
Page 1: TPAM Configuration and Administrator Manualusdownloads.quest.com.edgesuite.net/Repository/support.quest.com... · Configuration & System Administrator Manual . Version 2.4 . Quest

Quest One Privileged Account Management Configuration & System Administrator Manual

Version 2.4


CONTENTS

1.0 About this Guide .... 5
1.1 Overview .... 5
2.0 How to Access the TPAM Configuration Application .... 7
3.0 The TPAM Configuration Interface .... 7
4.0 Network Settings .... 8
4.1 View Running Values .... 8
4.2 Modify Network Settings .... 8
4.3 Modify DNS Settings .... 9
4.4 Flush DNS Settings .... 9
4.5 Manage Hosts File .... 9
5.0 Net Tools .... 10
5.1 The Ping Utility .... 10
5.2 The NS Lookup Utility .... 11
5.3 TraceRoute Utility .... 11
5.4 Telnet Test .... 12
5.5 Route Table Management .... 12
6.0 Keys and Certificates .... 14
6.1 Manage Host Keys .... 15
6.2 Multiple SSH Key .... 15
6.3 Web Certificate Request .... 18
6.4 Oracle Trusted Certs .... 19
6.5 Sybase Trusted Root Certs .... 22
6.6 MySQL Trusted Root Certs .... 24
7.0 Resetting the Internal Password (Standalone TPAM) .... 25
8.0 Resetting the Internal Password on the Primary if using HA .... 26
9.0 Allowing Remote Access to the Configuration Interface .... 26
10.0 The TPAM Administration Interface .... 26
11.0 System Administrator Accounts .... 27
11.1 Adding a Sys-Admin Account .... 27
11.2 Time Information Tab .... 29
11.3 Promoting and Demoting UserID’s .... 30
11.4 Managing parmaster and paradmin ID’s .... 31
11.5 Managing CLI Sys-Admin IDs .... 34
12.0 Mail Agent .... 35
12.1 Mail Agent Settings .... 35
12.2 Sent Mail Report .... 36
12.3 Mail Agent Status .... 37
12.4 Mail Agent Log .... 38
12.5 E-mail Notification Configuration .... 38
13.0 Automation Engine .... 40
13.1 Agent Status .... 40
13.2 Auto Agent Settings .... 42
13.3 Scheduling the Check Process .... 43
13.4 Agent Logs .... 43
14.0 Backup .... 44
14.1 Modify Backup Settings .... 44
14.2 Backup History .... 45
14.3 Backup Log .... 45
14.4 Backup Now .... 46
14.5 Manage Online Backups .... 47
15.0 Restoring from a Backup .... 48
15.1 Restore Log .... 50


16.0 Maintenance: Upgrades to TPAM .... 50
16.1 Downloading product patches from the Customer Portal .... 51
16.2 Applying the Patch .... 52
17.0 Logs .... 54
17.1 Sys-Admin Activity Log .... 54
17.2 Security Log .... 55
17.3 Firewall Log .... 56
17.4 Database Log .... 56
17.5 Alerts Log .... 57
18.0 Multiple SSH Keys .... 58
18.1 Adding Keys .... 58
18.2 Deleting Keys .... 60
19.0 System Status/Settings Menu .... 61
19.1 Active Logins .... 61
19.2 Agents .... 61
19.3 Alert Receivers .... 64
19.4 Alert Thresholds .... 68
19.5 Archiving and Transferring Logs .... 68
19.6 Archive Servers .... 69
19.7 Date and Time Configurations .... 71
19.8 Configuring External Authentication .... 73
19.9 Global Settings .... 77
19.10 HA Configuration .... 84
19.11 Invoking the Disaster Recovery Mode .... 87
19.12 Reverting back to the original Primary appliance after a forced or automatic failover .... 88
19.13 TPAM Appliance Status Page .... 90
19.14 Local Authentication Settings .... 90
19.15 Login Banner .... 91
19.16 Message of the Day .... 91
19.17 O/S Patch Status .... 92
19.18 Password Rules .... 93
19.19 Reason Codes .... 95
19.20 Resubmit Batch Reports .... 97
19.21 SysLog Configuration .... 98
19.22 System Status .... 98
19.23 Configuring Ticket Systems .... 99
20.0 Appliance Shutdown / Restart .... 111
21.0 Managing Your Own Account .... 111
Appendix A: Re-Setting TPAM to Default Network Settings .... 114
Appendix B: Command Line Interface for Administrative Access .... 116
Appendix C: Relocating/Readdressing TPAM .... 118
Appendix D: TPAM Appliance Hardware Specifications .... 119


© 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 email: [email protected] Refer to our Web site (www.quest.com) for regional and international office information.

Trademarks

Quest, Quest Software, and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software’s trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered trademarks are property of their respective owners.

Third Party Contributions

Quest One Appliance-Based Privileged Account Management Solutions contain some third party components. Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.


1.0 About this Guide

1.1 Overview

This guide contains information required to install and configure TPAM. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

1.1.1 Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

Element: Convention

(Symbol not reproduced): Wherever this symbol is displayed it means there is new functionality or an entirely new feature being discussed.

Bold Italics Text: Elements that appear in the TPAM interface such as menu options and field names.

Note!: Used to highlight additional information pertinent to the process being described.

Tip!: Used to provide best practice information. A best practice details the recommended course of action for the best result.

Alert!: Important information about features that can affect performance, security or cause potential problems with your appliance.

1.1.2 Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink: www.quest.com/support

Email: [email protected]

You can use SupportLink to create, update, or view support requests.


Before You Begin…

Before beginning the initial configuration of TPAM, take a few minutes to copy and complete the worksheet on this page. The information below will be used in the process of the TPAM setup – and having it pre-organized here will ensure an easy setup.

Note! If you are configuring the High Availability option, make an additional copy of this page and complete one for each device.

1. Have an available workstation or laptop that can be used to access the TPAM via direct crossover connection. Use the Ethernet crossover cable provided with your appliance.

2. Write down the network configuration for the TPAM:

a. TPAM IP Address: _____________________________________

b. TPAM Subnet Mask: _____________________________________

c. TPAM Default Gateway: ____________________________________

d. Primary DNS Server: ________________________________

e. Secondary DNS Server: ______________________________

3. Obtain the password for the parmaster account (this password is included in the documentation supplied with the appliance). _______________________________

Note! If the parmaster password is recorded on this worksheet, it is highly recommended that this page be removed from the manual and securely stored or destroyed after use.

4. SMTP Mail Configuration (optional, but highly recommended)

a. IP Address of the mail server: ____________________________________

b. Email address to be used by TPAM: ________________________________

5. NTP server address (optional): _________________________________________

6. Time Zone (optional, but recommended): __________________________________

7. Allow remote access to /parconfig? ___ Yes ___ No


2.0 How to Access the TPAM Configuration Application

Initially, the TPAM Configuration Application is only accessible from the secured TPAM configuration interface LAN1. To access the configuration interface, connect a workstation directly to the LAN1 interface using a standard crossover cable. Once connected, point the browser to the URL: https://192.168.1.105/parconfig. The account used to authenticate to the TPAM Configuration Application is: parmaster. The password for this account is included in the documentation provided with the TPAM appliance.

Note! It is recommended that the configuration port remain disconnected when not in use.

* To configure remote access please refer to the Dell Remote Access Controller on the Dell Systems Management Tools and Documentation DVD that was shipped with your appliance.

3.0 The TPAM Configuration Interface

The TPAM Configuration interface provides the connection for the initial setup and configuration of the TPAM appliance, as well as an ongoing management interface for accessing logs and other forensic information.

The Configuration Interface is used to set the following parameters for the appliance:

• IP Address
• Subnet Mask
• Default Gateway
• DNS server(s)


4.0 Network Settings

4.1 View Running Values

This displays the current values for the primary network interface for TPAM. This read only view allows the administrator to confirm that the settings are correct.

4.2 Modify Network Settings

This page allows you to modify TPAM’s production network connection.

To reconfigure the IP settings of the TPAM network interface, make the necessary changes and click the button.


Should it become necessary to reset the TPAM network settings back to their default factory settings, see Appendix A of this manual for detailed instructions.

Tip! It is recommended that you create a CLI Admin ID when you are first configuring your TPAM. This will ensure your ability to reset the parmaster or any other admin passwords through the CLI interface. In the event that all administrative passwords are forgotten, the only way to recover is through an RMA of the device or through a CLI Admin ID. See Managing CLI Admin ID’s later in the manual for detailed instructions.

4.3 Modify DNS Settings

Selecting Network Settings Modify DNS Settings from the menu allows a change in the configuration of just the DNS servers without making any changes to the built-in firewall or IP address of the appliance. This is a more desired method when no other network configuration changes are being made.

4.4 Flush DNS Settings

You have the option to immediately flush all cached DNS entries by clicking the button.

4.5 Manage Hosts File

From the parconfig interface, a System Administrator now has more control of the internal host file mappings. This functionality will allow a static entry of a Host Name that is directly linked to an IP Address without the dependency of a DNS server.

To add an entry, enter the Host IP address and the Host Name(s) and click the button at the end of the line. To delete an entry, locate the entry to delete and click the button at the end of the line.


5.0 Net Tools

To assist the TPAM administrator with troubleshooting common network related problems, TPAM contains network tools that are accessible from the configuration interface. In addition, some specialized configurations can be made to add or manage static routes.

5.1 The Ping Utility

Selecting Net Tools Ping from the menu will allow common ICMP echo (ping) requests to be sent from TPAM and present the results. Many of the optional parameters for the ping command are available:


Using the ping utility, connectivity to remote hosts can be verified as well as some determination of latency, etc.

Not every option is allowed for the ping command within TPAM (-t, for example, could greatly harm TPAM's performance and is not allowed). The available command options are listed along with a short description of each. Additional information regarding the ping command is beyond the scope of this manual.

5.2 The NS Lookup Utility

Choosing the Net Tools NSlookup menu option will present the NSlookup utility:

Nslookup is a common TCP/IP tool used to test DNS settings and perform similar information gathering using DNS resolution. The TPAM utility for nslookup will use the DNS server(s) configured to TPAM only. The option to specify a server is not provided.

TPAM administrators can benefit from the ability to use nslookup to resolve hostnames to IP addresses and vice versa. More information regarding the nslookup command is beyond the scope of this manual.

5.3 TraceRoute Utility

The traceroute utility is accessed via Net Tools TraceRoute. This utility is available for examining network routing and connectivity from TPAM to a remote IP address or hostname.


The use of traceroute is often disallowed by firewalls, routers, and other network security infrastructure – but if allowed, it can be a valuable diagnostic tool.

5.4 Telnet Test

The Telnet Test tool allows a test to be performed from the appliance to another system over a specific port. The tool will test the defined port using telnet functionality to verify the port and whether a connection can be made and then immediately closes the connection.

Enter the Network Address, Port, and Timeout for the connection you want to test and click the button. You will see a message on the bottom of the screen displaying your test results.

5.5 Route Table Management

Several tools are available to manage the routing table on TPAM, if the need exists to do so. It is strongly recommended that the routing tools not be used unless absolutely necessary and a network engineer is consulted for the proper routes required. Incorrectly defining a route can cause a communication outage.

5.5.1 Show Routes

Net Tools Show Routes will display the current route table.


5.5.2 Adding a Route

Net Tools Add Route allows a new static route, either temporary or permanent, to be added to the route table and become effective.

Enter the full IP address of the destination host or network, the proper subnet mask, and default gateway for the new static route. If the desire is to make this new route permanent, check the option box marked Check to make this route permanent. Without this option, the route will be removed when the appliance is rebooted.

5.5.3 Deleting a Route

Net Tools Delete Route will allow an existing route to be specified for removal.


To permanently remove the route, enter the IP address of the destination host or network and save the settings.

When making network configuration changes to a high availability pair, it is important to understand how replication takes place between TPAMs. Misconfiguration of the network settings can break the communication between the appliances.

[Figure: HA pair diagram showing the Primary TPAM, the Replica TPAM and a Non-Failover Replica, connected over SSH. Network addresses shown: 192.168.0.145, 192.168.0.147, 192.168.0.149. Firewall addresses shown: 192.168.0.146, 192.168.0.148, 192.168.0.150.]

An HA Pair consists of a Primary TPAM and a Replica TPAM. You also have the option of configuring a non-failover replica.

Replication occurs in one direction only, from the Primary to the Replicas, at intervals specified in the HA Config settings. The role of either Primary or Replicas is “hard coded” into the appliance, and these roles cannot be reversed. The appliances are not interchangeable.

TPAM appliances ship pre-configured to be able to communicate if connected in a lab environment, using RFC-1918 addresses. It is recommended that initial setup of the primary and the replicas take place in such an environment. See the section titled TPAM HA Configuration to complete the HA set up.

6.0 Keys and Certificates


6.1 Manage Host Keys

We have added the Manage Host Keys window for viewing and deleting entries from the known_hosts file. Select a Network Address from the Listing tab and click on the Details tab for more information. If you wish to delete the entry click the button. This can be helpful in troubleshooting connection issues.

6.2 Multiple SSH Key

The SSH Private Key is stored on TPAM, and is used to make secure connections to remote managed systems. The remote systems have the public key of the key pair. Quest Software provides an initial key pair for these connections when TPAM is shipped. It is common (and recommended) that these keys eventually be replaced. This ensures that no one, not even Quest Software, has the private key. You can have up to three SSH Keys active simultaneously. To manage keys go to Keys Manage SSH Keys from the main menu.

To create a new key click the button.

Enter the Key File Name and Start and End Dates for the key.

6.2.1 Start and End Dates

A Start Date and End Date are not required when you add and save a key, but a key saved without them will not be active. If you enter a Start Date and do not enter an End Date, the assumed end date will be 12/31/2037. If you enter an End Date you must enter a Start Date. If you enter dates that would make more than three keys active at the same time, you will receive this message when you try to save the fourth key. You will not be able to save this key until dates are adjusted on the other keys so that only three will be active at one time.

6.2.2 Key Source

You have three options for the Key Source:

• Generate Key Pairs: with this option TPAM will generate the keys for you.

• Enter Private Key: with this option you can paste in your own private key.

• Upload Private Key File: with this option you can use the Browse button to locate your own private key file and then click the button to load it.

When the process of saving the new SSH key is complete, the new public key is available for download to the TPAM managed systems.

6.2.3 Deleting Keys

To delete a key click the button. If deleting a key will give you a gap (i.e., days with no keys) between today and the furthest out end date (or 12/31/2037), the key will not be deleted and you will get the warning message below.

If all days will still be covered after deleting the key with the furthest-out end date, and the new furthest-out end date is earlier than 12/31/2037, you will get this confirmation message:
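The scheduling rules from 6.2.1 and 6.2.3 (at most three active keys, 12/31/2037 assumed when only a Start Date is given, no deletion that leaves a day uncovered) are modelled below as an added example; this is not TPAM's own code, and the key names and dates are constructed.

```python
# Added example, not from the TPAM manual: a model of the SSH key scheduling
# rules in 6.2.1 and 6.2.3.  Key names and dates below are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DEFAULT_END = date(2037, 12, 31)   # assumed End Date when only a Start Date is entered
MAX_ACTIVE = 3                     # at most three keys may be active on any one day


@dataclass
class SshKey:
    name: str
    start: Optional[date] = None
    end: Optional[date] = None

    def window(self) -> Optional[Tuple[date, date]]:
        """Active (start, end) interval, or None for a key saved without a Start Date."""
        if self.start is None:
            if self.end is not None:
                raise ValueError(f"{self.name}: an End Date requires a Start Date")
            return None
        return self.start, self.end or DEFAULT_END


def active_on(keys: List[SshKey], day: date) -> List[str]:
    """Names of the keys whose window contains day."""
    return [k.name for k in keys if (w := k.window()) and w[0] <= day <= w[1]]


def check_add(keys: List[SshKey], new: SshKey) -> Tuple[bool, str]:
    """Saving is refused if any day would have more than MAX_ACTIVE active keys.  The
    count can only rise on a key's start day, so those days are the only ones to test."""
    w = new.window()
    if w is None:
        return True, f"{new.name} saved but not active (no Start Date)"
    candidate = keys + [new]
    for day in sorted({k.window()[0] for k in candidate if k.window()}):
        if w[0] <= day <= w[1]:
            n = len(active_on(candidate, day))
            if n > MAX_ACTIVE:
                return False, f"{n} keys would be active on {day}"
    return True, "ok"


def first_gap(keys: List[SshKey], today: date, horizon: date) -> Optional[date]:
    """First day in [today, horizon] covered by no key, or None when fully covered."""
    cursor = today
    for start, end in sorted(w for k in keys if (w := k.window())):
        if start > cursor:
            break                      # nothing covers the day at cursor
        cursor = max(cursor, end + timedelta(days=1))
        if cursor > horizon:
            return None
    return cursor if cursor <= horizon else None


def check_delete(keys: List[SshKey], name: str, today: date) -> Tuple[bool, str]:
    """Deletion is refused if it leaves a gap between today and the furthest End Date of
    the remaining keys; it needs confirmation when that date moves below DEFAULT_END."""
    victim = next(k for k in keys if k.name == name)
    remaining = [k for k in keys if k.name != name]
    ends = [k.window()[1] for k in remaining if k.window()]
    if not ends:
        return False, "no active key would remain"
    horizon = max(ends)
    gap = first_gap(remaining, today, horizon)
    if gap is not None:
        return False, f"gap starting {gap}"
    vw = victim.window()
    if vw and vw[1] > horizon and horizon < DEFAULT_END:
        return True, f"confirm: coverage now ends {horizon}"
    return True, "ok"


def demo() -> dict:
    """Constructed schedules exercising each rule; returns the (allowed, message) results."""
    shipped = SshKey("quest-shipped", date(2024, 1, 1), date(2025, 6, 30))
    replacement = SshKey("site-2025", date(2025, 1, 1))   # no End Date: 12/31/2037 assumed
    overlap = SshKey("rotation-a", date(2025, 2, 1), date(2026, 1, 1))
    keys = [shipped, replacement, overlap]
    today = date(2025, 3, 1)
    gappy = [shipped, SshKey("b", date(2025, 1, 1), date(2025, 8, 31)),
             SshKey("c", date(2025, 9, 1), date(2026, 12, 31))]
    return {
        "third_key": check_add([shipped, replacement], overlap),
        "fourth_key": check_add(keys, SshKey("rotation-b", date(2025, 3, 1), date(2025, 4, 1))),
        "inactive_key": check_add(keys, SshKey("spare")),
        "delete_long": check_delete(keys, "site-2025", today),
        "delete_overlap": check_delete(keys, "rotation-a", today),
        "delete_gap": check_delete(gappy, "b", today),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```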

6.3 Web Certificate Request

To replace the SSL certificate on TPAM, navigate to Keys Web Certificate Request from the menu. Replacing the certificate is a three-step process: generating a request, downloading and submitting the request file to a certificate authority (CA), and uploading the new certificate to TPAM.

Note! The parconfig interface will maintain the original certificate to ensure there is guaranteed access in the event of a corrupt certificate being loaded. The new certificate issued will only apply to the par and paradmin interface.

Step 1: Complete all required fields of the Certificate Request Form and select the button.

Step 2: Click the button to download the request file generated by TPAM. Use this request file with the CA to obtain a new certificate.

Step 3: Click the button to locate the new certificate file and then click the button. Upload the new certificate provided by the CA into TPAM using the button.

6.4 Oracle Trusted Certs

In order to utilize the secure communication channel from TPAM to Oracle, there is additional configuration that must be performed on TPAM. If you choose to use a tunnel through SSL, these steps are not needed. The steps are:

• Load the Trusted Root Certificate that was used to sign the certificate installed on the Oracle instance.

• Configure the Oracle Managed System in TPAM to use SSL communication.

To install the Trusted Root Certificate, go to the TPAM Configuration interface at https://your_par_address:8443/parconfig or, if connected to the config port of the appliance through a crossover cable, then https://192.168.1.105/parconfig. Select Keys Oracle Trusted Certs from the main menu.

This will bring up the list of certificates loaded into the Oracle Wallet in TPAM. There is a default set of certificates that Oracle pre-installs; these certificates cannot be removed from the wallet on TPAM. This list is shown below:

If you click , the wallet will again be set to this default list. To add an additional root certificate, such as for an internal CA that was used to issue certificates for your Oracle installations, click . Paste the Base64 encoded certificate into the textbox and click .

After clicking you will see the following screen.

You will be shown the new list of trusted certificates. Ensure that the certificate you have just loaded is on the list.

Alert! Please make sure that you are loading the trusted root certificate that was used to sign the certificate installed at the dataserver, not the server’s own certificate. In the snapshot below, taken at the Oracle dataserver, it is the Quest Certificate in the Trusted Certificates list that must be installed on TPAM.

After the certificate(s) has been loaded, you can set up your Oracle managed systems in TPAM to utilize this secure channel for communication. Update or add the Oracle managed system to specify the correct port for the secure channel (Oracle default is 1521) and check the checkbox for Use SSL, as shown below:

After saving the changes, all communication from TPAM to the Oracle system is directed through the secure SSL channel.

6.5 Sybase Trusted Root Certs

In order to utilize the secure communication channel from TPAM to Sybase ASE, there is additional configuration that must be performed on TPAM. If you choose to use a tunnel through SSL, these steps are not needed. The steps are:

• Load the Trusted Root Certificate that was used to sign the certificate installed on the Sybase ASE instance.

• Configure the Sybase managed system in TPAM to use SSL communication.

To install the Trusted Root Certificate, go to the TPAM Configuration interface at https://your_par_address:8443/parconfig or, if connected to the config port of the appliance through a crossover cable, then https://192.168.1.105/parconfig. Select Keys Sybase Trusted Root Certs from the main menu. Paste the Base64 encoded certificate that was used to sign the certificate installed at the Sybase data server into the text box.

Note! If you utilize multiple Trusted Roots for signing certificates used at different Sybase instances in your organization (for example, having some issued from an internal Certificate Authority (CA) and others issued by a commercial CA), this textbox should include ALL of the root certificates used in your Sybase environment. This is accomplished by appending additional certificates (each delimited by -----BEGIN CERTIFICATE----- … -----END CERTIFICATE-----). You can also place comment information in between the certificates to make it easier to identify what is there, as shown in the example below:
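Before pasting a multi-root bundle into that box, it is worth checking that every block decodes and that each one is actually a root (self-signed), which is the point of the Alert in 6.4. The checker below is an added example, not part of the manual or of TPAM; the minimal DER walker and the certificate-shaped test data are constructed here, and the self-signed test is a heuristic this example adds.

```python
# Added example, not from the TPAM manual: split and sanity-check the multi-certificate
# text accepted by the Sybase Trusted Root Certs box (6.5).  Test data is constructed.
import base64
import re
from typing import List, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long form: next (ln & 0x7f) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def issuer_and_subject(der: bytes) -> Tuple[bytes, bytes]:
    """Walk Certificate -> tbsCertificate and return the raw issuer and subject Names."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)     # serialNumber
    _, _, pos = _tlv(tbs, pos)         # signature algorithm
    _, issuer, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)         # validity
    _, subject, _ = _tlv(tbs, pos)
    return issuer, subject


def check_bundle(text: str) -> List[dict]:
    """Split the pasted text into certificates; anything outside BEGIN/END is a comment
    (the manual allows these).  Each entry records whether the block parses and whether
    it is self-signed, which a trusted root is and a server certificate is not."""
    results = []
    for m in PEM_RE.finditer(text):
        entry = {"index": len(results) + 1, "parses": False, "self_signed": None}
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
            if not der or der[0] != 0x30:
                raise ValueError("not a DER SEQUENCE")
            issuer, subject = issuer_and_subject(der)
            entry.update(parses=True, self_signed=(issuer == subject))
        except (ValueError, IndexError) as exc:   # binascii.Error is a ValueError
            entry["error"] = str(exc)
        results.append(entry)
    return results


# --- constructed test data: certificate-shaped DER, not real certificates -------------
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:   # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert_pem(issuer_cn: str, subject_cn: str) -> str:
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (
    "# Internal CA root used for the Sybase instances (constructed)\n"
    + fake_cert_pem("Internal Root CA", "Internal Root CA")
    + "# Mistake: this is the data server's own certificate, not a root\n"
    + fake_cert_pem("Internal Root CA", "sybase1254")
)

if __name__ == "__main__":
    for entry in check_bundle(SAMPLE_BUNDLE):
        print(entry)
```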

Paste the desired list of certificates into the text box and click

You should receive the following response from TPAM.

Next, configure the Sybase managed system in TPAM to use the secure channel to communicate. It is important to ensure that you specify the correct port and to check the checkbox for Use SSL. The example screen below is based on a Sybase initialization file containing the following entry:

[SYBASE1254]
master=NLWNSCK,sybase1254,5000
query=NLWNSCK,sybase1254,5000
master=TCP,sybase1254,5010,ssl
query=TCP,sybase1254,5010,ssl

After saving the changes, click the button to test the connection to the Sybase managed system. You should receive the following results if everything is configured correctly.

6.6 MySQL Trusted Root Certs

In order to utilize the secure communication channel from TPAM to MySQL, there is additional configuration that must be performed in TPAM. If you choose to use a tunnel through SSL, these steps are not needed. The steps are:

• Load the Trusted Root Certificate that was used to sign the certificate installed on the MySQL instance.

• Configure the MySQL Managed System in TPAM to use SSL communication.

To install the Trusted Root Certificate, go to the TPAM Configuration interface at https://your_par_address:8443/parconfig or, if connected to the config port of the appliance through a crossover cable, then https://192.168.1.105/parconfig. Select Keys MySQL Trusted Certs from the main menu.

This will bring up the list of certificates loaded into the MySQL Wallet in TPAM.

7.0 Resetting the Internal Password (Standalone TPAM)

This process will reset the internal password used by the system to run the processes for the TPAM Database, Front End, and Automation Engine. This password is never known by any individuals, only by internal processes.

Alert! Please ensure that you have backed up your TPAM system, and have saved the backup to another location. This process should only be run when TPAM is initially installed, or if you believe the password has been compromised in some way. Quest Software cannot recover or restore this password for you if the process fails. If this process fails, your TPAM system will not function unless restored from a prior backup. This could result in loss of data and unrecoverable passwords for accounts on your managed systems!

To reset the internal password, select Reset Internal Password from the home page menu of the TPAM configuration interface. Click the button to perform the reset.

DO NOT POWER OFF THE SYSTEM WHILE THIS PROCESS RUNS!!

When the process completes, the TPAM system will automatically reboot.

8.0 Resetting the Internal Password on the Primary if using HA

This process will reset the internal password used by the system to run the processes for the TPAM Database, Front End, and Automation Engine. This password is never known by any individuals, only by internal processes.

Alert! Please ensure that you have backed up your TPAM system, and have saved the backup to another location. This process should only be run when TPAM is initially installed, or if you believe the password has been compromised in some way. Quest Software cannot recover or restore this password for you if the process fails. If this process fails, your TPAM system will not function unless restored from a prior backup. This could result in loss of data and unrecoverable passwords for accounts on your managed systems!

• Put the Replica into Primary Mode.

• Put the Primary into Standalone mode to stop replication.

• Change the Internal password on the Primary Server.

• Run a backup on the Primary Server.

• Restore the Replica from the backup created in the step above.

• After the Replica reboots, put the Replica into Test mode and the Primary into Replicating mode. This should be done at the same time from the HA Config page of the Primary. The Primary will send a full backup to the Replica.

• When the full backup has been transported to the Replica, put the Replica back into Replica mode.

9.0 Allowing Remote Access to the Configuration Interface

For troubleshooting purposes we strongly recommend allowing remote access to the configuration interface. This is useful for environments where TPAM will be maintained in a secure, limited access environment and obtaining a crossover connection to the appliance is difficult. Select Remote Access from the configuration menu.

The Remote Configuration Access is enabled by default. When enabled, TPAM will allow access to the /parconfig interface via port 8443 on the network. To access the /parconfig interface from a network location, enter https://[IP address]:8443/parconfig as the URL. To disable remote configuration access, select Disabled from the drop down list and click the button.

10.0 The TPAM Administration Interface

Once the network configuration for TPAM has been completed, the system administrator performs all additional configurations via the TPAM Administration interface. This interface is accessed via web browser, directed to: https://[IP Address]/paradmin. The initial system administrator account is parmaster.

Alert! Best practices indicate the need to change the password for the parmaster account after initial login (although this is not forced). However, once the password has been changed, there is no way to remotely unlock or reset the account if the password is lost. It is highly recommended that before this account is modified, another system administrator account be created. Passwords for these accounts should be well guarded, but also safely stored for emergency use. It may also be advisable to create a CLI system administrator user account and safeguard the authentication key.

11.0 System Administrator Accounts

You can set up System Administrator accounts that have access to the paradmin and parconfig interfaces.

11.1 Adding a Sys-Admin Account

To add a new system administrator account, select Sys-Admin UserIDs Add Sys-Admin from the menu. Enter the information for the user and click the button.

Note! The first time a system administrator logs in they must login to the paradmin interface to reset their password. Then they will be able to login to the parconfig interface.

Note! The UserID may be a maximum of 20 characters in length.

11.1.1 Primary Authentication

You can use primary authentication to authenticate using TPAM (Local) or your Windows Active Directory. The Windows Active Directory Primary UserID must always be in UPN (User Principal Name) format, allowing the use of multiple domains. Ex. [email protected]

In v2.3.765, LDAP and RADIUS were also added as primary authentication methods. Refer to Configuring External Authentication later in the manual for setting up these options.

Alert! If it is necessary to manually force the replica into test or primary mode from replica mode, only System administrators with local primary authentication will be able to authenticate to the parconfig interface of the replica appliance.

11.1.2 Secondary Authentication

Secondary authentication mechanisms supported by TPAM are Safeword, RSA SecurID, LDAP (both Unix and Windows), LDAPS, RADIUS and Windows Active Directory. This option is available at the user level (allowing specific user requirements), rather than as a global configuration. Secondary Authentication does not apply to CLI/API users.

Note! When using LDAP in a Windows environment, the full LDAP UserID string is required. Example: “cn=Elmer J. Fudd, cn=Users,dc=dev,dc=us,dc=quest”

11.2 Time Information Tab

This tab is not enabled for CLI users.

11.2.1 User Local Time Zone Information

The System Administrator has the ability to set the user’s local time zone. The user will also be able to edit their time zone information through the My Info User Details menu option.

If the user is in the same time zone as the appliance and follows the same Daylight Saving Time (DST) rules, the first radio button should be selected. If the user is in a different time zone and/or follows different DST rules and does not want to follow server time, the second radio button should be selected, and the appropriate time zone chosen from the drop down. With this option most dates and times that the user sees in the application or on reports will be converted to their local time. If a date or time still reflects server time it will be noted on the screen.

Example: The TPAM appliance is located in New York, NY on Eastern Time. The user is located in Los Angeles, CA, which is on Pacific Time. If the user chooses to set their time zone to Pacific Time, any requests, approvals, etc. that they make will be shown to them in Pacific Time, and they will have the option to view some reports in their local time zone. If the TPAM Administrator is in the Eastern Time zone the admin will see this user’s transactions stamped with Eastern Time.

Alert! When the user is in Daylight Saving Time (DST) they must remember to check the DST box and uncheck it when it is over. This box does NOT automatically get changed for them.

11.2.2 Day/Time Based System Access

You can limit or restrict the business hours that a user can access TPAM as well as specify the days of the week that they are allowed access. For Time of Day you may enter up to 4 time ranges. Multiple ranges must be separated with a semi-colon. The ranges must be entered using 24-hour times with a hyphen between start and end times. Times may be entered as 7, 700, 7:00, or 07:00 (all representing 7:00 am). For example, “7-12;13:00-18:00;19-23:59” would allow/prohibit logon between 7:00 am – 12 pm, 1:00 pm – 6:00 pm, and 7:00 pm – 11:59 pm.
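The Time of Day string format described above (up to four semicolon-separated 24-hour ranges, with times written as 7, 700, 7:00 or 07:00) is parsed and applied below as an added example; this is not TPAM's code. It assumes that a range does not cross midnight and that both ends of a range are inclusive, as the manual's “19-23:59” suggests.

```python
# Added example, not from the TPAM manual: parse the Time of Day string from 11.2.2
# and decide whether a logon time falls inside it.
from typing import List, Optional, Tuple

MAX_RANGES = 4
EXAMPLE_SPEC = "7-12;13:00-18:00;19-23:59"   # the manual's own example string


def parse_time(token: str) -> int:
    """Accept 7, 700, 7:00 or 07:00 (24-hour) and return minutes since midnight."""
    token = token.strip()
    if ":" in token:
        hours, minutes = token.split(":", 1)
    elif len(token) in (1, 2):          # "7" or "12" means on the hour
        hours, minutes = token, "0"
    elif len(token) in (3, 4):          # "700" or "0700": last two digits are minutes
        hours, minutes = token[:-2], token[-2:]
    else:
        raise ValueError(f"unrecognised time {token!r}")
    if not (hours.isdigit() and minutes.isdigit()):
        raise ValueError(f"unrecognised time {token!r}")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"time out of range {token!r}")
    return h * 60 + m


def parse_ranges(spec: str) -> List[Tuple[int, int]]:
    """Split 'start-end;start-end;...' into up to MAX_RANGES (start, end) minute pairs."""
    parts = [p.strip() for p in spec.split(";") if p.strip()]
    if not parts:
        raise ValueError("no time ranges given")
    if len(parts) > MAX_RANGES:
        raise ValueError(f"{len(parts)} ranges given, maximum is {MAX_RANGES}")
    ranges = []
    for part in parts:
        if part.count("-") != 1:
            raise ValueError(f"range {part!r} must be start-end")
        start, end = (parse_time(t) for t in part.split("-"))
        if end <= start:                 # assumption: ranges do not cross midnight
            raise ValueError(f"range {part!r} ends before it starts")
        ranges.append((start, end))
    return ranges


def validate(spec: str) -> Optional[str]:
    """Return None if spec is acceptable, otherwise the reason it would be rejected."""
    try:
        parse_ranges(spec)
    except ValueError as exc:
        return str(exc)
    return None


def logon_permitted(spec: str, hhmm: str, mode: str = "allow") -> bool:
    """Decide whether a logon at hhmm is permitted.  The same ranges may be applied either
    to allow or to prohibit logon, which is what the manual's 'allow/prohibit' refers to."""
    t = parse_time(hhmm)
    inside = any(start <= t <= end for start, end in parse_ranges(spec))
    return inside if mode == "allow" else not inside


if __name__ == "__main__":
    print(parse_ranges(EXAMPLE_SPEC))
    for when in ("08:15", "12:30", "23:59"):
        print(when, logon_permitted(EXAMPLE_SPEC, when))
```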

11.3 Promoting and Demoting UserIDs

You have the ability to “promote” a TPAM UserID to a System Administrator ID. To promote a user click on Sys-Admin UserIDs Manage Sys-Admin UserIDs. Click the button. Enter the filter criteria for the users you are looking for and click the Listing tab to see a list of eligible IDs. Select the UserID you want to promote and click the Details tab. Click the button to complete the promotion.

To demote a System Administrator ID to a Basic UserID, filter for the user and select the Details tab. Click the button.

Note! You cannot demote a UserID if it does NOT have a role assigned in the par interface; you can only disable or delete it. You cannot promote or demote the paradmin, parmaster, cache users or CLI/API UserIDs.

To modify an existing System Administrator account, select Sys-Admin UserIDs Manage Sys-Admin UserIDs from the menu.

Enter your search criteria on the Filter tab and then click the Listing tab to find the ID you want to modify. Select the ID from the Listing tab and click the Details tab. Make any modifications and click the button.

Alert! If primary and secondary authentication is required for System Administrator IDs and the authentication server is unavailable, the System Administrator will not be able to login to TPAM (even at the /parconfig interface). Therefore, it is recommended to always maintain at least one System Administrator ID that does not require secondary authentication.

11.4 Managing parmaster and paradmin IDs

You have the option to let TPAM manage the parmaster and paradmin IDs, so that anyone wanting to login using these IDs must go through the normal TPAM request and approval process. When the paradmin or parmaster accounts are managed by the local TPAM appliance, you cannot enter or change passwords for these accounts via the Sys-Admin User Management Details tab or the User Management Details tab. Additionally, when a user is logged on as paradmin or parmaster they will not have access to the My Info Change Password menu item. To grant a user approver/requestor permission on the parmaster and paradmin accounts you must go to that user’s permission tab to assign the permissions.

Note! The global approver and requestor groups will not automatically grant a user access to the paradmin and parmaster accounts when they are managed.

11.4.1 parmaster

To have the parmaster account managed by TPAM, create a System Administrator account (see the previous System Administrator Account section). Login to the paradmin interface with this account. Go to the Sys-Admin User Details tab for the parmaster account.

Check the Administer account password with local PPM? checkbox. Click the button. Once this is saved, the parmaster account on the managed system “Local_Appliance_parmaster” will be set with the Enable Password Management? checkbox checked.

Alert! The system will only allow you to activate this feature if the Automation Engine is running and the Change Agent is enabled. Once the user information is saved the password will be scheduled for an immediate reset. Depending on the number of password changes currently queued up this may take some time for the system to process. Any users currently logged in under this User Name will be prompted for the new password once it has been reset.

If you no longer wish to have TPAM manage this account you can disable password management at the account level or go to the Sys-Admin User Management Details tab and uncheck the Administer account password with local PPM? checkbox.

Tip! After turning off the Administer account password with local PPM? checkbox, you will want to manually reset the password to a known value. Otherwise the account will be left set to the last TPAM generated password.

11.4.2 paradmin

To have the paradmin account managed by TPAM, create a TPAM Administrator account (see the TPAM Administrator manual). Login to the par interface with this account. Go to the User ID Details tab for the paradmin account.

Check the Administer account password with local TPAM? checkbox. Click the button. Once this is saved, the paradmin account on the managed system “Local_Appliance_paradmin” will be set with the Enable Password Management? checkbox checked.

Alert! The system will only allow you to activate this feature if the Automation Engine is running and the Change Agent is enabled. Once the user information is saved the password will be scheduled for an immediate reset. Depending on the number of password changes currently queued up this may take some time for the system to process. Any users currently logged in under this User Name will be prompted for the new password once it has been reset.

If you no longer wish to have TPAM manage this account you can disable password management at the account level or go to the Admin User Management Details tab and uncheck the Administer account password with local TPAM? checkbox.

Tip! After turning off the Administer account password with local TPAM? checkbox, you will want to manually reset the password to a known value. Otherwise the account will be left set to the last TPAM generated password.

Note! The “Local_Appliance” systems cannot be deleted, duplicated, or tested. Users cannot add, delete, or move accounts on the “Local_Appliance”. The “Local_Appliance” systems do not count against licensed systems.

11.5 Managing CLI Sys-Admin IDs

A CLI Sys-Admin ID is a special TPAM System Administrator account used to access the TPAM remotely via the CLI (command line interface) of TPAM. CLI System Administrators require separate accounts from interactive TPAM System Administrators. A CLI user cannot login to TPAM interactively using a web browser, and can only execute specific commands supported by the TPAM CLI.

To create a new CLI Sys-Admin ID:

1. Select Sys-Admin User IDs Add Sys-Admin UserID from the menu.

2. Complete the information for the new ID. Select CLI as the value in the User Interface drop down.

3. The source IP address may be restricted for a System Administrator CLI UserID by entering an IP address in the Restricted IP Address field. If an address is specified, this CLI ID may only access TPAM from that address. This adds to the ability to secure and control administrator access to TPAM. More than one IP address may be specified by separating each with a comma, up to a limit of 100 characters for the entire string. The use of wildcards is also permitted to specify a complete network segment, e.g. 10.14.10.*

4. In the CLI Key Passphrase field you can enter an optional passphrase to encrypt the user’s private key. The phrase is case sensitive, up to 128 characters, and does not allow double quotes (“). The phrase is not stored and cannot be retrieved once the key is generated. Remember to give the passphrase to the CLI user along with their private key file. If the CLI User ID and key are going to be used in any type of scripting or automation, be aware that any time a CLI Key with a passphrase is used the passphrase must be entered by the user via the keyboard. Passphrase entry via any type of scripting is not allowed for DSS Keys.

5. Use the button to accept the new ID.

6. Before the new CLI Sys-Admin ID can be used, the authentication key must be downloaded from TPAM. This key must exist on any computer that will use this ID to access TPAM’s command line functions. To download the key click the button. Save the key file to the desired location. The key file can be renamed.

7. Use the button to modify an existing CLI Sys-Admin ID. All information can be modified except the user ID field. If a key has been corrupted or compromised, a new key can be created for the existing user ID by clicking the button. This will also clear the passphrase for the key, and a new one can be entered. Once this has been done, repeat step 6 to download and save the new key.

Note! You cannot “Promote” a TPAM CLI User to a System Administrator. You also cannot grant a CLI System Administrator TPAM system permissions. The UserID “CLI-Admin” is reserved and cannot be used for a CLI Sys-Admin user account.

For more information about the TPAM CLI and its functions, see Appendix B.

12.0 Mail Agent

TPAM utilizes mail (SMTP) to provide notification to Approvers and Requestors, as well as providing error alerting for defined administrators, and general information delivery.

12.1 Mail Agent Settings

This screen allows the System Administrator to define the local SMTP server so that TPAM may send email. This also allows for the definition of the sender and reply to address for TPAM generated email. If the Use MX Lookup? box is checked TPAM will query DNS for the configured SMTP server’s MX record for use in sending mail.

To use the test button, first save the Mail Agent settings and make sure the mail agent is in a “Running” status; you will then be able to enter a Test Email Address and click the button. A test e-mail will be sent to this address on the next cycle of the Mail Agent. This e-mail address is not saved with the configuration; you will need to re-enter it each time you want to test. Check the Agent Log and Sent Mail tab for test results.

12.2 Sent Mail Report

This provides a report of every mail that has been queued for delivery by the mail agent. Enter your report filter criteria on the Filter page and click the Results tab.

12.2.1 Clearing Queued Mail

If the mail log contains a number of queued mail items that need to be removed (i.e. mail generated by an error condition, where letting it be sent would essentially ‘spam’ the network), a mechanism to do this is provided.

Temporarily stop the mail agent to avoid sending the unwanted email. Click the button on the bottom of the Mail Agent Management page. From the menu, select Mail Agent Sent Mail Report. In the filter options, enter or select the appropriate filtering to isolate the unwanted mail items, and select Queued for Delivery as the Mail Status from the drop-down list:

To permanently delete the mail items in the report, click the button. All listed mail items will be marked as ‘Failed’ and will not be sent.

Restart the mail agent by clicking the button.

12.3 Mail Agent Status

The Mail Agent Status is visible on the top right of the Mail Agent, Sent Mail Report, and Mail Agent Log pages. This displays the current status of the mail agent, and gives the administrator the ability to stop or start the mail agent with the and buttons at the bottom of the page.

12.4 Mail Agent Log

The mail agent log provides a detailed report on SMTP activity.

12.5 E-mail Notification Configuration

The subject line and body text of email messages sent by TPAM can be customized. This customization can be the verbiage used in the body of the mail, embedded field information from TPAM (message tags), and even hyperlinks for certain types of mail messages. From the menu, select Mail Agent Email Config.

E-mail notifications that include a date will also reflect the local user’s time zone. For example, on a session request the :Submitted Date: tag reflects the server date, and a new tag, :SubmittedUserDate:, reflects the date relative to the user making the request.

Dates in e-mails will now have additional text of “(GMT+hh:mm)” which will reflect current offset for either the server or user.

Each Email Type allows different Message Body Tags, which will be displayed beneath the message body and may be copied and pasted into the message body as desired. Such options might include the request reason, ticket system and number, or hyperlink for a password request notification.

The Application Page Link field requires the URL address of TPAM and will default to the configured network address of the appliance. It is important to consider whether this URL will be accessible to all recipients of the email. For example, if TPAM has a RFC-1918 non-routable address it will only be accessible within that network (internally). If there is a NAT associated with an internal IP address for TPAM, that NAT address may be substituted. It is best to consult with network engineers when determining the URL address for these links.

Application Page Links are not available for all types of email messages. Typically they will be included with request notifications. This provides a convenient method for an approver to gain direct access to the request detail page for approval. It should also be noted that requestors may receive copies of this email, but will not be able to gain access to the approval page by following the hyperlink because TPAM will verify each user’s authorization before displaying the page.

The subject line may also be customized for each message type, but cannot include message tags. You can use the button for changing an individual e-mail to the default, and the button allows you to restore all the email config settings to the Quest Software defaults after the settings have been modified.

13.0 Automation Engine

The Automation Engine is the heart of TPAM. This portion of the TPAM architecture is where password management on remote systems is configured and scheduled. Logs provide a record of Agent activities and messages of success or failure. The Change Agent and the Test Agent have now been combined into one. You can load balance between the processes running to check passwords, change passwords and change domain accounts.

The domain account change process is when PPM changes the password of an account on a domain controller. PPM will also change the password used by services run by that account on other systems (referred to as dependent systems).

13.1 Agent Status

To view or change the current status of the Automation Agent, select Automation Engine Auto Mgt Agent from the menu. The current status, either Enabled or Disabled, is displayed for all the agents on the Status tab.

13.1.1 Change Process

If Enabled, the Change Agent is continuously running on TPAM looking for accounts that are scheduled for password changes and performing the changes. The Domain Account (DA Change) Agent looks for services that need to have their password changed because they rely on a managed account. The Manual Password Change Agent (Man Pwd Change) must be running to trigger email notifications on expired passwords for manually managed accounts. The Synchronized Password Change (Synch Pass) Agent looks for accounts that are subscribers of a synchronized password that need to be changed.

13.1.2 Check Process

The PPM Check process periodically checks the password on remote managed system accounts and compares it to the password stored in the TPAM database. This provides an automated integrity checking mechanism that ensures that the password that is released for use by PPM is valid on the remote system. The button will load the queue to check all managed passwords.

13.1.3 Stopping and Starting the Check and Change Processes

The Check, Change, DA Change, Man Pwd Change, and Synch Pass Change processes can be stopped or started using the Status tab. To stop a process, click the button next to the specific agent. If the change process is currently busy processing changes, it may take some time for the service to stop.

Alert! When the Change process is stopped, no passwords will be changed on remote managed systems.

To restart a process click the button next to the specific agent.

13.2 Auto Agent Settings

To view or change the current configuration of the Agents, select Automation Engine Auto Mgt Agent from the menu and click the Settings tab.

Configurable options are:

• Max Worker Threads (1-10) – the maximum number of Check, Change, Domain Account Change, Manual Password Change and Synch Password Change processes that can be running at one time.

• Full Load Percentages (must total 100%) – allocates the number of Check, Change, Domain Account Change, Manual Password Change, and Synch Password Change processes based on the number of Max Worker Threads.

• Max Change, Check, DA Change, Man Change and Synch Pass Change Threads – allows you to set upper limits that override the percentage allocation of threads.

• Check Retry Interval – specifies the amount of time before a failed password check will be attempted again.

• Change Retry Interval – specifies the amount of time before a failed password change will be attempted again.

• DA Change Retry Interval – specifies the amount of time before a failed domain account password change will be attempted again.

• Man Change Retry Interval – specifies the amount of time before a Manually managed account will be rechecked and a Scheduled Manual Password email will be resent if the account still requires a manual password reset.

• Sync Pass Change – specifies the amount of time before a failed synchronized password change will be attempted again.

Start Management Agent when system restarts? – if selected the agent will automatically start on reboot (with the exception of replica appliances).
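A worked model of how the settings above interact, added here as an illustration and not taken from the manual or from TPAM itself. The manual fixes the constraints (Max Worker Threads 1-10, Full Load Percentages totalling 100%, per-type maximums overriding the percentage allocation) but not the rounding rule, so largest-remainder rounding and the handling of threads removed by a per-type maximum are assumptions:

```python
"""Model of the Auto Agent Settings in section 13.2.

Added illustration, not TPAM code. The manual gives the constraints (Max Worker
Threads 1-10, Full Load Percentages totalling 100%, per-type maximums overriding
the percentage allocation) but not the rounding rule, so largest-remainder
rounding and the non-redistribution of capped threads are assumptions here.
"""
from dataclasses import dataclass, field
from typing import Dict

# The five process types the Settings tab allocates threads between.
PROCESS_TYPES = ("Check", "Change", "DA Change", "Man Change", "Synch Pass Change")


@dataclass
class AutoAgentSettings:
    max_worker_threads: int
    full_load_percentages: Dict[str, int]
    max_threads: Dict[str, int] = field(default_factory=dict)  # optional per-type caps

    def validate(self) -> None:
        """Reject settings the Settings tab would not accept."""
        if not 1 <= self.max_worker_threads <= 10:
            raise ValueError("Max Worker Threads must be between 1 and 10")
        if set(self.full_load_percentages) != set(PROCESS_TYPES):
            raise ValueError("a Full Load Percentage is needed for every process type")
        if min(self.full_load_percentages.values()) < 0:
            raise ValueError("Full Load Percentages cannot be negative")
        if sum(self.full_load_percentages.values()) != 100:
            raise ValueError("Full Load Percentages must total 100%")
        for name, cap in self.max_threads.items():
            if name not in PROCESS_TYPES or cap < 0:
                raise ValueError(f"invalid Max Threads setting for {name!r}")

    def allocate(self) -> Dict[str, int]:
        """Split Max Worker Threads across the process types.

        1. Each type gets floor(max_worker_threads * percentage / 100).
        2. Leftover threads go to the types with the largest fractional
           remainders (assumed rounding rule; ties keep PROCESS_TYPES order).
        3. A configured per-type maximum caps that type's share; the threads
           it gives up are not reassigned (assumption).
        """
        self.validate()
        total = self.max_worker_threads
        shares: Dict[str, int] = {}
        remainders: Dict[str, float] = {}
        for name in PROCESS_TYPES:
            exact = total * self.full_load_percentages[name] / 100
            shares[name] = int(exact)
            remainders[name] = exact - shares[name]
        leftover = total - sum(shares.values())
        by_remainder = sorted(PROCESS_TYPES, key=lambda n: remainders[n], reverse=True)
        for name in by_remainder[:leftover]:
            shares[name] += 1
        for name, cap in self.max_threads.items():
            shares[name] = min(shares[name], cap)
        return shares


def idle_threads(settings: AutoAgentSettings) -> int:
    """Worker threads left unused once per-type maximums are applied."""
    return settings.max_worker_threads - sum(settings.allocate().values())
```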

13.3 Scheduling the Check Process

To configure the password test settings for the Check Process, select Automation Engine Auto Mgt Agent from the menu. Click the Schedule tab.

13.4 Agent Logs

To view detailed information on any of the Agents select Automation Engine Auto Mgt Agent from the menu and click the Logs Filter tab. Enter your filter criteria on the Filter tab and then click the appropriate Log tab to see the results.

To clear the log history for any of the logs, go to the specific tab and click the button.

14.0 Backup

Given the value of the information assets stored in TPAM and the losses and risk that would result if they were lost, a backup engine is an integral part of TPAM. Backups can be configured to run on automatic schedules and moved securely to offline storage.

14.1 Modify Backup Settings

TPAM allows the System Administrator to schedule automated backups of the repository and offload the encrypted archive. The backup file is always encrypted, so the archive can be maintained in accordance with established backup procedures, without risk of exposing sensitive data.

Alert! We strongly recommend that you schedule full backups of the Primary appliance. Scheduling a full backup will prevent space issues on your Replica Appliance.

14.1.1 Scheduling Backups

To schedule regular backups of TPAM, ensure that the Enabled? option is checked, and select the frequency and start time from the Schedule portion of the backup configuration.

14.1.2 Additional Backup Options

You have the ability to specify a secondary encryption method with a password to secure your backups.

By default, backup files are stored on the TPAM appliance. Optionally, these files can also be sent to external storage, where they can be archived or managed by external processes.

Available archive servers may be selected from the drop-down list. Archive servers must be pre-defined (See “Archive Servers” in this manual) before they will appear in this list.

Alert! It is strongly advised that backups be configured for transfer to an archive server. In the event of disaster recovery, it may be necessary to have a recent backup safely stored offline.

Backup activity results can be sent via email to an address configured under Additional Options. Emails may be sent for all results or only failed results, as selected.

14.2 Backup History

The Backup History shows the detailed information from the backup process.

14.3 Backup Log

The Backup Log shows a running 30-day detailed view of the steps taking place in each backup. The retention period can be changed to more or less than 30 days under System Status/Settings Global Settings; in the table it can be found under Option Name: Backup Log, Category: Retention Period.

14.4 Backup Now

Clicking the button allows an immediate backup job to be submitted. Acknowledgement that the backup job is running will be presented at the bottom center of the page.

14.5 Manage Online Backups

The TPAM Backup utility maintains a predefined number of archives locally on the appliance. The archives are named with a date and time stamp (yyyymmdd_hhmmss) and are displayed in ascending order. The menu allows an administrator to download the encrypted archive using a standard browser interface.

15.0 Restoring from a Backup

In the event of a catastrophic failure of TPAM, a System Administrator can restore an offline backup to a new appliance and have the new system available to production in minutes.

If a ‘cold spare’ appliance is available, the following steps are all that is required to return a spare TPAM appliance to production service:

If you received your appliance after March 25, 2010 please disregard the steps below pertaining to the firewall card.

1. Install the spare appliance in place of the failed appliance (same network connections, keyboard, monitor, etc.)

2. Power on the new TPAM and connect a PC or laptop to the configuration interface. If the firewall and network configuration of the spare were not previously set to match the production appliance, follow the steps in the Quick Start Guide to make these changes. The spare should be configured identically to the failed appliance.

3. Access the TPAM Configuration via the crossover connection. Verify that the build version of the spare is the same as that of the system from which the backup was created. If the version is not the same, follow the product patch process to apply any necessary updates to ensure version integrity.

4. Select Restore Restore Appliance from the parconfig interface.

5. Enter the full path and filename for the backup file, or click the Upload radio button and use the button to navigate to it.

6. Enter the password for the backup if you configured the backup with secondary encryption. If any options have been provided by Quest, enter them in the Options: field – otherwise, it should be left empty.

7. Click the button. Acknowledge the warning that this restore will destroy any existing data on TPAM, or select to abort the restore action.

When the restore process is complete, TPAM will automatically reboot. After the reboot, the new TPAM should be accessible from the network and contain all data from the point of the backup from which it was restored.

Note! Any time the TPAM appliance is shut down for more than 16 hours, a keyboard and monitor must be attached to authenticate the disk encryption. If this is not done, the appliance will never boot.

15.1 Restore Log

To view a log of recent restore histories select Restore View Restore Log from the main menu.

16.0 Maintenance: Upgrades to TPAM

This menu option provides the ability to apply a product patch, the update file provided by Quest Software. Product patches are not always cumulative. This means that some product patches must be applied to the system in order and none can be skipped. The release notes for each product update will list the prerequisite version of TPAM required before the update can be applied to the appliance.

To determine the current version of PPM and PSM choose System Status/Settings System Status. The current software version is listed at the bottom.

It is recommended that a recent backup of TPAM be created and a copy moved off of the appliance prior to following these steps.

16.1 Downloading product patches from the Customer Portal

Product patches are posted on the Quest Software Customer Portal. To access the Customer Portal go to https://hq01.e-dmzsecurity.com/edmzcust. Using the name and initial password provided by Quest, log on to the site. If you click on Downloads from the main menu, you will be presented with the Download Search page.

Here you can find and download all the latest patches that apply to the products you are licensed for. You will be notified via e-mail as new patches are posted that apply to the products your company is using.

Click to download the specific patch you are looking for.

Click on the File Name to download the file and save it where you can then upload it into your appliance. In most cases you will also require a key when uploading the patch onto your appliance. Click the blue link to generate the key required to apply the patch for each specific appliance. The key will appear in the field, from which you can copy and paste it when applying your patch.

Note! Online documentation patches are separate from the software patch. Please make sure you also apply the PAR_X_X_Docs.zip patch to get the latest online documentation.

16.2 Applying the Patch

To apply a product patch, save the zip file and the key to your local hard drive (e.g. c:\temp). Log in to the /paradmin page of TPAM and select Maint Apply a Patch from the menu.

Using the button, select the .zip product patch file. Click the button.

Paste the key string into the Key: field. If any options have been provided by Quest, enter them in the Options: field – otherwise, it should be left empty. When ready, click the button.

To verify the status of the product patch installation, click on the Patch Log tab.

If an error during the upgrade process is detected, or if a reboot of TPAM is required, a special message will be presented in the log. It is recommended that the product Patch Log be reviewed after each upgrade to find these or other messages that might be meaningful or require action.

A message to re-apply the upgrade will look similar to this example:

Some upgrades provided by Quest Software are for the specific purpose of upgrading the underlying OS. These patches will bear the distinctive naming convention beginning with TPAM_OSPATCH. Operating system patches are applied to TPAM using the exact same method as any other product patch. If TPAM is running in the optional HA configuration, these changes need only be applied on the Primary and are replicated automatically to the Replica.

Select Maint View Patch History from the menu or click on the Patch History tab from one of the other Patch screens to view a cumulative history of all updates that have been applied to TPAM. The history will also indicate the UserID that performed the updates and provides a link to view the release notes for that specific update. The Patch History Log is never purged and will always be available for viewing the version history of the appliance.

16.2.1 Updating Time Zones

As a result of user local time zone functionality, OS patches will periodically be posted on the Customer Portal that will update time zones on your appliance. Any users that reside in a now obsolete time zone will be forced to select a new time zone from the User Details page before they can proceed through the application.

17.0 Logs

The Log menu allows the System Administrator to view Sys-Admin Activity, Security, Firewall, Database and Alert Logs. Most logs can be filtered prior to viewing. In addition, all logs can be exported to Microsoft Excel® format.

17.1 Sys-Admin Activity Log

The Sys-Admin activity log allows you to see the activity of all System Administrators. If you are configured for your local time zone, you now have a filter parameter to view the activity in the log in your local time zone.

17.2 Security Log

The Security log will show any events related to login activity. Only failed events will be displayed to conserve resources.

17.3 Firewall Log

The firewall log will display events logged by the firewall component of TPAM. The firewall is configured to log all denied traffic.

17.4 Database Log

The database log shows logged activity from the SQL Server Database.

17.5 Alerts Log

The Alerts Log will display events related to any of the alerts you can subscribe to.

18.0 Multiple SSH Keys

You can have up to three SSH Keys active simultaneously. To manage keys go to Keys Manage SSH Keys from the main menu. You can access these screens from the paradmin or parconfig interface.

18.1 Adding Keys

You will see that TPAM will come with a default key called id_dsa. To create a new key click the button.

Enter the Key File Name and Start and End Dates for the key.

18.1.1 Start and End Dates

When you add and save a key, a Start and End Date are not required, but without them the key will not be active. If you enter a Start Date and do not enter an End Date, the assumed end date will be 12/31/2037. If you enter an End Date you must enter a Start Date. If you enter dates that would make more than three keys active at the same time, you will receive this message when you try to save the fourth key. You will not be able to save this key until dates are adjusted on the other keys so that only three will be active at one time.

18.1.2 Key Source

You have three options for the key source:

Generate Key Pairs: with this option TPAM will generate the keys for you.

Enter Private Key: with this option you can paste in your own private key.

Upload Private Key File: with this option you can use the Browse button to locate your own private key file and then click the button to load it.

When the process of saving the new SSH key is complete, the new public key is available for download to the TPAM managed systems.

18.2 Deleting Keys

To delete a key, click the button. If deleting a key would give you a gap (i.e., days with no keys) between today and the furthest end date (or 12/31/2037), the key will not be deleted and you will get the warning message below.

When deleting a key that will make the last active key expire prior to 12/31/2037 you will get the following pop up message:
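The key-date rules from 18.1.1 and 18.2 expressed as code, added here as an illustration and not TPAM's own logic. The three-active-key limit, the 12/31/2037 default and the no-gap deletion rule come from the text above; the interval checks are an assumption about how those rules are evaluated, and the key names and dates in the walk-through are constructed:

```python
"""Model of the SSH key date rules in sections 18.1.1 and 18.2.

Added illustration, not TPAM code. Rules from the manual: a key without a Start
Date is saved but inactive; a missing End Date defaults to 12/31/2037; an End
Date requires a Start Date; at most three keys may be active on one day; a key
cannot be deleted if that leaves days with no active key between today and the
furthest End Date. The interval logic below is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DEFAULT_END = date(2037, 12, 31)  # assumed End Date when none is entered
MAX_ACTIVE = 3                    # keys that may be active at the same time


@dataclass
class SSHKey:
    name: str
    start: Optional[date] = None
    end: Optional[date] = None

    def effective_end(self) -> date:
        return self.end if self.end is not None else DEFAULT_END

    def dated(self) -> bool:
        """A key saved without a Start Date is never active."""
        return self.start is not None

    def active_on(self, day: date) -> bool:
        return self.dated() and self.start <= day <= self.effective_end()


def validate_dates(key: SSHKey) -> None:
    if key.end is not None and key.start is None:
        raise ValueError(f"{key.name}: an End Date requires a Start Date")
    if key.dated() and key.effective_end() < key.start:
        raise ValueError(f"{key.name}: End Date precedes Start Date")  # assumed check


def add_key(keys: List[SSHKey], new: SSHKey) -> List[SSHKey]:
    """Save a key unless it would make more than MAX_ACTIVE keys active on one day."""
    validate_dates(new)
    if new.dated():
        # Peak overlap always falls on some key's Start Date, so counting the
        # active keys on each Start Date inside the new key's range is enough.
        days = [new.start] + [k.start for k in keys
                              if k.dated() and new.start <= k.start <= new.effective_end()]
        for day in days:
            active = sum(k.active_on(day) for k in keys) + 1
            if active > MAX_ACTIVE:
                raise ValueError(f"{active} keys would be active on {day:%m/%d/%Y}; "
                                 f"adjust dates so only {MAX_ACTIVE} are active at one time")
    return keys + [new]


def delete_key(keys: List[SSHKey], name: str, today: date) -> Tuple[List[SSHKey], bool]:
    """Remove a key unless that leaves a coverage gap between today and the furthest
    End Date. The flag is True when the last key now expires before 12/31/2037."""
    remaining = [k for k in keys if k.name != name]
    if len(remaining) == len(keys):
        raise KeyError(name)
    dated = sorted((k for k in remaining if k.dated()), key=lambda k: k.start)
    horizon = max((k.effective_end() for k in dated), default=DEFAULT_END)
    covered_until = today  # first day not yet shown to have an active key
    for key in dated:
        if key.effective_end() < covered_until:
            continue  # expires before the already-covered range ends
        if key.start > covered_until:
            break  # a day with no active key lies before this key starts
        covered_until = max(covered_until, key.effective_end() + timedelta(days=1))
    if covered_until <= horizon:
        raise ValueError(f"deleting {name} leaves {covered_until:%m/%d/%Y} with no active key")
    return remaining, horizon < DEFAULT_END


def demo(today: date = date(2024, 1, 1)) -> dict:
    """Constructed walk-through (all key names and dates are made up)."""
    keys = add_key([], SSHKey("id_dsa", date(2023, 1, 1), date(2024, 6, 30)))
    keys = add_key(keys, SSHKey("key_2024", date(2024, 6, 1)))  # End Date defaults to 2037
    keys = add_key(keys, SSHKey("key_spare", date(2024, 1, 1), date(2024, 12, 31)))
    keys = add_key(keys, SSHKey("key_undated"))                  # saved but never active
    out = {"saved": [k.name for k in keys]}
    try:  # a fourth key active on 06/15/2024 exceeds the limit of three
        add_key(keys, SSHKey("key_4th", date(2024, 6, 15), date(2024, 6, 20)))
        out["fourth_key_refused"] = False
    except ValueError:
        out["fourth_key_refused"] = True
    keys, warn = delete_key(keys, "key_spare", today)  # coverage still reaches 2037
    out["delete_spare"] = (len(keys), warn)
    try:  # removing id_dsa would leave 01/01/2024 to 05/31/2024 uncovered
        delete_key(keys, "id_dsa", today)
        out["delete_id_dsa_refused"] = False
    except ValueError:
        out["delete_id_dsa_refused"] = True
    keys, warn = delete_key(keys, "key_2024", today)   # last key now expires 06/30/2024
    out["delete_key_2024_warning"] = warn
    return out
```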

19.0 System Status/Settings Menu

19.1 Active Logins

To view all users currently logged in, select System Status /Settings Active Logins from the main menu. To terminate a user’s session in TPAM select the session in the listing and click the button.

19.2 Agents

In v2.4 we consolidated all “Agent” configuration pages under one menu option: System Status/Settings Agents in the paradmin interface.

19.2.1 Daily Maintenance

The Daily Maintenance job combines several backend jobs (batch report start time, purging of old keys, expired passwords, old backups, etc.) into one. You can configure the Daily Maintenance Start Time option. To configure the Daily Maintenance job select Daily Maintenance from the System Status/Settings Agents menu.

Enter the Maintenance Start Time and click the button. To view the logs from the job click on the Processing Log tab, enter your filter criteria, and click on the Results tab.

19.2.2 Integration Agent

The Integration Agent controls AD and Generic Integration and the ability of TPAM to automatically update changes in systems and users that have been configured. To have the Integration Agent automatically restart when TPAM is restarted check the Auto Start check box and click the button. Use the and buttons to turn the agent on and off. The Agent Log tab provides more information for troubleshooting.

19.2.3 Performance Monitoring Agent

The performance monitoring agent runs and pulls the data for the corresponding Performance Monitoring Data Extract that is available in the par interface.

Check the Enable Performance Monitor? box to start the agent and click the button. Enter the Polling Frequency for how often you want to pull the performance statistics. The minimum allowed polling frequency is 5 and the maximum is 300. Enter the Retention Period to set how many days’ worth of data will be saved.

19.2.4 Post-Session Request Processing Agent (PSM Customers Only)

The agent must be “Started” for any post-session profile activities to be triggered once sessions expire. The new agent will process the synchronized password subscribers according to their priority. If any of the prioritized subscribers fail to change, the agent will stop and try again based on the new sync pass change retry interval. If all the prioritized subscribers succeed but some non-prioritized subscribers fail, the agent will schedule the failures to be processed by the regular change agent. All manual subscribers will be scheduled with the regular manual change agent after the prioritized subscribers succeed. For more details on post-session profiles see the relevant section of the Quest One Privileged Account Management Administrators manual. Enter the number of minutes desired between processing runs in the Agent Interval field and click the button. Use the and buttons to turn the agent on and off.

The Agent Log tab provides more information for troubleshooting.

19.3 Alert Receivers

There are over eighty Alerts that you can subscribe to. To add an alert receiver, select System Status /Settings Alerts Receivers.

Click the button.

Enter a Receiver Name and Description. The Receiver Enabled? checkbox will be checked by default. You have the option to go ahead and set up the alert but disable it for future use by unchecking the box.

You have a choice of SNMP or E-Mail for Receiver Type. If you select E-Mail, enter the e-mail address(es) where you want the alerts sent.

If you select SNMP, enter the Network Address, Community String, Port and SNMP Version for the alert. In the Max Retries field enter the number of times that TPAM should attempt to resend the alert to the receiver in case it encounters a problem.

Click the button. To download your MIB file, you must first go to the Alerts tab, subscribe to your Alerts, save them, return to the Details tab and click the button.

A test message may be sent for testing or troubleshooting purposes using the button.

Once you have saved the alert receiver click the Alerts tab.

On the Alerts tab you will see over eighty alerts that you can subscribe to. The description in the Message column describes each alert. Wherever you see %1%, %2% in the message, it represents a variable that will be filled in on the actual message depending on what happened to trigger the alert. The Severity assigned to each of the Alerts will be displayed in the subject line when the alert is sent via e-mail. The alerts are grouped by category, such as Auto Management Engine or Appliance Health and Welfare. To subscribe to all the alerts that fall under a category, select the checkbox to the far left next to the Component Name; this automatically selects all the individual alerts under this component. You can deselect any you so choose or select them all individually. The button will select any boxes you did not have checked, and uncheck all the boxes you did have checked. The and boxes are also available to help you make your subscription choices. Click the button when you are done. You can delete an Alert Receiver by selecting it from the Listing tab or navigating to the Details tab and clicking the button.

19.4 Alert Thresholds

Navigate to System Status /Settings Alerts Thresholds to view and adjust the thresholds used by the alert subscriptions.

To change any of the default values for the thresholds, make the change and click the button.

19.5 Archiving and Transferring Logs

Logs are maintained and stored on TPAM for the duration of the configured retention period. Log data will be purged daily, based upon this configuration. To retain purged log data, select System Status /Settings Archive Logs Settings from the paradmin menu. Unlike backup files, log archives are not encrypted.

• Check the option box Enabled?
• Select the Archive Server from the list of configured archive servers (see “Archive Servers” in this manual).
• Option: All or Failed results can be sent via e-mail to a specified e-mail address.

19.6 Archive Servers

Configuring archive servers provides the ability to specify external storage locations and methods of transport that TPAM may use to archive logs and store offline backup files. These configured archive servers may then be selected as external storage locations within any TPAM configuration that allows offline storage – such as Archive Log Settings and Backups.

From the System Status /Settings menu, select Archive Servers.

Select from the available defined archive servers or click the button to create a new archive server. To modify the configuration of a defined archive server, use the button. Either clicking the button or selecting an existing Server and clicking the Details tab will present the configuration page.


• Server Name – A descriptive name used to identify this server in selection lists in TPAM. This name does not need to be the actual server’s name.
• Network Address – The IP address or FQDN of the server.
• Archive Method – Select from among the three supported transport methods that TPAM may use to send data to this server:
  • FTP – allows the data to be transmitted to any FTP server. Because the backup file is encrypted using AES256, the data contained in the file is not at risk; however, authentication credentials may be exposed on the network. Note that log archives, unlike backup files, are not encrypted (see “Archiving and Transferring Logs”), so over FTP their contents are exposed on the network as well.
  • sFTP using password – allows the data to be transmitted to any SFTP server. In addition to the file encryption protection, the authentication credentials are also protected from network exposure.
  • SCP using DSS key – the most secure transport method, allowing the data to be transmitted via SCP (secure copy) within an encrypted SSH tunnel from TPAM to the archive server. The SCP method uses a public/private key pair for authentication. Supported keys are OpenSSH and SECSH keys. To complete the setup of the archive server for SCP communication, download the required public key using the or button and store the key in the proper location on the archive server. The connection/authentication between TPAM and the SCP archive server can be tested at any time using the button.
• Port – Enter the specific Port number if you don’t want to use the standard
• DSS Key Details – Use these radio buttons to select a System Standard DSS Key or a system specific DSS Key; this only applies if you are using the SCP using DSS Key archive method. With the ability to have multiple active keys, you can select which active key you want from the drop down box and then retrieve the public keys.
• Account Name & Password – Specify the credentials on the remote archive server that will be required for connection and file storage.
• Path to Storage – Enter the full path as required for the storage location on the archive server.
• Description – Any descriptive text is allowed.

If you need to clear the existing host keys for the archive server from the TPAM appliance, click the button.
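The SCP method above leaves the final step, placing the downloaded public key on the archive server, to the administrator. The following is an added example, not part of this manual or the product, for an archive server assumed to run OpenSSH (so the key belongs in the archive account's ~/.ssh/authorized_keys). It checks that the key is a single OpenSSH-format line (a SECSH key must be converted first, for example with ssh-keygen -i), appends it with options that confine the key to file transfer, optionally pins it to the TPAM appliance address, and sets the permissions OpenSSH requires on the directory and file. SAMPLE_KEY and SAMPLE_TPAM_IP are constructed placeholders, not real values.

```python
"""Install TPAM's downloaded SCP public key on an OpenSSH archive server.

Added example, not from the manual or the product. It assumes the archive
server runs OpenSSH, so the "proper location" for the key is the archive
account's ~/.ssh/authorized_keys. The key is appended with options that
confine it to non-interactive file transfer, and the permissions OpenSSH
requires on the directory and file are enforced. SAMPLE_KEY and
SAMPLE_TPAM_IP are constructed placeholders, not real values.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Optional

# One-line OpenSSH public key: key type, base64 blob, optional comment.
# A SECSH (RFC 4716) key downloaded from TPAM must be converted to this form
# first, e.g. with `ssh-keygen -i -f key.pub`.
_OPENSSH_KEY = re.compile(
    r"^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) "
    r"[A-Za-z0-9+/]+=*( .*)?$"
)

# Long-standing authorized_keys options that leave scp/sftp working but deny
# a TTY and agent/port/X11 forwarding for this key.
RESTRICTIONS = "no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding"

SAMPLE_KEY = (  # constructed placeholder, not real key material
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0ConstructedPlaceholderKeyMaterial== tpam-archive"
)
SAMPLE_TPAM_IP = "10.0.0.5"  # constructed placeholder for the appliance address


def parse_openssh_key(text: str) -> str:
    """Return the key line if it is a single well-formed OpenSSH public key."""
    line = text.strip()
    if "\n" in line or not _OPENSSH_KEY.match(line):
        raise ValueError("expected a single-line OpenSSH public key")
    return line


def install_archive_key(key_text: str, ssh_dir: Path,
                        source_ip: Optional[str] = None) -> str:
    """Append the key to ssh_dir/authorized_keys (once) and return the line
    written. `source_ip` is the TPAM appliance address; if given, a from="..."
    option limits the key to connections from that address."""
    key = parse_openssh_key(key_text)
    options = RESTRICTIONS if source_ip is None else f'from="{source_ip}",{RESTRICTIONS}'
    line = f"{options} {key}"

    ssh_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(ssh_dir, stat.S_IRWXU)                # 0700, as OpenSSH expects
    ak_path = ssh_dir / "authorized_keys"
    existing = ak_path.read_text().splitlines() if ak_path.exists() else []

    # Idempotent: match on the key blob so re-running does not add duplicates.
    blob = key.split()[1]
    if not any(blob in entry for entry in existing):
        existing.append(line)
    ak_path.write_text("\n".join(existing) + "\n")
    os.chmod(ak_path, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return line


def demo() -> dict:
    """Run the installer twice against a throwaway directory and report what a
    reviewer would check: entry count, permissions, and the written entry."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / ".ssh"
        first = install_archive_key(SAMPLE_KEY, ssh_dir, SAMPLE_TPAM_IP)
        install_archive_key(SAMPLE_KEY, ssh_dir, SAMPLE_TPAM_IP)  # second run is a no-op
        ak_path = ssh_dir / "authorized_keys"
        return {
            "entries": len(ak_path.read_text().splitlines()),
            "dir_mode": stat.S_IMODE(ssh_dir.stat().st_mode),
            "file_mode": stat.S_IMODE(ak_path.stat().st_mode),
            "line": first,
        }


if __name__ == "__main__":
    print(demo())
```

On a real archive server you would call install_archive_key with the archive account's ~/.ssh directory instead of the temporary one used by demo(); the from= restriction is worth keeping so that the key can only be used from the appliance, and the test button in TPAM then confirms the connection end to end.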

19.7 Date and Time Configurations

19.7.1 Setting the System Date and Time

The TPAM appliance system date and time are configured by selecting Date/Time Configuration System Date from the System Status /Settings menu. Enter the appropriate date and time information in the corresponding fields and click the button. This function will set the date and time on the current appliance only.


19.7.2 Synchronizing the Firewall Date

If you received your appliance after March 25, 2010 please disregard this menu option.

To synchronize the firewall date/time with the system time, select Date/Time Configuration Sync Firewall Date from the System Status /Settings menu.

Press the button to sync the system and firewall time. This should be done any time the system date/time is changed or the firewall card is reset.

To prevent the firewall time from drifting, the firewall time will synchronize with the server time upon reboot and then every 24 hours after that.

19.7.3 Setting the Time Zone

To set the appropriate time zone for the TPAM appliance, select System Status/Settings Date/Time Configuration Timezone.

Select the appropriate time zone from the list of available time zones for the geographic location of the TPAM appliance. Optionally, the clock can be adjusted automatically for daylight savings time changes.

Alert! All date and time configurations are specific to a single appliance. If High Availability is used, all date and time configurations including time zone and NTP settings must additionally be made on the Replica TPAM and must be performed while the replica is in Primary Mode.


19.7.4 Using NTP to Keep TPAM’s Time

TPAM is able to use NTP (network time protocol) to keep the system clock in synchronization with a time server. Select System Status/Settings Date/Time Configuration NTP Config.

Enter the network address of a primary and secondary (optional) NTP server. The address may be either an IP address or FQDN. A valid time server configuration will allow TPAM to make necessary adjustments to the date and time settings automatically.

19.8 Configuring External Authentication

19.8.1 Safeword Configuration

The Safeword option allows TPAM to be configured to pass authentication requests to a Safeword server, using a challenge-response authentication.


To configure the Safeword service on TPAM, select System Status/Settings External Authentication Safeword Config from the menu bar. Knowledge of the required Safeword configurations is required. These configurations will be unique to every organization and should be obtained from the appropriate technical resources.

Configuration settings for Safeword are as follows:

• Server Settings
• Server Address – The IP address of the Safeword server(s)
• Weight – Consult the Safeword server administrator
• Conns – Consult the Safeword server administrator
• Port – The TCP port on which the Safeword server is configured to listen for requests.
• EASSP Version – The version of Safeword software running on the Safeword server.
  • Safeword 5.1.1 and older
  • Safeword 5.1.2 and newer
  • Safeword Plus
  • Premier Access
• Socket Timeout – the amount of time in seconds before an unanswered request will be dropped.
• System Name – Consult the Safeword server administrator
• Agent Name – Consult the Safeword server administrator
• Authentication Timeout – the maximum time (in hours) that an authenticated session can be maintained.

Use the button to accept and enable the configuration.

The option allows the user to clear the existing server verification data files. The next successful login attempt will re-create this data file.

19.8.2 RSA SecurID Configuration

To configure TPAM for SecurID support, select System Status/Settings External Authentication SecurID Config from the menu.

SecurID requires two files to be imported into TPAM (see your SecurID administrator to obtain the correct files): sdconf.rec and sdopts.rec. These files will contain specific information regarding the ACE Server configurations and necessary parameters.


The option will remove all previously configured ACE Server files and references, including node secrets.

Authentication Timeout: Configure the maximum time (in hours) that users may remain logged on to TPAM. When the configured time expires, a user will be required to re-authenticate.

ACE Server configuration: Import the sdopts.rec file by selecting SDOpts.rec from the Import File Type dropdown. Using the button, locate the sdopts.rec file and click . Import the sdopts.rec file by clicking the button. Then, using the button, locate the sdconf.rec file and click . Import the sdconf.rec file by clicking the button.

19.8.3 LDAP Authentication

TPAM supports UNIX or Windows LDAP environments. To configure LDAP, select System Status/Settings External Authentication LDAP Config from the menu. You have the ability to configure more than one LDAP system.


System Name: Enter the server name of the authentication server.
Server Address: Enter the IP address or FQDN of the authentication server.
Timeout: Specify the desired time in hours that a user’s authentication may remain valid. After the timeout period the user must re-authenticate to the authentication server.
Port: Enter the port number.
SSL: Check this box to enable SSL.

19.8.4 Windows Active Directory Authentication

To configure Windows Active Directory authentication, select System Status/Settings External Authentication WinAD Config from the menu. You have the ability to configure more than one Windows Active Directory system.

19.8.5 RADIUS Authentication

To configure RADIUS, select System Status/Settings External Authentication RADIUS Config from the menu. You have the ability to configure more than one RADIUS system.


System Name: Enter the server name of the authentication server.
Server Address: Enter the IP address of the authentication server.
Timeout: Specify the desired time in hours that a user’s authentication may remain valid. After the timeout period the user must re-authenticate to the authentication server.
Port: Enter the port number.
Secret: Enter the shared secret used to authenticate to the RADIUS server.

19.9 Global Settings

Select System Status /Settings Global Settings from the menu. Global settings for TPAM are set and maintained using this screen. This is where retention periods are defined, as well as global construction rules. The number/text displayed in the Setting column represents the value for the Option Name.


The following table provides an explanation of each configurable parameter of the Global Settings:

Account Lockout

Account Lockout Duration

The time (in minutes) that an account will remain locked. Valid entries are 10 - 9999. A setting of 9999 requires an administrator to manually unlock the account. The minimum value of this setting is controlled by the current setting of the Lockout Window.

Account Lockout Threshold

The number of consecutive failures within the lockout window required to lock a user account. Valid entries are 0 - 100.

Account Lockout Window

The duration (in minutes) during which failed logon attempts are counted. Valid entries are 0 - 15. The maximum value of this setting is controlled by the current setting of the lockout duration.
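The three Account Lockout settings interact: the window's ceiling is the duration, and a duration of 9999 means only an administrator can unlock. The following is an added example, not TPAM's own code, that models those semantics so the combined effect of a chosen threshold, window and duration can be checked offline. It assumes that a threshold of 0 disables lockout and that a successful logon clears the failure count; the manual states neither, and the usernames and timestamps are constructed.

```python
"""Account-lockout semantics from the Global Settings table.

Added example, not TPAM's own code. It models Account Lockout Threshold,
Account Lockout Window and Account Lockout Duration as the manual describes
them, with two labelled assumptions: a threshold of 0 disables lockout, and a
successful logon clears outstanding failures. Times are minutes as floats.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MANUAL_UNLOCK = 9999  # duration value meaning "an administrator must unlock"


@dataclass
class LockoutPolicy:
    threshold: int          # consecutive failures within the window (0-100)
    window_minutes: int     # minutes during which failures are counted (0-15)
    duration_minutes: int   # minutes an account stays locked (10-9999)

    def __post_init__(self) -> None:
        # Ranges are those stated in the manual.
        if not 0 <= self.threshold <= 100:
            raise ValueError("Account Lockout Threshold must be 0-100")
        if not 0 <= self.window_minutes <= 15:
            raise ValueError("Account Lockout Window must be 0-15")
        if not 10 <= self.duration_minutes <= 9999:
            raise ValueError("Account Lockout Duration must be 10-9999")
        # The manual says the window's maximum is bounded by the duration (and
        # the duration's minimum by the window): a lock must not expire before
        # the window it was counted over.
        if self.window_minutes > self.duration_minutes:
            raise ValueError("Lockout Window may not exceed Lockout Duration")


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # failure timestamps
    locked_until: Optional[float] = None  # None = unlocked; inf = manual unlock


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed logon at `now`; return True if the account is
        locked afterwards (newly or already)."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        if self.policy.threshold == 0:
            return False  # assumption: a threshold of 0 disables lockout
        # Keep only the failures that fall inside the window ending at `now`.
        st.failures = [t for t in st.failures if now - t <= self.policy.window_minutes]
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            if self.policy.duration_minutes == MANUAL_UNLOCK:
                st.locked_until = float("inf")
            else:
                st.locked_until = now + self.policy.duration_minutes
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Return True if the logon is allowed. Assumption: a successful logon
        while unlocked clears the failure count."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def admin_unlock(self, user: str) -> None:
        """Manual unlock, required when the duration is 9999."""
        self._state(user).locked_until = None


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=3, window_minutes=5, duration_minutes=30))
    for t in (0, 1, 2):  # constructed timestamps, in minutes
        print(t, tracker.record_failure("alice", t))
    print("locked at 20:", tracker.is_locked("alice", 20))
```

Running the simulation against your intended values before changing them in the Global Settings screen shows, for example, that failures spread wider than the window never accumulate, and that a 9999 duration turns every lockout into a help-desk ticket.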

Custom Column Names

Managed Account Custom 1-6

Managed accounts may have up to 6 custom columns defined, each capable of holding up to 50 characters of text. Custom column names are limited to 32 characters. Must consist of only upper or lowercase letters, numbers, spaces, periods, hyphens, and underscores. A custom column name cannot be the same as any other custom column name nor as any other column in the Accounts table. Any data entered while the custom column name is defined will be inaccessible if the custom name is undefined. A custom column name may be “undefined” by simply erasing the value.

Managed System Location Custom1-6

Six custom fields available to track system location information. If configured these appear on the System Details tab and listed as filter options on many filter tabs. Column names are limited to 32 characters, cannot be the same as any other LocationCustom column name nor any existing column in the Systems table. Must consist of only upper or lowercase letters, numbers, spaces, periods, hyphens, and underscores. A custom column name may

be “undefined” by simply erasing the value. Alert! Any data entered while the custom column name is defined will be inaccessible if the custom name is undefined.

Customer Specified

Appliance Identity

Custom field available to name the appliance. This field is used on the new Appliance Usage Batch Report.

System Date Format

System Date

Global Setting that controls the default input and output date and time formats for the entire appliance. Choices are “Month/Day/Year hh:mm AM/PM” or “Day/Month/Year hh:mm24”. Alert! If this setting is changed all users need to refresh their browsers or they may encounter a session timeout error.


Global Groups

Allow Global Groups to be used for permissioning

Allows the Global Groups to be ignored when determining permissions. The default value is No. If this setting has a value of “No”, then Global Groups will not be displayed on the Group Listing and Group Membership assignment tab. For performance reasons, if Global Groups are not used, we recommend that this setting be set at “No”.

Individual Accountability

Allow Account specific override

If “Yes”, then individual accountability can be turned off at the account level, allowing more than one requestor to request this password at the same time or during an overlapping duration. Changing this value to “No” will remove this from all accounts that were enabled in the TPAM interface. The default value is No.

Mobile Device

Allow Password Retrieval

This setting controls whether or not mobile device users of TPAM are permitted to retrieve passwords on their mobile device. Possible values are Yes and No. (1 and 0 in past releases) The default is Yes.

Quick Approve Text

Custom text you can enter that will be displayed as the Password Approval Reason when approving a request from a mobile device. This message will be used if the Approver uses the Quick Approve functionality or does not enter a message when approving a request.

Quick Deny Text

Custom text you can enter that will be displayed as the Password Denial Reason when denying a request from a mobile device. This message will be used if the Approver uses the Quick Deny functionality or does not enter a message when denying a request.

Quick Expire Text

Custom text you can enter that will be displayed as the Password Cancellation/Expiration Reason when canceling/expiring a request from a mobile device. This message will be used if the Requestor uses the Quick Expire functionality or does not enter a message when expiring a request.

Quick Submit Text

Custom text you can enter that will be displayed as the Password Request Reason when submitting a request from a mobile device. This message will be used if the Requestor uses the Quick Submit functionality or does not enter a message when submitting a request.

Old Password Retention

Failed Password Days

Specifies the number of days that TPAM will retain failed passwords. Valid entries are 1 – 90. The default is 15.

Minimum Retention Days 1

Specifies the least number of days that TPAM will store old passwords. Valid entries are 1 – 360. The default is 30.


Past Passwords

The number of previous passwords that TPAM will store for a managed system. Valid entries are 1 – 30. The default is 5.

Purge Password Batch Size

In order to minimize the performance impact for other interactive users this setting will control the number of passwords deleted in each transaction during the Purge Password portion of the Daily Maintenance process. Valid entries are 5-100. The default is 10.

Online Backups

Online Backups

The number of TPAM backups that will be stored locally. Valid entries are 1 – 10. The default is 5.

Password Construction

Minimum Password Age

Specifies the minimum time between password changes (in days). Valid entries are 0 – 14. The default is 0.

Maximum Password Age

Specifies the maximum time between password changes (in days). Valid entries are 0 – 180. The default is 42.

Password History 1

Number of old passwords stored by TPAM for user accounts. Stored passwords may not be reused, and are replaced on a first-in first-out basis. Valid entries are 0 – 24. The default is 5.

PSM Session (PSM Customers Only)

Max Session Duration (Hours)

The allowed duration (in hours) for a PSM Session. A job will run every 10 minutes that will terminate any sessions that are exceeding this threshold. A value of 0 will allow sessions to run with no time limit. The default value is 0. Max value is 168.

Request Reasons

Detailed Reason Text for ISA Release

This setting controls whether or not ISAs are required to enter a detailed reason when retrieving a password or file. Possible values are Required, Not Allowed and Optional. The default value is Required.

Alert! Setting this to Not Allowed or Optional and setting Reason Code for ISA Release to Not Allowed or Optional will allow ISA’s to retrieve passwords and files without entering a reason.

Detailed Reason Text for Release

This setting controls whether a detailed request reason is required for any password, file or session request Possible values are Required, Not Allowed and Optional. The default value is

Required. Alert! Setting this to Not Allowed or Optional and setting Reason Code for Release to Not Allowed or Optional will allow requestors to request passwords, files and sessions without entering a reason.


Reason Code for ISA Release

This setting controls whether or not ISAs are required to enter a reason code when they retrieve a password or file. Possible values are Required, Not Allowed and Optional. The default value is Optional.

Reason Code for Request

This setting controls whether or not requestors are required to enter a reason code when they request a password, file or session. Possible values are Required, Not Allowed and Optional. The default value is Optional.

Retention Periods

Activity Log

The number of days that TPAM will store log entries for TPAM activity events. Valid entries are 30 – 365. The default is 90.

Alerts Log

The number of days that TPAM will store system generated alerts. Valid entries are 1-30. The default is 30.

Auto Integration Agent Log

The number of days that TPAM will store the Active Directory/ Generic Integration Agent activity. Valid entries are 1-30. The default is 30.

Backup Log

The number of days that TPAM will store backup activity logs. Valid entries are 10 – 365. The default is 30.

Batch Import-Update History (0 = Never Delete)

The number of days to retain Batch Import/Update history results, based on the date the batch was submitted, not completed, or canceled. A value of 0 means the results will never be deleted. 0 is the default.

Data Extract Log

The number of days that TPAM will store logs of data extract history. Valid entries are 1-90. The default is 30.

DPA Server Activity Log

The number of days that TPAM will store DPA Server activity. Valid entries are 1-30. The default is 30.

File Release Log

The number of days that TPAM will store file release activity logs. Valid entries are 30 – 365. The default is 90.

File Release Request

The number of days file release requests will be retained before archival. Valid entries are 1-365. The default is 90.

Firewall Log

The number of days that TPAM will store firewall activity logs. Valid entries are 1 – 90. The default is 30.

High-Availability Primary Log

The number of days that HA Primary logs will be stored. Valid entries are 1 - 30. The default is 5.


High-Availability Replica Log

The number of days that HA Replica logs will be stored. Valid entries are 1 - 30. The default is 5.

ISA Release Log

The number of days that TPAM will store ISA password release activity logs. Valid entries are 30-365. The default value is 90.

Mail Agent Log

The number of days that TPAM will store log entries for mail agent activity. Valid entries are 1 – 365. The default is 10.

Online Batch Reports

The number of days that TPAM will store logs of scheduled batch job activity. Valid entries are 1 – 180. The default is 30.

Password Change Activity Detail

The number of days that TPAM will store detailed password change logs. Valid entries are 10 – 90. The default is 30.

Password Change Log

The number of days that TPAM will store password change activity logs. Valid entries are 30 – 365. The default is 90.

Password Release Log

The number of days that TPAM will store password release activity logs. Valid entries are 30 – 365. The default is 90.

Password Test Activity Detail

The number of days that TPAM will store detailed password test logs. Valid entries are 10 – 90. The default is 30.

Password Test Results

The number of days that success/failure results for automated password tests will be retained. Valid entries are 10 – 90. The default is 30.

Post Session Processing Log (PSM Customers Only)

The number of days that TPAM will store post session processing logs. Valid entries are 10-365. The default is 10.

PSM Archive Log (PSM Customers Only)

The number of days that TPAM will store the PSM Archive Log, which reports on the success and failure of archiving sessions. Valid entries are 1-30. The default is 5.

Pwd Change Agent Log

The number of days that TPAM will store password change agent activity logs. Valid entries are 10 – 90. The default is 30.

Pwd Test Agent Log

The number of days that TPAM will store password test activity logs. Valid entries are 10 – 90. The default is 30.

Release Request

The number of days password release requests will be retained before archival. Valid entries are 1-999. The default is 90.


Security Log

The number of days that TPAM will store security event logs. Valid entries are 5 – 90. The default is 10.

Sent Mail Log

The number of days that TPAM will store log entries for sent mail items. Valid entries are 1 – 365. The default is 30.

Session Request (PSM Customers Only)

The number of days that session release requests will be retained before archival. Valid entries are 1-999. The default is 90. Warning: This setting limits the “Max age in days for session log deletion” in the Archive Settings in the par interface.

Synchronized Password Change Log

The number of days that TPAM will store logs of synchronized password changes. Valid entries are 30-365. The default is 90.

Sys-Admin Log

The number of days that TPAM will store system administrator activity logs. Valid entries are 30 – 365. The default is 90.

Review Notification

Immediate Review Notification

“Yes” indicates that a Review Requirement e-mail will be sent immediately, one e-mail per review. “No” will prevent e-mails for individual reviews, including the escalation e-mails configured at the account. The default value is “Yes”.

Periodic Review Notification Interval

A non-zero value will send e-mail notifications of uncompleted Session or Password Release reviews at the top of the hour, every X number of hours. One e-mail will be sent per reviewer with as many uncompleted reviews that can fit in the body of the e-mail. Daily notifications (X=24) will be sent at midnight, server time. A value of zero (0) disables the periodic notification. Reviewers will be sent a single e-mail notification when the review is required, and a single escalation e-mail if so configured at the account. Setting both of the Review Notification settings to 0, will disable all “Release Review” e-mails. The default value is 0.

Role Policy

Restrict ISA System Creation

When set to “Yes”, administrators will be the only users allowed to add systems. The default value is “No”.

Session / Account Properties

Allow Multiple Sessions

A “Yes” setting allows users to have multiple browser sessions using the same UserID. A “No” indicates that each UserID may have only one authenticated session. The default value is “Yes”.

Disable after Inactive for n Days

Possible values are between 14 - 365 in days. If a user has not logged onto TPAM in this number of days, the UserID will be disabled.

Session Inactivity Timeout

If a value between 10 and 2880 is specified, the user sessions will timeout after that number of minutes, if there is no activity.

Note! An “unlimited” timeout is no longer supported; if this setting was 0, it is changed to 2880 minutes during the patch process.


Trash Cleanup

Allow Manual Hard Deletes

Allow or prohibit manual hard deletes regardless of how the Days in Trash global setting is set.

Days in trash

Specifies the number of days that TPAM will retain deleted systems and deleted accounts. When set to zero they will not be deleted. Valid entries are 0-999.

User Control

Allow User Timezone Changes

“Yes” gives the user the ability to change their Time Zone/Daylight Saving settings in My Info/User Details. “No” means that only an Administrator or User Admin can change a user’s Time Zone/DST settings. This does not affect the Time Zone controls for System Administrators. The default value is “Yes”.

1 If Password History and Minimum Retention Days are configured differently, both conditions must be satisfied before a password will be deleted from history.
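Footnote 1 says that both the Password History count and the Minimum Retention Days must be satisfied before an old password leaves history. The following is an added example, not TPAM's own code, that applies that rule to a constructed history so the combined effect of the two settings can be checked before they are changed; the sample dates and labels are made up, and only labels are stored, never secret values.

```python
"""Old-password purge rule from footnote 1 of the Global Settings table.

Added example, not TPAM's own code. When Password History and Minimum
Retention Days are configured differently, BOTH conditions must be satisfied
before a retired password is deleted from history: it must fall outside the
most recent `password_history` entries AND be older than
`minimum_retention_days`. The history below is constructed; only labels are
kept, never the secret values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class RetiredPassword:
    label: str             # constructed identifier for a retired password
    retired_at: datetime   # when it stopped being the current password


def validate_retention_settings(password_history: int, minimum_retention_days: int) -> None:
    # Ranges as stated in the manual: Password History 0-24, Minimum Retention Days 1-360.
    if not 0 <= password_history <= 24:
        raise ValueError("Password History must be 0-24")
    if not 1 <= minimum_retention_days <= 360:
        raise ValueError("Minimum Retention Days must be 1-360")


def purgeable(history: List[RetiredPassword], password_history: int,
              minimum_retention_days: int, now: datetime) -> List[str]:
    """Return the labels of retired passwords that may be deleted at `now`,
    newest first. An entry survives if EITHER condition keeps it."""
    validate_retention_settings(password_history, minimum_retention_days)
    newest_first = sorted(history, key=lambda p: p.retired_at, reverse=True)
    # Condition 1: the N most recent entries stay (first-in first-out history).
    kept_by_count = {p.label for p in newest_first[:password_history]}
    # Condition 2: anything retired within the minimum retention period stays.
    cutoff = now - timedelta(days=minimum_retention_days)
    return [p.label for p in newest_first
            if p.label not in kept_by_count and p.retired_at < cutoff]


# Constructed sample: six retired passwords, retired 1..100 days before NOW.
NOW = datetime(2024, 1, 31, 12, 0)
SAMPLE_HISTORY = [
    RetiredPassword(f"p{i}", NOW - timedelta(days=d))
    for i, d in enumerate((1, 10, 40, 50, 70, 100), start=1)
]

if __name__ == "__main__":
    # With the manual's defaults (history 5, retention 30) only the oldest entry goes.
    print(purgeable(SAMPLE_HISTORY, password_history=5, minimum_retention_days=30, now=NOW))
```

The same rule, with the Past Passwords count (1 – 30) in place of Password History, describes what the daily maintenance may purge for a managed system; the function above accepts either count, since both are plain integers.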

19.10 HA Configuration

To configure the High Availability settings for TPAM (if so equipped, HA is an optional component), select System Status /Settings HA Config HA Settings from the menu.


The Settings configuration is used to identify the two TPAM appliances used for high availability. Primary Server designates the TPAM appliance that is used for daily production. Server Modes available for the Primary Server are:

• Replicating – Indicates that this TPAM appliance is the primary device of a High Availability pair. Data from this TPAM will be replicated to the Replica Server.
• Stand-Alone – Indicates that this TPAM appliance is not part of a High Availability pair. No replication with other appliances will occur.

Replica Server designates the TPAM appliance that is maintained as the disaster recovery solution, but is not accessed for production purposes.


Server Modes available for the Replica Server are:

• Replica – Indicates that this TPAM appliance is the recipient of replicated data from the replicating partner of a High Availability pair. When in Replica mode the Replica’s GUI interfaces cannot be accessed except the /parconfig/forcereplica.asp page.
• Test Mode – The test mode of the replica server allows the administrator to look at information contained in the TPAM database in Read-Only mode. This enables replicated data to be verified with no danger of changes being made. Note! Passwords cannot be viewed in Test mode.
• Primary – Indicates that the replica TPAM has assumed the role of Primary (either manually or via automatic failover).

Non-Failover Replica designates the TPAM appliance that is the recipient of replicated data from the Primary server but cannot be used for failover purposes.

Server Modes available for the Non-Failover Replica are:

• Replica – Indicates that this TPAM appliance is the recipient of replicated data from the replicating partner of a High Availability pair.
• Test Mode – The test mode of the replica server allows the administrator to look at information contained in the TPAM database in Read-Only mode. This enables replicated data to be verified with no danger of changes being made. Note! Passwords cannot be viewed in Test mode.
• Primary – Indicates that the replica TPAM has assumed the role of Primary (must be manually switched to Primary through the paradmin interface).

Use the and buttons to stop or start the replication service on either the Primary or Replica TPAM.

Alert! If the Replica is expected to be in Primary mode for a considerable amount of time (in excess of eight hours), it is highly recommended that the mode of the Primary be changed to Stand-Alone. Failure to do this could result in an outage of the Primary and possible loss of data.

The Failover and Notification Settings determine the frequency of the replication cycle and the automatic failover interval. Automatic failover can be enabled or disabled by checking or unchecking the option box. You have the option to configure an e-mail notification that is sent when the primary fails over to the replica. You can use this functionality to alert users that the primary has failed over to the replica. The e-mail will contain the IP address of the replica appliance.

Alert! The primary and replica servers communicate through SSH on port 22 and monitor each other’s web servers on port 443. If either one of these ports is unreachable then the primary will fail over.

Activity logs for both Primary and Replica servers can be viewed by clicking the Primary Log and Replica Log tabs. Any activity for the Non-Failover Replica will be displayed on the Replica Log. Each log may be filtered by dates.

The button located next to the Replica start button provides a method to perform a gentle shutdown and restart of the replica without the need for physical access to the device, and without modifying its current mode. To perform a reboot of the replica, click the button. The following pop-up window will appear.

Click the button.

To keep the Replica shut down, click the button. The following pop-up window will appear.

Click the button to shut down the Replica.

19.11 Invoking the Disaster Recovery Mode

19.11.1 Automatic Failover Method

If the Automatic Failover option is selected on the Replica TPAM, the process of enabling the DR device will occur automatically after n minutes (subject to configuration options). If this occurs, the Replica TPAM will operate in Primary mode. If so configured, an email will be sent to notify that this has happened. At this time, users of the TPAM must access the IP address of the Replica TPAM. In addition, if the Replica is expected to continue auto password management while acting as the primary, the Auto Management Agent on the Replica must be started manually.

Alert! Depending upon the setting for failover (minutes since the Primary was reachable), and the interval at which updates are replicated, it is possible that some recent data may not be accessible after failover. Tolerance for the size of this information gap and performance concerns for replication frequency should be carefully weighed when determining these configurations.

19.11.2 Manual Failover Method

If the Automatic Failover option is not selected on the Replica TPAM, the process of enabling the DR device must be completed manually. The steps to accomplish this are as follows:

1. Connect to the Replica TPAM configuration interface via crossover cable, and access the page https://192.168.1.105/parconfig/ForceReplica.asp. If remote access is enabled you can access the interface via https://your_par_address:8443/parconfig/forcereplica.asp.

2. Change the mode of the Replica to “Primary”.

3. Click the button to invoke the change from Replica to Primary mode. This will kick off a reboot of the Replica appliance. Once the reboot finishes the failover is complete.

An alternate method to manually fail over to the Replica TPAM can be used for testing purposes. This method can only be used if the Primary is accessible:

1. Select System Status / Settings HA Config HA Settings from the paradmin menu.

2. Change the mode of the Replica from ‘Replica’ to ‘Primary’ by selecting the option from the drop-down list.

3. Stop and restart the replication service on the Replica using the and buttons.

19.12 Reverting back to the original Primary appliance after a forced or automatic failover

Replication between the Primary TPAM and the Replica TPAM occurs in one direction only (from the Primary to the Replica). This is by design, as the HA option is meant to provide rapid disaster recovery but not live redundancy. If a failover has occurred, whether manual or automatic, the following steps must be followed to return the Primary and Replica TPAMs back to their previous roles:

1. Using the parconfig interface of the Replica, put the Replica into Test Mode (this will prevent any further updates).

2. Back up the Replica from the /paradmin page by selecting Backup Backup Now from the menu and clicking the button. Verify that the backup is complete by viewing the Online Backups tab and looking for the new file. Allow enough time for the backup to complete, as it is possible to download an incomplete backup file. Please make sure the file is downloaded to a location with access to the Primary’s /parconfig interface, whether it is accessed remotely or via crossover cable.

3. Put the Primary TPAM into Stand-alone mode.

4. Restore the backup onto the original Primary.

5. Put the Primary into Replicating mode.

6. Put the Replica into Replica mode.

Note! While in Test Mode, there is no logging of activity (such as backups). External authentication methods are also disabled.


The diagram below shows the basic steps required to perform a test of HA failover and recovery.


19.13 TPAM Appliance Status Page

This feature allows customers to configure their network load balancing appliances in front of the TPAM appliance. The customer’s load balancing solution uses a connection to https://your_par_address/status to get the following read-only information:

Appliance Type: PRIMARY
Appliance Mode: PRIMARY
Appliance Status: NORMAL
Last Update: Tue Jul 21 15:45:40 2009

Possible variables in the fields are as follows:

Appliance Type: STANDALONE, PRIMARY, REPLICA, NON-FAILOVER-REPLICA
Appliance Mode (For PRIMARY APPLIANCE): STANDALONE, REPLICATING
Appliance Mode (For REPLICA APPLIANCE): REPLICA, TEST MODE, PRIMARY
Appliance Mode (For Non-Failover Replica): REPLICA, TEST MODE, PRIMARY
Appliance Status: Normal, Counting Down, Failing Over
Last Update: This will be a time/date stamp from the appliance.

*** This occurs every 60 seconds ***
*** No updates occur when status shows Counting Down or Failing Over ***
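As an added example (not TPAM code), a Python health check of the kind a load balancer or monitoring script would run over the /status text: it parses the four fields, rejects values outside the lists above, treats Counting Down and Failing Over as unhealthy, only routes to an appliance whose mode serves production, and flags a Last Update stamp that has stopped advancing. The sample status text is constructed from the layout above, and the 180-second staleness tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the /status text, laid out as the manual shows.
SAMPLE_STATUS = """Appliance Type: PRIMARY
Appliance Mode: PRIMARY
Appliance Status: NORMAL
Last Update: Tue Jul 21 15:45:40 2009
"""

EXPECTED = ("appliance type", "appliance mode", "appliance status", "last update")

# The values the manual lists for each field (compared case-insensitively).
ALLOWED = {
    "appliance type": {"STANDALONE", "PRIMARY", "REPLICA", "NON-FAILOVER-REPLICA"},
    "appliance mode": {"STANDALONE", "REPLICATING", "REPLICA", "TEST MODE", "PRIMARY"},
    "appliance status": {"NORMAL", "COUNTING DOWN", "FAILING OVER"},
}

# Modes in which the appliance serves production users. An appliance in
# REPLICA or TEST MODE exposes no production interface and must not get traffic.
SERVING_MODES = {"STANDALONE", "REPLICATING", "PRIMARY"}

FIELD_RE = re.compile(
    r"^\s*(Appliance Type|Appliance Mode|Appliance Status|Last Update)\s*:\s*(.*?)\s*$")


def parse_status(text):
    """Parse the 'Field: value' lines into a dict keyed by lower-case field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def health_check(text, now, stale_after=timedelta(seconds=180)):
    """Return (healthy, reason) for one fetch of the status page at time `now`.

    The page is refreshed every 60 seconds and stops updating while the status is
    Counting Down or Failing Over, so a stamp older than `stale_after` (an assumed
    tolerance of three refresh intervals) is treated as unhealthy."""
    fields = parse_status(text)
    missing = [name for name in EXPECTED if name not in fields]
    if missing:
        return False, "missing field(s): " + ", ".join(missing)
    for name, allowed in ALLOWED.items():
        if fields[name].upper() not in allowed:
            return False, f"unexpected {name}: {fields[name]!r}"
    try:
        last = datetime.strptime(fields["last update"], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return False, f"unparseable Last Update: {fields['last update']!r}"
    if fields["appliance status"].upper() != "NORMAL":
        return False, "status is " + fields["appliance status"]
    if fields["appliance mode"].upper() not in SERVING_MODES:
        return False, "not serving production (mode " + fields["appliance mode"] + ")"
    age = now - last
    if age > stale_after:
        return False, f"Last Update is stale ({int(age.total_seconds())}s old)"
    return True, "ok"


def demo():
    """Run the check over constructed variants of the sample page; returns the verdicts."""
    now = datetime(2009, 7, 21, 15, 46, 0)  # one minute after the sample's stamp
    return {
        "healthy": health_check(SAMPLE_STATUS, now),
        "stale": health_check(SAMPLE_STATUS, now + timedelta(minutes=10)),
        "counting_down": health_check(SAMPLE_STATUS.replace("NORMAL", "Counting Down"), now),
        "replica_idle": health_check(SAMPLE_STATUS.replace("Mode: PRIMARY", "Mode: REPLICA"), now),
        "garbled": health_check("Appliance Type: PRIMARY\n", now),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:14} {'UP' if ok else 'DOWN':4} {why}")
```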

19.14 Local Authentication Settings

If you are using secondary authentication you now have the option to minimize the primary local authentication by setting the password for users of secondary authentication to be static. You can make the static password null by not typing anything in the box, or enter a password. This static password will not follow any of the default password rules and will not automatically change or expire. If this option is selected you will not be able to change a user’s password from within the TPAM interface while secondary authentication is being used for that user.


19.15 Login Banner

A login banner may be configured to display a message to users when logging onto TPAM. This banner is customized to display any text desired, such as a statement of company policy or legal warning message. To configure a logon banner for TPAM, from the System Status /Settings menu, select Login Banner.

The desired text is simply entered into the free text area and saved. The login banner will be displayed at initial login and any time the user’s authentication is verified by TPAM (this can occur several times during a user session).

19.16 Message of the Day

Message of the Day is a brief text message that may be included in any of the formatted emails sent by TPAM by selecting the MOTD: flag in the email configuration (see “Customizing Email Messages” in this manual). Also the Message of the Day will appear on the home page of anyone accessing TPAM.


To configure a message of the day, from the System Status /Settings menu, select Message of the Day.

To begin a new MOTD, click the button. Enter a valid date range for the message to be in effect (Start Date cannot be earlier than the current date, nor can the End Date) and use the free text field to enter the message as it will be displayed in emails. Use the button to save this MOTD to the list of messages.

Messages may be anything that is desired and do not need to be related to TPAM, although the audience for these messages will be only individuals who receive email messages from TPAM and log in to TPAM.

19.17 O/S Patch Status

Patches and updates to the underlying OS of TPAM are distributed in the same manner as product patches (TPAM software updates), and are applied in the same way. To view history of patches applied to the OS, click System Status/Settings O/S Patch Status.


19.18 Password Rules

Password construction rules for managed systems are system and account specific. This means that two managed accounts on a single system may have different password construction rules applied, and each managed system can be governed by separate password construction rules, if so desired. The order of operations for conflicting password rules is that the most specific rule applies.

Example: System-A is configured to use the default rule. System-A has two accounts managed by TPAM, Account-1 and Account-2. Account-1 is configured to use the default rule, but Account-2 is configured to use a rule called Rule-A. When passwords are reset for these managed accounts, Account-1’s password will be constructed according to the default password construction rule, while Account-2’s password will be constructed according to Rule-A’s configuration.

This allows TPAM to auto-manage passwords in environments where there may be different security policies in place with respect to OS platform or business unit.

Note! Password rules apply to passwords generated by TPAM.

To create or modify password rules, select System Status /Settings Password Rules from the menu.


The Password Auto Repository will always contain at least one rule – the Default Password Rule. This rule’s properties can be modified, but it cannot be deleted. The Default Password Rule governs the password requirements for all TPAM user accounts. To add a new password rule, click the button. To modify the properties of any rule, select the rule, make the changes and click the button. The following table provides an explanation of each configurable parameter of the Password Construction Rules:

Password Construction: Rule Definitions

Maximum Characters – Specifies the longest password that can be generated. Valid entries are 6-128.

Minimum Characters – Specifies the shortest password that can be generated. Valid entries are 4-128.

First Character Value – Specifies the properties allowed for the first character of the password. Allows special characters and numeric characters to be omitted.

Uppercase Requirements – Specifies the allowed or required use of uppercase characters within the password.

Lowercase Requirements – Specifies the allowed or required use of lowercase characters within the password.

Numeric Requirements – Specifies the allowed or required use of numeric characters within the password.

Non-Alphanumeric Requirements – Specifies the allowed or required use of non-alphanumeric characters within the password.

Valid Non-Alphanumeric Characters – Specifies which non-alphanumeric or "special" characters may be used in password construction. Only enabled if Non-Alphanumeric characters are permitted.

Last Character Value – Specifies what the last character can be in the password. Alert! If Any Character Permitted is selected, this overrides any of the other restrictions.

Consecutive Repeating Characters – Specifies if you can have consecutive repeating characters within the password.
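As an added illustration (not TPAM's own generator or validator), a Python rule object carrying the parameters in the table above, a checker that reports which parameters a candidate password violates, and a generator that draws from the CSPRNG until a compliant password is produced. The mapping of each "allowed or required" setting to three levels, the default values, and the rejection-sampling approach are assumptions made for this example.

```python
import secrets
import string
from dataclasses import dataclass

# Requirement levels for each character class (an assumption about how the
# "allowed or required" settings in the table map to checks).
NOT_ALLOWED, ALLOWED, REQUIRED = "not allowed", "allowed", "required"


@dataclass(frozen=True)
class PasswordRule:
    """A password construction rule with the parameters the manual's table lists."""
    min_chars: int = 8
    max_chars: int = 16
    uppercase: str = REQUIRED
    lowercase: str = REQUIRED
    numeric: str = REQUIRED
    non_alnum: str = ALLOWED
    valid_non_alnum: str = "!@#$%^&*"      # Valid Non-Alphanumeric Characters
    first_char_numeric_ok: bool = False    # First Character Value
    first_char_special_ok: bool = False
    last_char_numeric_ok: bool = True      # Last Character Value
    last_char_special_ok: bool = False
    last_char_any: bool = False            # "Any Character Permitted" override
    consecutive_repeats_ok: bool = False   # Consecutive Repeating Characters

    def __post_init__(self):
        if not (4 <= self.min_chars <= self.max_chars <= 128):
            raise ValueError("length bounds must satisfy 4 <= min <= max <= 128")
        if self.non_alnum != NOT_ALLOWED and not self.valid_non_alnum:
            raise ValueError("non-alphanumerics permitted but no valid characters listed")


CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numeric": string.digits,
}


def violations(rule, pw):
    """Return the list of rule parameters the password violates (empty = compliant)."""
    bad = []
    if not rule.min_chars <= len(pw) <= rule.max_chars:
        bad.append("length")
    allowed = ""
    for name, chars in CLASSES.items():
        level = getattr(rule, name)
        if level == REQUIRED and not any(c in chars for c in pw):
            bad.append(name + " required")
        if level != NOT_ALLOWED:
            allowed += chars
    specials = rule.valid_non_alnum if rule.non_alnum != NOT_ALLOWED else ""
    if rule.non_alnum == REQUIRED and not any(c in specials for c in pw):
        bad.append("non-alphanumeric required")
    allowed += specials
    if any(c not in allowed for c in pw):
        bad.append("character outside allowed set")
    if pw:
        first, last = pw[0], pw[-1]
        if (first in string.digits and not rule.first_char_numeric_ok) or \
           (first in specials and not rule.first_char_special_ok):
            bad.append("first character")
        if not rule.last_char_any and (
                (last in string.digits and not rule.last_char_numeric_ok) or
                (last in specials and not rule.last_char_special_ok)):
            bad.append("last character")
    if not rule.consecutive_repeats_ok and any(a == b for a, b in zip(pw, pw[1:])):
        bad.append("consecutive repeating characters")
    return bad


def generate(rule, attempts=10000):
    """Draw candidates from the CSPRNG and keep the first one that satisfies the rule.

    Length is chosen uniformly within the rule's bounds; rejection keeps the
    generator honest against every check in violations() rather than a subset."""
    alphabet = "".join(chars for name, chars in CLASSES.items()
                       if getattr(rule, name) != NOT_ALLOWED)
    if rule.non_alnum != NOT_ALLOWED:
        alphabet += rule.valid_non_alnum
    for _ in range(attempts):
        length = rule.min_chars + secrets.randbelow(rule.max_chars - rule.min_chars + 1)
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(rule, candidate):
            return candidate
    raise RuntimeError("rule is too restrictive to satisfy by sampling")


if __name__ == "__main__":
    rule = PasswordRule()
    pw = generate(rule)
    print(pw, violations(rule, pw))
    print(violations(rule, "1Abcdeef"))   # first character, consecutive repeats
```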

19.19 Reason Codes

If you have decided to implement reason codes in your TPAM appliance you will need to add your custom codes. From the paradmin interface select System Status/Setting Reason Codes from the menu. You can filter the codes that are displayed by clicking on the All, Active (+) or Inactive (-) radio buttons.


19.19.1 Adding a New Code

Click the button.

Name: Enter the name that will appear in the drop down lists for this reason code. Minimum of 3 characters, maximum of 50 characters. Once you initially save the Reason Code you will not be able to change the name.

Description: Enter a reason code description. This will appear in help content. Limited to 255 characters.

Reason Code is active: Check this box to make the reason code active. You do have the option of creating a new reason code but leaving it inactive initially.

Click the button.


19.19.2 Changing a Reason Code’s Active/Inactive Status

From the paradmin interface select System Status/Setting Reason Codes from the menu. In the box on the left side of the screen highlight the reason code you want to change. Check or uncheck the Reason Code is active checkbox. Click the button.

19.19.3 Deleting a Reason Code

From the paradmin interface select System Status/Setting Reason Codes from the menu. In the box on the left side of the screen highlight the reason code you want to delete. Click the button.

Note! You will only be able to delete a reason code if it has never been used on any request or ISA retrieval. Click the button to proceed. If the Reason Code has been used, you will be able to delete it once the requests or releases where it has been used have aged out of the system.

19.20 Resubmit Batch Reports

You have the ability to resubmit a run of batch reports for a prior date. To resubmit a batch report to run for a prior date select System Status/Setting Resubmit Batch Reports from the menu.

Enter the date you want to run the reports for and click the button. Log into the par interface and go to Scheduled Reports Browse Stored Reports to find the report you resubmitted.

Now that we provide for batch reports to be resubmitted from the paradmin interface, the user may see a much longer folder name for batch reports. When the batch is resubmitted then the directory name starts with the resubmit date followed with “_rundate_time”. So if the 10/1/07 reports were rerun on 11/13/07 at 1pm there would be a directory named 20071001_20071113_130000.


19.21 SysLog Configuration

TPAM allows the optional configuration of Syslog and SNMP trap data to be transmitted to a receiver or collector. This provides an alternate way to view activity reports as well as to monitor the TPAM appliance for health and welfare.

To configure the export of activity logs to a syslog collector, select System Status /Settings SysLog Configuration.

Enter the IP address or FQDN of the target syslog server and the port on which that server listens. Enable Sys-Admin or User activity logs as desired.

19.22 System Status

The TPAM System Status/Settings System Status menu option displays current settings for licenses as well as managed systems and accounts, real-time appliance health information, and database usage. In v2.4 we added System Up-Time (amount of time the appliance has been running; days:hours:minutes:seconds) and Last Boot (date and time the system was last rebooted) to the System Status page in the paradmin interface.


19.23 Configuring Ticket Systems

Ticket Systems can be configured so that TPAM will validate ticket numbers and other information about the request that are entered at the time the password, file, or session request is submitted. When a password, file, or session is requested that requires a Ticket Number, the number is passed to the indicated ticket system for a “yes/no” answer. The validation may be as simple as “they entered a number and that’s all we need” or as involved as “not only must the ticket number exist in the ticket system but the data returned must match the user’s name, request, requested account, system, dates, etc.”

More than one ticket system can be configured. If a password, file, or session request fails the validation rules that have been configured the request will immediately be canceled and the requestor will have the option to try again.

To add a ticket system, select System Status /Settings Ticket Systems from the menu.


Click the to create a new ticket system. will flag the ticket system as deleted, but does a “soft” delete. The name of a deleted ticket system may be reused. The button will clone the selected Ticket System using the same type, rules, etc. The new system will be named “Copy of <old name>” (“Copy 2 of <old name>”, “Copy 3 of <old name>”, etc.). The new system will have the Enabled? flag set to “No”, and all cloned Rules will be disabled as well.

19.23.1 Ticket System Details Tab

The Ticket System Details tab is where you configure the connection information of the system being queried for ticket information.


Ticket System Name – This is the descriptive name of the ticket system. The name must be unique and can be up to 30 characters.

Description – The description field may be used to provide additional information about the ticket system, special notes, business owner, etc. Limited to 255 characters.

Enable validation for this Ticket System – This box must be checked in order for TPAM to perform a validation against the ticket system.

Allow provisional validation when system is disabled – If this box is checked and the Enable validation for this Ticket System box is unchecked (because of ticket system issues), then any requests made against this ticket system will still require a ticket number but the ticket number will not be validated when the request is saved. When the approver goes to approve/deny the request they will see the following note on the Request Details tab:


The approver has the option of:

• Approving/Denying the request without trying to revalidate the ticket

• Clicking the button before approving/denying the request. If the approver tries to revalidate the ticket and the Ticket System is now enabled, and the ticket fails validation, then the request will automatically be denied. The approver will see a pop-up window that will warn them of this.

Ticket System Type

Not Managed ODBC Driver - User must select Sybase, MS SQL Server, MySQL or Oracle as the target database. The “Use SSL?” checkbox may be checked to force the validation query to use SSL to communicate with the target database.

Network Address - May be an IP address or system name that will be resolvable from the appliance.

Port Number – For SQL Server, MySQL, Oracle and Sybase databases the default port number will automatically fill in when the ticket system is saved.

Timeout – This setting is optional. It will control how long the validation routines will wait for a response from the database before timing out.

SID/Service Name – (Oracle) The SID or Service Name to connect to on the Oracle server.

Database Name – (SQL Server or Sybase) The name of the Ticket System database on the indicated server.

Username – Login to get into the database. For SQLServer databases this must be a SQL Server Authentication ID. Windows Authentication is not supported.

Password – The password is stored in the database using the same encryption techniques that TPAM uses for managed accounts. Blank passwords are supported, but not recommended. When editing an existing Ticket System leave the password field blank unless you want to change it.

Managed – If this option is selected then the ticket system and account must be set up through the par interface as a managed system and account. The system must have a database of Sybase, Oracle, or MS SQL Server. For Oracle systems the SID or Service name from the Managed System record will be used. For MS SQL Server or Sybase systems it is assumed that the account being used has appropriate access to the required database.

System – Enter the Ticket System name as it has been set up in TPAM.

Account – Enter the Account Name as it has been set up in TPAM.

Test Account Button – Use this button to make sure you entered a valid account.

Web Service – Beginning with 2.4.800 you may now use a Web Service as your Ticket System provider. The service must reside on a system which is reachable from the TPAM appliance using either HTTP POST or GET protocol and return a stream of XML with either data related to the ticket or an error condition. Note that once a Ticket System has been saved as a Web Service type it cannot be changed to any other type, nor may an existing Ticket System be changed to a type of Web Service. Enter the URI address for your ticket system. Select a Type of either HTTP POST or HTTP GET.

URI – This is the Uniform Resource Identifier of the ticket system. Supported protocols are http and https. Include extra query string information if the URI requires it, but do not include any query string which passes the actual ticket number. That information will be defined on the Data tab.


Type – Select either HTTP POST or HTTP GET based on the requirements of the web service.

XML Path – The web service is expected to return a stream of XML. The optional path you enter here uses the XPATH 1.0 standard to reference specific subsections of the XML. If no path is entered the system will use the top level element as the base element for the returned data. In the above example the returned data resides in a top level element called TicketDetailsObject and includes all elements beneath. Only simple element values are processed as data; no complex sub-elements or attributes are processed.

XML Error Path – An error may be returned by the web service in one of two ways. If no value is entered for the XML Error Path the error value is expected to be returned via an HTTP Response value. If a value is entered the system will examine the XML and consider it to have been an error if the Error Path object is present. Because of this make sure that the value entered for the Error Path is only present when the web service returns an error. If both the XML Path and XML Error Path are found in the returned XML the call will be considered to have errored out.

Note! The Error Path should point to a single value element which holds the error message. This message will be used to indicate a ticket validation failure and returned to the caller.
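As an added example (not TPAM's own code) of the two error-reporting conventions just described, a Python function that applies an XML Path and an XML Error Path to a web service response: an HTTP error code is the error signal when no Error Path is configured; when one is, the presence of the Error Path element makes the call an error even if the data path is also present; otherwise the simple child elements of the base element become the returned fields, and complex sub-elements and attributes are ignored. The response bodies are constructed for the example, and ElementTree evaluates only a subset of XPath 1.0.

```python
import xml.etree.ElementTree as ET

# Constructed responses in the shape the manual describes (a TicketDetailsObject
# element whose simple child elements carry the ticket data). They were written
# for this example and are not the output of any real ticket system.
OK_RESPONSE = b"""<?xml version="1.0"?>
<Envelope>
  <Body>
    <TicketDetailsObject>
      <TicketNumber>T12345</TicketNumber>
      <Requestor>jdoe</Requestor>
      <Status>Open</Status>
      <Assignee id="7"><Name>asmith</Name></Assignee>
    </TicketDetailsObject>
  </Body>
</Envelope>"""

ERROR_RESPONSE = b"""<?xml version="1.0"?>
<Envelope>
  <Body>
    <Error>Ticket T99999 not found</Error>
  </Body>
</Envelope>"""


def ticket_data(http_status, body, xml_path=None, xml_error_path=None):
    """Apply the XML Path / XML Error Path rules to one web service response.

    Returns (fields, None) on success, where fields maps each simple child element
    of the base element to its text, or (None, message) when the response must be
    treated as a ticket lookup error. Paths are evaluated relative to the top-level
    element with ElementTree, which implements only a subset of XPath 1.0."""
    if xml_error_path is None and http_status >= 400:
        # No Error Path configured: the HTTP response code carries the error.
        return None, f"HTTP {http_status}"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return None, f"response is not well-formed XML: {exc}"
    if xml_error_path:
        error_elem = root.find(xml_error_path)
        # Error Path present means an error, even when the data path is present too.
        if error_elem is not None:
            return None, (error_elem.text or "").strip() or "unspecified error"
    base = root.find(xml_path) if xml_path else root
    if base is None:
        return None, f"XML Path {xml_path!r} not found in response"
    fields = {}
    for child in base:
        if len(child) == 0:  # simple value: no sub-elements
            fields[child.tag] = (child.text or "").strip()
        # elements with sub-elements, and all attributes, are skipped as the manual states
    return fields, None


if __name__ == "__main__":
    print(ticket_data(200, OK_RESPONSE, "Body/TicketDetailsObject", "Body/Error"))
    print(ticket_data(200, ERROR_RESPONSE, "Body/TicketDetailsObject", "Body/Error"))
    print(ticket_data(500, OK_RESPONSE, "Body/TicketDetailsObject", None))
```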

User Name/Password – If the web service requires a fixed User Name and Password in order to perform validation enter those values here. If the web service supports anonymous calls leave these values blank.

System Name/Account – You may also use a TPAM Managed System and Account to supply a user name and password for the web service request. The Managed System does not have to be of any specific platform type and may be a different platform than that used by the web service. The system will use the Account Name and current password of the Account as the User Name and Password for the call.

Manual Ticket System (No data or rules)

There is no database integration for this type of Ticket System.

Validation Expression – Accepts Perl-compatible regular expression syntax (regexp). The expressions are case-sensitive by default. Beginning the expression with "(?i)" (without the quotes) will make the whole expression case insensitive. Defaults to .+ (any number of any characters).

Some examples:

[0-9]{7} = any 7-digit number is an acceptable ticket number

T-[A-Z]-[0-9]{1,4} = the text “T-” followed by any single character A-Z, followed by “-”, and ending in 1-4 digits

(?i)[a-z][0-9]+ = case insensitive, a single character a-z followed by 1 or more digits

For more information on regular expression syntax go to: http://perldoc.perl.org/perlre.html

Test Ticket Number – This field can be filled in to test the Regular Expression. The Test Ticket Number is not saved.

19.23.2 Ticket System Data Tab

The Ticket Systems Data tab is where you configure the actual command being issued against the target system to retrieve the information about the ticket in question.

SQL Command – You can enter either a simple SELECT query or execute a stored procedure to return a single-row result set. Substitution parameters may be entered in the command using a :param: syntax. Oracle databases only support SELECT-type syntax; no EXEC of a stored procedure for a result set. SQL Server supports SELECT and EXEC. Case-sensitivity is controlled by the target database. The SELECT or EXEC statement must be written in such a way as to produce a result set of exactly one row when successful. When validating ticket numbers for requests a result set of 0 or >1 rows will be considered a failed validation.

Alert! This command is executed “as-is” against the target database. We do not check syntax or safeness of the command before executing. If you enter a command of “DROP TABLE foo” then as long as the database login has the rights, the table foo will be dropped. It’s up to you to make sure the database login has the proper safeguards to prevent accidental or intentional damage or loss-of-data to your database.

For Web Services:

Web Service Parameters

In order to pass information about the request or release to the web service you must define the parameters the service expects. At the very least you will need a way to pass in the ticket number the user enters for validation. The Parameter Names are determined by your web service and will be passed either as a query string (for GET calls) or as form values (for POST calls). The screenshot above would result in a query string something like the following: https://myticketsystem/ticket/RetriveTicket.aspx?soeid=jdoe&callRef=T12345

Substitution Values

This list shows all acceptable parameters and their types. You can enter a value for all :xxx: substitution values and use those values to test the SQL command. The test ticket number value has been moved to be a part of this list. The values are saved so they can be reused. The values are NOT Ticket System specific; the same values are used for all ticket systems. The values are not used for Ticket Validation, only for testing the SQL command. The parameters must be properly quoted and in the proper case (for example :TicketNumber:, not :ticketnumber:) when used in the SQL Command. For instance, @TicketNbr=:TicketNumber: will cause problems because the “:TicketNumber:” parameter is text; instead you would have to enter @TicketNbr=':TicketNumber:' (note the single quotes around the parameter). The list of substitutions includes all values, regardless of where the Ticket Number is being validated. For instance, when entering a Password request the :FileName: parameter is not valid.

Generate List – Click this button to execute the SQL Statement using the Test Ticket Number you have entered. If the statement executes correctly it will populate the Fields Returned list.

Clear All Values – Click this button to clear all the values entered in the Substitution List.


Fields Returned Once the command has been successfully tested the names and types of columns in the result set will appear here. At this point the Rules tab becomes enabled. Alternatively, you can edit the list of Fields Returned manually. This may be necessary if you don't have a way to execute the SQL Command in a test mode or if the system is unable to determine proper column names or types returned from the SQL Command. Note that regardless of the true types returned from the database being queried, the data types displayed are reduced to text (length), number, or date. If a text length cannot be determined from the result set (SQLServer) a default of 255 characters is used.

You must either successfully test the SQL Command or manually describe the result set in order to work with the Rules tab.
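As an added example, not part of the manual, a small Python checker for the two rules described above (substitution tokens are case-sensitive, and text-typed parameters must be single-quoted) together with the test substitution that Generate List performs. The parameter catalogue in PARAMS is constructed for illustration, and the doubling of embedded single quotes in text values is this example's own safeguard rather than behaviour the manual describes.

```python
import re

# Substitution tokens are case-sensitive and written :Name: (e.g. :TicketNumber:).
TOKEN = re.compile(r":([A-Za-z][A-Za-z0-9]*):")

# Constructed parameter catalogue for this example: name -> reduced type.
# The manual reduces every type to text, number or date.
PARAMS = {"TicketNumber": "text", "FileName": "text", "Duration": "number"}


def check_sql_command(sql, params=PARAMS):
    """Return a list of problems found in a SQL Command template.

    Rule 1: every :xxx: token must name a known parameter in the exact case.
    Rule 2: a text-typed token must sit inside single quotes, i.e.
            @TicketNbr=':TicketNumber:'  and not  @TicketNbr=:TicketNumber:
    """
    problems = []
    for m in TOKEN.finditer(sql):
        name = m.group(1)
        if name not in params:
            hint = next((p for p in params if p.lower() == name.lower()), None)
            msg = f"unknown parameter :{name}:"
            if hint:
                msg += f" (did you mean :{hint}:?)"
            problems.append(msg)
            continue
        if params[name] == "text":
            before = sql[m.start() - 1] if m.start() > 0 else ""
            after = sql[m.end()] if m.end() < len(sql) else ""
            if before != "'" or after != "'":
                problems.append(f"text parameter :{name}: must be enclosed in single quotes")
    return problems


def substitute(sql, values, params=PARAMS):
    """Replace each :xxx: token with its test value, as Generate List does.

    Embedded single quotes in text values are doubled so a value such as
    O'Brien cannot terminate the quoted literal (this example's own safeguard).
    """
    problems = check_sql_command(sql, params)
    if problems:
        raise ValueError("; ".join(problems))

    def repl(m):
        name = m.group(1)
        value = str(values[name])
        return value.replace("'", "''") if params[name] == "text" else value

    return TOKEN.sub(repl, sql)
```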

19.23.3 Ticket System Rules Tab

The Rules tab and its sub-tabs can be used to describe what to do with the data returned from the query to determine whether or not a valid ticket number has been entered.

The Listing tab shows a summary of all rules defined for the currently selected Ticket System. When a Ticket is entered that requires validation, all of the “Enabled” rules associated with the Ticket System are executed in the order shown in this list. If all rules return a “True” value then the ticket number is accepted. The first rule that returns a “False” value makes the ticket number invalid and the password/session/release request is canceled.

Once you add a ticket system you will automatically see the Ticket Exists rule as a default. The rule ensures that the SQL Command from the Data tab must return one and only one row. If the SQL Command returns 0 (zero) or more than one row of data this rule fails and no further rule checking is performed. This rule cannot be moved or disabled and is always executed first.

Subsequent, user defined rules may be configured using the button. To delete a rule click the button.

To duplicate a rule click the button. This will copy the currently selected rule, including name, description, and syntax, but make the new rule disabled by default. The new rule is not saved to the database until the button is pressed. The and buttons will change a rule’s execution order in the list.

We have a :xxx: substitution value that can be used when defining the Ticket System Rules - :PwdCurrentlyReleased:. This value can only be used in the Rules tab. It will not be recognized as a substitution value when entering the SQL Command on the Data tab.

:PwdCurrentlyReleased: can be used to control the retrieval of a password by an ISA when the ISA is using the "Proxy Release For" field to act as a proxy for another user. It will evaluate to Y or N according to the following rules:

• An ISA release where the ISA does not enter a value for the "Proxy Release For" field: :PwdCurrentlyReleased: evaluates to "N".

• An ISA release where the ISA does enter a value for "Proxy Release For":

  • If another ISA has retrieved the password as a proxy for somebody AND the password has not yet been reset, :PwdCurrentlyReleased: evaluates to "Y".

  • If the ISA issuing the request has already retrieved the password for a different proxy AND the password has not yet been reset, :PwdCurrentlyReleased: evaluates to "Y".

  • If the password has been released due to an approved request AND the password has not yet been reset, :PwdCurrentlyReleased: evaluates to "Y".

• A requester enters a request where the request window (Requested Release Date + Duration) overlaps an ISA Release where the ISA has entered a proxy: :PwdCurrentlyReleased: evaluates to "Y".

• Under all other conditions :PwdCurrentlyReleased: evaluates to "N".


The Rule Details tab allows you to create arbitrarily complex rules that can be used to validate the data returned from the SQL Command in the context where the Ticket Number is being used.


Rule Name is required, but is not required to be unique. It may be up to 32 characters long. A default rule name is created based on the ID of the Ticket System and the position in the list of the new rule.

A new rule is created with the Enabled? checkbox turned off. It’s up to you to enable the rule when it has been validated.

Sequence is a read only value showing the execution order of this rule.

Syntax Results shows a WHERE clause-like version of the entered syntax. Once the rule syntax has been created and validated this read only area will show the syntax and/or any errors that were detected.

The indicator at the left of the line and the Conjunction on the right can each be cycled through their allowed values by clicking on the block. The indicator toggles to either show the word or blank. The Conjunction block will cycle between , , and blank.

The and buttons will add a new row of syntax above or below the current row (indicated by the symbol). The Conjunction block will default to either "AND" or blank and the conditional will default to "=". The button will delete the current row of syntax. The last row of syntax cannot be removed.


The button will reset the syntax area (remove all lines) and create a single, default line.

One button inserts a left parenthesis above the current row, and another inserts a right parenthesis below the current row. The button checks all entered syntax and converts it to WHERE clause format in the Syntax Results. If all the syntax looks acceptable the indicator turns green. If any portion of the syntax is invalid (bad quoting, missing group start or end, missing conjunction, etc.) the error is included in the Syntax Results and the indicator to the left of it turns red.

Nesting Level is a read only value that attempts to keep track of "start/end" groupings. If the user has more "start groups" than "end groups" the value will be greater than zero. If the user has more "end groups" than "start groups" the value will be negative. The value here does not reflect the nesting level of the current line, only the total nesting level of the entire syntax area.
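As an added example, not code from the manual or the product, a Python model of the syntax area that performs the checks described above (bad quoting, missing group start or end, missing conjunction), renders the rows in WHERE clause form, and reports the total nesting level. The Row structure, the column names and the reduced types are constructed for illustration; how TPAM itself stores rows is not described on the page.

```python
from dataclasses import dataclass


@dataclass
class Row:
    """One line of the Rule Details syntax area (a constructed model for this example)."""
    group: str = ""        # "(" or ")" for a parenthesis row, "" for a condition row
    negate: bool = False   # left-hand indicator: True renders NOT
    field: str = ""        # a column name from Fields Returned
    cond: str = "="        # the conditional; defaults to "="
    value: str = ""        # literal: text and date values single-quoted, numbers bare
    conj: str = ""         # right-hand Conjunction block: "AND", "OR" or blank


def _quoted(v):
    return len(v) >= 2 and v[0] == "'" and v[-1] == "'"


def validate_rule(rows, fields):
    """Render `rows` as a WHERE clause; return (clause, errors, nesting_level).

    `fields` maps column name -> reduced type ("text", "number" or "date") as
    shown in Fields Returned. An empty error list is the green-indicator case;
    nesting_level is the total of group starts minus group ends, not per line.
    """
    errors, parts, level, pending = [], [], 0, ""
    for i, r in enumerate(rows):
        if r.group == ")":
            level -= 1
            if level < 0:
                errors.append(f"row {i}: group end without a matching group start")
            parts.append(")")
            continue
        if pending:                 # a row's conjunction is emitted only after
            parts.append(pending)   # any group ends that directly follow it
            pending = ""
        if r.group == "(":
            level += 1
            parts.append("(")
            continue
        if r.field not in fields:
            errors.append(f"row {i}: unknown field {r.field!r}")
        elif fields[r.field] == "number" and _quoted(r.value):
            errors.append(f"row {i}: number value {r.value} must not be quoted")
        elif fields[r.field] != "number" and not _quoted(r.value):
            errors.append(f"row {i}: bad quoting, {fields[r.field]} value {r.value!r} needs single quotes")
        more = any(not x.group for x in rows[i + 1:])   # does another condition follow?
        if more and not r.conj:
            errors.append(f"row {i}: missing conjunction")
        elif not more and r.conj:
            errors.append(f"row {i}: conjunction with no following condition")
        elif r.conj and r.conj not in ("AND", "OR"):
            errors.append(f"row {i}: unknown conjunction {r.conj!r}")
        parts.append(" ".join(p for p in ("NOT" if r.negate else "", r.field, r.cond, r.value) if p))
        pending = r.conj if more else ""
    if level > 0:
        errors.append(f"{level} group start(s) without a group end")
    return " ".join(parts), errors, level
```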

20.0 Appliance Shutdown / Restart

To shut down or restart, select Shutdown from the home page of the parconfig interface.

To perform a restart (warm boot) of the appliance, ensure that the Restart? checkbox is checked. To perform a full shutdown of the appliance, uncheck the Restart? checkbox. Click the button to proceed.

Alert! Any time the TPAM appliance is shut down for more than 16 hours, a keyboard and monitor must be attached to authenticate the disk encryption. If this is not done, the appliance will never boot.

21.0 Managing Your Own Account

Any user may change their password and update individual account details using the My Info menu option. To reset your own password, select My Info Change Password from the menu. Enter the existing password, the new password desired, and confirm the new password. User passwords are subject to the requirements of the Default Password Rule.


Other individual account information can also be self managed, such as contact information and full name. Select My Info User Details from the menu to make modifications to your own account information.

A user may not modify the UserID, Last Name, or First Name fields. For information on the User Time Zone setting see the section titled “System Administrator Accounts”. You will be automatically redirected to the User Details page when attempting a new transaction if:

• The server has undergone a DST transition since your last activity.

• The time zone on the server has been changed since your last activity.

• The server has had a patch applied that has rendered your current time zone obsolete according to Microsoft’s time zone updates.

You will be able to see the server time on the bottom left of your screen and your local GMT offset (if different from the server) in the middle bottom of the screen. You will see the time listed in reference to GMT (Greenwich Mean Time), using notation to indicate the number of hours ahead of or behind GMT. For example, US Eastern Time is 5 hours behind GMT, or GMT-05:00; New Delhi, India is 5½ hours ahead, or GMT+05:30.


Appendix A: Re-Setting TPAM to Default Network Settings

The network configuration of TPAM can be easily reset to factory defaults by following a few simple steps. This is useful in cases where the network configuration process has encountered problems, providing a “start over” option.

If you received your appliance after March 25, 2010 please disregard the steps below pertaining to the firewall card.

It is important to recall that the network interface and integrated firewall use bridging technology, and therefore the firewall must be reset when the default network configuration is restored.

Alert! If TPAM is configured as a High Availability pair, and has a firewall card, it is very important that only the firewall of the Primary be reset. Resetting the firewalls on both the Primary and the Replica will require extra steps that may not be necessary.

Network/Firewall reset

If the network configuration requires a reset, follow this procedure to restore network connectivity and firewall security to the appliance:

1. Connect a laptop or workstation to the parconfig interface of TPAM using an Ethernet crossover cable.

2. Direct a web browser to https://192.168.1.105/parconfig

3. Remove the network cable from the interface (failure to do so may result in a failure of this process).

4. Locate the firewall reset button and reset the firewall. To reset the firewall, press the reset button with a pen, paperclip, etc. two times within two seconds. The four LED lights on the card will cycle off and then back on. Allow 60 seconds for the firewall reset cycle to complete.

5. Shut down and restart the appliance.

6. Browse to https://192.168.1.105/parconfig

7. Select Network Settings Modify Settings from the menu.

8. Enter the desired IP address, subnet mask, and default gateway. Enter the desired IP address for the firewall.

9. Check the Check if firewall has been reset option box.

10. Click the button, and wait for the success message. Allow 60 seconds for the changes to the firewall to occur. Verify a successful reset message and click the button.

11. Verify the new network settings by selecting Network Settings View Running Values.

12. Select Net Tools Ping from the menu. Attempt to ping the newly set firewall address and verify a reply. If there is no reply, the firewall did not reset properly and will require another reset attempt. Go back to Step 4 and continue. If there is a reply to the ping, continue with step 13.

13. Shut down and restart the appliance.

14. To test further, configure the workstation to an address on the same network segment as TPAM. Use the crossover cable to connect directly to the network port and verify that /par or /paradmin can be accessed. Success of this test indicates that the appliance is ready to be placed back onto the network.


Appendix B: Command Line Interface for Administrative Access

The TPAM CLI (command line interface) provides a method for properly authorized administrative users or automated processes to retrieve information from the TPAM system. Commands must be passed to the TPAM via SSH (Secure Shell) using an identity file key created by TPAM. A specific CLI Admin ID is also required. See “Managing CLI Admin IDs” in this manual for instructions on creating the admin ID and downloading the key file. In the examples used below, the TPAM is accessed via command line from a Windows 2000 computer with SSH capabilities. SSH software (not provided) must be installed on any system before it can be used for TPAM CLI access.

Command syntax:
ssh -i [keyfile] [userid]@[PAR-address] command [option]

Administrator CLI commands:

ApplyPatch
Install a product patch or patch. Prerequisite: the patch file must first be uploaded to TPAM via SCP:
scp -i <cli user key file> <filename> <cli user name>@<host>
Use: ApplyPatch <filename> <patchkey>

Backup
Initiates a backup.

ChangeAdminPassword
Forces a change to the password. Use: ChangeAdminPassword <username> <password>

ForceReplica <Mode>
This option allows a CLI Admin user to force the Replica into a specific mode. Any mode change from running this command will overwrite the last change from the primary. If there is a pending ForceReplica command and a change is saved at the primary then that pending ForceReplica command will be deleted. Mode options are:
P – Primary
R – Replica
T – Test

GetChangeQueue
Returns the number of systems in the change queue.

GetStatus [option]
Options:
-a All information
-db Database status/state
-x Resources used
-p OS Patches applied to TPAM
-u Appliance uptime
-h Usage information (a list of these options)
-i Appliance information
Multiple options are not currently supported.

GetTestQueue
Returns the number of systems in the test queue.

ListBackups
Lists available online backup files.

Restore <filename>
Restore TPAM using the specified backup file.

Shutdown [option]
Shutdown or reboot the appliance. Options: /R (shutdown with reboot), /N (shutdown with no reboot)

UnlockAdminUser <username>
Unlocks an administrator account.

ViewLog [option]
Returns the specified log. Options: -restore, -backup, -patch

Examples:

The command:
ssh -i admin [email protected] getstatus -db
Produces the following result:
The Current State of SQLSERVERAGENT is Running
The Current State of MSSQLSERVER is Running
Current DB Mode: ONLINE/READ_WRITE
Recovery Status: BULK_LOGGED
Last Started: 2005-03-18 07:54:47.217

The command:
ssh -i admin [email protected] getstatus -u
Produces the following result:
System Uptime: 57 Days 5 hours 20 mins 52 Seconds

Interpreting returned values from CLI commands

In addition to providing system metrics and information, the CLI also provides a method to monitor the health and welfare of TPAM. The getstatus command options will return expected results containing useful system information, or an error that indicates a system problem.

getstatus -db
Typical return values will be:
The Current State of SQLSERVERAGENT is Running
The Current State of MSSQLSERVER is Running
Current DB Mode: ONLINE/READ_WRITE
Recovery Status: SIMPLE
Last Started: 2005-07-12 09:35:05.983

This message indicates that the database of TPAM is operating as expected.

Return values that may indicate a problem:

The Current State of SQLSERVERAGENT is Stopped
Indicates that the SQLServer Agent service is not running on the TPAM. Without the SQLServer Agent running, TPAM will not be able to perform certain critical tasks, such as backups and background processing (password changes, batch report production, etc.).
Resolution: Reboot (Shutdown/Restart) TPAM.

Could not connect initiate request, Error connecting to database.
Indicates that the TPAM database is not running, or that TPAM itself is down. All of TPAM’s functions rely on the database, and therefore TPAM will be unavailable for use.
Resolution: Recycle power on the appliance (cold boot).
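As an added example, not part of the manual, a Python health check that classifies getstatus -db output exactly as the interpretation table above does, so an automated process calling the CLI can raise the right finding. The sample outputs are constructed from the example results shown in this appendix; build_command only assembles the argv for the documented ssh syntax and the example does not contact an appliance.

```python
import re

# Constructed sample outputs, copied from the example results in this appendix.
HEALTHY_DB = """\
The Current State of SQLSERVERAGENT is Running
The Current State of MSSQLSERVER is Running
Current DB Mode: ONLINE/READ_WRITE
Recovery Status: SIMPLE
Last Started: 2005-07-12 09:35:05.983
"""
AGENT_STOPPED = HEALTHY_DB.replace("SQLSERVERAGENT is Running", "SQLSERVERAGENT is Stopped")
DB_DOWN = "Could not connect initiate request, Error connecting to database.\n"

SERVICE = re.compile(r"The Current State of (\S+) is (\w+)")
FIELD = re.compile(r"^([^:]+):\s*(.+)$")


def build_command(keyfile, userid, host, option):
    """argv for: ssh -i [keyfile] [userid]@[PAR-address] getstatus [option]"""
    return ["ssh", "-i", keyfile, f"{userid}@{host}", "getstatus", option]


def parse_db_status(output):
    """Split getstatus -db output into service states and name/value fields."""
    status = {"services": {}, "fields": {}}
    for line in output.splitlines():
        m = SERVICE.match(line)
        if m:
            status["services"][m.group(1)] = m.group(2)
            continue
        m = FIELD.match(line)
        if m:
            status["fields"][m.group(1).strip()] = m.group(2).strip()
    return status


def assess_db_status(output):
    """Classify output as the manual does; return (healthy, finding, resolution)."""
    if "Error connecting to database" in output:
        return (False, "TPAM database is not running, or TPAM itself is down",
                "Recycle power on the appliance (cold boot)")
    services = parse_db_status(output)["services"]
    agent = services.get("SQLSERVERAGENT")
    if agent != "Running":
        return (False, f"SQLSERVERAGENT is {agent or 'absent from output'}: backups and "
                "background processing will not run",
                "Reboot (Shutdown/Restart) TPAM")
    # Any other service not reporting Running is outside the cases the manual
    # lists; surface it without guessing at a remedy.
    other = [f"{name} is {state}" for name, state in services.items() if state != "Running"]
    if other:
        return (False, "; ".join(other), "not covered by the manual, investigate")
    return (True, "database operating as expected", "none")
```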


Appendix C: Relocating/Readdressing TPAM

If it becomes necessary to relocate and readdress either TPAM appliance, or both, follow these instructions to help ensure a smooth and trouble-free move. The steps used for a replica appliance are the same you would use if you have a non-failover replica configured.

If you received your appliance after March 25, 2010 please disregard the steps below pertaining to the firewall card.

Before making any changes to either appliance, please perform these steps:

• Verify communication/replication between the HA Pair.

• Force a full backup (using the Backup Now option). Allow the backup to complete and replicate from the Primary to the Replica.

• From the HA Config/HA Settings page, disable the auto-failover option.

Moving / Readdressing the REPLICA

1. Put the Replica into Primary mode. The preferred method for making this change is to login to the /paradmin interface of the primary and navigate to the System Status Settings HA Config HA Settings page in order to change the replica’s mode. The other available option for changing the replica’s mode is to access the /forcereplica.asp page on the replica via the parconfig interface.

2. Access /parconfig Network Settings of the Replica.

3. Change all Replica IP addressing. This includes the firewall address, default gateway, etc.

   a. Be sure that all information is accurate and that no empty fields exist, even if re-entering the same current data is necessary. This applies to the data for both devices.

4. Perform a reboot of the Replica (shutdown/restart) using the Shutdown menu option. DO NOT simply shut down by powering the unit off. This could result in the loss of the new IP configuration!

5. Once your Network settings changes have been completed, you will need to update the replica’s new IP address within the primary’s System Status Settings HA Config HA Settings page in order for the primary to communicate with the replica.

Moving / Readdressing the PRIMARY

1. Access the /parconfig Network Settings of the Primary.

2. Change all IP addressing for the Primary. This includes the firewall address, default gateway, etc.

   a. Be sure that all information is accurate and that no empty fields exist, even if re-entering the same current data is necessary. This applies to the data for both devices.

3. Using the Shutdown menu option, perform a shutdown of the Primary. It is now ready to be moved. DO NOT simply shut down by powering the unit off. This could result in the loss of the new IP configuration!


Appendix D: TPAM Appliance Hardware Specifications

Feature/Spec | TPAM Standard / DPA | TPAM Resilient | TPAM Enterprise
Processor | 1 Quad-core Intel® Xeon® processor 3400 series | 1 Quad-Core Intel® Xeon® processor 3400 series | 2 Quad-Core Intel® Xeon® processors 5500 series
# Processors | 1 | 1 | 2
# Cores Per Processor | Quad | Quad | Quad
L2/L3 Cache | 8 MB | 8 MB | 8 MB
Chipset | Intel® 3420 chipset | Intel® 3420 | Intel® 5520
DIMMs | 4 DDR3 Unbuffered w/ECC 1333/1066 MHz | DDR3 6 R-DIMMs or 4 U-DIMMs 1333/1066/800 MHz | 4+4 DDR3 Unbuffered w/ECC or Registered w/ECC 1333/1066/800 MHz
RAM | 2 GB Min | 2 GB Min | 4 GB Min
HD Bays | 2 x 3.5” or 2 x 2.5” | 4 x 3.5” | 4 x 3.5”
HD Types | Default SATA | SATA/SAS/SSD | SAS add-in controller
Internal HD Controller | Chipset based SATA Intel® 3420 | PERC S100 (Embedded SW RAID) | Chipset-based SATA
Disk | 250 GB SATA | 2 x 500 GB | 4 x 300 GB SAS
Availability | ECC Memory, TPM | ECC Memory, Hot-swap HDD; Redundant PSU, TPM | Hot-swap HDD; Redundant PSU; Memory mirroring, TPM
I/O Slots | 1 x PCIe x8 | 1 x PCIe x8 | 1 x PCIe x16 (True x16, Gen2); full height, half length
RAID | None | RAID 1 Mirrored | RAID 10
NIC/LOM | 2x GbE LOM | 2x GbE LOM | 2x GbE LOM
DRAC | iDRAC6 | iDRAC6 | iDRAC6
USB | 2 front/2 rear/2 internal | 2 rear/2 front/2 internal | 2 front/2 rear/2 internal
Power Supplies / Power details | Non-redundant, energy efficient 250W, Auto Ranging (100V~240V), ACPI compatible | Redundant, 400W, (100V~240V), ACPI compatible | Redundant, 500W, Auto Ranging (100V~240V), ACPI compliant
Fans | 3 Non-redundant, non-hot-swappable | 3 Non-redundant, non-hot-swappable | 4 Non-redundant, non-hot-swappable
Chassis | 1U rack | 1U rack | 1U rack
Dimension (HxWxD) | 42.6 x 431 x 393.7 mm (w/o ear and bezel); 1.67” x 17.1” x 15.5” | 42.4 x 434.0 x 610 mm (w/o bezel); 1.67 x 17.10 x 24.00 in | 43.0 x 434.0 x 627.1 mm (w/o ear, w/o bezel); 1.69 x 17.09 x 24.69 in
Weight | Max. 17.76 lbs (8.058 kg) | Max. 33.02 lbs (15 kg) | Max. 62.61 lbs (28.4 kg)
Misc. | Intrusion switch detects when cover is opened, Hyper-threading (8 threads), 128x20 LCD status panel | Intrusion switch detects when cover is opened, simultaneous multi-threading, status LCD module |
Operating Temp | 10° to 35°C | 10° to 35°C | 10° to 35°C
Regulatory Certifications (additional country certification information available upon request) | Class A: Australia / N. Z. – AMCA or C-Tick; Canada – SCC, ICES; European Union – CE; Germany – TUV; United States – FCC, NRTL | Class A: Australia / N. Z. – AMCA or C-Tick; Canada – SCC, ICES; European Union – CE; Germany – TUV; United States – FCC, NRTL | Class A: Australia / N. Z. – AMCA or C-Tick; Canada – SCC, ICES; European Union – CE; Germany – TUV; United States – FCC, NRTL