automatically be load balanced.
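The DPA selection rules described for the Affinity tab (lowest priority number first, 0 most important, a blank box excludes the DPA, equal numbers load balanced, first DPA with an open slot wins, and a system-level affinity overriding the collection's) are modelled in the following added Python example. It is not TPAM code and describes no TPAM API: the Dpa class, the function names, the constructed DPA inventory and the per-DPA capacity that defines an "open slot" are all assumptions made for the illustration.

```python
# Added example: a model of the Affinity tab's DPA selection rules (Table 37).
# This is not TPAM code; the data shapes, function names and the per-DPA
# "capacity" used to define an open slot are assumptions of the example.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Dpa:
    name: str
    running: int   # sessions currently running on this DPA
    capacity: int  # assumed maximum concurrent sessions (hypothetical; defines "open slot")

    def has_open_slot(self) -> bool:
        return self.running < self.capacity


# Constructed sample inventory. "LocalServer" is the local TPAM appliance (the
# guide's default DPA); the other names are made up for the example.
DPAS: List[Dpa] = [
    Dpa("LocalServer", running=3, capacity=5),
    Dpa("dpa-east", running=2, capacity=5),
    Dpa("dpa-west", running=1, capacity=5),
    Dpa("dpa-lab", running=0, capacity=5),
]

# Constructed Priority column: 0 is the most important number; None models a
# blank (NULL) box, which excludes that DPA from session recording.
PRIORITIES: Dict[str, Optional[int]] = {
    "LocalServer": 2,
    "dpa-east": 0,
    "dpa-west": 0,
    "dpa-lab": None,
}


def choose_any_dpa(dpas: List[Dpa]) -> Optional[str]:
    """'Allow PSM Sessions to be run on any defined DPA': the DPA with the
    fewest running sessions conducts the session."""
    open_dpas = [d for d in dpas if d.has_open_slot()]
    if not open_dpas:
        return None
    return min(open_dpas, key=lambda d: d.running).name


def choose_by_priority(dpas: List[Dpa],
                       priorities: Dict[str, Optional[int]]) -> Optional[str]:
    """'Selected DPA affinity and priority': walk the priority numbers from
    lowest to highest and use the first DPA with an open slot. DPAs sharing a
    number are load balanced, modelled here as least-running within the tier."""
    usable = [d for d in dpas if priorities.get(d.name) is not None]
    for tier in sorted({priorities[d.name] for d in usable}):
        candidates = [d for d in usable
                      if priorities[d.name] == tier and d.has_open_slot()]
        if candidates:
            return min(candidates, key=lambda d: d.running).name
    return None  # every prioritised DPA is full, or none was prioritised


def choose_dpa_for_session(dpas: List[Dpa],
                           collection_priorities: Optional[Dict[str, Optional[int]]],
                           system_priorities: Optional[Dict[str, Optional[int]]] = None
                           ) -> Optional[str]:
    """Resolve the DPA for one session. A priority table of None means the
    'any defined DPA' option. system_priorities is None when the system has
    no affinity assignment of its own; when present it takes precedence over
    the collection's setting (Table 37 note)."""
    effective = system_priorities if system_priorities is not None else collection_priorities
    if effective is None:
        return choose_any_dpa(dpas)
    return choose_by_priority(dpas, effective)


if __name__ == "__main__":
    print("any defined DPA      ->", choose_any_dpa(DPAS))
    print("collection affinity  ->", choose_dpa_for_session(DPAS, PRIORITIES))
    print("system affinity wins ->", choose_dpa_for_session(DPAS, PRIORITIES, {"LocalServer": 0}))
```

With the constructed inventory, the "any DPA" option picks dpa-lab (no sessions), while the affinity table excludes dpa-lab and picks dpa-west from the two priority-0 DPAs because it has fewer sessions than dpa-east; LocalServer at priority 2 is reached only when both priority-0 DPAs are full.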
Add a collection
When adding a collection in TPAM, information is entered on the following tabs to configure the collection:
• Details
• Members
• Permissions
• Affinity
The following procedure describes the required steps to add a collection.
To add a new collection:
1. Select Systems, Accounts, & Collections | Collections | Add Collection from the menu.
2. Enter information on the Details tab. For more information on this tab see Details tab.
3. Click the Members tab.
4. Enter your search criteria on the Filter tab.
5. Click the Results tab to assign/remove members from the collection. For more details see Members tab.
NOTE: A system cannot be in the same collection as any of its accounts or files and vice versa.
NOTE: A collection used by either AD or Generic Integration cannot have its membership changed here. The current member status is displayed, but all buttons in the list are disabled.
TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button.
6. Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
7. Click the Save Changes button.
8. (Optional) Click the Affinity tab and make DPA assignments. For more details see Affinity tab.
9. Click the Save Changes button.
Duplicate a collection
To ease the burden of administration and help maintain consistency, collections can be duplicated. This allows the administrator to create new collections that are very similar to those that exist, while only having to modify a few details. The new collection inherits membership, permissions and affinity settings from the existing collection.
To duplicate a collection:
1. Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the collection to be duplicated.
5. Click the Duplicate button. A new collection is created and the Collection Details page displays. The name of the new collection is automatically DupofXXXXX.
6. Make any changes to the collection on the various tabs.
7. Click the Save Changes button.
Delete a collection
To delete a collection:
1. Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the collection to be deleted.
5. Click the Delete button.
6. Click the OK button on the confirmation window.
List collections
The List Collections option allows you to export the collection data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline work sheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.
TIP: Enter ! in the System, Account and File name filters to find empty collections.
To list the collections:
1. Select Systems, Accounts, & Collections | Collections | List Collections from the main menu.
2. Enter your search criteria on the Filter tab.
3. Click the Layout tab to select the columns and sort order for the listing.
4. To view and store the list of collection names outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button. To view and store the list of collection members outside of the TPAM interface, click the Export Members to Excel button, or the Export Members to CSV button.
5. To view the data in the TPAM interface, click the Listing tab.
6. To view membership of a collection, select the collection and click the Members tab.
7. To view the users and groups with permissions on the collection, select the collection and click the Permissions tab.
12 Accounts
• Introduction
• Add an account
• Duplicate an account
• Delete an account
• Retrieve a password
• List accounts
• List PSM accounts
• Password current status
• Manual password management
• Password management
• Managing services in a Windows® domain environment
• Add generic account to TPAM for PSM sessions to a user specified Windows account
Introduction
This chapter covers the steps to add and manage accounts in TPAM. To add and manage accounts, information is
entered on the following tabs in the TPAM interface:
Table 38. Account Management: TPAM interface tabs
Details/Information: Define main account information, such as name, password rule, contact.
Details/Reviews: Set review requirements for password releases on this account.
Details/Custom Information: Enter data in custom fields, if they have been defined.
Details/Management: Configure the settings for how TPAM will manage the password for the account.
Details/Ticket System: Configure Ticket System Validation for requests on this system.
Dependents: Set systems that are dependent on the domain level account.
Logs: View test, change and release history for the account.
Passwords: View past passwords and retrieve the current password with ISA PPM permissions.
Collections: Assign an account to a collection/s.
Permissions: Assign users and groups permissions on this account.
PSM Details/General: Enable PSM functionality for the account and set approval requirements.
PSM Details/Session Authentication: Set the authentication method for sessions using this account.
PSM Details/File Transfer: Enable/disable file transfer.
PSM Details/Review Requirements: Set review requirements for sessions.
Information tab
The table below explains all of the box options available on the details information tab.
Table 39. Account Management: Details information tab options
Account Name (Required: Yes)
This is the descriptive name of the account. Within TPAM, all the account names on one system must be unique. The name can be 1-30 characters long, but cannot include empty spaces.
Account is Locked (Required: No; Default: Off)
This check box gives Administrators and ISAs the ability to “lock” and “unlock” an account. When an account is locked, passwords for that account cannot be retrieved, released or changed. Password requests or session requests can be submitted, but the password or session is not available until the account is unlocked.
Password (Required: No)
Enter the active current password for the account. If no password is specified (left blank), PPM stores the default initial password value as the password for the account.
Confirm (Required: No)
To confirm the password, reenter it in this box.
Password Rule (Required: Yes; Default: Default Password Rule)
Select the password rule to serve as the default for the account. If the selection is not changed (or if no other rules have been defined in TPAM) the Default Password Rule is selected. The password rule governs the construction requirements for new passwords generated by PPM.
Distinguished Name (Required: Yes)
Only required for LDAP, LDAPS, and Novell® platforms.
Issue ndmcom for this account? (Required: No; Default: Off)
Only visible for the HP NonStop Tandem platform. If selected, the ndmcom command is issued after the password for the account is changed.
Change password for Windows® Services started by this Account? (Required: No; Default: Off)
Only visible for Windows® platforms. If this is the Administrator account, or another functional account that runs system services, this option ensures that the password change is also applied to each service the account runs.
Automatically restart such services? (Required: No; Default: Off)
Only visible for Windows® platforms. If selected, after the password is changed the services will automatically be stopped and restarted.
Change the password for Scheduled Tasks started by this account? (Required: No; Default: Off)
Only visible for Windows® platforms. If selected, after a task has been completed it will change the password.
Use this account’s current password to change the password? (Required: No)
Only visible for Windows® platforms. This may be necessary on Windows® XP and Windows® Server 2003 where Encrypting File System or other third-party security products are used, and rely on authentication certificates stored in that account’s personal store.
Description (Required: No)
This is a free text box where additional descriptive information may be entered.
Password Management (Required: Yes; Default: what is set at the system level, see Note)
By default, the property of the parent system is inherited at the account level as either None or Automatic.
NOTE: If the system is configured with a “non-privileged functional account” then this setting defaults for all accounts added to this system.
• None - The Management tab will be disabled, and TPAM will not automatically check, change or reset the password. Manually pressing the Check Password or Reset Password buttons WILL result in a check or reset for this account.
• Automatic - TPAM manages the password for this account based on the settings configured on the Management tab.
• Manual - TPAM sends an email to the primary contact at the system and account level when it is time to manually reset the password. The email is sent based on the change frequency settings on the Management tab. The contact/s will keep receiving this email at regular intervals, based on how this is configured by the SysAdmin in the Auto Management Agent settings, until the password has been confirmed to be reset in PPM.
NOTE: The manual password email notification relies on the Man Pwd Change Agent. If it is not running, no email notifications to reset the password will be sent.
Ignore System Access Policies (Required: No; Default: Off)
If selected, any access policies assigned to the system will not apply to this account.
Enable account before release (Required: No; Default: Off)
Only visible for Windows® platforms. If selected, TPAM will enable the account when:
- releasing the password for a request
- ISA password release
- starting a PSM session which uses password authentication
If the account cannot be enabled, the password will not be released and the session will not start. If the account cannot be disabled when the password is changed, the change will be marked as successful but an alert will be raised. The alert must be subscribed to in the admin interface. See the help bubble text in the TPAM interface for more details.
If this check box is selected, this account cannot be added as a Synchronized Password subscriber.
Approvals Required (Required: Yes; Default: 1)
The default value of 1 indicates that a single approval allows the requestor to view the password. A value greater than 1 requires multiple approvers to approve each release request. A value of 0 means any release requests will be auto-approved by TPAM. If this value is overridden by an access policy, the greater of the two values is used.
Require Multi-Group Approval from (Required: No; Default: Off)
Can only be selected if Approvals Required is greater than 1. If selected, you can require that approvals for requests come from two or more groups. At least 1 approval must come from each group.
NOTE: Any user with approver permissions will be able to approve the request, but unless the user is a member of one of the selected groups, their approval will not count.
NOTE: Any authorized approver can deny the request.
Maximum Duration (Required: Yes)
Maximum duration for a password release on the account. If this is overridden by an Access Policy assignment, the lower of the two durations is used. The default duration that the requestor sees for any new password request is 2 hours, or the maximum duration, whichever is less.
Notification Email (Required: No; Default: Null)
The email address specified in this box receives notification of certain password releases. This applies to releases by ISA users, CLI/API users under all circumstances, and requests when no approvals are required. This email address also receives notification if a manually managed password needs to be changed. Multiple email addresses can be specified by entering each email address separated by a comma, up to a maximum of 255 characters.
Any time a change is made to the notification email address box, an email is automatically sent to the old email address with a notification that this change has occurred.
Simultaneous Privileged Access Release (Required: Yes; Default: 1)
This option allows an Admin or a PPM ISA to permit more than one Privileged Access User (PAC) to request and retrieve a password/session during the same or overlapping time period.
NOTE: If another Requestor already has the password checked out, the Privileged Access users must wait for that release window to expire before they can gain access.
Override Individual Accountability
The System Administrator must have this global setting turned on in order for the TPAM Administrator or ISA to select this flag. If selected, more than one requestor can request the password at the same time or during an overlapping duration. Any changes made to the override individual accountability check box at the account level are logged in the Activity Log.
If the System Administrator disables the Global Setting allowing account override, any accounts that had been selected to override individual accountability will have their check boxes cleared.
Reviews tab
The table below explains all of the options available on the Reviews tab.
Table 40. Account Management: Review tab options
Reviews Required (Required: No; Default: 0)
Number of reviews required after a password release has expired.
Any Authorized Reviewer (excluding Requestor) (Required: No; Default: Off)
If selected, any auditor, and any user or group member with an access policy of Review Password permission, will be eligible to complete the review.
Specific User (Required: No; Default: Off)
If selected, the specific user with review permission will be the only user allowed to review password releases for this account.
Any Auditor (Required: No; Default: Off)
If selected, any user with a user type of auditor will be eligible to review password releases for this account.
Member of a Group (Required: No; Default: Off)
If selected, any users that are members of the group that is chosen will be eligible to review password releases for this account. Only groups that have review permissions will be available in the list.
If the review isn’t complete ... (Required: No; Default: Null)
To have a user receive an email notification if the review is not complete within X hours, enter the hours threshold and the email address. The password release is not eligible for review until the release duration expires.
Custom Information tab
There are six fields that can be customized to track information about each account. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.
Management tab
The Management tab is used to configure how TPAM manages the passwords for this account. This tab is not
enabled unless Automatic or Manual is selected on the Details Information tab. The settings here will default
from the system settings but can be overridden.
The table below explains the options on the Management Details tab.
Table 41. Account Management: Details Management tab options
Password Check Profile Name (Required: Yes, if automatic password management has been selected; Default: whatever profile is assigned for the system)
Select a password check profile from the list to determine the rules for how the password is checked on the system against what is stored in TPAM. The password check profiles are configured by the TPAM Administrator. See Password Profiles for more details.
Password Change Profile Name (Required: Yes, if automatic password management has been selected; Default: whatever profile is assigned for the system)
Select a password change profile from the list to determine the rules for how the password is changed on the managed system. The password change profiles are configured by the TPAM Administrator. See Password Profiles for more details.
Pull Defaults from System (Required: No; Default: Off)
If selected, upon saving, the Management settings of the system are populated at the account level. This is a one time action and does not prevent any of these settings from being modified again at the account level.
Default duration for ISA releases of password (Required: No; Default: From System)
The duration for an ISA release may be specified up to a maximum of 7 days. This is the amount of time that transpires between the initial ISA retrieval and the automatic reset of the password (if enabled). If 0 is entered, the ISA retrieval of a password will not trigger a post release reset of the password.
Allow ISA to enter Duration on Release (Required: No; Default: From System)
If selected, an ISA may enter a release duration other than the default when retrieving a password. The duration must be greater than zero and less than or equal to the maximum specified for either the ISA Duration (Mgt Details tab) or Max Release Duration (Details tab).
This check box is disabled when the Default duration for ISA releases of passwords is set to 0.
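The release arithmetic spread across the Details Information tab (Table 39: Approvals Required and its access-policy override, Require Multi-Group Approval, Maximum Duration and the two-hour request default) and the Management tab (Table 41: the ISA release duration and its 7-day cap) is pulled together in the following added Python example. It is not TPAM code: the function names, the data shapes, the use of plain hours for durations, and the decision to credit an approval to every selected group the approver belongs to are assumptions made for the illustration, as is the reading of "either" limit as the lower of the two.

```python
# Added example: a model of the release rules described in Table 39 (Approvals
# Required, Require Multi-Group Approval, Maximum Duration) and Table 41 (ISA
# release duration). Not TPAM code; names, data shapes and the handling of an
# approver who belongs to several selected groups are this example's assumptions.
from typing import Dict, Iterable, Optional, Set

DEFAULT_REQUEST_HOURS = 2.0       # duration a requestor sees on a new request
ISA_DURATION_CAP_HOURS = 7 * 24   # ISA release duration may be up to 7 days


def effective_approvals_required(account_value: int, policy_value: Optional[int] = None) -> int:
    """Access Policy override of Approvals Required: the greater value is used."""
    return account_value if policy_value is None else max(account_value, policy_value)


def effective_max_duration_hours(account_max: float, policy_max: Optional[float] = None) -> float:
    """Access Policy override of Maximum Duration: the lower duration is used."""
    return account_max if policy_max is None else min(account_max, policy_max)


def default_request_duration_hours(max_hours: float) -> float:
    """New request default: 2 hours or the maximum duration, whichever is less."""
    return min(DEFAULT_REQUEST_HOURS, max_hours)


def release_decision(approvals_required: int,
                     approvals: Iterable[str],
                     denials: Iterable[str],
                     required_groups: Optional[Set[str]] = None,
                     group_membership: Optional[Dict[str, Set[str]]] = None) -> str:
    """Return 'approved', 'denied' or 'pending' for one release request.

    approvals / denials hold approver user names. required_groups is the set of
    groups chosen under Require Multi-Group Approval (None when the option is
    off); group_membership maps user -> groups. Assumption: one approval is
    credited to every selected group the approver is a member of.
    """
    if list(denials):
        return "denied"          # any authorized approver can deny
    if approvals_required == 0:
        return "approved"        # auto-approved by TPAM
    approvers = set(approvals)
    if not required_groups:
        return "approved" if len(approvers) >= approvals_required else "pending"
    membership = group_membership or {}
    # Only approvals from members of a selected group count ...
    counted = {u for u in approvers if membership.get(u, set()) & required_groups}
    # ... and each selected group must contribute at least one approval.
    covered: Set[str] = set()
    for user in counted:
        covered |= membership[user] & required_groups
    if len(counted) >= approvals_required and covered == required_groups:
        return "approved"
    return "pending"


def valid_isa_default_duration(hours: float) -> bool:
    """ISA default release duration: 0 (no post-release reset) up to 7 days."""
    return 0 <= hours <= ISA_DURATION_CAP_HOURS


def isa_release_duration_allowed(entered_hours: float,
                                 isa_default_hours: float,
                                 max_release_hours: float,
                                 allow_isa_to_enter: bool) -> bool:
    """May an ISA release for entered_hours? When the default is 0 the override
    check box is disabled, and when the option is off no override is possible,
    so only the default itself is accepted. Otherwise the value must be greater
    than zero and may exceed neither the ISA Duration nor the Max Release
    Duration (the guide's "either" read here as the lower of the two)."""
    if isa_default_hours == 0 or not allow_isa_to_enter:
        return entered_hours == isa_default_hours
    return 0 < entered_hours <= min(isa_default_hours, max_release_hours)


if __name__ == "__main__":
    # Constructed sample: account requires 2 approvals from both "dba" and "secops".
    groups = {"dba", "secops"}
    members = {"alice": {"dba"}, "bob": {"secops"}, "carol": {"helpdesk"}}
    print(release_decision(2, ["alice", "carol"], [], groups, members))  # carol not counted
    print(release_decision(2, ["alice", "bob"], [], groups, members))
    print(default_request_duration_hours(effective_max_duration_hours(8, 4)))
```

Durations are kept in hours so the Table 39 two-hour default and the Table 41 seven-day cap compare directly. In the constructed sample, carol's approval is ignored because helpdesk is not a selected group, so the request stays pending until a secops member approves.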
Ticket System tab
The Ticket System tab is used to configure third party ticket system requirements when submitting password
release requests for this account. The Ticket System tab is only enabled if the TPAM System Administrator has
configured ticket system/s in the /admin interface.
The following table explains the options on this tab.
Table 42. Account Management: Details Ticket System tab options
Ticket Required for (Required: No; Default: Off)
By selecting the check boxes you can require that ticket validation is enforced for Password/Files requests and/or Session requests. You also have the option to require ISAs to supply a ticket number prior to retrieving a password or file, as well as for requests made through the CLI or API. If a check box is not selected, users can still enter a ticket number on a request, but it is not required.
Require Ticket Number from (Required: No; Default: Off)
If multiple ticket systems are enabled they are listed in the list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled.
Send Email notification to (Required: No; Default: From System)
If any of the ISA, CLI or API required check boxes are left clear, you have the option of entering one or more email addresses (up to 255 characters) that will receive an email when an ISA, CLI or API user releases or retrieves a password without supplying a ticket.
Pull defaults from system (Required: No; Default: Off)
If selected, when the Save Changes button is clicked, these settings are pulled from the system. The propagation is a one time update each time this check box is selected and the Save Changes button is clicked. After that there is no forcing of the settings to remain in sync. The settings on the accounts can be overridden.
Dependents tab (Windows® AD only)
If the account managed by PPM is a Windows® domain account (the system is defined as Active Directory® ),
services running on domain member systems using this account can also be managed in terms of password
changes.
Logs tab
The Logs tab contains three sub-tabs that provide detailed password history for the account. Log data is displayed in the user’s time zone. The following table explains the sub-tabs.
Table 43. Account Management: Logs tab sub-tabs
Filter: This filter tab can be used to specify your search criteria in any of the other log tabs.
Change Log: Provides details on password change history.
Test Log: Provides details on password test activity.
Release Log: Provides details on password release history.
Dependent Change Log: Only visible if the account resides on a Windows® Domain Controller with dependent systems assigned. Provides details on changes of the domain account.
Change Agent Log: Provides details on change agent log records for the account that have occurred after a 2.3+ TPAM upgrade.
Past Password tab
This tab allows an administrator to view past passwords for an account and to select the password that was valid for a specific period of time. This is especially important if the managed system has been restored from a backup and the password that was effective at the time of the backup is required.
Current Password tab
This tab allows users with ISA password permissions to retrieve the current password. By default, administrators do not have ISA permissions; they must be assigned.
Collections tab
A collection is a group of systems, accounts and/or files. The Collections tab is used to assign the account to a collection/s. Accounts can belong to more than one collection. The collections list shows all collections that have been defined in the TPAM appliance if the user modifying the account is an administrator. If the user modifying the account is an ISA, only the collections that the user holds the ISA role for are displayed. By assigning the account to collections, the account automatically inherits user and group permissions that have been assigned at the collection level.
NOTE: An account cannot belong to the same collection as its parent system, or vice versa.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
The table below explains the fields on the Results tab.
Table 44. Account Management: Collection Results tab options
Type
On this tab the type will always say Collection.
Name
The name of the collection. Clicking on the name will take you to the collection management listing tab.
Membership Status (Required: No; Default: Not Assigned)
To modify collection membership, simply click the Not Assigned or Assigned buttons next to each collection name and click the Save Changes button. You can set all members to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button.
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this account.
To assign Access Policies:
1. Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the selected access policy is to be assigned.
2. Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right upper side of the Results tab. When you select an Access Policy on the list, the detailed permissions describing this Access Policy are displayed on the rows below.
3. Select one of the icons in the Access Policy Details pane (right upper side of page) to make the assignment.
Table 45. Access Policy Details pane icons (one row per icon; the icon images are not reproduced here)
• Refreshes list of available Access Policies.
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
The edited-row icon next to any row on the list simply means that row has been edited since the last save changes occurred.
You can Shift+Click to select a range of rows. The first row you click will be surrounded by purple dashed lines. The next row that you Shift+Click on will cause all the rows in between the original row and current row to be highlighted.
4. When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the account are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
PSM Details tab
The PSM Details tab is composed of four sub-tabs: General, Session Authentication, File Transfer, and Review Requirements, that allow users to configure the account for Privileged Session Manager (PSM). PSM licenses are required for this functionality to be enabled.
NOTE: PSM sessions to Windows® machines using an RDP proxy connection type can be configured on the
Windows® machine to use SSL/TLS security for RDP connections. Note that the computer name set in
TPAM for the system may need to be uppercase for the connections to succeed.
General tab
The following table explains the options on this tab.
Table 46. Account Management: PSM General tab options
Each entry gives the Field, whether it is Required and its Default, followed by its Description.

Enable PSM Sessions?
Required? No. Default: Off.
If selected, allows users to request access to this account through a recorded session. All subsequent options on the PSM tabs are contingent upon this being selected.

Proxy Connection Type
Required? Yes, if PSM Enabled.
Used to select the type of remote connection compatible with the configuration of the remote systems. Options are dependent on the system platform.
NOTE: When choosing any of the proxy methods listed below that use Automatic Login, the password is not automatically reset after the session is completed because the password is never displayed to the user.
Available choices are:
• DPA - ICA Access - Using a DPA, establish a connection to the system using the Citrix ICA web client. (For PSM ICA Access only)
• DPA - Web Browser - Using a DPA, establish a connection to the system using a web browser. (For PSM Web Access only)
• RDP - Automatic Login Using Password – Connect to the system using an RDP (Terminal Services protocol) client and automatically log in using the password retrieved from the local or remote TPAM. This ensures that the password is never displayed or known to the user.
• RDP - Interactive Login – Connect to the system using an RDP client; PSM does not provide automatic login. If the password is managed by PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication dialog is presented.
• RDP Through SSH – Automatic Login Using Password (for SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and automatically log in using the password retrieved from the local or remote TPAM.
• RDP Through SSH – Interactive Login (for SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and allow the user to manually type the password. If the password is managed by PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication prompt is presented.
• SQLPlus – Automatic Login Using Password – Connect to the system using the SQLPlus client and automatically log in using the password retrieved from the local or remote TPAM.
• SQLPlus – Interactive Login – Establish a connection to the remote system using the SQLPlus client. The user must know the SQLPlus password for the system. If the password is managed by PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication dialog is presented.
• SQL Window – Automatic Login Using Password – Connect to the system using the SQL Window client and automatically log in using the password retrieved from the local or remote TPAM.
• SQL Window – Interactive Login – Establish a connection to the remote system using the SQL Window client. The user must know the SQL Window password for the system. If the password is managed by PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication dialog is presented.
• SSH - Automatic Login Using DSS Key – Connect to the system using SSH and authenticate via a DSS private key. The private key must be previously uploaded to TPAM for this purpose.
• SSH – Automatic Login Using Password (for UNIX® systems only) – Connect to the system using SSH and automatically log in using the password retrieved from the local or remote TPAM.
• SSH - Interactive Login – Establish an SSH session to the remote system and allow the user to manually type the password. If the password is managed by a PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication prompt is presented.
• Telnet - Automatic Login Using Password – Connect to the system using the Telnet protocol and automatically log in using the password retrieved from the local or a remote TPAM. This ensures that the password is never displayed or known to the user.
• Telnet - Interactive Login – Connect to the system using the Telnet protocol; PSM does not provide automatic login. If the password is managed by a PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication dialog is presented.
• VNC Enterprise - Interactive Login – Establish a connection to the remote system using the VNC® Enterprise client. The user must know the VNC password for the system. If the password is managed by a PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication dialog is presented.
• VNC - Interactive Login – Establish a connection to the remote system using the VNC client. The user must know the VNC password for the system. If the password is managed by PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication dialog is presented.
• x3270 - Automatic Login – Establish a connection to the remote system using a 3270 emulator and automatically log in using the password retrieved from the local or a remote TPAM.
• x3270 - Interactive Login Using Password – Connect to the system using a 3270 emulator and allow the user to manually type the password. If the password is managed by a PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication prompt is presented.
• x5250 - Interactive Login – Connect to the system using a 5250 emulator and allow the user to manually type the password. If the password is managed by a PPM, it is displayed on the window when the session is started, otherwise the user must know the account password when the authentication prompt is presented.

Custom Connection Profile
Required? No. Default: Use Standard Settings.
The connection profile can be used to override the default connection parameters. If any custom profiles have been created they will be available in this list. See Add a PSM connection profile for more on creating custom connection profiles.

Post Session Profile
Required? No. Default: Use Standard Settings.
The post session profile is used to add additional steps at the end of a session request. If any post session profiles have been created they will be available in this list. For more details on Post Session Profiles see Add a post session processing profile.

Color Depth
Required? No. Default: 8 or 0, depending on proxy type.
Only an option for some proxy types. Used to set the number of possible colors displayed in the recorded sessions for this account. The choices are proxy type dependent. Options are:
• 8 - 256 colors
• 16 - 65,000 colors
• 0 - very low
• 1 - low
• 2 - medium
• 3 - auto select/full color

Required # of Approvals
Required? Yes. Default: 0.
The number of approvers required for each session request. A value greater than 1 requires multiple approvers to approve each session request. A value of 0 means any session requests will be auto-approved by TPAM.
If this value is overridden by an access policy the greater of the two values is used.
If the system/account is managed by PPM it is possible to have a different value for session and password request approvals. In the event of such a conflict, the value set on the password approvals required may override the value set here. This occurs only for connection types that use interactive login (where the password is displayed).

Require Multi-Group Approval
Required? No. Default: Off.
Can only be selected if Approvals Required is greater than 1. If selected, you can require that approvals for requests come from two or more groups. At least 1 approval must come from each group.
NOTE: Any user with approver permissions will be able to approve the request, but unless the user is a member of one of the selected groups, their approval will not count.
NOTE: Any authorized approver can deny the request.

Maximum Simultaneous Sessions
Default: 1.
Specifies the maximum number of simultaneous sessions that may be established for the account.
This option only exists for accounts configured to auto-authenticate the user. If the password is provided by TPAM for interactive logon then only one concurrent session is allowed, to preserve individual accountability.

Default Session Duration
Required? Yes. Default: 2 hours.
Session duration that is displayed by default when requesting a session. It can be changed within the limits set by the max password duration and the access policy session duration.

Notify primary contact ....
Required? No. Default: 0,0, null.
Allows email notifications to be sent to the primary contact specified for the system if a session exceeds the maximum session time for the request. Configurable parameters are: frequency (in minutes) of notifications; and threshold time (in minutes) before the initial notification is sent for a session. Both values must be non-zero for notifications to be sent.

Send PSM Start Notification
Required? No. Default: null.
Email address that receives notification when a session on this account starts. The following special addresses may also be included:
• :AllApprovers - all users who can approve the request
• :Approvers - users that approved the request
• :Group=Group1,Group2... - comma separated list of one or more group names
• :RelNotify - release notification email for the account
• :System - primary email contact for the account

Enable Clipboard?
Required? No. Default: On.
If selected, during a session, the user can use the clipboard option for copy/paste.
NOTE: This option cannot be selected until file transfer is enabled on the File Transfer tab.

Enable Console Connection?
Required? No. Default: Off.
If selected, during a session, the user can connect to the system console. This option is only available with RDP proxy types.

Record All Sessions?
Required? No. Default: On.
If selected, all sessions for this account will be recorded.

Enable File Uploads?
Required? No. Default: Off.
If selected, files can be uploaded from the remote system during the session.

Enable File Downloads?
Required? No. Default: Off.
If selected, files can be downloaded to the remote system during the session.
NOTE: This option cannot be selected until file transfer is enabled on the File Transfer tab.

Capture Events?
Required? No. Default: Off.
If selected, events during the session are captured and listed in session logs with hyperlinks to that point in the session. This option is only available for specific platforms. Clicking the Test Event Configuration button will mimic event capture during a session for testing with the system. There is a scheduled report, Daily Session Activity Detailed, that will list captured events during a session.
NOTE: For capturing events on Windows® systems see Configuration for Capturing Events on Windows® Systems.
NOTE: A DPA is required to capture events.
Session Authentication tab
The following table explains the options on this tab. The option selected on the Session Authentication tab determines the authentication credential storage method.
Table 47. Account Management: PSM Details Session Authentication tab options
Each entry gives the Field, whether it is Required and its Default, followed by its Description.

Password Managed by Local TPAM
Required? No. Default: Yes.
If selected, the local TPAM manages this account.

Use Remote TPAM CLI
Required? No. Default: No.
Select this option if the account is managed by another TPAM appliance, and specify the CLI user ID to be used to retrieve the password. This TPAM appliance makes a CLI call to the remote TPAM and pulls the password for the system/account specified and formats the account name at login time using the specified Domain. If the System and Account boxes are left blank then the system and account name of the account being configured are used. Access to the public key for the CLI ID is required, and must be supplied to TPAM. When this method of password retrieval is used, the number of approvals specified on the remote TPAM is ignored and access to the password is not limited to a single release.

Use DSS Key
Required? No. Default: No.
Select this option if an authentication key is used for the account instead of a password. You have the additional options of using a system standard DSS Key (TPAM allows you to configure up to 3 active keys) or having TPAM generate a pair of keys for you.

Not Stored - Specify password during session
Required? No. Default: No.
Select this option if the account’s password is not stored or managed by any TPAM. When this option is used the password must be specified when the session is initiated.

Use Windows® Domain Account
Required? No. Default: No.
Select this option if the account’s password is not stored or managed by any TPAM. The named account is a placeholder for the domain account TPAM uses to authenticate to the system. Through this method you can connect to a system using a domain account instead of a local account. On the Session Authentication tab the user name used to log in to the remote session must be added as an account associated with a Windows Active Directory® System.
File Transfer tab
The following table explains the options on this tab.
Table 48. Account Management: PSM Details File Transfer tab options
Each entry gives the Field, whether it is Required and its Default, followed by its Description.

File Transfer Method
Required? No. Default: File Transfer Disabled.
Select the method used to transfer the files. The options available in this list are platform dependent.
NOTE: If using Windows® File copy make sure that port 139 or 445 is open on the target system.

File Transfer Share/Path
Required? Yes, if file transfer enabled. Default: Null.
The share where the files will be uploaded/downloaded.

Same as Session Authentication
Required? No. Default: Yes.
If selected, the same credentials that are used for the session will be used to transfer the file.

Specify at file transfer time
Required? No. Default: No.
If selected, the user is prompted to specify the account name and password at the time of file transfer.
Review Requirements
The following table explains the options on this tab.
Table 49. Account Management: PSM Details Review Requirements tab options
Each entry gives the Field, whether it is Required and its Default, followed by its Description.

Reviews Required
Required? No. Default: 0.
Number of reviews required after a session has expired.

Specific User
Required? No. Default: Off.
If selected, the specific user with review permission will be the only user allowed to review sessions for this account.

Any Auditor
Required? No. Default: Off.
If selected, any user with a user type of auditor will be eligible to review sessions for this account.

Member of a Group
Required? No. Default: Off.
If selected, any users that are members of the group that is chosen will be eligible to review sessions for this account. Only groups that have review permissions will be available in the list.

If the review isn’t complete ...
Required? No. Default: Null.
To have a user receive an email notification if the review is not complete within X hours, enter the hours threshold and the email address. The session is not eligible for review until the release duration expires.
Add an account
When adding an account in TPAM, information is entered on the following tabs to configure the account:
• Details - Information, Reviews, Custom Information, Management, Ticket System
• Dependents
• Collections
• Permissions
• PSM Details - General, Session Authentication, File Transfer, Review Requirements
The following procedure describes the required steps to add an account.
To add a new account:
1 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
2 Enter filter criteria on the Filter tab to find the system to add the account to.
3 Click the System tab.
4 Select the system or system template.
NOTE: A total of 10 accounts can be added to a system template (including the functional account). Any accounts added in this way are added to new systems created from the template. Existing systems based on the template will not have any new accounts added or existing accounts removed. ISA users cannot add, view, or edit accounts on template systems.
5 Click the Details tab. Enter information on the Details tab. For more information on this tab see Information tab.
6 Click the Reviews sub-tab to configure review requirements for password releases. For more information on this tab see the Reviews tab. (Optional)
7 Click the Custom Information sub-tab to enter custom information for the account. For more information on this tab see Custom Information tab. (Optional)
8 Click the Management sub-tab and select preferences for managing account passwords. For more details see Management tab.
9 Click the Ticket System sub-tab and set external ticket system requirements for submitting password release requests. For more details see Ticket System tab. (Optional)
10 Click the PSM Details tab to enable/disable PSM sessions. For more information see PSM Details tab. (Optional)
11 Click the Session Authentication sub-tab to select the session authentication method. For more information see Session Authentication tab. (Optional)
12 Click the File Transfer sub-tab to enable file transfers during sessions. For more information see File Transfer tab. (Optional)
13 Click the Review Requirements sub-tab to set review requirements for sessions. For more information see Review Requirements. (Optional)
14 Click the Save Changes button.
15 Click the Dependents tab to assign/remove dependents to Windows Active Directory® systems. For more details see Dependents tab (Windows® AD only). (Optional)
16 Click the Collections tab and assign/remove membership. For more information on this tab see Collections tab. (Optional)
17 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
18 Click the Save Changes button.
Duplicate an account
To ease the burden of administration and help maintain consistency, accounts can be duplicated. This allows the
administrator to create new accounts that are very similar to those that exist, while only having to modify a few
details. The new account inherits password management, review, ticket system, and PSM details settings from
the existing account. Collections and permissions assignments are not inherited.
To duplicate an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be duplicated.
5 Click the Duplicate button. A new account object is created and the Details tab displays.
6 Enter the Account Name.
7 Make any changes to the account configuration on the various tabs. Click the Collections tab and assign membership. (Optional)
8 Click the Permissions tab and assign access policies. (Optional)
9 Click the Save Changes button.
Delete an account
When you delete an account from the Manage Accounts listing it is “soft” deleted. This means that the account information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in Trash global setting in the /admin interface.
IMPORTANT: The only way to delete a functional account is to delete the system.
NOTE: You cannot delete an account that has an active PSM session.
To “soft” delete an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
To view “soft” deleted accounts go to Systems, Accounts, & Collections | Accounts | Deleted Accounts on the main menu.
TPAM allows you to undo a soft deletion prior to the Days in Trash global setting taking effect.
To undo a “soft” delete:
1 Select Systems, Accounts, & Collections | Accounts | Deleted Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be restored.
5 Click the Undo Delete button.
To undo a soft delete for all the accounts in the listing:
1 Click the Undo Delete All button.
2 Click the Yes, continue with undo delete button.
Hard deleting an account removes all records of the account from the TPAM interface. Hard deletion is only allowed if the Allow Manual Hard Deletes global setting has been enabled by the System Administrator.
To “hard” delete an account:
1 Select Systems, Accounts, & Collections | Accounts | Deleted Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be deleted.
5 Click the Hard-Delete button.
6 Click the OK button on the confirmation window.
To hard delete all the accounts in the listing:
1 Click the Hard-Delete All button.
2 Click the Yes, continue with hard-delete button.
Retrieve a password
A user with PPM ISA permission over an account can retrieve a password.
To retrieve a password:
1 Select Retrieve | Retrieve Password from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account.
5 Click the Passwords tab.
6 Complete the following fields:
Table 50. Password tab fields (Field name, followed by its Description)
Release Reason
Used to provide a brief description of the reason for the password release. May be optional, required or not allowed, depending on configuration.
Reason Code
Reason codes will appear if they have been configured by the System Administrator. Reason codes streamline the request process, and may be optional, required, or not allowed depending on how they are configured.
Ticket System
May be required, based on configuration.
Ticket Number
May be required, based on configuration. If the ticket number fails validation the ISA will not be able to retrieve the password.
Proxy Release For
If the ISA is retrieving the password on behalf of another user, enter the user’s name here. This name will be displayed on the Password Release Activity report.
7 Click the Password tab. The password will be displayed for 20 seconds, after which time the ISA must click the Password tab again to view the password.
List accounts
The List Accounts option allows you to export the account data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline work sheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.
To list the accounts:
1 Select Systems, Accounts, & Collections | Accounts | List Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for an account, select the account and click the Collections tab.
7 To view the permissions assigned to the account, select the account and click the Permissions tab.
List PSM accounts
The List PSM Accounts option allows you to export the account data from TPAM to Microsoft Excel or CSV format.
This lists all accounts that are PSM enabled or have the option of being PSM enabled. This is a convenient way to
provide an offline work sheet and also to provide data that may be imported into another TPAM – for example,
to populate a lab appliance with data for testing, without making the lower level changes that restoring a
backup would cause.
To list the accounts:
1 Select Systems, Accounts, & Collections | Accounts | List PSM Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
Password current status
The current status of a password for an account will report last password release, open password requests,
scheduled password resets, password checks and reset history.
To check the current status of a password:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to check.
5 Click the Current Status button.
Manual password management
Accounts that are not auto-managed by PPM may still take advantage of the secure storage and release mechanisms, as well as the logging and reporting functions of TPAM. Password changes for such system accounts can be accomplished in two ways: PPM generated passwords and user generated passwords.
When a non-managed account’s password has been released to a user, the defined system contact email address for the system receives a notice when the release duration expires. This provides the opportunity to have the password manually reset. If the request is expired early, the email notification is sent immediately.
To use passwords generated by PPM:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account from the listing.
5 Click the Details tab.
6 Select Manual for the password management setting. If this was already selected, skip to step 8.
7 Click the Save Changes button.
8 Click the Reset Password button.
9 Take the new password that PPM has generated (rHH1omoG1 in this example) and set the account’s password to this value on the remote system.
10 If the password update on the remote system was successful, click the Update Successful button. If the password was unable to be reset on the remote system, click the Update Failed button; PPM will discard the new password and roll back to the previously stored password.
To use a password not generated by PPM:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account from the listing.
5 Click the Details tab.
6 Select Manual for the password management setting. If this was already selected, skip to step 8.
7 Click the Save Changes button.
8 Enter the new password in the Password and Confirm fields.
9 Click the Save Changes button.
Password management
Password Management allows TPAM Administrators and PPM ISAs to do a “mass” forced reset of account passwords that are auto-managed. If manually managed passwords are scheduled for reset, the automatic email notification will be generated to the system contact to manually reset the password.
NOTE: If the account is a synchronized password subscriber, it cannot be reset from this window.
This window also gives you a central location to view the current password status for all passwords.
To perform a mass password reset:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 To select all passwords returned on the Listing tab for reset, select the All check box in the column header. To select more than one, but not all, select the check box in the Select for Scheduling column for the passwords to be reset.
5 Click the Schedule Resets button.
To select one password for reset:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the individual row.
5 Click the Reset Individual button.
6 If the account is manually managed, after manually resetting the password on the system, click the Update Successful or Update Failed button, according to the results.
To view password history:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select an account.
5 Click the Logs tab.
6 Enter your search criteria on the Filter tab.
7 Click the Change Log, Test Log, Release Log, Dependent Change Log, or Change Agent Log to view the specific history.
Managing services in a Windows® domain environment
If the account managed by PPM is a Windows® domain account (the system is defined as Active Directory® in TPAM), services running on domain member systems using this account can also be managed in terms of password changes.
The prerequisite for domain member systems to have these service account passwords changed is that each system must be configured in TPAM and the domain functional account must be properly privileged on that system (for example, a member of the local Administrators group).
NOTE: Dependent systems will always have the passwords for Windows Services and Scheduled Tasks changed regardless of whether the check boxes are selected on the Account Details Information tab.
To assign domain members to have their passwords changed:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the Windows® Domain account.
5 Click the Dependents tab.
6 Enter your search criteria on the Filter tab.
7 Click the Results tab.
8 Select the Dependent button for systems with dependencies on the domain level account.
9 Click the Save Changes button.
When the password for the managed domain account (for example, Administrator) is changed, PPM enumerates the services on each selected dependent system and changes the password for all services being run by the domain account.
In the example used in the figures above, ‘Administrator’ is a domain account, specified on a domain controller called Saturn. The system Jupiter is defined as a dependent system to this account, indicating that services are running on Jupiter using the domain Administrator account. When the password for ‘Administrator’ is changed by PPM, each system defined as dependent, such as Jupiter, has the password changed for any service using the domain Administrator password.
Add generic account to TPAM for PSM
sessions to a user specified Windows
account
TPAM provides the ability to create a generic TPAM account that can be used to log in to any user-specified
Windows account during a PSM session. The user is prompted to input the desired Windows account name and
password when the PSM session is starting. This allows TPAM to provide the account name and password during
RDP session initiation, thereby allowing the RDP session to succeed even when the RDP session security layer is
set to SSL/TLS on the Windows machine.
To configure a generic TPAM account:
1 The target system must be added to TPAM. The platform for the system can be any of the Windows or SPCW platforms. For details on how to add a system see Add a system.
2 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
3 Enter filter criteria on the Filter tab to find the system to add the account to.
4 Click the System tab.
5 Select the system in the listing.
6 Click the Details tab.
7 Enter :prompt: for the account name.
8 Select None for the Password Management option.
9 Click the PSM Details tab.
10 Select the Enable PSM Sessions check box.
11 Select RDP - Interactive Login as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign Requestor permissions to the appropriate TPAM users.
How it works
A TPAM user requests a session using the :prompt: account on the target system. When the PSM session is
initiated, the user is prompted to enter the Windows account name and password.
After the account name and password are entered, the RDP session is connected as desired.
NOTE: It is not possible to monitor events in this scenario.
NOTE: If performing file transfer, credentials must be specified at file transfer time.
13 Using Quest Authentication Services with TPAM
• Introduction
• Configure QAS integration
• How it works
Introduction
Quest Authentication Services (QAS) is patented technology that empowers non-Windows® systems to become
members of Active Directory® (AD) for centralized authentication. The ability for Linux®, UNIX® and Mac®
systems to join the Active Directory® domain provides the benefit of central control over which an AD user is
permitted to authenticate to which non-Windows® system.
TPAM is able to leverage QAS with UNIX®, Linux®, and Mac® systems to allow for Active Directory® functional
accounts on UNIX®, Linux®, and Mac systems. TPAM also allows currently logged on users to request a session
using their currently logged on username through a special account, defined in TPAM for each system, called
:myaccount:. This is beneficial because many implementations use Active Directory® as the primary
authentication source and grant permissions through this integration. A user may request access to a
system using their own username and password by requesting a session with the account :myaccount:. The user
then proxies access to the system through TPAM using their own credentials, without having to store additional
information on each defined system in TPAM for that user.
Configure QAS integration
QAS must be installed on the target system before the integration is configured in TPAM. See the
documentation provided with QAS for these steps.
The target system must be added to TPAM. For details on how to add a system see Add a system template.
To create an account for QAS to use with TPAM:
1 Log on to the /tpam interface.
2 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
3 Enter filter criteria on the Filter tab to find the system to add the account to.
4 Click the System tab.
5 Select the system in the listing.
6 Click the Details tab.
7 Enter :myaccount: for the account name.
8 Select None for the Password Management option.
NOTE: The password for the domain account is not stored in this account.
9 Click the PSM Details tab.
10 Select the Enable PSM Sessions check box.
11 Select one of the "interactive" proxy types as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign Requestor permissions to the appropriate TPAM users.
14 Click the Save Changes button.
How it works
A TPAM user requests a session using :myaccount: on the target system. In this example the TPAM user ID of the
requestor is testuser.
The user requests a session.
When the PSM session is initiated the account of the user is sent to the target system as the TPAM user ID and
they must provide the domain password for authentication. The domain password is then sent to QAS for
authentication.
14 TPAM Account Discovery
• Introduction
• Configure account discovery
• Account discovery profiles
• Add an account discovery profile
• Delete an account discovery profile
• Assign an account discovery profile to a system/system template
• Combine account discovery with auto discovery
Introduction
For Windows®, *nix, and database systems, account discovery can be configured in TPAM. Configuration allows
these accounts to be added or removed from TPAM as they are discovered or removed from the remote system.
Administrators can also opt to just have email notifications sent when these accounts are discovered/removed.
Configure account discovery
To configure account discovery:
1 Create a system template.
2 Add an account to the system template. Select Accounts | Add Account from the menu. Filter for the system template you just created. Select the template from the System tab and click the Details tab. Configure the account and click the Save Changes button.
When creating the account discovery profile you will select this account to be the template account. The template account is what is used to add accounts during account discovery. The accounts added will be set up with the same permissions, collections membership, etc. as the account on this template. For more information on system templates see Add a system template and Add an account.
NOTE: For a disabled account that is newly discovered, if the Enable Account Before Release check box is selected on the template used in account discovery the account WILL be brought into TPAM. If the Enable Account Before Release check box is clear on the template the disabled account will not be brought into TPAM.
NOTE: For a disabled account that exists in TPAM, and the Enable Account Before Release check box is selected on the template used in account discovery, the account WILL NOT be considered deleted. For a disabled account that exists in TPAM, and the Enable Account Before Release check box is clear on the template used in account discovery, the account WILL be considered deleted.
3 Create an account discovery profile. For more information on how to create an account discovery profile see Account discovery profiles.
4 Assign the account discovery profile to the system and click the Save Changes button. Click the Test Account Discovery button to see what accounts are found.
5 If desired, click the Run Discovery Profile button to have the profile run immediately instead of waiting for the next scheduled run. A maximum of 5,000 accounts can be discovered this way. (Optional)
Accounts will display on the Discovered Accounts tab if the Delete Account Action or New Account Action setting is set to Notify via Email on the account discovery profile. If accounts are discovered, select from the following options:
• Add Account - If selected, the account will be added to the system using the indicated template account.
• Turn Off Auto - Accounts with this option have been deleted from the target system, but are still set up as a managed account in TPAM. If Turn Off Auto is selected, the password management setting for this account will be set to None.
• Add to Exclude - If selected, the account will be added to the system’s exclude list. The account will be ignored during auto discovery processing.
After making selections click the Process Selected Actions button to execute the selections.
Clicking the Clear All Staged Accounts button clears out all staged account rows for this system without processing them.
Clicking the Refresh Current List button refreshes the list with whatever filter applies.
6 Confirm with the System Administrator that the Account Discovery agent has been enabled in the admin interface.
Account discovery profiles
Account Discovery profiles allow TPAM to periodically check for accounts on a managed system and add or
remove them from TPAM. Account Discovery profiles can only be assigned to Windows®, *nix and database
systems.
The table below explains the options on the Account Discovery profile page.
Table 51. Account Discovery profile page options
Profile Type (Required?: Yes; Default: Account Discovery)
Account Discovery should be selected from the list.
Profile Name (Required?: Yes)
Enter a unique profile name.
Description (Required?: No)
Enter a brief description of this profile.
Time of Day (Required?: Yes; Default: 23:00/Daily)
Enter the time of day that TPAM should check the assigned managed systems for account changes. The frequency options are:
• Disabled - Processing of the account discovery profile is suspended. The profile can still be assigned to systems, and clicking the Test and Run buttons on the Account Discovery tab on the systems page will still work, but future runs will not be scheduled.
• Daily - If selected, the check will occur every day at the configured time.
• Weekly - If selected, the check will occur on the days selected, at the configured time.
• Monthly - If selected, the check will occur on the days of the month listed. Multiple days may be entered separated by a semi-colon. Use a value of -1 to run on the last day of the month, regardless of length.
Delete Account Action (Required?: Yes; Default: Do Nothing)
The action to take when an existing account has been removed from the system. Choices are:
• Do Nothing - no action taken.
• Turn off Auto-Management - If the managed account is currently set to be auto-managed or is a subscriber to a synchronized password, the password management setting for the account will be changed to None.
• Notify via Email - the account is not changed, but an email is sent to the addresses specified that it has been removed from the remote system. Information will also be displayed on the Discovered Accounts tab when this option is selected.
• Both - the account’s auto-management is set to None, and an email notification is sent out.
Delete Notification Email (Required?: No)
A list of email addresses, separated by semi-colons, to be notified based on the New/Delete Account Action selections. Allows up to 255 characters. Two special addresses are recognized:
• :System: - sends an email to the primary contact entered on the System Details tab.
• :Functional: - sends an email to the notification email entered for the functional account.
New Account Action (Required?: Yes; Default: Do Nothing)
The action to take when a new account is entered on an assigned system. Choices are:
• Do Nothing - no action taken.
• Create an Account - a new managed account will be created on the system using the template account.
• Notify - the account is not created, but an email is sent to the addresses specified.
• Both - the account is created, and an email notification is sent out.
Template Account (Required?: Yes; Default: First template in the list)
Select a template from the list to be used for the accounts created. They will be listed as template name/account name. The discovered accounts will be assigned the attributes of the template account selected.
UID (Required?: At least one filter criterion is required to save the profile)
Only applies to *nix systems. A comma separated list of numeric filter values. Only UID (User Id) values that match one of the following values will be discovered. Values may be entered as follows:
• # - only this numeric UID will be recognized.
• #-# - numeric UIDs between these two values.
• <# - UIDs less than, but not equal to, this value.
• ># - UIDs greater than, but not equal to, this value.
• !# - UIDs not equal to this value.
SID (Required?: At least one filter criterion is required to save the profile)
Only applies to Windows® systems. A list of string values. Only SID (Security Identifier) values that match one of the following values will be discovered. Values may be entered as follows:
• # - only this numeric SID will be recognized.
• #-# - numeric SIDs between these two values.
• <# - SIDs less than, but not equal to, this value.
• ># - SIDs greater than, but not equal to, this value.
• !# - SIDs not equal to this value.
Name (Required?: At least one filter criterion is required to save the profile)
A comma separated list of values. Only account names that match one of the following values will be discovered. Values may be entered as follows:
• text - only this account will be recognized.
• *text - account names ending in text.
• text* - account names starting with text.
• !text - account names not equal to text.
Group (Required?: At least one filter criterion is required to save the profile)
Only applies to Windows® and *nix platforms. A comma separated list of group names. Only accounts which are members of the indicated group(s) will be discovered. Values may be entered as follows:
• text - only this group will be recognized.
• *text - group names ending in text.
• text* - group names starting with text.
• !text - group names not equal to text.
Role (Required?: At least one filter criterion is required to save the profile)
Only applies to database systems. A comma separated list of role names. Only accounts which are members of the indicated role(s) will be discovered. Values may be entered as follows:
• text - only this role will be recognized.
• *text - role names ending in text.
• text* - role names starting with text.
• !text - role names not equal to text.
Task (Required?: At least one filter criterion is required to save the profile; Default: Off)
Only applies to Windows® systems. If selected, discovers an account if it is being used to run any Windows® scheduled task.
Service (Required?: At least one filter criterion is required to save the profile; Default: Off)
Only applies to Windows® systems. If selected, discovers an account if it is being used to run any Windows® services.
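The filter syntax in the table above and the New/Delete Account Action rules, together with the disabled-account notes in the Configure account discovery section, can be checked offline with a small model. The following Python is an added example, not TPAM's own code: it implements the UID and Name/Group term matching as the table describes it and runs one discovery pass over a constructed *nix account list. The RemoteAccount and DiscoveryDetail classes, the reconcile function and all sample accounts are this example's own assumptions; the guide does not say whether "#-#" bounds are inclusive or how several criteria on one detail row combine, so inclusive bounds and all-criteria-must-match are assumed.

```python
"""Account discovery filter terms and New/Delete Account Action decisions.
Added example, not TPAM code; names, sample data and rules marked 'assumption' are its own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteAccount:
    name: str
    uid: int
    groups: frozenset
    disabled: bool = False


def uid_matches(term, uid):
    """One UID term: '#', '#-#' (inclusive, assumption), '<#' and '>#' (exclusive) or '!#'."""
    t = term.strip()
    if t[0] in "!<>":
        n = int(t[1:])
        return {"!": uid != n, "<": uid < n, ">": uid > n}[t[0]]
    if "-" in t:
        lo, hi = (int(x) for x in t.split("-", 1))
        return lo <= uid <= hi
    return uid == int(t)


def text_matches(term, value):
    """One Name/Group/Role term: 'text', '*text', 'text*' or '!text'."""
    t = term.strip()
    if t.startswith("!"):
        return value != t[1:]
    if t.startswith("*"):
        return value.endswith(t[1:])
    if t.endswith("*"):
        return value.startswith(t[:-1])
    return value == t


def any_term_matches(criterion, value, matcher):
    """A comma separated criterion matches when any one of its terms matches."""
    return any(matcher(t, value) for t in criterion.split(",") if t.strip())


@dataclass(frozen=True)
class DiscoveryDetail:
    """One detail row of a profile; an empty string means the criterion is unused."""
    uid: str = ""
    name: str = ""
    group: str = ""
    new_account_action: str = "Do Nothing"
    delete_account_action: str = "Do Nothing"

    def matches(self, acct):
        checks = [
            any_term_matches(self.uid, acct.uid, uid_matches) if self.uid else None,
            any_term_matches(self.name, acct.name, text_matches) if self.name else None,
            any(any_term_matches(self.group, g, text_matches) for g in acct.groups) if self.group else None,
        ]
        used = [c for c in checks if c is not None]
        if not used:
            raise ValueError("at least one filter criterion is required to save the profile")
        return all(used)  # assumption: every criterion filled in on one row must match


def reconcile(detail, remote, managed, excluded, enable_before_release):
    """Return (account, action) pairs for one run. managed: names TPAM already manages;
    excluded: the system's exclude list; enable_before_release: the template's check box."""
    found = {a.name: a for a in remote}
    actions = []
    # New accounts: filtered, not excluded, not yet managed. A newly discovered
    # disabled account is only brought in when Enable Account Before Release is selected.
    for name, acct in sorted(found.items()):
        if name in managed or name in excluded or not detail.matches(acct):
            continue
        if acct.disabled and not enable_before_release:
            continue
        if detail.new_account_action != "Do Nothing":
            actions.append((name, detail.new_account_action))
    # Removed accounts: gone from the system, or still there but disabled while the
    # template does not enable accounts before release (second NOTE above).
    for name in sorted(managed):
        acct = found.get(name)
        present = acct is not None and (not acct.disabled or enable_before_release)
        if not present and detail.delete_account_action != "Do Nothing":
            actions.append((name, detail.delete_account_action))
    return actions


# Constructed sample data (not from any real system).
SAMPLE_REMOTE = [
    RemoteAccount("root", 0, frozenset({"wheel"})),
    RemoteAccount("svc_backup", 1001, frozenset({"backup", "wheel"})),
    RemoteAccount("svc_old", 1002, frozenset({"backup"}), disabled=True),
    RemoteAccount("svc_new", 1003, frozenset({"backup"})),
    RemoteAccount("alice", 2000, frozenset({"users"})),
]
SAMPLE_MANAGED = {"svc_backup", "svc_old", "svc_gone"}
SAMPLE_DETAIL = DiscoveryDetail(uid=">999", name="svc*", new_account_action="Create an Account",
                                delete_account_action="Turn off Auto-Management")


def example_run(enable_before_release):
    return reconcile(SAMPLE_DETAIL, SAMPLE_REMOTE, SAMPLE_MANAGED, set(), enable_before_release)
```

Calling example_run(False) yields a Create an Account action for svc_new and Turn off Auto-Management for svc_gone (no longer on the system) and svc_old (still present but disabled); with the template's Enable Account Before Release selected, example_run(True) no longer treats svc_old as deleted. Running the model against a Test Account Discovery result before assigning a profile is a cheap way to confirm that a filter such as ">999" does not sweep in accounts the template's permissions were never meant for.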
Add an account discovery profile
IMPORTANT: An account discovery profile cannot be added unless at least one system template has been
added to TPAM.
To add an account discovery profile:
1 Select Management | Profile Management from the menu.
2 Select Account Discovery from the Profile Type list.
3 Click the New Profile button.
4 Enter a unique name for the profile.
5 Enter a description for the profile. (optional)
6 Enter a time of day and frequency for the auto discovery check to run.
7 Click the Add Detail button.
8 Select the various detail options available. For more information on how these are configured see the table in the Account discovery profiles section.
9 To add another detail row repeat steps 7 and 8.
10 Click the Save Changes button.
Delete an account discovery profile
To delete an account discovery profile:
1 Select Management | Profile Management from the menu.
2 Select Account Discovery as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: An account discovery profile can only be deleted if it is not assigned to any systems.
Assign an account discovery profile to a system/system template
Account Discovery profiles can be assigned using the Import Systems or Update Systems batch
processing functions, or by following the procedure below.
To assign an account discovery profile to a system:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems.
2 Select the system/system template on the listing tab.
3 Click the Account Discovery tab.
4 Select the profile from the discovery profile list.
5 Enter any accounts to be excluded from the discovery profile actions in the excluded box.
6 Click the Save Changes button.
IMPORTANT: The profile being assigned to the template cannot have any accounts in common with the
template it is being assigned to.
Combine account discovery with auto discovery
TPAM can be configured to integrate with LDAP, LDAPS, Novell® NDS and Windows Active Directory® to
automatically detect, enroll, and modify users and systems through Auto Discovery integration. To take this
process one step further, once a system is “auto discovered” and added to TPAM, account discovery can also be
configured to find accounts on this newly added system. To combine auto discovery with account discovery see
Discover accounts on auto discovered systems.
15 Files
• Introduction
• Add a file
• Duplicate a file
• Review file history
• Delete a file
• Retrieve a file
• List files
Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.
To add and manage files, information is entered on the following tabs in the TPAM interface:
Table 52. Files Management: TPAM interface tabs
Tab name
Description
Details
Define main file information, such as name, approvals required, contact.
Ticket System
Configure Ticket System Validation for requests on this file.
Collections
Assign a file to a collection/s.
Permissions
Assign users and groups permissions on this file.
Details tab
The Details tab is where you upload the file to TPAM and set approval requirements.
The table below explains all of the options available on the File Details tab.
Table 53. Files Management: Details tab options
File Display Name (Required?: Yes)
The name users see when requesting access to stored files.
Filesize (in bytes)
Display only. The size of the file that is uploaded.
Select Local Filename (Required?: Yes)
Where the file is uploaded by clicking the browse button.
Approvals Required (Required?: No; Default: 1)
The default value of 1 indicates that a single approval allows the requestor to access the file. A value greater than 1 requires multiple approvers to approve each request. A value of 0 means any requests will be auto-approved by TPAM. If overridden by an access policy the greater of the two values will be used.
Maximum Duration (Required?: Yes; Default: 7 Days)
This is the maximum duration for a file release. If this is overridden by an Access Policy assignment, the lower of the two durations is used. The default duration that the requestor sees for any new file request is 2 hours, or the maximum duration, whichever is less.
Require Multi-Group Approval (Required?: No; Default: Off)
Can only be selected if Approvals Required is greater than 1. If selected, you can require that approvals for requests come from one or more groups. If only one group is selected, all approvals must come from members of this group. If more than one group is selected, at least 1 approval must come from each group.
NOTE: Any user with approver permissions will be able to approve the request, but unless the user is a member of one of the selected groups, their approval will not count. Any authorized approver can deny the request.
Notification Email (Required?: No; Default: Null)
The email address specified in this box receives notification of certain file releases. This would apply to releases by ISA users, CLI/API users under all circumstances, and requests when no approvals are required. Multiple email addresses can be specified by entering each email address separated by a comma, up to a maximum of 255 characters.
Any time a change is made to the notification email address box, an email is automatically sent to the old email address with a notification that this change has occurred.
Description (Required?: No)
The description box may be used to provide additional information about the file, special notes, business owner, etc.
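The Approvals Required, Maximum Duration and Require Multi-Group Approval rows above interact in ways that are easy to get wrong when reviewing a file's release settings, so the following Python models them as stated in the table. This is an added example, not TPAM's own code: the ReleasePolicy and Vote classes, the assumption that an overriding Access Policy carries its own Approvals Required and Maximum Duration values, and the sample users and groups are this example's own.

```python
"""Effective release rules for a stored file: Approvals Required, Maximum
Duration and Require Multi-Group Approval as the Details tab table states them.
Added example, not TPAM code; the policy and vote shapes are assumptions."""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class ReleasePolicy:
    approvals_required: int                    # 0 means requests are auto-approved
    max_duration: timedelta
    approval_groups: frozenset = frozenset()   # Require Multi-Group Approval groups

    def __post_init__(self):
        # The check box can only be selected when Approvals Required is greater than 1.
        if self.approval_groups and self.approvals_required <= 1:
            raise ValueError("multi-group approval needs Approvals Required > 1")


def effective_policy(file_policy, access_policy=None):
    """Merge the file's settings with an overriding Access Policy (assumed to carry
    the same two fields): the greater Approvals Required and the lower Maximum
    Duration are used."""
    if access_policy is None:
        return file_policy
    return ReleasePolicy(
        max(file_policy.approvals_required, access_policy.approvals_required),
        min(file_policy.max_duration, access_policy.max_duration),
        file_policy.approval_groups,
    )


def default_request_duration(policy):
    """Duration a requestor sees for a new request: 2 hours or the maximum, whichever is less."""
    return min(timedelta(hours=2), policy.max_duration)


@dataclass(frozen=True)
class Vote:
    user: str
    groups: frozenset   # groups the approver belongs to
    approve: bool       # False is a denial


def evaluate_request(policy, votes):
    """Return 'approved', 'denied' or 'pending'. Assumption: one vote per user."""
    if policy.approvals_required == 0:
        return "approved"                      # auto-approved by TPAM
    if any(not v.approve for v in votes):
        return "denied"                        # any authorized approver can deny
    approvals = list(votes)
    if policy.approval_groups:
        # Only approvals from members of the selected groups count; with several
        # groups selected, at least one approval must come from each group.
        approvals = [v for v in approvals if v.groups & policy.approval_groups]
        covered = set().union(*(v.groups & policy.approval_groups for v in approvals))
        if covered != set(policy.approval_groups):
            return "pending"
    if len({v.user for v in approvals}) >= policy.approvals_required:
        return "approved"
    return "pending"


# Constructed sample: two approvals needed, one from each of two groups.
FILE_POLICY = ReleasePolicy(2, timedelta(days=7), frozenset({"dba", "secops"}))
ACCESS_POLICY = ReleasePolicy(3, timedelta(hours=1))   # assumed override values
ALICE = Vote("alice", frozenset({"dba"}), True)
BOB = Vote("bob", frozenset({"helpdesk"}), True)      # approver, but not in a selected group
CAROL = Vote("carol", frozenset({"secops"}), True)
DAVE = Vote("dave", frozenset({"dba"}), False)
```

With FILE_POLICY, approvals from ALICE and BOB leave the request pending because BOB's approval does not count toward a selected group; adding CAROL approves it, and a denial from DAVE denies it regardless of the other votes. Merging in ACCESS_POLICY raises the requirement to 3 approvals and caps the release at 1 hour, which is also what the requestor then sees as the default duration.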
Ticket System tab
The Ticket System tab is used to configure third party ticket system requirements when submitting file release
requests for this file. The Ticket System tab is only enabled if the TPAM System Administrator has configured
ticket system/s in the /admin interface.
The following table explains the options on this tab.
Table 54. Files Management: Ticket System tab options
Require Ticket Number from (Required?: No; Default: From System)
Select this check box to require ticket number validation every time a file request is submitted. If multiple Ticket Systems are enabled they are listed in the list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled. If this check box is not selected, users can still enter a Ticket Number on a request, but it is not required.
Perform Ticket Validation for (Required?: No; Default: From System)
If ticket validation is required, then all requestors are required to provide a ticket number. You also have the option to require ISAs to supply a ticket number prior to retrieving a file.
Send Email notification to (Required?: No; Default: From System)
If any of the ISA, CLI or API required check boxes are left clear you have the option of entering one or more email addresses (up to 255 characters) that will receive an email when an ISA, CLI or API user releases or retrieves a file without supplying a ticket.
Pull defaults from system (Required?: No; Default: Off)
If selected, when the Save Changes button is clicked, it will pull these settings from the system. The propagation is a one time update each time this check box is selected and the Save Changes button is clicked. After that there is no forcing of the settings to remain in synch. The settings on the file can be overridden.
Logs tab
The Logs tab for stored files shows the activity associated with accessing the file.
The following table explains the fields on this tab.
Table 55. Files Management: Logs tab options
Field
Description
Request ID
Request ID for the file request.
User Name
User ID of the requestor.
User Full Name
Full name of the requestor.
Release Date
Date and time that the file was retrieved.
Release Type
Indicates whether the file was retrieved by a requestor or an ISA.
File History tab
This tab shows the history of all physical files that have been associated with the file display name as well as
the dates the file was originally stored and replaced. The older files, though no longer associated with the
display name, remain on the appliance and may be accessed by an administrator using the filename link. Older
files may also be deleted from history.
The following table explains the fields on this tab.
Table 56. Files Management: File History tab options
Field
Description
Actual Filename
The name of the file that was stored on TPAM.
Stored Date
The date the file was uploaded to TPAM.
Replaced Date
The date the file was replaced with another file.
Filesize
Size of the file in bytes.
Current File tab
The Current File tab allows you to retrieve the file if you have ISA permission for the file.
The following table explains the options on this tab.
Table 57. Files Management: Current File tab options
Release Reason (Required?: Depends on configuration by System Administrator)
The reason for the file release.
Reason Code (Required?: Depends on configuration by System Administrator)
The reason for the file release.
Ticket System (Required?: Depends on configuration by Administrator)
Ticket system to validate the request against.
Ticket Number (Required?: Depends on configuration by Administrator)
Ticket number to validate the request against.
Collections tab
A collection is a group of systems, accounts and/or files. The Collections tab is used to assign the file to a
collection/s. Files can belong to more than one collection. The collections list shows all collections that have
been defined in the TPAM appliance if the user modifying the file is an administrator. If the user modifying the
file is an ISA, only the collections that the user holds the ISA role for are displayed. By assigning the file to
collections, the file automatically inherits user and group permissions that have been assigned at the collection
level.
NOTE: A file cannot belong to the same collection as its parent system, or vice versa.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
The table below explains the fields on the Results tab.
Table 58. Files Management: Collections Results tab options
Type (Required?: No)
On this tab type will always say Collection.
Name
The name of the collection. Clicking on the name will take you to the collection management listing tab.
Membership Status (Required?: No; Default: Not Assigned)
To modify collection membership, simply click the Not Assigned or Assigned buttons next to each collection name and click the Save Changes button. You can set all members to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button.
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this file.
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right upper side of the Results tab. When you select an Access Policy on the list the detailed permissions describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the assignment.
Table 59. Access Policy Details pane icons
The icons in the pane perform the following actions:
• Refreshes list of available Access Policies.
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
An icon next to any row on the list simply means that row has been edited since the last save changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the file are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a file
When adding a file in TPAM, information is entered on the following tabs to configure the file:
• Details - File name, Approvals required
• Ticket System
• Collections
• Permissions
The following procedure describes the required steps to add a file.
To add a new file:
1 Select Systems, Accounts, & Collections | Files | Add File from the menu.
2 Enter filter criteria on the Filter tab to find the system to add the file to.
3 Click the System tab.
4 Select the system.
5 Click the Details tab. Enter information on the Details tab. For more information on this tab see Details tab.
6 Click the Ticket System tab and set external ticket system requirements for submitting file release requests. For more details see Ticket System tab. (Optional)
7 Click the Save Changes button.
8 Click the Collections tab and assign/remove membership. (Optional) For more information on this tab see Collections tab.
9 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
10 Click the Save Changes button.
Duplicate a file
To ease the burden of administration and help maintain consistency, files can be duplicated. This allows the
administrator to create new files that are very similar to those that exist, while only having to modify a few
details. The new file inherits approval requirements, ticket system settings, collection and permission
assignments from the existing file.
To duplicate a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file to be duplicated.
5 Click the Duplicate button. A new file object is created and the Details tab displays.
6 Enter the file name.
7 Upload the file.
8 Make any other additional changes on the Details and Ticket System tabs. (Optional)
9 Click the Save Changes button.
10 Click the Collections tab and assign membership. (Optional)
11 Click the Permissions tab and assign access policies. (Optional)
12 Click the Save Changes button.
Review file history
To view file history:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file.
5 Click the File History tab. For more information see File History tab.
Delete a file
To delete a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
Retrieve a file
A user with ISA permission over a file can retrieve it.
To retrieve a file:
1 Select Retrieve | Retrieve File from the menu.
2 Select the file to retrieve.
3 Click the Current File tab.
4 Complete the following fields:
Table 60. Current File tab fields
Field name
Description
Release Reason
Used to provide a brief description of the reason for the file release. May be optional, required or not allowed, depending on configuration.
Reason Code
Reason codes will appear if they have been configured by the System Administrator. Reason codes streamline the request process, and may be optional, required, or not allowed depending on how they are configured.
Ticket System
May be required, based on configuration.
Ticket Number
May be required, based on configuration. If the ticket number fails validation the ISA will not be able to retrieve the file.
5 Click the Retrieve File button.
List files
The List Files option allows you to export the file data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline work sheet.
To list files:
1 Select Systems, Accounts, & Collections | Files | List Files from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for the file, select the file and click the Collections tab.
7 To view the permissions assigned to the file, select the file and click the Permissions tab.
16 Auto Discovery - LDAP Integration
• Introduction
• Source tab
• Add a LDAP data source
• Add user/system template
• Delete a LDAP system/user mapping
• Discover accounts on auto discovered systems
Introduction
TPAM can be configured to integrate with LDAP, LDAPS, Novell® NDS and Windows Active Directory® to
automatically detect, enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the LDAP data source as a system in TPAM
• Add templates for the systems and/or users you want to import
• Set up the LDAP Directory Mapping
• Confirm that the Auto Discovery Agent is running
LDAP directory mapping
To configure the LDAP Directory Mapping, information is entered on the following tabs in the TPAM interface:
Table 61. LDAP Directory Mapping: TPAM interface tabs
Tab name | Description
Source | Define the source for the LDAP data and collision strategies for integrating users or systems. Also specify the group/collection and template to be used for mapping integrated users/systems.
Template | Displays selected template details when clicking the "eye" button below the template list.
Source tab
The table below explains all of the options available on the LDAP Source tab. The field names and collision
strategy questions and answers will differ based on whether you are mapping systems or users.
TIP: Hover your mouse over the buttons on this page for descriptions of how each button functions. Click
the help buttons for more details on the Filter and Template Name fields.
Table 62. LDAP Directory Mapping: Source tab options
LDAP Directory (Required? Yes)
    Select a system from the list. The system must be set up as a Windows® AD, LDAP, LDAPS or Novell® NDS system in TPAM.
TPAM Collection Name (Required? Yes)
    Enter the name of the TPAM Collection for these systems. This needs to be a collection name that does not already exist in TPAM; membership changes are not allowed outside this mapping.
TPAM Group Name (Required? Yes)
    Enter the name of the TPAM Group for these users. This needs to be a group name that does not already exist in TPAM; membership changes are not allowed outside this mapping.
System Administrator?
    If selected, any users created are created as system administrator users.
Distinguished Name/Directory Explorer (Required? Yes)
    Click the Plus button to enter the full distinguished name of the source container. The other option is to click the magnifying glass button to browse the LDAP directory and select an entry.
Filter (Required? No)
    Using LDAP filter syntax, you can narrow the results of the Distinguished Name entry. The filter is wrapped with a standard filter used to return only computers or users, based on the type of LDAP mapping. The standard filter syntax is shown in the listing once you enter any text into the filter, but you cannot edit any part of the standard filter. The filter you enter is validated for basic syntax as you edit, but the content is not checked until the Distinguished Name is validated. Valid/invalid syntax is indicated with a green check mark or red X to the left of the text.
Template Name (Required? Yes)
    Select or edit an existing system/user template. Each Distinguished Name/Filter row can be assigned a different template. System/User Templates are used to create systems/users from the LDAP directory source. Any new systems/users added are created in TPAM using the default settings from the template chosen here. This includes all parameters on the Details tab, as well as all the other tabs. Template values only affect new systems/users added from the LDAP container. The template is not used when updating existing systems/users. If the template selected has an Account Discovery profile assigned to it, then the account discovery process will occur at the next scheduled run of the Account Discovery agent.
Automatically Update every... (Required? No; Default: 0)
    Select how often you want TPAM to pull updates from the LDAP directory. The update pulls changes in last name, first name, email, phone number, mobile number, network address, comments/notes and whether the user has been disabled, as well as any system/user that has been added.
    NOTE: This can be set to 0 when the host is unavailable.
Send Messages to... (Required? No; Default: None)
    You have the option of sending an email to a specific user every time an update occurs, or only when failures occur trying to perform an update.
What to do for usernames that conflict with TPAM restricted usernames (Required? Yes; Default: Report as Error)
    Option selected determines how TPAM handles the scenario. Options are:
    • Report as Error
    • Create Unique
System/User name exists in TPAM with no distinguished name mapping (Required? No; Default: No Action)
    Option selected determines how TPAM handles the scenario. Options are:
    • No Action
    • Create Unique TPAM System/User
    • Map to existing
    • Report as Error
System/User name exists in TPAM with a distinguished name mapping (Required? No; Default: No Action)
    Option selected determines how TPAM handles the scenario. Options are:
    • No Action
    • Create Unique TPAM System/User (the system/user will be added as "newsystemname_1" or "newusername_1")
    • Report as Error
What to do when an LDAP Directory system/user mapped to a system/user in TPAM is removed from the source container (Required? No; Default: Leave System/User, Remove mapping)
    Option selected determines how TPAM handles the scenario. Options for systems are:
    • Leave System, remove mapping
    • Soft Delete System, regardless of other mappings, remove mapping
    • Report as Error
    Options for users are:
    • Leave User, remove mapping
    • Disable user in TPAM
    • Report as Error
Ignore Updates to (Required? No; Default: Clear)
    Updates from the mapped data source will always overwrite existing TPAM data. To preserve data which may be updated in TPAM, use Ctrl-Click to select or clear individual columns in the list. TPAM data in the selected columns will not be overwritten by updates from the data source.
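The Filter field wraps whatever you type in a fixed, non-editable type filter and checks your text for basic syntax as you edit. The Python below is an added example, not TPAM code, that models both behaviours so a filter can be tried before it is pasted into a mapping. The standard filters it prepends, (objectClass=computer) and (objectClass=user), are assumptions; the page does not state which filters TPAM actually uses. The escape helper goes slightly beyond the page: it is what you want when a name fragment taken from another source is spliced into a filter, so that the fragment cannot change the filter's structure.

```python
"""Added example, not TPAM code: models the Filter field's behaviour.

wrap_filter():         combines the administrator's filter with the fixed
                       'standard filter' for the mapping type, as the Source tab
                       does. The standard filters below are assumptions.
filter_syntax_ok():    the basic syntax check behind the green check mark / red X.
                       Only the shape is checked; attribute names and values are
                       not, mirroring the note that content is verified later.
escape_filter_value(): RFC 4515 escaping for a value spliced into a filter."""

from __future__ import annotations

# Assumed standard filters, one per mapping type (hypothetical values).
STANDARD_FILTER = {
    "systems": "(objectClass=computer)",
    "users": "(objectClass=user)",
}


def filter_syntax_ok(flt: str) -> bool:
    """True when flt is one parenthesised component with balanced parentheses,
    no empty '()' and no text outside the outer pair."""
    flt = flt.strip()
    if len(flt) < 3 or flt[0] != "(" or flt[-1] != ")":
        return False
    depth = 0
    prev = ""
    for i, ch in enumerate(flt):
        if ch == "(":
            if depth == 0 and i != 0:
                return False       # second top-level component: "(a=1)(b=2)"
            depth += 1
        elif ch == ")":
            if depth == 0 or prev == "(":
                return False       # unbalanced close, or an empty "()"
            depth -= 1
        elif depth == 0:
            return False           # text outside the outer parentheses
        prev = ch
    return depth == 0


def wrap_filter(user_filter: str, mapping_type: str) -> str:
    """Effective filter sent to the directory: standard AND user filter.
    An empty user filter yields the standard filter alone."""
    standard = STANDARD_FILTER[mapping_type]
    user_filter = user_filter.strip()
    if not user_filter:
        return standard
    if not filter_syntax_ok(user_filter):
        raise ValueError(f"invalid LDAP filter syntax: {user_filter!r}")
    return f"(&{standard}{user_filter})"


def escape_filter_value(value: str) -> str:
    """Escape a value per RFC 4515 so that it cannot alter filter structure
    when interpolated: backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


if __name__ == "__main__":
    # Narrow a systems mapping to hosts whose name starts with "web".
    print(wrap_filter("(cn=web*)", "systems"))
    # A value taken from elsewhere is escaped before it is spliced in.
    prefix = escape_filter_value("db(prod)")
    print(wrap_filter(f"(cn={prefix}*)", "systems"))
    for candidate in ["(cn=web*)", "(cn=web", "cn=web", "(a=1)(b=2)"]:
        print(candidate, "->", "green check" if filter_syntax_ok(candidate) else "red X")
```

Note that an unescaped value such as db(prod) still passes the shape check, because its parentheses balance; it simply means something different to the directory. That is why escaping, not syntax validation, is the control against a value rewriting the filter.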
Add a LDAP data source
To add a LDAP data source:
1 Add the LDAP Directory server as a managed system in TPAM. For more details on adding a system see Add a system.
2 Click the Connection tab to configure the details for the functional account, distinguished name and other communication options.
NOTE: When setting up a Windows Active Directory® domain controller for LDAP integration, TPAM relies on the domain name to leverage Active Directory's built-in fail over capabilities. TPAM must be able to resolve the domain name, either via DNS or by adding a mapping in the hosts file. See the System Administrator manual.
3 Click the LDAP Schema tab. This tab is pre-populated with well known attributes and changes to the mappings can be made here. (Optional)
4 Click the Save Changes button.
Add user/system template
Templates must be added to TPAM for the systems and/or users that are found and added to TPAM during the
auto discovery process. The systems and users added to TPAM use the attributes as they have been set on the
template when they are added to TPAM. For instructions on how to add a system template see Add a system
template. For instructions on how to add a user template see Add a user template.
Templates can also be added or edited using the buttons below the Templates list on the Source tab of the LDAP
Directory Mapping.
NOTE: For any template used by LDAP or generic integration that has a WinAD primary authentication type, the primary user ID must be empty, or one of the following values: UPN, UserPrimaryName or SAMAccountName.
If any external authentication is set, the external user ID must still be populated to save the template; however, when a user is created from the template the UserName is used as the default external ID.
Add LDAP user/system mapping
To add a LDAP User/System Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Click the Add Systems or Add Users button.
3 Complete the information on the Source tab:
    1 Select the LDAP Directory.
    2 Enter the TPAM Group/Collection name.
    3 Click the Plus button to add a Distinguished Name and Filter (optional). Click the check box button to validate the DN and the filter. Repeat as needed to add more filters. The validate button will either return the number of discovered entities or an error.
    NOTE: During auto discovery the query will be executed in the order that the filters are listed. This order can be changed by using the arrow buttons on the left of the Filters listing.
    4 Select or create a template. Click the Save Changes button.
    NOTE: Each Distinguished Name/Filter row can have a different template assigned.
    5 Complete the Automatically Update section.
    6 Select the collision strategy choices.
4 Click the Save Changes button. All Distinguished Name/Filter rows must be validated and a template selected before the Save Changes button will enable.
5 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin interface.
For users discovered from LDAP directory, the full primary user ID is set to their distinguished name if primary
authentication is set to LDAP. Similarly, the secondary authentication user ID is set to the distinguished name if
secondary authentication is set to LDAP. This facilitates LDAP directory synchronized Users to be able to login to
TPAM.
Delete a LDAP system/user mapping
To delete a LDAP System/User Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the mapping to delete.
5 Click the Delete button.
When the mapping is deleted, the associations of systems/users with that mapping are removed.
Discover accounts on auto discovered systems
To take auto discovery one step further and discover accounts on a system once it has been found, make sure
that the system template that is selected on the System tab has an account discovery profile assigned. For more
information on Account Discovery see Assign an account discovery profile to a system/system template.
17 Auto Discovery - Generic Integration
• Introduction
• Source tab
• System tab
• User tab
• Add a generic system mapping
• Add a generic user mapping
• Delete a generic system/user mapping
Introduction
TPAM can be configured to integrate with MySQL®, Oracle®, SQL Server® and Sybase® to automatically detect,
enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the database server as a system in TPAM
• Create templates for the systems and/or users you want to import
• Set up the Generic Directory Mapping
• Confirm that the Auto Discovery Agent is running
Generic directory mapping
To configure the Generic Directory Mapping, information is entered on the following tabs in the TPAM interface:
Table 63. Generic Auto Discovery Mappings: TPAM interface tabs
Tab name | Description
Source | Define the source for the data (database server and source SQL query) and define collision strategies.
User | Define the group and template to be used for mapping integrated users.
System | Define the collection and template to be used for mapping integrated systems.
Source tab
Special note regarding MySQL® data sources
If your MySQL® data source contains any columns with string data types which have a collation other than Latin1, you must use the following syntax in your SQL command:
;CharSet=X;YourSQLCommand
The semicolon before CharSet and the one after X are required, and there are no spaces before or after either semicolon. Replace the X with the name of the character set for the collation being used. For example:
;CharSet=utf8;select * from userintegration.usersource
Note that all of the string type columns which are present in the data set must use the same collation. You cannot have one returned column as Latin1 and another as utf8. The CharSet indicator is not needed if your result set contains only numeric, date, or time column types.
The table below explains all of the options available on the Generic Source tab. The collision strategy questions
and answers will differ based on whether you are mapping systems or users.
Table 64. Generic Auto Discovery Mappings: Source tab options
System Name (Required? Yes)
    Enter the data source system name. This must be configured as a managed system in TPAM with a platform type of Sybase®, Oracle®, MySQL®, or MS SQL Server®.
Account Name (Required? Yes)
    Enter the account name. The account must be configured on the system in TPAM and have the permissions to execute the SQL command.
SQL Command (Required? Yes)
    Enter the SQL command that will pull the data from the data source.
Result Set Map (Required? Yes)
    This table is populated after completing the Source, User or System tabs, saving changes and clicking the Test SQL button. After the Source Columns are populated you must map the data to the TPAM Target columns.
    Auto-Map Result Set - Attempts to match Source Columns to Target columns based on column names and types. The code looks for names that match alphanumerically (spaces, case, and punctuation are ignored), have the same data type (char and varchar are interchangeable), and where the width of the source column is less than or equal to the width of the target column. Any column that is not an exact match on type and length is highlighted in bold red text. Hovering the mouse over the target column explains the discrepancy in a hint bubble.
    Clear all target columns - Clears all TPAM Target Column assignments.
    Show only unmapped or multiple mapped - Filters the result set to show only unmapped (no Target Column assigned) or multiple mapped (same target column assigned to 2 or more Source Columns) target columns.
    Show all columns - Removes the filter set by clicking the Show only unmapped[…] button.
    NOTE: The value assigned to the target column labeled UniqueUserID is used to identify one specific user regardless of the user name or data source. For example: you have two Generic Integration Data Sources using a MySQL® database, one for "Management" users and one for "Operations". The data sources both point to the same database, but use different query strings to select the different types of users based on a Department column. A user with UserName of JGreene has just been promoted from Operations to Management. In the MySQL® database you change her department from Operations to Management. When the Generic Integration mappings are processed they see that JGreene no longer appears in the "Operations" source and remove her UserName from the associated group in TPAM. Later they see a "new" user named JGreene in the mapping for the "Management" source. The UniqueUserID value is used to tell TPAM whether this is the same JGreene as before, in which case she is simply added to the new TPAM Group, or a totally new JGreene user that is handled by the collision strategy.
Automatically Update every... (Required? No; Default: 0)
    Select how often you want TPAM to pull updates from the data source. All of TPAM's system parameters (those that can be set by batch system import) can be pulled from the data source. This can be set to 0 when the host is unavailable.
Send Messages to... (Required? No; Default: None)
    You have the option of sending an email to a specific user every time an update occurs, or only when failures occur trying to perform an update.
What to do for usernames that conflict with TPAM restricted usernames (Required? Yes; Default: Report as Error)
    Option selected determines how TPAM handles the scenario. Options are:
    • Report as Error
    • Create Unique
System/User name exists in TPAM with no unique SystemID/UserID mapping (Required? No; Default: No Action)
    Option selected determines how TPAM handles the scenario. Options are:
    • No Action
    • Create Unique TPAM System/User
    • Map to existing
    • Report as Error
System/User name exists in TPAM and a unique SystemID/UserID mapping exists (Required? No; Default: No Action)
    Option selected determines how TPAM handles the scenario. Options are:
    • No Action
    • Create Unique TPAM System/User (the system/user will be added as "newsystemname_1" or "newusername_1")
    • Report as Error
What to do when a computer/user mapped to a TPAM system/user is removed from the source container (Required? No; Default: Leave System/User, Remove mapping)
    Option selected determines how TPAM handles the scenario. Options are:
    • Leave System/User, remove mapping
    • Disable User in TPAM
    • Soft Delete System, regardless of other mappings, remove mapping
    • Report as Error
    NOTE: If a user is a member of more than one group, it will only be disabled when it is removed from all groups.
Ignore Updates to (Required? No; Default: Clear)
    Updates from the mapped data source will always overwrite existing TPAM data. To preserve data which may be updated in TPAM, use Ctrl-Click to select or clear individual columns in the list. TPAM data in the selected columns will not be overwritten by updates from the data source.
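Two parts of the Source tab are precise enough to be worth trying outside the appliance: the ;CharSet=X; prefix from the MySQL note, and the Auto-Map Result Set rule from the Result Set Map field. The Python below is an added example, not TPAM code, that implements both from the descriptions on this page: it splits the CharSet prefix from the SQL command, then auto-maps a result set by comparing names with spaces, case and punctuation ignored, treating char and varchar as interchangeable, and rejecting a source column wider than its target. The column lists are constructed sample data, not TPAM's real target schema.

```python
"""Added example, not TPAM code: two behaviours of the Generic Integration
Source tab, written from the descriptions on this page.

split_charset_prefix(): separates the optional ';CharSet=X;' prefix that the
MySQL note requires from the SQL command that follows it.

auto_map_result_set(): the Auto-Map Result Set rule: a source column maps to a
target column when the names match once spaces, case and punctuation are
ignored, the types agree (char and varchar are interchangeable) and the source
width is not greater than the target width. Name matches that fail the type or
width test are returned as discrepancies (the bold red / hint bubble case).

The column lists are constructed sample data, not TPAM's real target schema."""

from __future__ import annotations

import re
from dataclasses import dataclass

# No spaces allowed around the semicolons, exactly as the MySQL note says.
_CHARSET_PREFIX = re.compile(r"^;CharSet=([^;\s]+);(.*)$", re.DOTALL)


def split_charset_prefix(command: str) -> tuple[str | None, str]:
    """';CharSet=utf8;select ...' -> ('utf8', 'select ...').
    A command without the prefix comes back unchanged with charset None."""
    m = _CHARSET_PREFIX.match(command)
    if m is None:
        return None, command
    return m.group(1), m.group(2)


@dataclass(frozen=True)
class Column:
    name: str
    type: str   # e.g. "varchar", "char", "int", "datetime"
    width: int  # 0 for types without a length


def _name_key(name: str) -> str:
    """Alphanumeric comparison key: spaces, case and punctuation ignored."""
    return re.sub(r"[^0-9a-z]", "", name.lower())


def _type_family(type_name: str) -> str:
    """char and varchar are interchangeable; everything else compares as-is."""
    t = type_name.lower()
    return "char" if t in ("char", "varchar") else t


def auto_map_result_set(source: list[Column], target: list[Column]):
    """Return (mapping, discrepancies).

    mapping:       source column name -> target column name, exact matches only
    discrepancies: source column name -> why the name match was rejected
    Source columns with no target of the same name are left unmapped for the
    administrator to assign by hand."""
    by_key = {_name_key(t.name): t for t in target}
    mapping: dict[str, str] = {}
    discrepancies: dict[str, str] = {}
    for s in source:
        t = by_key.get(_name_key(s.name))
        if t is None:
            continue
        if _type_family(s.type) != _type_family(t.type):
            discrepancies[s.name] = f"type {s.type} does not match {t.name} ({t.type})"
        elif s.width > t.width:
            discrepancies[s.name] = f"width {s.width} exceeds {t.name} width {t.width}"
        else:
            mapping[s.name] = t.name
    return mapping, discrepancies


def unmapped_or_multiple(mapping: dict[str, str], target: list[Column]) -> list[str]:
    """The 'Show only unmapped or multiple mapped' view: target columns with no
    source column assigned, or with two or more assigned."""
    counts = {t.name: 0 for t in target}
    for target_name in mapping.values():
        counts[target_name] += 1
    return sorted(name for name, n in counts.items() if n != 1)


# Constructed sample result set and a stand-in for TPAM's target columns.
SOURCE_COLUMNS = [
    Column("user_name", "varchar", 30),
    Column("Last Name", "varchar", 64),
    Column("email", "varchar", 255),
    Column("phone", "int", 0),
    Column("dept", "varchar", 40),
]
TARGET_COLUMNS = [
    Column("UserName", "varchar", 30),
    Column("LastName", "char", 50),
    Column("Email", "varchar", 100),
    Column("Phone", "varchar", 30),
    Column("UniqueUserID", "varchar", 100),
]

if __name__ == "__main__":
    charset, sql = split_charset_prefix(";CharSet=utf8;select * from userintegration.usersource")
    print(charset, "|", sql)
    mapped, problems = auto_map_result_set(SOURCE_COLUMNS, TARGET_COLUMNS)
    print("mapped:", mapped)
    print("discrepancies:", problems)
    print("needs attention:", unmapped_or_multiple(mapped, TARGET_COLUMNS))
```

With the sample data only user_name maps cleanly; Last Name and email are too wide for their targets, phone is the wrong type, and dept has no target at all, so the "unmapped or multiple mapped" view lists every target except UserName. Note that UniqueUserID is among them: leaving it unmapped is what makes the promoted-user scenario in the NOTE fall through to the collision strategy instead of being recognised as the same person.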
System tab
The table below explains all of the options available on the Generic Auto Discovery System tab. Clicking on the
Edit Template button will take you to the system template page to make your changes.
Table 65. Generic Auto Discovery Mappings: System tab options
TPAM Collection Name (Required? Yes)
    Enter the name of the TPAM Collection for these systems. This needs to be a collection name that does not already exist in TPAM; membership changes are not allowed outside this mapping.
Use Template System/Edit Template (Required? Yes)
    Select or edit an existing system template. System Templates are used to create systems from the Generic data source. Any new systems added are created in TPAM using the default settings from the template chosen here. This includes all parameters on the Systems Details tab, as well as all the other tabs. Template System values only affect new systems added from the generic data source. The template is not used when updating existing systems.
User tab
The table below explains all of the options available on the Generic User tab. Clicking on the Edit Template
button will take you to the user template page to make your changes.
Table 66. Generic Auto Discovery Mappings: User tab options
TPAM Group Name (Required? Yes)
    Enter the name of the TPAM Group for these users. This needs to be a group name that does not already exist in TPAM; membership changes are not allowed outside this mapping.
System Administrator?
    If selected, any users created are created as system administrator users.
Use Template User/Create Template (Required? Yes)
    Select or create a user template. User Templates are used to create users from the generic data source. Any new users added are created in TPAM using the default settings from the template chosen here. This includes all parameters on the User Details tab, as well as the Time Information tab. User templates may also include Group Membership and System/Account/Collection permissions. Template user values only affect new users added from the generic data source. The template is not used when updating existing users.
Add a generic system mapping
To add a Generic System Mapping:
1 Add the generic data source as a managed system in TPAM. For more details see Add a system.
2 Create a system template for systems that are imported through this mapping. For more details see Connection tab.
3 Select Auto Discovery | Generic from the menu.
4 Click the Add Systems button.
5 Complete the information on the Source tab. For more details see Source tab.
6 Click the System tab.
7 Complete the information on the System tab. For more details see System tab.
8 Click the Save Changes button.
9 Click the Test SQL button to retrieve the source column set.
10 Map the source columns to the TPAM target columns.
11 Click the Save Changes button.
12 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin interface.
Add a generic user mapping
To add a Generic User Mapping:
1 Add the generic data source as a managed system in TPAM. For more details see Add a system.
2 Create a user template for users that are imported through this mapping. For more details see Template tab.
3 Select Auto Discovery | Generic from the menu.
4 Click the Add Users button.
5 Complete the information on the Source tab. For more details see Source tab.
6 Click the User tab.
7 Complete the information on the User tab. For more details see User tab.
8 Click the Save Changes button.
9 Click the Test SQL button to retrieve the source column set.
10 Map the source columns to the TPAM target columns.
11 Click the Save Changes button.
12 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin interface.
Delete a generic system/user mapping
To delete a Generic System/User Mapping:
1 Select Auto Discovery | Generic from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the mapping to delete.
5 Click the Delete button.
When the mapping is deleted, the associations of systems/users with that mapping are removed.
18 Application Password Virtual Cache
• Introduction
• Importing the virtual cache
• Boot the cache
• Configure network settings
• Enable remote access
• Change setup password
• Define remote IP address restrictions
• Prepare the cache for enrollment
• Add the cache in the TPAM interface
• Add cache users
• Add cache client hosts
• Add cache trusted root certificates
• Add the cache server
• Cache server permissions
• Cache current status
• Create a cache team
• Remove a cache team member
• Alerts for the cache appliance
• Delete a cache
• List cache server permissions
• Cache logs
• Usage examples
Introduction
The Password Virtual Cache is an add-on product designed to provide additional performance capability and
support distributed architecture deployment for TPAM. It provides extremely fast, concurrent, password
retrieval to support high demand application to application (A2A) requirements. To support this, the data stored
on the cache(s) must be current. The following gives a very high level overview of how this is accomplished.
As cache provisioning data (such as users, accounts, hosts, and permissions) is set up within TPAM, the relevant
data is pushed by TPAM to the virtual cache via secure connection. Passwords that are cached on the virtual
cache need to be updated whenever TPAM changes the account passwords. This is accomplished by pushing the
new password to the cache as soon as the password is successfully changed on the device and stored within
TPAM. The password is updated on the cache within a few seconds of being changed and stored within TPAM.
All updates are pushed from TPAM to the necessary cache(s). The cache does not pull any data from TPAM. If a
cache is restarted for any reason, during the cache initialization, a message will be sent to TPAM requesting that
all data for that cache to be sent to it again. TPAM will then push the required data to the cache.
Retrieval of passwords from the cache is via secure web service using certificate authentication. Using this
technology makes access possible from clients written in numerous programming languages. Client
authentication is described and programming examples are provided later in this document.
To get the cache up and running you must perform the following steps:
• Import the cache file
• Boot the virtual cache
• Configure the network settings
• Enable remote access (Optional)
• Define remote access IP restrictions (Optional)
• Prepare the cache for enrollment
• Add the cache to the TPAM interface
• Test the connection between TPAM and the cache
Importing the virtual cache
The virtual cache is distributed as an open virtual appliance (.OVA) file. There are numerous virtualization
products available which can be used as the host for the virtual cache machine. Please consult your virtual
product's documentation for instructions on deploying the OVA file.
Minimum resources required for the cache are 1 gigabyte of memory and 1 processor. These numbers may need
to be increased depending on the number of account passwords contained in the cache and the number of
requests expected to be made to the cache. Performance improvements will be realized with the allocation of
more memory and additional processor(s) to the cache.
Boot the cache
To boot the cache:
1 Power on the cache using your virtualization product.
2 The appliance will boot to a login prompt.
3 Enter accsetup for the user ID and Setup4ACC as the password. Both the user ID and password are case-sensitive; enter them exactly as shown. This is the only user ID that can be used to connect to the cache, and it can be logged on from the console only. Because this default password is published, change it (see Change setup password) before the cache is placed on the network.
The following menu will appear listing all of the commands available from the configuration console.
Configure network settings
1 Enter 4 and press the ENTER key to configure the network settings.
2 Enter 2 and press the ENTER key.
3 Enter the IP Address for eth0 as prompted and press the ENTER key.
4 Enter the Network Mask for eth0 as prompted and press the ENTER key.
5 Enter the Gateway for eth0 as prompted and press the ENTER key.
6 Enter Y and press the ENTER key to save your changes.
7 From the Manage Network Settings menu, enter 1 and press the ENTER key to display the new running values.
8 If a different network address is required/desired for application access to the cache, enter 3 and press the ENTER key.
9 Repeat steps 3-6 for eth1.
10 Press the ENTER key to return to the Manage Network Settings menu.
11 Enter 4 and press the ENTER key to modify the DNS settings.
12 Enter the DNS IP and press the ENTER key.
13 Enter the Secondary DNS IP and press the ENTER key. (Optional)
14 Enter the DNS Domain and press the ENTER key. (Optional)
15 Enter Y and press the ENTER key to save your changes.
16 Press the ENTER key to return to the Manage Network Settings menu.
17 Enter Q and press the ENTER key to return to the main menu.
Enable remote access
This step allows remote SSH access to the cache appliance setup menu. You may elect to skip this step but be
mindful that Step 4 involves a rather long “enrollment string” that must be provided in the TPAM application
interface when pairing the cache Server to TPAM. Allowing remote SSH access gives you the ability to copy and
paste the string rather than having to write it down and type it in manually. By default remote access to the
cache is disabled.
To enable remote access:
1 From the main menu, enter 5 and press the ENTER key.
2 Enter 2 and press the ENTER key.
3 Enter E and press the ENTER key to enable remote access to the cache.
4 Enter and confirm a password for the raccsetup user.
5 Enter Q and press the ENTER key to return to the main menu.
6 Enter 8 and press the ENTER key to shut down the appliance.
7 Place the cache on your network.
8 Power the virtual appliance on.
9 Using an SSH client, connect to the cache with the user ID raccsetup using the password you just set.
Change setup password
This step allows you to change the password associated with the accsetup account.
To change the password for the accsetup account:
1 From the main menu enter 5 and press the ENTER key.
2 Enter 1 and press the ENTER key.
3 Enter Y and press the ENTER key.
4 Enter the current password and press the ENTER key.
5 Enter the new password and press the ENTER key.
Define remote IP address restrictions
If remote IP address restrictions are configured, the IP address of the remote machine is checked against all restrictions that are entered. If it meets all specified criteria, the login is allowed to proceed.
All restrictions must be entered at one time, comma separated. Wildcards and negation are allowed. An asterisk (*) matches zero or more characters. A question mark (?) matches exactly one character. An exclamation point (!) negates the criterion. For example, with the rule string 192.168.30.*,!192.168.30.???,!192.168.30.1: the first rule, "192.168.30.*", says all IP addresses starting with "192.168.30." are allowed. Then "!192.168.30.???" excludes addresses with exactly three characters after the last dot, that is 192.168.30.100 through 192.168.30.255. Finally, "!192.168.30.1" explicitly excludes 192.168.30.1.
To configure restrictions:
1 From the main cache menu, enter 5 and press the ENTER key.
2 Enter 3 and press the ENTER key.
3 Enter the restriction rules and press the ENTER key.
4 Enter Y and press the ENTER key.
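A wrong rule string locks remote administrators out until someone reaches the console, so it pays to evaluate the string before entering it. The Python below is an added example, not code from the cache appliance, that implements the restriction syntax exactly as described above: comma-separated rules, * for zero or more characters, ? for exactly one, a leading ! for negation, and a login allowed only when every rule is satisfied. How the appliance treats whitespace around rules or an empty rule string is not documented; this version strips whitespace and treats an empty string as "no restrictions", which is an assumption. All addresses used are constructed test values.

```python
"""Added example, not code from the cache appliance: a matcher for the remote
IP address restriction syntax described above, so that a rule string can be
checked before it is typed into the console. Semantics as documented: rules
are comma separated, '*' matches zero or more characters, '?' matches exactly
one, a leading '!' negates the rule, and a login is allowed only when the
address satisfies every rule. Whitespace handling and the empty rule string
are not documented; this version strips whitespace around rules and treats an
empty string as 'no restrictions' (an assumption). All addresses below are
constructed test values."""

from __future__ import annotations

import re


def _rule_to_regex(pattern: str) -> re.Pattern[str]:
    """'192.168.30.???' -> ^192\\.168\\.30\\....$ ; only * and ? are special,
    every other character (including '.') is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_restrictions(rule_string: str) -> list[tuple[bool, re.Pattern[str]]]:
    """Split the comma-separated string into (negated, pattern) pairs."""
    rules = []
    for raw in rule_string.split(","):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        rules.append((negated, _rule_to_regex(raw[1:] if negated else raw)))
    return rules


def login_allowed(remote_ip: str, rule_string: str) -> bool:
    """True when remote_ip meets every rule: a positive rule must match and a
    negated rule must not. With no rules there is no restriction."""
    for negated, pattern in parse_restrictions(rule_string):
        matched = pattern.match(remote_ip) is not None
        if matched == negated:      # positive rule missed, or negated rule hit
            return False
    return True


if __name__ == "__main__":
    RULES = "192.168.30.*,!192.168.30.???,!192.168.30.1"   # the page's example
    for ip in ["192.168.30.50", "192.168.30.100", "192.168.30.1", "10.0.0.5"]:
        print(ip, "->", "allowed" if login_allowed(ip, RULES) else "denied")
```

Because every rule must be satisfied, two positive rules for disjoint ranges (for example 192.168.30.*,10.0.0.*) deny everyone; express alternatives with a single wildcard pattern instead, and check a new rule string against your own address with login_allowed() before saving it. The restriction governs remote logins only; the accsetup login described under Boot the cache is console-only and remains your recovery path.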
Prepare the cache for enrollment
The next step is to prepare the cache for enrollment to your TPAM appliance. This step prepares temporary keys
that will be used to establish the secure connections between cache and your TPAM appliance(s). This step is
best done remotely as the string necessary to enroll the cache is rather long and remote accessing the cache
allows you to copy the string more easily.
To prepare for enrollment:
1 From the main menu, enter 3 and press the ENTER key.
2 When prompted, enter the IP address of the TPAM primary or standalone device, and press the ENTER key.
3 Enter the IP address(es) of the replica(s), if applicable, and press the ENTER key.
4 Enter E and press the ENTER key to enroll the cache.
5 Enter Y and press the ENTER key.
6 Copy the key that is presented. You will need to enter this key in the procedure below.
Add the cache in the TPAM interface
Once the cache virtual has been booted and prepared for enrollment in TPAM it is ready to be configured in the
TPAM interface. The Cache Details page is where the cache is configured.
To configure the cache in the TPAM interface you must perform the following steps:
• Add cache users.
• Add cache client hosts. (Optional)
• Add cache trusted root certificate. (Optional)
• Add and configure the cache server.
Add cache users
To add a cache user:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Select Cache User as the User Type.
4 Applications requesting passwords from the Password Virtual Cache must provide a client certificate in order to be authenticated by the Cache. The client, or user, certificate can be created by TPAM or supplied by the customer. Each certificate is associated with a user of type Cache User in TPAM. Use one of the following methods to select the certificate type:
    • Select User-Supplied. Click the Select File button. Click the Browse button and select the file. Click the Upload button. When uploading a user-supplied certificate, you can upload a PKCS12/PFX file (a password is typically associated with this type of file since it contains a private key) or a PEM-encoded text file (password not required). Additionally, when using a user-supplied certificate, a trusted root certificate that can establish trust in the user certificate must be uploaded to TPAM and assigned to the Cache(s) from which the user will request passwords. This is needed so that applications requesting passwords using this user-supplied certificate can be authenticated by the Cache. See Add cache trusted root certificates.
    • Select Created by TPAM. Click the Download TPAM Root Certificate button to generate the certificate. The generated user certificate must be downloaded and used by applications requesting passwords from the Cache.
5 Enter and confirm the Password. The password is not required if uploading a PEM encoded text file.
6 Click the Save Changes button.
Add cache client hosts
As an extra security precaution you have the option to specify the client host(s) that the cache users are using to
access the cache server.
To configure the client host(s):
1 Select Management | Cache Servers | Manage Client Hosts from the menu.
2 Click the Add Host button.
3 Enter the Network Address for the client host.
4 To enable the host, select the Enabled? check box.
5 Enter a description for the client host. (Optional)
6 Click the Save Changes button.
Add cache trusted root certificates
A trusted root certificate needs to be added to the cache server if a user-supplied certificate is used for a cache
user. To add a root certificate:
1 Select Management | Cache Servers | Manage Trusted Roots from the menu.
2 Click the Add Certificate button.
3 Enter a name for the certificate.
4 Enter a description for the certificate. (Optional)
5 Use one of the following methods to select the certificate source:
• Select Upload certificate file. Click the Select File button. Click the Browse button and select
the file. Click the Upload button.
• Select Enter Certificate. Paste the certificate in the text area.
6 Click the Save Changes button.
Add the cache server
To add a cache server, information is entered on the following tabs in the TPAM interface:
Table 67. Cache Server Management: TPAM interface tabs
Tab name: Description
Details: Define name, network addresses and contact information.
WSDL: XML provided to program the interface to the virtual cache.
Accounts: Where accounts are assigned to the cache.
Root Certificates: Where trusted root certificates are assigned to the cache.
Users: Where cache user IDs are assigned to the cache server.
Hosts: Where you can assign client hosts that are allowed to access this cache server.
To add a cache server in the TPAM interface:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Click the Add Server button.
3 Enter the information on the Details tab. For more information on these fields see Details tab.
4 Click the Save Changes button.
5 Click the Accounts tab. Assign and enable the desired accounts. See Accounts tab for details.
6 Click the Root Certificates tab. Load root certificates. See Root Certificates tab. (Optional)
7 Click the Users tab. Assign users to the cache. See Users tab.
8 Click the Hosts tab. Assign hosts to the cache. See Hosts tab. (Optional)
9 Click the Save Changes button.
10 Click the Permissions button. Assign permissions to the cache. See Cache server permissions.
11 Click the Save Changes button.
Details tab
The table below explains the fields available when adding a cache server in the TPAM interface.
Table 68. Cache Server Management: TPAM interface fields
Field [Required? / Default]: Description
Cache Server Name [Yes]: Descriptive name for the cache.
Enabled? [No / Off]: If selected, this cache server will be available to be assigned to systems.
Secure Bus [Yes]: The network address that TPAM and the cache use to communicate.
Appl Interface [Yes]: The network address that cache user IDs use to access the cache server.
Upload Custom Application Interface Certificate? [No / Off]: A Custom Application Interface Certificate (or server
certificate) for cache servers can be uploaded. This enables the use of third-party certificates as the server
certificate for cache servers. If a custom certificate is not uploaded, a default server certificate will still be
generated by TPAM. Note that for client applications to trust the cache server when requesting passwords, the
client will need to have access to either the root certificate of the CA that generated the Custom Application
Interface Certificate if a custom server certificate is in use on the cache server or the TPAM root certificate
(downloadable from User Management) if the default server certificate generated by TPAM is in use on the cache
server. If the Application Interface Certificate is changed by uploading a custom certificate or by reverting back
to the default certificate by removing a Custom Application Interface Certificate, a restart of the application
running on the cache server is triggered. This will result in unavailability of the cache server for a couple of
minutes.
Description [No]: The description box may be used to provide additional information about the cache, special
notes, business owner, etc.
Retention? [No]: If selected, and the cache server does not communicate with TPAM within X minutes entered in
the Disable After box, the cache server will shut down. This is a safeguard to prevent users retrieving passwords
when the TPAM appliance may be down.
Enroll String [Yes]: The enroll string functions as the key exchange with the cache. The enroll string is provided
by the cache when you execute the prepare to enroll/re-enroll with TPAM option of the Setup menu.
Logging [No]: You have the option of having logs sent to a syslog address and/or a specific email address.
Alerting [No]: You have the option of having alerts sent to an SNMP address and/or a specific email address.
SMTP [No]: Required if you want the cache server to send email notifications.
Use DNS? [No / Off]: If selected, DNS is used to ask for the MX record, specifying the correct server to use for
sending mail.
WSDL tab
On the WSDL (Web Services Description Language) tab the developers can find the XML they need when
programming the interface to the cache server.
Accounts tab
The table below explains all of the options available on the Accounts tab:
Table 69. Cache Server Management: Accounts tab options
Field: Description
System Name: The system name.
Account Name: The account name.
Sys Auto?: Indicates whether the system is auto-managed by TPAM (Y) or not managed (N).
Acct Auto?: Indicates whether the account is auto-managed by TPAM (Y), manually managed (M), not
managed (N), or a member of a synchronized password (S).
Assigned?: If selected, the account is assigned to this cache server. Pressing the Ctrl key and selecting
one row will select or clear all check boxes in the column.
Enabled?: If selected, the password for this account can be retrieved from the cache server. Pressing
the Ctrl key and selecting one row will select or clear all check boxes in the column.
Root Certificates tab
By default TPAM generates its own root certificate that can be assigned to the cache server. You also have the
option to upload your root certificates that can be assigned to the cache server. To add your certificates see Add
cache trusted root certificates. Select the Assigned box to assign the certificate to the cache server and then
click the Save Changes button.
Users tab
The Users tab is where you configure the users that can access the cache server. Select the Assigned? box next
to the users for this cache server and click the Save Changes button.
Hosts tab
Any hosts that you have configured in TPAM are listed on the Hosts tab. See Add cache client hosts to configure
cache client hosts. Select the Assigned? check box next to each host you want to be able to access this cache
server and click the Save Changes button.
Cache server permissions
The cache server permissions page is where you configure the combinations of accounts, users and hosts that
specify who can retrieve which passwords, and from where, on a specific cache server.
IMPORTANT: This page will accommodate a maximum of 512 possible permissions (#users * #accounts *
#hosts) before forcing you to use Update Cache Server Permissions under the Batch Processing menu.
To add permissions:
1 Select Management | Cache Servers | Manage CS Permissions from the menu.
2 Select the cache server from the list.
3 Using the mouse, select the combination of accounts, users, and hosts that you want to configure for the
cache server.
4 Click the Add Items button to add the selections to the list.
5 To remove any combinations on the list select the Select? check box and click the Remove Selected
button.
6 After you are finished adding and removing entries to the list click the Save Changes button.
TIP: You can use Shift-Click and Ctrl-Click mouse gestures to select more than one item on each list. Then
when you click Add Items it adds all combinations of the selected items to the list.
Cache current status
If you click the Current Status button you can see whether the cache server is found/enabled and the current
values for the number of users, hosts, accounts and permissions.
Create a cache team
More than one cache appliance can be added to a "team". Any cache servers added to a team after the first team
member has been added will inherit the accounts, users, and permissions configured for the first team member
and lose any previously configured assignments. As instructed below, the cache server should be "disabled" when
joining a team.
Team members will become mirror images of one another, so that if needed users can be redirected to use
another cache server team member for password requests. Once a cache server is a team member, any changes
in assignments on a team member will affect assignments on all team members.
To create a cache team:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Enter the filter criteria and click the Listing tab.
3 From the list select the cache that will act as the initial cache team member.
4 Click the Details tab.
5 Enter the team name in the HA Team Name box. This box will only appear for enrolled cache servers.
6 Click the Save Changes button.
7 Click the Listing tab.
8 Select the cache server you want to add to the team. This cache will act as a mirror image of the first
team member.
9 Click the Details tab.
10 If selected, clear the Enabled check box.
11 Click the Save Changes button.
12 Enter the same exact team name from Step 5 in the HA Team Name box. This box will only appear for
enrolled cache servers.
13 Click the Save Changes button.
14 Select the Enabled check box.
15 Click the Save Changes button.
16 Repeat steps 8-15 to add additional team members.
Remove a cache team member
When a cache server is removed from a team, it will retain all its existing account, user and permission
configurations but will no longer receive any updates or changes to these relationships. It will lose these
configurations if it is assigned to a new team.
To remove a cache team member:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Enter the filter criteria and click the Listing tab.
3 Select the cache server to be removed from the team.
4 Click the Details tab.
5 If selected, clear the Enabled check box.
6 Click the Save Changes button.
7 Delete the team name from the HA Team Name box.
8 Click the Save Changes button.
9 Select the Enabled check box.
10 Click the Save Changes button.
Alerts for the cache appliance
There are alerts that are issued from the Cache server when specific situations arise. These alerts can be
subscribed to through the /admin interface. These alerts are listed under the Cache Server Component Name on
the Alerts tab.
In addition to the alerts above, these alerts can also be generated by the cache server (% shows variable data):
"Alert from Password Cache Appliance: Communication with TPAM restored. AlertDate: %"
"Alert from Password Cache Appliance: Communication with TPAM has failed. AlertDate: %"
"Alert from Password Cache Appliance: The Password Cache(%) at % is shutting down because there has been no
communication to/from TPAM for over % minutes AlertDate: %"
"Alert from Password Cache Appliance: The Password Cache needs to be disabled and re-enabled to complete
configuration changes. AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate with any SMTP servers returned in the MX lookup
for %. No mail will be sent. AlertDate: %"
"Alert from Password Cache Appliance: Unable to locate MX records for %: % AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate to the SMTP server at %. No mail will be sent.
AlertDate: %"
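The alert texts above are fixed templates with % marking variable data, which makes them easy to match on the syslog or email side. The following Python is an added example written for this guide section, not TPAM's own code: it turns each documented template into a pattern, classifies incoming lines, and orders them for triage. The syslog prefix on the sample lines, the sample values, and the severity labels are this example's own assumptions; the guide does not specify any of them.

```python
"""Classify Password Cache Appliance alerts received over syslog or email.

Added example, not TPAM's own code. ALERT_TEMPLATES are the alert texts the
guide documents; SEVERITY, the syslog prefix and the values in SAMPLE_LINES
are constructed for this example.
"""
import re

PREFIX = "Alert from Password Cache Appliance: "

# Documented alert texts; % marks variable data exactly as in the guide.
ALERT_TEMPLATES = {
    "tpam_comm_restored": "Communication with TPAM restored. AlertDate: %",
    "tpam_comm_failed": "Communication with TPAM has failed. AlertDate: %",
    "cache_shutdown": ("The Password Cache(%) at % is shutting down because there "
                       "has been no communication to/from TPAM for over % minutes "
                       "AlertDate: %"),
    "reenable_required": ("The Password Cache needs to be disabled and re-enabled "
                          "to complete configuration changes. AlertDate: %"),
    "smtp_mx_unreachable": ("Unable to communicate with any SMTP servers returned "
                            "in the MX lookup for %. No mail will be sent. AlertDate: %"),
    "mx_lookup_failed": "Unable to locate MX records for %: % AlertDate: %",
    "smtp_unreachable": ("Unable to communicate to the SMTP server at %. "
                         "No mail will be sent. AlertDate: %"),
}

# Triage severity is an assumption of this example, not a TPAM setting:
# losing contact with TPAM (and the shutdown that follows) matters most.
SEVERITY = {
    "tpam_comm_failed": "high",
    "cache_shutdown": "high",
    "reenable_required": "medium",
    "tpam_comm_restored": "info",
    "smtp_mx_unreachable": "low",
    "mx_lookup_failed": "low",
    "smtp_unreachable": "low",
}


def _compile(template):
    """Escape the literal pieces of a template and capture each % non-greedily."""
    parts = [re.escape(p) for p in template.split("%")]
    return re.compile(re.escape(PREFIX) + "(.+?)".join(parts) + r"\s*$")


PATTERNS = {name: _compile(t) for name, t in ALERT_TEMPLATES.items()}


def classify(line):
    """Return (name, severity, captured fields) or None for a non-alert line."""
    for name, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return name, SEVERITY[name], [g.strip() for g in m.groups()]
    return None


def triage(lines):
    """Return the alerts found in a batch of lines, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    found = [r for r in (classify(line) for line in lines) if r]
    return sorted(found, key=lambda r: order[r[1]])


# Constructed sample lines: syslog prefix, host names, addresses and dates are made up.
SAMPLE_LINES = [
    "Mar  3 10:15:22 pvc01 cache: Alert from Password Cache Appliance: "
    "Communication with TPAM has failed. AlertDate: 2015-03-03 10:15:22",
    "Mar  3 10:45:30 pvc01 cache: Alert from Password Cache Appliance: "
    "The Password Cache(pvc01) at 192.0.2.10 is shutting down because there has been "
    "no communication to/from TPAM for over 30 minutes AlertDate: 2015-03-03 10:45:30",
    "Mar  3 10:46:01 pvc01 cache: Alert from Password Cache Appliance: "
    "Unable to locate MX records for example.org: NXDOMAIN AlertDate: 2015-03-03 10:46:01",
    "Mar  3 10:50:00 pvc01 sshd[412]: Accepted publickey for admin from 192.0.2.20",
]

if __name__ == "__main__":
    for name, severity, fields in triage(SAMPLE_LINES):
        print(f"{severity:6} {name:20} {fields}")
```

The shutdown alert is the one to watch: it fires only when Retention? is enabled and the cache has lost contact with TPAM for longer than the Disable After value, so a high-severity rule on it, paired with the "Communication with TPAM has failed" alert that precedes it, gives early warning that the cache is about to stop serving passwords.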
Delete a cache
To delete a cache:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the cache to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
List cache server permissions
To view a list of existing cache server permissions:
1 Select Management | Cache Servers | List CS Permissions from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
Cache logs
On the cache console there are a variety of logs that can be viewed.
To view cache logs:
1 From the cache console main menu enter 6 and press the ENTER key.
2 Enter the number for the log you wish to view and press the ENTER key.
Usage examples
Any programming language capable of invoking secure web services over SSL/TLS using client certificates for
authentication can be used to request passwords from the Password Virtual Cache. Below are some examples of
requesting a password from the Cache using various programming languages. In all cases, the WSDL file,
available within TPAM for each Cache, is used to generate web service client code that is used by the client
application when requesting passwords.
For brevity, in each example, only one password is retrieved and displayed, and there is no error handling.
Note that if a nonzero value is returned when invoking the web service method handleRequestWS, a descriptive
reason for the failure is provided in place of the password. This can prove useful when setting up accounts,
users, and permissions for the Cache within the TPAM web interface.
Perl
Perl package SOAP::Lite can be used when requesting passwords from the Cache.
The first thing to do is to generate client stubs from the WSDL file. The SOAP::Lite package contains a Perl
script named stubmaker.pl that can generate the client stubs. Assuming the WSDL file is named cache.wsdl,
execute the following command to generate the client stub file:
perl path\to\stubmaker.pl file:cache.wsdl
A file named HandlePWRequestService.pm will be created. You can see by editing this file that it uses
SOAP::Lite, so this package must be present on the machine where the Perl application will be run.
Next, create the Perl application that will use the client stub file generated by stubmaker.pl, and add code to
request a password. Here is a very simple example, in a file named perlclient.pl.
use strict;
use warnings;
use HandlePWRequestService;   # client stub generated by stubmaker.pl

my $certfile = "cacheuser.p12";   # cache user certificate (PKCS12 with private key)
my $certpw   = "CertPassword";
my $system   = "linux10";
my $account  = "linuxacct1";

# SOAP::Lite's HTTPS transport takes the client certificate from these variables.
$ENV{HTTPS_PKCS12_FILE}     = $certfile;
$ENV{HTTPS_PKCS12_PASSWORD} = $certpw;

my $pwservice = HandlePWRequestService->new;
my @rc = $pwservice->handleRequestWS($system, $account);
# $rc[0] is the return code; $rc[1] is the password, or the failure reason if $rc[0] != 0.
print "rc=$rc[0], password=$rc[1]\n";
The output from execution of "perl perlclient.pl" is:
rc=0, password=linuxacct1pw
There are other Perl packages besides SOAP::Lite that can be used to generate web service client stubs and
request passwords, but SOAP::Lite is one of the simplest.
NOTE: Perl installations vary due to different versions of Perl itself and different versions of installed Perl
modules. The differences in installations may sometimes keep this simple example from working as
expected. Also, for simplicity, this client intentionally omits some security checks such as server
certificate validation and server host name validation.
Java®
This Java® example was created using MyEclipse™. For this example, a Java® project has been created, and
within that project, packages sample.client and sample.generated have been created.
Within MyEclipse, use the New Web Service Client tool and provide the location of the WSDL file. MyEclipse will
generate the client web service code (have the tool put the generated code in the package sample.generated).
Next, create a new Java® class in package sample.client, and write the code that requests a password. This
example shows setting of the keystore and truststore properties inline, but this can also be done by providing
the appropriate arguments when starting the Java® application.
package sample.client;

import javax.xml.ws.Holder;
import sample.generated.HandlePWRequest;
import sample.generated.HandlePWRequestService;

public class Client {
    public static void main(String[] args)
    {
        // Cache user certificate (PKCS12) presented as the client credential.
        System.setProperty("javax.net.ssl.keyStore", "path\\to\\cacheuser.p12");
        System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
        System.setProperty("javax.net.ssl.keyStorePassword", "CertPassword");
        // Need to convert parRootCA.crt downloaded from TPAM
        // into jks type truststore using Java's keytool:
        // keytool -importcert -trustcacerts -file parRootCA.crt -keystore truststore.jks
        System.setProperty("javax.net.ssl.trustStore", "path\\to\\truststore.jks");
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "TruststorePassword");

        HandlePWRequestService service = new HandlePWRequestService();
        HandlePWRequest port = service.getHandlePWRequestPort();
        Holder<String> pw = new Holder<String>();
        int rc = port.handleRequestWS("linux10", "linuxacct1", pw);
        if (rc == 0)
        {
            System.out.println("Password is " + pw.value);
        }
        else
        {
            // On failure pw.value carries the reason, not a password.
            System.err.println("Request failed: rc=" + rc + ", msg=" + pw.value);
        }
    }
}
The output from execution of the Java® client application is:
Password is linuxacct1pw
Other IDEs that are used for Java® development should also provide a way to generate the client stub code from
the WSDL.
C#
This C# example was created using Visual Studio® 2010. For this example, a C# Console Application has been
created.
Within Visual Studio, use the Add Service Reference tool and provide the location of the WSDL file. In this
example, when adding the service reference, we named it HandlePWRequestReference. Visual Studio will
generate the client web service code, and then the client application can make use of that reference. Now, add
the code that requests a password.
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

namespace CacheWSClient
{
    class Program
    {
        static void Main(string[] args)
        {
            // For testing, we'll accept the server certificate instead of
            // having to put the trusted root in our certificate store.
            ServicePointManager.ServerCertificateValidationCallback =
                (sender, certificate, chain, sslPolicyErrors) => true;
            // The configuration file created when adding the service reference
            // does not indicate that the client credential is certificate. The
            // configuration file can be modified for this, or override as below.
            // Create a BasicHttpBinding and set credential type to certificate.
            var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
            binding.Security.Transport.ClientCredentialType =
                HttpClientCredentialType.Certificate;
            // The Cache is at 192.168.30.241.
            var ea = new EndpointAddress
                ("https://192.168.30.241/HandlePWRequestService/HandlePWRequest");
            // Get a reference to the web service.
            var client = new HandlePWRequestReference.HandlePWRequestClient(binding, ea);
            // Get our client certificate.
            client.ClientCredentials.ClientCertificate.Certificate =
                new X509Certificate2("path\\to\\cacheuser.p12", "CertPassword");
            string pw;
            // Invoke the web service to get the password.
            var rc = client.handleRequestWS(out pw, "linux10", "linuxacct1");
            if (rc == 0)
            {
                Console.WriteLine("Password is {0}", pw);
            }
            else
            {
                Console.WriteLine("Request failed: rc={0}, msg={1}", rc, pw);
            }
        }
    }
}
The output from execution of the C# client application is:
Password is linuxacct1pw
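The Perl example notes that it omits server certificate and host name validation, and the C# example accepts any server certificate "for testing". In production the client should verify the cache server against the TPAM root certificate (or the CA that issued a Custom Application Interface Certificate, as the Details tab describes) while presenting the cache user certificate. The Python below is an added example written for this section, not TPAM's or the guide's own code. It assumes the cache user certificate and trust anchor are available as PEM files (the guide allows PEM for user-supplied certificates; the samples above use PKCS12), reuses the endpoint path from the C# sample, and uses placeholder SOAP element names (handleRequestWS, system, account, rc, password) that must be replaced with the names in the Cache's WSDL tab. The sample responses are constructed.

```python
"""Request a password from the Password Virtual Cache with server validation kept on.

Added example, not TPAM's code. Assumptions: PEM client certificate and CA file;
SOAP element names are placeholders to be taken from the Cache's WSDL;
SAMPLE_OK and SAMPLE_DENIED are constructed responses.
"""
import http.client
import ssl
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENDPOINT_PATH = "/HandlePWRequestService/HandlePWRequest"  # path shown in the C# sample


def build_cache_tls_context(ca_pem=None, client_cert_pem=None,
                            client_key_pem=None, key_password=None):
    """TLS context that authenticates the cache server and presents the cache user cert."""
    # ca_pem: TPAM root certificate or the custom CA, as PEM (None = system trust store).
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Keep the checks the Perl and C# samples switch off.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, client_key_pem, key_password)
    return ctx


def context_is_strict(ctx):
    """True when the context validates the chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def build_request(system, account):
    """SOAP envelope for handleRequestWS; element names are placeholders."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, "handleRequestWS")
    ET.SubElement(req, "system").text = system      # ElementTree escapes the values
    ET.SubElement(req, "account").text = account
    return ET.tostring(env, encoding="unicode")


def parse_response(xml_text):
    """Return (rc, value); value is a password only when rc == 0."""
    rc = value = None
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local == "rc":                # placeholder element names
            rc = int(el.text)
        elif local == "password":
            value = el.text or ""
    if rc is None:
        raise ValueError("response carries no return code")
    return rc, value


def interpret(rc, value):
    """A nonzero rc means value is a failure reason: never treat it as a secret."""
    if rc == 0:
        return {"ok": True, "password": value}
    return {"ok": False, "rc": rc, "reason": value}


def request_password(host, system, account, ctx, port=443):
    """Perform the request over mutual TLS (not exercised offline)."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    conn.request("POST", ENDPOINT_PATH, body=build_request(system, account).encode(),
                 headers={"Content-Type": "text/xml; charset=utf-8"})
    data = conn.getresponse().read()
    conn.close()
    return interpret(*parse_response(data))


# Constructed responses; the element names mirror the placeholders above.
SAMPLE_OK = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    '<handleRequestWSResponse><rc>0</rc><password>linuxacct1pw</password>'
    '</handleRequestWSResponse></soap:Body></soap:Envelope>'
)
SAMPLE_DENIED = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    '<handleRequestWSResponse><rc>1</rc>'
    '<password>permission not found for user, account and host (constructed)</password>'
    '</handleRequestWSResponse></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(interpret(*parse_response(SAMPLE_OK)))
    print(interpret(*parse_response(SAMPLE_DENIED)))
```

Keeping interpret() separate from the transport matters because of the behaviour described at the top of this section: on a nonzero return code the service places a failure reason where the password would be, so a client that logs or stores the second field unconditionally will either leak passwords into logs or write diagnostic text into a credential store.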
19
Batch Processing
• Introduction
• Advanced file settings
• Import user IDs
• Import systems
• Import accounts
• Import or update collections
• Import or update groups
• Add or drop collection members
• Add or drop group members
• Batch update user IDs
• Batch update systems
• Batch update accounts
• Batch update PSM accounts
• Batch update permissions
• Batch update cache server permissions
• Cancel a batch process
• View batch job history
Introduction
For ease of administration, new systems, accounts, and users can be imported into TPAM. Also if mass changes
are needed these same entities can be updated without having to make individual changes one at a time in the
GUI. The following sections will describe the various import and update options available in TPAM.
Advanced file settings
Advanced File Settings are an option on all of TPAM’s batch processing pages. These settings allow the user to
specify in more detail how TPAM should process the upload file. The table below explains all of the Advanced
File Settings options.
Table 70. Advanced File Settings options
Field [Default]: Description
Column headers in first non-blank row? [Detect]: Possible values are Yes, No and Detect.
Skip first X non-blank rows [0]: If Yes is selected for Column Headers, then TPAM will skip the first X non-blank
rows before the header. If No is selected for Column Headers, then TPAM will skip the first X non-blank rows.
Skip first X rows of data, after header, if found [0]: If Yes is selected for Column Headers, then TPAM will skip the
first X rows of data after the header. If No is selected for Column Headers, then TPAM will skip the first X rows
of data.
Only process X rows of data, not including header [0; 0 = all]: If Yes is selected for Column Headers, then TPAM
will process X rows of data not including the header. If No is selected for Column Headers, then TPAM will
process X rows of data.
Row Delimiters [Auto detect]: Possible values are CR (carriage return)/LF (line feed), LF only, CR only and Other.
Column Delimiters [Auto detect]: Possible values are Tab, comma-separated value (CSV), or Other.
Text Delimiter [Double Quote (")]: Any single character allowed, but usually either single or double quotes
(' or "). Can only be changed when Column Delimiter is set to Other.
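Because the Advanced File Settings decide which rows become the header and which become data, it is worth seeing the same rules applied to a file before it is uploaded. The Python below is an added example for this section, not TPAM's own processing code: it mirrors the options in Table 70 (header Yes/No/Detect, the two skip counts, the row limit, and the row, column and text delimiters) over an in-memory file. The "Detect" heuristic, the sample file and its column names are this example's assumptions; the real column names for any import come from the Show Template button.

```python
"""Local pre-check that mirrors TPAM's Advanced File Settings (Table 70).

Added example, not TPAM's code. The Detect heuristic, SAMPLE_FILE and its
column names are constructed for this example.
"""
import csv
import re


def split_rows(text, row_delimiter="Auto"):
    """Row Delimiters option: CRLF, LF, CR, any other string, or auto-detect."""
    named = {"CRLF": "\r\n", "LF": "\n", "CR": "\r"}
    if row_delimiter == "Auto":
        return re.split(r"\r\n|\r|\n", text)
    return text.split(named.get(row_delimiter, row_delimiter))


def detect_column_delimiter(sample_row):
    """Column Delimiters auto-detect: tab if it outnumbers commas, else comma."""
    return "\t" if sample_row.count("\t") > sample_row.count(",") else ","


def looks_like_header(cells):
    """Detect option (assumption): every cell is non-empty and not a number."""
    return all(c.strip() and not re.fullmatch(r"[-+]?\d+(\.\d+)?", c.strip())
               for c in cells)


def process_upload(text, column_headers="Detect", skip_nonblank=0, skip_data=0,
                   max_rows=0, row_delimiter="Auto", column_delimiter="Auto",
                   text_delimiter='"'):
    """Return (header, rows) as TPAM would read the file under these settings.

    rows are dicts keyed by header name when a header is used, else lists.
    """
    rows = [r for r in split_rows(text, row_delimiter) if r.strip()]  # blanks never count
    rows = rows[skip_nonblank:]                        # "Skip first X non-blank rows"
    if not rows:
        return None, []
    if column_delimiter == "Auto":
        delim = detect_column_delimiter(rows[0])
    elif column_delimiter in ("Tab", "CSV"):
        delim = "\t" if column_delimiter == "Tab" else ","
        text_delimiter = '"'                           # only changeable for Other
    else:
        delim = column_delimiter
    parsed = list(csv.reader(rows, delimiter=delim, quotechar=text_delimiter))
    header = None
    if column_headers == "Yes" or (column_headers == "Detect" and looks_like_header(parsed[0])):
        header, parsed = parsed[0], parsed[1:]
    parsed = parsed[skip_data:]                        # "Skip first X rows of data"
    if max_rows:                                       # "Only process X rows"; 0 = all
        parsed = parsed[:max_rows]
    if header:
        return header, [dict(zip(header, r)) for r in parsed]
    return None, parsed


# Constructed sample upload: a comment line, a header, a blank line and three rows.
SAMPLE_FILE = (
    "# exported 2015-03-03 (constructed sample)\n"
    "UserName,FirstName,LastName,TimeZone\n"
    "jdoe,Jane,Doe,Guam\n"
    "\n"
    '"asmith, contractor",Alex,Smith,Server\n'
    "bwong,Bo,Wong,Eastern\n"
)

if __name__ == "__main__":
    header, rows = process_upload(SAMPLE_FILE, skip_nonblank=1)
    print(header)
    for row in rows:
        print(row)
```

Run against SAMPLE_FILE with "Skip first X non-blank rows" left at 0, the comment line becomes the candidate header and, under Detect, is rejected as a header because its cells are not all non-empty text, so every following line including the real header is treated as data. Setting the skip count to 1 is what makes TPAM read the file as intended, which is the kind of off-by-one these settings exist to correct.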
Import user IDs
Rather than individually adding users to TPAM, they may be bulk imported. Importing users can ease
administrative burden and expedite migration to TPAM.
When importing users it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
To create an import file:
1 Select Batch Processing | Import UserIDs from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
As of the writing of this manual, the valid local time zone values for a user are those in the list
below. As needed Dell Software will post OS patches on the Customer Portal to update time zone
information. Any portion of the time zone name may be used as long as it is unique. For example, using
"Guam" will find only one time zone but using "02:00" or "US" will find multiple entries. A value of
"Server" sets the user to follow the Server time zone.
Table 71. Time zones
(UTC+04:00) Abu Dhabi, Muscat
(UTC+09:30) Adelaide
(UTC-09:00) Alaska
(UTC+02:00) Amman
(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
(UTC-07:00) Arizona
(UTC+06:00) Astana
(UTC-04:00) Asuncion
(UTC+02:00) Athens, Bucharest
(UTC-04:00) Atlantic Time (Canada)
(UTC+12:00) Auckland, Wellington
(UTC-01:00) Azores
(UTC+03:00) Baghdad
(UTC-08:00) Baja California
(UTC+04:00) Baku
(UTC+07:00) Bangkok, Hanoi, Jakarta
(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
(UTC+02:00) Beirut
(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
(UTC-05:00) Bogota, Lima, Quito
(UTC-03:00) Brasilia
(UTC+10:00) Brisbane
(UTC+01:00) Brussels, Copenhagen, Madrid, Paris
(UTC-03:00) Buenos Aires
(UTC+02:00) Cairo
(UTC+10:00) Canberra, Melbourne, Sydney
(UTC-01:00) Cape Verde Is.
(UTC-04:30) Caracas
(UTC) Casablanca
(UTC-03:00) Cayenne, Fortaleza
(UTC-06:00) Central America
(UTC-06:00) Central Time (US & Canada)
(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
(UTC-07:00) Chihuahua, La Paz, Mazatlan
(UTC) Coordinated Universal Time
(UTC+12:00) Coordinated Universal Time+12
(UTC-02:00) Coordinated Universal Time-02
(UTC-11:00) Coordinated Universal Time-11
(UTC-04:00) Cuiaba
(UTC+02:00) Damascus
(UTC+09:30) Darwin
(UTC+06:00) Dhaka
(UTC) Dublin, Edinburgh, Lisbon, London
(UTC-05:00) Eastern Time (US & Canada)
(UTC+06:00) Ekaterinburg
(UTC+12:00) Fiji
(UTC-04:00) Georgetown, La Paz, Manaus, San Juan
(UTC-03:00) Greenland
(UTC-06:00) Guadalajara, Mexico City, Monterrey
(UTC+10:00) Guam, Port Moresby
(UTC+02:00) Harare, Pretoria
(UTC-10:00) Hawaii
(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
(UTC+10:00) Hobart
(UTC-05:00) Indiana (East)
(UTC-12:00) International Date Line West
(UTC+09:00) Irkutsk
(UTC+05:00) Islamabad, Karachi
(UTC+02:00) Istanbul
(UTC+02:00) Jerusalem
(UTC+04:30) Kabul
(UTC+03:00) Kaliningrad, Minsk
(UTC+05:45) Kathmandu
(UTC+08:00) Krasnoyarsk
(UTC+08:00) Kuala Lumpur, Singapore
(UTC+03:00) Kuwait, Riyadh
(UTC+12:00) Magadan
(UTC-02:00) Mid-Atlantic
(UTC) Monrovia, Reykjavik
(UTC-03:00) Montevideo
(UTC+04:00) Moscow, St. Petersburg, Volgograd
(UTC-07:00) Mountain Time (US & Canada)
(UTC+03:00) Nairobi
(UTC-03:30) Newfoundland
(UTC+02:00) Nicosia
(UTC+07:00) Novosibirsk
(UTC+13:00) Nuku'alofa
(UTC+09:00) Osaka, Sapporo, Tokyo
(UTC-08:00) Pacific Time (US & Canada)
(UTC+08:00) Perth
(UTC+12:00) Petropavlovsk-Kamchatsky Old
(UTC+04:00) Port Louis
(UTC-03:00) Salvador
(UTC+13:00) Samoa
(UTC-04:00) Santiago
(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb
(UTC-06:00) Saskatchewan
(UTC+09:00) Seoul
(UTC+11:00) Solomon Is., New Caledonia
(UTC+05:30) Sri Jayawardenepura
(UTC+08:00) Taipei
(UTC+05:00) Tashkent
(UTC+04:00) Tbilisi
(UTC+03:30) Tehran
(UTC+08:00) Ulaanbaatar
(UTC+11:00) Vladivostok
(UTC+01:00) West Central Africa
(UTC+01:00) Windhoek
(UTC+10:00) Yakutsk
(UTC+06:30) Yangon (Rangoon)
(UTC+04:00) Yerevan
7 Save the file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on
the Import Users page.
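The time zone rule above (any portion of the name, provided it is unique; "Server" for the server time zone) is easy to get wrong in a bulk file, and a rejected row only shows up after the upload. The Python below is an added example for this section, not TPAM's own matching code: it applies that rule to the time zone column of prepared import rows so ambiguous or unknown values can be corrected first. TIME_ZONES is a constructed excerpt of Table 71 (use the full table in practice); the column name, the sample rows, case-sensitive matching and skipping empty values are this example's assumptions, since the guide does not state them.

```python
"""Pre-check the time zone column of an Import UserIDs file.

Added example, not TPAM's code. TIME_ZONES is an excerpt of Table 71
constructed for the example; SAMPLE_ROWS and the column name are made up.
"""

TIME_ZONES = [
    "(UTC-06:00) Central Time (US & Canada)",
    "(UTC-05:00) Eastern Time (US & Canada)",
    "(UTC-07:00) Mountain Time (US & Canada)",
    "(UTC-08:00) Pacific Time (US & Canada)",
    "(UTC+10:00) Guam, Port Moresby",
    "(UTC+02:00) Harare, Pretoria",
    "(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius",
    "(UTC-02:00) Mid-Atlantic",
    "(UTC) Dublin, Edinburgh, Lisbon, London",
]


def resolve_time_zone(value, table=TIME_ZONES):
    """Return ('ok', name), ('ambiguous', matches) or ('unknown', []).

    Matching is a case-sensitive substring test; the guide says "any portion
    of the time zone name" and does not state case handling (assumption).
    """
    value = value.strip()
    if value == "Server":                      # follow the TPAM server time zone
        return "ok", "Server"
    matches = [tz for tz in table if value in tz]
    if len(matches) == 1:
        return "ok", matches[0]
    if matches:
        return "ambiguous", matches
    return "unknown", []


def check_import_rows(rows, column="TimeZone", table=TIME_ZONES):
    """Return (row_number, value, problem) for rows whose time zone would not resolve.

    Empty values are skipped on the assumption that the column is optional.
    """
    problems = []
    for number, row in enumerate(rows, start=1):
        value = row.get(column, "").strip()
        if not value:
            continue
        status, detail = resolve_time_zone(value, table)
        if status == "ambiguous":
            problems.append((number, value, "matches: " + "; ".join(detail)))
        elif status == "unknown":
            problems.append((number, value, "no time zone name contains this text"))
    return problems


# Constructed rows mirroring the examples in the text: Guam is unique,
# "02:00" and "US" each match several entries.
SAMPLE_ROWS = [
    {"UserName": "jdoe", "TimeZone": "Guam"},
    {"UserName": "asmith", "TimeZone": "02:00"},
    {"UserName": "bwong", "TimeZone": "US"},
    {"UserName": "cjones", "TimeZone": "Server"},
    {"UserName": "dlee", "TimeZone": "Atlantis"},
    {"UserName": "efox", "TimeZone": ""},
]

if __name__ == "__main__":
    for number, value, problem in check_import_rows(SAMPLE_ROWS):
        print(f"row {number}: {value!r}: {problem}")
```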
To load the import users file into TPAM:
1 Select Batch Processing | Import UserIDs from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Enter an import comment. This comment will be saved with the import history. (optional)
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
As the user IDs are being imported the results will be displayed on the Details tab. There will be a count
of the number of users successfully imported and error messages for any user IDs that did not import.
To view import history:
1 Select Batch Processing | Import UserIDs from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
Import systems
Rather than individually adding systems to TPAM, they may be bulk imported. Importing systems can ease
administrative burden and expedite migration to TPAM.
When importing systems it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
To create an import file:
1 Select Batch Processing | Import Systems from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Systems page.
7 Save the file.
To load the import systems file into TPAM:
1 Select Batch Processing | Import Systems from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Enter an import comment. This comment will be saved with the import history. (optional)
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the systems are being imported the results will be displayed on the Details tab. There will be a count
of the number of systems successfully imported and error messages for any systems that did not import.
NOTE: Platform Name is not required when importing systems if a system template is being used or if a
default template has been defined in TPAM.
To view import history:
1 Select Batch Processing | Import Systems from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
To cancel a System Import:
1 Select Batch Processing | Import Systems from the main menu.
2 Click the History tab.
3 Select the import you want to cancel.
4 Click the Cancel Batch button.
NOTE: A System Import can only be cancelled if the Start Date column on the History tab is still null.
Import accounts
Rather than individually adding accounts to TPAM, they may be bulk imported. Importing accounts can ease
administrative burden and expedite migration to TPAM.
When importing accounts it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
To create an import file:
1 Select Batch Processing | Import Accounts from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Accounts page.
7 Save the file.
To load the import accounts file into TPAM:
1 Select Batch Processing | Import Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Enter an import comment. This comment will be saved with the import history. (optional)
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the accounts are being imported the results will be displayed on the Details tab. There will be a count
of the number of accounts successfully imported and error messages for any accounts that did not
import.
To view import history:
1 Select Batch Processing | Import Accounts from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
To cancel an Account Import:
1 Select Batch Processing | Import Accounts from the main menu.
2 Click the History tab.
3 Select the import you want to cancel.
4 Click the Cancel Batch button.
NOTE: An Account Import can only be cancelled if the Start Date column on the History tab is still null.
Import or update collections
In TPAM you can mass add, update or delete collection names.
To create the file:
1 Select Batch Processing | Import/Update Collections from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Collections page.
7 Save the file.
To load the changes into TPAM:
1 Select Batch Processing | Import/Update Collections from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.
• To drop all rows, select the Drop option.
• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
NOTE: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1 Select Batch Processing | Import/Update Collections from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
Import or update groups
In TPAM you can mass add, update or delete group names.
To create the file:
1 Select Batch Processing | Import/Update Groups from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Groups page.
7 Save the file.
To load the changes into TPAM:
1 Select Batch Processing | Import/Update Groups from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.
• To drop all rows, select the Drop option.
• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Details tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1 Select Batch Processing | Import/Update Groups from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
Add or drop collection members
Rather than individually adding/editing collection members in TPAM, they may be bulk loaded.
To create the membership file:
1 Select Batch Processing | Add/Drop Collection Members from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Collection Membership page.
7 Save the file.
To load the collection changes into TPAM:
1 Select Batch Processing | Add/Drop Collection Members from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.
• To drop all rows, select the Drop option.
• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Details tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1 Select Batch Processing | Add/Drop Collection Members from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
Add or drop group members
Rather than individually adding/editing group members in TPAM, they may be bulk loaded.
To create the membership file:
1 Select Batch Processing | Add/Drop Group Members from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Group Membership page.
7 Save the file.
To load the group changes into TPAM:
1 Select Batch Processing | Add/Drop Group Members from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.
• To drop all rows, select the Drop option.
• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1 Select Batch Processing | Add/Drop Group Members from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
Batch update user IDs
In cases where a large number of user IDs require edits, batch updates can be performed using CSV or .txt files
as input.
To create a batch update file:
1 Select Users & Groups | List UserIDs.
2 Create a CSV or Excel file using List UserIDs with the data you want to update. See for the steps to create the file.
3 Open the file.
4 If you exported the User Listing to Excel, delete the first row in the file.
5 Select Batch Processing | Update UserIDs from the main menu.
6 Select the update action to be taken on each row.
• To delete all rows, select the Delete option. Skip to step 9.
• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step 7.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each user ID.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Users page.
10 Save the file.
To upload the batch update file into TPAM:
1 Select Batch Processing | Update UserIDs from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1 Select Batch Processing | Update UserIDs from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1 Select Batch Processing | Update UserIDs from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.
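A batch that has started processing can no longer be cancelled (the Start Date column is set), and a Delete row removes the user ID outright, so a wrong file is best caught before Process File is clicked. The script below is an added example, not TPAM code or anything from this guide: it pre-checks a batch update file the way the procedure above describes it, detecting the leftover title row of an Excel export, verifying that every row has as many fields as the header, that the key column is present, non-empty and unique, and that in Specified in File mode every Update Action value is D or U (with the Delete or Update button the column is ignored, so the script applies the button's action to every row). It accepts CSV and tab delimited input. The key column name UserName and the sample rows are constructed assumptions; the real column names are listed on the Update Users page. The Update Systems, Update Accounts and Update Cache Server Permissions files that follow use the same Update Action convention, so the same check applies to them with a different key column.

```python
"""Pre-flight check for a TPAM-style batch update file (CSV or tab delimited).

Added example, not TPAM code. Assumptions: the key column is named
"UserName" and the sample rows below are constructed; the real column
names are listed on the Update Users page in TPAM.
"""
import csv
import io
from collections import Counter

UPDATE_ACTION_COL = "Update Action"
VALID_ACTIONS = {"D", "U"}                  # D = delete, U = update
MODES = {"Delete", "Update", "Specified in File"}


def sniff_delimiter(header_line):
    """TPAM accepts comma or tab delimited files; a tab in the header means tab."""
    return "\t" if "\t" in header_line else ","


def validate_batch_file(text, key_column, mode):
    """Return (rows, errors). Row numbers are 1-based with the header as row 1,
    which is what the operator sees in a spreadsheet."""
    if mode not in MODES:
        raise ValueError(f"unknown update action mode: {mode!r}")
    if not text.strip():
        return [], ["file is empty"]
    records = list(csv.reader(io.StringIO(text),
                              delimiter=sniff_delimiter(text.splitlines()[0])))
    header = [h.strip() for h in records[0]]
    errors = []
    # An Excel export of a TPAM listing has a title row above the headers;
    # the guide says to delete it before uploading.
    if sum(1 for h in header if h) == 1 and len(records) > 1 and len(records[1]) > 1:
        return [], ["row 1 looks like a report title, not a header row; delete it"]
    if any(not h for h in header):
        errors.append("header contains an empty column name")
    dupes = sorted(h for h, n in Counter(header).items() if n > 1)
    if dupes:
        errors.append(f"duplicate header columns: {dupes}")
    if key_column not in header:
        errors.append(f"key column {key_column!r} missing from header")
    per_row = mode == "Specified in File"
    if per_row and UPDATE_ACTION_COL not in header:
        errors.append(f"{mode} mode requires an {UPDATE_ACTION_COL!r} column")
    if errors:
        return [], errors

    rows, seen = [], set()
    for lineno, fields in enumerate(records[1:], start=2):
        if not any(f.strip() for f in fields):
            continue                                # blank line
        if len(fields) != len(header):
            errors.append(f"row {lineno}: expected {len(header)} fields, got "
                          f"{len(fields)} (unquoted delimiter inside a value?)")
            continue
        row = dict(zip(header, (f.strip() for f in fields)))
        key = row[key_column]
        if not key:
            errors.append(f"row {lineno}: empty {key_column}")
            continue
        if key in seen:
            errors.append(f"row {lineno}: duplicate {key_column} {key!r}")
            continue
        seen.add(key)
        if per_row:
            action = row[UPDATE_ACTION_COL].upper()
            if action not in VALID_ACTIONS:
                errors.append(f"row {lineno}: {UPDATE_ACTION_COL} must be D or U, "
                              f"got {row[UPDATE_ACTION_COL]!r}")
                continue
            row[UPDATE_ACTION_COL] = action
        else:
            # Delete / Update buttons apply to every row; the file's column is ignored.
            row[UPDATE_ACTION_COL] = "D" if mode == "Delete" else "U"
        rows.append(row)
    return rows, errors


def summarize(rows):
    """Deletes vs updates, so the blast radius is known before Process File."""
    counts = Counter(r[UPDATE_ACTION_COL] for r in rows)
    return {"delete": counts["D"], "update": counts["U"]}


# Constructed sample files (not TPAM exports).
SAMPLE_OK = ("UserName,Update Action,EmailAddress\n"
             "alice,U,alice@example.com\n"
             "bob,D,\n"
             "carol,u,carol@example.com\n")
SAMPLE_TITLE_ROW = "User Listing\n" + SAMPLE_OK
SAMPLE_BAD_ROWS = ("UserName,Update Action,EmailAddress\n"
                   "alice,X,alice@example.com\n"
                   "bob,D,bob@example.com,extra\n"
                   "alice,U,alice@example.com\n"
                   ",U,nobody@example.com\n")

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("title", SAMPLE_TITLE_ROW), ("bad", SAMPLE_BAD_ROWS)]:
        found, problems = validate_batch_file(sample, "UserName", "Specified in File")
        print(name, summarize(found), problems)
```

Run it against the exported file before uploading; an empty error list and a delete count that matches what you intended is the go signal, and the report-title check replaces the manual "delete the first row" step when the listing came out of Excel.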
Batch update systems
In cases where a large number of systems require edits, batch updates can be performed using CSV or .txt files
as input.
To create a batch update file:
1 Select Systems, Accounts, & Collections | Systems | List Systems.
2 Create a CSV or Excel file using List Systems with the data you want to update. See List systems for the steps to create the file.
3 Open the file.
4 If you exported the System Listing to Excel, delete the first row in the file.
5 Select Batch Processing | Update Systems from the main menu.
6 Select the update action to be taken on each row.
• To delete all systems, select the Delete option. Skip to step 9.
• To update all systems, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step 7.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each system.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Systems page.
10 Save the file.
To upload the batch update file into TPAM:
1 Select Batch Processing | Update Systems from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1 Select Batch Processing | Update Systems from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1 Select Batch Processing | Update Systems from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.
Batch update accounts
In cases where a large number of accounts require edits, batch updates can be performed using CSV or .txt files
as input.
To create a batch update file:
1 Select Systems, Accounts, & Collections | Accounts | List Accounts.
2 Create a CSV or Excel file using List Accounts with the data you want to update. See List accounts for the steps to create the file.
3 Open the file.
4 If you exported the Account Listing to Excel, delete the first row in the file.
5 Select Batch Processing | Update Accounts from the main menu.
6 Select the update action to be taken on each row.
• To delete all rows, select the Delete option. Skip to step 9.
• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step 7.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each account.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Accounts page.
10 Save the file.
To upload the batch update file into TPAM:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.
Batch update PSM accounts
Batch updating PSM accounts allows mass updating of the PSM settings for accounts.
For details on the update values available see PSM Details tab.
To create a batch update file:
1 Select Systems, Accounts, & Collections | Accounts | List PSM Accounts.
2 Create a CSV or Excel file using List PSM Accounts with the data you want to update. See List PSM accounts for the steps to create the file.
3 Open the file.
4 If you exported the Account Listing to Excel, delete the first row in the file.
5 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update PSM Accounts page.
6 Save the file.
To upload the batch update file into TPAM:
1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.
Batch update permissions
System, Account, File, Collection, User and Group permissions can be updated through Update Permissions.
To create an import file:
1 Select Batch Processing | Update Permissions from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the batch update permissions file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Permissions page.
7 Save the file.
To load the batch update file into TPAM:
1 Select Batch Processing | Update Permissions from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.
• To drop all rows, select the Drop option.
• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
8 Click the Process File button.
9 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view batch update history:
1 Select Batch Processing | Update Permissions from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
To cancel a batch update:
1 Select Batch Processing | Update Permissions from the main menu.
2 Click the History tab.
3 Select the batch you want to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
Batch update cache server permissions
Cache server permissions can be updated through Update Cache Server Permissions.
To create an import file:
1 Select Management | Cache Servers | List CS Permissions from the main menu.
2 Create a CSV or Excel file using List CS Permissions with the data you want to update. See List cache server permissions for the steps to create the file.
3 Open the file.
4 If you exported the listing to Excel, delete the first row in the file.
5 Select Batch Processing | Update Cache Server Permissions from the main menu.
6 Select the update action to be taken on each row.
• To delete all rows, select the Delete option. Skip to step 9.
• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step 7.
IMPORTANT: If the Delete or Update button is selected, the Update Action column in the file is ignored.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each row.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Cache Server Permissions page.
10 Save the file.
To load the batch update file into TPAM:
1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
6 Click the Process File button.
7 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view batch update history:
1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
To cancel a batch update:
1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 Click the History tab.
3 Select the batch you want to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
Cancel a batch process
NOTE: We do not recommend canceling a batch job unless the wrong file was selected for processing or if
there is a degradation in the TPAM appliance performance as a result of the batch job.
To cancel a batch import/update that is still running:
1 Select Batch Processing | Manage Batches from the main menu.
2 Enter your filter criteria on the Filter tab and click the Listing tab.
3 Select the batch job on the Listing tab.
4 Click the Details tab.
5 Click the Cancel Select Batch button.
6 Enter the text displayed to continue with the batch job cancellation and click the Continue button.
View batch job history
To view batch job history:
1 Select Batch Processing | Manage Batches from the main menu.
2 Enter your filter criteria on the Filter tab and click the Listing tab.
3 Select the batch job on the Listing tab and click the Details tab.
20 PSM Connection Profiles
• Introduction
• Add a PSM connection profile
• Delete a PSM connection profile
• Assign a PSM connection profile
Introduction
PSM connection profiles allow for overriding the default connection parameters during a session. These
connection profiles can be modified by the Administrator to specify other connection settings for mainframe
connections.
The table below explains the options on the PSM Connection profile page.
Table 72. PSM Connection profile page options
Profile Type: PSM Connection should be selected from the list. Required: Yes. Default: PSM Connection.
Proxy Type: This PSM connection profile will only be available for sessions using the proxy type selected from the list. Required: Yes.
Domain User Format: This option is available for SSH - Automatic Login Using Password, RDP - Automatic Login Using Password, and RDP Through SSH - Automatic Login Using Password. When connecting to a PSM session using a domain account you may adjust the format of the account here. Enter a string using the words account and/or domain with other characters as necessary. Any text entered other than the words account and domain will be used as-is. Common formats are account@domain (default) and domain\account. Required: No.
Profile Name: Enter a unique profile name. Required: Yes.
Description: Enter descriptive text for the profile. Required: No.
Alternate Port: Option to enter an alternate port for the connection. Required: No.
SSL: Option for x3270 and x5250 proxy types. If selected, SSL will be used during the connection. Required: No. Default: Off.
Custom Command: Option for x3270 and x5250 proxy types. This command is sent at the beginning of the connection. Required: No.
Post-Auth Control Char: Option for x3270 and x5250 proxy types. Used in conjunction with the post-auth command: after the password is typed, the post-auth control char is pressed, followed by the post-auth command. Required: No.
Post-Auth Command: Option for x3270 and x5250 proxy types. Used in conjunction with the post-auth control char. Required: No.
Add a PSM connection profile
To add a connection profile:
1 Select Management | Profile Management from the menu.
2 Select PSM Connection from the Profile Type list.
3 Click the New Profile button.
4 Select a proxy type from the list.
5 Enter a unique name for the profile.
6 Enter a description for the profile. (optional)
7 Enter an alternate port. (optional)
8 Complete the fields as described in the table above.
9 Click the Save Changes button.
Delete a PSM connection profile
To delete a connection profile:
1 Select Management | Profile Management from the menu.
2 Select PSM Connection as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A connection profile can only be deleted if it is not assigned to any accounts.
Assign a PSM connection profile
PSM connection profiles can be assigned using the Batch Update PSM Accounts function, or by following the
procedure below.
To assign a connection profile to an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts.
2 Select the account on the Listing tab.
3 Click the PSM Details tab.
4 Select the profile from the Custom Connection Profile list.
5 Click the Save Changes button.
21 Post Session Processing Profiles
• Introduction
• Add a post session processing profile
• Delete a post session processing profile
• Assign a post session processing profile
Introduction
Post session processing profiles can be used to trigger specific events after a session request has expired. For
post session profiles to take effect, the System Administrator must have enabled the Post Session Processing
Agent in the /admin interface.
Add a post session processing profile
To add a post session processing profile select Management | Profile Management from the menu.
Click the New Profile button.
The table below explains the options on the Profile Editor page:
Table 73. Profile Editor page options
Profile Type: Post Session Processing should be selected from the list. Required: Yes. Default: Account Auto Discovery.
Profile Name: Enter a unique profile name. Required: Yes.
Description: Enter descriptive text for the profile. Required: No.
Check Password of all Managed Accounts on the requested System?: If selected, the passwords of all managed accounts on the requested system will be checked after the session expires. Passwords are only changed if a mismatch is found and the account has the "reset on mismatch" check box selected on its Check Password Profile. Required: No. Default: Off.
Trigger post-release processing for requested account's password?: If selected, the password will be treated as if it were released, which triggers post-release processing for managed accounts and synchronized password subscribers. Synchronized password subscribers are processed in priority order. If any of the subscribers fail to change, the agent stops and tries again based on the Synch Pass Change agent retry interval setting. If the prioritized subscribers succeed but some non-prioritized subscribers fail, the failures will be processed by the regular change agent. Manual subscribers are scheduled with the regular manual change agent. Required: No. Default: Off.
Send an email to the Primary Contact on the System?: If selected, once the session expires the primary contact for the system will be sent an email notifying them that the session is over. Required: No. Default: Off.
Other E-Mail Notification: Option to enter additional email addresses to notify when the session expires. Up to 255 characters can be entered, using commas to separate multiple email addresses. Required: No.
Enter the settings as desired and click the Save Changes button.
Delete a post session processing profile
To delete a post session processing profile:
1 Select Management | Profile Management from the menu.
2 Select Post Session Processing from the Profile Type list.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A post session processing profile can only be deleted if it is not assigned to any accounts.
Assign a post session processing profile
Post session processing profiles can be assigned using the Update PSM Accounts function, or by following the
procedure below.
To assign a post session processing profile to an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts.
2 Select the account on the Listing tab.
3 Click the PSM Details tab.
4 Select the profile from the Post Session Profile list.
5 Click the Save Changes button.
22 Privileged Command Management
• Introduction
• Add a command
• Commands to assist with authentication
• Duplicate a command
• Delete a command
• Create access policy with the command
• Assign access policy to user or group
• Setup requirement for Windows®
Introduction
Privileged command management provides command control for administrative tasks that require elevated
credentials. The commands a user can execute using privileged session manager can be controlled.
Add a command
The first step in using privileged command management (PCM) is setting up the commands. PCM comes with a set of
default commands, but custom commands can be added.
To add a command:
1 Select Management | Command Management from the main menu.
2 Click the Add Command button.
3 Enter the Command Name.
4 Enter the Command Text.
5 Enter the Working Directory.
6 Enter the Description of the command. (optional)
7 Click the Save Changes button.
8 Click the Proxy Types tab.
9 Select the Proxy Types for this command.
10 Click the Save Changes button.
Commands to assist with authentication
The following placeholders can be used in the command text:
• :accountname: - passes the requested account name
• :accountpwd: - passes the requested account password
• :myaccount: - passes the TPAM user name.
These can be passed on the command line during a PSM session to facilitate authentication. Keep in mind that a command line is visible to anyone on the target system who can list running processes (for example with ps or Task Manager) and may be recorded in shell history or command auditing, so use :accountpwd: only where the program being launched offers no other way to receive the password.
Duplicate a command
For the ease of creating commands that are similar, commands can be duplicated.
To duplicate a command:
1 Select Management | Command Management from the main menu.
2 Select the command to duplicate.
3 Click the Duplicate Command button.
4 Edit the Command Name, Command Text, Working Directory and Description as needed.
5 The proxy types are inherited from the duplicated command. Click the Proxy Types tab to edit the proxy types.
6 Click the Save Changes button.
Delete a command
To delete a command:
1 Select Management | Command Management from the main menu.
2 Select the command to delete.
3 Click the Delete Command button.
4 Click the OK button on the confirmation window.
NOTE: A command cannot be deleted if it is associated with an Access Policy.
Create access policy with the command
Once the commands have been created, the next step is to create an access policy that includes this command.
To add a command to an Access Policy:
1 Select Management | Access Policies from the main menu.
2 Click the Add Policy button.
3 Enter a unique policy name. This is the name that appears in the list when selecting it for assignment, so be as descriptive as possible.
4 Enter a description. This information is only visible to administrators when editing the policy. (optional)
5 Select the Command check box.
6 Select the command from the list.
7 Select the REQ check box.
8 To add another command to the access policy click the Add button.
9 Repeat steps 5, 6 and 7.
10 Click the Save Changes button.
Assign access policy to user or group
Once the access policy is created, it can be assigned to a user or group for permissions on Systems, Accounts, Files or Collections. The example below covers assigning the access policy to a group of users for a system. Access policies can also be assigned through the update permissions batch process.
To assign the access policy to a user or group:
1 Select Users & Groups | Groups | Manage Groups from the main menu.
2 Enter filter criteria to find the appropriate group.
3 Click the Listing tab.
4 Select the group.
5 Click the Permissions tab.
6 Enter the filter criteria to find the system.
7 Click the Results tab.
8 Select the system.
9 Select the access policy from the list.
10 Click the single green check icon.
11 Click the Save Changes button.
When a user in this group submits a session request on this system, they are only allowed to execute the command(s) specified in the access policy during the session.
Setup requirement for Windows®
For Windows® 7, Server 2008 and Server 2012, additional configuration is required for privileged command management to work. The values below govern whether Remote Desktop Services will start a program that is not on the host's RemoteApp allow list.
Configure the following registry values on the Windows® server:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnlistedRemotePrograms = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fTurnOffSingleAppMode = [REG_DWORD, value: 00000000]
The first value is the one written by the Group Policy setting "Allow remote start of unlisted programs" (Remote Desktop Services | Remote Desktop Session Host | Connections); setting it through Group Policy keeps it from being reverted on the next policy refresh.
If the above does not work, additionally modify/add:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\HonorLegacySettings = [REG_DWORD, value: 00000001]
ControlSet001 is normally the control set that CurrentControlSet points to; confirm this with the Current value under HKEY_LOCAL_MACHINE\SYSTEM\Select before editing it directly.
NOTE: fAllowUnlistedRemotePrograms = 1 allows any program, not only the commands TPAM publishes, to be started through a RemoteApp connection on that host. Apply it only on hosts whose remote sessions are brokered by TPAM, where the access policy is what limits the user to the configured command(s).
23 Restricted Commands
• Introduction
• Add a restricted command profile
• Assign profile to access policy
• Restricted command account settings
• Command detection during a session
Introduction
Restricted command profiles enable the TPAM administrator to restrict the commands that can be executed during a session, and/or put notifications in place when specific commands are executed.
IMPORTANT: Restricted command detection works by monitoring the target system from the DPA, so it cannot always detect and terminate a command when it is executed. Some commands complete before TPAM has time to detect them. Treat the feature as a detective control with best-effort enforcement rather than as a guarantee that a restricted command never runs.
Restricted commands are limited to Windows® and *nix platforms. The restricted command functionality also requires a DPA.
To configure restricted commands you must perform the following steps:
• Add a restricted command profile.
• Add the restricted command profile to an access policy.
• Assign the access policy to a user or group for a system or account.
• Enable the account to capture events during a session.
System requirements for restricted commands
There are requirements for the target system that must be met in order for restricted commands to be detected during PSM sessions. For Windows® and *nix platforms, the PPM functional account is used to detect the commands being run on the target system. The relevant configuration discussed below pertains to the PPM functional account.
*nix platforms
In order to detect and kill processes on *nix systems, the DPA connects to and monitors the target system using SSH. The following commands must be executable on the target system by the functional account in order to detect and kill processes:
• uname
• echo
• kill
• "ps -ef" or "ps -axlww", depending on the *nix variant
• "netstat -ntp", "sockstat -c4", or "lsof -i -n -P", depending on the *nix variant
Delegation prefixes (for example sudo) are supported for the relevant platforms. Because the functional account must be able to kill processes owned by the session user, it needs root privileges for kill, either directly or through a delegation prefix; scope that delegation to the commands listed above rather than granting the functional account unrestricted sudo.
Windows®
In order to detect and kill processes on Windows®, the DPA connects to and monitors the target system using WMI. There are a number of items that must be configured to allow these WMI connections, which may include but are not limited to setting up remote WMI access, setting WMI CIMV2 namespace security, setting DCOM security to allow remote access and launch, altering firewall settings to allow the WMI traffic, and handling UAC. Notes related to UAC are provided when executing Test Event Configuration.
Additionally, various security events must be generated by Windows® to identify the beginning and end of PSM sessions. For operating systems prior to Windows® Vista, events with event identifiers 528 (successful logon), 538 (logoff), 551 (user-initiated logoff), 682 (session reconnected) and 683 (session disconnected) must be generated. For Windows® Vista and later, the corresponding events are 4624, 4634, 4647, 4778 and 4779. These events are only written when the matching audit policy is enabled: Audit logon events on the older systems, and the Logon, Logoff and Other Logon/Logoff Events subcategories on Vista and later. Note that restricted command detection for operating systems prior to Windows® XP and Windows Server 2003 is not supported.
Add a restricted command profile
To add a restricted command profile:
1 Select Management | Profile Management from the main menu.
2 Select Restricted Command from the Profile Type list.
3 Click the New Profile button.
4 Enter a unique profile name.
5 Select one or both notification types for the commands in the profile:
• Notify via Alert? - If a command has the Notify? check box selected and the command is detected during a session, an SNMP alert is sent. The system administrator must subscribe to the SNMP session events alert in the /admin interface.
• Notify via Email? - If a command has the Notify? check box selected and the command is detected during a session, an email is sent to the email addresses listed. Multiple email addresses can be entered separated by a semi-colon. You can also enter :System: or :Account: to have the notification sent to the system or account contacts.
6 Click the Add Cmd Detail button.
7 Select the platform(s) that the command applies to:
• *nix? - any UNIX® type platform.
• Win? - Windows® platform.
8 Enter the command. The command text accepts a regular expression pattern to identify the name of the command executable to be restricted. For Windows® commands, TPAM searches the process name and parameters. For *nix commands, TPAM searches the process name and parameters in the output of the relevant "ps" command. Because the pattern is matched against the whole command line, anchor it (for example ^rm\s) where only the executable name should match, and keep in mind that a name-based pattern can be evaded by copying or symlinking the binary under another name.
9 Select the Notify? check box to be notified when this command is detected during a session.
10 Select one of the following actions for when the command is detected:
• Do Nothing - nothing is done to stop the session.
• Kill Command - the command is terminated, but the session is left open.
IMPORTANT: The command can only be terminated if TPAM has time to detect the command before it finishes running.
• Kill Login - the login to the remote system is terminated, but the session remains open.
• Kill Session - the current session to the remote system is terminated.
NOTE: None of the actions above will cancel the session request.
11 To add additional commands to the profile repeat steps 6-10.
12 Click the Save Changes button.
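As an added illustration of the *nix detection path described under "System requirements for restricted commands" (the DPA reading "ps" output over SSH and matching each Cmd Detail regular expression against process name and parameters) and of the per-command actions in step 10, the following Python is example code written for this guide; it is not TPAM or DPA code. The "ps -ef" output, the profile patterns, the use of the session's TTY to scope matching to one session, and the rule that the most severe matched action decides the session's fate are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Actions ranked by impact on the session (assumed ranking for tie-breaking).
ACTION_RANK = {"Do Nothing": 0, "Kill Command": 1, "Kill Login": 2, "Kill Session": 3}


@dataclass(frozen=True)
class RestrictedCommand:
    """One 'Cmd Detail' row of a restricted command profile."""
    pattern: str      # regular expression matched against name + parameters
    action: str       # one of the keys of ACTION_RANK
    notify: bool = False


# Constructed profile; the patterns are hypothetical, not from the guide.
PROFILE = (
    RestrictedCommand(r"^rm\s+-rf\s+/", "Kill Command", notify=True),
    RestrictedCommand(r"^(sudo\s+)?su\b", "Kill Session", notify=True),
    RestrictedCommand(r"\btcpdump\b", "Do Nothing", notify=True),
)

# Constructed `ps -ef` output as the DPA might read it over SSH.
PS_EF_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
oracle    4120  4101  0 09:15 pts/2    00:00:00 -bash
oracle    4188  4120  0 09:16 pts/2    00:00:00 rm -rf /var/log/audit
oracle    4190  4120  0 09:16 pts/2    00:00:00 sudo su -
root      4195  4120  0 09:17 pts/2    00:00:00 tcpdump -i eth0 -w cap.pcap
admin     5001  5000  0 09:18 pts/3    00:00:00 rm -rf /tmp/build
"""


def parse_ps_ef(output):
    """Return (pid, tty, cmdline) for each process line of `ps -ef` output."""
    procs = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)              # CMD keeps its own spaces
        if len(fields) < 8:
            continue
        procs.append((int(fields[1]), fields[5], fields[7]))
    return procs


def detect(procs, profile, session_tty):
    """Match every process on the session's TTY against the profile."""
    hits = []
    for pid, tty, cmdline in procs:
        if tty != session_tty:                    # only the monitored session
            continue
        for rule in profile:
            if re.search(rule.pattern, cmdline):
                hits.append({"pid": pid, "cmdline": cmdline,
                             "pattern": rule.pattern, "action": rule.action,
                             "notify": rule.notify})
    return hits


def session_action(hits):
    """The most severe action among the hits decides what happens to the session."""
    if not hits:
        return "Do Nothing"
    return max(hits, key=lambda h: ACTION_RANK[h["action"]])["action"]


def pids_to_kill(hits):
    """PIDs the DPA would `kill` for 'Kill Command' hits, in ascending order.

    A process may already have exited by the time the poll ran (the race the
    IMPORTANT note above describes), so the caller must treat a kill of a
    vanished PID as a non-fatal condition.
    """
    return sorted(h["pid"] for h in hits if h["action"] == "Kill Command")


def notifications(hits):
    """Command lines for which an SNMP alert or e-mail would be raised."""
    return [h["cmdline"] for h in hits if h["notify"]]


if __name__ == "__main__":
    found = detect(parse_ps_ef(PS_EF_SAMPLE), PROFILE, session_tty="pts/2")
    for h in found:
        print(f"pid {h['pid']:>5}  {h['action']:<12}  {h['cmdline']}")
    print("session action:", session_action(found))
    print("kill:", pids_to_kill(found))
```

Running the block shows the "rm -rf /tmp/build" on pts/3 being ignored because it belongs to another session, while the three hits on pts/2 produce one PID to kill and, because one hit is a "Kill Session" rule, a session kill overall.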
Assign profile to access policy
Once a restricted command profile has been created, the next step is to assign the profile to an access policy.
To assign a restricted command profile to an access policy:
1 Select Management | Access Policies from the main menu.
2 Filter for an existing access policy or click the Add Policy button to add a new one.
3 Select the Record Events check box.
4 Select the restricted command profile from the list.
5 Click the Save Changes button.
6 The access policy then needs to be assigned to the appropriate user or group for a system or account.
Restricted command account settings
To complete command restriction for an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter filter criteria for the specific account and click the Listing tab.
3 Select the account and click the PSM Details tab.
4 The Enable PSM Sessions? check box must be selected.
5 The proxy connection type must be one of the following:
• RDP - Automatic Login Using Password
• RDP - Interactive Login
• SSH - Automatic Login Using Password
• SSH - Automatic Login Using DSS key
• SSH - Interactive Login
• Telnet - Automatic Login Using Password
• Telnet - Interactive Login
6 Click the Test Event Configuration button.
7 If the test was successful, select the Capture Events? check box.
Command detection during a session
If a restricted command is executed during a session, the user sees one of the following, depending on how the restricted command profile is configured [screenshots of the messages omitted]:
• If the profile is configured to kill the command, the user is shown a message and the command is terminated.
• If the profile is configured to kill the login, the user is shown a message and the login to the remote system is terminated.
• If the profile is configured to kill the session, the user is shown a message and the session is closed a few seconds later.
24 Archive Session Logs
• Introduction
• Configure session log archive settings
• Configure session log archive server
• Test the archive server
• View archive files
• View archive log
• Delete a session log archive server
• Clear a stored system host entry
Introduction
This chapter covers the configuration and settings for session log archiving.
Configure session log archive settings
Session logs can be archived to external storage to ensure that physical resources on the appliance are not exhausted. You must set how old logs may be before they are transferred, as well as the retention period for the logs on the appliance and on the external storage.
To configure session log archive settings select Management | Session Mgmt | Archive Settings from the menu. The table below explains the options on the Session Logs Archival Settings page:
Table 74. Session Logs Archival Settings page options

Max Age in Days for session log archival (0-90)
  Description: The maximum period of time that session logs are maintained on the appliance. Session logs older than the n value are sent to the archive server. Valid values are 0 to 90 days.
  Required: Yes
  Default: 1

Max Age in days for session log deletion (1-999)
  Description: Session logs are permanently deleted from TPAM or from the archive server after they become older than y days. This setting is limited by the Session Request Retention Period in global settings.
  Required: Yes
  Default: 90
  CAUTION: Session logs are deleted regardless of their location, whether stored on TPAM or on an archive server. If the value (y) to delete session logs is less than the value (n) to archive session logs, the logs are deleted on the appliance without ever being sent to an archive server.
  IMPORTANT: If TPAM tries to delete session logs from an archive server and it fails, TPAM does not re-attempt the deletion. Such records may need to be deleted manually once the archive server is back up. A CSV export of the detailed files is available for each archive server to assist with this.

Percentage full to trigger forced archival of oldest session logs (30-80)
  Description: An automated safety net to ensure that the hard disk resources of the appliance are not filled to capacity. If disk usage reaches x% of storage capacity, a forced archive of the oldest session logs occurs to free disk space.
  Required: Yes
  Default: 80

Send archival messages to
  Description: Messages regarding archival events can be sent from TPAM via email to a specified address. Valid choices are All, Failed or None.
  Required: Yes
Enter the settings as desired and click the Save Changes button.
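The interaction between the two age limits, the global retention cap and the forced-archival threshold in Table 74 is easiest to see in code. The following Python is an example written for this guide, not TPAM code. The session log inventory, the field name request_retention_days standing in for the global Session Request Retention Period, the decision to flag a deletion age equal to the archival age as well as one below it, and the choice to force-archive a single oldest log per run are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ArchiveSettings:
    """Mirror of the Session Logs Archival Settings page (field names assumed)."""
    archive_after_days: int       # Max Age in Days for session log archival (0-90)
    delete_after_days: int        # Max Age in days for session log deletion (1-999)
    force_at_percent: int         # Percentage full to trigger forced archival (30-80)
    request_retention_days: int   # global Session Request Retention Period (assumed field)

    def effective_delete_age(self):
        """Deletion age is capped by the global retention period."""
        return min(self.delete_after_days, self.request_retention_days)

    def problems(self):
        """Range checks plus the misconfiguration the CAUTION in Table 74 warns about."""
        found = []
        if not 0 <= self.archive_after_days <= 90:
            found.append("archive age must be 0-90 days")
        if not 1 <= self.delete_after_days <= 999:
            found.append("deletion age must be 1-999 days")
        if not 30 <= self.force_at_percent <= 80:
            found.append("forced archival threshold must be 30-80 percent")
        # Equal ages are flagged too (assumption): the same run would both
        # archive and delete such a log, so its fate depends on ordering.
        if self.effective_delete_age() <= self.archive_after_days:
            found.append("logs are deleted before they are old enough to be archived")
        return found


def classify(age_days, location, settings):
    """Outcome for one session log in this run.

    Deletion applies wherever the log lives; archival only to logs that are
    still on the appliance.
    """
    if age_days > settings.effective_delete_age():
        return "delete"
    if location == "appliance" and age_days > settings.archive_after_days:
        return "archive"
    return "keep"


def plan_run(logs, settings, disk_percent_full):
    """Group logs by outcome; if the disk is full, force the oldest kept appliance log out."""
    plan = {"archive": [], "delete": [], "keep": []}
    for log_id, age_days, location in logs:
        plan[classify(age_days, location, settings)].append(log_id)
    if disk_percent_full >= settings.force_at_percent:
        on_appliance = [(age, log_id) for log_id, age, loc in logs
                        if loc == "appliance" and log_id in plan["keep"]]
        if on_appliance:
            _, oldest = max(on_appliance)      # assumed: one log per forced run
            plan["keep"].remove(oldest)
            plan["archive"].append(oldest)
    return plan


# Constructed session log inventory: (id, age in days, where it lives now).
SAMPLE_LOGS = [
    ("S1", 0, "appliance"),
    ("S2", 5, "appliance"),
    ("S3", 15, "appliance"),
    ("S4", 95, "appliance"),
    ("S5", 120, "archive"),
    ("S6", 40, "archive"),
]

DEFAULTS = ArchiveSettings(archive_after_days=1, delete_after_days=90,
                           force_at_percent=80, request_retention_days=365)
MISCONFIGURED = ArchiveSettings(archive_after_days=30, delete_after_days=10,
                                force_at_percent=80, request_retention_days=365)

if __name__ == "__main__":
    print(plan_run(SAMPLE_LOGS, DEFAULTS, disk_percent_full=50))
    print(MISCONFIGURED.problems())
    print(plan_run(SAMPLE_LOGS, MISCONFIGURED, disk_percent_full=50))
```

With the defaults, S2 and S3 are archived and S4 and S5 deleted; with the misconfigured pair (archive after 30 days, delete after 10) nothing is ever archived and S3 is deleted from the appliance at 15 days, which is exactly the loss the CAUTION describes.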
Configure session log archive server
Archive servers must be pre-configured to receive the archived sessions from TPAM. To be eligible, a server must expose a UNIX®/Linux® style file system over SSH. This can be accomplished on a Windows® server by installing OpenSSH or other UNIX® emulation software that creates a directory structure containing /home. There are readily available products that create a Linux® environment for Windows®.
TPAM uses only SSH public key (DSS) authentication to connect to archive servers and transfer session logs. This requires a matched public/private key pair to exist between TPAM and the archive server. The public key is placed on the archive server, while TPAM maintains the private key.
To configure an archive server select Management | Session Mgmt | Archive Servers from the menu.
The table below explains the options on the archive server management page:
Table 75. Archive Server Management: Details tab options

Server Name
  Description: The unique server name.
  Required: Yes

Network Address
  Description: The IP address or fully qualified domain name.
  Required: Yes

Port
  Description: Port number for TPAM to use.
  Required: No

DSS Key Details
  Description: When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used.
  • Avail. System Std. Keys - uses the single standard SSH keys (either OpenSSH or the commercial key) stored centrally on TPAM. Up to three keys can be active simultaneously. These keys are configured in the paradmin interface. Use the list to select the key you want to retrieve.
  NOTE: When using the Avail. System Std. Keys you cannot specify the key that is used. One or all available keys may be downloaded to the remote system, but TPAM attempts to use all currently active keys when communicating with the remote system.
  • Use System Specific Key - allows the generation and download of a specific SSH key to be used with this system only. The key must first be generated using the Get/Regen Key button, and then downloaded in either OpenSSH or Sec SSH (commercial) format.
  The public key must be placed into the proper directory on the archive server. For most systems this is [user's home directory]/.ssh (create the directory if it does not exist). The public key must also be specified as an authorized authentication method for the functional account. A new DSS key pair can be generated at any time (for example if the existing keys are believed to be compromised). Clicking the Regen Key Pair button generates a new public/private key pair. Regen Key Pair only regenerates the system specific key for the selected archive server, so only that archive server is affected.
  Required: No

Account Name
  Description: Used to authenticate to the archive server, and within whose home directory the logs are stored.
  Required: Yes

Archive Server Path
  Description: The path, relative to the account's home directory, where session logs are written. Prior to TPAM v2.0 the path was hard coded to ./egparch, and it is assumed that old sessions that have already been archived are stored in ./egparch. Ensure that this directory is owned by the functional ID and that only the functional ID can access it: mode 700 on the directory and 600 on the files within it (a directory with mode 600 cannot be entered because it lacks the execute bit).
  Required: Yes

Description
  Description: Descriptive text for the archive server.
  Required: No

Make Default?
  Description: If selected, this is the default archive server for all session logs.
  Required: No
  Default: Off

Enter the settings as desired and click the Save Changes button.
Test the archive server
Once the archive server has been saved, it is recommended that the connection from TPAM be tested by clicking the Test button. The results of the test are displayed on the Results tab.
View archive files
To view the files stored on an archive server:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the server on the Listing tab.
3 Click the Archived Files tab.
4 Enter your search criteria on the Filter tab.
5 Click the Session Logs tab or click the Export to CSV button.
View archive log
To view the archive log:
1 Select Management | Session Mgmt | Archive Log from the menu.
2 Enter your filter criteria.
3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the report.
5 Select the appropriate box in the Sort Column column to specify the sort order.
6 Select the Sort Direction.
7 If viewing the report in Privileged Account Manager, select the Max Rows to display.
IMPORTANT: Max Rows to Display limits the number of rows that are returned even if the number of rows that meet the filter criteria is greater than what is selected.
8 To view the report results in Privileged Account Manager click the Report tab. To adjust the width of any column on a report, hover the mouse over the column edge, hold down the left mouse button and drag.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export option. The Export to Excel option exports a maximum of 64,000 rows.
10 Open or Save the report file.
Delete a session log archive server
To delete a session log archive server:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the server to be deleted.
3 Click the Delete button.
NOTE: You cannot delete an archive server that is flagged as the default archive server. This flag must be cleared and saved before the Delete button is enabled.
4 Click the Delete Server button.
5 Click the OK button on the confirmation window.
Clear a stored system host entry
The Clear Sys. Host Entry button removes the host entry from TPAM's known hosts file. This is needed, for example, when the SSH package on a managed system has been reinstalled, or the OS itself has been reinstalled, so that the host now presents a different SSH host key. A test of the system then reports that the host key entry does not match and authentication is refused, because a changed host key is indistinguishable from a man-in-the-middle attack.
IMPORTANT: Before clearing the entry, confirm with the owner of the archive server that the host key change was expected (reinstall or key rotation) and, where possible, compare the new key's fingerprint out of band. After the entry is cleared, TPAM records the host key presented at the next connection, so if the change was not legitimate the session logs it uploads from then on would go to an impostor.
To clear the System Host entry:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the archive server whose host entry is to be removed from TPAM's known hosts file.
3 Click the Clear Sys. Host Entry button.
25 Synchronized Passwords
• Introduction
• Logs tab
• Add synchronized password
• Add subscriber to a synchronized password
• Remove a subscriber from a synchronized password
• Delete a synchronized password
• Force reset of synchronized password
Introduction
Synchronized Passwords (known as Collection Accounts prior to v2.3.761) provide a way for multiple accounts, on different systems, to have their passwords synchronized.
The synchronized password functionality depends heavily on the Synch Pass Change Auto Agent, which must be enabled by the System Administrator in the admin interface. If the agent is not running, subscriber passwords are not changed unless you perform a manual forced reset.
To add and manage synchronized passwords, information is entered on the following tabs in the TPAM interface:
Table 76. Synchronized Password Management: TPAM interface tabs
Details - Define the password name and password management options.
Candidates - Used to assign accounts as subscribers of the synchronized password.
Details tab
The table below explains all of the options available on the Details tab:
Table 77. Synchronized Password Management: Details tab options

Password Name
  Description: Descriptive name of the synchronized password.
  Required: Yes

Password
  Description: If a manual password is entered here, any scheduled post-release resets are canceled, and any subscriber whose password does not match is scheduled for a mismatch reset.
  Required: Yes

Confirm
  Description: Where the manual password is retyped for confirmation.
  Required: Yes

Disable Synch.
  Description: If selected, subscriber passwords are not synchronized. Use this when changing subscriber priority before forcing a reset; otherwise new subscribers are not synchronized by priority. While synchronization is disabled, new subscribers are not scheduled for a mismatch reset if their current password does not match.
  Required: No
  Default: Off

Password Rule
  Description: The password rule that serves as the default for the synchronized password. The password rule governs the construction requirements for new passwords generated by PPM.
  Required: Yes
  Default: Default Password Rule

Description
  Description: May be used to provide additional information about the synchronized password, special notes, business owner, etc.
  Required: No

Notification Email
  Description: The email address specified here receives email notifications when a password is released without approval, and for scheduled password changes of manually managed accounts.
  Required: No

Default ISA Rel. Duration
  Description: The duration for an ISA release, up to a maximum of 7 days. This is the amount of time between the initial ISA retrieval and the automatic reset of the password (if enabled). If 0 is entered, an ISA retrieval of the password does not trigger a post-release reset.
  Required: No
  Default: 2 Hours

Use the check profiles on the subscribed accounts
  Description: If selected, the password check profile assigned to each subscriber is used instead of the Password Check Profile selected below.
  Required: No
  Default: Off

Password Check Profile
  Description: Select a password check profile from the list to determine the rules for how the synchronized password is checked. Password check profiles are configured by the TPAM Administrator. See Password Profiles for more details.
  Required: No

Password Change Profile
  Description: Select a password change profile from the list to determine the rules for how the synchronized password is changed. Password change profiles are configured by the TPAM Administrator. See Password Profiles for more details.
  Required: Yes
  Default: Default
Candidates tab
The table below explains all of the options available on the Candidates tab:
Table 78. Synchronized Password Management: Candidates tab options

Candidate Name - System name and account name of the candidate. Only accounts that are auto-managed or manually managed are eligible.
Account Auto - Management setting for the account.
Network Address - Network address for the account.
Platform - System platform for the account.
Select - If selected, the account becomes a member of the synchronized password.
Priority Level - The number entered here represents the order in which the Synch Pass Change agent synchronizes the subscribers. Only auto-managed accounts can be assigned a priority level. The agent attempts to synchronize the prioritized subscribers from lowest to highest. If any subscriber fails to synchronize, the process stops and the agent does not attempt to process any other subscribers. Next, any auto-managed non-prioritized accounts are synchronized; any of these that fail to synchronize are scheduled through the regular password change agent. Then any manually managed accounts are put in the manual password notification queue. If a subscriber is in the regular change queue, any ISA or Administrator can force a password reset through the password management page or the account management listing page.
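The ordering rules in the Priority Level description above are easy to get wrong when planning priorities, so the following Python models them as an added example for this guide; it is not TPAM's agent code. The subscriber list, the change_password callback that stands in for the real password change on each target, and the reading of "the process stops" as halting the whole run (so that non-prioritized and manual subscribers are not touched after a prioritized failure) are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subscriber:
    name: str                        # "system\\account"
    auto_managed: bool               # False means manually managed
    priority: Optional[int] = None   # only meaningful for auto-managed accounts


def run_synch_agent(subscribers, change_password):
    """Work through the subscribers in the order the Synch Pass Change agent uses.

    change_password(subscriber) -> bool is an assumed callback standing in for
    the real password change on the target system.
    """
    outcome = {"changed": [], "stopped_at": None, "not_attempted": [],
               "regular_change_queue": [], "manual_queue": []}

    prioritized = sorted((s for s in subscribers if s.auto_managed and s.priority is not None),
                         key=lambda s: s.priority)
    unprioritized = [s for s in subscribers if s.auto_managed and s.priority is None]
    manual = [s for s in subscribers if not s.auto_managed]

    # 1. Prioritized subscribers, lowest number first. The first failure halts
    #    the run (assumed reading of "the process stops").
    for index, sub in enumerate(prioritized):
        if change_password(sub):
            outcome["changed"].append(sub.name)
            continue
        outcome["stopped_at"] = sub.name
        outcome["not_attempted"] = [s.name for s in prioritized[index + 1:] + unprioritized + manual]
        return outcome

    # 2. Remaining auto-managed accounts; a failure here only re-queues that account.
    for sub in unprioritized:
        if change_password(sub):
            outcome["changed"].append(sub.name)
        else:
            outcome["regular_change_queue"].append(sub.name)

    # 3. Manually managed accounts go to the manual password notification queue.
    outcome["manual_queue"] = [s.name for s in manual]
    return outcome


def make_changer(failing_names):
    """Build a change_password stand-in that fails for the given subscriber names."""
    return lambda sub: sub.name not in failing_names


# Constructed subscriber set: three prioritized, two unprioritized, one manual.
SUBSCRIBERS = [
    Subscriber("db01\\oracle", True, priority=2),
    Subscriber("app01\\oracle", True, priority=1),
    Subscriber("app02\\oracle", True, priority=3),
    Subscriber("batch01\\oracle", True),
    Subscriber("batch02\\oracle", True),
    Subscriber("legacy01\\oracle", False),
]

if __name__ == "__main__":
    print(run_synch_agent(SUBSCRIBERS, make_changer({"batch02\\oracle"})))
    print(run_synch_agent(SUBSCRIBERS, make_changer({"db01\\oracle"})))
```

The second run shows why priorities deserve care: one failing prioritized subscriber (priority 2) leaves every later subscriber out of synch until the failure is fixed and a reset is forced, whereas a failing unprioritized subscriber in the first run only lands that one account in the regular change queue.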
Subscriber status tab
The table below explains all of the options available on the Subscriber Status tab:
Table 79. Synchronized Password Management: Subscriber Status tab options

Subscriber Name - System name and account name of the subscriber.
Account Auto - Indicates whether the account is auto-managed by TPAM (Y) or manually managed (M).
Network Address - Network address for the system.
Platform - Platform for the system.
Unsubscribe / Priority - If Unsubscribe is selected and the changes saved, the subscriber is removed from the synchronized password. The priority level can be edited and saved here.
Password Status - Either current or out of synch. If the password is out of synch, the Synch Now button is available to force an immediate synchronization.
Pending Change - Displays the status if the password is in the regular change queue.
Pending Check - Displays the status if the password is in the regular check queue.
Logs tab
The Logs tab contains several sub-tabs that provide detailed password history for the subscribers of the synchronized password. The following table explains the sub-tabs. The time displayed on the logs is server time (UTC).
Table 80. Synchronized Password Management: Logs tab sub-tabs

Filter - Used to specify your search criteria for any of the other log tabs.
Change Log - Provides details on password change history.
Test Log - Provides details on password test activity.
Release Log - Provides details on password release history.
Dependent Change Log - Only visible if the account resides on a Windows® Domain Controller with dependent systems assigned. Provides details on changes of the domain account.
Change Agent Log - Provides details on change agent log records for the accounts that have occurred after a 2.3+ TPAM upgrade.
Add synchronized password
To add a new synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Add Synchronized Password from the menu.
2 Enter information on the Details tab. For more information see Details tab.
3 Click the Save Changes button.
Add subscriber to a synchronized password
To add subscribers to a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Add Subscribers button.
6 Enter your search criteria on the Filter tab.
7 Click the Candidates tab.
8 Select the Select check box to add candidates to the synchronized password. For more information see Candidates tab.
IMPORTANT: If you add one or more accounts belonging to a System Template as subscribers, any new systems added to TPAM using that template will automatically have those accounts as subscribers to this synchronized password.
9 Enter a Priority Level for subscribers. (Optional)
10 Click the Save Changes button.
Remove a subscriber from a synchronized password
To remove one or more subscribers from a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Subscriber Status tab.
6 Select the Unsubscribe check box for any subscribers to be removed.
7 Click the Save Changes button.
NOTE: Any accounts removed from the synchronized password are immediately scheduled for a password reset, so that a removed account does not keep sharing a password with the remaining subscribers.
Delete a synchronized password
To delete a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: After the synchronized password is deleted, the subscribers revert to the Password Management settings that they had prior to becoming subscribers.
Force reset of synchronized password
To schedule a forced reset of a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Reset Password button.
26 Scheduled Reports
• Introduction
• Enable/disable scheduled reports
• Send scheduled reports to archive server
• Subscribe/unsubscribe to scheduled reports
• Add/remove additional recipients to scheduled reports
• View scheduled reports
• Resubmit scheduled reports
Introduction
Scheduled reports (also known as Batch Reports) are standard reports available in TPAM. The TPAM Administrator configures these reports to run automatically on a daily or weekly basis. The reports are run by the Daily Maintenance job, which is configured in the /admin interface. The reports are stored on the appliance and can be emailed to designated subscribers or sent directly to an archive server. Only Administrators and Auditors can view these reports from the TPAM interface. Additional users can be configured to receive these reports via email.
Enable/disable scheduled reports
Administrators can enable or disable which scheduled reports can be subscribed to. On a new TPAM appliance all reports are disabled by default.
NOTE: The run time for these reports is controlled by the daily maintenance start time that is configured by the System Administrator in the admin interface.
To enable/disable scheduled reports:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Next to each report select one of the following from the far right hand column:
• Disabled - the report will not run.
• HTML Only - only the HTML version of the report will run.
• CSV Only - only the CSV version of the report will run.
• HTML & CSV - CSV and HTML versions will be run.
• XML Only - the report will only be run in XML format.
3 Click the Save Changes button.
NOTE: If any option other than Disabled is selected, the XML file is always generated (a zero byte file is generated even if no data is reported).
IMPORTANT: The Entitlement reports are very resource intensive and can cause severe performance degradation for online users during the daily report cycle. If the reports will be used on a daily basis, it is recommended that only the versions required are enabled. It is very common for these reports to be over 1 million rows, and customers have found that the CSV files are more manageable.
Send scheduled reports to archive server
To have scheduled reports automatically sent to an archive server:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select an archive server from the list. An archive server must already be configured in TPAM by the System Administrator to appear in this list.
3 Click the Save Changes button.
Subscribe/unsubscribe to scheduled reports
Only Administrators and Auditors have permission to edit report subscriptions.
To subscribe/unsubscribe to Scheduled Reports:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 In the Subscribed column select one or more of the output options (HTML, CSV or XML) for the reports you want to subscribe to.
3 Clear the HTML, CSV or XML check boxes in the Subscribed column for the reports you want to unsubscribe from.
4 Select the Zip check box to zip all subscribed formats of the report into one file to be emailed.
5 Click the Save Changes button.
NOTE: When the select list does not include a format that is selected in the Subscribed column, the selection is highlighted in red.
Add/remove additional recipients to scheduled reports
Only Administrators and Auditors can view Scheduled Reports from the TPAM interface. Additional users can be configured to receive these reports via email.
To add additional recipients:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Enter the email address for the additional recipient in the EmailAddress box.
5 Select the report format/s from the Type list. If None is selected, the recipient will receive an email
informing them that the report has been generated, but without an attachment.
6 Select the Zip check box to zip all subscribed formats into one file that will be emailed.
7 Click the Add New Recipient button.
8 Repeat steps 4 through 6 for any additional email addresses.
To delete additional recipients:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Click the Delete button in the Action column next to the recipient you want to remove.
To edit a recipient’s email address:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Edit the address in the EmailAddress box.
5 Click the Update button in the Action column.
View scheduled reports
Scheduled Reports are generated daily by TPAM and stored internally. These reports are available for viewing by
any administrator or auditor user. Stored reports are retained for a period of time specified by the System
Administrator.
NOTE: The date and timestamp on the stored reports is server time.
To view scheduled reports that have run:
1 Select Reports | Scheduled Reports | Browse Stored Reports from the menu.
2 Select the date by clicking the hyperlink, formatted yyyymmdd.
3 The reports run on that date will be displayed. Click the hyperlink for the report you want to view.
4 Select Open to view the report immediately or Save to save the report.
Resubmit scheduled reports
The System Administrator has the ability to resubmit batch report runs for a prior date. Once the report run has
been resubmitted, the reports can be viewed on the same page as the daily report runs. See the procedure
above.
To resubmit a batch report run:
1 Log on to the /admin interface of TPAM (accessible to system administrators).
2 Select System Status / Settings | Resubmit Batch Reports from the menu.
3 Enter the date to rerun the batch reports for.
4 Click the Resubmit button.
NOTE: When scheduled report runs are resubmitted, the new run date and time is appended to the end of
the file name. For example, if you rerun the 10/1/2011 reports on 11/13/2011 at 1 pm, the filename will
be 20111001_20111113_130000.
27 Data Extracts
• Introduction
• Configure data extracts
• Enable/disable a data extract schedule
• Data extract logs
• Customize data extract dataset file names
Introduction
Data extracts are defined data sets that can be extracted from TPAM on a scheduled basis and automatically
transferred to a pre-configured Archive server.
Extracted data is supplied as a *.CSV file and is easily viewed with MS Excel or any text editor. Information that
may be extracted includes lists of systems, accounts, users, etc. and many logs of user activity and entitlement.
The extracted files are compressed (ZIP file format) and named with a date and time stamp.
Data extracts are configured in much the same way as TPAM system backups. The extracts can be set to occur
daily, weekly or monthly at a specific time.
Configure data extracts
Up to five different data extract schedules can be configured. Repeat the procedure below as needed to
configure multiple data extract schedules.
To configure a data extract:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select one of the Schedule Names from the Schedule tab and click the Details tab.
3 Edit the Schedule Name. (optional)
4 Select the Enabled check box to enable the data extract schedule.
5 Select the Zip check box to have the extract files saved in a zip file format. (optional)
6 To have the file formatted differently than comma delimited, type another format in the Delimiter box.
If left blank, tab is the default. (optional)
7 Set the frequency for the data extract run:
• Daily
• Weekly - select day/s of the week.
• Monthly - choose First, Last, or specific Day of the Month.
8 Enter the time when the extraction is to start running. Time must be entered in 24 hour format.
9 Select the archive server where the data is to be transferred. The TPAM System Administrator is
responsible for configuring the Archive Servers.
10 Select All or Failed and enter the email address of the recipient who is to receive data extract results.
(optional)
11 Click the Data Sets tab.
12 Select the Enabled? check box to add the Data Set as part of the scheduled extract.
13 Select the Column Headings? check box to have column headings included in the CSV file results.
(optional)
14 Click the Save Changes button.
The Password Release Activity and Password Update Activity data extracts will pull the last 24 hours of activity.
The Activity Log, Password Release Log and SysAdmin Activity Log data extracts will pull data based on the
number of days configured as the retention period in global settings.
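Added example, not TPAM code: a small Python reader for the extract files a schedule configured as above produces, written against the options the procedure names (the Delimiter box, the Zip check box and the Column Headings? check box). The data set file name, column names and rows are constructed for illustration; the final check, that a Password Release Activity extract contains only the last 24 hours of activity the page says it covers, is the kind of sanity test worth running on the archive server after each transfer.

```python
"""Read a data extract archive as produced by the schedule above: a ZIP holding
one delimited text file per data set, optionally with a column-heading row.

Added example, not TPAM code. The data set file name, column names and rows
are constructed for illustration; only the delimiter, Zip and Column Headings
options come from the procedure.
"""
import csv
import io
import zipfile
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample "Password Release Activity" data set, headings enabled.
# Timestamps are server time, as the stored-report note above states.
SAMPLE_ROWS = [
    ("ReleaseTime", "UserName", "SystemName", "AccountName"),
    ("2015-03-01 09:15:00", "jsmith", "db01", "oracle"),
    ("2015-03-01 22:40:00", "auditbot", "web02", "root"),
    ("2015-02-27 08:00:00", "jsmith", "db01", "oracle"),  # older than 24 hours
]

def build_extract_zip(rows, delimiter="\t", member="PasswordReleaseActivity.csv"):
    """Write rows as a delimited file inside an in-memory ZIP (test fixture)."""
    text = io.StringIO()
    csv.writer(text, delimiter=delimiter, lineterminator="\n").writerows(rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, text.getvalue())
    return buf.getvalue()

def read_extract(zip_bytes, delimiter="\t", column_headings=True):
    """Return {member name: rows}. Rows are dicts keyed by heading when the
    Column Headings? option was on, otherwise plain tuples."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            raw = zf.read(name).decode("utf-8")
            rows = list(csv.reader(io.StringIO(raw), delimiter=delimiter))
            if column_headings and rows:
                header, body = rows[0], rows[1:]
                result[name] = [dict(zip(header, r)) for r in body]
            else:
                result[name] = [tuple(r) for r in rows]
    return result

def releases_outside_window(rows, now_text, window=timedelta(hours=24)):
    """Rows whose ReleaseTime is outside the expected 24-hour extract window.
    Anything older than that points at a stale or mis-scheduled extract."""
    now = datetime.strptime(now_text, TIME_FMT)
    stale = []
    for row in rows:
        ts = datetime.strptime(row["ReleaseTime"], TIME_FMT)
        if ts < now - window or ts > now:
            stale.append(row)
    return stale
```

Pass the same delimiter to `read_extract` that was typed into the Delimiter box, and set `column_headings=False` for data sets where the Column Headings? check box was left clear; otherwise the first data row is silently consumed as a header.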
Enable/disable a data extract schedule
To enable/disable a Data Extract Schedule:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select the schedule you want to enable/disable.
3 Click the Details tab.
4 Select/Clear the Enabled check box.
5 Click the Save Changes button.
To immediately kick off a Data Extract:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select a schedule from the list.
3 Click the Start button.
Data extract logs
The data extract log tab displays the logged results of each scheduled extraction.
To view a data extract log:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select a schedule from the list.
3 Click the Log tab.
4 Enter filter criteria on the Filter tab.
5 Click the Data Extract Log tab.
To clear data extract log/s:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 To clear a specific log, select the schedule from the list and click the Clear Log button.
3 To clear all the logs, click the Clear Log button without selecting a specific schedule from the list.
Customize data extract dataset file names
The procedure below describes how to customize the default file names for the dataset extract results. The
customized file names apply to all the schedules that are configured.
To customize dataset file names:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Click the Dataset Filenames tab.
3 Place your cursor in the FileName box and enter the new name for each file name you want to change.
4 Click the Save Filename Changes button.
28 TPAM CLI IDs
• Introduction
• Add a TPAM CLI ID
• Connect PSM account to TPAM CLI ID
• Delete a TPAM CLI ID
Introduction
In some cases it might be necessary to use an account for PSM authentication that is managed by another,
independent TPAM device. An example use case is an MSP managing systems for several customers, such as
financial institutions, that require password data to be stored in a physically separate database. This can be
accomplished by using TPAM CLI IDs.
A CLI user ID is a special account used to access TPAM remotely via the CLI (command line interface). TPAM CLI
IDs may be defined to TPAM and used to access passwords that are stored and managed on a remote TPAM
appliance.
Add a TPAM CLI ID
In this example a TPAM CLI ID will be set up on TPAM01, and TPAM02 will use the account for PSM log on for an
account managed by TPAM01.
Add a CLI user ID on TPAM01:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter the user details, clear the Allow Web Access check box on the Web tab and select CLI key based
authentication on the Key Based tab.
3 Click the Save Changes button.
4 Click the Download key button to download and save the key.
To add a TPAM CLI ID on TPAM02:
1 Select Management | TPAM CLI IDs | Add TPAM CLI ID from the menu.
2 Enter the CLI user ID configured on the remote TPAM appliance.
3 Enter a name to identify the TPAM appliance hosting the CLI ID.
4 Enter the IP address or FQDN of the TPAM primary appliance.
5 Paste the contents of the DSS key into the DSS Key box. This is the private key that was downloaded from
TPAM when the specified CLI user ID was created.
6 Click the Save Changes button.
7 To test connectivity to the remote TPAM appliance with the CLI ID, click the Test button.
Connect PSM account to TPAM CLI ID
To connect the PSM account to the TPAM CLI ID:
1 Add the system in TPAM02 you need to connect to via PSM.
2 Add the account you want to use for PSM.
3 Click on the PSM Details tab.
4 Select User Remote TPAM CLI.
5 In the list select the TPAM CLI ID you created.
6 Click the Save Changes button.
When initiating a session for this account, TPAM02 will now log on to TPAM01, request the password for
qsrv_qppm (the account managed by TPAM01) and use it to authenticate the session. After the session, the
password will be checked back in to TPAM01 and will be changed.
Delete a TPAM CLI ID
To delete a TPAM CLI ID:
1 Select Management | TPAM CLI IDs | Manage TPAM CLI IDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the CLI ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
29 Password Requests
• Introduction
• Request a password
• Email notification
• View submitted password requests
• Access the password
• Cancel/expire a password request
Introduction
System account passwords that are configured using Privileged Password Manager can be released by submitting
a password request. The request will either require approval by one or more TPAM users, or be auto-approved,
based on how the account is configured. This process ensures the security of the system account password,
provides accountability, and provides dual control over the system accounts.
Request a password
To request a password:
1 Select Request | Password | Add Request from the main menu.
2 To request a password on a specific system or a specific account, enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the check box next to each account to be included in the password request. When selecting
multiple accounts in one request, the request time and release duration will be the same for all accounts
requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission to the account, the account will be listed multiple times on the Accounts listing
tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration
associated with it.
5 Click the Details tab.
6 Complete the following fields:
Table 81. Password Request Management: Details tab fields
Field name - Description
Request Immediate - Select this check box to immediately request the password.
Date/Time Required - To have a password released on a future date and time, enter the date and time when
the password is required. Enter the time in the user’s local time.
Requested Duration - The requested duration is the period of time that the password(s) is available for
release. Once the request is saved this duration is added to the requested release date to determine the
request expiration date. Valid parameters for release durations are from 15 minutes to 7 days, in 15 minute
increments; however, the effective valid parameter for the maximum allowable release request duration is the
value configured for maximum release duration at the account level. When requesting passwords for multiple
accounts together, the Requested Duration defaults to the shortest “Maximum Duration” for all accounts listed
on the request.
Reason Code - Reason codes will appear if they have been configured by the System Administrator. Reason
codes streamline the request process, and may be optional, required, or not allowed depending on how they
are configured.
Request Reason - Used to provide a brief description of the reason for the password release. May be optional,
required or not allowed, depending on configuration.
Ticket System - May be required, based on configuration. Any boxes on the request highlighted in red require
a ticket system to be chosen from the list.
Ticket Number - May be required, based on configuration. If the ticket number fails validation when the request
is submitted, then the request is automatically canceled.
7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page:
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period, or the requestor decides to cancel the request prior to accessing the password. The request
will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the password has passed, or the requestor is done accessing the
password and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.
To add accounts to a request once it has already been submitted:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to add accounts to.
5 Click the Details tab.
6 Click the New Accounts button.
7 Enter filter criteria to find the accounts you want to add.
8 Click the Accounts tab.
9 Select the check box in the Selected column for the accounts you want to add.
10 Click the Details tab.
11 Enter a Ticket System/Ticket Number if required.
12 Click the Save Changes button.
Email notification
Once a password request is submitted, the requestor receives an email notification when the request is
approved, denied, or automatically cancelled as a result of a request conflict.
If a password request is submitted and does not require any approvals, the request is auto-approved by PPM and
the requestor immediately sees this message in the feedback area.
View submitted password requests
To view requests that have been submitted:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-approved or
cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Password - If enabled, displays the password for the account for 20 seconds.
Access the password
Once a request is approved, to view the account password:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Password tab. The password will be displayed for 20 seconds. Depending on how your TPAM is
configured, the password will display in one of three ways:
a The password will be revealed on the screen. To copy and paste the password, click the mouse once
over the password, which will automatically select the password.
b The Reveal Password button can be clicked to reveal the password, or the password can be copied
to the clipboard without displaying it on the screen.
c You must put your mouse in the designated area and press the Ctrl-C keys to copy the password to
the clipboard.
The password can be displayed by the requestor as often as necessary during the release duration period.
Password reset during release window
While a requestor has an active release duration window, three possible circumstances could cause the
password to be changed by TPAM during that time:
• The configured Default Change Setting for the account occurs during the release window. For example, the
password is to be changed every 30 days, and this happens to occur while a requestor has a password.
This scenario can be prevented by selecting Do not automatically change the password while a release
is active on the account details management tab.
• The ISA post-release reset interval has occurred. In this case, an ISA may have recently retrieved the
password and it is being reset because the configured interval for that action has expired. This scenario
can be prevented by selecting Do not automatically change the password while a release is active on
the account details management tab.
• The ISA or the Administrator has forced a reset of the password.
In each case the requestor should try to access the password again at a later time.
Cancel/expire a password request
A password request can be cancelled by the requestor if the status is Pending Approval. Once approved, a
password request can be expired to immediately end the release duration. Expiring a request early makes the
account available for request by other users and immediately queues the password for a reset (if so
configured).
To cancel/expire a password request:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Enter a reason in the Cancel/Expire Reason box.
7 If the request contains multiple accounts, select the Apply Reason check box next to the applicable
accounts.
8 Click the Save Changes button.
30 Approve/Deny Password Request
• Introduction
• Approve/deny password request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a password request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.
Approve/deny password request
The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.
To approve/deny a password request:
1 Select Approve/Review | Password Request from the main menu.
2 To approve/deny a request on a specific system/account, enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.
6 If the request selected is part of a multiple request submission, then you also see all the other pending
requests that are eligible for your approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this password overlap with the same
release duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.
Revalidate ticket on a request
If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and
the Ticket System is not available for validation at the time the requestor submits the request, you see the
following note on the Request Details tab:
The request can be approved/denied without revalidating the ticket.
To revalidate the ticket:
1 Click the Revalidate Ticket button. The following pop up appears:
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled, the status of
the request will remain unchanged.
Deny request after it is approved
Any eligible approver can deny a password request after it has already been approved or auto-approved. Once
denied, the requestor will no longer have access to the password. The requestor receives an email notifying
them that the request was denied.
To deny the request:
1 Select Approve/Review | Password Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.
31 Review a Password Release
• Introduction
• Review status definitions
• Review a password release
• Provisional ticket validation on a password release
Introduction
Accounts can be configured to have review requirements for password releases once the release duration has
expired. Users eligible to review password releases receive email notification to alert them of pending reviews.
Review status definitions
The table below explains the different possible password release review statuses.
Table 82. Password release review statuses
Status - Definition
Pending - An authorized reviewer is still required to complete the review process.
Completed - All the required reviewers have clicked the Complete My Review button.
Overdue - A reviewer has not reviewed the password release within the required time period.
On the Password Release for Review listing tab there is a column labeled Review Started. If the value is Y, at
least one review comment has been submitted. If the value is N, no review comments have been submitted. If
the value is - (dash), then the review is complete.
Review a password release
To review a password release:
1 Select Review | Password Releases from the main menu.
2 To review a password release for a specific account, enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the Request ID to review.
5 Click the Reviewers tab to see the list of eligible reviewers. (optional) These are the review
requirements at the time the password request was submitted.
6 Click the Reviews tab to see any review comments made.
7 Click the Responses tab to see comments that were made when approving this request and comments
made by the requestor if they expired the request early.
8 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as
configured for their user ID in TPAM.
9 If the password release being reviewed was part of a multi-request, select the Apply Review check box
for the appropriate row.
10 To enter a comment before officially marking the release as reviewed, enter a comment in the Review
Comment box and click the Save My Review Comment button. (optional)
Every time a comment is submitted the Reviews Submitted count increases.
11 To mark the review as complete, enter a review comment and click the Complete My Review button.
Provisional ticket validation on a password release
If the required ticket system for this account has “provisional validation” enabled in the admin interface and
the ticket system was not available for validation at the time the requestor submitted the request, you see the
following note on the review details tab:
A reviewer does not have the ability to retroactively check for ticket validation.
32 Session Requests
• Introduction
• Request a session
• Email notification
• View submitted session requests
• Cancel/expire a session request
Introduction
Systems that are configured using Privileged Session Manager can be accessed remotely by submitting a session
request. The request will either require approval by one or more TPAM users, or be auto-approved, based on
how the account is configured. The activity during the session will be recorded and can be played back by
authorized users.
Request a session
To request a session:
1 Select Request | Session | Add Request from the main menu.
2 To request a session on a specific system or a specific account, enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the check box next to each account to be included in the session request. When selecting multiple
accounts in one request, the request time and release duration will be the same for all accounts
requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission to the account, the account will be listed multiple times on the Accounts listing
tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration
associated with it.
5 Click the Details tab.
6 Complete the following fields:
Table 83. Session Request Management: Details tab options
Field name - Description
Request Immediate - Select this check box to immediately request the session.
Date/Time Required - To conduct a session on a future date and time, enter the date and time when the
session is required. Enter the time in the user’s local time.
Requested Duration - The requested duration is the period of time that access to the remote system/s is
available. Once the request is saved this duration is added to the requested release date to determine the
request expiration date. This should be taken into consideration when selecting the request duration. If not
approved quickly, the request duration available to the requestor could be considerably shorter than that
specified. When expired, the session is no longer available to the requestor. The session is not terminated or
interrupted, but after it has been closed the user can no longer restart it. The default request duration is
always 2 hours, but can be changed by the requestor. When requesting sessions for multiple accounts together,
the Requested Duration cannot exceed the shortest “Maximum Duration” for all accounts listed on the request.
Also the “Maximum Duration” is never greater than the “Max Session Duration” configured by the System
Administrator in Global Settings.
NOTE: If you will be conducting a file transfer during the session, the session duration must include the time
that it takes for the file transfer to complete.
Reason Code - Reason codes will appear if they have been configured by the System Administrator. Reason
codes streamline the request process, and may be optional or required, depending on how they are configured.
Request Reason - Used to provide a brief description of the reason for the session request. May be optional,
required or not required, depending on configuration.
Ticket System - May be required, based on configuration. Any boxes on the request highlighted in red require
a ticket system to be chosen from the list.
Ticket Number - May be required, based on configuration. If the ticket number fails validation when the request
is submitted, then the request is automatically canceled.
7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page:
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period, or the requestor decides to cancel the request prior to connecting to the remote system.
The request will also be cancelled if the ticket number entered on the request requires validation, and
fails.
• Expired - the release window for the session has passed, or the requestor is done conducting the session
and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.
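Added example, not TPAM code, covering the Requested Duration rules from Table 81 (password requests) and Table 83 (session requests) and the status list that follows each: a small Python model of the duration validation (15 minutes to 7 days in 15-minute increments, capped by the shortest account-level Maximum Duration and, for sessions, by the global Max Session Duration), the expiration calculation (requested date/time plus duration, fixed when the request is saved), and the mapping from timestamps and the approval decision to the displayed status. The per-account maximum values, the global cap and all timestamps are constructed; treating an undecided request whose window has already passed as Expired is an assumption, since the page does not state that case.

```python
"""Model the Requested Duration rules and request statuses described above.

Added example, not TPAM code. Durations are whole minutes; per-account
Maximum Duration values, the global Max Session Duration and all timestamps
are constructed inputs.
"""
from datetime import datetime, timedelta

MIN_DURATION = 15            # shortest release duration: 15 minutes
MAX_DURATION = 7 * 24 * 60   # longest: 7 days
STEP = 15                    # release durations move in 15-minute increments
SESSION_DEFAULT = 2 * 60     # session requests default to 2 hours
TIME_FMT = "%Y-%m-%d %H:%M"

def parse_time(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp (user's local time)."""
    return datetime.strptime(text, TIME_FMT)

def effective_max_duration(account_max_durations, global_max_session=None):
    """Shortest account-level Maximum Duration across the request; for session
    requests it is further capped by the global Max Session Duration."""
    if not account_max_durations:
        raise ValueError("a request must include at least one account")
    cap = min(account_max_durations)
    if global_max_session is not None:
        cap = min(cap, global_max_session)
    return cap

def default_duration(kind, account_max_durations, global_max_session=None):
    """Password requests default to the shortest Maximum Duration; session
    requests default to 2 hours (the requestor may change either)."""
    if kind == "session":
        return SESSION_DEFAULT
    return effective_max_duration(account_max_durations, global_max_session)

def duration_error(requested, account_max_durations, global_max_session=None):
    """Return None when the requested duration is acceptable, else the reason."""
    if requested % STEP:
        return f"duration must be a multiple of {STEP} minutes"
    if not MIN_DURATION <= requested <= MAX_DURATION:
        return "duration must be between 15 minutes and 7 days"
    cap = effective_max_duration(account_max_durations, global_max_session)
    if requested > cap:
        return f"duration exceeds the effective maximum of {cap} minutes"
    return None

def expiration(requested_at, duration):
    """Expiration is fixed when the request is saved: requested date/time plus
    duration. A slow approval therefore eats into the usable window."""
    return requested_at + timedelta(minutes=duration)

def request_status(now, requested_at, duration, decision, expired_early=False):
    """Map timestamps and the approval decision to the displayed status.
    decision is None (no approver has acted), 'approved', 'denied' or 'canceled'.
    Assumption: an undecided request whose window has passed shows as Expired."""
    if decision == "denied":
        return "Denied"
    if decision == "canceled":
        return "Canceled"
    if expired_early or now >= expiration(requested_at, duration):
        return "Expired"
    if decision is None:
        return "Pending Approval"
    if now < requested_at:
        return "Approved"          # approved, but requested date/time is still ahead
    return "Active/Approved"       # approved and inside the release window
```

The point of `expiration` is the one Table 83 warns about: the window is anchored to the requested date/time, not to the moment of approval, so a request for 60 minutes that sits unapproved for 45 minutes leaves the requestor only 15 usable minutes. Asking for a duration that comfortably covers the expected approval lag, or using Date/Time Required for a later slot, avoids that.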
To add accounts to a request once it has already been submitted:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Click the New Accounts button.
7 Enter filter criteria to find the accounts you want to add.
8 Click the Accounts tab.
9 Select the check box in the Selected column for the accounts you want to add.
10 Click the Details tab.
11 Enter a Ticket System/Ticket Number if required.
12 Click the Save Changes button.
Email notification
Once a session request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a session request is submitted and does not require any approvals, the request is auto-approved and the
requestor can immediately start the session by clicking the Connect button.
View submitted session requests
To view requests that have been submitted:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-approved or
cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Connect Options - If enabled, can be used to change settings such as keyboard language mapping
for the session.
Cancel/expire a session request
A session request can be cancelled by the requestor if the status is Pending Approval. Once approved, a session
request can be expired to immediately end the release duration. Expiring a request early makes the account
available for request by other users and immediately queues the password for a reset (if so configured).
To cancel/expire a session request:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Enter a reason in the Cancel/Expire Reason box.
7 If the request contains multiple accounts, select the Apply Reason check box next to the applicable
accounts.
8 Click the Save Changes button.
33 Approve/Deny Session Request
• Introduction
• Approve/deny session request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a session request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.
Approve/deny session request
The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.
To approve/deny a session request:
1 Select Approve/Review | Session Request from the main menu.
2 To approve/deny a request on a specific system/account, enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.
6 If the request selected is part of a multiple request submission, then you also see all the other pending
requests that are eligible for approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this session overlap with the same release
duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.
Revalidate ticket on a request
If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and
the Ticket System is not available for validation at the time the requestor submits the request, you see the
following note on the Request Details tab:
The request can be approved/denied without revalidating the ticket.
To revalidate the ticket:
1 Click the Revalidate Ticket button. The following pop up appears:
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of the request will remain unchanged.
Deny request after it is approved
Any eligible approver can deny a session request after it has already been approved or auto-approved. If a live
session is being conducted at the time you decide to deny the request that session is automatically terminated.
The requestor receives an email notifying them that the request was denied.
To deny the request:
1 Select Approve/Review | Session Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.
34 Start a Remote Session
• Introduction
• Client requirements
• Start a session
• File transfer
• End a session
Introduction
Once a session is approved a user can use TPAM to connect to a remote system. This chapter covers the steps for starting a session and the file transfer options available during a session.
Client requirements
Java® version 7 update 45 or higher is required to run the session applet. Java® 32 bit is supported, but not
Java® 64 bit.
IMPORTANT: If the recording session reaches the limit set in Max Recording Size global setting (set by the
TPAM System Administrator), the session is automatically terminated. Warning messages will be sent when
the session reaches 60% of the set limit.
Start a session
To start a session:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Connect Options tab. Connection options are dependent on the platform, proxy type and if a DPA is assigned to the system. Clear the Use Default Connection Options check box to select different session connection options. The connection options selected by the user will persist for this user every time they connect with this account to a session, using the same proxy type. If the proxy type changes the user will have to save their preferred connection settings again, in order for them to persist. (optional)
Table 84. Session Request Management: Connection Options
Connection option - Description
Cache Bitmaps - Turning this on may help responsiveness during a session over a slow network connection.
Compression - Turn on to control compression of the RDP data stream.
Experience - Experience changes default bandwidth performance behavior. Choices are Default (theming is enabled) or 56Kbps (modem).
Keyboard - The keyboard type you want to emulate during the session. Currently the choices are English (US), French (Swiss), French, Spanish, German, Turkish, Italian, and Belgian.
Language - Sets the language (sometimes referred to as locale) on the target system for the session. On most operating systems this changes things like the language used for system menus, alerts, messages, and numeric formats for default date and time.
Mouse Motion - Option to send the mouse motion during the session or not. Not sending the mouse motion can save bandwidth, although some applications may rely on receiving mouse motion.
Putty:Background - Background color choices of black, green, blue or white.
Putty:Foreground - Foreground color choices of grey, black or white.
Putty:Geometry - Select a window size of 80 x 24 or 132 x 24.
Screen Updates - Screen updates can be sent as bitmaps or left at the default of higher level drawing operations.
XTerm:Backspace - If Ctrl-h is selected, then using the Backspace key during the session will perform the same action as Ctrl-h.
XTerm:Del - If Ctrl-d is selected, then using the Delete key during the session will perform the same action as Ctrl-d.
6 Select the desktop display size for the session. (optional)
NOTE: The window display size selection is not saved, and must be reselected before connecting each time.
7 Click the Connect button. The remote session is initiated in a new page. All activity performed by the remote user is logged and recorded. When a session begins, a new window is opened and the Java® environment is initialized. This step can take up to a minute.
8 Click Yes to accept the web certificate for the applet. This should only appear the first time you start a session in PSM.
9 Depending upon the configuration for session authentication for the account, one of these scenarios occurs:
• The session uses auto-logon with a predefined account and its password.
• The password is provided by TPAM but must be typed in by the user.
• The password is not stored in TPAM and must be typed in by the user.
NOTE: Sessions to remote systems are also subject to the configuration of the access method at the
remote system. Example: if Windows® RDP or Terminal Services is the connection method then the
configuration for disconnected session time outs, maximum connections, and so on, govern certain session
behavior. In addition, troubleshooting problems with connectivity to these systems should include
examining the configuration of the remote system.
Clipboard transfer between the RDP session and the desktop is available if this option was selected at the
account level on the PSM Details tab. The Clipboard transfer feature allows copy/cut and paste of text between
the remote session and the desktop.
If the proxy type for the session is SSH, then the client is PuTTY. When connecting to the session a PuTTY
security warning message will be presented to validate the client machine host keys. Clicking the Accept button
will cache the host key so that this message will not be presented again during the session.
Pressing the Ctrl key and right clicking the mouse will bring up the Putty menu. This menu provides options to
copy the scroll back buffer, change fonts, and reconfigure other settings.
On the bottom of the PSM session window you will see the system name, account name, keyboard mapping
chosen, the hot keys menu, session connection status and the size of any data pasted to the clipboard.
File transfer
Depending on how the account is configured there are options to upload files to the remote system and
download files from the managed system during the session. The time out period for file transfers is 10 hours.
To upload a file:
1 Click the File Transfer tab in the session window.
2 Click the Select File button to locate the file or directory to transfer. Repeat this step for each file or directory to upload. As files and/or directories are selected they are displayed in the Selected Files list.
IMPORTANT: There is a 20 GB size limit on any files transferred.
3 To remove a file that was selected by mistake use the Remove Selected or the Remove All buttons as needed. Additionally, files and directories may be selected by simply dragging and dropping them on the Selected Files list.
4 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password required to upload the file.
5 Click the Upload button to start the transfer process. After the transfer is complete a successful or unsuccessful message will appear at the bottom of the page.
IMPORTANT: The upload process overwrites any existing file(s) if the user has the file system rights to do so. If the user does not have sufficient rights to an existing file and they attempt to upload a file of the same name the upload fails.
To download a file:
CAUTION: File downloads can put a big strain on the appliance. If other users start to see performance problems in TPAM the file download could be the cause.
1 Click the File Transfer tab in the session window.
2 Enter the fully qualified name of the file in the Download File Name box.
3 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password required to download the file.
4 Click the Download button. After the download is complete a successful or unsuccessful message will appear at the bottom of the page.
End a session
Once you have completed what you wanted to do on the remote system you can end the session. To end the
session close the session window. A new session can be started until the release duration on the request expires.
35 Session Management
• Introduction
• Session playback controls
• Meta data window
• Replay a session log
• Add a bookmark to a session
• View bookmarks/captured events
• Jump to a bookmark
• Jump to an event
• Monitor a live session
• Terminate a session
Introduction
The session management menu provides access to session logs and the ability to playback sessions.
Session playback controls
To manipulate the playback of a session, the controls at the bottom of the session replay window let the speed of the playback be changed, ranging from ½ normal speed to 16 times normal speed. Replay may be paused at any point.
The table below defines the functions and display information on the playback tool bar.
Table 85. Playback tool bar options
Option - Description
System Name - The name of the remote system where the session was established.
Account Name - The name of the remote account used to access the system during the session.
Slider Control - Displays the current position of playback, and after the session is paused lets a new position be selected. To reposition session replay, pause the session and position the slider control to the desired spot. Resume playback using the pause control. The session playback moves at maximum speed to the desired playback position.
NOTE: The session time position is based on network packet timestamps. This means that the playback control slider may appear to move in an uneven fashion depending on the ‘data density’ of each packet, especially for very short recorded sessions. If for some period of time there is a minimal amount of activity followed by a flurry of dialog openings and keystroke input, this would cause the uneven control slider movement. Longer session files tend to provide a smoother control slider movement.
Elapsed Time - Time elapsed in the session replay.
Total Session Time - Total length of time of the session.
Pause Button - When green the session is playing. When red the session is paused. To pause or resume playback simply click the control.
Loop Button - Selecting this button sets the session to replay over and over.
Controls Menu/Select Speed - Session play speed in relation to normal speed. For example .5x will play the session at half normal speed.
Controls Menu/Metadata/Open Dialog - If selected this opens a window to display the keystroke log, and tags for events and bookmarks. The keystroke slider at the top of the window can be adjusted so that the user can see the keystrokes taking place in this window before or after they occur in the actual session replay window.
Controls Menu/Add Bookmark - If selected allows the user to add a bookmark at a specific point in the session.
Controls Menu/Always on Top - If selected, the meta data dialog window will be displayed in front of the session replay window.
Meta data window
While replaying the session the meta data window can be displayed in another window to view the
keystroke/event log.
To open the meta data window during a session:
1 Click the Replay Session button.
2 Once the session has a status of connected in the replay window, select Controls Menu | MetaData | Open Dialog.
Keystrokes/events will be displayed in green as they occur during the session replay. Bookmarks are displayed in red. Slide the keystroke slider to the left to view the keystroke log in advance of the activity occurring in the session replay window. If the Clear on Loop check box is selected the keystroke log will be cleared before the session is replayed each time.
Replay a session log
NOTE: You cannot view the keystroke log when replaying a session unless the access policy that is granting
you permission to replay the session has Allow KSL View selected.
To replay a session log:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 Click the File Transfer tab to view details on any files transferred during the session.
7 Click the Captured Events / Bookmarks tab to view details on events captured during the session.
NOTE: If the session log is stored on an archive server there may be a delay while TPAM retrieves the log from its remote storage location.
The remote access session is displayed and played back in real time. The playback session may be paused and resumed, moved ahead or back at increased speed, or continuously played at various speeds.
Prior to v2.5.915 a session log could be “stranded” by closing the browser while a session was recording and clicking the Terminate button. To fix the problem so the session can be replayed, select the session from the Listing page and click the Reset Stats button.
Add a bookmark to a session
Requestors, approvers, and reviewers have the ability to add bookmarks to a session log. By adding a bookmark,
the requestor, approver, or reviewer can point something out to another approver or reviewer that they want
them to look at without them having to replay and watch the entire session.
To add a bookmark:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 When you get to the point in the session where you want to add a bookmark click the Pause button on the session playback controls at the bottom of the window.
7 Select Controls Menu | Metadata | Add Bookmark.
8 Enter text to label the bookmark and click the OK button.
9 After the bookmark is added the session will resume playback.
View bookmarks/captured events
To view bookmarks and captured events from the session logs listing page:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session log.
5 Click the Captured Events, Bookmarks tab. Events are only captured for sessions on an account if the Capture Events? check box is selected for the account on the PSM details tab.
Jump to a bookmark
To jump to a bookmark while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.
7 Click the Select Bookmark tab.
8 Select the bookmark you want to go to.
9 Click the Jump to Bookmark button.
10 The session replay will go to the bookmark but will continue replay; it will not be paused at the bookmark.
Jump to an event
To jump to an event while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.
7 Click the Select Event tab.
8 Select the event you want to go to.
9 Click the Jump to Event button.
10 The session replay will go to the event but will continue replay; it will not be paused at the event.
Monitor a live session
With the appropriate permissions a user can monitor another user’s session. The user running the session has no
indication that their session is being watched.
NOTE: You cannot view the Keystroke Log when monitoring a session.
To monitor a live session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter search filter criteria.
3 Click the Listing tab.
4 Select the session to monitor. Live sessions will have a status of Connected.
5 Click the Monitor Session button. The PSM Session Monitor window will open with a view of the live session.
Terminate a session
An administrator user has the ability to terminate (kill) active sessions. Unless the session request is also
expired or cancelled the user has the ability to restart the session.
CAUTION: Be aware that terminating a session could leave unfinished work on the remote system and
even do potential damage.
To terminate a session:
1 Select Management | Session Mgmt | Manage Sessions from the main menu.
2 On the Active Sessions tab select the session to terminate.
3 Click the Terminate button.
36 Review a Session
• Introduction
• Review status definitions
• Review a session
• Provisional ticket validation on a session
Introduction
Accounts can be configured to have review requirements for PSM Sessions once the sessions are expired. Users
eligible to review sessions receive email notification to alert them of pending reviews.
Review status definitions
The table below explains the different possible session review statuses.
Table 86. Session review statuses
Status - Definition
Pending Review - An authorized reviewer is still required to complete the review process.
Completed - All the required reviewers have clicked the Complete My Review button.
Overdue - A reviewer has not reviewed the session within the required time period.
On the PSM Sessions for Review listing tab there is a column labeled Review Started. If the value is Y, at least one review comment has been submitted. If the value is N, no review comments have been submitted. If the value is - (dash) then the review is complete.
Review a session
To review a session:
1 Select Approve/Review | PSM Session from the main menu.
2 To review a session for a specific account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session to review.
5 Click the Session Logs tab.
6 Select a session log to replay.
7 Click the Replay Session button. For details on replaying sessions see Session playback controls.
NOTE: A session review cannot be completed until one of the session logs has been replayed by the reviewer. TPAM may be configured so that all session logs must be replayed before the review can be completed.
8 Watch the session and then close the session window.
9 To enter or view any comments about a session log, select a session log on the Session Logs tab and click the Comments tab. Enter a comment in the new comment box and click the Save New Comment button to add a comment. (optional) These comments do not flag a session as being reviewed, but may be informative to other reviewers.
10 To view information about a file transfer, select a session log on the Session Logs tab and click the File Transfers tab. (optional)
11 Click the Reviewers tab to see the list of eligible reviewers. (optional) These are the review requirements at the time the session request was submitted.
12 Click the Reviews tab to see any review comments made.
13 Click the Responses tab to see comments that were made when approving this request and comments made by the requestor if they expired the request early.
14 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as configured for their user ID in TPAM.
15 If the session being reviewed was part of a multi-session request, select the Apply Review check box for the appropriate row.
16 To enter a comment before officially marking the session as reviewed enter a comment in the Review Comment box and click the Save My Review Comment button. (optional) Every time a comment is submitted the Reviews Submitted count increases.
17 To mark the review as complete, enter a review comment and click the Complete My Review button.
Provisional ticket validation on a session
If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and
the Ticket System was not available for validation at the time the requestor submitted the request, you see the
following note on the Review Details tab:
37 File Requests
• Introduction
• Request a file
• Email notification
• View submitted file requests
• Access the file
• Cancel/expire a file request
Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.
Request a file
To request a file:
1 Select Request | File | Add Request from the main menu.
2 To request a file on a specific system enter the criteria on the Filter tab.
3 Click the Files tab.
4 Select the file to be included in the request.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting a REQ permission on the file, the file will be listed multiple times on the Files tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration associated with it.
5 Click the Details tab.
6 Complete the following fields:
Table 87. File Request Management: Details tab fields
Field name - Description
Request Immediate - Select this check box to immediately request the file.
Date/Time Required - To have a file released on a future date and time, enter the date and time when the file is required. Enter the time in the user’s local time.
Requested Duration - The requested duration is the period of time that the file is available for release. Once the request is saved this duration is added to the requested release date to determine the request expiration date. Valid parameters for release durations are from 15 minutes to 7 days, in 15 minute increments – however, the effective valid parameter for the maximum allowable release request duration is the value configured for maximum release duration at the file level.
Reason Code - Reason codes will appear if they have been configured by the System Administrator. Reason codes streamline the request process, and may be optional or required, depending on how they are configured.
Request Reason - Used to provide a brief description of the reason for the file release. May be optional, required or not required, depending on configuration.
Ticket System - May be required, based on configuration.
Ticket Number - May be required, based on configuration. If the ticket number fails validation when the request is submitted, then the request is automatically canceled.
7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page:
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same time period or the requestor decides to cancel the request prior to accessing the password. The request will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the file has passed or the requestor is done accessing the file and expires the request early.
Email notification
Once a file request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a file request is submitted and does not require any approvals, the request is auto-approved by PPM and the
requestor immediately sees this message in the feedback area. The Retrieve button will be enabled.
View submitted file requests
To view requests that have been submitted:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
Access the file
Once a request is approved, to retrieve the file:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Retrieve button.
6 Select to open or save the file.
Cancel/expire a file request
A file request can be cancelled by the requestor if the status is Pending Approval. Once approved, a file request can be expired to immediately end the release duration. Expiring a request early makes the file available for other users to request.
To cancel/expire a file request:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Enter a reason in the Expiration Reason box.
7 Click the Save Changes button.
38 Approve/Deny File Request
• Introduction
• Approve/deny file request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a file request is submitted, the associated approver(s) is notified via email of the pending request. The
approver logs on to TPAM to approve/deny the request.
Approve/deny file request
The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.
To approve/deny a file request:
1 Select Approve/Review | File Request from the main menu.
2 To approve/deny a request on a specific system enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.
6 Click the Conflicts tab to see if any other pending requests for this file overlap with the same release duration.
7 Click the Approvers tab to see the list of other eligible approvers for this request.
8 Click the Responses tab to see the responses other eligible approvers have made for this request.
9 Enter comments in the Request Response box.
10 Click the Approve Request or Deny Request button.
Revalidate ticket on a request
If the required Ticket System for this file has “provisional validation enabled” in the admin interface, and the
Ticket System is not available for validation at the time the requestor submits the request, you see the
following note on the Approval Details tab:
The request can be approved/denied without revalidating the ticket.
To revalidate the ticket:
1 Click the Revalidate Ticket button. The following pop up appears:
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of the request will remain unchanged.
Deny request after it is approved
Any eligible approver can deny a file request after it has already been approved or auto-approved. Once denied, the requestor will no longer have access to the file. The requestor receives an email notifying them that the request was denied.
To deny the request:
1 Select Approve/Review | File Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.
39 On Demand Reports
• Introduction
• Report time zone options
• Run a report
• Report descriptions
Introduction
TPAM has a number of pre-defined reports to aid in system administration, track changes to objects, and
provide a thorough audit trail for managed systems. All reports are accessed via the Reports menu. The reports
can be filtered by criteria that are specific to each report type.
Report time zone options
Time zone filter parameters are included on most of the reports allowing you to view the report data in your
local or server time zone (UTC). These filter parameters only appear if you are configured with a local time
zone. These parameters affect not only the data reported but also the filter dates used to retrieve the data.
NOTE: Access to different reports is based on the user’s permissions. Only TPAM Administrators and Auditors have access to all reports.
For example, the server is at UTC time and the user is in Athens, Greece (UTC +2). When the user enters a date
range of 9/16/2009-9/17/2009 with the local time zone option, the report retrieves transactions that happened
on the server between 9/15/2009 22:00 through 9/17/2009 21:59.
All reports that use the local time zone filter have an extra column indicating the UTC offset that was used to
generate the report. This value is either the current UTC offset of the user. This column will also display in
reports that are exported using Excel or CSV.
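The Athens example above, carried through as an added Python example (not part of the guide or of the TPAM product): it maps an inclusive local-date filter range to the UTC window the server is queried for, applies that window to constructed sample audit rows, and fills the UTC-offset column the guide mentions. It uses the fixed UTC+2 offset the guide states for the example (a real Athens zone would apply DST); the function names and the row format are assumptions.

```python
"""Map a report's local-time date filter to the UTC window queried on the appliance."""
from datetime import date, datetime, time, timedelta, timezone


def _as_date(d) -> date:
    """Accept either a date or an ISO string such as '2009-09-16'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def report_window_utc(start_day, end_day, utc_offset_hours: float):
    """Return (start, end) as aware UTC datetimes for an inclusive local date range.

    Local midnight on start_day opens the window and 23:59 local on end_day closes it,
    which is why the guide's example ends at 21:59 server time rather than 22:00.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    local_start = datetime.combine(_as_date(start_day), time(0, 0), tzinfo=local_tz)
    local_end = datetime.combine(_as_date(end_day), time(23, 59), tzinfo=local_tz)
    return local_start.astimezone(timezone.utc), local_end.astimezone(timezone.utc)


def fmt(dt: datetime) -> str:
    """Format like the guide's example: 9/15/2009 22:00 (no zero-padded month/day)."""
    return f"{dt.month}/{dt.day}/{dt.year} {dt:%H:%M}"


def report_window_text(start_day, end_day, utc_offset_hours: float):
    """The server-side window as the two strings a reader can compare with the guide."""
    start, end = report_window_utc(start_day, end_day, utc_offset_hours)
    return fmt(start), fmt(end)


def utc_offset_label(utc_offset_hours: float) -> str:
    """Value for the extra UTC-offset column, e.g. 'UTC+02:00'."""
    sign = "+" if utc_offset_hours >= 0 else "-"
    whole = int(abs(utc_offset_hours))
    minutes = int(round((abs(utc_offset_hours) - whole) * 60))
    return f"UTC{sign}{whole:02d}:{minutes:02d}"


def select_rows(rows, start_day, end_day, utc_offset_hours: float):
    """Keep rows whose UTC timestamp falls inside the window and add the offset column.

    Rows are (timestamp_utc 'YYYY-MM-DD HH:MM', description) tuples; the offset 0 case
    corresponds to choosing the server (UTC) time zone option on the filter.
    """
    start, end = report_window_utc(start_day, end_day, utc_offset_hours)
    label = utc_offset_label(utc_offset_hours)
    selected = []
    for ts_utc, description in rows:
        stamp = datetime.strptime(ts_utc, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        if start <= stamp <= end:
            selected.append({"utc": ts_utc, "event": description, "utc_offset": label})
    return selected


# Constructed sample activity rows (stored in UTC on the server); not real TPAM data.
# The first and last rows sit one minute outside the Athens window on either side.
SAMPLE_ROWS = [
    ("2009-09-15 21:30", "password release (outside window)"),
    ("2009-09-15 22:00", "session request approved"),
    ("2009-09-16 12:00", "password reset"),
    ("2009-09-17 21:59", "session terminated"),
    ("2009-09-17 22:00", "file retrieved (outside window)"),
]

if __name__ == "__main__":
    print("server window:", report_window_text("2009-09-16", "2009-09-17", 2))
    for row in select_rows(SAMPLE_ROWS, "2009-09-16", "2009-09-17", 2):
        print(row)
```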
Run a report
The following procedure describes the steps to run a report in TPAM.
To run a report:
1 From the Reports menu select the report.
2 On the Report Filter tab enter the filter criteria.
3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the report.
5 Select the appropriate box in the Sort Column column to specify sort order.
6 Select the Sort Direction.
7 If viewing the report in the TPAM interface, select the Max Rows to display.
IMPORTANT: The Max Rows to Display limits the number of rows that are returned even if the number of rows that meet the filter criteria is greater than what is selected.
8 To view the report results in TPAM click the Report tab. To adjust the column size of any column on a report hover the mouse over the column edge while holding down the left mouse button and dragging the mouse to adjust the width.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export option. The Export to Excel option only exports a maximum of 64,000 rows.
10 Open or Save the report file.
Report descriptions
The following table lists the on demand reports available in TPAM.
Table 88. TPAM report descriptions
Report title: Description
Activity Report: Detailed history of all changes made to TPAM.
ISA User Activity Report: Detailed records of all activities performed by users with ISA permissions.
Approver User Activity: Detailed records of all activities performed by users with Approver permissions.
Requestor User Activity: Detailed records of all activities performed by users with Requestor permissions.
PSM Accounts Inventory (PSM Customers only): Accounts that are PSM enabled.
Password Aging Inventory: Managed systems, and the managed accounts that reside on those systems.
File Aging Inventory: Secure stored files and the systems that manage them.
Release-Reset Reconcile: Audit evidence that released passwords have been reset appropriately.
User Entitlement: Data to review and audit users’ permissions for systems, accounts, files and commands on an enterprise scale.
NOTE: It is recommended that Show Only Effective Permissions is selected to reduce the size of the report.
NOTE: If any of the Expand … options are selected, at least one of the text filters must be filled in with a non-wildcard value. For very large data sources the expansion of Collections, Groups, and/or Access Policies can very easily create a report beyond the retrieval and display capabilities of a web browser. For large data sets (tens of thousands of accounts or thousands of large collections to expand) it is recommended to rely on the Data Extracts for unfiltered versions of the Entitlement Report.
Failed Logins: Failed login attempts to Privileged Account Manager. The data for the report is refreshed every 15 minutes.
Password Update Activity: Password modifications to systems managed by Privileged Password Manager.
Password Update Schedule: Scheduled password changes and the reason for the change.
Password Testing Activity: The results of automated testing of each managed account’s password.
Password Test Queue: Accounts currently queued for password tests.
NOTE: This is a useful report to view when troubleshooting performance related issues. A high number of queued password tests can impact system response time if the check agent is running. This report does not provide a mechanism for exporting data but does provide for deleting passwords from the test queue. So if there is some known reason why a large group of password tests is failing, such as a network outage, that group can be filtered out in the report and then deleted. An alternative would be to just stop the check agent.
Expired Passwords: Currently expired passwords, or passwords that will expire within a date range.
Passwords Currently in Use: Defines “in-use” passwords as:
• Passwords that have been retrieved by the ISA/CLI/API that have not yet been reset.
• Passwords that have been requested and retrieved, but have not yet been reset.
• Password has been manually reset on the Account Details or Password Management pages, but has not yet been reset by PPM.
• Password has been manually entered on the Account Details page, but has not yet been reset by PPM.
• Account is created on the TPAM interface or as a result of Batch Import Accounts and is assigned a password by the user (as opposed to letting the system generate a random password).
Password Requests: Password requests and the details relating to the request. Selecting a row in the report, and clicking on the Responses, Reviews and Releases tab gives you additional details on the request.
Password Consecutive Failures: Password check and change failures for accounts.
Auto-Approved Password Releases: Password releases that did not require dual control approval.
Auto-Approved File Releases: File releases that did not require dual control approval.
Password Release Activity: Details on password releases, such as request reason, retrieval date and ticket information.
File Release Activity: Details on file releases, such as request reason, retrieval date and ticket information.
Windows® Domain Account Dependencies: Managed domain accounts that have dependencies on other systems.
Auto Approved Sessions (PSM customers only): Sessions that were approved, as a result of no approval requirements for sessions on the account.
PSM Session Activity (PSM customers only): Session details, such as start date, end date, and request reason.
PSM Session Requests (PSM customer only): Session requests and the details relating to the request. Selecting a row in the report, and clicking on the Responses, Reviews and Releases tab gives you additional details on the request.
40 Network Tools
• Introduction
• The ping utility
• Nslookup utility
• TraceRoute utility
• Telnet test utility
• Display routes
Introduction
To assist the TPAM Administrator with troubleshooting common network related problems, TPAM contains
network tools that are accessible from the TPAM interface.
The ping utility
The ping utility can be used to verify connectivity to remote hosts and determine latency. Many of the optional
parameters for the ping command are available; each available option is listed with a short description.
To use the ping utility:
1 Select Management | Network Tools | Ping from the menu.
2 Enter the IP or Hostname.
3 Select the options desired.
4 Click the Ping button. The results will be displayed.
Nslookup utility
Nslookup is a common TCP/IP tool used to test DNS settings and perform similar information gathering using DNS
resolution. The TPAM nslookup utility uses only the DNS server(s) configured for TPAM; the option to specify a
server is not provided. TPAM Administrators can benefit from the ability to use nslookup to resolve hostnames to
IP addresses and vice versa.
To use Nslookup:
1 Select Management | Network Tools | Nslookup from the menu.
2 Enter the IP address or Hostname to look up.
3 Click the Lookup button.
TraceRoute utility
The traceroute utility is available for examining network routing and connectivity from TPAM to a remote IP
address or hostname. The use of traceroute is often disallowed by firewalls, routers, and other network security
infrastructure, but if allowed, it can be a valuable diagnostic tool.
To use Traceroute:
1 Select Management | Network Tools | TraceRoute from the menu.
2 Enter the IP or Hostname to trace.
3 Select the -d check box. (Optional)
4 Change the default number of hops and timeout wait. (Optional)
5 Click the Trace button.
Telnet test utility
The Telnet test utility lets a connectivity test be performed from the appliance to another system over a specific
port. The tool tests the defined port using telnet functionality to verify whether a connection can be made, and
then immediately closes the connection.
To use the Telnet test utility:
1 Select Management | Network Tools | TelnetTest from the menu.
2 Enter the network address, port and timeout period.
3 Click the Trace button.
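The same check the Telnet test utility performs, as an added Python example run from an administrator's workstation rather than from the appliance (this is not TPAM's code): open a TCP connection to a host and port with a timeout, report the outcome, and close the connection immediately without sending any data. The loopback listener that the self-check creates is constructed for the demonstration only.

```python
import socket

# Added example, not TPAM code: a telnet-style port test with a timeout that
# closes the connection as soon as it is established.


def tcp_port_open(host, port, timeout_seconds=5.0):
    """Return (reachable, detail). detail is 'connected', 'timeout', or the
    operating system's error text (e.g. connection refused, name not known).
    Nothing is ever written to the connection."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout_seconds):
            return True, "connected"          # context manager closes immediately
    except socket.timeout:
        return False, "timeout"
    except OSError as exc:                    # refused, unreachable, DNS failure
        return False, exc.strerror or str(exc)


def self_check():
    """Exercise the test against a listener on this machine (constructed for the
    demo), then against the same port after the listener has been closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_port_open("127.0.0.1", port, 2.0)
    listener.close()
    after_close = tcp_port_open("127.0.0.1", port, 2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(self_check())
```

Because nothing is sent, the check only tells you that a TCP listener answered on that port, which is exactly what the appliance's utility reports; it does not confirm which service is behind it.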
Display routes
Several tools are available to manage the routing table on TPAM, if the need arises.
To display current routes:
1 Select Management | Network Tools | Show Routes from the menu.
If necessary, TPAM System Administrators have the ability to edit the routes in the config interface.
41 CLI Commands
• Introduction
• Command standards
• Commands
Introduction
The TPAM command line interface (CLI) provides a method for authorized users or automated processes to
retrieve information from the TPAM system. Commands must be passed to TPAM via SSH (secure shell) using an
identity key file provided by TPAM. A specific CLI user ID is also required. See Add a CLI user ID for more details
on creating the user ID. CLI user IDs are case sensitive when logging on.
SSH software must be installed on any system before it can be used for TPAM CLI access.
Commands accept parameters in the style of --OptionName option value (two dashes precede the option
name). Commands that existed prior to TPAM v2.2.754 also still accept the comma-separated syntax, so existing
scripts do not need to be modified unless you wish to take advantage of new parameters that have been added
to the command in later versions of TPAM.
All commands recognize an option of --Help. This expanded help syntax will show all valid options for each
command, whether the option is required or optional, and a description of the option and allowed values.
NOTE: Many of the CLI commands will not run if the TPAM appliance is in maintenance mode.
Command standards
• Options may be specified in any order in the command.
• Option names are not case sensitive; --SystemName and --systemname are equivalent.
• When the --Help option is used, no other processing takes place. The help text is printed and the command terminates.
• Options marked as “optional” are just that: optional. They do not need to be included in the command line to “save space” for commands that come afterwards.
• Option names may be abbreviated “to uniqueness” for each command. For example, if a command accepts options of --SystemName, --AccountName, and --Description, the option names can be abbreviated to --S, --A, and --D, respectively. However, if the options were --AccountName and --AccountDescription they can only be abbreviated to --AccountN and --AccountD.
• Any option value that contains spaces, e.g., --Description or --RequestNotes, must be surrounded with single or double quotes, depending on your command line shell. It is also recommended that you surround the entire command invocation with quotes to prevent the shell from unintentionally stripping desired quotes from your command. Additionally, your shell environment may require escaping extra quotes within your command. The following is an example using Windows® cmd.exe:
[...]"UpdateSystem[...]\"System1[...]\"Description for System1\"[...]
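The conventions above in working form, as an added Python example that is not TPAM's own tooling: resolving an abbreviated option name to the single option it uniquely prefixes, assembling the command string with quoted values, and building the ssh invocation that carries it to the appliance in both POSIX-shell and cmd.exe spellings. The host name, CLI user ID and identity key path are placeholders; the option lists used in the demo are the ones from the text.

```python
import shlex
import subprocess

# Added example, not TPAM code. Connection details are placeholders.
TPAM_HOST = "tpam.example.internal"
CLI_USER = "cliuser"
KEY_FILE = "/path/to/tpam_cli_identity_key"


def resolve_option(abbrev, option_names):
    """Expand an abbreviation such as '--S' or '--AccountN' to the one option
    name it uniquely prefixes. Leading dashes are ignored and matching is
    case-insensitive, as the text describes for TPAM option names."""
    needle = abbrev.lstrip("-").lower()
    matches = [name for name in option_names if name.lower().startswith(needle)]
    if not matches:
        raise ValueError("unknown option: --" + abbrev.lstrip("-"))
    if len(matches) > 1:
        raise ValueError("ambiguous option --%s: matches %s"
                         % (abbrev.lstrip("-"), ", ".join("--" + m for m in matches)))
    return matches[0]


def build_command(command, option_names, **options):
    """Assemble 'Command --Option value ...'. Each option name is expanded to
    its full form; values containing spaces or quotes are wrapped in double
    quotes with embedded double quotes escaped."""
    parts = [command]
    for abbrev, value in options.items():
        text = str(value)
        if " " in text or '"' in text:
            text = '"' + text.replace('"', '\\"') + '"'
        parts.append("--%s %s" % (resolve_option(abbrev, option_names), text))
    return " ".join(parts)


def ssh_argv(command, host=TPAM_HOST, user=CLI_USER, key_file=KEY_FILE):
    """argv for subprocess: the whole TPAM command travels as one ssh argument,
    so when passed this way it needs no further shell quoting."""
    return ["ssh", "-i", key_file, "-l", user, host, command]


def posix_shell_line(argv):
    """The same invocation as typed into sh/bash: the command becomes a single
    single-quoted argument, preserving the inner double quotes."""
    return " ".join(shlex.quote(arg) for arg in argv)


def cmd_exe_line(argv):
    """The same invocation as typed into Windows cmd.exe, following the pattern
    in the text: whole command in double quotes, inner quotes backslash-escaped."""
    head, command = argv[:-1], argv[-1]
    return " ".join(head) + ' "' + command.replace('"', '\\"') + '"'


def run(argv):
    """Send the command to the appliance and return its output (needs a
    reachable TPAM; not exercised by the stand-alone demo)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    names = ["SystemName", "Description"]
    cmd = build_command("UpdateSystem", names, S="System1", D="Description for System1")
    print(posix_shell_line(ssh_argv(cmd)))
    print(cmd_exe_line(ssh_argv(cmd)))
```

Resolving abbreviations client-side is what makes scripts robust when a later TPAM release adds an option that turns a previously unique prefix ambiguous: the script fails loudly before anything reaches the appliance instead of silently setting the wrong option.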
Commands
AddAccount --options
Adds a new system account. The CLI user must have ISA or Administrator privilege.
Table 89. AddAccount options
Option name (Req/Opt): Description
--SystemName (Req): System Name. Maximum 30 characters.
--AccountName (Req): Account Name. Maximum 30 characters.
--AccountDN (Opt): The distinguished name of the account on a Novell NDS, LDAP or LDAPS system.
--AliasAccessOnlyFlag (Opt): This option is obsolete. Any value passed in using this option will be used for the --IgnoreSystemPoliciesFlag option.
--AllowISADurationFlag (Opt): Allow the ISA to specify a duration when retrieving a password. Y/N
--AutoFlag (Opt): Account Password Management type. N=None, Y=Automatic, M=Manual
--BlockAutoChangeFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the password change profile.
--ChangeFrequency (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the password change profile.
--ChangeTime (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the password change profile.
--CheckFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the password check profile.
--ChangeServiceFlag (Opt): Change the password for Windows® Services started by this account. Y/N (Windows® platforms only)
--ChangeTaskFlag (Opt): Change the password for the Windows® scheduled tasks started by this account. (Windows® platforms only)
--Custom[1-6] (Opt): Custom Account Columns, if defined. Use !NULL to clear the value.
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--DomainAccountName (Opt): For Windows® or BoKS platforms. Enter domainname\accountname
--EnableBeforeReleaseFlag (Opt): Y/N. If Y, TPAM will disable the account on the remote system until the password is released or a session started which uses the password to authenticate. Only applies to Windows® platforms.
--EscalationEmail (Opt): If a password post-release review is not completed within the number of hours in EscalationTime send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a password post-release review has not been completed. Expressed in hours. Use 0 (zero) to disable the notification.
--IgnoreSystemPoliciesFlag (Opt): Ignore System Policies Flag. Y/N. When set to Y any System-level Access Policies are ignored, and only Account-level policies are used for permissions.
--LockFlag (Opt): Account Lock Flag. Y/N. Passwords for locked accounts cannot be retrieved, released, or changed.
--MaxReleaseDuration (Opt): The maximum duration for a password request, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 1-10080 (7 days).
--MinimumApprovers (Opt): Minimum number of approvals required for a password release request. 0 (zero) indicates that all requests are auto-approved.
--NextChangeDate (Opt): Set the next scheduled change date for this account. The account will be scheduled for the first available time window based on the password change profile.
--OverrideAccountability (Opt): When the Global Setting to Allow Account specific override is enabled this flag can be turned on at the account level to allow simultaneous, overlapping password requests to be approved. When the Global Setting is not enabled this flag is ignored. Y/N
--Password (Opt): Initial or new password for the account. The password cannot be changed for auto-managed accounts. Maximum of 128 characters.
--PasswordChangeProfile (Opt): A profile which controls when the account will have its password changed.
--PasswordCheckProfile (Opt): A profile which controls when the account will have its password checked.
--PasswordRule (Opt): Name of the Password Rule used to generate passwords for the account. The default rule for new accounts is set on the managed system. You may also specify “Default Password Rule” or another rule to override this.
--ReleaseNotifyEmail (Opt): Use !NULL to clear the value.
--ReleaseChangeFlag (Opt): Change the password after any ISA, CLI, or API release. Y/N
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 0-10080 (7 days). This is ignored if ReleaseChangeFlag is N. If 0 is entered the ISA retrieval of a password will not trigger a post release reset of the password.
--RequireTicketForAPI (Opt): Require a valid Ticket System & Number for any API password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI (Opt): Require a valid Ticket System & Number for any CLI password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA (Opt): Require a valid Ticket System & Number for any ISA password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForPSM (Opt): Require a valid Ticket System & Number for any PSM request on this account. Y/N.
--RequireTicketForRequest (Opt): Require a valid Ticket System & Number for any password request on this account. Y/N
--ResetFlag (Opt): Reset the password if a regular check finds it to be different than what's stored in PPM. Y/N. This value is ignored if CheckFlag is N.
--RestartServiceFlag (Opt): Restart Windows® services started by this account, following a password change. Y/N (Windows® only)
--ReviewCount (Opt): Number of post-release reviews required after a password release. 0-n
--ReviewerName (Opt): User Name or Group Name of required reviewer. Only valid when ReviewerType is User or Group.
--ReviewerType (Opt): Type of reviewer. Valid values are: Any (default), Auditor, User, Group
--SimulPrivAccReleases (Opt): Number of simultaneous Privileged Access Users who may retrieve the password. 0-99
--TicketSystemName (Opt): When RequireTicketForRequest is Y this is the Ticket System that's required. Use a value of “!Any” to allow tickets from any valid ticket system.
--TicketEmailNotify (Opt): Email to notify if a password is retrieved via API, CLI, or ISA without a ticket number. Ignored when RequireTicketForRequest is N or a ticket is required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--UseSelfFlag (Opt): Use the account's current password to change the password. Y/N. If the functional account is flagged as “non-privileged” at the system level this value should be set to Y.
AddCollection --options
Creates a new collection. The CLI user must have ISA or administrator privilege.
Table 90. AddCollection options
Option name (Req/Opt): Description
--CollectionName (Req): Name of collection.
--Description (Opt): Collection description. Max of 50 characters.
--PSMDPAAffinity (Opt): List of DPAs to use for PSM Affinity assignment in the form of DPAName1/priority;DPAName2/priority. Pass “any” to reset the list and allow any DPA to be used. Priority must be >=0 to add a DPA. A priority of 0 removes a DPA from the list.
Legacy support:
AddCollection <CollectionName>,<CollectionDescription>
AddCollectionMember --options
Creates a new collection member where the system, account and/or file and collection(s) currently exist. The
CLI user must have administrator privilege or the ISA permission over the collection and the system and/or file.
Table 91. AddCollectionMember options
Option name (Req/Opt): Description
--CollectionName (Req): Name of collection.
--SystemName (Req): Name of system to add to collection. If an account or file is being added to the collection then they must exist on this system. A system cannot be in the same collection as any of its accounts or files.
--AccountName (Opt): Name of the account to add to the collection. If a system or file is being added to the collection this value must be empty. The account must reside on --SystemName and cannot be a member of any of the same collections as the system.
--FileName (Opt): Name of the file to add to the collection. If a system or account is being added to the collection this value must be empty. The file must reside on --SystemName and cannot be a member of any of the same collections as the system.
Legacy support:
AddCollectionMember <MemberName>,<CollectionName>
AddGroup --options
Creates a new group. The CLI user must have ISA or administrator privilege.
Table 92. AddGroup options
Option name (Req/Opt): Description
--GroupName (Req): Name of the group.
--Description (Opt): Description of group. Max of 50 characters.
Legacy support:
AddGroup <GroupName>,<GroupDescription>
AddGroupMember --options
Adds an existing user account to one or more existing groups. The CLI user must have administrator privilege.
--GroupID or --GroupName may be passed, but not both.
Table 93. AddGroupMember options
Option name (Req/Opt): Description
--GroupName (Opt): Name of the group.
--GroupID (Opt): Unique identifier assigned to group by TPAM.
--UserName (Req): Name of user to add to the group. Only basic and administrator user types can be added to a group. Multiple UserNames can be specified using semicolons between names.
Legacy support:
AddGroupMember <UserName>,<GroupName>
AddPwdRequest --options
CLI users can create a password request for themselves as well as other users. Both users (the calling CLI user
and the user they're adding for) must have request permissions on the target system. The target user must be a
web-based user, i.e., not a CLI or API user. The CLI user creating the request may later cancel the request, but
cannot approve the request they create.
Table 94. AddPwdRequest options
Option name (Req/Opt): Description
--SystemName (Req): System for which the password request is being created.
--AccountName (Req): Account for which the password request is being created.
--ForUserName (Opt): The user you are creating the request for. This parameter should be omitted if submitting a request for yourself.
--AccessPolicyName (Opt): An access policy to use for the request. This is only required if the user has access to the account via more than one policy.
--ReasonCode (Opt): A reason code for the request. Based on global settings, a reason code may be required, optional, or not allowed.
--RequestImmediateFlag (Opt): Use Y to create an immediate request, N to create a request with a future date. If N is entered, you must supply the --RequestedReleaseDate option.
--RequestedReleaseDate (Opt): Required if the RequestImmediate option is N. Must be a valid future date in the form of MM/DD/YYYY HH:MM (using a 24 hour clock).
NOTE: If the --ForUserName is assigned to a time zone other than UTC, this value represents the local time for the user.
--ReleaseDuration (Opt): Duration of the request in minutes. Time is rounded up to the next 15 minute interval. The default is 120 minutes for password requests. The maximum value is set on the account details.
--RequestNotes (Opt): Description of the request. Up to 1000 characters. Based on global settings, a RequestNote may be required, optional, or not allowed.
--TicketNumber (Opt): A ticket number from the --TicketSystemName. This may be required based on account settings.
--TicketSystemName (Opt): The name of the ticket system to use for validation. This may be required based on account settings.
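The scheduling rules from Table 94, as an added Python example (not TPAM's code) that a script can run before it submits AddPwdRequest: --RequestImmediateFlag N requires a valid future --RequestedReleaseDate in MM/DD/YYYY HH:MM, and --ReleaseDuration is rounded up to the next 15-minute interval, defaults to 120 and may not exceed the account's maximum. The account maximum is passed in as a parameter because this example cannot read the account details; treating an omitted flag as an immediate request and rejecting a non-positive duration are this example's own assumptions.

```python
from datetime import datetime

# Added example, not TPAM code: pre-flight validation of AddPwdRequest options.
RELEASE_DATE_FORMAT = "%m/%d/%Y %H:%M"        # MM/DD/YYYY HH:MM, 24-hour clock
DEFAULT_PASSWORD_REQUEST_MINUTES = 120


def round_up_to_15(minutes):
    """Round a duration up to the next 15-minute interval, as TPAM does."""
    return ((int(minutes) + 14) // 15) * 15


def normalize_pwd_request(options, account_max_minutes, now=None):
    """Check and normalise the scheduling options of an AddPwdRequest.
    options: option names (without dashes) to values.
    account_max_minutes: the account's maximum release duration (account details).
    now: reference time for the 'future date' rule, a datetime or a string in
    RELEASE_DATE_FORMAT; per the NOTE in the table it should be the
    --ForUserName's local time. Returns a new dict ready to be sent."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.strptime(now, RELEASE_DATE_FORMAT)
    opts = dict(options)
    for required in ("SystemName", "AccountName"):
        if not opts.get(required):
            raise ValueError("--%s is required" % required)
    # Assumption of this example: an omitted flag means an immediate request.
    immediate = str(opts.get("RequestImmediateFlag", "Y")).upper()
    if immediate not in ("Y", "N"):
        raise ValueError("--RequestImmediateFlag must be Y or N")
    if immediate == "N":
        raw = opts.get("RequestedReleaseDate")
        if not raw:
            raise ValueError("--RequestedReleaseDate is required when --RequestImmediateFlag is N")
        when = datetime.strptime(raw, RELEASE_DATE_FORMAT)   # ValueError if malformed
        if when <= now:
            raise ValueError("--RequestedReleaseDate must be a future date")
        opts["RequestedReleaseDate"] = when.strftime(RELEASE_DATE_FORMAT)
    duration = round_up_to_15(opts.get("ReleaseDuration", DEFAULT_PASSWORD_REQUEST_MINUTES))
    if duration <= 0:   # assumption of this example: a zero-length request is rejected
        raise ValueError("--ReleaseDuration must be positive")
    if duration > account_max_minutes:
        raise ValueError("--ReleaseDuration %d exceeds the account maximum of %d minutes"
                         % (duration, account_max_minutes))
    opts["ReleaseDuration"] = duration
    return opts


if __name__ == "__main__":
    # Constructed demo values: system and account names are placeholders.
    print(normalize_pwd_request({"SystemName": "sys1", "AccountName": "root",
                                 "RequestImmediateFlag": "N",
                                 "RequestedReleaseDate": "09/17/2009 14:30",
                                 "ReleaseDuration": 50}, 1440, now="09/16/2009 12:00"))
```

Doing this locally turns the appliance's rejection of a bad request into an immediate, readable error in the script, and shows the caller the rounded duration that will actually be granted.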
AddSessionRequest --options
CLI users can create a session request for themselves as well as other users. Both users (the calling CLI user
and the user they're adding for) must have request permissions on the target system. The target user must be a
web-based user, i.e., not a CLI or API user. The CLI user creating the request may later cancel the request, but
cannot approve the request they create.
Table 95. AddSessionRequest options
Option name (Req/Opt): Description
--SystemName (Req): System for which the session request is being created.
--AccountName (Req): Account for which the session request is being created.
--ForUserName (Opt): The user you are creating the request for. This parameter should be omitted if submitting a request for yourself.
--AccessPolicyName (Opt): An access policy to use for the request. This is only required if the user has access to the account via more than one policy.
--CommandName (Opt): The command name that will be used during the session. If the command is specified then the --AccessPolicyName must also be specified and include REQ permissions for you and the user for whom the request is being created.
--ReasonCode (Opt): A reason code for the request. Based on global settings, a reason code may be required, optional, or not allowed.
--RequestImmediateFlag (Opt): Use Y to create an immediate request, N to create a request with a future date. If N is entered, you must supply the --RequestedReleaseDate option.
--RequestedReleaseDate (Opt): Required if the --RequestImmediate option is N. Must be a valid future date in the form of MM/DD/YYYY HH:MM (using a 24 hour clock).
NOTE: If the --ForUserName is assigned to a time zone other than UTC, this value represents the local time for the user.
--ReleaseDuration (Opt): Duration of the request in minutes. Time is rounded up to the next 15 minute interval. The default duration is set on the account’s PSM details page. The maximum value is set on the account details page.
--RequestNotes (Opt): Description of the request. Up to 1000 characters. Based on global settings, a RequestNote may be required, optional, or not allowed.
--TicketNumber (Opt): A ticket number from the --TicketSystemName. This may be required based on account settings.
--TicketSystemName (Opt): The name of the ticket system to use for validation. This may be required based on account settings.
AddSyncPass --options
Allows you to add a synchronized password.
Table 96. AddSyncPass options
Option name (Req/Opt): Description
--SyncPassName (Req): Name of synchronized password. You must have administrator privileges.
--AccountLevelCheckProfile (Opt): Y/N. Default value is N. If Y, the synchronized password does not have a Password Check Profile and the password check schedule is based on the profile assigned to each member account.
--ChangeFrequency (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the Password Change Profile.
--ChangeTime (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the Password Change Profile.
--CheckFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the Password Check Profile.
--DisableFlag (Opt): Disable synchronizing subscribed accounts. Y/N
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--NextChangeDate (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the Password Change Profile.
--Password (Opt): Initial or new password for the account. The password cannot be changed for auto-managed accounts. Max of 128 characters.
--PasswordChangeProfile (Opt): A profile which controls when the account will have its password changed.
--PasswordCheckProfile (Opt): A profile which controls when the account will have its password checked.
--PasswordRule (Opt): Name of the Password Rule used to generate passwords for the account. The default rule for new accounts is set on the managed system. You may also specify Default Password Rule or another rule to override this.
--ReleaseNotifyEmail (Opt): Use !NULL to clear the value. This email address receives an email when the password is released.
--ReleaseChangeFlag (Opt): Change the password after any ISA, CLI or API release. Y/N
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password, expressed in minutes. The value will be rounded to the nearest 15 minute increment. Valid values are 0-10080 (7 days). If 0 is entered the ISA retrieval of a password will not trigger a post release reset of the password. This value is ignored if ReleaseChangeFlag is N.
--ResetFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of this option has been assumed by the Password Check Profile.
AddSyncPwdSub --options
Allows you to add subscribers to a synchronized password.
Table 97. AddSyncPwdSub options
Option name (Req/Opt): Description
--SyncPassName (Req): Name of synchronized password. You must have administrator privileges.
--Systemname (Req): System name of the subscribing account.
--AccountName (Req): Name of the subscribing account.
AddSystem--options
Creates a new system. The CLI user must have ISA or Administrator privilege.
Table 98. AddSystem options
Option name
Req/Opt Description
--SystemName
Req
System Name. Must be between 2 and 30 characters in length and
consist of only upper or lower case letters, numbers, hyphen,
underscore, period, or US dollar sign ($).
--AllowFuncReqFlag
Opt
Whether to allow the functional account password to be requested and
released. Y/N. Default N.
--AllowISADurationFlag
Opt
Allow an ISA to enter a duration when releasing a password in the GUI.
Y/N. Default N.
--AlternateIP
Opt
Obsolete as of TPAM 2.5.909
--AutoDiscoveryExcludeList Opt
List of account names (up to 1,000 characters) separated by semicolons which will be ignored when processing the auto-discovery
profile on this system. Use !NULL to clear the value or override the
template’s value.
--AutoDiscoveryProfile
Opt
Name of auto-discovery profile which will be used to discover
new/deleted accounts on this system. Use !NULL to clear the value or
override the template’s value. Auto-discovery is only valid for
Windows®, *nix, and DBMS platforms.
--AutoDiscoveryTimeout
Opt
Timeout (in seconds) when discovering accounts on this system. Default
is 300 seconds. If the discovery process times out it will continue to
discover the remaining accounts during the next scheduled run.Use 0
(zero) to set to the default.
--BoksServerOS
Opt
The OS Name (platform) for a Boks server.
--ChangeFrequency
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Change Profile.
TPAM 2.5
Administrator Guide
303
Table 98. AddSystem options
Option name
Req/Opt Description
--ChangeTime
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Change Profile.
--Custom[1-6]
Opt
Custom system columns, if defined. Use !NULL to clear the value.
--CheckFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Check Profile.
--Description
Opt
Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount
Opt
The domain account to be used as the functional account.
DomainName\AccountName
--DomainName
Opt
The domain name for Windows®.
--EGPOnlyFlag
Opt
Setting this value to Yes will disabled *ALL* PPM functionality on this
system and all its accounts and will delete any existing password
history or secure stored files. Y/N.
--EnablePassword
Opt
Password to use for the “ENABLE” account (Cisco platforms only) or
“EXPERT” account (for CheckPoint SP platforms only).
--EscalationEmail
Opt
If a password post-release review is not completed within the number
of hours in EscalationTime send and email to this address. Use !NULL to
clear the value.
--EscalationTime
Opt
Number of hours after which to send an escalation email if a password
post-release has not been completed. Expressed in hours. Use 0 (zero)
to disable the notification.
--FuncAcctCred
Opt
Password for the account indicated in the FunctionalAccount option.
Use a password of DSS to have the system use system standard keys for
functional account credentials or a password of SPECIFIC to use a
system specific key.
--FuncAcctDN
Opt*
The distinguished name of the functional account. Required for Novell
NDS, LDAP pr LDAPS systems. Ignored for all others.
--FunctionalAccount
Opt
Account name of the functional account for the system. This is the
account which will be used to change other passwords on the system.
--LineDef
Opt
Cisco telnet attribute.
--MaxReleaseDuration
Opt
The maximum duration for a password request, expressed in minutes.
The value will be rounded to the nearest 15-minute increment. Valid
values are 1-10080 (7 days).
--NetBiosName
Opt
Required for Windows® AD or SPCW (DC) platforms.
--NetworkAddress
Req
Network address of the system. May be an IP V4 address or a fully
qualified domain name.
--NonPrivFuncFlag
Opt
Y/N.
--OracleSIDSN
Opt
Either the SID or Service Name (as indicated in the OracleType option)
used to connect to the Oracle® system.
--OracleType
Opt
May be either SID or SERVICE. Only accepted for Oracle® platform.
--PasswordChangeProfile
Opt
A profile which controls when the account will have it’s password
changed.
--PasswordCheckProfile
Opt
A profile which controls when the account will have it’s password
checked.
--PasswordRule
Opt
The name of the Password Rule used to generate random passwords for
this system. Leave empty to use the default password rule for new
Systems. Must use the text “Default Password Rule” to change existing
systems.
TPAM 2.5
Administrator Guide
304
Table 98. AddSystem options
Option name
Req/Opt Description
--PlatformName
Req
Any recognized platform name. Note that certain platforms, once set,
cannot be changed. For custom platform names the platform name is
indicated by “Custom” or “Custom Platform” followed by a forward
slash (/) and the custom platform name.
--PlatSpecificValue
Opt
A platform specific value, e.g., Linux® Delegation prefix or Windows®
Computer Name. Not all platforms support this value.
--PortNumber
Opt
Port number used for SSH communication with the system. Default
values are platform specific.
--PPMDPAAffinity
Opt
List of DPAs to use for PPM affinity in the form
DPAName1/priority;DPAName2/priority. Use Local to reset the list
and only use the appliance for password checks/changes. PPM affinity
cannot be set when adding a system from a template, but after the
system is created the affinity may be changed.
--PSMDPAAffinity
Opt
List of DPAs to use for PSM affinity in the form
DPAName1/priority;DPAName2/priority. Use Any to allow any DPA to
be used. Priority must be a number greater than zero. PSM affinity
cannot be set when adding a system from a template, but after the
system is created the affinity may be changed.
--PrimaryEmail
Opt
Primary email contact for this system. Max of 255 characters. Use
!NULL to clear the value.
--ProfileCertType
Opt
One of the following values:
• N - no thumbprint or certificate. Default.
• T - thumbprint only. The SHA1 thumbprint of the certificate used by
the system to notify TPAM of availability for check/change operations.
• G - generated. TPAM will generate a certificate and record the
thumbprint. This certificate must be installed on the system in order
to call the TPAM notification service.
--ProfileCertThumbprint
Opt
Thumbprint of certificate. Only used when ProfileCertType is T.
--ProfileCertPassword
Opt
Optional password on a TPAM generated certificate. This password will
be required to install the certificate on the target system. The
password is NOT stored and cannot be retrieved if forgotten.
--ReleaseChangeFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE.
--ReleaseDuration
Opt
The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest
15-minute increment. Valid values are 0-10080. If 0 is entered the ISA
retrieval of a password will not trigger a post release reset of the
password.
--RequireTicketForAPI
Opt
Require a valid Ticket System & Number for any API password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI
Opt
Require a valid Ticket System & Number for any CLI password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA
Opt
Require a valid Ticket System & Number for any ISA password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForPSM
Opt
Require a valid Ticket System & Number for any PSM request on this
account. Y/N.
--RequireTicketForRequest
Opt
Require a valid Ticket System & Number for any password request on
this account. Y/N.
--ResetFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has been assumed by the Password
Check Profile.
--SSHAccount
Opt
The account name to use when communicating with this system via
SSH. This is required when the UseSshFlag is set to Y.
--SSHKey
Opt
Either “Standard” to use the appliance's system standard keys or
“Specific” to generate a specific key for this system. “Standard” is the
default.
--SSHPort
Opt
The port number for SSH communication. If not specified a default of
22 is used.
--SystemAutoFlag
Opt
Whether or not to enable automatic password management for
accounts on this system. Y/N. If set to N the account auto flags may
only be N (none) or M (Manual).
--TemplateSystemName
Opt
The name of a template system. Data from the template system will be
used as defaults for the new system. Template data will be overridden
with data supplied here. System templates may also contain Collection
Membership, Group & User Permissions, and up to 10 accounts, all of
which will be automatically transferred to the new system.
--TicketEmailNotify
Opt
Email to notify if a password is retrieved via API, CLI, or ISA without a
ticket number. Ignored when RequireTicketForRequest is N or ticket is
required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName
Opt
When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of “!Any” to allow tickets from any valid ticket
system.
--Timeout
Opt
The number of seconds TPAM will attempt to communicate with the
system for password checks and changes before issuing a “timed out”
error. Default is 20 seconds.
--UseSslFlag
Opt
Whether or not to use SSL to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags
are mutually exclusive. You may only set one or the other, not both.
--UseSshFlag
Opt
Whether or not to use SSH to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags
are mutually exclusive. You may only set one or the other, not both.
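The AddSystem table above states several cross-option constraints (mutually exclusive UseSsl/UseSsh flags, SSHAccount needed with UseSshFlag=Y, OracleType only for an Oracle platform, 1-10080 minute release durations rounded to 15 minutes, the DPA affinity syntax, and ticket flags that depend on RequireTicketForRequest). The following pre-flight checker is an added example, not TPAM's own code; it assumes option keys are the CLI names without the leading dashes and that the Oracle platform name contains the word "Oracle".

```python
"""Pre-flight validation of an AddSystem option set (added example, not TPAM code)."""
from __future__ import annotations

MINUTES_PER_WEEK = 10080  # the 7-day upper bound the table gives for durations


def round_release_minutes(minutes: int) -> int:
    """Round to the nearest 15-minute increment, ties rounding up.

    0 stays 0 (ReleaseDuration=0 means no post-release reset). Any other
    value becomes at least one 15-minute block; the page does not say how
    TPAM treats values under 8 minutes, so that floor is an assumption."""
    if minutes == 0:
        return 0
    return max(15, (minutes + 7) // 15 * 15)


def parse_dpa_affinity(value: str, reset_word: str) -> list[tuple[str, int]] | None:
    """Parse 'DPAName1/priority;DPAName2/priority'.

    Returns None when value is the reset word ('Local' for PPMDPAAffinity,
    'Any' for PSMDPAAffinity). Raises ValueError for a malformed entry or a
    priority that is not a number greater than zero."""
    if value.strip().lower() == reset_word.lower():
        return None
    entries: list[tuple[str, int]] = []
    for item in filter(None, (s.strip() for s in value.split(";"))):
        name, sep, prio = item.rpartition("/")
        if not sep or not name or not prio.isdigit() or int(prio) < 1:
            raise ValueError(f"bad affinity entry {item!r}: want Name/priority, priority > 0")
        entries.append((name, int(prio)))
    if not entries:
        raise ValueError("affinity list is empty")
    return entries


def validate_add_system(opts: dict[str, str]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for an option dictionary; errors block the call."""
    errors: list[str] = []
    warnings: list[str] = []

    def flag(key: str) -> str:
        return opts.get(key, "").strip().upper()

    # Required options listed in the table.
    for key in ("NetworkAddress", "PlatformName"):
        if not opts.get(key):
            errors.append(f"{key} is required")

    # UseSsl and UseSsh are mutually exclusive; SSH needs an account name.
    if flag("UseSslFlag") == "Y" and flag("UseSshFlag") == "Y":
        errors.append("UseSslFlag and UseSshFlag are mutually exclusive")
    if flag("UseSshFlag") == "Y" and not opts.get("SSHAccount"):
        errors.append("SSHAccount is required when UseSshFlag is Y")

    # OracleType is SID or SERVICE and only accepted for the Oracle platform.
    if "OracleType" in opts:
        if flag("OracleType") not in ("SID", "SERVICE"):
            errors.append("OracleType must be SID or SERVICE")
        if "oracle" not in opts.get("PlatformName", "").lower():  # assumed platform naming
            errors.append("OracleType is only accepted for the Oracle platform")

    # Durations: MaxReleaseDuration 1-10080, ReleaseDuration 0-10080, 15-minute steps.
    for key, low in (("MaxReleaseDuration", 1), ("ReleaseDuration", 0)):
        raw = opts.get(key)
        if raw is None:
            continue
        if not raw.isdigit() or not low <= int(raw) <= MINUTES_PER_WEEK:
            errors.append(f"{key} must be {low}-{MINUTES_PER_WEEK} minutes")
        elif round_release_minutes(int(raw)) != int(raw):
            warnings.append(f"{key}={raw} will be stored as {round_release_minutes(int(raw))}")

    # DPA affinity: valid syntax, and not combinable with a template system.
    for key, reset_word in (("PPMDPAAffinity", "Local"), ("PSMDPAAffinity", "Any")):
        if key not in opts:
            continue
        if opts.get("TemplateSystemName"):
            errors.append(f"{key} cannot be set when adding a system from a template")
        try:
            parse_dpa_affinity(opts[key], reset_word)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")

    # The per-channel ticket flags are ignored when RequireTicketForRequest is N.
    if flag("RequireTicketForRequest") == "N":
        for key in ("RequireTicketForAPI", "RequireTicketForCLI", "RequireTicketForISA"):
            if key in opts:
                warnings.append(f"{key} is ignored because RequireTicketForRequest is N")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample option set; the values are illustrative only.
    sample = {"NetworkAddress": "10.0.0.5", "PlatformName": "Linux",
              "UseSslFlag": "Y", "UseSshFlag": "Y", "ReleaseDuration": "20",
              "PSMDPAAffinity": "dpa-east/1;dpa-west/2"}
    for kind, items in zip(("error", "warning"), validate_add_system(sample)):
        for msg in items:
            print(f"{kind}: {msg}")
```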
AddUser--options
Creates a new user account. The CLI user must have user administrator or administrator privilege.
Table 99. AddUser options
Option name
Req/Opt
Description
--UserName
Req
User Name. Maximum 30 characters.
--LastName
Req
Maximum of 30 characters.
--FirstName
Req
Maximum of 30 characters.
--Password
Opt
Password for new User. Maximum of 128 characters. If not specified a
random password will be generated and must be reset before the user
may log in.
--Email
Opt
Maximum of 255 characters. Use !NULL to clear.
--Phone
Opt
Maximum of 30 characters. Use !NULL to clear.
--Mobile
Opt
Maximum of 30 characters. Use !NULL to clear. Also recognizes the
value --pager for legacy support.
--UserType
Opt
Basic (default), Admin, Auditor, or UserAdmin
--Disable
Opt
Whether the user's ID is currently disabled. Y/N. Disabled users
cannot log in to the appliance.
--ExternalAuth
Opt
Obsolete, replaced with SecondaryAuth
--SecondaryAuth
Opt
Secondary authentication system used for user login. Valid values are
None (default), SecureID, Safeword, Radius, WinAD, Defender and
LDAP.
--ExternalAuthSystem
Opt
Obsolete, replaced with SecondaryAuthSystem
--SecondaryAuthSystem
Opt
Name of the secondary authentication system of the type indicated in
ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID
Opt
Obsolete, replaced with SecondaryUserID
--SecondaryUserID
Opt*
User ID to use for secondary authentication. This is required when
SecondaryAuth is other than None.
--PrimaryAuthExtra
Opt
The LDAP Primary Authentication Types support an “Extra” user ID.
The User logs in using a shorthand value in the PrimaryAuthID, but the
data in the PrimaryAuthExtra will be used to do the actual
authentication against the external system. Use !NULL to clear.
--PrimaryAuthID
Opt*
The User ID to use for primary authentication when a non-local
authentication system is used.
--PrimaryAuthType
Opt
The type of the primary authentication system for this user. Current
values are Local, Certificate, LDAP, WinAD, Radius or Defender. When
Local is used the PrimaryAuthID, PrimaryAuthExtra and
PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem
Opt*
Name of the defined system to use when the PrimaryAuthType is not
local or certificate. Systems are defined by the appliance System
Administrator.
--CertThumbprint
Opt
The SHA1 Thumbprint of the user’s certificate. The SHA1 thumbprint
must be exactly 40 characters in length.
--Description
Opt
Maximum of 255 characters. Use !NULL to clear.
--LogonHoursFlag
Opt
Indicates whether the LogonHours value represents allowed or
prohibited hours. Valid values are A (allowed), P (prohibited) or N (no
restrictions).
--LogonHours
Opt
A listing of up to 4 hour ranges. Times must be expressed in 24-hour
format in any of the following forms: 7, 07, 700, 0700, 07:00 (all
indicating 07:00 AM). Separate multiple ranges with semi-colons,
07:00-12:00;18:00-23:59 (7 AM to noon and 6 PM to 11:59 PM). If the
LogonHoursFlag value is N this value is ignored.
--LogonDays
Opt
When Logon Hours are specified you may also specify the days of the
week those hours are effective. Specify days with a string of 7 X's (to
indicate an “on” day) or periods (for an “off” day) to represent the
week from Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun
and Sat off. If LogonHours are specified and LogonDays is left empty
the default is all days “on”, e.g., XXXXXXX.
--MobileAllowedFlag
Opt
Whether to allow this user to log in to the system from a mobile
device (Blackberry, iPhone, etc.). Y/N.
--LocalTimezone
Opt
The user's local time zone. You may enter any part of the time zone
name as long as it is unique in the list, e.g., entering Guam will only
find one time zone while entering 02:00 or US will find multiple
entries. A value of “Server” indicates that the user is in the same
time zone as the server and follows the same DST rules.
--DstFlag
Opt
Obsolete. Users will now automatically adjust DST per the local time
zone which they are assigned.
--Custom1-6
Opt
Custom user columns if defined. Use !NULL to clear the value.
--TemplateUserName
Opt
The name of a template user. Data from the template user will be
used as defaults for the new user. Template data will be overridden
with data supplied here. User templates may also contain group
membership and system and collection permissions, all of which will
be automatically transferred to the new user. A CLI User may only
utilize Web-Interface templates.
Legacy support:
AddUser <UserName>,<LastName>,<FirstName>,[EmailAddress],[Phone],[Mobile],[UserType(Basic
default\Admin\Auditor\UserAdmin)],[InitialPassword],[DisableFl(Y\N)],[SecAuthType(NONE,
SAFEWORD,SECUREID,LDAP,RADIUS,DEFENDER,WINDAD)],[SecAuthUserID],[Description]
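The LogonHoursFlag, LogonHours and LogonDays options above define a small format: times written as 7, 07, 700, 0700 or 07:00, up to four semicolon-separated ranges, and a seven-character X/. string starting on Sunday. The evaluator below is an added example, not TPAM code; it parses that format and decides whether a login at a given moment is permitted. It assumes range ends are inclusive, which the page does not state.

```python
"""Evaluate AddUser logon-hour restrictions (added example, not TPAM code)."""
from __future__ import annotations

from datetime import datetime


def parse_time(token: str) -> int:
    """Return minutes since midnight for '7', '07', '700', '0700' or '07:00'."""
    digits = token.strip().replace(":", "")
    if not digits.isdigit() or len(digits) > 4:
        raise ValueError(f"bad time {token!r}")
    if len(digits) <= 2:                      # '7' or '07' -> whole hour
        hour, minute = int(digits), 0
    else:                                     # '700', '0700', '0700' from '07:00'
        hour, minute = int(digits[:-2]), int(digits[-2:])
    if hour > 23 or minute > 59:
        raise ValueError(f"time out of range {token!r}")
    return hour * 60 + minute


def parse_logon_hours(value: str) -> list[tuple[int, int]]:
    """Parse 'HH:MM-HH:MM;HH:MM-HH:MM' into (start, end) minute pairs; 1 to 4 ranges."""
    ranges: list[tuple[int, int]] = []
    for chunk in filter(None, (c.strip() for c in value.split(";"))):
        start, sep, end = chunk.partition("-")
        if not sep:
            raise ValueError(f"range {chunk!r} needs a '-' between start and end")
        s, e = parse_time(start), parse_time(end)
        if e < s:
            raise ValueError(f"range {chunk!r} ends before it starts")
        ranges.append((s, e))
    if not 1 <= len(ranges) <= 4:
        raise ValueError("LogonHours takes 1 to 4 ranges")
    return ranges


def parse_logon_days(value: str | None) -> list[bool]:
    """Seven X (on) or . (off) characters, Sunday first; empty means every day on."""
    if not value:
        return [True] * 7
    if len(value) != 7 or set(value.upper()) - {"X", "."}:
        raise ValueError("LogonDays must be exactly seven X or . characters")
    return [ch.upper() == "X" for ch in value]


def login_permitted(flag: str, logon_hours: str, logon_days: str | None,
                    when: datetime | str) -> bool:
    """Apply LogonHoursFlag A (allowed), P (prohibited) or N (no restriction)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    flag = flag.strip().upper()
    if flag == "N":                           # LogonHours and LogonDays are ignored
        return True
    if flag not in ("A", "P"):
        raise ValueError("LogonHoursFlag must be A, P or N")
    days = parse_logon_days(logon_days)
    # datetime.weekday() is Monday=0..Sunday=6; the LogonDays string starts on Sunday.
    day_index = (when.weekday() + 1) % 7
    minute = when.hour * 60 + when.minute
    in_window = days[day_index] and any(s <= minute <= e
                                        for s, e in parse_logon_hours(logon_hours))
    # A: only the listed windows are allowed. P: only the listed windows are blocked,
    # so an "off" day (where the hours are not in effect) is never blocked.
    return in_window if flag == "A" else not in_window


if __name__ == "__main__":
    # Constructed sample: the page's own example hours, Monday to Friday only.
    hours, days = "07:00-12:00;18:00-23:59", ".XXXXX."
    for stamp in ("2015-06-03T09:30", "2015-06-03T13:00", "2015-06-07T09:30"):
        print(stamp, "allowed" if login_permitted("A", hours, days, stamp) else "denied")
```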
Approve--options
Allows password requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve requests
for the system/account in the request. The CLI user cannot approve a password request they have added on
behalf of another user. Successful execution of the approve command will produce no output. This is by design.
Table 100. Approve options
Option name
Req/Opt
Description
--RequestID
Req
Password request ID to approve.
--Comment
Req
The approval comment. Up to 255 characters.
Legacy support:
Approve <request ID>, <comment>
ApproveSessionRequest--options
Allows session requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve session
requests for the system/account in the request. The CLI user cannot approve a session request they have added
on behalf of another user. Successful execution of the approve command will produce no output. This is by
design.
Table 101. ApproveSessionRequest options
Option name
Req/Opt
Description
--RequestID
Req
Session request ID to approve.
--Comment
Req
The approval comment. Up to 255 characters.
Cancel--options
Allows password requests to be cancelled via TPAM CLI. The CLI user ID must be an authorized approver for the
system/account in the request. Successful execution of the cancel command will produce no output. This is by
design.
Table 102. Cancel options
Option name
Req/Opt
Description
--RequestID
Req
Password request ID to cancel.
--Comment
Req
The cancel comment. Up to 255 characters.
Legacy support:
Cancel <requestid>,<comment>
CancelSessionRequest--options
Allows session requests to be cancelled via TPAM CLI. The CLI user ID must be an authorized approver for the
system/account in the request.
Table 103. CancelSessionRequest options
Option name
Req/Opt
Description
--RequestID
Req
Session request ID to cancel.
--Comment
Req
The cancel comment. Up to 255 characters.
Legacy support:
CancelSessionRequest <requestid>,<comment>
ChangeUserPassword--options
Performs a forced reset on a user’s password. The CLI user must have user administrator (for non-privileged
accounts only) or administrator privilege.
Table 104. ChangeUserPassword options
Option name
Req/Opt
Description
--UserName
Req
User name to change password for. Cannot be a system administrator user.
--Password
Req
New user password. If the password contains any spaces the value must be
surrounded by double quotes.
Legacy support:
ChangeUserPassword <UserName>,<Password>
CheckPassword--options
Initiates a password test for the specified system account. The CLI user must have administrator privilege or the
ISA permission over the system.
Table 105. CheckPassword options
Option name
Req/Opt
Description
--SystemName
Req
System name of the account to check.
--AccountName
Req
Account name to check.
Legacy support:
CheckPassword <SystemName>,<AccountName>
ClearKnownHosts--options
Removes the host entry for the system from TPAM’s known hosts file. The CLI user must have PPM ISA or
Administrator privilege.
Table 106. ClearKnownHosts options
Option name
Req/Opt
Description
--SystemName
Req
Name of the system to clear the known hosts.
DeleteAccount--options
Soft deletes the system account. The CLI user must have ISA or Administrator privilege.
Table 107. DeleteAccount options
Option name
Req/Opt
Description
--SystemName
Req
System name of the account to delete.
--AccountName
Req
Account name to delete.
Legacy support:
DeleteAccount <systemname>,<accountname>
DeleteSyncPass--options
Deletes a synchronized password. The CLI user must have administrator privilege.
Table 108. DeleteSyncPass option
Option name
Req/Opt
Description
--SyncPassName
Req
Name of synchronized password to delete.
DeleteSystem--options
Soft deletes the named system. The CLI user must have administrator privilege.
Table 109. DeleteSystem option
Option name
Req/Opt
Description
--SystemName
Req
Name of the system to delete.
Legacy support:
DeleteSystem <systemname>
DeleteUser--options
Permanently deletes the named user account. The CLI user must have administrator privilege to delete any user,
or user administrator privilege to delete any non-administrator user.
Table 110. DeleteUser option
Option name
Req/Opt
Description
--UserName
Req
User name to delete. Cannot be a system administrator user.
Legacy support:
DeleteUser <username>
DropCollection--options
Deletes an existing collection. The CLI user must have ISA or administrator privilege.
Table 111. DropCollection option
Option name
Req/Opt
Description
--CollectionName
Req
Name of collection to delete. Cannot drop collections tied to auto-discovery.
Legacy support:
DropCollection <CollectionName>
DropCollectionMember--options
Removes a system, account or file from one or more collections. The CLI user must have administrator privilege
or the ISA permission over the collection and system.
Table 112. DropCollectionMember options
Option name
Req/Opt
Description
--CollectionName
Req
Name of collection. Cannot drop collections tied to auto-discovery.
--SystemName
Req
Name of system to drop from the collection. If an account or file name
is being dropped from the collection, this should be the system on which
the account or file resides.
--AccountName
Opt
Name of account to drop from collection. The account must reside on --SystemName.
--FileName
Opt
Name of file to drop from collection. The --FileName must reside on --SystemName.
Legacy support:
DropCollectionMember <MemberName>,<CollectionName>
DropGroup--options
Deletes an existing group. The CLI user must have ISA or administrator privilege. --GroupID or --GroupName may
be passed, but not both.
Table 113. DropGroup options
Option name
Req/Opt
Description
--GroupName
Opt
Name of group. Cannot drop groups tied to auto-discovery.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
Legacy support:
DropGroup <GroupName>
DropGroupMember--options
Removes an existing user account from one or more groups. The CLI user must have administrator privilege.
--GroupID or --GroupName may be passed, but not both.
Table 114. DropGroupMember options
Option name
Req/Opt
Description
--GroupName
Opt
Name of group. Membership in groups tied to auto-discovery cannot be
changed.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
--UserName
Req
Name of user to remove from the group.
Legacy support:
DropGroupMember <UserName>,<GroupName>
DropSyncPwdSub--options
Removes a subscriber from a synchronized password. Must have administrator privileges.
Table 115. DropSyncPwdSub options
Option name
Req/Opt
Description
--SyncPassName
Req
Synchronized password name.
--SystemName
Req
System name of account to unsubscribe.
--AccountName
Req
Account name to unsubscribe.
ForceReset--options
Forces a password change for the specified system account. The CLI user must have administrator privilege or
ISA permission over the system. The specified system must be auto managed.
Table 116. ForceReset options
Option name
Req/Opt
Description
--SystemName
Req
Name of system for the account.
--AccountName
Req
Account name to reset.
ForceResetManual--options
Allows password reset for a manually managed account through the CLI. This command will return a password to
be set manually and a PasswordID to be used by the ManualPasswordReset to indicate the success or failure of
updating the password.
Table 117. ForceResetManual options
Option name
Req/Opt
Description
--SystemName
Req
Name of system for the account.
--AccountName
Req
Account name to reset.
GetPwdRequest--options
Returns the details associated with the specified password request.
Table 118. GetPwdRequest options
Option name
Req/Opt
Description
--RequestID
Req
Password request ID.
--IncludeLinked
Opt
For requests that are part of a multi-account request, Y will return the
details on all linked requests. N will only return information on the specific
request ID. Y is the default value.
Legacy support:
GetPwdRequest <RequestID>
GetSessionRequest--options
Returns the details associated with the specified session request.
Table 119. GetSessionRequest options
Option name
Req/Opt
Description
--RequestID
Req
Session request ID.
--IncludeLinked
Opt
For requests that are part of a multi-account request, Y will return the
details on all linked requests. N will only return information on the specific
request ID. Y is the default value.
Legacy support:
GetSessionRequest <RequestID>
ListAccounts--options
Lists all defined system accounts. Only systems for which the CLI user has ISA privilege will be listed.
Administrators may list all accounts.
Table 120. ListAccounts options
Option name
Req/Opt
Description
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--NetworkAddress
Opt
Network address to filter. Use * for wildcard.
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--Platform
Opt
Platform name to filter. Use ALL to filter for all platforms. Default is ALL.
Use “Custom/customPlatName” to indicate a custom platform.
--SystemAutoFlag
Opt
Filter on the auto-management flag on the system. Y = auto-managed, N=
not managed, or ALL, the default.
--AccountAutoFlag
Opt
Filter on the auto-management flag on the account. Y = auto-managed,
N= not managed, M = manually managed or ALL, the default.
--DualControlFlag
Opt
All is the default, Y = > 1 approver required, N = zero approvers required.
--SystemCustom1
Opt
Filter based on contents of system level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemCustom2
Opt
See --SystemCustom1
--SystemCustom3
Opt
See --SystemCustom1
--SystemCustom4
Opt
See --SystemCustom1
--SystemCustom6
Opt
See --SystemCustom1
--AccountCustom1
Opt
Filter based on contents of account level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--AccountCustom2
Opt
See --AccountCustom1
--AccountCustom3
Opt
See --AccountCustom1
--AccountCustom4
Opt
See --AccountCustom1
--AccountCustom5
Opt
See --AccountCustom1
--AccountCustom6
Opt
See --AccountCustom1
--PasswordChangeProfile
Opt
Name of assigned password change profile.
--PasswordCheckProfile
Opt
Name of assigned password check profile.
--DisableSchedules
Opt
Filter by disabled password check or change schedule. Allowed values are
ALL (default), Either, Check, Change, Both, or None.
--Sort
Opt
Sort results by SystemName (default), AccountName, or NextChangeDate.
--MaxRows
Opt
Maximum number of rows to return. 25 is the default.
Legacy support:
ListAccounts [SystemName (* for wildcard)],[AccountName (* for
wildcard)],[NetworkAddress (* for wildcard)],[CollectionName (* for
wildcard)],[Platform (All| (see Supported platform list)) default=All],[SysAutoFl
(All|Y|N) default=All],[AcctAutoFl (All|Y|N|M) default=All],[Dual Control Required
Flag (All|Y|N) default=All],[Sort (SystemName|AccountName|NextChangeDt)
default=SystemName],[MaxRows Default=25]
ListAcctsForPwdRequest--options
Provides a list of accounts that the user can submit a password request for.
Table 121. ListAcctsForPwdRequest options
Option name
Req/Opt
Description
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--MostRecent
Opt
Numeric value. Only display the most recently requested number of
accounts.
--SystemCustom1-6
Opt
Filter results based on data in any of the custom system fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--AccountCustom1-6
Opt
Filter results based on data in any of the custom account fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--MaxRows
Opt
Maximum number of rows to return. 25 is the default.
ListAcctsForSessionRequest--options
Provides a list of accounts that the user can submit a session request for.
Table 122. ListAcctsForSessionRequest options
Option name
Req/Opt
Description
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--MostRecent
Opt
Numeric value. Only display the most recently requested number of
accounts.
--SystemCustom1-6
Opt
Filter results based on data in any of the custom system fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--AccountCustom1-6
Opt
Filter results based on data in any of the custom account fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--MaxRows
Opt
Maximum number of rows to return. 25 is the default.
ListAssignedPolicies--options
Lists access policies assigned to accounts, collections, files, groups, systems or users based on specified filter
criteria. ListAssignedPolicies takes the place of both ListPermissions and ListEGPPermissions.
The output of this command is essentially the same data as the entitlement report. All users will be listed,
along with their effective permissions over any system. The output can potentially be very large. The CLI user
must be an Administrator to return the full list. ISA users will obtain a limited list based upon the scope of their
privilege.
TIP: At least one of the following options must contain a non-wildcard value in order to run this report:
AccessPolicyName, AccountName, CollectionName, FileName, GroupName, SystemName, UserName.
Table 123. ListAssignedPolicies options
Option name
Req/Opt
Description
--AccessPolicyName
Opt*
Access policy names to include in the listing. Use * for wildcard. If the
policy name includes spaces the string must be quoted appropriately.
--AccountName
Opt*
Account name to filter. Use * for wildcard.
--AllorEffectiveFlag
Opt
A = show all policies affecting each entry or E = only the one effective
policy. When all policies are shown the effective policy is indicated.
--CollectionName
Opt*
Collection name to filter. Use * for wildcard.
--ExpandCollectionFlag
Opt
Whether to expand the collections to show all member systems,
accounts, and files. Y or N. Default is N.
--ExpandGroupFlag
Opt
Whether to expand the groups to show all user members. Y or N.
Default is N.
--ExpandPolicyFlag
Opt
Whether to expand the access policies to show underlying permissions.
When not expanded only the access policy name shows. Y or N. Default
is N.
--FileName
Opt*
File name to filter. Use * for wildcard.
--GroupName
Opt*
Group name to filter. Use * for wildcard.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
--PermissionName
Opt
Permissions to include in the listing. Multiple types may be included
with a semi-colon between each. Valid types are: DEN, ISA, APR, REQ,
REV, PAC and ALL (default).
--PermissionType
Opt
Permission types to include in the listing. Multiple types may be
included with a semi-colon between each. Valid types are: Pwd, Sess,
File, Cmd and ALL (default).
--SortOrder
Opt
Sort results by UserName (default), SystemName, AccountName,
FileName, PolicyName, GroupName or CollectionName.
--SystemName
Opt*
System name to filter. Use * for wildcard.
--UserName
Opt*
User name to filter. Use * for wildcard.
ListCollections--options
Lists collections and collection members, specified by collection name or system name.
Table 124. ListCollections options
Option name
Req/Opt
Description
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--SystemName
Opt
Indicating the system name will return a list of collections that this system
belongs to.
--AccountName
Opt
Account name for membership to filter. Use * for wildcard. Use ! to find
collections that do not contain any accounts as members.
--FileName
Opt
File name for membership to filter. Use * for wildcard. Use ! to find
collections that do not have any files as members.
ListCollectionMembership--options
Lists collection system, account, and file name for all collections, specified collections, or specified systems.
The CLI user must have administrator privilege or the ISA permission over the collection and system.
Table 125. ListCollectionMembership options
Option name
Req/Opt
Description
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--SystemName
Opt
Indicating the system name will return a list of collections that this system
belongs to.
--AccountName
Opt
Account name for membership to filter. Use * for wildcard.
--FileName
Opt
File name for membership to filter. Use * for wildcard.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
Legacy support:
ListCollectionMembership [CollectionName (* for wildcard)],[SystemName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]
ListDependentSystems--options
Lists status of systems (dependent or not dependent) for a specific account. You must have administrator or PPM
ISA privileges on the system.
Table 126. ListDependentSystems options
Option name
Req/Opt
Description
--SystemName
Req
System name.
--AccountName
Req
Account name.
--DependentStatus
Opt
Status of dependents to list: Both (default), Dependent, Not Dependent.
--DependentName
Opt
Filter list of dependents by system name. Use * for wildcard.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
ListEGPAccounts--options
Lists all accounts that can be PSM enabled. This command has been replaced by ListPSMAccounts. See
ListPSMAccounts--options.
ListGroups--options
Lists groups and group members, specified by group name or member name, or GroupID.
Table 127. ListGroups options
Option name
Req/Opt
Description
--GroupName
Opt
Group name to filter. Use * for wildcard.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
--UserName
Opt
Indicating the user name will return a list of groups that this user belongs to.
Use a single ! (exclamation point) to find groups with no users assigned.
ListGroupMembership--options
Lists group name and username for all groups, specified groups, or specified users. The CLI user must have
administrator privilege.
Table 128. ListGroupMembership options
Option name
Req/Opt
Description
--GroupName
Opt
Group name to filter. Use * for wildcard.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
--UserName
Opt
Use * for a wildcard. Indicating the user name will return a list of groups that
this user belongs to.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
Legacy support:
ListGroupMembership [GroupName (* for wildcard)],[UserName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]
ListPSMAccounts--options
Lists all accounts that can be PSM enabled.
Table 129. ListPSMAccounts options
Option name
Req/Opt
Description
--AccountAutoFlag
Opt
Y = managed, N = not managed, M = manually managed, or ALL
(default).
--AccountEGPFlag
Opt
This option is obsolete. Any value passed for this option will be used for
--AccountPSMFlag.
--AccountPSMFlag
Opt
Filter on PSM enabled check box. Y= enabled, N = disabled or ALL
(default).
--AccountName
Opt
Account name to filter. Use * for wildcard.
--AccountCustom1
Opt
Filter based on contents of account level custom columns. Ignored if
the appropriate custom column has not been defined in Global Settings.
--AccountCustom2
Opt
See --AccountCustom1
--AccountCustom3
Opt
See --AccountCustom1
--AccountCustom4
Opt
See --AccountCustom1
--AccountCustom5
Opt
See --AccountCustom1
--AccountCustom6
Opt
See --AccountCustom1
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--DualControlFlag
Opt
All is the default, Y = 1 or more approvers required, N = zero approvers
required.
--AccountLockFlag
Opt
Filter on the account locked flag. Y = locked, N = not locked, or ALL
(default).
--NetworkAddress
Opt
Network address to filter. Use * for wildcard.
--Platform
Opt
Platform to filter. Use ALL for all platforms. Use
“Custom/custPlatName” to indicate a custom platform.
--SystemAutoFlag
Opt
Filter on the auto-management flag on the system. Y = auto-managed,
N= not managed, or ALL, the default.
--SystemCustom1
Opt
Filter based on contents of system level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemCustom2
Opt
See --SystemCustom1
--SystemCustom3
Opt
See --SystemCustom1
--SystemCustom4
Opt
See --SystemCustom1
--SystemCustom6
Opt
See --SystemCustom1
--SystemEGPFlag
Opt
This option is obsolete. Any value passed in this option will be used for
--SystemPSMFlag.
--SystemPSMFlag
Opt
Filter on if the system is enabled for PSM. Y = enabled, N = disabled, or
ALL (default).
--SystemName
Opt
Filter on system name. Use * for wildcard.
--Sort
Opt
Sort results by SystemName (default) or AccountName.
--SortType
Opt
Ascending (default) or Descending.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
ListReasonCodes
Will list any active reason codes and their description that have been defined in TPAM.
ListRequest--options
Lists basic details about password requests for which the CLI user is an approver or requestor.
Table 130. ListRequest options
Option name
Req/Opt
Description
--Status
Opt
Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName
Opt
User name of the requestor to filter. Use * for wildcard. Use the name
"User=Myself" to list your own requests, as opposed to requests for
approval.
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--StartDate
Opt
Start date of requested release date.
--EndDate
Opt
End date of requested release. To select a single date enter a Start Date
and empty End Date.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
Legacy support:
ListRequest [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName(*
for wildcard)],[AccountName(* for wildcard)], [SystemName(* for
wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListRequestDetails--options
Lists specific details about password requests for which the CLI user is an approver or requestor, such as
submission date, release duration, expiration date, etc.
Table 131. ListRequestDetails options
--Status (Opt): Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName (Opt): User name of the requestor to filter. Use * for wildcard. Use the name "User=Myself" to list your own requests, as opposed to requests awaiting your approval.
--AccountName (Opt): Account name to filter. Use * for wildcard.
--SystemName (Opt): System name to filter. Use * for wildcard.
--StartDate (Opt): Start date of the requested release.
--EndDate (Opt): End date of the requested release. To select a single date, enter a Start Date and an empty End Date.
--MaxRows (Opt): Maximum number of rows to return. The default is 25.
Legacy support:
ListRequestDetails [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName (* for wildcard)],[AccountName(* for wildcard)],[SystemName (* for wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSessionRequest--options
Lists basic details about session requests for which the CLI user is an approver or requestor.
Table 132. ListSessionRequest options
--Status (Opt): Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName (Opt): User name of the requestor to filter. Use * for wildcard. Use the name "User=Myself" to list your own requests, as opposed to requests awaiting your approval.
--AccountName (Opt): Account name to filter. Use * for wildcard.
--SystemName (Opt): System name to filter. Use * for wildcard.
--StartDate (Opt): Start date of the requested release.
--EndDate (Opt): End date of the requested release. To select a single date, enter a Start Date and an empty End Date.
--MaxRows (Opt): Maximum number of rows to return. The default is 25.
Legacy support:
ListSessionRequest [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName(* for wildcard)],[AccountName(* for wildcard)],[SystemName(* for wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSessionRequestDetails--options
Lists specific details about session requests for which the CLI user is an approver or requestor, such as
submission date, release duration, expiration date, etc.
Table 133. ListSessionRequestDetails options
--Status (Opt): Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName (Opt): User name of the requestor to filter. Use * for wildcard. Use the name "User=Myself" to list your own requests, as opposed to requests awaiting your approval.
--AccountName (Opt): Account name to filter. Use * for wildcard.
--SystemName (Opt): System name to filter. Use * for wildcard.
--StartDate (Opt): Start date of the requested release.
--EndDate (Opt): End date of the requested release. To select a single date, enter a Start Date and an empty End Date.
--MaxRows (Opt): Maximum number of rows to return. The default is 25.
Legacy support:
ListSessionRequestDetails [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName(* for wildcard)],[AccountName(* for wildcard)],[SystemName(* for wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSynchronizedPasswords
Lists all synchronized passwords configured in TPAM.
ListSyncPwdSubscribers--options
List the subscribers of a specific synchronized password. You must have administrator privileges.
Table 134. ListSyncPwdSubscribers option
--SyncPassName (Req): Synchronized password name.
ListSystems--options
Lists all defined systems. Only systems for which the CLI user has ISA privilege will be listed. Administrators may
list all systems.
Table 135. ListSystems options
--SystemName (Opt): System name to filter. Use * for wildcard.
--NetworkAddress (Opt): Network address to filter. Use * for wildcard.
--CollectionName (Opt): Collection name to filter. Use * for wildcard.
--Platform (Opt): Name of the platform to filter, or ALL (default). Use “Custom/custPlatName” for a custom platform.
--AutoFlag (Opt): Filter on the auto-management flag on the system. Y = auto-managed, N = not managed, or ALL (the default).
--SystemCustom1 (Opt): Filter based on the contents of system-level custom columns. Ignored if the corresponding custom column has not been defined in Global Settings.
--SystemCustom2 (Opt): See --SystemCustom1.
--SystemCustom3 (Opt): See --SystemCustom1.
--SystemCustom4 (Opt): See --SystemCustom1.
--SystemCustom6 (Opt): See --SystemCustom1.
--PasswordChangeProfile (Opt): Name of the assigned password change profile.
--PasswordCheckProfile (Opt): Name of the assigned password check profile.
--SortOrder (Opt): Sort results by SystemName (default), NetworkAddress, or PlatformName.
--MaxRows (Opt): Maximum number of rows to return. The default is 25.
Legacy support:
ListSystems <SystemName (* for wildcard)>,[NetworkAddress (* for wildcard)],[CollectionName (* for wildcard)],[Platform (All| (see Supported platform list)) default=All],[SysAutoFl (All|Y|N) default=All],[Sort (SystemName|NetworkAddress|PlatformName) default=SystemName],[MaxRows Default=25]
ListUsers--options
Lists all non-CLI users defined in TPAM. The CLI user must have administrator or user administrator privilege.
Table 136. ListUsers options
--UserName (Opt): User name to filter. Use * for wildcard.
--EmailAddress (Opt): Email address to filter. Use * for wildcard.
--GroupName (Opt): Group name to filter. Use * for wildcard.
--UserInterface (Opt): Filter for API, CLI, WEB or ALL (default).
--UserType (Opt): Filter for BASIC, ADMIN, AUDITOR, USERADMIN, or ALL (default).
--Status (Opt): Filter for ENABLED, DISABLED, LOCKED, or ALL (default).
--ExternalAuthType (Opt): Obsolete; replaced by --SecondaryAuthType.
--SecondaryAuthType (Opt): Filter for SAFEWORD, SECUREID, LDAP, WINAD, RADIUS, DEFENDER, NONE, or ALL (default).
--UserCustom1 (Opt): Filter based on the contents of user-level custom columns. Ignored if the corresponding custom column has not been defined in Global Settings.
--UserCustom2 (Opt): See --UserCustom1.
--UserCustom3 (Opt): See --UserCustom1.
--UserCustom4 (Opt): See --UserCustom1.
--UserCustom6 (Opt): See --UserCustom1.
--SortOrder (Opt): Sort results by UserName (default), FirstName, or LastName.
--MaxRows (Opt): Maximum number of rows to return. The default is 25.
Legacy support:
ListUsers <UserName (* for wildcard)>,[EmailAddress (* for wildcard)],[GroupName (* for wildcard)],[UserInterface (All|CLI|WEB|API) default=All],[UserType (All|Basic|Admin|Auditor|UAdmin) default=All],[Status (All|Enabled|Disabled|Locked) default=All],[SecondaryAuthType (All|SafeWord|SecureID|LDAP|RADIUS|WINAD|DEFENDER|None) default=All],[Sort (UserName|FirstName|LastName) default=UserName],[MaxRows Default=25]
ManualPasswordReset--options
Reports whether resetting the password of a manually managed account succeeded or failed.
Table 137. ManualPasswordReset options
--PasswordID (Req): Password ID returned from the ForceResetManual command.
--Status (Req): Whether the password change/sync worked or not: Success or Fail.
ReportActivity--options
Runs the activity report from the CLI.
Table 138. ReportActivity options
--StartDate (Opt): Start date of activities. Must be a valid date/time in the form MM/DD/YYYY HH:MM. The time portion is optional; if included, it must be in 24-hour format with a space between date and time.
--EndDate (Opt): End date of activities. Same format as --StartDate. To select a single date, enter the same start and end date. If no dates are provided, the report covers all dates in the activity log.
--UserName (Opt): User name to filter for. Use * for wildcard.
--Role (Opt): ISA, REQ, or APR. If no role is passed, all roles are returned.
--GroupName (Opt): Filter for user membership in a group. Use * for wildcard.
--Operation (Opt): Single operation to filter. ALL is the default.
--Target (Opt): Target text to filter. Use * for wildcard.
--ObjectType (Opt): Object type to filter. Default is ALL.
--Sort (Opt): Sort options are LogTime (default), UserName, ObjectType, or Operation.
--Direction (Opt): Sort direction. ASC (default) or DESC.
--MaxRows (Opt): Maximum number of rows to return. The default is 25.
Retrieve--options
Provides a mechanism to retrieve a password for a managed system/account. The CLI user ID must be authorized to retrieve the password, either by having ISA permissions for the account or by having an approved request ID. If the caller is a requestor, the --RequestID parameter must be used. The optional requirement for dual control does not apply to CLI releases. The comment is not required.
Table 139. Retrieve options
--SystemName (Req*): System name. If the caller only has request permissions, the RequestID parameter must be used instead of the system and account name.
--AccountName (Req*): Account name. If the caller only has request permissions, the RequestID parameter must be used instead of the system and account name.
--RequestID (Req*): The request ID must be an approved password release request and the caller must be the requestor. If the caller has ISA permissions, the system and account name must be supplied instead of the request ID.
--ReasonCode (Opt*): Reason code for retrieving the password. Based on global settings, a reason code may be required, optional, or not allowed.
--ReasonText (Opt*): ISA reason for retrieving the password. Based on global settings, reason text may be required, optional, or not allowed.
--TicketNumber (Opt*): Ticket number to validate. Based on account settings, a ticket number may be required, optional, or not allowed. Ignored when using RequestID.
--TicketSystemName (Opt*): Name of the ticket system to validate against. Based on account settings, a ticket number may be required, optional, or not allowed. Ignored when using RequestID.
--TimeRequired (Opt): Number of minutes to release the password. The default duration is set at the account level. Ignored when using RequestID.
Legacy support:
Retrieve <systemname>, <accountname>, <TimeRequired(in minutes)>,<comment>
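To show how the Retrieve rules above fit together (requestor path via --RequestID versus ISA path via --SystemName/--AccountName, the ticket and duration options that are ignored with a RequestID, and the reason code/text policy from global settings), here is an added Python example that is not code from the guide. The ssh-based transport, host name, CLI user name and key path are assumptions.

```python
"""Validate and assemble a TPAM CLI 'Retrieve' call before sending it.

Added example, not code from the TPAM guide. It encodes the Retrieve
option rules: a requestor must use --RequestID, an ISA must use
--SystemName/--AccountName, ticket and duration options are ignored with
a RequestID, and reason code/text follow the global-settings policy.
The ssh transport (CLI user, key file, host) is an assumption.
"""
import shlex

POLICIES = ("required", "optional", "not_allowed")


class RetrieveArgError(ValueError):
    """Raised when the supplied options contradict the Retrieve rules."""


def _check_policy(name, value, policy):
    """Apply the global-setting policy for a reason code or reason text."""
    if policy not in POLICIES:
        raise RetrieveArgError(f"unknown policy {policy!r} for {name}")
    if policy == "required" and not value:
        raise RetrieveArgError(f"{name} is required by global settings")
    if policy == "not_allowed" and value:
        raise RetrieveArgError(f"{name} is not allowed by global settings")


def build_retrieve(system_name=None, account_name=None, request_id=None,
                   reason_code=None, reason_text=None, ticket_number=None,
                   ticket_system_name=None, time_required=None,
                   ticket_required=False, reason_code_policy="optional",
                   reason_text_policy="optional"):
    """Return (argv, ignored) for a Retrieve call.

    argv is the argument list for the CLI; ignored names the options TPAM
    would silently disregard on the chosen path, so a caller can log them
    instead of believing they took effect.
    """
    by_request = request_id is not None
    if by_request and (system_name or account_name):
        raise RetrieveArgError(
            "RequestID cannot be combined with SystemName/AccountName")
    if not by_request and not (system_name and account_name):
        raise RetrieveArgError(
            "ISA retrieval needs both SystemName and AccountName")
    _check_policy("ReasonCode", reason_code, reason_code_policy)
    _check_policy("ReasonText", reason_text, reason_text_policy)

    argv = ["Retrieve"]
    ignored = []
    if by_request:
        # Requestor path: the approved request already fixes duration and
        # ticket, so TPAM ignores these options.
        argv += ["--RequestID", str(request_id)]
        for name, value in (("TicketNumber", ticket_number),
                            ("TicketSystemName", ticket_system_name),
                            ("TimeRequired", time_required)):
            if value is not None:
                ignored.append(name)
    else:
        # ISA path: account settings may demand a ticket system and number.
        argv += ["--SystemName", system_name, "--AccountName", account_name]
        if ticket_required and not (ticket_number and ticket_system_name):
            raise RetrieveArgError(
                "account settings require TicketSystemName and TicketNumber")
        if ticket_number:
            argv += ["--TicketNumber", ticket_number]
        if ticket_system_name:
            argv += ["--TicketSystemName", ticket_system_name]
        if time_required is not None:
            if not isinstance(time_required, int) or time_required <= 0:
                raise RetrieveArgError(
                    "TimeRequired must be a positive number of minutes")
            argv += ["--TimeRequired", str(time_required)]
    if reason_code:
        argv += ["--ReasonCode", reason_code]
    if reason_text:
        argv += ["--ReasonText", reason_text]
    return argv, ignored


def retrieve_problem(**options):
    """Return the validation error for options, or None when they are valid."""
    try:
        build_retrieve(**options)
    except RetrieveArgError as exc:
        return str(exc)
    return None


def ssh_command(argv, host="tpam.example.invalid", user="cliuser",
                key="cli_key"):
    """Wrap argv as one quoted remote command for the CLI user's ssh login.

    Host, user and key path are placeholders. shlex quoting keeps values
    that contain spaces (reason text, quoted option values) intact.
    """
    remote = " ".join(shlex.quote(arg) for arg in argv)
    return ["ssh", "-i", key, f"{user}@{host}", remote]
```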
SetAccessPolicy--options
Allows you to add or remove an access policy assignment to an account, collection, file, group, system, or user.
Replaces the old CLI commands of GrantPermission, SetPermission, SetEGPPermission, and RevokePermissions.
Table 140. SetAccessPolicy options
--AccessPolicyName (Req): Name of the access policy to assign.
--Action (Req): Add or Drop.
--AccountName (Opt): Account affected by the assignment. If an account is specified, --SystemName must also be specified. The value must be empty if CollectionName is specified.
--CollectionName (Opt): Collection affected by the assignment. If this value is provided, SystemName, AccountName and FileName must not be provided.
--FileName (Opt): File name affected by the assignment. SystemName must also be provided.
--GroupName (Opt): Group name affected by the assignment. Either UserName or GroupName must be specified, but not both. Global groups cannot have their permissions altered.
--SystemName (Opt): System name affected by the assignment, or the system name for the account or file provided.
--UserName (Opt): User name affected by the assignment. Either UserName or GroupName must be specified, but not both. Auditor, cache, useradmin, and sysadmin users cannot be assigned permissions.
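The mutual-exclusion rules in Table 140 are easy to get wrong from a script, so the following added Python example (not code from the guide) validates a SetAccessPolicy call before it is sent and shows moving a policy from one group to another across several targets. Whether a user is of a restricted type, or a group is global, is assumed to be supplied by the caller (for instance from ListUsers output) rather than looked up here.

```python
"""Check a TPAM CLI 'SetAccessPolicy' call against its option rules.

Added example, not code from the TPAM guide. It encodes the constraints
of the SetAccessPolicy option table: exactly one of UserName/GroupName,
either CollectionName alone or a SystemName-based target, AccountName
and FileName only together with SystemName, and the principals that
cannot be assigned permissions. The user type and global-group flag are
assumed to come from the caller.
"""

RESTRICTED_USER_TYPES = {"auditor", "cache", "useradmin", "sysadmin"}


class AccessPolicyArgError(ValueError):
    """Raised when the options would be rejected or silently misapplied."""


def build_set_access_policy(policy_name, action, user_name=None,
                            group_name=None, system_name=None,
                            account_name=None, file_name=None,
                            collection_name=None, user_type=None,
                            group_is_global=False):
    """Return the argv for a valid SetAccessPolicy call, or raise."""
    if not policy_name:
        raise AccessPolicyArgError("AccessPolicyName is required")
    if action not in ("Add", "Drop"):
        raise AccessPolicyArgError("Action must be Add or Drop")

    # Principal: exactly one of UserName / GroupName.
    if bool(user_name) == bool(group_name):
        raise AccessPolicyArgError(
            "specify either UserName or GroupName, not both or neither")
    if user_name and user_type and user_type.lower() in RESTRICTED_USER_TYPES:
        raise AccessPolicyArgError(
            f"{user_type} users cannot be assigned permissions")
    if group_name and group_is_global:
        raise AccessPolicyArgError("global groups cannot be altered")

    # Target: a collection on its own, or a system (optionally narrowed
    # to one account or one file on that system).
    if collection_name:
        if system_name or account_name or file_name:
            raise AccessPolicyArgError(
                "CollectionName excludes SystemName, AccountName and FileName")
    elif not system_name:
        raise AccessPolicyArgError(
            "SystemName is required unless CollectionName is given")

    argv = ["SetAccessPolicy", "--AccessPolicyName", policy_name,
            "--Action", action]
    if user_name:
        argv += ["--UserName", user_name]
    else:
        argv += ["--GroupName", group_name]
    if collection_name:
        argv += ["--CollectionName", collection_name]
    else:
        argv += ["--SystemName", system_name]
        if account_name:
            argv += ["--AccountName", account_name]
        if file_name:
            argv += ["--FileName", file_name]
    return argv


def access_policy_problem(*args, **kwargs):
    """Return the validation error message, or None when the call is valid."""
    try:
        build_set_access_policy(*args, **kwargs)
    except AccessPolicyArgError as exc:
        return str(exc)
    return None


def plan_group_rotation(policy_name, old_group, new_group, targets):
    """Drop a policy from old_group and add it to new_group on each target.

    targets is a list of dicts holding target keyword arguments
    (system_name/account_name/file_name or collection_name). Every call is
    validated before any is returned, so one bad target aborts the whole
    plan instead of leaving the policy half-moved.
    """
    calls = []
    for target in targets:
        drop = build_set_access_policy(policy_name, "Drop",
                                       group_name=old_group, **target)
        add = build_set_access_policy(policy_name, "Add",
                                      group_name=new_group, **target)
        calls += [drop, add]
    return calls
```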
SSHKey--options
Retrieves or regenerates system and PSM specific keys. It can also retrieve system standard keys.
Table 141. SSHKey options
--KeyFormat (Opt): Format of the SSH key output: OpenSSH (default) or SecSSH.
--StandardKey (Req*): Name of the system standard key to export. You must pass either --StandardKey OR --SystemName / --AccountName.
--SystemName (Req*): Name of the managed system to retrieve or regenerate keys for. The system must have Use System Specific Key selected for connections. When retrieving the system’s key, do not pass a value for --AccountName.
--AccountName (Req*): Name of the managed account for which to retrieve a PSM specific DSS key. The PSM session authentication must have Use Specific Key selected. --SystemName must be included when specifying --AccountName.
--Regenerate (Opt): Y/N (default is N). Regenerate the system key or account key before retrieving it. The system or PSM account must already be set to use a specific key before calling this.
NOTE: A standard key cannot be regenerated. Regenerating a key immediately makes the old key unusable; the new key must be put in place before the system can be accessed again.
SyncPassForceReset--options
Forces the reset of a synchronized password, changing it in priority order. You must have administrator privileges.
Table 142. SyncPassForceReset options
--SyncPassName (Req): Name of the synchronized password to reset.
--NewPassword (Opt): Password to set as the new password.
TestSystem--options
Initiates a system test. The CLI user must have administrator privilege or the ISA permission over the system.
Table 143. TestSystem option
--SystemName (Req): Name of the system to test.
Legacy support:
TestSystem <SystemName>
UnlockUser--options
Unlocks a currently locked user account. The CLI user must have ISA, User Administrator or Administrator
privilege.
Table 144. UnlockUser option
--UserName (Req): Name of the user to unlock. Cannot be a system administrator user ID.
Legacy support:
UnlockUser <UserName>
UpdateAccount--options
Modifies an existing account. The CLI user must have ISA or Administrator privilege. You can only update the
password for an account that is not auto-managed.
Table 145. UpdateAccount options
--SystemName (Req): System name. Maximum 30 characters.
--AccountName (Req): Account name. Maximum 30 characters.
--AliasAccessOnlyFlag (Opt): This option is obsolete. Any value passed in using this option will be used for the --IgnoreSystemPoliciesFlag option.
--AllowISADurationFlag (Opt): Allow the ISA to specify a duration when retrieving a password. Y/N.
--AutoFlag (Opt): Account password management type. N = None, Y = Automatic, M = Manual.
--BlockAutoChangeFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Change Profile.
--ChangeFrequency (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Change Profile.
--ChangeTime (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Change Profile.
--CheckFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Check Profile.
--ChangeServiceFlag (Opt): Change the password for Windows® services started by this account. Y/N (Windows® platforms only).
--ChangeTaskFlag (Opt): Change the password for the Windows® scheduled tasks started by this account. (Windows® platforms only)
--Custom[1-6] (Opt): Custom account columns, if defined. Use !NULL to clear the value.
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--DomainAccountName (Opt): For Windows® or BoKS platforms. Enter domainname\accountname.
--EnableBeforeReleaseFlag (Opt): Y/N. When set to Y, TPAM disables the account on the remote system until the password is released or a session is started that requires the password to authenticate. (Windows® platforms only)
--EscalationEmail (Opt): If a password post-release review is not completed within the number of hours in EscalationTime, send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a password post-release review has not been completed. Use 0 (zero) to disable the notification.
--IgnoreSystemPoliciesFlag (Opt): Ignore System Policies flag. Y/N. When set to Y, any system-level access policies are ignored and only account-level policies are used for permissions.
--LockFlag (Opt): Account lock flag. Y/N. Passwords for locked accounts cannot be retrieved, released, or changed.
--MaxReleaseDuration (Opt): The maximum duration for a password request, expressed in minutes. The value is rounded to the nearest 15-minute increment. Valid values are 1-10080 (7 days).
--MinimumApprovers (Opt): Minimum number of approvals required for a password release request. 0 (zero) indicates that all requests are auto-approved.
--NextChangeDate (Opt): Set the next scheduled change date for this account. The account will be scheduled for the first available time window based on the assigned Password Change Profile.
--OverrideAccountability (Opt): When the Global Setting to allow account-specific override is enabled, this flag can be turned on at the account level to allow simultaneous, overlapping password requests to be approved. When the Global Setting is not enabled, this flag is ignored. Y/N.
--Password (Opt): Initial or new password for the account. The password cannot be changed for auto-managed accounts. Maximum of 128 characters.
--PasswordChangeProfile (Opt): A profile which controls when the account will have its password changed.
--PasswordCheckProfile (Opt): A profile which controls when the account will have its password checked.
--PasswordRule (Opt): Name of the password rule used to generate passwords for the account. The default rule for new accounts is set on the managed system. You may also specify “Default Password Rule” or another rule to override this.
--ReleaseNotifyEmail (Opt): Use !NULL to clear the value.
--ReleaseChangeFlag (Opt): Change the password after any ISA, CLI, or API release. Y/N.
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password, expressed in minutes. The value is rounded to the nearest 15-minute increment. Valid values are 0-10080 (7 days). If 0 is entered, the ISA retrieval of a password will not trigger a post-release reset of the password. Ignored if ReleaseChangeFlag is N.
--RequireTicketForAPI (Opt): Require a valid ticket system and number for any API password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI (Opt): Require a valid ticket system and number for any CLI password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA (Opt): Require a valid ticket system and number for any ISA password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForPSM (Opt): Require a valid ticket system and number for any PSM request on this account. Y/N.
--RequireTicketForRequest (Opt): Require a valid ticket system and number for any password request on this account. Y/N.
--ResetFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Check Profile.
--RestartServiceFlag (Opt): Restart Windows® services started by this account following a password change. Y/N (Windows® only).
--ReviewCount (Opt): Number of post-release reviews required after a password release (0-n). If ReviewCount is zero, updates to ReviewerName and ReviewerType are ignored.
--ReviewerName (Opt): User name or group name of the required reviewer. Only valid when ReviewerType is User or Group.
--ReviewerType (Opt): Type of reviewer. Valid values are: Any (default), Auditor, User, Group.
--SimulPrivAccReleases (Opt): Number of simultaneous privileged access users who may retrieve the password. 0-99.
--TicketSystemName (Opt): When RequireTicketForRequest is Y, this is the ticket system that is required. Use a value of “!Any” to allow tickets from any valid ticket system.
--TicketEmailNotify (Opt): Email to notify if a password is retrieved via API, CLI, or ISA without a ticket number. Ignored when RequireTicketForRequest is N or when a ticket is required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--UseSelfFlag (Opt): Use the account's current password to change the password. Y/N. If the functional account is flagged as “non-privileged” at the system level, this value is forced to Y.
UpdateCollection--options
Allows you to update the PSM Affinity assignment for a collection.
Table 146. UpdateCollection options
--CollectionName (Req): Collection name.
--Description (Opt): Collection description. Maximum of 50 characters.
--PSMDPAAffinity (Opt): List of all DPAs to use for PSM affinity, in the form DPAName1/priority;DPAName2/priority. Pass “Any” to reset the list and allow any DPA to be used. Priority must be > 0 to add a DPA. A priority of 0 removes the DPA from the list.
UpdateDependentSystems--options
Allows you to update the dependent systems assigned to an account. You must have Administrator or PPM ISA
privileges on the system.
Table 147. UpdateDependentSystems options
--SystemName (Req): System name.
--AccountName (Req): Account name.
--Assign (Opt): Semicolon-separated list of systems to assign as dependents. A dependent must be an auto-managed system with a platform of Windows® or SPCW, and cannot be the parent system named in the SystemName parameter. You may specify a list of systems to both assign and unassign in the same command.
--Unassign (Opt): Semicolon-separated list of systems to remove as dependents. You may specify a list of systems to both assign and unassign in the same command.
UpdateEGPAccount--options
Modifies the PSM details of an existing account. The CLI user must have PPM ISA and PSM ISA or Administrator
privilege. Same parameters as UpdatePSMAccount.
UpdatePSMAccount--options
Replaces the UpdateEGPAccount command.
Table 148. UpdatePSMAccount options
--SystemName (Req): System name. Maximum 30 characters.
--AccountName (Req): Account name. Maximum 30 characters.
--ClipboardFlag (Opt): Whether to enable clipboard support between the host and the session. Y or N.
--CLIAccountName (Opt): The account name on the remote TPAM to retrieve. Use !NULL to clear the value.
--CLIDomainName (Opt): The AD or NetBIOS domain name to use when starting the session. Use !NULL to clear the value.
--CLISystemName (Opt): When a TPAMCLIUserName is specified, you may also include an optional system and account name for retrieval on the remote TPAM. The CLISystemName, CLIAccountName, and CLIDomainName values are ignored if TPAMCLIUserName is not specified. Use !NULL to clear the value.
--ColorDepth (Opt): Color depth of the PSM session. Values of 8 or 16 for the RDP proxy type; values of 0, 1, 2, and 3 for the VNC proxy type.
--ConnectionProfile (Opt): Name of the optional custom connection profile to use for sessions on this account. Connection profiles are tied to specific proxy types. Use the value Standard to revert to the default connection information.
--ConsoleFlag (Opt): Y or N.
--DSSKey (Opt): The DSS key to use for session authentication when DSSKeyType is Upload. The key may be up to 4096 characters.
--DSSKeyName (Opt): Name of the specific DSS key.
--DSSKeyType (Opt): The source of the DSS key used for session authentication when PasswordMethod is set to DSSKey. Valid values are: Standard (use any of the standard keys); Specific (generate and use a specific DSS key for this account).
--DefaultSessionDuration (Opt): Default value used for the duration of a session request, in minutes. The value is rounded to the nearest 15-minute increment.
--DomainAccount (Opt): The Windows® domain account used to authenticate the session when PasswordMethod is Windows Domain Account.
--EnableFlag (Opt): Indicates whether this account may be requested for PSM sessions. Y or N.
--EscalationEmail (Opt): If a session post-release review is not completed within the number of hours in EscalationTime, send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a session post-release review has not been completed. Use 0 (zero) to disable the notification.
--FileTransAuthMethod (Opt): Choices are: Same (use the same credentials as the session); Prompt (ask for credentials at the time of transfer).
--FileTransDownFlag (Opt): Whether to allow the transfer of files from the session to the host. Y or N.
--FileTransPath (Opt): A directory path on the target machine where the transferred file will be placed. Directory syntax is platform specific.
--FileTransType (Opt): The file transfer method. Values are platform specific: DIS (file transfer disabled, the default); WFC (Windows® file copy); SCP (secure copy); FTP (file transfer protocol); ECP (SCP using the PSM functional account).
--FileTransUp (Opt): Whether to allow the transfer of files from the host to the session. Y or N.
--MaxSessionCount (Opt): The maximum number of simultaneous sessions that may be running for this account. For proxy types that display a password, this value is set to 1 and cannot be changed.
--MinApprovers (Opt): Minimum number of approvals required for a session request. 0 (zero) indicates that all session requests are auto-approved. If the proxy type requires the display of a password, this value is overridden by the PPM release minimum approval value.
--NotifyFrequency (Opt): If NotifyThreshold is greater than zero, this is the frequency at which PSM expired-session emails are sent.
--NotifyThreshold (Opt): If greater than zero, this is the number of minutes after the expiration of the session request at which TPAM should send notification emails about a still active session. The email notifications continue until the session is terminated.
--PARCLIUserName or --TPAMCLIUserName (Opt): The CLI user on another TPAM appliance used to retrieve the password when the PasswordMethod is Remote TPAM CLI. The CLI user must already be defined on this appliance and is given in the form TPAMName/CLIUserName.
--PasswordMethod (Opt): Method PSM uses to authenticate sessions to the account. The option values must be surrounded by quotes because of the spaces. Valid values are: “Local TPAM” (use the local TPAM appliance for the password; default); “Remote TPAM CLI” (use another TPAM appliance for the password; TPAMCLIUserName must be supplied); “DSS Key” (use a DSS key); “Not Stored” (the user will be prompted for the password when starting the session); “Windows Domain Account” (use the account in DomainAccount for the password).
--PostSessionProfile (Opt): Name of the post-session profile that controls activities that take place after the session expires. Use the value Standard to revert to default processing.
--ProxyType (Opt*): Type of proxy connection used for the session. Values are platform dependent. Proxy type is required when changing the EnableFlag on accounts. Use the entire text as seen on the PSM Details tab in the TPAM interface.
--RecordingRequiredFlag (Opt): Whether to require that all sessions are recorded. Y or N.
--ReviewCount (Opt): Number of post-release reviews required after a session expires.
--ReviewerName (Opt): User name or group name of the required reviewer.
--ReviewerType (Opt*): Type of reviewer. This value is required when ReviewCount is > 0. Valid values are: Any (default), Auditor, User, Group.
--SessionStartNotifyEmail (Opt): If populated, an email is sent any time a session is started on this account. Use !NULL to clear the value.
UpdateSyncPass--options
Allows you to update a synchronized password.
Table 149. UpdateSyncPass options
--SyncPassName (Req): Name of the synchronized password. You must have administrator privileges.
--AccountLevelCheckProfile (Opt): Y/N. Default is N. If Y, the synchronized password does not have a Password Check Profile and password checks are based on the password check profile assigned to each member account.
--ChangeFrequency (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Change Profile.
--ChangeTime (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Change Profile.
--CheckFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Check Profile.
--DisableFlag (Opt): Disable synchronizing subscribed accounts. Y/N.
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--NextChangeDate (Opt): Sets the next scheduled change date for this account.
--Password (Opt): Initial or new password for the account. The password cannot be changed for auto-managed accounts. Maximum of 128 characters.
--PasswordChangeProfile (Opt): A profile which controls when the account will have its password changed.
--PasswordCheckProfile (Opt*): A profile which controls when the account will have its password checked. *Required when AccountLevelCheckProfile is N.
--PasswordRule (Opt): Name of the password rule used to generate passwords for the account. The default rule for new accounts is set on the managed system. You may also specify Default Password Rule or another rule to override this.
--ReleaseNotifyEmail (Opt): Use !NULL to clear the value. This email address receives an email when the password is released.
--ReleaseChangeFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. Its functionality has been assumed by the Password Change Profile.
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password, expressed in minutes. The value is rounded to the nearest 15-minute increment. Valid values are 0-10080 (7 days). If 0 is entered, the ISA retrieval of a password will not trigger a post-release reset of the password. This value is ignored if ReleaseChangeFlag is N.
--ResetFlag (Opt): Reset the password if a regular check finds a mismatch. Y/N. This value is ignored if CheckFlag is N.
UpdateSystem--options
Modifies an existing system. The CLI user must have ISA or Administrator privilege.
Table 150. UpdateSystem options
Option name
Req/Opt
Description
--SystemName
Req
System Name. Must be between 2 and 30 characters in length and
consist of only upper or lower case letters, numbers, hyphen,
underscore, period, or US dollar sign ($).
--NewSystemName
Opt
New name to apply to system.
--AllowFuncReqFlag
Opt
Whether to allow the functional account password to be requested and
released. Y/N. Default N.
--AllowISADurationFlag
Opt
Allow an ISA to enter a duration when releasing a password in the GUI.
Y/N. Default N.
--AlternateIP
Opt
Obsolete as of TPAM v2.5.909.
--AutoDiscoveryExcludeList Opt
List of account names (up to 1,000 characters) separated by semicolons which will be ignored when processing the auto-discovery
profile on this system. Use !NULL to clear the value or override the
template’s value.
TPAM 2.5
Administrator Guide
330
--AutoDiscoveryProfile (Opt): Name of the auto-discovery profile which will be used to discover new/deleted accounts on this system. Use !NULL to clear the value or override the template's value. Auto-discovery is only valid for Windows®, *nix, and DBMS platforms.
--AutoDiscoveryTimeout (Opt): Timeout (in seconds) when discovering accounts on this system. Default is 300. If the discovery process times out it will continue to discover accounts at the next scheduled run. Use 0 (zero) to set the default.
--BoksServerOS (Opt): The OS Name (platform) for a Boks server.
--ChangeFrequency (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Change Profile.
--ChangeTime (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Change Profile.
--Custom[1-6] (Opt): Custom system columns, if defined. Use !NULL to clear the value.
--CheckFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Check Profile.
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount (Opt): The domain account to be used as the functional account. Must be in the form SystemName\AccountName and the account must already be defined in TPAM. When specified, the FunctionalAccount and FuncAcctCred options are ignored.
--DomainName (Opt*): The domain name for Windows®. *Required for Windows AD systems.
--EGPOnlyFlag (Opt): Setting this value to Y will disable *ALL* PPM functionality on this system and all its accounts and will delete any existing password history or secure stored files. Y/N.
--EnablePassword (Opt): Password to use for the "ENABLE" account (Cisco platforms only) or "Expert" account (CheckPoint SP platform only).
--EscalationEmail (Opt): If a password post-release review is not completed within the number of hours in EscalationTime, send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a password post-release review has not been completed. Use 0 (zero) to disable the notification.
--FuncAcctCred (Opt): Password for the account indicated in the FunctionalAccount option. Use a password of DSS to have the system use system standard keys for functional account credentials or a password of SPECIFIC to use a system specific key.
--FuncAcctDN (Opt*): The distinguished name of the functional account. *Required for Novell NDS, LDAP or LDAPS systems. Ignored for all others.
--FunctionalAccount (Opt): Account name of the functional account for the system. This is the account which will be used to change other passwords on the system.
--LineDef (Opt): Mainframe and Cisco telnet attribute.
--MaxReleaseDuration (Opt): The maximum duration for a password request, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 1-10080 (7 days).
--NetBiosName (Opt): Required for Windows® AD or SPCW (DC) platforms.
--NetworkAddress (Opt): Network address of the system. May be an IPv4 address or a fully qualified domain name.
--NonPrivFuncFlag (Opt): Y/N. Default is N. Set to Y when the functional account is not authorized to change passwords.
--OracleSIDSN (Opt): Either the SID or Service Name (as indicated in the OracleType option) used to connect to the Oracle® system.
--OracleType (Opt): May be either SID or SN. Only accepted for the Oracle® platform.
--PasswordChangeProfile (Opt): A profile which controls when the account will have its password changed.
--PasswordCheckProfile (Opt*): A profile which controls when the account will have its password checked. *Required when AccountLevelCheckProfile is N.
--PasswordRule (Opt): The name of the Password Rule used to generate random passwords for this system. Leave empty to use the default password rule for new systems. Must use the text "Default Password Rule" to change existing systems.
--PlatformName (Opt): Any recognized platform name. Note that certain platforms, once set, cannot be changed. For custom platform names the platform name is indicated by "Custom" or "Custom Platform" followed by a forward slash (/) and the custom platform name.
--PlatSpecificValue (Opt): A platform specific value, e.g., Linux® Delegation prefix or Windows® Computer Name. Not all platforms support this value.
--PortNumber (Opt): Port number used for SSH communication with the system. Default values are platform specific.
--PPMDPAAffinity (Opt): List of DPAs to use for PPM affinity in the form DPAName1/priority;DPAName2/priority. Use Local to reset the list and only use the appliance for password checks/changes. Use a priority of 0 (zero) to remove a DPA from the list. PPM affinity cannot be set when adding a system from a template, but after the system is created the affinity may be changed.
--PSMDPAAffinity (Opt): List of DPAs to use for PSM affinity in the form DPAName1/priority;DPAName2/priority. Use Any to allow any DPA to be used. Priority must be a number greater than zero. Use a priority of 0 (zero) to remove a DPA from the list. PSM affinity cannot be set when adding a system from a template, but after the system is created the affinity may be changed.
--PrimaryEmail (Opt): Primary email contact for this system. Max of 255 characters. Use !NULL to clear the value.
--ProfileCertType (Opt): One of the following values:
• N - no thumbprint or certificate. Default.
• T - Thumbprint only. The SHA1 thumbprint of the certificate used by the system to notify TPAM of availability for check and change operations.
• G - Generated. TPAM will generate a certificate and record the thumbprint. This certificate must be installed on the system in order to call the TPAM notifier service.
--ProfileCertThumbprint (Opt): Thumbprint of the certificate. Only used if ProfileCertType is T.
--ReleaseChangeFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Release Duration value.
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 0-10080. If 0 is entered the ISA retrieval of a password will not trigger a post-release reset of the password.
--RequireTicketForAPI (Opt): Require a valid Ticket System & Number for any API password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI (Opt): Require a valid Ticket System & Number for any CLI password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA (Opt): Require a valid Ticket System & Number for any ISA password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForRequest (Opt): Require a valid Ticket System & Number for any password request on this account. Y/N.
--RequireTicketForPSM (Opt): Require a valid Ticket System & Number for any PSM request on this account. Y/N.
--ResetFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Change Profile.
--SSHAccount (Opt): The account name to use when communicating with this system via SSH. This is required when UseSshFlag is set to Y.
--SSHKey (Opt): Either "Standard" to use the appliance's system standard keys or "Specific" to generate a specific key for this system. "Standard" is the default.
--SSHPort (Opt): The port number for SSH communication. If not specified a default of 22 is used.
--SystemAutoFlag (Opt): Whether or not to enable automatic password management for accounts on this system. Y/N. If set to N the account auto flags may only be N (none) or M (Manual).
--TicketEmailNotify (Opt): Email to notify if a password is retrieved via API, CLI, or ISA without a ticket number. Ignored when RequireTicketForRequest is N or a ticket is required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName (Opt): When RequireTicketForRequest is Y this is the Ticket System that is required. Use a value of "!Any" to allow tickets from any valid ticket system.
--Timeout (Opt): The number of seconds TPAM will attempt to communicate with the system for password checks and changes before issuing a "timed out" error. Default is 20 seconds.
--UseSslFlag (Opt): Whether or not to use SSL to communicate with the system. Y/N. Support for this is platform specific. NOTE: The UseSsl and UseSsh flags are mutually exclusive. You may only set one or the other, not both.
--UseSshFlag (Opt): Whether or not to use SSH to communicate with the system. Y/N. Support for this is platform specific. NOTE: The UseSsl and UseSsh flags are mutually exclusive. You may only set one or the other, not both.
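The table above states a number of constraints that the appliance enforces only after the command has travelled over SSH. The following is an added example, not code from the TPAM guide or from Dell, that applies those same rules on the client before anything is sent: the SystemName character set and length, Y/N flag values, the UseSsl/UseSsh exclusion, the SystemName\AccountName form of DomainFuncAccount, the 0-10080 and 1-10080 minute ranges with their 15-minute rounding, the 255/1000 character limits, the SID/SN and N/T/G enumerations, and the DPAName/priority list syntax. The function names and the argv-style token list are this example's own conventions; the SSH transport to the appliance is not shown.

```python
"""Client-side checks for a TPAM UpdateSystem CLI invocation (added example)."""
import re
from typing import Dict, List

# Constraints copied from the UpdateSystem option table.
SYSTEM_NAME_RE = re.compile(r"^[A-Za-z0-9._$-]{2,30}$")      # letters, digits, - _ . $
DOMAIN_FUNC_RE = re.compile(r"^[^\\]+\\[^\\]+$")             # SystemName\AccountName
DPA_LIST_RE = re.compile(r"^[^/;]+/\d+(;[^/;]+/\d+)*$")      # DPAName1/priority;DPAName2/priority
YN_FLAGS = {
    "AllowFuncReqFlag", "AllowISADurationFlag", "EGPOnlyFlag", "NonPrivFuncFlag",
    "RequireTicketForAPI", "RequireTicketForCLI", "RequireTicketForISA",
    "RequireTicketForRequest", "RequireTicketForPSM", "SystemAutoFlag",
    "UseSslFlag", "UseSshFlag",
}
MAX_LENGTH = {"Description": 255, "PrimaryEmail": 255, "AutoDiscoveryExcludeList": 1000}
ENUMS = {"OracleType": {"SID", "SN"}, "ProfileCertType": {"N", "T", "G"}}
AFFINITY_RESET = {"PPMDPAAffinity": "Local", "PSMDPAAffinity": "Any"}


def round_to_15(minutes: int) -> int:
    """Round a duration to the nearest 15-minute increment, as the table says TPAM does."""
    return (minutes + 7) // 15 * 15


def validate_update_system(opts: Dict[str, str]) -> List[str]:
    """Return the list of problems with the option values (empty means acceptable)."""
    problems: List[str] = []
    name = opts.get("SystemName")
    if name is None:
        problems.append("SystemName is required")
    elif not SYSTEM_NAME_RE.match(name):
        problems.append("SystemName must be 2-30 characters of letters, digits, - _ . $")
    for flag in sorted(YN_FLAGS & opts.keys()):
        if opts[flag] not in ("Y", "N"):
            problems.append(f"{flag} must be Y or N")
    if opts.get("UseSslFlag") == "Y" and opts.get("UseSshFlag") == "Y":
        problems.append("UseSslFlag and UseSshFlag are mutually exclusive")
    if "DomainFuncAccount" in opts and not DOMAIN_FUNC_RE.match(opts["DomainFuncAccount"]):
        problems.append("DomainFuncAccount must be in the form SystemName\\AccountName")
    for key, low in (("ReleaseDuration", 0), ("MaxReleaseDuration", 1)):
        value = opts.get(key)
        if value is not None and not (value.isdigit() and low <= int(value) <= 10080):
            problems.append(f"{key} must be an integer from {low} to 10080 minutes")
    for key, limit in MAX_LENGTH.items():
        value = opts.get(key)
        if value is not None and value != "!NULL" and len(value) > limit:   # !NULL clears
            problems.append(f"{key} exceeds {limit} characters")
    for key, allowed in ENUMS.items():
        if key in opts and opts[key] not in allowed:
            problems.append(f"{key} must be one of {', '.join(sorted(allowed))}")
    # Only flag a thumbprint when the same call explicitly sets a type other than T.
    if "ProfileCertThumbprint" in opts and opts.get("ProfileCertType", "T") != "T":
        problems.append("ProfileCertThumbprint is only used when ProfileCertType is T")
    for key, reset_word in AFFINITY_RESET.items():
        value = opts.get(key)
        if value is not None and value != reset_word and not DPA_LIST_RE.match(value):
            problems.append(f"{key} must be {reset_word} or DPAName/priority;... pairs")
    return problems


def build_update_system_args(opts: Dict[str, str]) -> List[str]:
    """Build the token list for UpdateSystem, or raise ValueError listing every problem."""
    problems = validate_update_system(opts)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["UpdateSystem"]
    for key, value in opts.items():
        args += [f"--{key}", value]
    return args
```

round_to_15 shows the effective value the appliance will store: a ReleaseDuration of 22 becomes 15, and 23 becomes 30, so a caller who wants a specific window should pass a multiple of 15 rather than rely on the rounding.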
UpdateUser--options
Modifies an existing user account. The CLI user must have user administrator or administrator privilege.
Table 151. UpdateUser options
Option name (Req/Opt): Description
--UserName (Opt): User Name. Maximum 30 characters.
--LastName (Opt): Maximum of 30 characters.
--FirstName (Req): Maximum of 30 characters.
--Email (Opt): Maximum of 255 characters. Use !NULL to clear.
--Phone (Opt): Maximum of 30 characters. Use !NULL to clear.
--Mobile (Opt): Maximum of 30 characters. Use !NULL to clear. Also recognizes the value --pager for legacy support.
--UserType (Opt): Basic (default), Admin, Auditor, or UserAdmin.
--Disable (Opt): Whether the user's ID is currently disabled. Y/N. Disabled users cannot log in to the appliance.
--ExternalAuth (Opt): Obsolete, replaced with SecondaryAuth.
--SecondaryAuth (Opt): Secondary authentication system used for user login. Valid values are None (default), SecureID, Safeword, Radius, WinAD, Defender and LDAP.
--ExternalAuthSystem (Opt): Obsolete, replaced with SecondaryAuthSystem.
--SecondaryAuthSystem (Opt): Name of the secondary authentication system of the type indicated in ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID (Opt): Obsolete, replaced with SecondaryUserID.
--SecondaryUserID (Opt*): User ID to use for secondary authentication. *Required when SecondaryAuth is other than None.
--PrimaryAuthExtra (Opt): The LDAP Primary Authentication Types support an "Extra" UserID. The user logs in using a shorthand value in the PrimaryAuthID, but the data in the PrimaryAuthExtra will be used to do the actual authentication against the external system. Use !NULL to clear.
--PrimaryAuthID (Opt*): The User ID to use for primary authentication when a non-local authentication system is used.
--PrimaryAuthType (Opt): The type of the primary authentication system for this user. Current values are Local, Certificate, LDAP, WinAD, Radius or Defender. When Local is used the PrimaryAuthID, PrimaryAuthExtra and PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem (Opt*): Name of the defined system to use when the PrimaryAuthType is not Local. Systems are defined by the appliance System Administrator.
--CertThumbprint (Opt): The SHA1 or SHA256 thumbprint of the user's certificate. SHA1 thumbprints must be 64 characters. Both should consist of only numbers and the letters A-F. This value is ignored unless the PrimaryAuthType is Certificate.
--Description (Opt): Maximum of 255 characters. Use !NULL to clear.
--LogonHoursFlag (Opt): Indicates whether the LogonHours value represents allowed or prohibited hours. Valid values are A, P, or N (no restrictions).
--LogonHours (Opt): A listing of up to 4 hour ranges. Times must be expressed in 24-hour format in any of the following forms: 7, 07, 700, 0700, 07:00 (all indicating 07:00 AM). Separate multiple ranges with semi-colons, e.g., 07:00-12:00;18:00-23:59 (7AM-12AM and 6PM-11:59PM). If the LogonHoursFlag value is N this value is ignored.
--LogonDays (Opt): When Logon Hours are specified you may also specify the days of the week those hours are effective. Specify days with a string of 7 X's (to indicate an "on" day) or periods (for an "off" day) to represent the week from Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun and Sat off. If LogonHours are specified and LogonDays is left empty the default is all days "on", e.g., XXXXXXX.
--MobileAllowedFlag (Opt): Whether to allow this user to log in to the system from a mobile device (Blackberry, iPhone, etc.). Y/N.
--LocalTimezone (Opt): The user's local time zone. You may enter any part of the time zone name as long as it is unique in the list, e.g., entering Guam will only find one time zone while entering 02:00 or US will find multiple entries. A value of "Server" indicates that the user is in the same time zone as the server and follows the same DST rules.
--DstFlag (Opt): Obsolete. Users now automatically adjust DST per the local time zone to which they are assigned.
--Custom1 (Opt): Custom user columns, if defined. Use !NULL to clear the value when updating.
--Custom2 (Opt): see --Custom1
--Custom3 (Opt): see --Custom1
--Custom4 (Opt): see --Custom1
--Custom5 (Opt): see --Custom1
--Custom6 (Opt): see --Custom1
Legacy support:
UpdateUser <UserName>,[LastName],[FirstName],[EmailAddress],[Phone],[Mobile],[UserType(Basic|Admin|Auditor|UserAdmin)],[DisableFl(Y|N)],[SecAuthType(NONE,SAFEWORD,SECUREID,LDAP,RADIUS,DEFENDER WINAD)],[SecAuthUserID],[Description]
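The LogonHours, LogonDays and LogonHoursFlag options above describe a small format of their own. The following is an added example, not code from the TPAM guide, that parses it: it normalizes the time spellings the table accepts (7, 07, 700, 0700, 07:00), enforces the limit of four ranges and the seven-character Sunday-to-Saturday day string, and evaluates a logon attempt against an allowed (A) or prohibited (P) window. The function names and the day index convention (0 = Sunday) are this example's own. The table does not say how TPAM treats a prohibited window on an "off" day; this code treats such a day as unrestricted, which is an assumption.

```python
"""Parsing the UpdateUser LogonHours / LogonDays / LogonHoursFlag values (added example)."""
from typing import List, Tuple


def parse_time(token: str) -> str:
    """Normalize one time spelling (7, 07, 700, 0700, 07:00) to zero-padded HH:MM."""
    token = token.strip()
    if ":" in token:
        hours, minutes = token.split(":", 1)
    elif len(token) <= 2:                 # "7" or "07"
        hours, minutes = token, "00"
    elif len(token) in (3, 4):            # "700" or "0700"
        hours, minutes = token[:-2], token[-2:]
    else:
        raise ValueError(f"unrecognized time {token!r}")
    if not (hours.isdigit() and minutes.isdigit()):
        raise ValueError(f"unrecognized time {token!r}")
    hour, minute = int(hours), int(minutes)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"time out of range {token!r}")
    return f"{hour:02d}:{minute:02d}"


def parse_logon_hours(value: str) -> List[Tuple[str, str]]:
    """Split 'start-end;start-end' into one to four normalized (start, end) ranges."""
    ranges: List[Tuple[str, str]] = []
    for part in value.split(";"):
        if not part.strip():
            continue
        if "-" not in part:
            raise ValueError(f"range {part!r} must be start-end")
        start, end = (parse_time(p) for p in part.split("-", 1))
        if end <= start:                  # zero-padded HH:MM strings compare chronologically
            raise ValueError(f"range {part!r} ends before it starts")
        ranges.append((start, end))
    if not 1 <= len(ranges) <= 4:
        raise ValueError("LogonHours must contain 1 to 4 ranges")
    return ranges


def parse_logon_days(value: str) -> List[bool]:
    """Map '.XXXXX.' to seven booleans, Sunday first; an empty string means every day on."""
    if value == "":
        value = "XXXXXXX"
    if len(value) != 7 or any(c not in "X." for c in value):
        raise ValueError("LogonDays must be seven characters of X or .")
    return [c == "X" for c in value]


def logon_permitted(flag: str, hours: str, days: str, day_index: int, hhmm: str) -> bool:
    """Decide whether a logon on day_index (0 = Sunday) at time hhmm is permitted."""
    if flag == "N":                       # no restrictions; LogonHours is ignored
        return True
    if flag not in ("A", "P"):
        raise ValueError("LogonHoursFlag must be A, P or N")
    if not parse_logon_days(days)[day_index]:
        # Day is "off": nothing allowed under A; assumed unrestricted under P.
        return flag == "P"
    now = parse_time(hhmm)
    in_window = any(start <= now <= end for start, end in parse_logon_hours(hours))
    return in_window if flag == "A" else not in_window
```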
UserSSHKey--options
Regenerate or retrieve a key for yourself or others. Must be an Administrator.
IMPORTANT: If regenerating your own key make sure not to overwrite the old key file before the command
has completed.
IMPORTANT: Regenerating a user’s key will immediately make their old key invalid. The user will have to
put this new key in place before being able to access TPAM again.
Table 152. UserSSHKey options
Option name (Req/Opt): Description
--UserName (Opt): User name to retrieve. If no user name is supplied your own user name will be used. If retrieving or regenerating a key for a user other than yourself the user must be key based with NOTPAM web access.
--KeyType (Opt): The DSS key to retrieve. Must be CLI or API. The default is the key type of the calling interface.
--PassPhrase (Opt): Only allowed when regenerating a CLI key. Passphrase must be at least 5 characters long and may be up to 128 characters and contain anything except double quote characters (").
--Regenerate (Opt): Regenerate the key before retrieving. Users without web access must retrieve and regenerate their own keys. Y/N. Default is N.
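The two IMPORTANT notes above describe a failure mode worth guarding against in code: the old key authenticates the very command that regenerates it, so overwriting the key file before the command has completed can lock the user out. The following is an added example, not code from the TPAM guide, that keeps the existing file untouched until a complete new key has been received and written beside it, then swaps it in with an atomic rename and private-key permissions. The fetch_key callable stands in for the SSH round-trip that runs UserSSHKey --Regenerate Y (an assumption of this example); the key texts are constructed placeholders, not real keys.

```python
"""Installing a regenerated TPAM key without clobbering the key still in use (added example)."""
import os
import tempfile
from typing import Callable

# Constructed placeholder key material for the demonstration (not real keys).
OLD_KEY_TEXT = "-----BEGIN CONSTRUCTED TEST KEY-----\nold-key-material\n-----END CONSTRUCTED TEST KEY-----\n"
NEW_KEY_TEXT = "-----BEGIN CONSTRUCTED TEST KEY-----\nnew-key-material\n-----END CONSTRUCTED TEST KEY-----\n"


def install_regenerated_key(fetch_key: Callable[[], str], key_path: str) -> str:
    """Fetch the regenerated key and replace key_path only after the fetch succeeded.

    If fetch_key raises, or returns something that is not a key, key_path is
    left exactly as it was, so a session still authenticated with the old key
    can retry.
    """
    new_key = fetch_key()                         # authenticates with the OLD key
    if not new_key.lstrip().startswith("-----BEGIN"):
        raise ValueError("response is not a private key; existing key file kept")
    directory = os.path.dirname(os.path.abspath(key_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tpamkey-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(new_key)
            handle.flush()
            os.fsync(handle.fileno())             # new key is on disk before the swap
        os.chmod(tmp_path, 0o600)                 # private key: owner read/write only
        os.replace(tmp_path, key_path)            # atomic replacement of the old file
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return key_path


def demo_rotation(fetch_succeeds: bool) -> str:
    """Run a rotation in a scratch directory and return the key file's final contents."""
    with tempfile.TemporaryDirectory() as scratch:
        key_path = os.path.join(scratch, "tpam_cli_key")
        with open(key_path, "w") as handle:
            handle.write(OLD_KEY_TEXT)

        def fetch_key() -> str:
            if fetch_succeeds:
                return NEW_KEY_TEXT
            return "ERROR: constructed failure response"   # e.g. the appliance rejected the call

        try:
            install_regenerated_key(fetch_key, key_path)
        except ValueError:
            pass                                  # old key stays in place
        with open(key_path) as handle:
            return handle.read()
```

demo_rotation(True) ends with the new key in place; demo_rotation(False) shows that a failed regeneration leaves the original file byte-for-byte intact.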
42 Application Programming Interface (API)
• Introduction
• C++ library
• .NET library
• PERL library
• Java® library
• C++ examples
• .NET examples (C#)
Introduction
The TPAM Application Programming Interface (API) allows client applications, via an SSH (Secure Shell)
connection to the TPAM appliance, to perform many of the operations provided in the TPAM User Interface.
The operations supported by the TPAM API are identical to the operations provided by the TPAM Command Line
Interface (CLI). See CLI Commands for details on the TPAM CLI.
The TPAM API is available in several programming languages to allow customers to use their choice of
programming languages when working with the API. Details for using the API in each programming language are
provided in later sections of this document.
As mentioned above, the operations are invoked on the TPAM appliance via an SSH connection. An identity key file created by TPAM and a user ID with API key based authentication selected are required for the API to be able to establish the SSH connection. The necessary SSH client software is included with the TPAM API library, except for non-Windows® installations of the Perl version of the TPAM API. In this case, the client machine must have SSH software installed and available in the directory path.
C++ library
The TPAM API C++ library is provided as a static library. It is distributed with several other libraries that are
required by the TPAM API C++ library.
The main class of the library is ApiClient. This class provides the SSH connection to TPAM and provides the
method used to execute the various operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the C++ library.
Most classes fall into the category of business objects, commands, results, or exceptions.
See C++ examples for examples of using the C++ library.
Class APIClient
Class ApiClient is used to create the SSH connection to TPAM and execute the various commands provided by the
library. This main class contains only a few functions.
Table 153. Class APIClient functions
Method | Description | Parameters
constructor | Constructor for the class. | String host - IP address of TPAM appliance; String keyFileName - local path to identity key file created by and downloaded from TPAM; String userName - user name of API user ID defined in TPAM
connect | This method initiates the SSH connection to TPAM. | None
sendCommand | This method invokes the requested operation on TPAM and processes the response. The response attributes are available via the appropriate "result" class described below. | An object of type "command" class as discussed below
disconnect | This method disconnects the SSH session. | None
Business object classes
The business object classes describe the entities in TPAM that can be queried or manipulated in some manner
via the TPAM API.
Table 154. C++ Library: Business object classes
Class | Description
Account | This class contains the attributes of an account.
Alias | This class contains the attributes of an alias.
CollectionMembership | This class contains the attributes of a collection membership.
EDMZSystem | This class contains the attributes of a system.
EgpAccount | This class contains the attributes of an EGP account.
GroupMembership | This class contains the attributes of a group membership.
Permission | This class contains the attributes of a permission.
Policy | This class contains the attributes of an access policy.
PsmAccount | This class contains the attributes of a PSM account.
PwdRequest | This class contains the attributes of a password request. It is based on the Request class.
Request | This class contains the attributes common to a password or session request.
SessionRequest | This class contains the attributes of a session request. It is based on the Request class.
SynchronizedPassword | This class contains the attributes of a synchronized password.
SyncPwdSubscriber | This class contains the attributes of a synchronized password subscriber.
User | This class contains the attributes of a user.
Command classes
Each “command” class implements a single operation that can be performed on TPAM. The constructor for each
class accepts the mandatory data that is required by TPAM to execute the operation.
Some operations have optional values that may be specified. Several of the add and update operations allow
optional attributes of the business object being added or updated to be set. The list operations allow optional
selection criteria to be specified in order to narrow the results returned by TPAM. See Setting operational values
for operations for details.
An instance of one of these “command” classes is passed to method sendCommand of class ApiClient to have
the operation carried out on TPAM. After execution, a “result” class can be queried for details of the outcome
of the operation. This result class is accessed via method getResult() of the “command” class. In the case of
commands that query data from TPAM, if the result indicates success, the retrieved data will be available within
the “command” class after execution of the operation on TPAM.
Table 155. C++ Library: Command classes
Class | Result class detailing execution outcome | Method used to access retrieved data
AddAccountCommand | IDResult | N/A
AddCollectionCommand | Result | N/A
AddCollectionMemberCommand | Result | N/A
AddGroupCommand | Result | N/A
AddGroupMemberCommand | Result | N/A
AddPwdRequestCommand | IDResult | N/A
AddSessionRequestCommand | IDResult | N/A
AddSyncPassCommand | Result | N/A
AddSyncPwdSubCommand | Result | N/A
AddSystemCommand | IDResult | N/A
AddUserCommand | IDResult | N/A
ApproveCommand | Result | N/A
ApproveSessionRequestCommand | Result | N/A
CancelCommand | Result | N/A
CancelSessionRequestCommand | Result | N/A
ChangeUserPasswordCommand | Result | N/A
CheckPasswordCommand | Result | N/A
ClearKnownHostsCommand | Result | N/A
DeleteAccountCommand | Result | N/A
DeleteSyncPassCommand | Result | N/A
DeleteSystemCommand | Result | N/A
DeleteUserCommand | Result | N/A
DropCollectionCommand | Result | N/A
DropCollectionMemberCommand | Result | N/A
DropGroupCommand | Result | N/A
DropGroupMemberCommand | Result | N/A
DropSyncPwdSubCommand | Result | N/A
ForceResetCommand | Result | N/A
ForceResetManualCommand | IDResult | getID() returns the password ID. getMessage() returns the password.
GetPwdRequestCommand | ListResult | getPwdRequest() returns a single PwdRequest object
GetSessionRequestCommand | ListResult | getSessionRequest() returns a single SessionRequest object
GrantPermissionCommand | Result | N/A
ListAccountsCommand | ListResult | getAccountList() returns a vector of Account objects
ListAcctsForPwdRequestCommand | ListResult | getAccountList() returns a vector of Account objects
ListAcctsforSessionRequestCommand | ListResult | getAccountList() returns a vector of Account objects
ListAssignedPoliciesCommand | ListResult | getAssignedPoliciesList returns a vector of Policy objects
ListCollectionMembershipCommand | ListResult | getCollectionMembershipList() returns a vector of CollectionMembership objects
ListCollectionsCommand | ListResult | getCollectionList() returns a vector of Collection objects
ListDependentSystemsCommand | ListResult | getDependentSystemsList() returns a vector of DependentSystem objects
ListEgpAccountsCommand | ListResult | getEgpAccountList() returns a vector of EgpAccount objects
ListEgpPermissionsCommand | ListResult | getPermissionsList() returns a vector of Permission objects
ListGroupMembershipCommand | ListResult | getMembershipList() returns a vector of GroupMembership objects
ListGroupsCommand | ListResult | getGroupList() returns a vector of Group objects
ListPsmAccountsCommand | ListResult | getPSMAccountList() returns a vector of PsmAccount objects
ListReasonCodesCommand | ListResult | getReasonCodeList() returns a vector of ReasonCode objects
ListRequestCommand | ListResult | getRequestList() returns a vector of Request objects
ListRequestDetailsCommand | ListResult | getRequestDetailsList() returns a vector of Request objects
ListSessionRequestCommand | ListResult | getSessionRequestList() returns a vector of SessionRequest objects
ListSessionRequestDetailsCommand | ListResult | getSessionRequestDetailsList() returns a vector of SessionRequest objects
ListSynchronizedPasswordCommand | ListResult | getSynchronizedPasswordsList() returns a vector of SynchronizedPassword objects
ListSyncPwdSubscribersCommand | ListResult | getSyncPwdSubscribers() returns a vector of SyncPwdSubscriber objects
ListSystemsCommand | ListResult | getSystemList() returns a vector of EDMZSystem objects
ListUsersCommand | ListResult | getUserList() returns a vector of User objects
ManualPasswordResetCommand | Result | N/A
ReportActivityCommand | ListResult | getActivities() returns a vector of Activity objects
RetrieveCommand | Result | getPassword() returns the password as a string
RetrieveWithTicketCommand | Result | getPassword() returns the password as a string
SetAccessPolicyCommand | Result | N/A
SshKeyCommand | Result | getMessage() method of Result contains the returned SSH key
SyncPassForceResetCommand | Result | N/A
TestSystemCommand | Result | N/A
UnlockUserCommand | Result | N/A
UpdateAccountCommand | IDResult | N/A
UpdateAccountTicketCommand | IDResult | N/A
UpdateCollectionCommand | Result | N/A
UpdateDependentSystemsCommand | Result | N/A
UpdateEgpAccountCommand | IDResult | N/A
UpdatePsmAccountCommand | IDResult | N/A
UpdateSyncPassCommand | Result | N/A
UpdateSystemCommand | IDResult | N/A
UpdateSystemTicketCommand | IDResult | N/A
UpdateUserCommand | IDResult | N/A
UserSshKeyCommand | Result | getMessage() method of Result contains the returned SSH key
Setting operational values for operations
Add and update “command” classes that allow optional values to be set contain an instance of the
corresponding business object. Mandatory values specified in the “command” class constructor are populated in
the business object. The optional values can be set by obtaining a reference to the business object from the
“command” class, and setting the desired attributes of the business object.
For example, when adding a new system, the constructor for class AddSystemCommand requires parameters
specifying the system name, network address, and platform name. These values are populated in the
EDMZSystem object contained within the AddSystemCommand object. To set optional attributes, obtain a
reference to this EDMZSystem object by calling method getSystem() on the AddSystemCommand object, and
then call the desired setter methods of the EDMZSystem object. This is demonstrated in the example code
provided in C++ examples.
The add and update “command” classes that contain these business objects that allow setting of optional values
are shown in the following table.
Table 156. Command classes
Class | Method used to get business object reference
AddAccountCommand, UpdateAccountCommand | getAccount()
AddCollectionMemberCommand | getCollectionMembership()
AddGroupMemberCommand | getGroupMembership()
AddSystemCommand, UpdateSystemCommand | getSystem()
AddUserCommand, UpdateUserCommand | getUser()
Selection criteria for the list operations are specified by using the setter methods of the “command” classes
that perform the list operations. See the example code provided in C++ examples.
Results classes
The “result” classes detail the result of the execution of operations on TPAM.
Table 157. C++ Library: Results classes
Class | Attributes
Result | Integer return code: zero indicates successful execution of the command, non-zero indicates failure. String message: a message returned by TPAM with brief information about the execution of the command.
IDResult | Integer return code: see Result class for description. String message: see Result class for description. Integer ID: on successful command execution, this value holds the row number of the modified database record.
ListResult | Integer return code: see Result class for description. String message: see Result class for description. Integer row count: on successful list operations, this value tells how many entries have been returned by TPAM. Query the appropriate attribute of the "command" class to access the data returned by TPAM.
Exception classes
The C++ TPAM API Library will throw exceptions under error conditions. Each exception contains a message
describing the failure.
Table 158. C++ Library: Exception classes
Class | Description
ParseException | This exception will be thrown if there is a failure while parsing a response from TPAM.
SshException | This exception will be thrown if there is a problem with the SSH connection being used to communicate with TPAM.
ValidationException | This exception will be thrown if validation fails on any data prior to sending that data to TPAM for processing. Note that most data validation is done by TPAM itself. In that case, if invalid data is passed to TPAM, ValidationException is not raised. Instead, the result from execution of the command on TPAM will indicate a failure and the result message details the failure reason.
.NET library
The TPAM API .NET library is provided as a Windows® DLL file. It is distributed alongside the TPAM API C++
Library.
The main class of the library is ApiClientWrapper. This class provides the SSH connection to TPAM and methods
to execute all available operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the .NET library.
These classes fall into the categories of business objects, filters, and results.
See .NET examples (C#) for examples of using the .NET library.
Class ApiClientWrapper
Class ApiClientWrapper is used to create the SSH connection to TPAM, and it provides methods to implement the
various operations available in the library.
Methods in ApiClientWrapper will throw an ApplicationException on error. A message describing the failure is
included in the exception.
Table 159. ApiClientWrapper methods
Method
Parameters
Returns
constructor
System::String^ host: IP address of TPAM appliance.
N/A
System:: String^ keyFileName: local path to identity key
file created and downloaded from TPAM.
System:: String^ userName: user name of "API" defined
user in TPAM.
connect (initiate the SSH
connection to TPAM)
None
Void
disconnect (disconnect the SSH
session)
None
Void
setCommandTimeout (sets the time int
out for execution of a command
over SSH)
Void
addAccount
Account^ account
IDResult
System::String^ collectionName
Result
addCollection
System::String^ description
addCollectiom
System::String^ collectionName
Result
AddCollectionParms^parms
addCollectionMember
System::String^ description
System::String^ collectionName
AddCollectionMemberParms^ parms
addGroup
System::String^ groupName
addGroupMember
System::String^ userName
Result
System::String^ description
Result
System::String^ groupName
addGroupMember
System::String^ username
Result
int groupID
TPAM 2.5
Administrator Guide
342
Table 159. ApiClientWrapper methods
Method
Parameters
Returns
addPwdRequest
System::String^ systemName
IDResult
System::String^ accountName
System::String^ forUserName
System::String^ requestNotes
AddPwdRequestParms^ parms
addSessionRequest
System::String^ systemName
IDResult
System::String^ accountName
System::String^f orUserName
System::String^ requestNotes
AddSessionRequestParms^ parms
addSyncPass
System::String^ syncPassName
addSyncPwdSub
System::String^ syncPassName
Result
AddSyncPassParms^ parms
Result
System::String^ systemName
System::String^ AccountName
addSystem
EDMZSystem^ system
IDResult
addUser
User^ user
IDResult
approve
int requestID
Result
System::String^ comment
approveSessionRequest
int requestID
Result
System::String^ comment
cancel
int requestID
Result
System::String^ comment
cancelSessionRequest
int requestID
Result
System::String^ comment
changeUserPassword
System::String^ userName
Result
System::String^ password
checkPassword
System::String^ systemName
Result
System::String^ accountName
clearKnownHosts
System::String^systemName
Result
deleteAccount
System::String^ systemName
Result
deleteSyncPass
System::String^ syncPassName
Result
deleteSystem
System::String^ systemName
Result
deleteUser
System::String^ userName
Result
dropCollection
System::String^ collectionName
Result
dropCollectionMember
System::String^ systemName
Result
System::String^ accountName
System::String^ collectionName
dropGroup
System::String^ groupName
Result
dropGroup
int groupID
Result
dropGroupMember
System::String^ userName
Result
System::String^ groupName
TPAM 2.5
Administrator Guide
343
Table 159. ApiClientWrapper methods (continued)
Method | Parameters | Returns
([Out] below abbreviates [System::Runtime::InteropServices::Out].)
dropGroupMember | System::String^ userName, int groupID | Result
dropSyncPwdSub | System::String^ syncPassName, System::String^ systemName, System::String^ accountName | Result
forceReset | System::String^ systemName, System::String^ accountName | Result
forceResetManual | System::String^ systemName, System::String^ accountName | IDResult
getPwdRequest | int requestID, [Out] PwdRequest^ %request | ListResult
getSessionRequest | int requestID, [Out] SessionRequest^ %sessionRequest | ListResult
grantPermission | System::String^ permName, UserOrGroup userOrGroupChoice (USER or GROUP), System::String^ userOrGroupName, SystemOrCollection systemOrCollectionChoice (SYSTEM or COLLECTION), System::String^ systemOrCollectionName | Result
listAccounts | AccountFilter^ filter, [Out] array<Account^>^% accounts | ListResult
listAcctsForPwdRequest | AcctForPwdRequestFilter^ filter, [Out] array<AccountForPwdRequest^>^% accounts | ListResult
listAcctsforSessionRequest | AcctForSessionRequestFilter^ filter, [Out] array<AccountForSessionRequest^>^% accounts | ListResult
listAssignedPolicies | PolicyFilter^ filter, [Out] array<Policy^>^% policies | ListResult
listCollectionMembership | System::String^ collectionName, System::String^ systemName, int maxRows, [Out] array<CollectionMembership^>^% membership | ListResult
listCollectionMembership | CollectionMembershipFilter^ filter, [Out] array<CollectionMembership^>^% membership | ListResult
listCollections | CollectionFilter^ filter, [Out] array<Collection^>^% collections | ListResult
listDependentSystems | System::String^ systemName, System::String^ accountName, DependentSystemFilter^ filter, [Out] array<DependentSystem^>^% dependentSystems | ListResult
listEgpAccounts | EgpAccountFilter^ filter, [Out] array<EgpAccount^>^% egpAccounts | ListResult
listPermissions, listEgpPermissions | PermissionFilter^ filter, [Out] array<Permission^>^% permissions | ListResult
listGroups | GroupFilter^ filter, [Out] array<Group^>^% groups | ListResult
listGroupMembership | System::String^ groupName, System::String^ userName, int maxRows, [Out] array<GroupMembership^>^% membership | ListResult
listPsmAccounts | PsmAccountFilter^ filter, [Out] array<PsmAccount^>^% psmAccounts | ListResult
listReasonCodes | [Out] array<ReasonCode^>^% reasonCodes | ListResult
listRequest | RequestFilter^ filter, [Out] array<Request^>^% requests | ListResult
listRequestDetails | RequestFilter^ filter, [Out] array<Request^>^% requests | ListResult
listSessionRequest | SessionRequestFilter^ filter, [Out] array<SessionRequest^>^% sessionRequests | ListResult
listSessionRequestDetails | SessionRequestFilter^ filter, [Out] array<SessionRequest^>^% sessionRequests | ListResult
listSynchronizedPassword | [Out] array<SynchronizedPassword^>^% synchronizedPasswords | ListResult
listSyncPwdSubscribers | System::String^ syncPassName, [Out] array<SyncPwdSubscriber^>^% syncPwdSubscribers | ListResult
listSystems | SystemFilter^ filter, [Out] array<EDMZSystem^>^% systems | ListResult
listUsers | UserFilter^ filter, [Out] array<User^>^% users | ListResult
manualPasswordReset | System::String^ passwordID, System::String^ status | Result
reportActivity | System::String^ accountName, [Out] array<Activity^>^% activities | ListResult
retrieve | System::String^ systemName, System::String^ accountName, int timeRequired, System::String^ comment | Result
retrieve (v2.3+) | System::String^ systemName, System::String^ accountName, System::String^ comment, RetrieveParms^ parms | Result
retrieve (v2.3+) | System::String^ systemName, System::String^ accountName, RetrieveParms^ parms | Result
retrieveWithTicket | System::String^ systemName, System::String^ accountName, int timeRequired, System::String^ ticketSystemName, System::String^ ticketNumber, System::String^ comment | Result
setAccessPolicy | System::String^ accessPolicyName, System::String^ action, SetAccessPolicyParms^ parms | Result
sshKey | SshKeyParms^ parms | Result
syncPassForceReset | System::String^ syncPassName | Result
testSystem | System::String^ systemName | Result
unlockUser | System::String^ userName | Result
updateAccount | Account^ account | IDResult
updateAccount | System::String^ systemName, System::String^ accountName, System::String^ newPassword | IDResult
updateAccountTicket | System::String^ systemName, System::String^ accountName, System::String^ ticketSystemName, eDMZ::ParAPI::Flag RequireTicketForRequest, eDMZ::ParAPI::Flag RequireTicketForISA, eDMZ::ParAPI::Flag RequireTicketForCLI, eDMZ::ParAPI::Flag RequireTicketForAPI, System::String^ ticketEmailNotify | IDResult
updateCollection | System::String^ collectionName, UpdateCollectionParms^ parms | Result
updateDependentSystems | System::String^ systemName, System::String^ accountName, UpdateDependentSystemsParms^ parms | Result
updateEgpAccount | System::String^ systemName, System::String^ accountName, UpdateEgpAccountParms^ parms | IDResult
updatePsmAccount | System::String^ systemName, System::String^ accountName, UpdatePsmAccountParms^ parms | IDResult
updateSyncPass | System::String^ syncPassName, UpdateSyncPassParms^ parms | Result
updateSystem | EDMZSystem^ system | IDResult
updateSystemTicket | System::String^ systemName, System::String^ ticketSystemName, eDMZ::ParAPI::Flag RequireTicketForRequest, eDMZ::ParAPI::Flag RequireTicketForISA, eDMZ::ParAPI::Flag RequireTicketForCLI, eDMZ::ParAPI::Flag RequireTicketForAPI, System::String^ ticketEmailNotify | IDResult
updateUser | User^ user | IDResult
userSshKey | UserSshKeyParms^ parms | Result
Business object classes
The business object classes describe the entities in TPAM that can be queried or manipulated in some manner
via the TPAM API.
Table 160. .Net Library: Business object classes
Class | Description
Account | This class contains the attributes of an account.
AcctForPwdRequest | This class contains the attributes of an account that is available for a password request.
AcctforSessionRequest | This class contains the attributes of an account that is available for a session request.
Activity | This class contains the attributes of an entry in the activity report.
Collection | This class contains the attributes of a collection.
CollectionMembership | This class contains the attributes of a collection membership.
DependentSystem | This class contains the attributes of a dependent system.
EDMZSystem | This class contains the attributes of a system.
EgpAccount | This class contains the attributes of an EGP account.
Group | This class contains the attributes of a group.
GroupMembership | This class contains the attributes of a group membership.
Policy | This class contains the attributes of an access policy.
PsmAccount | This class contains the attributes of a PSM account.
PwdRequest | This class contains the attributes of a password request. It is based on the Request class.
ReasonCode | This class contains the attributes of a reason code.
Request | This class contains the attributes common to a password or session request.
SessionRequest | This class contains the attributes of a session request. It is based on the Request class.
SynchronizedPassword | This class contains the attributes of a synchronized password.
SyncPwdSubscriber | This class contains the attributes of a synchronized password subscriber.
User | This class contains the attributes of a user.
Filter classes
The “filter” classes are used to specify selection criteria for data being requested from TPAM.
Table 161. .Net Library: Filter classes
Class | Description
AccountFilter | Provides selection criteria for listAccounts
AcctForPwdRequestFilter | Provides selection criteria for listAcctsForPwdRequest
AcctforSessionRequestFilter | Provides selection criteria for listAcctsforSessionRequest
ActivityFilter | Provides selection criteria for reportActivity
CollectionFilter | Provides selection criteria for listCollections
CollectionMembershipFilter | Provides selection criteria for listCollectionMembership
DependentSystemFilter | Provides selection criteria for listDependentSystems
EgpAccountFilter | Provides selection criteria for listEgpAccounts
GroupFilter | Provides selection criteria for listGroups
PolicyFilter | Provides selection criteria for listAssignedPolicies
PsmAccountFilter | Provides selection criteria for listPsmAccounts
RequestFilter | Provides selection criteria for listRequest and listRequestDetails
SessionRequestFilter | Provides selection criteria for listSessionRequest and listSessionRequestDetails
SystemFilter | Provides selection criteria for listSystems
UserFilter | Provides selection criteria for listUsers
Parms classes
The “parms” classes are used to specify optional parameters for various methods implemented in
ApiClientWrapper.
Table 162. .Net Library: Parms classes
Class | Description
AddCollectionMemberParms | Allows setting of optional parameters for the addCollectionMember method
AddCollectionParms | Allows setting of optional parameters for the addCollection method
AddPwdRequestParms | Allows setting of optional parameters for the addPwdRequest method
AddSessionRequestParms | Allows setting of optional parameters for the addSessionRequest method
AddSyncPassParms | Allows setting of optional parameters for the addSyncPass method
DropCollectionMemberParms | Allows setting of optional parameters for the dropCollectionMember method
RetrieveParms | Allows setting of optional parameters for the retrieve method
SetAccessPolicyParms | Allows setting of optional parameters for the setAccessPolicy method
SshKeyParms | Allows setting of optional parameters for the sshKey method
UpdateCollectionParms | Allows setting of optional parameters for the updateCollection method
UpdateDependentSystemsParms | Allows setting of optional parameters for the updateDependentSystems method
UpdateEgpAccountParms | Allows setting of optional parameters for the updateEgpAccount method
UpdatePsmAccountParms | Allows setting of optional parameters for the updatePsmAccount method
UpdateSyncPassParms | Allows setting of optional parameters for the updateSyncPass method
UserSshKeyParms | Allows setting of optional parameters for the userSshKey method
Results classes
The "result" classes describe the outcome of an operation executed on TPAM. The attribute names below are the ones the .NET examples later in this chapter use (returnCode, message, rowCount).
Table 163. .Net Library: Results classes
Result
  Integer returnCode: zero indicates successful execution of the command, non-zero indicates failure.
  String message: a message returned by TPAM with brief information about the execution of the command. For a successful retrieve the message carries the retrieved password itself (see the retrieve examples below), so treat it as a secret and keep it out of logs.
IDResult
  Integer returnCode and String message: see the Result class.
  Integer ID: on successful command execution, the ID (row number) of the database record that was added or modified.
ListResult
  Integer returnCode and String message: see the Result class.
  Integer rowCount: on successful list operations, the number of entries returned by TPAM.
  Array of objects: an array of "rowCount" elements, each an object of the business object type requested by the operation.
  NOTE: This array is used internally by the API. It simply refers to the data being returned as an OUT parameter of list operations. Applications using the API should use the OUT parameters instead of this array.
PERL library
Documentation for the TPAM API Perl library is available in PERL POD format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.
Java® library
Documentation for the TPAM API Java® library is available in Javadoc format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.
C++ examples
The following examples have minimal error checking for simplicity.
// Added so the example builds stand-alone: <iostream> provides cout/endl. The
// TPAM C++ API headers (ApiClient, the *Command classes, Result/IDResult/
// ListResult and the exception classes) ship with the library and are not
// named in this guide; include them as well.
#include <iostream>
using namespace std;

void addSystem(ApiClient& client)
{
    // Add a dummy system.
    AddSystemCommand asc("testsys", "147.148.149.150", "AS400");
    // Set some attributes of the system being added.
    asc.getSystem().setSystemAutoFl(Flag::FLAG_N);
    asc.getSystem().setDescription("Description for testsys");
    // Execute the operation on TPAM.
    client.sendCommand(asc);
    // Check the outcome of the operation.
    IDResult* idresult = asc.getResult();
    cout << "addSystem: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void addAccount(ApiClient& client)
{
    // Add a dummy account.
    AddAccountCommand aac("testsys", "testacct");
    // Set an attribute of the account being added.
    aac.getAccount().setDescription("Description for testacct");
    // Execute the operation on TPAM.
    client.sendCommand(aac);
    // Check the outcome of the operation.
    IDResult* idresult = aac.getResult();
    cout << "addAccount: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void updateAccount(ApiClient& client)
{
    // Update the account password.
    UpdateAccountCommand uac("testsys", "testacct");
    uac.getAccount().setPassword("a1b2c3d4e5");
    // Execute the operation on TPAM.
    client.sendCommand(uac);
    // Check the outcome of the operation.
    IDResult* idresult = uac.getResult();
    cout << "updateAccount: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void retrieve(ApiClient& client)
{
    // Get the password for testsys/testacct.
    RetrieveCommand rc("testsys", "testacct", 30, "This is my comment");
    // Execute the operation on TPAM.
    client.sendCommand(rc);
    Result* result = rc.getResult();
    if (result->getReturnCode() == 0)
    {
        // The retrieved password is a secret. Printing it is for this
        // demonstration only; never write it to stdout or a log in real code.
        cout << "retrieve: The password is " << rc.getPassword() << endl;
    }
    else
    {
        cout << "Failed retrieving password: " << result->getMessage() << endl;
    }
}

void listAccounts(ApiClient& client)
{
    // List the accounts, but set filters to see only testsys/testacct.
    ListAccountsCommand lac;
    lac.setSystemName("testsys");
    lac.setAccountName("testacct");
    // Execute the operation on TPAM.
    client.sendCommand(lac);
    ListResult* listresult = lac.getResult();
    // Since we set filters for just testsys/testacct,
    // there should be just 1 entry returned.
    if ((listresult->getReturnCode() == 0) &&
        (listresult->getRowCount() == 1))
    {
        cout << "listAccounts: The description for testsys/testacct is "
             << lac.getAccountList().at(0).getDescription() << endl;
    }
    else
    {
        cout << "Unexpected result for listAccounts: "
             << listresult->getMessage() << endl;
    }
}

void listSystems(ApiClient& client)
{
    // We'll list all defined systems.
    ListSystemsCommand lsc;
    // Execute the operation on TPAM.
    client.sendCommand(lsc);
    ListResult* listresult = lsc.getResult();
    if (listresult->getReturnCode() == 0)
    {
        for (int i = 0; i < listresult->getRowCount(); i++)
        {
            cout << "listSystems: System name: "
                 << lsc.getSystemList().at(i).getSystemName() << endl;
        }
    }
}

void deleteAccount(ApiClient& client)
{
    // Delete the account.
    DeleteAccountCommand dac("testsys", "testacct");
    // Execute the operation on TPAM.
    client.sendCommand(dac);
    // Check the outcome of the operation.
    Result* result = dac.getResult();
    cout << "deleteAccount: rc = " << result->getReturnCode()
         << " message = " << result->getMessage() << endl;
}

void deleteSystem(ApiClient& client)
{
    // Delete the system.
    DeleteSystemCommand dsc("testsys");
    // Execute the operation on TPAM.
    client.sendCommand(dsc);
    // Check the outcome of the operation.
    Result* result = dsc.getResult();
    cout << "deleteSystem: rc = " << result->getReturnCode()
         << " message = " << result->getMessage() << endl;
}

void getPwdRequest(ApiClient& client)
{
    // Look up password request number 9.
    GetPwdRequestCommand gprc(9);
    // Execute the operation on TPAM.
    client.sendCommand(gprc);
    ListResult* listresult = gprc.getResult();
    // This operation always returns just 1 entry.
    if ((listresult->getReturnCode() == 0) &&
        (listresult->getRowCount() == 1))
    {
        cout << "getPwdRequest: Status of request "
             << gprc.getPwdRequest().getRequestID()
             << " is "
             << gprc.getPwdRequest().getRequestStatus() << endl;
    }
    else
    {
        cout << "Unexpected result for getPwdRequest: "
             << listresult->getMessage() << endl;
    }
}

int main()
{
    // Appliance address, path to the API user's private key file, API user name.
    ApiClient client("192.168.70.3", "C:/keys/parapiuser.txt", "parapiuser");
    try
    {
        client.connect();
        try
        {
            addSystem(client);
            addAccount(client);
            updateAccount(client);
            retrieve(client);
            listAccounts(client);
            listSystems(client);
            deleteAccount(client);
            deleteSystem(client);
            getPwdRequest(client);
        }
        catch (ValidationException& vex)
        {
            cout << "ValidationException: " << vex.toString() << endl;
        }
        catch (ParseException& pex)
        {
            cout << "ParseException: " << pex.toString() << endl;
        }
        // Call disconnect() on the ApiClient after commands have completed.
        client.disconnect();
    }
    catch (SshException& sshex)
    {
        cout << "SshException: " << sshex.toString() << endl;
    }
    return 0;
}
.NET examples (C#)
The following examples have minimal error checking for simplicity.
// Added so the example builds stand-alone: System provides Console and
// ApplicationException. The namespace of the TPAM .NET library
// (ApiClientWrapper and the business object classes) is not named in this
// guide; add a "using" for it as well.
using System;

class TpamExamples
{
    static void addSystem(ApiClientWrapper client)
    {
        // Add a dummy system.
        EDMZSystem edmzsys = new EDMZSystem();
        edmzsys.systemName = "testsys";
        edmzsys.networkAddress = "147.148.149.150";
        edmzsys.platformName = "AS400";
        edmzsys.systemAutoFl = Flag.N;
        edmzsys.description = "Description of testsys";
        // Execute the operation on TPAM.
        IDResult idresult = client.addSystem(edmzsys);
        // Check the outcome of the operation.
        Console.WriteLine("addSystem: rc = {0}, message = {1}",
            idresult.returnCode, idresult.message);
    }

    static void addAccount(ApiClientWrapper client)
    {
        // Add a dummy account.
        Account account = new Account();
        account.systemName = "testsys";
        account.accountName = "testacct";
        account.description = "Description for testacct";
        // Execute the operation on TPAM.
        IDResult idresult = client.addAccount(account);
        // Check the outcome of the operation.
        Console.WriteLine("addAccount: rc = {0}, message = {1}",
            idresult.returnCode, idresult.message);
    }

    static void updateAccount(ApiClientWrapper client)
    {
        // Update the account password.
        Account account = new Account();
        account.systemName = "testsys";
        account.accountName = "testacct";
        account.password = "a1b2c3d4e5";
        // Execute the operation on TPAM.
        IDResult idresult = client.updateAccount(account);
        // Check the outcome of the operation.
        Console.WriteLine("updateAccount: rc = {0}, message = {1}",
            idresult.returnCode, idresult.message);
    }

    static void retrieve(ApiClientWrapper client)
    {
        Result result = client.retrieve(
            "testsys", "testacct", 30, "This is my comment");
        if (result.returnCode == 0)
        {
            // If returnCode indicates success, the message is the password.
            // It is a secret: printing it is for this demonstration only;
            // never write it to the console or a log in real code.
            Console.WriteLine("retrieve: The password is {0}",
                result.message);
        }
        else
        {
            // If returnCode indicates failure,
            // the message is an actual message.
            Console.WriteLine("Failed retrieving password: {0}",
                result.message);
        }
    }

    static void listAccounts(ApiClientWrapper client)
    {
        // List the accounts, but set filters to see only testsys/testacct.
        AccountFilter af = new AccountFilter();
        af.systemName = "testsys";
        af.accountName = "testacct";
        // Execute the operation on TPAM.
        Account[] accounts = null;
        ListResult lr = client.listAccounts(af, out accounts);
        // Since we set filters for just testsys/testacct,
        // there should be just 1 entry returned.
        if ((lr.returnCode == 0) && (lr.rowCount == 1))
        {
            Console.WriteLine(
                "listAccounts: The description for testsys/testacct is {0}",
                accounts[0].description);
        }
        else
        {
            Console.WriteLine("Unexpected result for listAccounts: {0}",
                lr.message);
        }
    }

    static void listSystems(ApiClientWrapper client)
    {
        // We'll list all defined systems (null filter = no selection criteria).
        EDMZSystem[] systems = null;
        ListResult lr = client.listSystems(null, out systems);
        if (lr.returnCode == 0)
        {
            for (int i = 0; i < lr.rowCount; i++)
            {
                Console.WriteLine("listSystems: System name: {0}",
                    systems[i].systemName);
            }
        }
    }

    static void deleteAccount(ApiClientWrapper client)
    {
        // Delete the account.
        Result result = client.deleteAccount("testsys", "testacct");
        // Check the outcome of the operation.
        Console.WriteLine("deleteAccount: rc = {0}, message = {1}",
            result.returnCode, result.message);
    }

    static void deleteSystem(ApiClientWrapper client)
    {
        // Delete the system.
        Result result = client.deleteSystem("testsys");
        // Check the outcome of the operation.
        Console.WriteLine("deleteSystem: rc = {0}, message = {1}",
            result.returnCode, result.message);
    }

    static void getPwdRequest(ApiClientWrapper client)
    {
        // Look up password request number 9.
        PwdRequest request;
        ListResult lr = client.getPwdRequest(9, out request);
        if (lr.returnCode == 0)
        {
            Console.WriteLine(
                "getPwdRequest: Status of request {0} is {1}",
                request.requestID,
                request.requestStatus);
        }
        else
        {
            Console.WriteLine("Unexpected result for getPwdRequest: {0}",
                lr.message);
        }
    }

    static void Main(string[] args)
    {
        // Appliance address, path to the API user's private key file, API user name.
        ApiClientWrapper client = new ApiClientWrapper(
            "192.168.70.3",
            "C:\\keys\\parapiuser.txt",
            "parapiuser");
        try
        {
            client.connect();
            addSystem(client);
            addAccount(client);
            updateAccount(client);
            retrieve(client);
            listAccounts(client);
            listSystems(client);
            deleteAccount(client);
            deleteSystem(client);
            getPwdRequest(client);
        }
        catch (ApplicationException aex)
        {
            Console.WriteLine("Exception: {0}", aex.Message);
        }
        finally
        {
            // Always release the SSH connection to the appliance.
            client.disconnect();
        }
    }
}
43 Configuration for Capturing Events on Windows® Systems
• Introduction
• General j-Interop requirements
• Summary of common problems
• Firewall related problems
• Explicitly opening DCOM ports
• Dynamically opening DCOM ports
• Remote registry related problems
• Local security policy related problems
• User account control (UAC) related problems
• Registry key related problems
• Operating systems
• Windows® event requirements
Introduction
TPAM provides the ability to capture events during PSM sessions to certain platforms. On DPAs, j-Interop is used to capture events on Windows® systems. Special configuration may be required on a Windows® system for j-Interop to work. In addition to setting up the Windows® system so that j-Interop works correctly, certain Windows® events must be generated so that the event capture code can determine when sessions start and stop.
This chapter describes the configuration that may be necessary to enable event capture on Windows® systems. These are general directions, so the buttons, dialog boxes, and so on discussed here may differ slightly between Windows® operating systems.
General j-Interop requirements
In order for j-Interop to communicate with a remote Windows® system, a number of requirements have to be met:
• The Remote Registry service must be running
• The firewall must not block the j-Interop traffic
• Windows® User Account Control (UAC) must not interfere
• Other permissions must be configured
Which of these steps are needed, and how they are carried out, depends on the version of Windows® you are using.
Summary of common problems
Table 164. Common problems
Operating system | Firewall | Remote registry service | Local security permissions | User account control (UAC) | Registry key permissions
Windows® XP | Action Required | No Changes Needed | Action Required | N/A | No Changes Needed
Windows® Vista | Action Required | Action Required | No Changes Needed | Action Required | No Changes Needed
Windows® 7 | Action Required | Action Required | No Changes Needed | Action Required | Action Required
Windows® Server 2003 | No Changes Needed | No Changes Needed | No Changes Needed | N/A | No Changes Needed
Windows® Server 2008 | Action Required | No Changes Needed | No Changes Needed | Action Required | No Changes Needed
Windows® Server 2008 R2 and later | Action Required | No Changes Needed | No Changes Needed | Action Required | Action Required
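The following PowerShell script is an added example; it is not part of this guide, of TPAM or of j-Interop. It reads, on the target Windows® host, the settings behind each column of Table 164 and reports which ones still need action, so the table can be checked without clicking through the dialogs described in the rest of this chapter. The registry value names it uses (ForceGuest for the sharing and security model, EnableLUA for Admin Approval Mode, LocalAccountTokenFilterPolicy for UAC's remote token filtering) are the documented backing values of those policies, not names from this guide, and the firewall rule names are the English display names of the predefined rules listed under "Explicitly opening DCOM ports". Run it in an elevated PowerShell on the host itself; the firewall check needs Windows® Vista / Server 2008 or later.

```powershell
# Added example, not from the TPAM guide: read-only check of the Table 164
# prerequisites on the local Windows host. Run in an elevated PowerShell.
$results = @()
function Add-Check([string] $Area, [bool] $Ok, [string] $Detail) {
    $status = if ($Ok) { 'OK' } else { 'ACTION REQUIRED' }
    $script:results += New-Object PSObject -Property @{ Area = $Area; Status = $status; Detail = $Detail }
}

# Remote Registry service: must be running; Automatic start keeps it running after a reboot.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$startMode = (Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'").StartMode
Add-Check 'Remote Registry service' ($svc -ne $null -and $svc.Status -eq 'Running') "Status=$($svc.Status); StartMode=$startMode"

# "Network access: Sharing and security model for local accounts" is stored as
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest: 1 = Guest only (breaks
# j-Interop), 0 or absent = Classic.
$forceGuest = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
Add-Check 'Sharing and security model = Classic' ($forceGuest -ne 1) "ForceGuest=$forceGuest"

# "User Account Control: Run all administrators in Admin Approval Mode" is
# EnableLUA (1 = on). With it on, one of the chapter's three UAC workarounds is needed.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty $pol -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
Add-Check 'UAC Admin Approval Mode off' ($enableLua -ne 1) "EnableLUA=$enableLua"

# Built-in Administrator (RID 500) enabled? That account is exempt from UAC's
# remote token filtering, which is why the chapter says only it works.
# LocalAccountTokenFilterPolicy=1 lifts the filtering for other local admins; the
# guide does not mention this value, it is read here only as an explanation.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"
$latfp = (Get-ItemProperty $pol -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
Add-Check 'Built-in Administrator enabled' ($builtin -ne $null -and -not $builtin.Disabled) "Name=$($builtin.Name); Disabled=$($builtin.Disabled); LocalAccountTokenFilterPolicy=$latfp"

# AppID registration of the WBEM Scripting Locator (see "Registry key related problems").
$clsid = '{76A64158-CB41-11D1-8B02-00600806D9B6}'
if (-not (Test-Path 'HKCR:')) { New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null }
$appIdValue = (Get-ItemProperty "HKCR:\CLSID\$clsid" -Name AppID -ErrorAction SilentlyContinue).AppID
$appIdKey = Test-Path "HKCR:\AppID\$clsid"
Add-Check 'WBEM Scripting Locator AppID' (($appIdValue -eq $clsid) -and $appIdKey) "CLSID\AppID=$appIdValue; HKCR\AppID key present=$appIdKey"

# Firewall: the predefined inbound rules for TCP 135/139/445 and UDP 137/138
# must be enabled (Windows Vista / Server 2008 and later; English rule names).
$rules = 'Windows Management Instrumentation (DCOM-In)',
         'File and Printer Sharing (NB-Name-In)',
         'File and Printer Sharing (NB-Datagram-In)',
         'File and Printer Sharing (NB-Session-In)',
         'File and Printer Sharing (SMB-In)'
foreach ($rule in $rules) {
    $enabled = [bool](netsh advfirewall firewall show rule name="$rule" 2>&1 | Select-String -Pattern '^\s*Enabled:\s+Yes' -Quiet)
    Add-Check "Firewall rule: $rule" $enabled $(if ($enabled) { 'enabled' } else { 'missing or disabled' })
}

$results | Format-Table Area, Status, Detail -AutoSize
```

Every line reporting ACTION REQUIRED maps to one of the sections that follow. The script changes nothing; apply the fixes with the procedures in this chapter, then run it again. It does not cover the dynamic DCOM port rule, which has no fixed name to look for.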
Firewall related problems
The firewall of the Windows® system may block j-Interop communication. The following ports have to be reachable:
• TCP 135: general RPC (endpoint mapper) port. When an asynchronous RPC call is made, the service listening on this port tells the client on which port the component servicing its request will be waiting.
• UDP 137: NetBIOS Name Resolution
• UDP 138: NetBIOS Datagram Service
• TCP 139: NetBIOS Session Service
• TCP 445: SMB
• TCP, dynamic port: for asynchronous RPC calls, dllhost.exe on the remote host starts a "server" that deals with the request. The port this server listens on can be dynamic, and is therefore tricky to configure. See the following articles for more details:
  • Service overview and network port requirements for Windows®: http://support.microsoft.com/kb/832017
  • How to configure RPC dynamic port allocation to work with firewalls: http://support.microsoft.com/kb/154596
  • WMI troubleshooting: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394603%28v=vs.85%29.aspx
In order to open the DCOM ports there are two options:
• Explicitly open DCOM ports
• Dynamically open DCOM ports
Explicitly opening DCOM ports
If you want to control which ports DCOM may open, you can limit the port range by using dcomcnfg. This makes it possible to explicitly open ports for DCOM communication. Otherwise the DCOM system will use any free port.
To explicitly open the ports:
1 Start dcomcnfg.
2 Right-click Component Services | Computers | My Computer and select Properties.
3 Click the Default Protocols tab.
4 Select Connection-oriented TCP/IP and click Properties.
5 Click Add... to add one or more ranges of ports. Do not make the range too small; configure at least 20-40 ports for DCOM.
6 Click OK to close all dialog boxes.
7 Reboot for these changes to take effect.
For the first five entries, all Windows® versions already have predefined firewall rules that can be activated:
• TCP 135: Windows® Management Instrumentation (DCOM-In)
• UDP 137: File and Printer Sharing (NB-Name-In)
• UDP 138: File and Printer Sharing (NB-Datagram-In)
• TCP 139: File and Printer Sharing (NB-Session-In)
• TCP 445: File and Printer Sharing (SMB-In)
To allow asynchronous requests (with fixed or dynamic ports) you have to add rules to the firewall configuration manually. This is where most tutorials on the web recommend adding a port-based rule that opens a range of ports. Not all versions of Windows® allow you to define a port range in a firewall rule (only Windows® Server 2008 R2 and newer server OSs and Windows® 7 and newer client OSs support a port range). Without the port range capability, you would have to define numerous individual rules.
You can, however, add ports from the command line. Start a command prompt (cmd) as Administrator; the following command adds a port range by calling the single-port "add portopening" in a FOR loop (inside a batch file, write %%I instead of %I):
FOR /L %I IN (9000,1,9099) DO netsh firewall add portopening TCP %I "DCOM dynamic Port %I"
As a result, the firewall configuration is populated with 100 new entries that all have nearly the same name. Keep the range opened here identical to the range configured in dcomcnfg. Note that "netsh firewall" is the legacy firewall context: from Windows® 7 and Windows® Server 2008 R2 on it is deprecated in favour of "netsh advfirewall firewall", which accepts a port range in a single rule.
Dynamically opening DCOM ports
Alternatively, you can allow a program to open ports. Asynchronous calls are served by a program called dllhost.exe. You can create a program-based rule that allows all ports opened by dllhost.exe or one of its child processes. For this, simply add %SystemRoot%\System32\dllhost.exe as the target program. If you use this method, you do not have to define a port range for DCOM at all. In either case, restrict the rule to the DPA's address where the firewall offers a remote address scope, so that the opened ports are not reachable from every host on the network.
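The two procedures above (enabling the predefined rules, then either reserving a DCOM port range or allowing dllhost.exe) as a single PowerShell script, added here as an example and not taken from this guide or from j-Interop. It targets Windows® Vista / Server 2008 and later, where the firewall is driven with netsh advfirewall rather than the legacy netsh firewall context. The registry values under HKLM\SOFTWARE\Microsoft\Rpc\Internet are the ones the dcomcnfg Default Protocols dialog writes, as described in the Microsoft article on RPC dynamic port allocation referenced above. The port range 9000-9099, the rule names and the -DpaAddress parameter are this example's own choices.

```powershell
# Added example, not from the TPAM guide: the firewall steps above as a script
# for Windows Vista / Server 2008 and later (netsh advfirewall). Run elevated;
# reboot afterwards when the DCOM port range is changed.
param(
    [ValidateSet('PortRange', 'Program')] [string] $Mode = 'Program',
    [int] $FirstPort = 9000,
    [int] $LastPort = 9099,
    [string] $DpaAddress = 'any'   # restrict the new rules to the DPA, e.g. '10.1.2.3'
)

# 1. Enable the predefined inbound rules for TCP 135/139/445 and UDP 137/138
#    (English display names).
$predefined = 'Windows Management Instrumentation (DCOM-In)',
              'File and Printer Sharing (NB-Name-In)',
              'File and Printer Sharing (NB-Datagram-In)',
              'File and Printer Sharing (NB-Session-In)',
              'File and Printer Sharing (SMB-In)'
foreach ($name in $predefined) {
    netsh advfirewall firewall set rule name="$name" new enable=yes | Out-Null
}

if ($Mode -eq 'PortRange') {
    # 2a. Pin DCOM to a fixed port range. These are the values that the dcomcnfg
    #     "Default Protocols" dialog writes (see the Microsoft article on RPC
    #     dynamic port allocation cited above). Takes effect after a reboot.
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
    Set-ItemProperty -Path $rpc -Name Ports -Value ([string[]]@("$FirstPort-$LastPort")) -Type MultiString
    Set-ItemProperty -Path $rpc -Name PortsInternetAvailable -Value 'Y' -Type String
    Set-ItemProperty -Path $rpc -Name UseInternetPorts -Value 'Y' -Type String

    # 3a. One inbound rule for the whole range replaces the 100 single-port
    #     rules of the FOR loop shown above.
    netsh advfirewall firewall add rule name="DCOM ports $FirstPort-$LastPort (TPAM event capture)" `
        dir=in action=allow protocol=TCP localport="$FirstPort-$LastPort" remoteip=$DpaAddress | Out-Null
}
else {
    # 2b. Program rule: whatever port dllhost.exe listens on is allowed, so no
    #     range has to be reserved at all.
    netsh advfirewall firewall add rule name="DCOM dllhost.exe (TPAM event capture)" `
        dir=in action=allow protocol=TCP program="$env:SystemRoot\System32\dllhost.exe" remoteip=$DpaAddress | Out-Null
}

# Show what is now configured.
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^Rule Name:\s+(DCOM|Windows Management Instrumentation|File and Printer Sharing)'
```

Run it elevated, for example .\Configure-DcomFirewall.ps1 -Mode Program -DpaAddress 10.1.2.3, and reboot if -Mode PortRange was used. Passing the DPA's address in -DpaAddress scopes the new DCOM rules to that one peer, which the GUI and FOR-loop procedures above do not do by default; the predefined File and Printer Sharing rules are left with their existing scope because other services may rely on them.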
Remote registry related problems
In order for j-Interop to connect to the remote system, the Remote Registry service has to be running on the remote Windows® system. Usually this service is running on all Windows® systems except Windows® Vista and Windows® 7. If you set the service's startup type to Automatic, it will also start automatically the next time the system boots.
Local security policy related problems
This problem seems to affect only Windows® XP systems. Although the configuration option is present in all Windows® operating systems, only on Windows® XP is it set by default in a way that prevents j-Interop from working correctly.
The security policy Network access: Sharing and security model for local accounts is set by default to Guest only: local users authenticate as Guest. It has to be changed to Classic: local users authenticate as themselves. With Guest only, all remotely logged-in users have only guest permissions on the target system.
User account control (UAC) related problems
Starting with Windows® Vista and Windows® Server 2008, Microsoft introduced User Account Control (UAC). To prevent unwanted modifications, UAC separates the administrator's login from the actual administrative tasks: before an administrative task is performed, the operating system requests permission in a pop-up dialog.
This behavior breaks most of the functionality that j-Interop executes, because in a non-interactive session there is no way to display the pop-up and click a button in it, so the operating system returns a "permission denied" failure. There are a few options to make the connection possible:
• Use the built-in local Administrator account as the functional account (not a domain Admin account; only the built-in one works, and you may have to enable this account first and set a password for it)
• Turn off UAC entirely
• Change the local security policy to disable Admin Approval Mode for administrators
The first option is the narrowest: turning off UAC or Admin Approval Mode weakens protection for every administrator who logs on to that host, not just for the functional account. Prefer the built-in account where it can be used, and manage its password with the same care as any other privileged credential.
Activating the local administrator account
To activate the local admin account:
1 Start lusrmgr.msc.
2 Select Local Users and Groups | Users.
3 Right-click the Administrator account and select Properties.
4 Clear the Account is disabled check box.
5 Save with OK.
6 Right-click the Administrator account again and select Set Password...
7 Confirm the warning.
8 Enter the new password twice.
9 Set/change the password with OK.
Turn off the UAC
To turn off UAC:
1 Refer to Microsoft documentation for how to turn off UAC for the Windows® system.
2 Turn off UAC.
3 Reboot to activate the UAC change.
Disable admin approval mode for administrators
To disable admin approval mode for administrators:
1 Start secpol.msc.
2 Select Security Settings | Local Policies | Security Options.
3 Right-click the list entry User Account Control: Run all administrators in Admin Approval Mode and select Properties.
4 Select Disabled.
5 Confirm with OK.
6 Reboot the machine for the change to take effect.
Registry key related problems
In order to use an OLE/COM component remotely, an AppID key has to be added to that object's registry entry. j-Interop attempts to add the registry entry if it does not already exist. However, starting with Windows® 7 and Windows® Server 2008 R2 the registry key has TrustedInstaller set as owner and only that user has full access, so when j-Interop tries to add the AppID key, Windows® reports an error back to j-Interop.
There are two ways to solve this problem:
• Give the functional account (the j-Interop user) full permissions to the key
• Manually add the AppID to the OLE object's registry entry, thereby doing by hand what j-Interop intends to do automatically
In order for event capture to work, access to the following object is required:
• WBEM Scripting Locator: HKCR/CLSID/{76A64158-CB41-11D1-8B02-00600806D9B6}
More information on this is found in the j-Interop FAQ: http://www.j-interop.org/faq.html#A6
Give functional account full permissions to key
In order to perform the change, you have to do the following for the above key:
1 Execute regedit to start the registry editor.
2 Select the key (using the search helps).
3 Right-click the key and select Permissions...
4 Currently only the owner is allowed to change the permissions, and currently this owner is the TrustedInstaller user. Therefore the ownership has to be changed first. To do so, click Advanced.
5 Click the Owner tab. (In some releases this is not a tab, so find the mechanism used to change the owner.)
6 Select Administrators.
7 Click OK.
8 To make the ownership change effective, you have to commit the changes by clicking OK first and then reopening the Permissions dialog.
9 In the reopened Permissions dialog, add or select the user or group you want to access the system under and select the check box for allowing Full Control.
10 Click OK.
11 Right-click the key a third time and select Permissions...
12 Click Advanced.
13 Select the Owner tab. (In some releases this is not a tab, so find the mechanism used to change the owner.)
14 Enter the following user name (you can't select it from any list): NT Service\TrustedInstaller.
15 Click OK as necessary to exit.
NOTE: After the first session is started, and j-Interop has created these registry entries, it is safe to reset the permissions back to their original values.
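The same ownership and permission change, scripted, as an added example that is not part of the TPAM guide or of j-Interop itself. It follows steps 4 through 15 above for the WBEM Scripting Locator key named in this chapter: take ownership as Administrators, commit that change, grant Full Control to the functional account, and hand ownership back to TrustedInstaller. Assumptions: the script runs in an elevated Windows PowerShell session on the target host, the functional account name is a placeholder to replace, and the two privileges the operations need (SeTakeOwnershipPrivilege to take ownership, SeRestorePrivilege to assign ownership to another principal) are present but disabled in the administrator token, which is why a small helper enables them first.

```powershell
# Added example (not from the TPAM guide): scripted form of the regedit steps above.
# Helper: enable one named privilege in the current process token (present but disabled in an admin token).
Add-Type -Namespace TpamDemo -Name TokenPrivilege -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv { public int Count; public long Luid; public int Attr; }
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv newst, int len, IntPtr prev, IntPtr relen);
// Returns false when the token does not hold the privilege at all (ERROR_NOT_ALL_ASSIGNED).
public static bool Enable(string privilege) {
    IntPtr htok = IntPtr.Zero;
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, ref htok)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    TokPriv tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 0x2;   // SE_PRIVILEGE_ENABLED
    if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
    return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) && Marshal.GetLastWin32Error() == 0;
}
'@

$script:JInteropKey = 'CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}'   # WBEM Scripting Locator (from the guide)

function Grant-JInteropKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $FunctionalAccount,   # placeholder, e.g. 'DOMAIN\svc_tpam' (assumed)
        [string] $SubKey = $script:JInteropKey
    )
    if (-not [TpamDemo.TokenPrivilege]::Enable('SeTakeOwnershipPrivilege')) { throw 'SeTakeOwnershipPrivilege unavailable; run elevated' }
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')   # BUILTIN\Administrators
    $rights = [System.Security.AccessControl.RegistryRights]

    # Steps 4-8: only the owner may edit the DACL, so take ownership first and commit that change on its own.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey, 'ReadWriteSubTree', $rights::TakeOwnership)
    if (-not $key) { throw "Key HKCR\$SubKey not found" }
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($admins)
    $key.SetAccessControl($ownerOnly)   # a fresh RegistrySecurity with only the owner set persists just the owner
    $key.Close()

    # Steps 9-10: reopen the key and add a Full Control ACE (inherited by subkeys) for the functional account.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey, 'ReadWriteSubTree', ($rights::ChangePermissions -bor $rights::ReadPermissions))
    $acl = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($FunctionalAccount, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()
}

function Restore-TrustedInstallerOwner {
    param([string] $SubKey = $script:JInteropKey)
    # Steps 11-15: assigning ownership to a principal other than yourself needs SeRestorePrivilege.
    [void][TpamDemo.TokenPrivilege]::Enable('SeTakeOwnershipPrivilege')
    if (-not [TpamDemo.TokenPrivilege]::Enable('SeRestorePrivilege')) { throw 'SeRestorePrivilege unavailable; run elevated' }
    $ti  = New-Object System.Security.Principal.NTAccount('NT SERVICE', 'TrustedInstaller')
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey, 'ReadWriteSubTree', [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($ti)
    $key.SetAccessControl($ownerOnly)
    $key.Close()
}

# Usage (account name is a placeholder):
Grant-JInteropKeyAccess -FunctionalAccount 'DOMAIN\svc_tpam'
Restore-TrustedInstallerOwner
# Verify: owner should read NT SERVICE\TrustedInstaller and the ACE for the functional account should be listed.
$check = Get-Acl "Registry::HKEY_CLASSES_ROOT\$script:JInteropKey"
$check.Owner
$check.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

The ownership change and the ACE are committed as two separate SetAccessControl calls for the same reason step 8 tells you to click OK and reopen the dialog: the DACL edit is authorized against the owner that is already on the key. As the NOTE above says, once j-Interop has created its entries the Full Control ACE can be removed again with the same pattern ($acl.RemoveAccessRule).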
Manually add the AppID to the OLE object’s registry
To manually add the AppID:
1 Search for the OLE object's registry entry (HKCR/CLSID/{76A64158-CB41-11D1-8B02-00600806D9B6}).
2 Create a new "String Value" in this entry:
• AppID (REG_SZ): Set the Data field to {76A64158-CB41-11D1-8B02-00600806D9B6}
3 After this, add a new key to HKCR/AppID (HKCR/AppID/{76A64158-CB41-11D1-8B02-00600806D9B6}).
4 Inside this new key, add two new String Values:
• (Default) (REG_SZ): (The parentheses are required.) You can set the Data field to a name describing the object or just leave it blank.
• DllSurrogate (REG_SZ): (The Data field can be left blank.)
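Steps 1 through 4 above written as a script with a verification function, as an added example that is not part of the TPAM guide or of j-Interop. It assumes an elevated Windows PowerShell 3.0 or later session on the target host and that the account running it can write under HKCR\CLSID (on Windows 7 / Server 2008 R2 and later that is exactly the permission problem described in the previous section, so run it after those permissions are in place). The description text for the (Default) value is a constructed example; the guide allows any name or a blank.

```powershell
# Added example (not from the TPAM guide): create and verify the AppID entries for the
# WBEM Scripting Locator so that j-Interop does not have to write them itself.
$script:WbemLocatorClsid = '{76A64158-CB41-11D1-8B02-00600806D9B6}'   # from the guide

function Add-JInteropAppId {
    param(
        [string] $Clsid = $script:WbemLocatorClsid,
        [string] $Description = 'WBEM Scripting Locator (DCOM surrogate)'   # constructed; may be blank
    )
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$Clsid"
    if (-not (Test-Path $clsidKey)) { throw "CLSID key $clsidKey not found; WBEM scripting is not registered on this host" }

    # Step 2: AppID (REG_SZ) under the CLSID, pointing at the AppID key created in step 3
    New-ItemProperty -Path $clsidKey -Name 'AppID' -PropertyType String -Value $Clsid -Force | Out-Null

    # Step 3: the HKCR\AppID\{CLSID} key itself (idempotent)
    if (-not (Test-Path $appIdKey)) { New-Item -Path $appIdKey -Force | Out-Null }

    # Step 4: (Default) plus an empty DllSurrogate; an empty DllSurrogate tells DCOM to host the
    # in-process object in the default surrogate (dllhost.exe), which is what remote activation needs.
    Set-ItemProperty -Path $appIdKey -Name '(default)' -Value $Description
    New-ItemProperty -Path $appIdKey -Name 'DllSurrogate' -PropertyType String -Value '' -Force | Out-Null
}

function Test-JInteropAppId {
    param([string] $Clsid = $script:WbemLocatorClsid)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$Clsid"
    $appId     = (Get-ItemProperty -Path $clsidKey -Name 'AppID' -ErrorAction SilentlyContinue).AppID
    $surrogate = Get-ItemProperty -Path $appIdKey -Name 'DllSurrogate' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Clsid           = $Clsid
        AppIdValueSet   = ($appId -eq $Clsid)          # step 2 done and pointing at the right AppID
        AppIdKeyExists  = (Test-Path $appIdKey)        # step 3 done
        DllSurrogateSet = ($null -ne $surrogate)       # step 4 done (value may legitimately be empty)
    }
}

Add-JInteropAppId
Test-JInteropAppId | Format-List
```

All three booleans from Test-JInteropAppId should be True afterwards; a False on AppIdValueSet with the other two True is the symptom of the CLSID key still being writable only by TrustedInstaller.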
Operating systems
The following sections describe changes that may be required for each Windows® operating system to support j-Interop.
Windows® XP
All Microsoft client operating systems starting with Windows® XP SP2 and later were shipped with a firewall. This firewall blocks almost all inbound traffic. See Firewall related problems for more information.
After the firewall is configured on Windows® XP systems, some Local Security Policy settings have to be changed, or j-Interop will not be able to connect. See Local security policy related problems for more information on how to resolve that problem.
Now the system should be accessible.
Windows® Vista
Starting with Windows® Vista, the client operating systems have the Remote Registry service disabled by default. See Remote registry related problems for how to fix this.
As with Windows® XP, the firewall has to be configured. See Firewall related problems for more information.
Also, Windows® Vista introduced User Account Control (UAC). See User account control (UAC) related problems for details.
Now the system should be accessible.
Windows® 7
To make Windows® 7 accessible, the same steps have to be done as with Windows® Vista: configure the firewall, start the Remote Registry service and configure User Account Control (UAC).
There were also some changes to permissions in the registry. These prevent j-Interop from functioning correctly. See Registry key related problems.
Now the system should be accessible.
Windows® Server 2003
It appears that no changes are needed for j-Interop to work with Windows® Server 2003.
Windows® Server 2008
Windows® Server 2008 was the first Microsoft server operating system to be shipped with a firewall, so this has to be configured before you can connect to it. See the chapter Firewall related problems for more information.
It was also the first server product that included User Account Control (UAC), so this interferes too. See the chapter User account control (UAC) related problems for more information.
After resolving the firewall and UAC problems, connections work without any problems.
Windows® Server 2008 R2 and later
Windows® Server 2008 R2 is configured almost identically to Windows® Server 2008, so please follow the firewall and UAC configuration guide of that system.
One difference, however, is how User Account Control is disabled. Instead of a check box, in this case there is a slider. To turn off UAC, drag the slider to the bottom. After rebooting, UAC should be disabled.
The biggest differences are small changes in the permissions of the system's registry. See the chapter on Registry key related problems.
After these changes the connection should work with Windows® Server 2008 R2 and later operating systems.
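The per-version sections above all come down to the same four checks (Remote Registry service, firewall, UAC admin approval mode, registry key ownership). A read-only script that reports them on one host, as an added example that is not part of the TPAM guide or of j-Interop, is below. It assumes an elevated Windows PowerShell 3.0 or later session on a Windows Vista / 7 / Server 2008 or later host with English netsh output; the CLSID is the WBEM Scripting Locator named in this chapter, and EnableLUA is the registry value behind the "Run all administrators in Admin Approval Mode" policy.

```powershell
# Added example (not from the TPAM guide): report the j-Interop prerequisites without changing anything.
function Get-JInteropReadiness {
    param([string] $Clsid = '{76A64158-CB41-11D1-8B02-00600806D9B6}')   # WBEM Scripting Locator (from the guide)

    # 1. Remote Registry service: disabled by default on client systems since Vista
    $svc = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
    $remoteRegistry = if ($svc) { "$($svc.State) (start mode: $($svc.StartMode))" } else { 'service not found' }

    # 2. Windows Firewall state per profile; netsh is present on every release the guide covers
    $fw = netsh advfirewall show allprofiles state |
          Select-String 'Profile Settings|^State' |
          ForEach-Object { ($_.Line -replace '\s+', ' ').Trim() }

    # 3. UAC: EnableLUA = 1 means "Run all administrators in Admin Approval Mode" is enabled
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -ErrorAction SilentlyContinue
    $uac = if ($policy) { [bool]$policy.EnableLUA } else { 'EnableLUA not set' }

    # 4. Ownership of the CLSID key and whether the AppID value j-Interop needs already exists
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $acl   = Get-Acl $clsidKey -ErrorAction SilentlyContinue
    $owner = if ($acl) { $acl.Owner } else { 'key not found' }
    $appId = (Get-ItemProperty $clsidKey -Name AppID -ErrorAction SilentlyContinue).AppID

    [pscustomobject]@{
        RemoteRegistryService   = $remoteRegistry
        FirewallProfiles        = ($fw -join '; ')
        UacAdminApprovalMode    = $uac
        ClsidKeyOwner           = $owner                 # 'NT SERVICE\TrustedInstaller' on Win7 / 2008 R2 and later
        AppIdValuePresent       = ($appId -eq $Clsid)    # True once j-Interop or an administrator has added it
    }
}

Get-JInteropReadiness | Format-List
```

Run it before and after the changes described in this chapter; the fields map one-to-one onto the sections referenced above, so a failed j-Interop connection can be narrowed to the prerequisite that is still missing without reopening each console.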
Windows® event requirements
The event capture code must be able to track the beginning and end of a specific Windows® login session. This is accomplished by monitoring specific Windows® logon and logoff events. Therefore, events indicating successful logon or reconnect and logoff or disconnect must be generated by the Windows® system. The IDs of the specific events required to be generated by the Windows® system, and where to configure generation of the events, are as follows.
Table 165. Windows® XP/Server 2003 events
Operation  | Windows® XP / Server 2003 event ID                                          | Security path policy
Logon      | 528 - A user successfully logged on to a computer.                          | Audit Policy - Audit logon events
Logoff     | 538 - The logoff process was completed for a user.                          | Audit Policy - Audit logon events
Logoff     | 551 - A user initiated the logoff process.                                  | Audit Policy - Audit logon events
Reconnect  | 682 - A user has reconnected to a disconnected terminal server session.     | Audit Policy - Audit logon events
Disconnect | 683 - A user disconnected a terminal server session without logging off.    | Audit Policy - Audit logon events
Table 166. Windows® Vista/Server 2008 and later events
Operation  | Windows® Vista / Server 2008 and later event ID            | Security path policy
Logon      | 4624 - An account was successfully logged on.              | Advanced Audit Policy Configuration - Logon/Logoff - Audit Logon
Logoff     | 4634 - An account was logged off.                          | Advanced Audit Policy Configuration - Logon/Logoff - Audit Logoff
Logoff     | 4647 - User initiated logoff.                              | Advanced Audit Policy Configuration - Logon/Logoff - Audit Logon
Reconnect  | 4778 - A session was reconnected to a Windows® station.    | Advanced Audit Policy Configuration - Logon/Logoff - Audit Other Logon/Logoff events
Disconnect | 4779 - A session was disconnected from a Windows® station. | Advanced Audit Policy Configuration - Logon/Logoff - Audit Other Logon/Logoff events
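A check that the Table 166 events are both configured and actually arriving in the Security log, as an added example that is not part of the TPAM guide. It assumes an elevated Windows PowerShell session on a Windows Vista / Server 2008 or later host with English auditpol output; the XP / Server 2003 events of Table 165 use the legacy audit policy and are not covered. The three auditpol subcategories queried are the ones the table's Security path policy column names (Logon, Logoff, Other Logon/Logoff Events), and the lookback window is a constructed default.

```powershell
# Added example (not from the TPAM guide): verify audit configuration and presence of the
# logon/logoff events TPAM's event capture depends on.
function Get-AuditSubcategoryState {
    param([Parameter(Mandatory)] [string] $Subcategory)
    # auditpol prints the subcategory indented, followed by "Success", "Failure",
    # "Success and Failure" or "No Auditing"; the category line has no indent, so it is skipped.
    $pattern = "^\s+$([regex]::Escape($Subcategory))\s+"
    $line = auditpol /get /subcategory:"$Subcategory" | Where-Object { $_ -match $pattern }
    if (-not $line) { return 'Unknown' }
    return ($line -replace $pattern, '').Trim()
}

function Test-JInteropAuditEvents {
    param([int] $LookbackHours = 24)   # constructed default
    $result = [ordered]@{}

    # Effective audit setting for each subcategory Table 166 refers to
    foreach ($sub in 'Logon', 'Logoff', 'Other Logon/Logoff Events') {
        $state = Get-AuditSubcategoryState -Subcategory $sub
        $result["Audit $sub"] = $state
        if ($state -notmatch 'Success') {
            Write-Warning "Success auditing for '$sub' is off; enable it with: auditpol /set /subcategory:`"$sub`" /success:enable"
        }
    }

    # Count each required event ID in the Security log for the lookback window
    $ids = 4624, 4634, 4647, 4778, 4779
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$LookbackHours) } -ErrorAction SilentlyContinue
    foreach ($id in $ids) {
        $result["Event $id (last $LookbackHours h)"] = @($events | Where-Object { $_.Id -eq $id }).Count
    }
    [pscustomobject]$result
}

Test-JInteropAuditEvents | Format-List
```

A zero count for 4778/4779 is normal on a host where no Remote Desktop session has been reconnected or disconnected in the window; a zero for 4624 with "Success" auditing reported is not, and usually means the policy was set in Local Security Policy but is being overridden by a domain GPO, which auditpol reports as the effective value.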
44 Appliance Specifications
Table 167. Application specifications
Feature/Spec                  | Standard TPAM / Standard DPA / Standard cache                                          | Enterprise TPAM
Processor                     | 1 E5-2400 Intel® Xeon® processor family                                                | 2 E5-2400 Intel® Xeon® processor family
# of Processors               | 1                                                                                      | 2
# of Cores per Processor      | Quad                                                                                   | Quad
L2/L3 Cache                   | 10 MB                                                                                  | 10 MB
Chipset                       | Intel® C600 series                                                                     | Intel® C600 series
DIMMs                         | DDR3 R-DIMMs                                                                           | DDR3 R-DIMMs
RAM                           | 4 GB                                                                                   | 8 GB
HD Bays                       | 4 x 3.5 Hot Plug                                                                       | 4 x 3.5 Hot Plug
HD Types                      | SATA/SAS/SSD                                                                           | SAS add-in controller
Internal HD Controller        | PERC H310 Integrated RAID Controller                                                   | PERC H710P Integrated RAID Controller, 1 GB NV Cache
Disk                          | 2 x 500 GB                                                                             | 4 x 300 GB SAS
Availability                  | ECC Memory, Hot-swap HDD; Redundant PSU, TPM                                           | Hot-swap HDD; Redundant PSU; Memory mirroring, TPM
I/O Slots                     | 1 x PCIe x16                                                                           | 1 x PCIe x16; half height, half length
RAID                          | RAID 1 Mirrored                                                                        | RAID 10
NIC/LOM                       | 2x GbE LOM                                                                             | 2x GbE LOM
DRAC                          | iDRAC7 Enterprise                                                                      | iDRAC7 Enterprise
USB                           | 2 front/2 rear/2 internal                                                              | 2 front/2 rear/2 internal
Power Supplies/Details        | Redundant, 350W, Auto Ranging (100V~240V), ACPI compatible                             | Redundant, 550W, Auto Ranging (100V~240V), ACPI compliant
Fans                          | 3 Non-redundant, non-hot-swappable                                                     | 4 Non-redundant, non-hot-swappable
Chassis                       | 1U rack                                                                                | 1U rack
Dimension (HxWxD)             | 42.8 x 434.0 x 677.3 (mm) (w/o bezel); 1.68 x 17.08 x 26.66 (in)                       | 42.8 x 434.0 x 607 (mm) (w/o ear, w/o bezel); 1.68 x 17.08 x 23.9 (in)
Weight                        | Max: 42.55 lbs (19.3 kg)                                                               | Max: 43.87 lbs (19.9 kg)
Misc.                         | Intrusion switch detects when cover is opened, Hyper-threading (8 threads), 128x20 LCD | Intrusion switch detects when cover is opened, simultaneous multi-threading, status LCD module
Operating Temp                | 10° to 35°C                                                                            | 10° to 35°C
Regulatory Certifications (additional country certification available upon request) | Class A: Australia/N.Z. - AMCA or C-Tick; Canada - SCC, IES; European Union - CE; Germany - TUV; United States - FCC, NRTL | Class A: Australia/N.Z. - AMCA or C-Tick; Canada - SCC, IES; European Union - CE; Germany - TUV; United States - FCC, NRTL
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.
Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
[email protected]
Technical Support Resources
Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
https://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the portal provides direct access to product support engineers through an
online Service Request system.
The site enables you to:
• Create, update, and manage Service Requests (cases)
• View Knowledge Base articles
• Obtain product notifications
• Download software. For trial software, go to Trial Downloads.
• View how-to videos
• Engage in community discussions
• Chat with a support engineer