Installation Guide Enterprise Random Password Manager v4.83.8 SR2
Copyright 2003-2014 Lieberman Software Corporation. All rights reserved. The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software. Microsoft, Windows, Word, Office, SQL Server, SQL Express, SharePoint, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners. Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067 310.550.8575 Internet E-Mail: support@liebsoft.com Website: http://www.liebsoft.com
CONTENTS

INTRODUCTION ... 7
  Overview ... 7
  Performance Notes ... 8
  License Agreement ... 9
  Limited Warranty ... 10
  Background and Goals ... 10
PREREQUISITES ... 13
  Recommended Knowledge ... 14
  Solution Host System Requirements ... 14
  Solution Web Services Requirements ... 16
  Solution Database Requirements ... 19
    MS SQL Requirements for Solution ... 19
    Oracle Requirements for Solution ... 20
  Solution Service Accounts ... 22
  Managed Database Pre-requisites ... 23
  Managed Computers and Devices Pre-requisites ... 26
  Port Requirements ... 27
INSTALLATION OF PREREQUISITES ... 31
  Installing and Configuring IIS ... 33
    Installing IIS ... 34
    Required Web Components on a Non-Web Server ... 41
    Enable ASP Support ... 47
    Enable ASP.NET Support ... 50
    Enable IIS6 Compatibility Support ... 54
  How to Configure SSL ... 58
    SSL with IIS - With an Existing Cert ... 58
    SSL with IIS - No Existing Cert ... 61
  MS SQL and Oracle ... 71
    SQL 2008 Installation ... 71
    Oracle 11g Installation ... 89
  Database Connectors ... 104
    Microsoft SQL ... 104
    Oracle ... 104
    Sybase ASE ... 112
    MySQL ... 123
    DB2 ... 129
  Remote COM+ and IIS Access ... 138
    Windows 2008 & Later Remote COM+ Access ... 138
    Configure the COM Object and Deferred Processor Account ... 145
    Granting Rights to the Database ... 158
INSTALLATION ... 161
  Management Console Installation ... 162
    Component Overview ... 162
    Quick Installation ... 165
    Mini-Setup ... 171
    Configuring ERPM Datastore for HA Configurations with MS SQL Server ... 180
    Configuring ERPM Datastore for HA with Oracle Database Servers ... 187
    Configuring SSL Encryption to the Database ... 188
    Encryption Settings ... 189
    HSM Troubleshooting ... 194
    Controlling Access to the Admin Console ... 200
  Web Application Installation ... 204
    Web Application Overview ... 204
    Web Application Authentication and Delegation ... 206
    Web Application Security ... 207
    Web Application Installation Dialog ... 208
    Web Application Settings ... 210
      App Options ... 210
      Password Access ... 213
      File Store Settings ... 217
      Account Elevation ... 218
      Security ... 220
      User/Session Management ... 223
      Remote Sessions ... 225
      Console Display ... 229
      User Dashboards ... 231
    Web Application - Post Installation ... 234
      Integrated Authentication ... 234
    Web Application - Updating Settings ... 237
    Manual Web Application Installation ... 239
      1. Manually Configure the Web Files ... 239
      2. IIS 7 and ASP Pages ... 241
      3. Configure IIS Directories ... 246
      4. File Store Manual Setup ... 249
      5. COM+ Identity Wrapper ... 253
      6. COM Components ... 257
      7. Website Configuration Options and Settings ... 259
  Two Factor Authentication Configuration ... 261
    OATH 2-Factor ... 262
      OATH Tokens ... 264
      Additional OATH Resources ... 269
      OATH With Existing Tokens ... 270
      OATH Without Existing Tokens ... 274
      Configuring OATH Requirements for Management Console Access ... 280
      Configuring OATH Requirements for Web Interface Access ... 282
    PhoneFactor ... 284
    RADIUS 2-Factor ... 289
      RADIUS 2-Factor for Explicit Accounts ... 294
    RSA SecurID ... 300
      Configuring RSA SecurID ... 306
      RSA SecurID Configuration Verifier ... 309
      Configuring RSA SecurID Requirements for Management Console Access ... 310
      Configuring RSA SecurID Requirements for Web Interface Access ... 311
      Troubleshooting RSA SecurID Configuration ... 315
UPGRADE INSTRUCTIONS ... 329
  Upgrade Notes ... 348
INDEX ... 349
INTRODUCTION

This chapter gives an overview of Enterprise Random Password Manager (ERPM), the problems it is designed to solve, performance information, the prerequisite knowledge expected of the installer, and some background on Windows. It also contains the license and warranty information for ERPM.

IN THIS CHAPTER
Overview ... 7
Performance Notes ... 8
License Agreement ... 9
Limited Warranty ... 10
Background and Goals ... 10

OVERVIEW

Enterprise Random Password Manager is a privileged account management platform. It is designed to find and manage systems and devices, building a CMDB of the customer network in the process. Once systems and devices are discovered, ERPM manages the identities (accounts and passwords) on them on a regular schedule and provides access to those credentials as needed, in a controlled and audited fashion.

ERPM functions as a standalone solution, capable of managing platforms on its own. It also functions as a platform, able to integrate with, operate, or be operated by external programs, provisioning and workflow systems, and more.

ERPM changes passwords not only for simple accounts such as root or Administrator, but also for service accounts used to run services, tasks, COM and DCOM objects, scripts, configuration files, and more. Once a service account password is changed, ERPM propagates the new password to every referenced location without an administrator having to define each place the account is used.

Beyond password management, password vaulting, and session management, ERPM also provides:

Account escalation - the ability to add a user to a pre-defined group with higher privileges than the user would normally have on a target system, and then automatically remove that access.

Secure file storage - the ability to upload any file (password spreadsheets, digital certificates, instructions, and more) and store it as an encrypted data blob in the program's secure data store. After a file is uploaded, an ACL system defines which users may retrieve it, and every access to the file is audited.

Orchestration - ERPM can run headless, controlled programmatically. This permits tight integration with other systems such as workflow engines and run-book orchestration for user and system provisioning and de-provisioning, and gives programmatic access to almost all functions. This control is provided via SOAP-based web services and PowerShell; any program or language that can call the web service or PowerShell can drive ERPM.

Privileged Account Management - session-based control of privileged accounts to run specific programs against specific hosts. Via the optional bastion server model, any program, website, script, etc. may be run in a controlled and secured environment, giving users access to specific systems on trusted or untrusted networks using specific tools with specific feature sets. Users get the tool set needed to do the job without direct access to the system or to the credential itself.

Session Recording - building on privileged account management, sessions run through the optional bastion host can be recorded for later playback and audit of the actions the user took during the session. This helps with auditing mandates as well as training.

PERFORMANCE NOTES

Enterprise Random Password Manager is a multi-threaded product designed with scalability and speed in mind for every operation. At the default setting of 100 threads (100 simultaneous connections) on a well-connected network (100 Mbps) where all systems are reachable, password change performance is typically 400 machines per minute for a simple password change (not including propagation steps). This is not a guarantee of service: offline systems, high latency, low bandwidth, and unhealthy target systems will all reduce throughput.

When running on Windows Server 2008 R2, the maximum thread count can be set as high as 200-250 simultaneous threads. On Windows Server 2012 and later the thread count may go higher still, and with much greater reliability. Threading can be tuned up or down by changing the maximum number of threads dispatched, in the Program Options dialog under Settings > Program Options. Variations in customer environments and the hardware provided may permit more simultaneous threads or may require the thread count to be turned down.

All scheduled operations and job retries are handled in the background by a deferred processor service. Most clients using the default settings see traffic comparable to NetBIOS-type traffic, at about 2% of available bandwidth during an operation, if they notice any effect on network traffic at all. Target machine impact (CPU, memory, disk, network) is typically not felt, but varies with the type of operation performed (for example, changing an account password versus restarting a service).
LICENSE AGREEMENT

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation as well as all accompanying items promptly for a refund.

1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of Enterprise Random Password Manager to control the licensed number of systems and/or devices.

2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software.

3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software Corporation of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software Corporation under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for the use of any or all of the information by Lieberman Software Corporation or any third party.

When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067
310.550.8575 Internet E-Mail: support@liebsoft.com Website: http://www.liebsoft.com

LIMITED WARRANTY

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30 days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media. The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages. Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation or for the consequences of any such errors. This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write: Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067. You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or e-mail us at: sales@liebsoft.com.

BACKGROUND AND GOALS

The Need for Strong Local Credentials

Organizations with even the most basic need for access security should use unique local logon credentials, customized for each workstation and server in their environment. Unfortunately, most organizations use common credentials (the same user name and password for the built-in administrator account) on every system, because that makes it easy for the IT department to create and manage those systems, without considering the consequences to the organization should those common credentials be compromised. With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, the California Security Breach Information Act, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, implementing local logon credentials that are reasonably hard to compromise is mandatory for most organizations, both to protect the confidentiality of their data and to protect against tampering.

Creating Strong Local Credentials

Lieberman Software's Enterprise Random Password Manager can change any common account on all workstations and servers in just a few minutes, without scripts or any other program. The new credentials are stored in a local or remote SQL Server database and can be recovered on demand through the password recovery website. ERPM can be configured to change the passwords of common accounts on all target systems (for example, the workstation built-in administrator account) on a schedule, so that each account receives a fresh, cryptographically strong password regularly. This protects the overall security of the organization: the compromise of a single machine's local administrator password no longer leads to the total compromise of the entire organization's security.

ERPM also automatically discovers all references to a specified account, such as services, tasks, COM and DCOM objects, and more, and after a password change for a user's account, whether domain or local, propagates the new password to all those references.

Delegated Password Recovery

ERPM also contains a web interface for the remote recovery of passwords. The web interface is a web application comprised of ASP and ASP.NET pages that allows any user with the appropriate group memberships to use the application and to recover passwords for accounts managed by the program. All access to the web application and all password recoveries are logged, and the history is available through the same web interface to authorized users. Because this application protects and provides extremely sensitive information, it is essential to pay particular attention to the security settings of the application and to use appropriate encryption, such as SSL, based on the scope of access provided. For more information on security hardening, refer to the proposed options for server hardening: http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/546-server-hardening-guide.html
PREREQUISITES

If you are looking to migrate from Random Password Manager (as opposed to Enterprise Random Password Manager) to ERPM, contact your account representative for assistance. If you are under a current support contract, Lieberman Software will assist with a one-time migration free of charge.

This section provides basic instructions to get Enterprise Random Password Manager installed and managing passwords in the shortest amount of time. Components such as the website, the management console, and potentially the database may be on separate systems or share one. To perform a successful installation, the following are required:
- Windows Server 2008 R2 or later; Windows Server 2012 R2 is recommended
- Internet Information Services (IIS) 7.5 or later, with Active Server Pages support enabled
- MS SQL 2005 or later, or an Oracle 11g database (SQL Express is fine for testing)
- .NET Framework v3.5 SP1
- .NET Framework v4.x
- A privileged account for the COM application(s) and the deferred processor (these can be the same account)
- Specific communication ports
- Additional supporting files

The following sections outline the requirements and rights needed to perform a successful installation of ERPM, broken down by ERPM component. If multiple components will be installed on a single system, the requirements of all of those components must be met on that host.

The solution is an N-tier product whose individual components can, and resources permitting should, be distributed across multiple systems. The product is supported in physical, virtual, or mixed physical-virtual environments. The virtual host platform is irrelevant to support of the product; however, virtual host configurations can severely impact or impede the product, since host and guest configuration affects every component of the virtual guest running it.
IN THIS CHAPTER
Recommended Knowledge ... 14
Solution Host System Requirements ... 14
Solution Web Services Requirements ... 16
Solution Database Requirements ... 19
Solution Service Accounts ... 22
Managed Database Pre-requisites ... 23
Managed Computers and Devices Pre-requisites ... 26
Port Requirements ... 27

RECOMMENDED KNOWLEDGE

ERPM uses a management console application in conjunction with a local service to set up the recurring password change jobs. Setting up the web application, which gives access to the password store through the web interface, means deploying an IIS web application: COM objects and a collection of ASP and ASP.NET files set up in a virtual directory on the web server. The web server must be Microsoft Internet Information Services. A Microsoft SQL Server or Oracle database is required to store program data.

While Lieberman Software provides documentation and support for setting up and configuring ERPM with the technologies it uses, you will also need working knowledge of the program datastore and the target databases, IIS web server technology, network administration, and networking in general, since all of these are used by the solution. Each of these elements must be patched, secured, and properly configured to ensure that the password store system is not compromised.

SOLUTION HOST SYSTEM REQUIREMENTS

This section covers requirements for the console/deferred processor tier of ERPM. Requirements for the password retrieval website are covered in the next section.

A Windows Server operating system is required for a production installation of ERPM. The solution works equally well on a physical server or a virtual machine. For lab/testing environments, a workstation-class operating system such as Windows Vista Business or Windows 7 Professional will suffice. All Service Pack levels and editions are supported except where specifically noted. Supported versions of Windows:
- Windows Server 2012 R2 (the recommended host platform)
- Windows Server 2012
- Windows Server 2008 R2
- Windows 8.1 Professional or higher, 64-bit version*,**
- Windows 8 Professional or higher, 64-bit version*,**
- Windows 7 Professional or higher, 64-bit version*,**

*These versions are not recommended or supported for a production implementation and should only be used for testing.
**ERPM is a 32-bit application and runs under WOW64 on a 64-bit system; it is certified by Microsoft to run on these versions.

Keeping in mind best practices for Windows and MS SQL hardware requirements, in addition to what the host and its other services need, ERPM itself requires at minimum:
- 512 MB of RAM
- Approx. 500 MB of hard drive space to install***
- Intel or AMD multi-core processor or multi-CPU system
- .NET Framework version 3.5 with Service Pack 1
- .NET Framework version 4.x

These minimums should be exceeded. The recommended minimum configuration is:
- Windows Server 2012 R2
- 2 GB of RAM for the ERPM application
- 4 GB+ of hard drive space for local log files
- Intel or AMD multi-core or multi-processor/multi-core CPUs
- 4 GB+ of RAM for the program database
- .NET Framework version 3.5 with Service Pack 1
- .NET Framework version 4.5
- 32-bit Java v1.5

***This does not include space required by log files. Logging is enabled by default and log files can consume enormous amounts of space over time.

This manual does not cover installation of Windows.

If using Windows Server 2008 R2 or later as the ERPM host, there are inconsistencies in the remote COM+ management interfaces when managing COM+ on Windows 2000 target machines. For more information, including how to address the issue, read the following article: http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/491-stub-receivedbad-data-when-propagating-windows-2000-a.html

If managing databases other than Microsoft SQL, the most recent 32-bit OLEDB providers, typically available from the DB vendor or its installation media, must be installed.

Before installing ERPM, the .NET Framework must be installed: specifically version 3.5 SP1 AND version 4.x. Version 3.5 SP1 is included in Server 2008 R2, and version 4.x must be installed separately on operating systems prior to Windows Server 2012. Windows Server 2012 requires additional steps to install version 3.5 SP1. The .NET Framework is used by some propagation types, such as Microsoft SCOM, and by some of the cross-platform support features. Obtaining the latest version and service packs of the .NET Framework is highly recommended.

ERPM also ships with a Java-based SDK for application-to-application and application-to-database secure password management, available for both Windows and non-Windows operating systems. Java 1.5 or higher, 32-bit edition, is required to use it; if Java 1.5+ is not installed, the Java SDK is not available to ERPM. If there are no plans to use the Java SDK, there is no need to install Java on the host system or on target systems.

If integrating with System Center Service Manager (SCSM) 2010, the SCSM SDK binaries must be copied from the SCOM installation directory into the ERPM installation directory.

Virtual environments are fully supported for all components of the solution. However, performance may be severely limited depending on the virtual environment relative to the environment being managed. Typically the application(s) and website(s) are virtualized while the database runs on a physical system. For more information on HA, DR, and basic security comments, refer to the following knowledge base article: http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/59-disaster-recovery-security-high-availability.html

Note: As of version 4.83.8, Enterprise Random Password Manager is no longer supported on Windows Server 2008 (non-R2 versions). Version 4.83.7 and earlier ran on Server 2008 (non-R2) 64-bit editions only.

SOLUTION WEB SERVICES REQUIREMENTS

This section covers requirements for the password retrieval website tier of ERPM. Requirements for the management console/deferred processor are covered in the previous section.
On each machine that will function as a web host, change the following policy (gpedit.msc): Computer Configuration > Administrative Templates > System > User Profiles > Do not forcefully unload the users registry at user logoff = Enabled.

If this change is not made on the web host(s), the website's COM+ application may stop working over time: a DCOM error (event ID 10006) is logged in the web server's application event log and the website stops functioning, reporting that it cannot retrieve the list of authenticators from the database.

Web host requirements:
- IIS 7.5 or later (detailed requirements below)
- .NET Framework version 3.5 with Service Pack 1
- .NET Framework version 4.x

Internet Information Services (IIS) with support for Active Server Pages must be installed on the system that will host the ERPM website. Supported versions of IIS:
- IIS 7.5
- IIS 8.0
- IIS 8.5

IIS 7.5 and 8.x require the following role services when configuring IIS:
- Static Content
- Default Document
- HTTP Errors (required for the file vault)
- ASP.NET (v4.5)
- ASP (Active Server Pages)
- Static Compression (optional)
- IIS Management Console (not the IIS 6 version)
- IIS 6 Metabase Compatibility
- Windows Authentication (optional; required if using Windows integrated authentication)

Installation and configuration of IIS is covered in the next section.

Note: As of version 4.83.8, Enterprise Random Password Manager is no longer supported on Windows Server 2008 (non-R2 versions). Version 4.83.7 and earlier ran on Server 2008 (non-R2) 64-bit editions only.

The management console can push the website out to a remote web server. If the website will be hosted on a different system from the management console, remote COM+ access must be enabled on the web server to support an automated installation of the website. For information on how to enable this access, see the Remote COM+ and IIS Access section of this guide (page 138).
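The web host preparation described above, as an added PowerShell example that is not part of this guide: it applies the "Do not forcefully unload" policy through the registry value that Group Policy itself writes, installs the listed IIS role services under their Server Manager feature names on Windows Server 2012 R2, and then checks the result. The install media path D:\sources\sxs and the Server 2012 R2 target are assumptions; on Server 2008 R2 the ASP.NET feature is named Web-Asp-Net instead.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ERPM guide): prepare a Windows Server 2012 R2
# web host for the ERPM website and verify the result. Run in an elevated
# PowerShell session on the web host itself.
Import-Module ServerManager

# 1. Registry equivalent of the policy
#    Computer Configuration > Administrative Templates > System > User Profiles >
#    "Do not forcefully unload the users registry at user logoff" = Enabled.
#    Group Policy stores it as the DisableForceUnload DWORD (1 = Enabled).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name DisableForceUnload -Value 1 -Type DWord

# 2. IIS role services from the guide's list, by Server Manager feature name.
#    Web-Asp-Net45 = ASP.NET 4.5, Web-ASP = classic ASP, Web-Metabase = IIS 6
#    metabase compatibility, Web-Mgmt-Console = the IIS 7+ manager (not the
#    legacy Web-Lgcy-Mgmt-Console). Web-Windows-Auth is only needed when the
#    site uses integrated Windows authentication.
$features = @(
    'Web-Server', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
    'Web-Asp-Net45', 'Web-ASP', 'Web-Stat-Compression',
    'Web-Mgmt-Console', 'Web-Metabase', 'Web-Windows-Auth'
)
# .NET 3.5 SP1 is not on the Server 2012 image: -Source must point at the
# sources\sxs folder of the install media (path is an assumption).
Install-WindowsFeature -Name NET-Framework-Core -Source 'D:\sources\sxs'
Install-WindowsFeature -Name $features

# 3. Verification. Anything reported here means the website will fail later:
#    classic ASP pages are not served, the file vault's error pages are
#    missing, or the installer cannot reach the IIS 6 metabase interface.
$required = $features + 'NET-Framework-Core'
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ('Missing role services: ' + ($missing.Name -join ', '))
} else {
    Write-Host 'All required IIS role services and .NET 3.5 are installed.'
}

$policy = Get-ItemProperty -Path $policyKey -Name DisableForceUnload -ErrorAction SilentlyContinue
if ($policy.DisableForceUnload -ne 1) {
    Write-Warning 'DisableForceUnload is not set; expect DCOM 10006 and COM+ failures over time.'
}

# 4. Diagnostic: has the symptom the guide describes already occurred?
#    DCOM event 10006 is written by the DistributedCOM provider.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System', 'Application'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10006
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Setting the registry value directly is equivalent to the gpedit.msc step for a standalone host; on a domain-joined host, put the same policy in a GPO that targets the web servers, otherwise a later policy refresh may remove the local setting.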
SOLUTION DATABASE REQUIREMENTS

A Microsoft SQL Server or Oracle database is required at installation time and serves as ERPM's storage and configuration database; all system lists, system information, account information, stored passwords, etc. are kept in it. During installation you can use an existing database installation or deploy a new instance, either on the same server or on a different server (a different server is recommended).

As far as Lieberman Software's recommendation goes, both databases are excellent choices depending on available resources, licensing, and in-house support staff. Some notes on each:

When using an Oracle back end, it is essential that the Oracle DBA tune the database to reach the level of performance being sought. Oracle provides tools to support this tuning, but the tuning itself must be performed by your DBA; there is nothing Lieberman Software can build into ERPM to achieve it. SQL Server, by comparison, tunes itself automatically and does not generally require a DBA.

Oracle achieves scalability by allowing almost everything in it to be configured manually. By default it also starves many applications of resources, so a DBA must parcel resources out to each application. There are no rules of thumb or general-purpose guidance for Oracle beyond this: if ERPM is not performing sufficiently, engage the Oracle DBA to optimize the database for it. Oracle works well with ERPM, but it requires an Oracle DBA to manage the database.
MS SQL REQUIREMENTS FOR SOLUTION

Supported versions of MS SQL:
- MS SQL 2014 and MS SQL 2014 Express*
- MS SQL 2012 and MS SQL 2012 Express*
- MS SQL 2008 R2 and MS SQL 2008 R2 Express*
- MS SQL 2008 and MS SQL 2008 Express*
- MS SQL 2005 and MS SQL 2005 Express*

Both 32-bit and 64-bit versions of Microsoft SQL Server are supported. Standard and Enterprise editions are supported. SQL 2012 or later is strongly recommended.

*SQL Express editions are not recommended or supported for production implementations and should be used for testing only. SQL Express also configures itself to listen on a dynamic (random) TCP port during installation; this port number is required to complete the ERPM installation.

Installation and configuration of MS SQL is covered in the next section.

Use integrated (Windows) authentication or explicit SQL authentication. Integrated authentication is the preferred connection method because the host system then does not have to store any connection credentials.

If a dedicated SQL instance is provided to ERPM or RPM, simply grant the connecting account either:
- the SYSADMIN server role, or
- the CONTROL SERVER server permission.

Either one allows the account to perform all actions within that instance, including creating the required databases and stored procedures, all other features of the main application, and backup and restoration.

If granting SYSADMIN or CONTROL SERVER on the instance is not desired or permitted, the DBA must pre-create the database that ERPM will use, and the SQL account or Windows users/groups must be granted the following over the ERPM database. Either:
- the DBO (db_owner) database role, plus
- the VIEW SERVER STATE server permission

or:
- the db_datareader database role
- the db_datawriter database role
- the db_ddladmin database role
- the VIEW SERVER STATE server permission
- the EXECUTE database permission
- the CREATE TABLE database permission
- the CREATE VIEW database permission

ORACLE REQUIREMENTS FOR SOLUTION

Supported versions of Oracle:
Prerequisites 21 Oracle Database 11g R1, 32bit Oracle Database 11g R1, 64bit Oracle Database 11g R2, 32bit Oracle Database 11g R2, 64bit Standard Edition One, Standard Edition, Enterprise Edition are supported. The Oracle database may be hosted on a Windows or non-windows platform. Enterprise Random Password Manager will require its own table space and must be granted an unlimited quota on this table space. The following rights will be required by the account used to connect to the Oracle database: CONNECT CREATE TRIGGER CREATE SEQUENCE CREATE TABLE CREATE VIEW Oracle uses overly conservative initial configurations for a heavily threaded product such as ERPM. In a default configuration where ERPM is spawning at least 100 threads to the database, this can cause the database to run out of resources resulting in failed jobs (incomplete password changes). This behavior is easily seen and replicated by trying to do things such as changing passwords across a largish number of systems. One way to combat this is to drop the thread count down to 40 (Settings Program Options) for ERPM. This has the effect of slowing down the job processing while increasing the likelihood of a successful job (as far as the DB is concerned). Another [highly recommended] option is to change the memory and thread allocation to the oracle database. Start with: show parameter memory show parameter process This will give you your baseline settings. To change the allocations use: alter system set memory_target=xxxxm scope=spfile; alter system set processes=yyyy scope=spfile; Where xxxx is the amount of memory allocated to the database and yyyy is the number of threads. We recommend a value of 2000 or much higher for the memory and a minimum value of 1000 threads. Note: The Oracle 11g R2 OLEDB provider (version 11.2.0.3) does not properly register on Windows servers. 
If using this version of the OLEDB provider, please also run the following command after installation of the Oracle OLEDB provider on your Windows server: regsvr32 <OracleHome>\bin\OraOLEDB11.dll
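The MS SQL Requirements above, as an added worked example that is not part of this guide: a PowerShell script that drives T-SQL through Invoke-Sqlcmd (from the SqlServer module) to provision the ERPM connection account against a DBA-pre-created database with the minimum set of roles and permissions listed (no SYSADMIN or CONTROL SERVER), then impersonates the login to report what it effectively holds. The instance, database and account names are assumed placeholders, the SqlServer module is assumed to be installed, and the caller is assumed to be a SQL sysadmin.

```powershell
# Added example (not part of the Lieberman guide). Grants the reduced rights listed in the
# MS SQL Requirements section to the ERPM connection account on a DBA-pre-created database.
# Assumptions: SqlServer PowerShell module installed (Install-Module SqlServer); the caller
# is a SQL sysadmin; the instance/database/account names below are placeholders.
$Instance   = 'SQL01\ERPM'            # assumed dedicated named instance
$Database   = 'ERPM'                  # pre-created by the DBA
$SvcAccount = 'CORP\svc-erpm-com'     # assumed Windows account used for integrated authentication

$grant = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SvcAccount')
    CREATE LOGIN [$SvcAccount] FROM WINDOWS;
-- Server-scoped permission the product needs even without SYSADMIN
GRANT VIEW SERVER STATE TO [$SvcAccount];

USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SvcAccount')
    CREATE USER [$SvcAccount] FOR LOGIN [$SvcAccount];
-- Minimum set from the guide: three fixed database roles plus explicit permissions.
-- (SQL 2008 and earlier: EXEC sp_addrolemember 'db_datareader', N'$SvcAccount' instead of ALTER ROLE.)
ALTER ROLE db_datareader ADD MEMBER [$SvcAccount];
ALTER ROLE db_datawriter ADD MEMBER [$SvcAccount];
ALTER ROLE db_ddladmin   ADD MEMBER [$SvcAccount];
GRANT EXECUTE, CREATE TABLE, CREATE VIEW TO [$SvcAccount];
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $grant

# Verification: impersonate the login and list its effective permissions at server and
# database scope. Expect VIEW SERVER STATE at server scope, CREATE TABLE / CREATE VIEW /
# EXECUTE at database scope, and no CONTROL SERVER anywhere.
$verify = @"
EXECUTE AS LOGIN = N'$SvcAccount';
SELECT 'SERVER'   AS scope, permission_name FROM fn_my_permissions(NULL, 'SERVER')
UNION ALL
SELECT 'DATABASE' AS scope, permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $verify |
    Format-Table scope, permission_name -AutoSize
```

Run the script once from a DBA workstation; the verification query is the check to repeat after any later permission change, since an account that unexpectedly reports CONTROL SERVER or ALTER ANY LOGIN has drifted away from the reduced-rights configuration this section describes.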
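The Oracle requirements above (dedicated tablespace, unlimited quota, the five privileges, and the memory_target/processes tuning), as an added worked example that is not part of this guide: a PowerShell wrapper that feeds a SQL*Plus script to sqlplus using operating-system authentication. It assumes it is run on the database host by a member of the ORA_DBA group, that the datafile path, sizes and schema name are placeholders to be adjusted, and it prompts for the schema password rather than embedding it.

```powershell
# Added example (not part of the Lieberman guide). Creates the ERPM schema owner in Oracle 11g
# with its own tablespace, unlimited quota and exactly the privileges listed above, then raises
# memory_target and processes to the recommended values. Assumptions: run on the database host
# as a member of ORA_DBA so SQL*Plus can use OS authentication (/ as sysdba); the datafile
# path, sizes and schema name are placeholders.
$cred = Get-Credential -UserName 'ERPM' -Message 'Password for the ERPM schema owner (prompted, not stored)'
$pw   = $cred.GetNetworkCredential().Password     # must not contain a double quote for this script
$DataFile = 'C:\oradata\ORCL\erpm_data01.dbf'     # assumed; use your own datafile location

$sql = @"
WHENEVER SQLERROR EXIT SQL.SQLCODE
-- Dedicated tablespace and a schema holding only the privileges ERPM needs
CREATE TABLESPACE erpm_data DATAFILE '$DataFile' SIZE 1G AUTOEXTEND ON NEXT 256M;
CREATE USER erpm IDENTIFIED BY "$pw" DEFAULT TABLESPACE erpm_data QUOTA UNLIMITED ON erpm_data;
GRANT CONNECT, CREATE TABLE, CREATE VIEW, CREATE SEQUENCE, CREATE TRIGGER TO erpm;
-- Baseline first, then the recommended allocations (SCOPE=SPFILE: effective after the next restart)
SHOW PARAMETER memory_target
SHOW PARAMETER processes
ALTER SYSTEM SET memory_target = 2000M SCOPE=SPFILE;
ALTER SYSTEM SET processes = 1000 SCOPE=SPFILE;
EXIT
"@
$sql | & sqlplus -S "/ as sysdba"
Remove-Variable pw, sql      # do not leave the password in the PowerShell session
```

WHENEVER SQLERROR EXIT makes sqlplus stop at the first failing statement and return a non-zero exit code, so a partially provisioned schema is visible from $LASTEXITCODE rather than silently ignored.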
SOLUTION SERVICE ACCOUNTS
Enterprise Random Password Manager is comprised of an N-tier architecture: database, management console, web server, and zone processors. All tiers may be on a single system or spread across multiple systems. The web site, management console, and zone processors are mutually exclusive in their operation. The web site and zone processors may use the same service account or separate service accounts with different permissions.

ERPM uses a COM+ object for its interactions from the web server to the application database. This object requires a privileged account. The account should be a domain member (as applicable) and have the following rights and memberships:
Administrator of the web server host system
Domain User*
Log on as a batch job
DBO rights for the application database, if using integrated authentication
*If multiple trusting domains will be managed by a single implementation of ERPM, the COM account must also be a trusted user for the target domain(s); otherwise manual configuration of an authentication bridge will be required. If a directory other than Active Directory is used for user authentication, this requirement may be skipped. Pre-configuration of this account is covered in the next section.

ERPM performs all scheduled jobs, such as password change jobs or password verification reports, using a service on the management console host system or a standalone service called a zone processor. This account should be a domain member (as applicable) and have the following rights and memberships:
Administrator of the management console host system
Log on as a service*
DBO rights for the application database if using integrated authentication (system admin of the DB is not required)
Administrative rights over target managed systems**
The account used to run the deferred processing service cannot be managed automatically by ERPM!
Managing this account with ERPM will cause the running job to be stopped mid-process, leaving the job in a locked and incomplete state. This will likely cause all scheduled jobs to stop running until manual intervention is taken.

An alternative to using a service account for the scheduling service is to configure the service to run as LocalSystem. This removes the password management requirement for the service. However, for this method to succeed, you must also grant permissions on the database to the computer account (ComputerAccountName$) and ensure the computer account is seen as an administrator of all managed systems. NOTE: If the computer account is added to a new group in Active Directory in order to provide these administrative rights, the computer must be restarted.

The website COM object must be configured to run as a user account, but this account can be automatically managed by ERPM.

* If the service account/interactive user account cannot be an administrator of the target systems, alternate administrative accounts will need to be configured for use by the tool. See the administrator's guide for steps on configuring alternate administrator accounts. If possible, avoid the use of alternate administrator accounts within Enterprise Random Password Manager when managing COM+ and DCOM objects, including scheduled tasks, as these interfaces do not allow for impersonation.

**The COM account, if it is a separate account from the deferred processing account, may need administrative rights over target Windows systems. This right becomes a requirement if the website option "Block password check-in if account is in use" is turned on. Enabling this option allows the COM object to enumerate all active sessions and determine whether the specified account is still logged in.

All accounts running components of ERPM, including users of the administrative console, must be allowed to "Create global objects". This user right is granted to Administrators by default via local security policy, but it is sometimes removed by group policy. ERPM creates and shares information between its components; if this right is not granted to the service accounts and users of the administrative console on the machine(s) hosting these components, the console or the components will not function.
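A way to verify the user-rights assignments described above on a given host, as an added example that is not part of this guide: the script exports the effective local security policy with secedit and reports, for each ERPM service account, whether "Create global objects", "Log on as a batch job" and "Log on as a service" are granted to the account directly, inherited through BUILTIN\Administrators, or missing (the case group policy produces). It must be run elevated on the host being checked; the account names are assumed placeholders.

```powershell
# Added example (not part of the Lieberman guide). Checks whether the ERPM service accounts hold
# the user rights named above by exporting the effective local security policy with secedit.
# Run elevated on the host being checked. Account names are placeholders.
$Accounts = @('CORP\svc-erpm-com', 'CORP\svc-erpm-dp')   # assumed COM account and deferred-processing account
$Required = @{
    'SeCreateGlobalPrivilege' = 'Create global objects'   # every ERPM component account and console user
    'SeBatchLogonRight'       = 'Log on as a batch job'   # COM+ account
    'SeServiceLogonRight'     = 'Log on as a service'     # deferred processor / zone processor account
}
$AdminsSid = 'S-1-5-32-544'                               # BUILTIN\Administrators

$cfg = Join-Path $env:TEMP 'erpm-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg                                # secedit writes UTF-16; Get-Content detects the BOM
Remove-Item $cfg -ErrorAction SilentlyContinue

function Get-RightHolders([string]$Right) {
    # Exported lines look like:  SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

foreach ($acct in $Accounts) {
    # Resolve the account to its SID, which is how secedit records it
    $sid = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    foreach ($right in $Required.Keys) {
        $holders = Get-RightHolders $right
        $status = if ($holders -contains $sid -or $holders -contains $acct) { 'granted directly' }
                  elseif ($holders -contains $AdminsSid) { 'via Administrators (account must be a local admin)' }
                  else { 'MISSING' }
        '{0,-22} {1,-24} {2}' -f $acct, $Required[$right], $status
    }
}
```

A right reported as "via Administrators" is only effective if the account really is a member of the local Administrators group on that host, which the guide requires for the COM and deferred-processing accounts but not necessarily for every console user; a "MISSING" result for SeCreateGlobalPrivilege is the group-policy removal the text warns about.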
This policy is found in the local policy under: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Create global objects.

MANAGED DATABASE PRE-REQUISITES
Various databases can be managed within Enterprise Random Password Manager. In order to connect to and manage these databases, the appropriate database provider must be installed on the ERPM host system. The providers may be downloaded from the database manufacturer. A provider for Microsoft SQL is already included with Windows. The following databases require additional database-specific providers to allow management of their privileged identities from the Enterprise Random Password Manager host system:
Oracle
MySQL
Sybase - Sybase ASE OLE DB provider
DB2

Changing DB2 account passwords is supported but does not require a specialized provider, because DB2 uses the database host system's local account store rather than providing its own internal account store as Microsoft SQL, Oracle, and MySQL do. However, Enterprise Random Password Manager can enumerate the local accounts associated with the DB2 instance; for this to work, the DB2 OLE DB provider must be installed.

The rights required to change a target account's password vary from database to database, and also depend on the target account being changed. Certain information, such as the instance or service name, must also be known before a password change within a database can succeed. For the most up-to-date description of the rights required to change various identities within a target database, see the database vendor's documentation. The following is a non-exhaustive list of rights that may be required for various databases:

Microsoft SQL = Microsoft SQL can leverage explicit SQL accounts or "integrated authentication" accounts. Accounts using integrated authentication will be local computer accounts or accounts from a trusted domain. In order for either account type to manage account passwords within MS SQL, the following rights must be granted to the desired account or group:
GRANT VIEW ANY DEFINITION
GRANT CONTROL SERVER
The interactive login account and/or deferred processing account will require these rights in order to change passwords and enumerate accounts within the SQL instance. For integrated Windows authentication, the rights must be granted to a Windows user or group. The database instance name and port (if different from the default) will be required. If the sysadmin role is granted, no other rights are required on the MS SQL server.
Oracle = An Oracle login account will be required when configuring an Oracle password change job. This login account must have sufficient rights to change the desired target account's password. Presuming the login account can connect to the specified Oracle service (and instance, if applicable), the following privilege must be granted to the login account:
ALTER USER
To enumerate the user accounts in an Oracle instance (the accounts store view in Enterprise Random Password Manager), the following privilege must also be granted to the login account:
SELECT ANY DICTIONARY

MySQL = A MySQL login account will be required when configuring a MySQL password change job. This login account must have sufficient rights to change the desired target account's password. Presuming the login account can connect to the specified MySQL service and target database, the following global privilege must be granted to the login account:
UPDATE
To enumerate the user accounts in a MySQL instance (the accounts store view in Enterprise Random Password Manager), the following privilege must be granted to the login account for the appropriate database:
SELECT

Sybase = A login account will be required when configuring a Sybase password change job. This login account must have sufficient rights to change the desired target account's password. Presuming the login account can connect to the specified Sybase service (and instance, if applicable), the login account must belong to either of the following roles:
SSO_ROLE
SA_ROLE
To enumerate the user accounts in a Sybase instance (the accounts store view in Enterprise Random Password Manager), the following access must be granted to the login account:
SELECT access to the password column of the SYSLOGINS table in the MASTER database

DB2 = The rights required to change passwords for accounts associated with a DB2 instance depend on whether the database is hosted on Windows or Linux/UNIX. If hosted on Windows, the ERPM interactive login account and/or deferred processing account will require membership in Account Operators, unless the target account (the account being managed) is also a local administrator, in which case the ERPM interactive login account and/or deferred processing account will require local Administrators membership as well. If the target account is hosted on Linux/UNIX, ERPM will be configured to connect to the target system as the target user for this password change job; any user should be able to change their own password. See the administrator's guide for configuring password changes on Linux/UNIX systems, and follow the steps for changing accounts on Windows or Linux/UNIX. To enumerate accounts in a DB2 database instance (accounts store view), the login account will require:
CONNECT on the database
SELECT on SYSIBM.SYSDBAUTH
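The Microsoft SQL entry above, as an added worked example that is not part of this guide: a PowerShell script (SqlServer module, Invoke-Sqlcmd) that provisions the management login on a target SQL Server with VIEW ANY DEFINITION and CONTROL SERVER, then performs the two operations the product uses those rights for, enumerating logins and rotating a login's password, and finishes by authenticating with the new password to prove the change took. Server, login and managed-account names are assumed placeholders; the caller is assumed to be sysadmin on the target.

```powershell
# Added example (not part of the Lieberman guide). Provisions the management login on a target
# SQL Server with the rights listed above, then exercises the two operations ERPM needs it for:
# enumerating logins and rotating a login's password, with a login test using the new password.
# Assumptions: SqlServer module installed; the caller is sysadmin on the target; names are placeholders.
$Target      = 'app-sql01.corp.example'   # managed SQL Server (append \instance or ,port if not default)
$MgmtLogin   = 'CORP\svc-erpm-dp'         # assumed deferred-processing account (integrated authentication)
$ManagedAcct = 'app_service'              # assumed SQL login whose password will be rotated

Invoke-Sqlcmd -ServerInstance $Target -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$MgmtLogin')
    CREATE LOGIN [$MgmtLogin] FROM WINDOWS;
GRANT VIEW ANY DEFINITION TO [$MgmtLogin];
-- CONTROL SERVER is effectively sysadmin-equivalent: protect this account like an sa credential.
GRANT CONTROL SERVER TO [$MgmtLogin];
"@

# 1. Enumeration as the management login sees it (what the accounts store view is built from)
Invoke-Sqlcmd -ServerInstance $Target -Query @"
EXECUTE AS LOGIN = N'$MgmtLogin';
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U') AND name NOT LIKE '##%';
REVERT;
"@ | Format-Table -AutoSize

# 2. Rotation: 32 bytes from a CSPRNG, base64-encoded (44 chars, no quote characters, safe to embed)
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = [Convert]::ToBase64String($bytes)
Invoke-Sqlcmd -ServerInstance $Target -Query "ALTER LOGIN [$ManagedAcct] WITH PASSWORD = N'$newPw';"

# 3. Prove the change took by authenticating as the managed login with the new password
$who = Invoke-Sqlcmd -ServerInstance $Target -Username $ManagedAcct -Password $newPw -Query 'SELECT SUSER_SNAME() AS who;'
"Login test succeeded as $($who.who)"
Remove-Variable newPw, bytes        # the product stores the new value; this script deliberately does not
```

Step 3 is the part worth keeping in any manual rotation runbook: a password change that is not followed by a successful authentication with the new value is exactly the "incomplete password change" failure mode the Oracle tuning note earlier in this chapter describes, and the product's own verification jobs exist for the same reason.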
MANAGED COMPUTERS AND DEVICES PRE-REQUISITES
The following lists the requisite services and expected configurations for target managed computers and devices.

Windows (see Port Requirements for further information) -
File and Print Services for Microsoft Networks
Server service
Remote Registry - optional; allows further system information gathering, such as MAC address retrieval
If using Enterprise Random Password Manager and propagating/managing the following items, remote management support is required for:
COM+/MTS - requires the Application Server role with network COM+ access
DCOM
IIS - if the intent is to manage IIS on a target system, IIS must also be installed on the ERPM host system; requires the Application Server role with network COM+ access
WMI - for System Center Operations Manager run-as account management. Also required is placement of the SCOM SDK binaries (from the SCOM server) in the Enterprise RPM installation directory.
Enabling remote access to COM+ and IIS requires additional configuration steps on the target systems. These steps are outlined in the Remote COM+ and IIS Access (on page 138) section.

Linux/UNIX/OSX -
Determine the current SSH port - required for password change and account enumeration
Login password for a root-level account, or for the root account being managed
Low-powered login account - optional; used if root accounts are not permitted to SSH to the target system
Some distributions of Solaris, AIX, or other Linux/UNIX distributions may require that password authentication be enabled in the /etc/ssh/sshd_config file. This will be obvious, as errors reflecting it will appear in the E/RPM log during a password change job. To enable password authentication, open /etc/ssh/sshd_config and set the PasswordAuthentication directive to yes, then restart the SSH daemon. Because globally enabling password authentication widens the exposure of the SSH service, prefer scoping it to the ERPM host with a Match block (for example, Match Address followed by the ERPM host's IP address, with PasswordAuthentication yes inside the block) rather than setting it globally. How to restart the daemon is distribution specific. Examples of restart commands:
FreeBSD: /etc/rc.d/sshd restart
Solaris: svcadm restart network/ssh
SuSE: rcsshd restart
Ubuntu: sudo /etc/init.d/ssh restart
Red Hat/Fedora/CentOS: /etc/init.d/sshd restart OR service sshd restart

Cisco -
Login account password
Current password for enable
SSH or Telnet port, if changed from the default

IPMI -
Login account password; root- or admin-level password

SSH/Telnet devices (actual requirements will vary based on target type and embedded operating system) -
Login account password; root- or admin-level password
SSH or Telnet port, if changed from the default
Special consideration may need to be given to these devices for the process used to update stored passwords. Please review the admin guide for information on modifying the XML files used for SSH/Telnet targets.

PORT REQUIREMENTS
The following ports can be used by Enterprise Random Password Manager. Actual port usage will vary based on the options used and the systems managed. The ports listed are the standard well-known ports for the various protocols; they may have been changed on the target systems. It is the solution administrator's responsibility to determine whether any of the target ports have been changed and to reflect the changed port when password change jobs or account discovery jobs are performed.
Port 22 - SSH, TCP, outbound - used for managing non-Windows devices that support SSH. Non-Windows devices only.
Port 23 - Telnet, TCP, outbound - used for managing non-Windows devices that support Telnet. Non-Windows devices only. Telnet carries the login and the new password in clear text; use it only for devices that offer no SSH.
Port 25 - SMTP, TCP, outbound - port for e-mail support. Only required if email notifications will be sent from the solution.
Port 80/443 - HTTP/HTTPS, TCP, inbound - password recovery from the ERPM password recovery website.
Port 135 - RPC endpoint mapper, used for remote DCOM management, TCP, outbound. The secondary (dynamic) RPC ports are typically permitted by granting firewall access to DLLHOST.EXE in the %systemroot%\system32 directory. This port is also required to support automated installation of the password recovery website. The website can be manually installed on the target web server, so this port does not need to be open to the web server unless DCOM objects, IIS web sites, or virtual directories on the web server are also being managed. For Enterprise Random Password Manager, this port is required to be able to set credentials for COM+ and DCOM applications, IIS web sites and virtual directories, and Scheduled Tasks (ITask interface). Remote COM/DCOM also requires the dynamic RPC ports (1024+ on Windows Server 2003 and earlier; 49152-65535 by default on Windows Vista/Server 2008 and later) - check your system configuration.
Port 137 - NetBIOS name service, UDP, outbound. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for management of Windows systems.
Port 138 - NetBIOS datagram service, UDP, outbound. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for management of Windows systems.
Port 139 - NetBIOS session service (SMB over NetBIOS), TCP, outbound. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for management of Windows systems.
Port 389/636 - LDAP/LDAPS, TCP, outbound. LDAP-compliant directories such as Active Directory or Oracle Internet Directory.
Port 445 - SMB over TCP (direct-hosted SMB, without NetBIOS), TCP, outbound. This port is not required unless the NetBIOS ports (137, 138, 139) are closed. Be aware that direct-hosted SMB on port 445 is not supported on Windows NT 4 or earlier.
Port 514 - ArcSight / QRadar / Syslog, UDP, outbound.
Port 623 - IPMI, UDP, outbound.
Port 80/443/Other - HTTP/HTTPS, TCP, inbound. When configuring the password recovery website, it defaults to HTTP (port 80) without SSL. SSL is highly recommended for the password recovery website, but it is the administrator's responsibility to configure it. If HTTP with SSL (HTTPS) is configured, the default port requirement for the web server is port 443. Whether HTTP or HTTPS is used, the administrator of the website can also choose to bind the site to any port other than 80 or 443.
Port 1433 - SQL Server, TCP, outbound. The ports used for connecting to SQL Server must be accessible from the machine running Enterprise Random Password Manager as well as from any instances of the web interface. 1433 is the default port of a default instance only; named instances (including SQL Express) listen on a dynamic port by default, which can be fixed in SQL Server Configuration Manager and is otherwise resolved by clients through the SQL Browser service (UDP 1434). If MS SQL is using a different port, specify it on the database connection configuration dialog.
Port 1521 - Oracle, TCP, outbound.
Port 2002 - Java SDK remote connection, TCP, outbound.
Port 3306 - MySQL, TCP, outbound.
Port 3389 - Remote Desktop Protocol (RDP), TCP, outbound.
Port 5000 - Sybase, TCP, outbound.
Port 50000 - DB2, TCP, outbound.
Port - Other. Depending on the application being managed, such as SharePoint, or if additional external items/processes are leveraged, additional ports will be required. Refer to the following for known port connection requirements:
BMC Remedy - TCP/UDP, outbound, BMC_AR_Port
HP Service Manager - TCP, outbound, HPSM port
Microsoft SharePoint Server - TCP, outbound, the SharePoint administrative port
Microsoft System Center Configuration Manager - TCP, outbound - typically Microsoft File and Printer Sharing or remote management ports
Oracle WebLogic - TCP, outbound
IBM WebSphere - TCP, outbound
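A reachability check for the port list above, as an added example that is not part of this guide: run from the ERPM host, it attempts a TCP connect with a timeout to each managed target and port and classifies the result as open, refused, or filtered (the silent drop a firewall produces). The hostnames and per-target port sets are assumed placeholders; UDP ports in the list (137/138, 514, 623, and SQL Browser 1434) cannot be verified with a TCP connect and are not covered.

```powershell
# Added example (not part of the Lieberman guide). Tests outbound TCP reachability from the ERPM
# host to managed targets for the ports listed above. UDP ports (137/138, 514, 623, SQL Browser
# 1434) cannot be verified with a TCP connect and are not covered. Hostnames/ports are placeholders.
$Targets = @{
    'win-target.corp.example'   = @(135, 139, 445, 3389)   # Windows: RPC/DCOM, NetBIOS session, SMB, RDP
    'linux-target.corp.example' = @(22)                    # SSH
    'sql01.corp.example'        = @(1433)                  # ERPM database (change if the instance uses another port)
    'dc01.corp.example'         = @(389, 636)              # LDAP / LDAPS
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Asynchronous connect with a timeout, so a silently dropped SYN (firewall) fails fast
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered (timeout)' }
        $client.EndConnect($ar)          # throws on an active refusal (RST) or a DNS failure
        return 'open'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap the .NET SocketException
        return "closed ($($ex.Message))"
    } finally {
        $client.Close()
    }
}

foreach ($target in $Targets.Keys) {
    foreach ($port in $Targets[$target]) {
        '{0,-28} tcp/{1,-6} {2}' -f $target, $port, (Test-TcpPort -ComputerName $target -Port $port)
    }
}
```

Interpret "filtered" as a firewall or routing problem between the ERPM host and the target, and "closed" as the target itself not listening (service stopped, NetBIOS disabled, or a non-default port); the two need different owners to fix, which is why the check distinguishes them.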
INSTALLATION OF PREREQUISITES
Enterprise Random Password Manager includes multiple components, some of which are optional and separate. This section outlines installation of the prerequisites. Actual installation experience may vary.
Covered is:
Installation of IIS 7.x
Installation of MS SQL 2008 (R2)
Installation of Oracle 11g
COM and Deferred Processor account
Not covered is:
Installation of .NET Framework
Installation of Java SDK
Whether or not the password retrieval website will be installed locally on the ERPM host system, certain IIS components must be installed in order to perform an automatic installation of the web site to a remote server. Local IIS components will also be required to manage remote IIS installations; however, only a couple of elements are required, and those are outlined in the following sections.
IN THIS CHAPTER
Installing and Configuring IIS... 33
MS SQL and Oracle... 71
Database Connectors... 104
Remote COM+ and IIS Access... 138
Configure the COM Object and Deferred Processor Account... 145
INSTALLING AND CONFIGURING IIS
The following sections detail how to install and configure IIS on the respective host operating systems.
IN THIS CHAPTER
Installing IIS... 34
How to Configure SSL... 58
Installation of Prerequisites 34
INSTALLING IIS
Important! The Enterprise Random Password Manager web interface does not work properly on 32-bit editions of Windows 2008 and is not supported on 32-bit editions of Windows 2008.
The installation experience for IIS 7.5 and 8.0 on Server 2008 R2 and Server 2012 is identical, and the same procedures can be followed. IIS requires the following role services be included when installing IIS:
Static Content
Default Document
HTTP Errors
ASP.NET
ASP
Static Compression - optional
IIS 6 Metabase Compatibility
Any dependencies these role services require must also be included.
To install Internet Information Services, open Server Manager and select the Roles node. In the details pane (right side), click the Add Roles link to start the Add Roles Wizard.
From the Add Roles Wizard dialog, select Web Server (IIS) and click Next.
Click Next on the description page. On the Select Role Services page, under the Application Development header, select ASP and ASP.NET. By default, Windows 2008 or later does not enable support for Active Server Pages; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where support for Active Server Pages has not been enabled, see Enable ASP Support (on page 47) to enable it.
By default, Windows 2008 or later does not enable support for ASP.NET; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where support for ASP.NET has not been enabled, see Enable ASP.NET Support (on page 50) to enable it.
If prompted to Add role services required for ASP? and/or Add role services required for ASP.NET?, click Add Required Role Services. On the Select Role Services page, under the Management Tools header, select IIS 6 Metabase Compatibility. Click Next to continue.
By default, Windows 2008 and later does not enable IIS 6 Metabase Compatibility; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where IIS 6 compatibility has not been enabled, see Enable IIS6 Compatibility Support (on page 54) to enable it.
On the Confirm Installation Selections page, click Install.
Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard. The IIS administration console may be launched by selecting Internet Information Services (IIS) Manager from the Administrative Tools menu, by selecting Web Server under the Roles node in Server Manager, or by typing inetmgr at the command prompt or Run menu.

REQUIRED WEB COMPONENTS ON A NON-WEB SERVER
[Enterprise] Random Password Manager is an N-tier product consisting of web services, a management console, a database, and scheduling services (zone processor or default deferred processor). It is a recommended practice to separate the product into at least three tiers:
1) Web services
2) Management console and scheduling service
3) Database
When the machine hosting the management console will NOT also function as a web server, certain portions of IIS may still be required. In the modular model of Windows, if IIS is not installed, neither are the binaries needed to manage and talk to remote instances of IIS. Therefore, to perform a remote (push) installation of the web services, or to manage IIS 6 and IIS 7.x, these binaries must be installed. The installation experience for IIS 7.5 on Server 2008 R2 is the same, and the same procedures can be followed. IIS 7 requires the following additional role service be included when installing IIS 7 for remote web service installations and remote IIS management:
IIS 6 Management Compatibility - if also managing web servers that run IIS 6
If IIS 6 web servers will not also be managed, simply add IIS with no options.
To install Internet Information Services in Windows 2008, open Server Manager and select the Roles node. In the details pane (right side), click the Add Roles link to start the Add Roles Wizard.
From the Add Roles Wizard dialog, select Web Server (IIS) and click Next.
Click Next on the description page. On the Select Role Services page, under the Management Tools header, select IIS Management Console (required for IIS 7), IIS 6 Metabase Compatibility, and IIS 6 Management Console. All other items may be deselected. Click Next to continue.
By default, Windows 2008 does not enable IIS 6 Management Compatibility; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where IIS 6 compatibility has not been enabled, see Enable IIS6 Compatibility Support (on page 54) to enable it.
On the Confirm Installation Selections page, click Install.
Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard. The IIS administration console may be launched by selecting Internet Information Services (IIS) Manager from the Administrative Tools menu, by selecting Web Server under the Roles node in Server Manager, or by typing inetmgr at the command prompt or Run menu.

ENABLE ASP SUPPORT
If installing this application onto an existing web server and Active Server Pages was not previously enabled, turn it on by following this procedure.
In Server Manager select the Roles node, expand the Web Server (IIS) heading and click the Add Role Services link.
On the Select Role Services page, under the Application Development header, select ASP. If prompted to Add role services required for ASP?, click Add Required Role Services. This will automatically add ISAPI Extensions.
On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard. There are no further actions to perform once the wizard completes.

ENABLE ASP.NET SUPPORT
If installing this application onto an existing web server and ASP.NET was not previously enabled, turn it on by following this procedure.
In Server Manager select the Roles node, expand the Web Server (IIS) heading and click the Add Role Services link. On the Select Role Services page, under the Application Development header, select ASP.NET.
If prompted to Add role services required for ASP.NET?, click Add Required Role Services. This will automatically add ISAPI Extensions.
On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard. There are no further actions to perform once the wizard completes.

ENABLE IIS6 COMPATIBILITY SUPPORT
If installing this application onto an existing web server and IIS 6 compatibility was not previously enabled, turn it on by following this procedure.
In Server Manager select the Roles node, expand the Web Server (IIS) heading and click the Add Role Services link.
On the Select Role Services page, under the Management Tools header, select IIS 6 Metabase Compatibility. Click Next to continue.
On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard. There are no further actions to perform once the wizard completes.
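The wizard-driven procedures in Installing IIS, Required Web Components on a Non-Web Server, and the three Enable ... Support sections above, as one added example that is not part of this guide: the same role services installed from PowerShell with the ServerManager module, selecting either the full web-tier set or the management-only set for a console host. It assumes an elevated session; Add-WindowsFeature is the Windows Server 2008 R2 cmdlet and remains available as an alias of Install-WindowsFeature on Server 2012, and on Server 2012 Web-Asp-Net45 replaces Web-Asp-Net.

```powershell
# Added example (not part of the Lieberman guide). Installs the IIS role services listed in
# "Installing IIS" from PowerShell instead of the Add Roles wizard, or the minimal
# management-only set from "Required Web Components on a Non-Web Server".
# Assumptions: elevated session; ServerManager module (Server 2008 R2 or later).
Import-Module ServerManager
$WebServer = $true      # set to $false on a management-console-only host

if ($WebServer) {
    # Full web tier: the role services the guide requires (use Web-Asp-Net45 on Server 2012)
    $features = 'Web-Server', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
                'Web-ASP', 'Web-Asp-Net', 'Web-Stat-Compression',
                'Web-Metabase', 'Web-Mgmt-Console'
} else {
    # Console-only host: only what is needed to push the website and manage remote IIS 6/7 servers
    $features = 'Web-Server', 'Web-Mgmt-Console', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console'
}

# Required dependencies (e.g. Web-ISAPI-Ext for ASP) are added automatically, as the wizard does
$result = Add-WindowsFeature -Name $features
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish the installation.' }

# Verify that every requested role service is now installed (Installed = True on each row)
Get-WindowsFeature -Name $features | Format-Table DisplayName, Name, Installed -AutoSize
```

Keeping the feature list in a script is also the simplest way to prove, on a hardened server, that nothing beyond these role services was enabled; compare Get-WindowsFeature output against the list rather than inspecting the wizard.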
HOW TO CONFIGURE SSL
This product does not ship with an SSL certificate for encryption between the password retrieval website and the client browser. It is therefore up to the web server administrator to configure SSL and determine which certificate to use. See the following pages for configuring SSL on IIS 7+.

SSL WITH IIS - WITH AN EXISTING CERT
In order to encrypt transmissions from the web server (IIS) to the client browser, to protect the privileged passwords while they are in transit, it is necessary to configure SSL. This product does not ship with a pre-configured SSL certificate. Certificates can be obtained through a public certification authority, through an internal private certificate authority or numerous free utilities, or, in IIS 7.x and later, with a self-signed certificate. The following steps presume that a certificate is already installed on the host web server.
Open Internet Information Services (IIS) Manager from Administrative Tools. Go to the server node and open Server Certificates. If certificates are installed on the system, they will be listed in the Server Certificates area.
Go to the website that hosts the product's web pages or the virtual directory for the web pages. In the Actions pane, click Bindings. Click Add.
Select the protocol type HTTPS and assign the preferred SSL port. If an alternate port is selected, it must be reflected in the URL as HTTPS://address:port_number/... Select the appropriate certificate from the SSL certificate drop-down list. Click OK. Note that the HTTPS binding is now appended to the website. Click Close.
To require the website to use SSL, go to the website that hosts the product's web pages or the virtual directory that hosts the web pages and, from the IIS area, open SSL Settings. Set the option to Require SSL. Click Apply. No other configuration options are required.

SSL WITH IIS - NO EXISTING CERT
In order to encrypt transmissions from the web server (IIS) to the client browser, to protect the privileged passwords while they are in transit, it is necessary to configure SSL. This product does not ship with a pre-configured SSL certificate. Certificates can be obtained through a public certification authority, through an internal private certificate authority or numerous free utilities, or, in IIS 7.x and later, with a self-signed certificate. The following steps presume that a certificate is NOT already installed on the host web server and must be requested.
Open Internet Information Services (IIS) Manager from Administrative Tools. Go to the server node and open Server Certificates. To create a self-signed certificate, in the Actions pane, click Create Self-Signed Certificate.
Type in a friendly name for easy identification and click OK. The certificate will be created and added to the list of certificates installed on the server. Because a self-signed certificate is not trusted by client browsers, users will see certificate warnings on every visit; for a site that hands out privileged passwords, use a certificate issued by a CA the clients already trust and reserve self-signed certificates for testing. To create a certificate request for a third-party CA or an offline CA, click Create Certificate Request.
To create a certificate request to an online Enterprise CA, click Create Domain Certificate. On the Distinguished Name Properties dialog, specify the Common name (this must match the host name users will enter in the URL) and all other properties, then click Next.
If this is going to an offline CA, select the appropriate Cryptographic Service Provider Properties; choose a bit length of at least 2048. If this is going to an online CA, this page will not be presented. Click Next.
If this is going to an offline CA, a prompt for the name of the certificate request file will be presented. This text file is sent to the CA for processing. Once the certificate is approved, follow the wizard's Complete Certificate Request, then see the previous section to configure SSL with an existing certificate. Click Finish.
If this is going to an online CA, select the name of the CA by clicking the Select button. Then supply a friendly name for the certificate. The friendly name is only a label; the name of the server specified in the URL must match the certificate's common name. Click Finish. Once the certificates are installed on the system, they will be listed in the Server Certificates area.
Go to the website that hosts the product's web pages or the virtual directory for the web pages. In the Actions pane, click Bindings. Click Add.
Select the protocol type HTTPS and assign the preferred SSL port. If an alternate port is selected, it must be reflected in the URL as HTTPS://address:port_number/... Select the appropriate certificate from the SSL certificate drop-down list. Click OK. Note that the HTTPS binding is now appended to the website. Click Close.
Installation of Prerequisites 70 To require the website use SSL, go the website that hosts the products web pages or the virtual directory that hosts the web pages and from the IIS area, open SSL Settings. Set the option to Require SSL. Click Apply. No other configuration options are required.
MS SQL AND ORACLE

A database server running SQL Server (2005, 2008, 2008 R2, 2012, 2014), SQL Express (for testing only), or Oracle 11g is required for use as the back-end data store. To complete the installation of this tool, an instance of SQL Server, SQL Express, or Oracle 11g must already be installed and accessible. It is recommended to create an isolated database (separate named instance), but it is not a requirement. If a full version of SQL or Oracle is unavailable during evaluation, use SQL Express or Oracle Express for the evaluation.

Both SQL Server and SQL Express have two different modes of authenticating users. They can be configured to support integrated authentication, which uses the credentials of the user account currently accessing the database, or they can use mixed mode, which allows both Windows user accounts and explicit SQL accounts to have permissions to a database. It is recommended to use Windows Integrated Authentication only. SQL Express is a lightweight version of SQL Server that is made available for free download from the Microsoft website.

Oracle databases require that a connection account be used to connect to the database. Oracle Express is a lightweight version of the full Oracle database that is made available for free from the Oracle website.

Connections to the chosen database are treated the same, meaning that after the database is set up and the connection has been made, there are no configuration differences in Lieberman Software's tools when operating against a SQL Server, SQL Express, Oracle, or Oracle Express database.

SQL 2008 INSTALLATION

For evaluation purposes, Microsoft's free version of its SQL product, SQL Express, will work sufficiently well. Download SQL Express from Microsoft: http://www.microsoft.com/express/download/. Check the documentation for your chosen database to determine if all pre-requisites are met.

The common criteria for any version of SQL are:
If SQL is hosted on another server, allow network access via TCP or named pipes to the instance.
If using Windows Integrated Authentication, ensure that the COM+ and/or service account used by the application has DBO rights over the database that the tool will use. Read more about granting rights in MS SQL (see "Granting Rights to the Database" on page 158).
If using SQL Authentication instead of Windows Integrated Authentication, it is good practice to create a new account (instead of using the SA account) and grant this account the appropriate rights.

The following steps show a SQL 2008 installation. The steps are identical for a basic SQL 2008 R2 installation and comparable for SQL 2012 and 2014.
Start the installation process and select the Installation link in the top left corner of the dialog.

Click the New SQL Server stand-alone installation or add features to an existing installation link.

On the Setup Support Rules page, fix any errors that are found, then continue by clicking OK.

Click Next past the Product Key page.

Read and accept the EULA to continue installing SQL Express. Then click Next.

Click Install to start the installation of the required SQL 2008 Express Support Files.

On the Setup Support Rules page, note any warnings or errors presented and fix them as necessary. Click Next when ready to continue.

On the Feature Selection page, choose Database Engine Services, then click Next to continue.

On the Instance Configuration page, choose to configure a Default Instance or a Named Instance. If no other instances of SQL are installed on this system, choose either option. A default instance will use the name of the server for all SQL connections. A named instance will use the name of the server with \Instance_Name appended. For example, if defining a named instance called LSC and the software is being installed on a machine named UTILS01, then the server connection to this instance of SQL would be UTILS01\LSC. Click Next to continue.

On the Disk Space Requirements page, click Next.

On the Server Configuration page, choose the service account that will run the SQL services. If no replication or clustering will be utilized, then set the account name to NT AUTHORITY\SYSTEM and the startup type to Automatic. Choose the default collation from the Collation tab. Click Next to continue.

On the Database Engine Configuration page, choose the authentication mode that the database should allow. Windows authentication mode requires the credentials of the person using the tool, as well as its various service and COM identities, to have certain rights to the database, and is the recommended setting. Mixed Mode allows the most flexibility in the scope of applications that can be used with the database and allows accounts that exist only in the context of the database (no Windows or AD) to access the database information. Databases configured with Mixed Mode authentication must still create user accounts and allow them access to the database. Windows Authentication requires identifying the Windows users and/or groups that can access the database services. Click Add to supply those users and groups here. No other changes need to be made here. Click Next to continue.

On the Error Usage and Reporting page, elect to send Microsoft any error or usage information if desired, then click Next to continue.

On the Installation Rules page, fix any error or warning that is presented at this time, then click Next to continue.

On the Ready to Install page, review the configuration, then click Install to continue.

The installation routine will continue to install SQL.

When installation is complete, click Next to continue.
Click Close on the Complete page.

ORACLE 11G INSTALLATION

While the ERPM console and website must be hosted on the Windows platform, when using an Oracle database it is possible to host the database on a Windows or a non-Windows system. Check the Oracle documentation for the appropriate pre-requisites. For evaluation purposes, Oracle's free version of its Database product, Oracle Express, will work sufficiently well. Download Oracle Express from Oracle: http://www.oracle.com/technology/products/database/xe/index.html. Oracle database requirements will vary based on the target platform. Please refer to Oracle documentation for specific requirements.

The common criteria for any version of Oracle are:
If hosted on another server, allow network access via TCP.
Ensure that the connection account used by the solution has the rights and limits as defined in these pages.

The following steps show a basic Oracle 11g installation on Windows. Start by identifying the installation path for the Oracle base files and the home location (default location) for created databases. Identify the installation type (Oracle Database Edition), global database name (Oracle Service Name), and database password. This password will be the default password for the SYS, SYSTEM, SYSMAN, and DBSNMP accounts. These accounts provide initial and ongoing administrative access to the database. Click Next to continue.

If desired, specify an email address to receive security update notifications. Click Next to continue. If an email address was not specified, a prompt will appear saying so. Choose Yes to continue or No to provide an email address.

The Oracle installer will now perform a pre-requisite check. If there are no major problems, click Next to continue.

Click Install on the summary screen to let the installation proceed.

The installation will continue until it is finished.

When installation is complete, a summary screen will appear. Click OK to continue.
Click Exit to close the installation. The database server is now configured. Following are the additional steps required to allow ERPM to work with the Oracle server. The steps can be performed by copying the text between the five-slash lines into a file with a .sql extension and running it on the database server, or by following the steps outlined afterwards.

/////
-- CREATE TABLESPACE
CREATE SMALLFILE TABLESPACE "[tablespace_name]"
  DATAFILE '[full_path_to_tablespace_name]' SIZE 100M AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED
  LOGGING
  EXTENT MANAGEMENT LOCAL
  SEGMENT SPACE MANAGEMENT AUTO;
-- USER SQL
CREATE USER [user_name] IDENTIFIED BY [user_name_password]
  DEFAULT TABLESPACE [tablespace_name]
  TEMPORARY TABLESPACE TEMP;
-- ROLES
GRANT "CONNECT" TO [user_name];
-- SYSTEM PRIVILEGES
GRANT CREATE TRIGGER TO [user_name];
GRANT CREATE SEQUENCE TO [user_name];
GRANT CREATE TABLE TO [user_name];
GRANT CREATE VIEW TO [user_name];
-- QUOTAS
ALTER USER [user_name] QUOTA UNLIMITED ON [tablespace_name];
/////

In the preceding text, replace:
[tablespace_name] with the name of the tablespace (the location where the solution tables go)
[full_path_to_tablespace_name] with the full path to where the Oracle tablespace datafile will be kept, such as "c:\app\oracle11g\rpm"
[user_name] with the name of the user account to be created
[user_name_password] with the password desired for the user_name being created

Rather than creating a script as referenced above, the web interface can be used to create the necessary items. First, configure a default tablespace. Open the Oracle Manager website and go to Server > Storage > Tablespaces. Click the Create button in the bottom right area to create a new tablespace. Define a name and set the desired options. The default settings of locally managed, permanent, and read write will be sufficient.
Provide a file name and initial size, and choose to Automatically extend datafile when full (AUTOEXTEND). Set the auto growth increment and click Continue. The previous page will be displayed with the data file added.

Click Continue to add the tablespace. The tablespace will now be listed in the available tablespaces. Finally, create a user in Oracle for the solution to use and set the default tablespace for that user.

Select Server > Security > Users. In the top right area, click Create. Provide a name for the account and set the desired profile and authentication. Set the default tablespace to the tablespace created in the previous steps. Set the temporary tablespace to TEMP. Set the status to Unlocked when ready to use the account. Click OK to create the user. Go to System Privileges and add the following system privileges:

Create Any Sequence
Create Any Table
Create Any Trigger
Create Any View

Next go to the Quotas area. Set the default tablespace (created and assigned in previous steps) to have an Unlimited quota. Click OK to create the user account.

A summary screen will then appear. The user account is now set up.
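A check for the Oracle account created by either route above (the script or the Oracle Manager website). This is an added example, not from the guide; ERPM stands in for the [user_name] placeholder, and the queries are run against the database as a DBA. The system-privilege query labels the scope of each grant, since CREATE TABLE (the script) and Create Any Table (the web interface) differ in reach.

```sql
-- Added example (not from the Lieberman guide): confirm the ERPM Oracle account
-- holds exactly the role, privileges and quota described above.
-- Assumption: the account was created as ERPM; run as SYS/SYSTEM or another DBA.

-- Account state and tablespaces (expect OPEN, the solution tablespace, and TEMP).
SELECT username, account_status, default_tablespace, temporary_tablespace
FROM   dba_users
WHERE  username = 'ERPM';

-- Roles (expect CONNECT only).
SELECT granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'ERPM';

-- System privileges. CREATE TABLE/VIEW/SEQUENCE/TRIGGER apply to the account's
-- own schema; CREATE ANY ... applies to every schema in the database.
SELECT privilege,
       CASE WHEN privilege LIKE 'CREATE ANY%' THEN 'all schemas'
            ELSE 'own schema' END AS scope,
       admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ERPM'
ORDER  BY privilege;

-- Tablespace quota (UNLIMITED is reported as max_bytes = -1; expect one row,
-- the solution tablespace, and nothing on SYSTEM or SYSAUX).
SELECT tablespace_name, max_bytes, bytes
FROM   dba_ts_quotas
WHERE  username = 'ERPM';
```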
DATABASE CONNECTORS

For each supported database target, a specific OLEDB connector will need to be installed. These connectors or providers are supplied by the database vendor: Oracle for Oracle, IBM for DB2, Sybase for Sybase ASE, and MySQL for MySQL; Microsoft provides the required connectors with the operating system. If the proper OLEDB connector is installed, it will become available to ERPM when adding a new database target and will be visible in the add target dialog (see the following sections).

For Microsoft SQL Server only, starting with version 4.83.6 of the ERPM product, support for the SQL Server Native Client is also provided. It is recommended to use the latest SQL Server Native Client provider available. It has been found that version 10 of the SQL Server Native Client can exhibit undesirable behavior. It is recommended to use the SQL Server 2012 Native Client (v11) instead.

The following sections provide guidelines for installing the required providers and the minimum versions of each. Links are provided, but note that the links may change over time and some of the vendors may require a login, licensing agreement, and other prerequisites. This document assumes no liability for the steps outlined or links provided, and assumes you are aware of any and all licensing and use restrictions surrounding these providers. The specifics of leveraging these connectors and database types are covered in the admin guide.

MICROSOFT SQL

Microsoft provides the required OLEDB provider with the operating system; there is nothing to install or configure if opting to use the OLEDB provider. Starting with version 4.83.6 of the ERPM product, support for the MS SQL Server Native Client is also provided. It is recommended to use the latest SQL Server Native Client provider available. It has been found that version 10 of the SQL Server Native Client can exhibit undesirable behavior. It is recommended to use the SQL Server 2012 Native Client (v11) instead.

The version 11 SQL Native Client can be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=29065.

ORACLE

Managing and discovering Oracle database instances requires the Oracle database provider. This can be downloaded from the Oracle downloads website (registration required for download): http://www.oracle.com/technology/software/products/database/index.html
ERPM only works with the 32-bit provider for Oracle, regardless of the host operating system or target database. Be sure to use only the 32-bit Oracle provider. This is not to be confused with the Oracle back-end database, which can be a 32- or 64-bit database. ERPM can manage accounts in an Oracle database. Supported Oracle databases start at version 9i. For ERPM to manage Oracle databases, the OLEDB provider for Windows version 11g or later must be used; version 11g R2 x86 is recommended. The following details the Oracle 11g R2 provider installation.

Launch the installer, select Custom, and click Next to continue.

Select any appropriate languages and click Next.

Choose the installation directories and click Next.

The only required item is Oracle Provider for OLE DB. Select Oracle Provider for OLE DB and click Next.

On the summary page, click Finish to begin the installation.

The installation will proceed to copy new files.

When the installation is complete, click Close.

When the Oracle provider is installed, it will be listed as an available "Database Provider" when adding an Oracle database to the accounts store view.

SYBASE ASE

Managing and discovering Sybase database instances requires the Sybase database provider. This is not available for general download. You will be required to use your existing Sybase source files to perform the provider installation.
Launch the installer and click Next to continue.

Choose the installation directory for the Sybase files and click Next to continue. If the directory does not exist, a prompt requesting to create the directory will appear.

All that is required is the OLEDB providers. Choose the Custom option and click Next. De-select all options except for:

ASE Data Providers > ASE ODBC Driver
ASE Data Providers > ASE OLE DB Driver

Click Next to continue.

Choose the Sybase license use as is appropriate to your company. Click Next to continue.

Select the licensing region and agree to the license agreement to continue installing the software. Click Next to continue.

On the summary screen, click Next to continue.

Files will be copied to the host system.

When the installation is finished, click Next to continue the wizard.

When the installation wizard is finished, click Finish to close the wizard.

When the Sybase provider is installed, it will be listed as an available "Database Provider" when adding a Sybase database to the accounts store view.

MYSQL

Managing and discovering MySQL database or MariaDB instances requires the MySQL database provider. This can be downloaded from the MySQL downloads website (registration required for download): http://www.mysql.com/downloads/connector/odbc/ Download the provider appropriate to your version of Windows, such as the "Windows (x86, 32-bit), MSI Installer". At this time the product is still a 32-bit product, so 32-bit OLEDB/ODBC drivers are required.
Launch the installer and click Next to continue.

Select the Complete setup type and click Next to continue.

On the installation summary page, click Install to continue.

The installation will proceed to copy new files.

When the installation is complete, click Finish. When the MySQL provider is installed, it will be listed as an available "Database Provider" when adding a MySQL database to the accounts store view.
DB2

IBM DB2 does not use an internal/explicit account store as MS SQL, Sybase, MySQL, and Oracle do. Rather, DB2 databases leverage the local account store of the host system. This means that in order to change a password for an account associated with DB2, it must be determined whether DB2 is hosted on a Windows, Linux, or UNIX platform, and that platform must be chosen as the target platform when managing DB2 accounts. Additional OLEDB drivers are not required to manage passwords within DB2.

Accounts associated with DB2 can be enumerated from the Accounts Store View. Determining (for display purposes only) the accounts associated with DB2 requires that the DB2 OLEDB driver be installed on the host system. This is not a required step to change passwords. ERPM support for DB2 is limited to using the Microsoft provider for DB2 available from the Microsoft SQL 2005 or SQL 2008 feature packs. Search http://microsoft.com/downloads for DB2 OLEDB or, as of this writing, download the file directly from here: http://download.microsoft.com/download/0/e/6/0e67502a-22b4-4c47-92d3-0d223f117190/db2oleDB.exe

The installation routine has two prerequisites:
1) You have a version of the Enterprise or Developer edition of Microsoft SQL 2005 or 2008, or some component thereof, which also implies that the version is licensed for use by your corporation.
2) The installer checks for the existence of certain registry keys and/or files to validate the installation before the provider will install.

The presumption is that installing SQL server components to make use of the Microsoft supplied DB2 provider is not permissible. The following steps document a registry manipulation which will lead the installer to believe the requisites it looks for during installation are present.

Caution! Use of the registry editor can lead to system instability or loss of functionality. Perform these steps at your own risk.

1) Open the registry editor on the ERPM host system.
2) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\Setup
3) Add a new string value called: Version
4) Modify the new "Version" value and make its data: 10.0.1600
5) Add a new string value called: EditionType
6) Modify the new "EditionType" value and make its data: Enterprise Edition
7) Add a new string value called: Edition
8) Modify the new "Edition" value and make its data: Enterprise Edition

Once the registry is configured, the installation of the Microsoft Provider for DB2 can proceed. Launch the installer and click Microsoft OLE DB Provider for DB2.

Enter the user name and organization name and click Next to continue.

Choose to accept the licensing agreement if the requirements of the licensing agreement are met, and click Next to continue.

Click Next past the installation location page.

Click the Install button to begin the installation.

The installation routine will run.

Click Finish when prompted.

When the DB2 provider is installed, it will be listed as an available "Database Provider" when adding a DB2 database to the accounts store view.
REMOTE COM+ AND IIS ACCESS

Enabling remote management access to COM+ and IIS is, permissions aside, a matter of installing the Application Server role and enabling Network COM+ access. This section details how to do this in Windows Server 2008 R2 and later. If Network COM+ access is not installed, remote management of COM+ and IIS will fail, as will account usage discovery on those operating systems for those particular subsystems.

WINDOWS 2008 & LATER REMOTE COM+ ACCESS

Remote COM+ Access can be enabled by adding the Application Server role (only in non-core installations) or by adding a single registry entry (core and non-core installations). If it is preferable to modify the registry rather than add the Application Server role, then make the following modifications:

1) In the registry, locate and then click the following sub-key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
2) Locate the key: RemoteAccessEnabled
3) Right-click RemoteAccessEnabled, and then click Modify.
4) In the Edit DWORD Value dialog box, type 1, and then click OK.

The same modification can be made via group policy by using the Preferences portion of Group Policy and modifying the same path and key noted above. If the host servers are GUI-based installations of Windows Server, then the Application Server role may be installed rather than modifying the registry.

Installing network COM+ access in Windows 2008 R2 requires installing the Application Server role. Open Server Manager and select the Roles node. In the details pane (right side), click the Add Roles link to start the Server Roles Wizard. On the Select Server Roles page, select Application Server. A second dialog will immediately appear prompting to install additional components. These are mandatory items. Click Add Required Features to continue.

On the Select Server Roles page, click Next to continue.

On the Application Server page, click Next to continue.

On the Select Role Services page, select COM+ Network Access. Then click Next to continue.

On the Confirm Installation Selections page, click Install to continue.

On the Installation Results page, click Close to finish the installation.
CONFIGURE THE COM OBJECT AND DEFERRED PROCESSOR ACCOUNT

If the solution will be managing local systems only and will not manage domain accounts at all, the account will only need administrative rights on the host system (web server, application server). If the account will be managing accounts in a domain, add it to the Administrators or Domain Admins group within the domain, or delegate control of an OU to "reset" passwords. If this account will be managing services, tasks, COM objects, etc. on your domain controllers, it must be an administrator or domain admin within the domain.

Skip this section if there is already an account that meets the following requirements:
Domain Admins or Administrators group membership in the domain to be managed, or delegated control based on the outline above
Administrator on the host system(s)
Account granted Log on as a batch job and Log on as a service on the host system(s)

To create the user in the domain, use Active Directory Users and Computers from the Administrative Tools of your domain controller, or from the local system if the Remote Server Administration Tools (RSAT) have been installed.

To create a user account in Active Directory, right-click on the organizational unit or container in which to create the account and select New > User.

It is helpful to give the account a semi-descriptive first name, as this is what will be visible in Active Directory. Provide the account with a unique logon name. Click Next to continue. Provide a password for this account. It is recommended to provide a password that is 15 characters or longer, as this greatly reduces the potential for compromise of this account's password. Clear the User must change password at next logon flag, or this account will not work: any installations utilizing this account will fail because the account will be unable to log on. It is recommended to also set the Password never expires flag for this account to avoid loss of functionality should the password expire. This password should still be changed, and can be changed at any time.

Click Next to continue.

Click Finish to create the account and close the wizard.

Now that the account is created, right-click on the account and select Properties, then select the Member Of tab and click Add. Type in the name of the domain group to add this account to. At a minimum this account will need to be a member of Domain Users. However, if it will also manage users in the domain's Administrators, Domain Admins, or Enterprise Admins group, this account will also need to be a member of one of those groups.

Click OK to add the user to the group. Click OK to close the properties dialog.
On the system which will host the management and web consoles, ensure that this account has certain rights. Specifically, because this user will need to run as a COM object on the host system, this user account will also need to be seen as an administrator of the host system and have the Log on as a batch job right. If this account was added to the Domain Admins group, there is no need to also add the account to the host system's local Administrators group; skip to assigning the user the right to log on as a batch job. If the user was not added to the domain's Domain Admins group, add this user to the host system's Administrators group. Open Computer Management on the host system by typing compmgmt.msc from the Run menu or by choosing Computer Management from Administrative Tools. Under System Tools, expand Local Users and Groups, then select the Groups node. In the details pane, right-click on Administrators and choose Properties.

Click Add... From the Select Users, Computers, or Groups dialog, type in the user account's name or use the Advanced... option to search for the user account. Click OK once to add the user to the local Administrators group.

Click OK to finalize the change and add the account to the Administrators group.

On the host system, type gpedit.msc at the Run menu. This will open the local system's security configuration. Navigate to Computer Configuration\Windows Settings\Local Policies\User Rights Assignment and choose Log on as a batch job from the details pane.

Right-click on Log on as a batch job and select Properties. Click on Add User or Group...

From the Select Users, Computers, or Groups dialog, type in the user account's name or use the Advanced... option to search for the user account. Click OK once to add this user to the list.

Click OK to close the properties dialog. Then close the group policy editor. To ensure that the policy is updated immediately and doesn't conflict with any other domain policies, from a CMD prompt type gpupdate /target:computer /force. Re-check the policy and ensure that the user account is still listed. If it is not listed, then a domain-level policy is removing your settings. Work with the group policy administrator to determine which policy is causing the conflict.

GRANTING RIGHTS TO THE DATABASE

There are at least three objects in Enterprise Random Password Manager that access the database:
Website COM object
Deferred Processor / Zone Processors
Main application
If using an Oracle database, please see Oracle 11g Installation (on page 89) within the prerequisites section for configuring the Oracle account's necessary rights.

There are at least two ways to authenticate to a Microsoft SQL database:
SQL Authentication
Integrated Windows Authentication

The solution may use either authentication method, though Integrated Windows Authentication is recommended. Whichever method is chosen will also be the method used by the website COM object as well as the Deferred Processor (and zone processors). Windows Integrated Authentication is recommended as it permits much more granular control when providing access to the information within Random Password Manager and also allows for additional logging. If using SQL authentication, all access to the database server happens in the context of the SQL account rather than the user performing the action.

Whatever method is chosen for authentication, access to the solution database will need to be provided to the SQL account, the Windows user account, or a Windows group containing the Windows users. If using a dedicated instance of SQL for ERPM or RPM, simply grant:
SYSADMIN = user role
or
Control Server = database server right

This allows the granted users the rights to perform all actions within that instance of SQL, including creating the required databases and stored procedures, all other features in the main application, as well as backup and restoration. If it is not desired or permitted to grant SYSADMIN or Control Server on the SQL instance, then the database that ERPM will use must be pre-created within SQL by the DBA. The SQL account or Windows users/groups will then need to be granted the following roles/rights over the ERPM database:
DBO = user role
or
db_datareader = user role
db_datawriter = user role
db_ddladmin = user role
Execute = database permission
Create Tables = database permission; required during installation and upgrade
Create Views = database permission; required during installation and upgrade

Additionally, if using SQL 2005 or later, ERPM can take advantage of the performance recommendations made by SQL (for auto-index creation). To make use of this, the account or Windows users/groups will need to be granted the View Server State right on the host SQL server. To do this, open SQL manager and the properties of the account/group, select Securables, add the database server, scroll down the list to View Server State, and select the Grant option next to that right.

If using the explicit DB permissions rather than granting sysadmin or DBO, once the user account has been granted the db_datareader, db_datawriter, and db_ddladmin roles, the EXECUTE permission is granted via a SQL statement such as GRANT EXECUTE TO user_name.
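The explicit-permission path described above, carried out in T-SQL rather than through SQL manager. This is an added example, not a script from the Lieberman guide: the database name ERPM and the Windows group CORP\ERPM-ServiceAccounts (holding the COM+ and Deferred Processor service account) are placeholders, and the queries at the end show what the group actually ends up holding.

```sql
-- Added example (not from the Lieberman guide): least-privilege rights for the
-- ERPM database when SYSADMIN / Control Server may not be granted.
-- Placeholders: database [ERPM]; Windows group [CORP\ERPM-ServiceAccounts].
USE [master];
GO
-- Windows login for the group (Integrated Windows Authentication, no SQL password).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\ERPM-ServiceAccounts')
    CREATE LOGIN [CORP\ERPM-ServiceAccounts] FROM WINDOWS;
-- Server-level right used only for the auto-index recommendations (SQL 2005+).
GRANT VIEW SERVER STATE TO [CORP\ERPM-ServiceAccounts];
GO
-- The DBA pre-creates the database; the group receives no server role at all.
IF DB_ID(N'ERPM') IS NULL
    CREATE DATABASE [ERPM];
GO
USE [ERPM];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\ERPM-ServiceAccounts')
    CREATE USER [CORP\ERPM-ServiceAccounts] FOR LOGIN [CORP\ERPM-ServiceAccounts];
-- Fixed database roles from the list above. sp_addrolemember runs on SQL 2005
-- through 2014; on 2012 and later ALTER ROLE ... ADD MEMBER is the current syntax.
EXEC sp_addrolemember N'db_datareader', N'CORP\ERPM-ServiceAccounts';
EXEC sp_addrolemember N'db_datawriter', N'CORP\ERPM-ServiceAccounts';
EXEC sp_addrolemember N'db_ddladmin',   N'CORP\ERPM-ServiceAccounts';
-- Database permissions: EXECUTE for the stored procedures, CREATE TABLE and
-- CREATE VIEW for installation and upgrade.
GRANT EXECUTE      TO [CORP\ERPM-ServiceAccounts];
GRANT CREATE TABLE TO [CORP\ERPM-ServiceAccounts];
GRANT CREATE VIEW  TO [CORP\ERPM-ServiceAccounts];
GO

-- Verification: roles the group holds in this database. db_owner appearing here
-- means the DBO shortcut was taken instead of the explicit list.
SELECT r.name AS role_name
FROM   sys.database_role_members rm
JOIN   sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE  m.name = N'CORP\ERPM-ServiceAccounts';

-- Explicit database permissions (expect CONNECT, EXECUTE, CREATE TABLE, CREATE VIEW).
SELECT p.permission_name, p.state_desc, p.class_desc
FROM   sys.database_permissions p
JOIN   sys.database_principals m ON m.principal_id = p.grantee_principal_id
WHERE  m.name = N'CORP\ERPM-ServiceAccounts';

-- Server role check: 0 expected, since sysadmin was deliberately not granted.
SELECT IS_SRVROLEMEMBER('sysadmin', N'CORP\ERPM-ServiceAccounts') AS is_sysadmin;
GO
```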
INSTALLATION
This section covers the detailed installation for this tool including configuration of the main console, connecting to a database, and deploying the web based password recovery console.
IN THIS CHAPTER
Management Console Installation... 162
Web Application Installation... 204
Two Factor Authentication Configuration... 261
Installation 162 MANAGEMENT CONSOLE INSTALLATION
This chapter covers the installation and setup of the management console application and common questions regarding setup and troubleshooting.
COMPONENT OVERVIEW
Enterprise Random Password Manager takes advantage of several different components working in conjunction to provide a complete password management solution. Some of these components are required for operation, and some are optional. Understanding what each component does and how it affects the solution as a whole is important when making installation and configuration decisions and changes. The core components that make up the solution are:
1) The management console application (installed with the download package) - required.
2) The deferred processing service (comes with the download package) - required to utilize scheduled jobs and automatic retry options.
3) An installation of SQL Server or Oracle Database - required.
4) Cross Platform Support Library (CrossPlatformSupportLibrary.msi, comes with the download package) - required to manage passwords on Linux, Unix, and Cisco IOS devices.
5) An e-mail server (optional - SMTP Express can be downloaded from http://www.liebsoft.com/smtp_express/). ERPM utilizes an e-mail server to send out periodic reports as well as alert when certain actions take place. Choices are to use an existing e-mail server, set up a stand-alone SMTP e-mail server, or not configure the tool to send e-mail. The configuration of the e-mail server (including enabling SSL and establishing a certificate trust) is done outside ERPM.
6) A Web server (IIS 7.5 or later) with ASP (Active Server Pages) and ASP.NET processing enabled - required to utilize the password recovery website. Passwords can be recovered from within the tool without the use of the website.
7) Web application components for the password recovery web portal (comes with the download package) - required to utilize the password recovery website. Passwords can be recovered from within the tool without the use of the website. Item 5 must also be installed before successfully installing and configuring the website.
8) Email templates used to generate reports and alerts (comes with the download package).
The focus of this document is primarily on the management console application, the web application, the deferred processing service, and reporting/alerting components since these components are designed and maintained by Lieberman Software. This installation section will also outline various steps for setting up and configuring the other various components to work with Enterprise Random Password Manager.
QUICK INSTALLATION
At this point two conditions should be met:
1) Log in as an account which has local administrative rights.
2) An instance of SQL Server, SQL Express, or Oracle should be installed and accessible from this machine.
Once these conditions are met, ERPM is ready to install. Launch the installer from the directory to which it was saved and follow the prompts to choose an installation directory.
Click Next.
Input the preferred registration information and click Next.
Read through the license agreement and click Agree. Selecting Enterprise Random Password Manager is the base requirement. Additional options are:
AutoIT Script Application Launch Scripting - this is used when the optional application launcher is installed and it is desired to automate launching of thick client applications for which there are no command line parameters.
PuTTY Terminal Emulator - the freeware and open source terminal emulation program. This is helpful for connecting to non-Windows targets such as Linux and UNIX hosts and may also be used for application launching to non-Windows systems.
Choose the installation directory and click Next.
Click Next to start the installation. During the installation the program will create shortcuts on the desktop and start menu. All the required files and components needed to run the application as well as install and run the web application and deferred processing service will be copied to the destination directory. After the file copy is complete, click Finish. The application must be launched manually after installation is complete. This will begin a mini-setup wizard. For further information, please see the next section. Registration of Enterprise Random Password Manager occurs once the product is installed and the mini-setup wizard (see "Mini-Setup" on page 171) is completed. This step is performed from the Help > Register dialog. For demo copies, the default demo license is sufficient. For commercial keys, enter the key that was sent and click OK.
IN THIS CHAPTER
Mini-Setup... 171
Configuring ERPM Datastore for HA Configurations with MS SQL Server... 180
Configuring ERPM Datastore for HA with Oracle Database Servers... 187
Configuring SSL Encryption to the Database... 188
MINI-SETUP
The first time Enterprise Random Password Manager or Random Password Manager is run, a mini-setup wizard will run through a series of pages that handle the configuration of the various components of the tool. Each page of the wizard allows configuration of a different component and all of the component setup steps are optional except the first, which configures the database for the program data store. This setup wizard can be run again after completing it from the Settings > Re-Run Setup Wizard menu item.
The first page is the database setup page. This step is mandatory but can be changed later by re-running the setup wizard from the settings menu or can be changed at any time by going to Settings > Datastore Configuration...
This page will show the current database settings used by the solution and whether or not the database can be contacted using those settings. Of the pages in the setup wizard, this is the only required step, as the solution cannot operate without a connection to the database it will use for its data store. When ERPM is run for the first time, these settings will not be initialized and must be provided by clicking the Change Settings button to configure ERPM to use the preferred database.
In this dialog, the following items must be configured:
Database Provider: SQL Server or Oracle. The setting chosen will also determine the subsequent options available for configuration. Multiple options will be available for MS SQL if they are installed. ERPM supports the use of the Microsoft SQL Native provider using both OLEDB and ODBC. In order to use an HA mirror with Microsoft SQL you will need to use the SQL Native Provider via ODBC. It is recommended to obtain the latest SQL Native Provider from Microsoft (free) when using this option.
Database Name: If connecting to a named instance of SQL or SQL Express use the format ServerName[\InstanceName] to specify the database server name. If connecting to an Oracle database specify the name as ServerName/ServiceName. If using a MS SQL database, a database must be chosen; Oracle will keep the relevant tables in the default tablespace for the connection account. If using a MS SQL database, a custom schema can [and is highly recommended to] be chosen. This ensures that the program will call for fully distinguished table names rather than relative table names. This is especially important when integrated authentication is being used and not all users have the same DBO/sysadmin rights over the database or server.
Once server name and connection authentication mode are selected, use the Test Connection button to test the connection to the database. For MS SQL, if SSL is configured for connections, selecting Encrypt communication with database will cause the solution to use SSL when connecting to the database. SSL connection encryption is available for SQL Server 2000 or later. There are further implications to consider when using SSL with the database. For more information, see the next section, Configuring SSL Encryption on the Database (see "Configuring SSL Encryption to the Database" on page 188).
If the database has connection limitations due to performance or licensing issues, select the check box titled Set explicit connection limit in the center-left of the dialog to set the allowed/preferred connection limit. This will limit the number of connections to the database. If this is not done, it is possible to slow down the performance of the solution or, worse, cause connection timeouts waiting on threads that will never return information because the database cannot handle as many threads as will be spawned. Overwrite the default database timeout value is the value in seconds for the database connection timeout. Shorter timeouts may cause long running queries to be terminated prematurely while values that are too long may let queries that will never finish hold up the entire process. Leave the box unchecked to use the default timeout of the OLEDB provider, which is typically 30 seconds. Finally, if there are additional connection string parameters that should be configured or an entirely different connection string should be used, select the appropriate option. When finished configuring the database settings, click OK to save the settings and return to the main console. ERPM will verify that it can connect to the database specified in the settings and that all the
table formats are current and correct. If a connection cannot be made or if the database format is not correct, an error message indicating the problem will appear. When this step is complete, the required steps for setup are complete. Click Next to continue.
The deferred processor service handles all background activity performed by the solution such as scheduled password change jobs and dynamic group updates. This is an optional component. The deferred processor manages scheduled and automatic retries for password changes, password spins performed by the web application, dynamic group update jobs, alerting, and periodic reporting. Supply a Windows account for the service to run under. This account must have local administrative rights and the right to log on as a service as well as administrative rights on the systems being managed. Once the account information is provided, click Launch Service to install and start the deferred processor. After completing this step, the final optional step is e-mail setup.
Note: Configuration of the service account will cause ERPM to attempt to auto-grant the required rights for the account to run as a service.
Alerts on program behavior or daily activity can be sent out via e-mail detailing activity. This is an optional feature. In order to take advantage of these features, provide valid e-mail server settings. For more information about setting up the e-mail settings, see the E-mail Server Settings Overview section in the Administrators guide (included with the solution). After completing this step, proceed to the alerting setup. If the step is skipped, a warning dialog will appear.
Enterprise Random Password Manager periodically checks the status of stored passwords and will send out e-mail alerts detailing when the passwords were last changed, whether they are currently valid, and when they are next scheduled to be changed again. These alerts can be turned on or off, and depend on the deferred processing service being installed and running as well as the e-mail settings being valid. Once the setup wizard has completed the setup of the mandatory components, the Setup Complete dialog is presented. From here, the encryption settings and the website can be configured now. For more information on these items, see the Encryption Settings (on page 189) and Web Application Installation (on page 204) sections later in this manual.
Once setup is completed, click Finish and the management console will open with an empty default group. Now that the configuration is complete, the remaining steps are to register, select which systems will be managed, and to change passwords on those systems. To register, go to Help > Register. For demo copies, the default demo license is sufficient. For commercial keys, enter the key that was sent and click OK.
CONFIGURING ERPM DATASTORE FOR HA CONFIGURATIONS WITH MS SQL SERVER
Microsoft SQL Server versions 2005 through 2014 supply multiple methods for high availability. Enterprise Random Password Manager supports, and Lieberman Software recommends, configuring the database used for the ERPM data store for high availability. The following methods are available with the proper versions of Microsoft SQL (contact your Microsoft account rep for licensing and version specifics):
Clustering - will also require specific hardware
Geo-clustering - will also require specific hardware and network configuration
Mirroring
AlwaysOn Availability Groups - SQL 2012 and later
Replication and Log Shipping
Clustering & Geo Clustering
ERPM requires no special configuration to be used with clustering and Geo-clustering. When supplying the name of the database host, simply supply the name of the cluster common node or IP address. Active/Passive clusters are supported. Active/Active clusters are not supported.
Mirroring
For ERPM to use mirroring, there are technically no special requirements unless it is desired for ERPM to automatically fail over to the new instance. If automatic fail over to the new node is desired then all component hosts of ERPM (console, web, zone processor, etc.) will need to have the SQL Native Client v11 installed and configured. In the management console under Settings > Data Store Configuration > Basic Configuration ensure the SQL Native Client 11.0 (ODBC) is selected. Custom parameters will be required as noted below and shown in the screen shot. If these settings are changed in the console after deploying the website, it will be necessary to open the Manage Web App dialog from the console, right-click on the website and select the option Replace instance options with default web application options. Note: the dialog requires filling in of certain information even though it won't be used and seems redundant. Ultimately this is just a display issue as the system will actually use the custom connection string. Then select the option to Add custom connection string parameters and supply the following string:
Server=PRIMARY_SERVER_NAME;Failover_Partner=SECONDARY_SERVER_NAME;database=NAME_OF_TARGET_DATABASE
AlwaysOn Availability Groups
For ERPM to use AlwaysOn Availability Groups, there are technically no special requirements unless it is desired for ERPM to automatically fail over to the new instance. If automatic fail over to the new node is desired then all component hosts of ERPM (console, web, zone processor, etc.) will need to have the SQL Native Client v11 installed and configured. In the management console under Settings > Data Store Configuration > Basic Configuration ensure the SQL Native Client 11.0 (ODBC) is selected. Custom parameters will be required as noted below and shown in the screen shot. If these settings are changed in the console after deploying the website, it will be necessary to open the Manage Web App dialog from the console, right-click on the website and select the option Replace instance options with default web application options. Note: the dialog requires filling in of certain information even though it won't be used and seems redundant. Ultimately this is just a display issue as the system will actually use the custom connection string. Then select the option to Add custom connection string parameters and supply the following string:
YourAGListener,DBPort;Database=YourDatabase;MultiSubnetFailover=yes
For the connection string parameters above:
YourAGListener - the host/DNS name which resolves to the AG Listener.
DBPort - self-explanatory, typically 1433.
YourDatabase - the name of the database you selected in #4, above.
MultiSubnetFailover - as ERPM is connecting to the availability group listener of a SQL Server availability group or a SQL Server Failover Cluster Instance, this setting should be 'yes'.
Log Shipping and Replication
There are no special configurations for ERPM to use a database that replicates its data via log shipping or replication. If/when failure of the primary instance occurs, a DBA must manually enable the alternate/receiving database to be write enabled. Once that occurs, ERPM can be retargeted to the new active DB by either changing the database configuration for the product and updating the website or by redirecting DNS or the hosts file.
CONFIGURING ERPM DATASTORE FOR HA WITH ORACLE DATABASE SERVERS
Oracle 11g Enterprise editions with the optional RAC software supply multiple methods for high availability. Enterprise Random Password Manager supports, and Lieberman Software recommends, configuring the database used for the ERPM data store for high availability. The following methods are available with the proper versions of Oracle databases (contact your Oracle account rep for licensing and version specifics):
Clustering - will also require specific hardware. For more information about Oracle Real Application Clusters (RAC), please visit: http://www.oracle.com/us/products/database/options/real-application-clusters/overview/index.html
Active Data Guard
Replication and Log Shipping
Clustering
ERPM requires no special configuration to be used with clustering and Geo-clustering. When supplying the name of the database host, simply supply the name of the cluster common node or IP address. Active/Passive clusters are supported. Active/Active clusters are not supported.
Active Data Guard
ERPM requires no special configuration to be used with remote mirroring. When supplying the name of the database host, simply supply the name of the currently active node. Active Data Guard keeps a full copy of the database on-line and ready all the time. Unfortunately, ERPM does not support the use of the Oracle JDBC connector so an automatic fail over is not possible at this time.
Replication and Log Shipping with Data Guard
There are no special configurations for ERPM to use a database that replicates its data via log shipping or replication. If/when failure of the primary instance occurs, a DBA must manually enable the alternate/receiving database to be write enabled. Once that occurs, ERPM can be re-targeted to the new active DB by either changing the database configuration for the product and updating the website or by redirecting DNS or the hosts file.
CONFIGURING SSL ENCRYPTION TO THE DATABASE
Configuring SSL encryption for the SQL database connection is not a mandatory step as the tool never sends clear text password or connection information to the database. That information will be encrypted using the configured encryption settings prior to being written to or read from the database. Further, the level of encryption employed over this connection is dependent on the version of Windows and the application being used and will be either 40-bit or 128-bit. Enabling encryption will slow performance.
TO CONFIGURE SSL FOR YOUR DATABASE CONNECTION FOR SQL 2005 OR LATER:
1) Install a certificate in the Windows certificate store of the server computer.
2) Click Start, in the Microsoft SQL Server 2005 program group, point to Configuration Tools, and then click SQL Server Configuration Manager.
3) Expand SQL Server 2005 Network Configuration, right-click the protocols for the server you want, and then click Properties.
4) On the Certificate tab, configure the Database Engine to use the certificate.
5) On the Flags tab, view or specify the protocol encryption option. The login packet will always be encrypted. When the ForceEncryption option for the Database Engine is set to Yes, all client/server communication is encrypted and clients that cannot support encryption are denied access. When the ForceEncryption option for the Database Engine is set to No, encryption can be requested by the client application but is not required.
6) SQL Server must be restarted after changing the ForceEncryption setting.
If enabling SSL encryption for a cluster of SQL servers, the name applied to the certificate should be equal to the name of the SQL cluster. Additionally, the certificate will need to be installed on each node of the SQL cluster.
ENCRYPTION SETTINGS
The passwords generated during a password change job can be stored encrypted in the database. The currently supported encryption type is AES in 128, 192, or 256 bit key lengths. When encryption is enabled or the options are changed, the passwords will be decrypted and re-encrypted with the new key. The website settings will also need to be updated manually to reflect the new encryption key. The key signature for the current key is shown in this dialog. When recovering stored passwords, this signature can be matched against the key signature for the stored password to ensure that it was encrypted with the same key. To configure the encryption settings, select Settings > Encryption Settings.
Although the encryption algorithms used are FIPS algorithms, the use of external FIPS 140-2 certified encryption modules is supported. FIPS 140-2 certified encryption may be required for installations in organizations, primarily government, which require the use of FIPS 140-2. The encryption code is the same whether using the built-in encryption or the FIPS 140-2 certified encryption; the FIPS 140-2 method simply uses the encryption procedures in a manner which is compatible with the certification. FIPS 140-2 certified usage requires using a module which has been certified as a stand-alone module. In the case of RPM/ERPM, the Crypto++ library used leverages the exact same cryptography code as the certified module. In the built-in case, the code is compiled into the solution (which is not a certified usage); in the certified case, the code is being used through a call to an external DLL (which has been certified). The certified usage case is slightly less secure, because it is susceptible to replacement of the external DLL, whereas changing the built-in cryptography would require modification to the application itself (which would invalidate the digital signature). To enable FIPS 140-2 certified encryption, download and install the FIPS certified support library, which contains the add-on components necessary to support this mode (including the FIPS 140-2 certified Crypto++ module). Once this has been installed, simply select Use FIPS 140-2 software provider if available from the Encryption Settings for stored passwords dialog. Usage of the FIPS 140-2 provider (fail if not available) can be required; otherwise the application will default to the identical, but not FIPS 140-2 certified, internal code if the certified provider is not available. The certification number for the FIPS module is 819.
The certification for the module can be found at: http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140crt/140crt819.pdf
More information about FIPS 140-2 certification can be found at: http://csrc.nist.gov/cryptval/140-2.htm
Using this dialog, the validity of the current encryption key can be tested, and the current key can be exported or a previous key imported. The export feature will write a registry (.reg) file with the encrypted key settings. These settings can later be imported to the same system or to a different system by using the import feature or by double-clicking on the registry file. To manually import a set of encryption settings to a web interface installation on a remote machine, the root path must be updated. The settings are output with the path HKEY_LOCAL_MACHINE\Software\Lieberman\RPM\ProgramOptions\EncryptionSettings. The root path for web application settings is HKEY_LOCAL_MACHINE\Software\Lieberman\RPMWebComponent\ProgramOptions. Update the path in the registry file and then add it to the registry of the web application server.
Caution: Be careful when saving/importing/exporting encryption keys. In the event of disaster recovery, if the encryption key is lost, passwords that have been encrypted with that specific key will be
un-recoverable. If the encryption keys are exported, keep them in a secure location, as they can be used to decrypt all stored encrypted passwords. If the encryption settings are changed after the website has been deployed, update the web site settings (see "Web Application - Updating Settings" on page 237) so that the website has the appropriate encryption information.
The option Force change and clear any passwords which cannot be decrypted will examine all passwords in the password store and clear all passwords which cannot be decrypted using the current settings. This is a single use option, meaning that once the option is selected and the dialog is OKed, the operation will take place. The next time the dialog is opened, the option will no longer be selected. This option is designed to clear erroneous data from the database when the correct encryption key is unavailable.
Hardware Encryption
A hardware encryption module which off-loads the encryption process from the tool and system to an external hardware device can be leveraged. For a current list of tested hardware devices, please contact Lieberman Software. HSM technology has been utilized for years in the government, military, and intelligence industries to protect against the security flaws of conventional encryption software. Even when keys are encrypted, software debuggers can locate and access the encryption key, allowing critical data to be compromised. With an HSM, there is no record of keys stored in memory. Instead the keys are stored in a secure device, physically inside of a computer. This solution can interface with any HSM developed by commercial third parties or the intelligence community when a PKCS#11 interface library is provided.
To use hardware encryption, select the radio button on the encryption settings dialog that says Use Hardware Cryptography Module for hardware-based cryptography. Then select the ellipsis (...) to configure the hardware key. When the hardware encryption device is installed, it will place a DLL onto the host computer which is required for anything to interface with it. The path to this DLL must be provided to this tool in the Interface library DLL path field. After loading the DLL, options appropriate to the hardware device will become available and the slot/token description field will be automatically filled out per the information provided by the device.
If the hardware device can support multi-threaded access, the option should be enabled by selecting Initialize library for multi-threaded access as this will greatly improve performance of the solution when using a hardware encryption device. If the device also requires a PIN to access it, the appropriate PIN must be input. The Key and Encryption Method area allows defining the appropriate key and encryption mechanism. Values that can be selected here will depend on the hardware device installed. Once all of the options have been completed, click OK to close the dialog and implement the encryption settings. If the encryption settings are changed after the website has been deployed, update the web site settings (see "Web Application - Updating Settings" on page 237) so that the website has the appropriate encryption information.
HSM TROUBLESHOOTING
The following depictions are created in reference to nCipher HSMs. Lieberman Software will be unable to provide support for your specific HSM. All support for your specific HSM will need to be handled by your HSM provider.
NCIPHER CONNECTION STATUS
Ideally, once the HSM is installed and available and the option to use the HSM is selected, ERPM/RPM will display the message PKCS #11 interface DLL verified. This only indicates that the DLL is configured, not that the HSM is ready to use. When testing your HSM it will likely require the ERPM/RPM host to register its IP address as a permitted client. When testing connection status from the HSM utilities, an error stating No connection could be made because the target machine actively refused it may appear (some information omitted):
Module #1 enquiry reply flags enquiry reply level serial number mode Failed UnprivOnly Six unknownunknown operational version 0.0.0 speed index 0 rec. queue 0..0 level one flags version string none unknown checked in 0000000000000000 Wed Dec 31 16:00:00 1969 level two flags level four flags none none module type code 0 product name device name unknown unknown EnquirySix version 3 impath kx groups feature ctrl flags none features enabled none version serial 0 connection status RemoteServerFailed, <us> (ncerrorno(econnrefused): No connection could be made because the target machine actively refused it) connection info esn = 6FBC-70AB-E4E3; addr = INET/192.168.99.5/9004; ku hash = 98765a4321aaaaa1aa11aa11a1aa11c11223c4b5, mech = DSA; time-limit = 24h;
The connection status line indicates that the connection is being refused by the netHSM. This means that the netHSM likely doesn't have this host's IP address present in its client list. Another possibility is that the host has two or more interfaces and the IP address listed in the netHSM is not the one that the host is using to connect with. You can check the client config from the front panel of the netHSM by navigating to 1-1-4 (System/System configuration/client config) or looking in the RFS for this netHSM and checking the netHSM's config file, which is copied to the RFS. One block of the config file (with the header [hs_clients]) will be dedicated to the client list. The netHSM's config file can be found on the RFS in one of a few different places, depending on the version of ncss and the version of Windows in use:
Pre-v11 ncss: C:\nfast\kmdata\hsm-<ESN>\config\config
v11 on 2003: C:\Documents and Settings\All Users\Application Data\nCipher\Key Management Data\hsm-<ESN>\config\config
v11 on 2008: C:\ProgramData\nCipher\Key Management Data\hsm-<ESN>\config\config
Another setting to check is the config file auto push settings. Try resetting the auto push for the config file and it should show up on the RFS. Check the connection status again and it should read as OK.
NCIPHER COULD NOT ENUMERATE SLOTS

Ideally, once the HSM is installed and available and the option to use the HSM is selected, ERPM will display the message "PKCS #11 interface DLL verified". This only indicates that the DLL is configured, not that the HSM is ready to use. If there are no operator cards or softcards configured for the HSM, the error "Could not enumerate slots on PKCS #11 interface device" will appear.

The registration process with the HSM happens between the nCipher client software and the HSM; ERPM is not aware of the HSM, only of where the PKCS#11 library is. ERPM uses the PKCS#11 library, whose requests are handled by the nCipher client, which then sends instructions to the HSM to take specific actions (make a key, load a key, encrypt data, etc.).

Verify registration of the nCipher client with the HSMs by running the following commands from C:\Program Files (x86)\ncipher\nfast\bin:

enquiry
nfkminfo
ckcheck-inst

Output will look like this:

C:\Program Files (x86)\ncipher\nfast\bin>enquiry
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number
 mode                 operational
 version              2.42.17
 speed index          0
 rec. queue           2..50
 level one flags      none
 version string       2.42.17cam8, checked in 00000000487debd5 Wed Jul 16 05:38:45 2008
 level two flags      none
 max. write size      8192
 level three flags    none
 level four flags     ServerHasPollCmds ServerHasLongJobs ServerHasCreateClient
 module type code     0
 product name         nfast server
 device name
 EnquirySix version   4
 impath kx groups
 feature ctrl flags   none
 features enabled     none
 version serial       0
 remote server port   9004

C:\Program Files (x86)\ncipher\nfast\bin>nfkminfo
World
 generation  1
 state       0x0 !Initialised !Usable !Recovery !PINRecovery !ExistingClient !RTC !NVRAM !FTO !SEEDebug Unchecked
 n_modules   0
 hknso       0000000000000000000000000000000000000000
 hkm         0000000000000000000000000000000000000000 (type DES3)
 hkmwk       0000000000000000000000000000000000000000
 hkre        0000000000000000000000000000000000000000
 hkra        0000000000000000000000000000000000000000
 hkmc        0000000000000000000000000000000000000000
 hkmnull     0000000000000000000000000000000000000000
 ex.client   none
 k-out-of-n  0/0
 other quora
 createtime  1970-01-01 00:00:00
 nso timeout 0 min

Modules - list unavailable

No Pre-Loaded Objects

C:\Program Files (x86)\ncipher\nfast\bin>ckcheck-inst
ckcheck-inst: C_Initialize failed rv = 00000006 (CKR_FUNCTION_FAILED)
(Use nfkmcheck to check your security world, Set CKNFAST_DEBUG to turn on PKCS #11 logging.)

Based on this output, it is necessary to register this host with the nethsm using nethsmenroll. If the host were properly registered, there would be module output listed in the enquiry output and nfkminfo would report a non-zero n_modules. To add a nethsm to this client:

1. Run nethsmenroll <IPofnetHSM> on the client to register it with the nethsm.
2. Go to the nethsm itself and add the client's IP address to the client list (Menu/System/System configuration/client config).

Next, bring the client into the same Security World as the nethsm. Copy the world and module_* files from the RFS to bring this new host into the Security World by running:

1. rfs-sync --setup --no-authentication <IPofRFS>
2. rfs-sync --update

Choose one of your CAs and locate the nCipher Key Management directory:

Windows 2003: C:\Documents and Settings\All Users\Application Data\nCipher\Key Management Data\local
Windows 2008: C:\ProgramData\nCipher\Key Management Data\local

Find the world file and the module_* files and copy them to the same (corresponding) Key Management Data\local directory on the ERPM host. Now the client will be in the same Security World as the HSM and the CAs.

To configure the PKCS#11 library, edit this file (or create it if it doesn't exist):

C:\Program Files (x86)\ncipher\nfast\toolkits\pkcs11\cknfastrc

and make sure it contains the following line:

CKNFAST_LOADSHARING=1

This turns on the HA and failover features of the PKCS#11 library.

Next, create a login token for the ERPM PKCS#11 login. Run the following nCipher command:

ppmk --new <TokenName>

where <TokenName> is just a string for a label (e.g. LiebermanPM). Following this step a prompt for a PIN will appear. Now return to the ERPM HSM configuration and complete the configuration steps. The softcard just created will show up as a Hardware Slot/Token in the GUI and will also require the PIN just created.
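The checks above are easier to apply consistently if the enquiry output is parsed rather than eyeballed. The following Python script is an added example written for this guide; it is not part of ERPM or of the nCipher tools. It parses the key/value blocks that enquiry prints (a section header ends with a colon; a key is separated from its value by two or more spaces), flags any module whose connection status is not OK, pulls the errno and the address out of the connection info line, and maps econnrefused to the client-list cause described above. The embedded sample is constructed from the excerpt on this page; the "Module #1:" header and its serial number line are assumptions, since the excerpt starts mid-block.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the enquiry excerpt in this guide. The
# "Module #1:" header and serial number line are assumed (the excerpt starts
# mid-block); the connection status and connection info lines are verbatim.
SAMPLE_ENQUIRY = """\
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number
 mode                 operational
 version              2.42.17
 product name         nfast server
 remote server port   9004

Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        6FBC-70AB-E4E3
 mode                 operational
 module type code     0
 product name         unknown
 device name          unknown
 connection status    RemoteServerFailed, <us> (ncerrorno(econnrefused): No connection could be made because the target machine actively refused it)
 connection info      esn = 6FBC-70AB-E4E3; addr = INET/192.168.99.5/9004; ku hash = 98765a4321aaaaa1aa11aa11a1aa11c11223c4b5, mech = DSA; time-limit = 24h;
"""

# Causes this guide names for a given errno; anything else gets a generic hint.
ERRNO_HINTS = {
    "econnrefused": "nethsm refused the connection: check that this host's IP "
                    "(the interface it actually connects from) is in the nethsm "
                    "[hs_clients] list, then reset the config file auto-push",
}


def parse_enquiry(text: str) -> Dict[str, Dict[str, str]]:
    """Split enquiry output into sections ('Server', 'Module #1', ...) of key/value pairs.

    Keys may contain single spaces ('rec. queue'); the value is whatever follows
    two or more spaces. A key with no value (empty serial number) maps to ''."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = sections.setdefault(raw.strip()[:-1], {})
            continue
        if current is None:
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=1)
        current[parts[0]] = parts[1] if len(parts) > 1 else ""
    return sections


def parse_connection_info(info: str) -> Dict[str, str]:
    """'esn = X; addr = INET/ip/port; ...' -> {'esn': X, 'addr': ..., 'ip': ip, 'port': port}"""
    fields: Dict[str, str] = {}
    for item in info.split(";"):
        if "=" in item:
            key, value = (s.strip() for s in item.split("=", 1))
            fields[key] = value
    m = re.match(r"INET/([^/]+)/(\d+)", fields.get("addr", ""))
    if m:
        fields["ip"], fields["port"] = m.group(1), m.group(2)
    return fields


def diagnose(sections: Dict[str, Dict[str, str]]) -> List[dict]:
    """One finding per module that is missing or whose connection status is not OK."""
    modules = {name: kv for name, kv in sections.items() if name.startswith("Module")}
    if not modules:
        return [{"module": None, "errno": None,
                 "hint": "no modules listed: this host is not registered with a "
                         "nethsm; run nethsmenroll <IPofnetHSM> and add it to the client list"}]
    findings = []
    for name, kv in modules.items():
        status = kv.get("connection status", "")
        if not status or status.startswith("OK"):
            continue
        m = re.search(r"ncerrorno\((\w+)\)", status)
        errno = m.group(1) if m else None
        info = parse_connection_info(kv.get("connection info", ""))
        short = status.split(",")[0]
        findings.append({
            "module": name, "esn": info.get("esn"), "ip": info.get("ip"),
            "port": info.get("port"), "errno": errno,
            "hint": ERRNO_HINTS.get(errno, f"connection status is {short}; check the hardserver log"),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_enquiry(SAMPLE_ENQUIRY)):
        print(finding)
```

Run it against a saved copy of the real enquiry output (`enquiry > enquiry.txt`) by replacing SAMPLE_ENQUIRY with the file contents; an empty findings list means every listed module reports OK, which is the state the rest of this section works towards.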
CONTROLLING ACCESS TO THE ADMIN CONSOLE

Enterprise Random Password Manager has the ability to control which users have the rights to launch the console application. Following installation, any user who is an administrator of the system where the console is installed and who also has rights to the SQL database will be able to launch the application. To change this behavior and require that users be administrators plus be on a whitelist of allowed console users, navigate to Delegation | Delegate Console Access, which launches the following dialog:
The above dialog will be seen if no delegations are present. From this page, either type in the names of users who can launch the tool by clicking the Add button, or browse the domain for users and [multi-]select the accounts to allow access to. The proper format of user names is DomainName\UserName. When adding users to the delegated users list, it is possible to also require the users to provide two factor authentication via:
RSA
OATH
SafeNet
PhoneFactor
RADIUS 2 Factor

To change the settings for a particular user, simply select the user, then click the appropriate Change XXX Requirement Settings for Selected Users button. A prompt will appear asking whether to require that two factor authentication method for the user. Simply choose Yes or No.

If an all-access model is later desired, where all administrative users are able to launch the tool, simply clear all entries in the above dialog. If a user who has not been granted the rights tries to access the console, the management console will not launch and will display the following warning:

These delegations are stored in the ERPM database in a table called tbl_delegatedconsoleuser. If using these delegations, access to this table should be secured, since anyone who can write to it can grant themselves console access. Moreover, in the event of complete lockout from the tool, a DBO for the ERPM database can clear all the entries from this table and ERPM will default to allowing all administrators of the system to launch the console application. Further, as changes are made to these delegations from within ERPM, those events are logged to the system's Application log as event ID 22 when users are added or event ID 23 when users are removed, with a source of Enterprise Random Password Manager or Random Password Manager.

ERPM provides a facility to always launch the console with elevated privileges. To configure this option, enable the Run with elevated privileges option and supply a proper administrative account. This permits an otherwise low-powered user account to launch the console and perform management actions with ERPM. These credentials cannot be managed automatically by ERPM. Proper name input is in the form of either "User_Account_Name" or "Domain_Name\User_Account_Name".

Caution! If the option to run the console as an elevated user is enabled, do not perform other delegations on this dialog, as they will not work. The console will never prompt for the other users, and if the elevated user account is not on the list, the console will also fail to open due to delegation constraints.
WEB APPLICATION INSTALLATION

This chapter contains installation instructions and background information on configuring the password recovery web interface. The web interface includes a set of ASP pages, a COM object, a COM+ identity wrapper, and a set of registry entries.

Note: As of version 4.83.8, Enterprise Random Password Manager is no longer supported on Windows Server 2008 (non-R2 versions). Version 4.83.7 and earlier would run on Server 2008 (non-R2) 64-bit editions only.

In order to install the web site locally (on the machine hosting ERPM), refer to the Installing and Configuring IIS (on page 33) section of this installation guide. Whether or not the website will be installed locally on the ERPM host system, IIS must be installed there in order to perform an automatic installation of the web site to a remote server, and it will also be required to manage remote IIS installations.

WEB APPLICATION OVERVIEW

The purpose of the web application is to allow delegated access to all passwords that are stored and managed by the solution. Access to the password store is controlled and audited by routing requests through a COM object, which authenticates logon requests with Windows domain controllers or other directory servers and checks authorization requests against the delegation rules in the program database. All actions taken in the web interface are logged to the program database, including delegation changes and access to the log itself.

The steps involved in setting up the web application are described here and can be performed through the Manage Web Application feature in the console application or manually. These are the steps involved with setting up the web application:

1) Copy the web files from the installation directory to a folder on the web server. By default, this is the C:\inetpub\wwwroot\PWCWeb directory, because the account running IIS will have inherited rights to read and access the files if they are placed there.

2) Create a new virtual directory in IIS that references the folder containing the ASP pages on the web server. By default this virtual directory is called PWCWEB.

3) Copy the RouletteWeb.dll COM object from the ERPM installation directory to the web server. By default, the COM object is copied to the System32 directory* in the Windows root directory so that it will be found in the system path. This location is not required, as it will be registered as a component in a COM+ application.

* 64-bit Windows systems control access to the system32 directory a little differently than 32-bit Windows systems. To avoid changing permissions or anything else pertaining to this directory, install the COM+ file to a location other than the system32 directory, such as the path where the website will be installed.

4) Create a new COM+ Server Application on the web server called PWCWebComApp. Set the credentials for the application to valid local administrator credentials. The credentials for the COM+ application will also need to be valid domain user credentials on each of the trusted domains to authenticate against. This includes the rights to perform logon operations and group enumeration operations.

5) Add the required RouletteWeb.dll COM object to the COM+ application as a new component. If the component or a previous version of the same component has previously been registered (either manually or as a component in a COM+ application), the component must be unregistered and then added to the COM+ application.

6) Create a delegation rule that grants full access to a Windows user or group through the management console. When performing an automated install, a default all-access account is created. This account is called WebApplicationManager in the delegation system. This account is specific to the solution's delegation scheme and exists only in the context of the solution. The management console uses this account to perform auto-logon operations during installations of the web application, though it is not required to successfully install the website. This account can be safely removed; because it is an all-access account, removing it once installation is complete reduces the standing privilege held in the delegation store.

7) Launch a new browser window with the web interface.

To change web application options once the web interface has been installed, run the web application installation again from the management console application, or choose to update an instance with the current configuration by right-clicking the web site instance and choosing to update settings.
Note: When upgrading, the web application installation must be re-run to upgrade the web pages and COM components. Make sure the COM+ application is shut down before trying to upgrade the COM+ object, or the copy may fail. If the COM object cannot be stopped, run IISReset to restart all COM applications held open by it.

Note: If changing the database settings, the web application installation must be re-run, or the settings must be pushed to the web application store (see "Web Application - Updating Settings" on page 237) using the export/import features for the web application settings or by updating the instance with the current options. This is necessary because the database configuration on the web server is stored separately from the console's database configuration information.

Note: If the password for the account being used to run the COM+ application is changed, manually update the identity in the COM+ application's identity page. To access this page, open Component Services and open the properties of the PWCWebComApp COM+ application.
WEB APPLICATION AUTHENTICATION AND DELEGATION

The web server (IIS) uses a low-powered account (IUSR) to handle the processing of web pages. This is desirable because if the website were compromised, any malicious behavior or executed code would run in the context of that low-powered account. This design means the web server does not have access to the database directly, nor the ability to perform operations such as group and user lookups to check authentication. Because the web server has no access to the database or to the domain, the COM+ wrapper must have local administrative rights and domain user rights. The credentials needed to access the SQL Server database are also stored locally (if using SQL authentication) and used by the COM+ objects when retrieving password, system, and delegation information from the database. The credentials are never used directly by the web server and thus are not exposed to the outside world.

The authentication mechanism starts when the web server requests a security token from the COM object. A security token is granted for each successful login and then stored in the database. This token contains the encoded rights associated with a specific login, including the lifetime of the login. Once the token has been passed back from the COM+ object, the web server stores it in the active session. Requests to perform operations are passed to the COM+ object along with the token, and the COM+ object determines whether or not the user has the appropriate access based on the token. Using this scheme, the web server does not have access to the database directly, so even if the web server were compromised, the attacker would gain no direct access to the password data; what remains exposed is whatever the tokens held in active sessions permit, for the lifetime of those tokens.

The delegation scheme for the web interface consists of a set of rules stored in the database that map directly to real Windows domain groups. The domain the web server is in will be the source for these Windows groups.
When creating an access rule, specify both the action that is allowed and the Windows group which is allowed to perform the action. User identification and authentication takes place by passing the account name and password through the web server to the COM+ object, which attempts to perform a domain logon. If the logon is successful, the COM+ object performs a group lookup for the user name and builds a list of the domain groups the user is a member of. The COM+ object then builds the set of rights granted to the one or more groups the user belongs to and encodes those rights into a security token, which it saves to the database and passes back to the web server. When subsequent requests are made to the COM+ object from the web server, this security token is verified to ensure the user has the correct rights.

There are two basic types of delegation rules for Windows groups or users. The first is a Global Program Access Rule. This type of rule defines which basic web application operations may be performed by the members of the Windows group or user. These rights include the logon right, access to all passwords, and the ability to change the delegation rules and check logs. Any Windows groups or users that should have access to the web interface must be granted the logon right. The second type of rule is the Managed Group Access Rule. These rules determine which managed groups a Windows group or user has the right to access. For Windows groups or users to be able to recover passwords for a set of systems, grant access for that group or user to logon and recover passwords, then specify the system lists that they have access to.

WEB APPLICATION SECURITY

It is highly recommended to install and set up SSL encryption for the web server that will be hosting the web interface. Without SSL running on the web server, the credentials passed between the client's browser and the web server (and the recovered passwords sent back) travel unencrypted and are vulnerable to network traffic sniffing. If configuring the website on a network load balanced (NLB) web server, each web server will require a copy of the SSL certificate whose name is tied to the NLB cluster name. If implementing the web interface over the Internet, it is also recommended to limit access based on specific IP address ranges. This is handled directly by IIS.

By default, the account which IIS uses to serve web pages is configured to be a guest account. This is so that if an attacker compromises the web server, they do not have elevated access to the system as a whole. Because the components of ERPM which require elevated access run in COM+ applications with their own credentials, there is no need to give the web server elevated access for ERPM's web application to work. It is also recommended to run the web application using integrated Windows credentials to access the database. This way the credentials are not stored on the web server, and if the server is compromised, the attacker will not be able to recover credentials that grant database access. There are more application-specific security options which may be defined in the Web Application Settings section.
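To make the split described above concrete, here is an added Python model of the flow; it is not Lieberman code, and since the real token encoding, database schema and group-lookup calls are not documented here, the directory data, the rule tables, the in-memory token store and the token lifetime are all assumptions. What it shows is the structural property: the web tier only ever holds an opaque token identifier, while the COM+ side performs the logon, resolves group membership (directly, or recursively as the Enable recursive group membership lookup setting described later allows), builds the right set, and checks every later request against the stored token and its expiry.

```python
import secrets
import time

# Constructed directory data (assumed; not ERPM's schema). PASSWORDS stands in
# for the domain controller; a real deployment never holds these.
PASSWORDS = {"CORP\\alice": "correct horse", "CORP\\bob": "hunter2"}
DIRECT_GROUPS = {"CORP\\alice": {"CORP\\Tier1-Ops"}, "CORP\\bob": {"CORP\\Auditors"}}
GROUP_PARENTS = {"CORP\\Tier1-Ops": {"CORP\\PasswordRecovery"}}   # nested membership

# Global Program Access Rules: group -> basic web application rights.
GLOBAL_RULES = {
    "CORP\\PasswordRecovery": {"logon", "recover"},
    "CORP\\Auditors": {"logon", "view_logs"},
}
# Managed Group Access Rules: group -> managed system lists it may act on.
MANAGED_RULES = {"CORP\\PasswordRecovery": {"Web Servers", "DB Servers"}}


class ComPlusAuthority:
    """Stands in for the COM+ wrapper: the only party that sees passwords,
    group membership, delegation rules and the token store."""

    def __init__(self, recursive_groups=False, token_lifetime=900):
        self.recursive = recursive_groups
        self.lifetime = token_lifetime            # seconds; assumed value
        self._tokens = {}                         # token id -> record ("the database")

    def _groups_for(self, user):
        groups = set(DIRECT_GROUPS.get(user, ()))
        if self.recursive:                        # walk parent groups until nothing new appears
            frontier = set(groups)
            while frontier:
                parents = set().union(*(GROUP_PARENTS.get(g, set()) for g in frontier))
                frontier = parents - groups
                groups |= frontier
        return groups

    def logon(self, user, password, now=None):
        """Domain logon, group lookup, rights build, token issue.
        Returns the opaque token id, or None if logon or delegation fails."""
        now = time.time() if now is None else now
        if PASSWORDS.get(user) != password:       # stands in for the domain logon
            return None
        groups = self._groups_for(user)
        rights = set().union(*(GLOBAL_RULES.get(g, set()) for g in groups))
        if "logon" not in rights:                 # authenticated but not delegated
            return None
        managed = set().union(*(MANAGED_RULES.get(g, set()) for g in groups))
        tid = secrets.token_urlsafe(24)
        self._tokens[tid] = {"user": user, "rights": rights, "managed": managed,
                             "expires": now + self.lifetime}
        return tid

    def authorize(self, tid, action, managed_group=None, now=None):
        """Every later request carries the token; rights come from the store, never from the caller."""
        now = time.time() if now is None else now
        tok = self._tokens.get(tid)
        if tok is None or tok["expires"] <= now:
            self._tokens.pop(tid, None)           # expired tokens are discarded
            return False
        if action not in tok["rights"]:
            return False
        return managed_group is None or managed_group in tok["managed"]


class WebTier:
    """IIS side: holds only the token id per session and forwards requests."""

    def __init__(self, authority):
        self.authority = authority
        self.sessions = {}                        # session id -> token id

    def login(self, session_id, user, password, now=None):
        tid = self.authority.logon(user, password, now)
        if tid is not None:
            self.sessions[session_id] = tid
        return tid is not None

    def recover_password(self, session_id, managed_group, now=None):
        tid = self.sessions.get(session_id)
        return self.authority.authorize(tid, "recover", managed_group, now)


if __name__ == "__main__":
    web = WebTier(ComPlusAuthority(recursive_groups=True))
    print("login:", web.login("sess-1", "CORP\\alice", "correct horse"))
    print("recover Web Servers:", web.recover_password("sess-1", "Web Servers"))
    print("recover Mail Servers:", web.recover_password("sess-1", "Mail Servers"))
    print("web tier knows only:", web.sessions)
```

Note the two things a compromised web tier would actually hold: the session-to-token map, and nothing else. It cannot mint a token (that needs the logon path and the rules), and a stolen token stops working at expiry, which is why keeping the token lifetime short matters as much as protecting the COM+ identity.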
WEB APPLICATION INSTALLATION DIALOG

An instance of the web application can be installed directly from the console. This allows copying all the required files from the local installation directory to the remote machine and installing the required components on the remote system. To perform a web application installation on the remote system, the currently logged-in account must have local admin rights on the target system. To access these features, either click the Manage Web App button in the left control panel of the main dialog or use the Settings | Manage Web Application | Install Web Application Instance menu option.

Install and configure the web application to run either on the local system or on a remote web server. If specifying a remote web server, the required files and registry values will be copied out to the server, along with the setup of the COM+ wrapper and the registration of the COM objects. For remote installation of the website to succeed, the following criteria must be met:

IIS must be installed and running locally, even if it won't be used. It can be disabled or uninstalled afterwards. This component is needed because it provides the IIS management interfaces.
IIS must be installed on the remote web server.
COM+ Network Access (Application Server role feature) must be enabled on the remote web server.

First specify the target for the web application installation. The target system must have IIS 7.5 or later installed and running, with processing of ASP and ASP.NET pages enabled. Use the Check System Compatibility button at the top of the dialog to ensure proper communication with the instance of IIS that is running on the target system.

The Web Files area of the dialog allows configuring which website (if there are multiple) to install the web application to. Choose the website from the drop list. Options are to create a new virtual directory for the application or to install to the root of the website. Specify the destination path on the remote server to copy the web files to, and optionally update any existing virtual directories to point at the destination path. If installing to the root of the website, the destination directory must be the directory that is referenced by the root website. For default installations, the root path for the default website is C:\inetpub\wwwroot.

The Web Application COM Components area controls the COM file copy settings and COM+ application wrapper credentials. Specify the destination location where the COM object .dll file will be copied to on the remote system. By default, this is the %systemroot%\system32 directory on 32-bit systems or the %systemroot%\syswow64 directory on 64-bit systems, so that it is found in the system path. Because the COM object will be registered as a component in a COM+ application during the installation, there is no need to copy the file into the system32 directory. Specify the name of the COM+ application; this will be the name of the wrapper in the Component Services MMC snap-in. The COM component will be registered under this application name. Supply account credentials to run the COM+ application. The credentials must have local administrative access on the target system and domain user rights on the domain the target system is in. Use the Verify Credentials button to ensure that the account specified as the COM+ application identity is recognized on the remote system and has the necessary rights to run the COM+ application.
64-bit Windows systems control access to the system32 directory a little differently than 32-bit Windows systems. To avoid changing permissions or anything else pertaining to this directory, install the COM+ file to a location other than the system32 directory, such as the path where the website will be installed.

The final three options, Website configured for SSL, Website Port, and Explicit Site Address, are not required for a successful website deployment. These options have to do with the ability of the management console to automatically launch the website upon request, such as following initial installation when the prompt appears to launch the website.

The settings of the web application are configured using this dialog as well, and are saved locally and then pushed to the remote server during the installation. Settings changes to the web application options that are made through this dialog do not affect existing web application instances. In order for existing web application instances to get the updated settings, the web application must be installed again on those systems. The web application may be installed over previously existing versions of the web application, assuming that the COM+ application name and virtual directory names are the same. To change the name or path of installed components, remove the existing installation first and then re-install the web application.
Note: For a limited number of specific features to be enabled in the web application, the account running the COM+ application will need to be an administrative account on the systems it recovers passwords for. This constraint is limited to the check-in condition feature that allows the web application to check for existing sessions using an account before allowing a password check-in. Because this operation is performed in the context of the web page, the COM+ application needs the rights necessary to report on logged-on users on the system which contains the account. If the COM+ application does not have the rights to run the check, the check-in of the password is allowed; the check fails open rather than closed.

Note: If upgrading to a new version of the solution, the web application installation must be re-run to update the COM objects and web pages associated with the web application.

WEB APPLICATION SETTINGS

The web application settings are options that tell the website what operations to perform when a password is checked out or checked in. Changes made to this dialog or the encryption settings (on page 189) dialog after a website is deployed will require that website's settings to be updated (see "Web Application - Updating Settings" on page 237). The settings configured here are saved to the registry of the local computer and then pushed out to the target web server during the web application installation. Modifying these settings does not affect existing installations of the web application until those website installations are expressly updated with the current options. In order to update an existing installation, modify the settings and then install the web interface again on the target computer, or re-push the settings (see "Web Application - Updating Settings" on page 237).

APP OPTIONS

Auto-spin recovered passwords - the web application will create a password change job for each password that is recovered through the web application.
The password change job will be scheduled to run a fixed amount of time after the recovery. The amount of time before the change is defined by the Check-out Extension Duration field in the settings. The password change operation uses the same password change settings as the previous password change for that account. If a random password was previously set for that account, the account will get a new random password with the same settings. If the password was set statically, no automatic re-randomization job will be created and the account will retain its current password. Password change jobs are executed by the deferred processing service, so in order for these change jobs to happen, the service must be installed and running.

E-mail alerting - the web application will send an alert e-mail when a user recovers a password through the web interface. The alert e-mail will be sent to the address specified and will include the account name of the recovered password, who recovered the password, and what time the password was recovered. In order for this feature to work successfully, the e-mail server settings must be set up and configured. The e-mail server settings that are configured for the console will be pushed to the web server with the web application installation, so the settings must be valid on the web server as well for the e-mail alerting feature to work.

Only show systems/accounts which match the search filter - normally the default filter is *, meaning a user does not need to specify an exact computer name to see a list of computers or accounts within the website. Enabling this option stops partial filter matches, meaning the user must put in an exact computer name in the 'System Name' or 'Account Name' column in order to see the computer and recover its password.

Only show system/account names (hide system/account info columns) - do not display system information like last managed time, IP address, etc. in the accounts or systems view of the website.

Enable self recovery rules - turns on the self recovery aspect of the delegation system. This feature creates a one-to-one mapping of users to specific computers and allows those users to log on and recover accounts for those computers only, rather than granting access through group memberships to managed groups. This feature can be enabled or disabled independently of the other delegation features. To create the self recovery rules, use the website delegation tool found within the management console.

Enable personal repository - allows users of the web interface to enter individual passwords into the password store through the web interface. The passwords entered this way are only recoverable through the web interface by the user who input the credentials. The passwords are also available to administrators through the management console password recovery feature.
Passwords in the personal repository are encrypted with the same encryption mechanism as other stored passwords in the password store. Any sort of password or other information can be stored in the personal vault, from web page login information to reminders or common passwords.

Personal password store disclaimer text is a text message that will be displayed to users when working in the personal password repository.

Allow website links to be stored with personal passwords - for personal password storage, displays an extra field where a user can input a URL.

Enable description fields for personal passwords - allows the user to input a comment for their personal passwords.

Enable phonetic information for passwords will literally help the user to pronounce the password character by character. For example, the password EAYd|0lc would be written out as ECHO ALPHA YANKEE delta Pipe Zero lima charlie. When enabled, a "Show Phonetics" button becomes visible during a password recovery which, when clicked, will display phonetics for the displayed password.
Enable recursive group membership lookup will cause the solution to perform a recursive lookup of all Windows global group memberships to determine if a user should be allowed access. With the option disabled (default), a user must be a direct member of a delegated group in order to gain the rights associated with that entity. With the option enabled, a user can belong to a group which is a member of the group which has the delegated rights. Enabling recursive lookups will slow down website authentication and other functions which evaluate permissions.

Number of items returned per page limits the number of items displayed on any given page in the website. A smaller number of items will speed the load time of an individual page but will result in a greater number of pages for the user to search through if the result is not on the first page.

Number of rows to export on report limits the number of rows that will be exported from the auditing area in the website. Caution! A large number of rows can cause database timeouts and exhaust memory and COM resources. Individual results will vary.

Custom email message templates folder - e-mails are sent at various points during the password retrieval process: request, grant and recovery. These templates permit the customization of those e-mails.

Default page on successful login operation sets the default page for a user's first-time login. Users cannot set their own preferred default login page.

Alternate background colors for items in lists determines the alternating color for rows on any page in the website which lists data in rows, such as passwords, systems, auditing, etc.

Allow IPMI power operation in web interface - when an operating system is managed that also has a managed IPMI device, this option permits the IPMI device to have its power controls exercised via the website, delegations permitting.
Display available operations with password summary page toggles the passwords display page between showing users all options they have for a given account (e.g. Recover Password, SSH, RDP, etc.) when the passwords page loads, or requiring the user to expand the account to see their available options. Leaving this option enabled tends to be less work for end users; however, turning it off can result in a much faster initial page load for the user. The queries required to determine permissions will be made when the user later attempts to expand the account.

Use asynchronous calls for page loads changes the way data loads, to first load the page and then continue evaluating permissions in the background. This can potentially speed up the page load times for certain pages for users who do not have All Access granted.

Default website style theme sets the default theme and login page for the web application. Once a user is logged in, they can go to the Session Information link in the lower left corner of the website and set a custom theme for their user account.
Installation 213 Server certificate file in web application installation path is used to duplicate functionality in already found in client web browsers to make it easier for users who do not trust the server's SSL certificate to download the certificate and install it themselves. Specifically, if the ERPM website is deployed using a certificate not trusted by all consumers of the website, the administrator can place the servers certificate in the website installation path on the web server. The user may then go to User Settings in their web session and download the certificate and install the certificate. Hide advanced options for launch app hides the advanced configurations for applications launched with the optional Lieberman Software Application Launcher. PASSWORD ACCESS Enable Password Check-out - prevent passwords from being recovered by multiple users of the web application simultaneously. This feature is often used to keep track of exactly who has access to the administrative passwords at all times. When the password is recovered, a lock is placed on the account and no other users will be allowed to recover that same account password until one of three things
happen: the user checks the password back in using the web interface, the Check-out time expires, or a web application administrator overrides the Check-out and forces the password to be checked in. The amount of time a user may have a password checked out can be configured by changing the Check-out Window and Check-out Duration fields. Default check-out/extension duration is the default amount of time a password will be checked out before the Check-out expires, as well as the amount of time granted per extension request. This means a user will be granted the password initially for this number of minutes. If they request an extension, the extension will also be for this number of minutes each time they request an extension. Extensions are cumulative. This means if the window is for 120 minutes and they immediately request two more extensions, they will have the password for 360 minutes. Extensions can be requested at any time prior to the password lifetime expiration; otherwise the password will need to be re-checked out. Extensions will be granted until the Maximum Check-out Duration time would be exceeded. This means if the Maximum Check-out Duration is set to 720 minutes, a user can have the password for no longer than 720 minutes at a time, including all Check-out extensions. Each platform can have its own password checkout duration. Maximum Simultaneous Check-outs dictates how many separate passwords any one user of the web application can Check-out at any point in time. Block password check-in if password is in use attempts to discover if the account is in use on the machine when the user attempts to check the password back in. If the password is still in use, it indicates there are existing sessions on the computer using the password and/or the user may still be logged into that machine with the checked-out password.
If the web application detects that the account is still being used and this option is enabled, it will prevent the user of the web application from Checking in the password until the account is no longer being used on the computer. This option requires that the account being used to run the web application's COM+ application on the web server be seen as an administrative account on the computers where the accounts are located. If the web application does not have the appropriate rights to determine if the account is active, the check-in is allowed and no event will be put in the target computer's application log. Log {option} to System's event log will log the described event to a specified Windows computer's application event log when passwords are checked in or out using the web interface. The web application can log if the account is in use when the password is checked in, or log all password check-in operations. The event messages have Event ID 17 and Source 'Random Password Manager' or 'Enterprise Random Password Manager'. In order to display the event message correctly on the remote computer it is necessary to put the messages DLL in the path of that system. The messages DLL comes with the software and is found in the installation directory as LiebMsgs.dll. The field should contain a specific target computer name. If the field is left blank, the local host name will be used instead.
Allow users to request check-outs in the future and Password Request Window for Future Check-outs (hours) define whether users are allowed to make password requests for future times rather than only immediately, and how far in the future that request can be made for. Block password Check-out if password spin job creation fails is a failsafe mechanism in the solution. When a password change job randomizes a password for any account, that job becomes the "master" job. Subsequent re-randomization jobs (following recovery if auto-spin is enabled) will use this job as a basis for re-randomizing the password. If this "master" job is deleted, the re-randomization job cannot be properly created, and this will put the product into a state where it cannot move forward until that re-randomization job is manually deleted or edited and a new master job is created, or re-randomization is turned off. This option, when disabled (default), will allow recovery of the password and put the product into the degraded state. If the option is enabled, the password cannot be recovered but the product will be placed into a degraded state because of improper/inconsistent jobs. Allow users to check out passwords to any group they are a member of permits a user who has checked out a password to check out the password to any other group the user is a member of, provided that group is configured as an enrolled identity. Those subsequent groups must already be able to view and recover/request access to the password. Require check-in comment when password is checked in will prompt the user for a comment when checking a password back in. The comment is logged to the database along with the recovery operation. If this option is enabled, the comment will be optional. Require recovery comment for password recoveries will prompt the user for a comment when recovering a password. The comment is logged to the database along with the recovery operation. If this option is enabled, the comment will be mandatory.
Require ticket number for password recoveries will prompt the user for a ticket number. The comment is logged to the database along with the recovery operation. If this option is enabled, the comment will be optional. Require ticket number with {Application} will force the solution to validate the input ticket number with an existing ticket number in the designated application. The application must be configured in the Settings Extension Components section of the management console. Password request timeout window dictates how long a password request is valid before it times out and can no longer be granted. A user can only make one request for a specific password at a time, and once a request is made that request will remain active until this time period elapses. If an administrator has not processed the request before the timeout occurs, the request is moved to the timed out request status and the user can make a new password request for the specific account. Request Grant Timeout Window dictates how long after a request has been granted that a user can recover the password. After the window expires, the grant is no longer valid and the user will have to make another password request for the account if they wish to recover the password.
Check-out and check-in operation actions will only apply if the Enable Password Check-out feature is enabled. Allow users to edit and delete managed random passwords - with this option enabled, users/groups/roles that have been delegated the ability to edit/delete passwords within the website will see two new links next to the random passwords and statically defined passwords in the password recovery page of the password recovery website. Editing of random passwords can cause problems for future randomization job runs, password verification jobs, terminal service sessions, or simple account utilization. If this option is not enabled and a user/group/role has been delegated the ability to edit/delete passwords within the website, the logon account will see an edit and delete link next to static passwords only. It is recommended to leave this option disabled.
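The check-out arithmetic above (120-minute grants, cumulative extensions, a 720-minute Maximum Check-out Duration, the simultaneous check-out limit, and the three ways a lock ends) can be exercised with the following model. It is an added illustration written for this guide, not code from Lieberman Software or ERPM; all class, function, account and platform names are assumed, and times are minute counters rather than wall-clock values.

```python
"""Model of the password check-out rules described under Password Access.

Added illustration, not ERPM code: reproduces the documented behaviour so the
numbers in the text can be checked. Names are assumed; times are minutes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CheckoutPolicy:
    """Settings from the Password Access tab; all durations are in minutes."""
    default_duration: int = 120            # Default check-out/extension duration
    max_duration: int = 720                # Maximum Check-out Duration
    max_simultaneous: int = 3              # Maximum Simultaneous Check-outs
    require_checkin_comment: bool = False  # Require check-in comment
    # Assumed representation of "each platform can have its own duration".
    platform_duration: Dict[str, int] = field(default_factory=dict)


@dataclass
class Checkout:
    account: str
    user: str
    start: int      # minute the password was recovered
    expires: int    # minute the lock lapses unless extended or checked in
    grant: int      # minutes granted per extension for this platform


class CheckoutRegistry:
    """One lock per account; only the holder or an administrator releases it."""

    def __init__(self, policy: CheckoutPolicy) -> None:
        self.policy = policy
        self.locks: Dict[str, Checkout] = {}
        # (minute, event, account, user, comment) - the recovery audit trail.
        self.audit: List[Tuple[int, str, str, str, Optional[str]]] = []

    def _expire(self, now: int) -> None:
        """Second way a check-out ends: the window lapses."""
        for account, co in list(self.locks.items()):
            if now >= co.expires:
                del self.locks[account]
                self.audit.append((now, "expired", account, co.user, None))

    def held_by(self, user: str, now: int) -> int:
        self._expire(now)
        return sum(1 for co in self.locks.values() if co.user == user)

    def recover(self, account: str, user: str, now: int,
                platform: str = "Windows") -> Checkout:
        """Recover a password, taking the lock if nobody else holds it."""
        self._expire(now)
        holder = self.locks.get(account)
        if holder is not None:
            if holder.user == user:
                return holder  # holder may view it again within the window
            raise PermissionError(
                f"{account} is checked out to {holder.user} until minute {holder.expires}")
        if self.held_by(user, now) >= self.policy.max_simultaneous:
            raise PermissionError(
                f"{user} already holds {self.policy.max_simultaneous} check-outs")
        grant = self.policy.platform_duration.get(platform, self.policy.default_duration)
        co = Checkout(account, user, now, now + grant, grant)
        self.locks[account] = co
        self.audit.append((now, "checked-out", account, user, None))
        return co

    def extend(self, account: str, user: str, now: int) -> int:
        """Add one grant to the holder's window; returns total minutes held."""
        self._expire(now)
        co = self.locks.get(account)
        if co is None or co.user != user:
            # A lapsed lock cannot be extended; the password must be re-checked out.
            raise PermissionError(f"{user} has no active check-out of {account}")
        if co.expires + co.grant - co.start > self.policy.max_duration:
            raise PermissionError("extension would exceed Maximum Check-out Duration")
        co.expires += co.grant  # extensions are cumulative
        self.audit.append((now, "extended", account, user, None))
        return co.expires - co.start

    def check_in(self, account: str, user: str, now: int,
                 comment: Optional[str] = None, admin_override: bool = False) -> None:
        """First and third ways a check-out ends: holder check-in or admin override."""
        self._expire(now)
        co = self.locks.get(account)
        if co is None:
            raise LookupError(f"{account} is not checked out")
        if co.user != user and not admin_override:
            raise PermissionError(f"only {co.user} or an administrator may check in {account}")
        if self.policy.require_checkin_comment and not comment and not admin_override:
            raise ValueError("a check-in comment is required")
        del self.locks[account]
        event = "admin-override" if admin_override else "checked-in"
        self.audit.append((now, event, account, user, comment))


def worked_example() -> Tuple[int, int]:
    """The guide's figures: 120-minute grants under a 720-minute cap.

    Returns (minutes held after two extensions, extensions granted before the
    cap refuses one). Account name is constructed for the example.
    """
    reg = CheckoutRegistry(CheckoutPolicy(default_duration=120, max_duration=720))
    reg.recover("root@db01.example", "alice", now=0)
    reg.extend("root@db01.example", "alice", now=0)
    after_two = reg.extend("root@db01.example", "alice", now=0)  # 360
    granted = 2
    while True:
        try:
            reg.extend("root@db01.example", "alice", now=0)
            granted += 1
        except PermissionError:
            return after_two, granted
```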
FILE STORE SETTINGS The file store is a secured area of the program which permits uploading of documents or other arbitrary file-based data into the program's data store. When enabled, the program can provide an ACL for each item, version control, and auditing of access to the data. The file repository provides additional security for sensitive data by also encrypting it at rest, that is, while it is stored. When compared to EFS or similar technologies, this feature benefits users because no additional steps are required to secure the data. This feature also consumes no additional licensing. Enable file store - enabling this option will allow the upload, secure storage, delegated access, and access auditing of files within the web application. When files are accessed send emails to the following address - any time a file is opened or checked out, this email address will receive a notification to that effect. Enable file check-out - if this option is left disabled, any number of users may open the same file at the same time. With this option enabled, a file is checked out to a single user at any moment in time. Check-out window/extension interval - time in minutes that a user is guaranteed solitary access to a given file, blocking any other user from checking the file out and making changes to it. Maximum check-out duration - the maximum time in minutes that a user may have any single file checked out. Maximum simultaneous check-outs - the maximum number of files a single user may have checked out to them at any moment in time. Log all file check-outs / check-ins to system's event log - define a Windows event log server for file vaulting operations by providing the NetBIOS name of a Windows computer. Events are written to the Application Log and will have a source of 'Random Password Manager' or 'Enterprise Random Password Manager'.
Enable encryption for files in the store - turns on encryption for files stored in the file store. By default this is not enabled due to encryption export restrictions that are specific to each country as applied to the encryption of data. This product will encrypt files using the same methods used to encrypt the passwords it is storing. Please review country specific laws on encrypting data before enabling this feature. Default file upload permissions - these values are used to define what permissions are assigned to a file that is uploaded into the secure file store. If these options are not configured, then when a user who belongs to multiple groups that are also granted access to ERPM uploads a file, full control permissions will be granted to the user and all other groups the user belongs to.
Limit file sizes for uploaded files in the store - this is the maximum allowable size for file uploads. Be aware that this size may still be limited by IIS settings, which by default are more restrictive. If IIS is set to a lower value, the IIS value will take precedence. ACCOUNT ELEVATION Account Elevation allows the requesting logon account, via the web application, to have its rights elevated on the target system to a pre-defined level for a pre-defined period of time. The goal is to provide a more direct audit trail of user actions without circumventing any domain level policies. Access to this feature is found in the systems view of the password recovery website. Use of this feature does require the deferred processor to be installed and running. Enable self-service account elevation - enables the account elevation feature. In order to make use of this feature, an entity must have the permissions for View Systems and Elevate Account. These rights can be defined globally, per system set, or per system, and are accessible in the Systems area of the website. This option applies to all Windows systems, including domain controllers.
Elevation local group name - the name of the [domain] local group to elevate an account to. If the Elevate Account into Global Group on Domain Controllers option is NOT enabled, users will be elevated to this domain local group in the domain if a domain controller is selected for account elevation. Elevate account into global group on domain controllers - overrides the previous account elevation option when a domain controller is targeted for account elevation, and will place the target user into the global group listed in the Elevation global group name field. Elevation global group name - the name of the global group to elevate an account to when a domain controller is targeted for account elevation and the Elevate account into global group on domain controllers option is selected. Elevation duration - the time in minutes that an account will remain elevated on the target system. Enable arbitrary elevation in the web interface - a delegated user may place an arbitrary user in an arbitrary target group on an arbitrary system for an arbitrary period of time. Typically, this is only used by help desk personnel. Enable email reminder of expiring elevations - for arbitrary elevations, an email reminder will be sent to the user per the Hours before expiration to send reminder setting. Default short term elevation time - the website provides a selection of either long term or short term elevation. If short term elevation is selected, this is the default period of time that the user will be elevated for. Default long term elevation time - the website provides a selection of either long term or short term elevation. If long term elevation is selected, this is the default period of time that the user will be elevated for.
Maximum elevation time - this is the maximum amount of time a user may be elevated for. SECURITY Allow default authenticated user access - enabling this option provides a means for any user who can authenticate against a central directory, such as Active Directory, to gain access to the web console based on the rights delegated to the [DefaultAuthenticatedUserAccount]. This provides an easy and global way to allow users to gain access to the website to use features such as the personal vault. Hide recovered password after - if this option is not enabled, when a user recovers a password and that password is displayed, the password will remain on the user's display panel indefinitely or until the user expressly navigates to a different page or closes the browser. Enabling this option will force the website to redirect to the Main page after a set amount of time, thus minimizing the usefulness of shoulder surfing. Force inactive web session timeout - time in minutes after which an idle login session will expire, requiring re-authentication. Session state should be disabled in IIS; otherwise the shorter of the two
values will win. Session state within IIS MUST be disabled if the website is configured on a Network Load Balanced web farm. Require secure cookies - requires SSL to be enabled for the site (an SSL certificate is not provided by Lieberman Software). Enabling this feature will mark the cookies for use with SSL only; the cookies will not be transmitted if SSL is not used. Enable Windows Integrated Authentication - if enabled, allows users of Internet Explorer to enter the site using their already logged-in credentials without having to retype a user name and password. Use of this feature can be problematic if users share machines. Users will still be prompted with a login page where they can enter a user name and password or simply log in. Automatically login users using Windows Integrated Authentication, in conjunction with enabling Windows Integrated Authentication, will automatically log a user in to the password recovery web site without ever prompting for a user name and password. Disable copy button for displayed passwords - enabling this option disables the copy button when a password is viewed in the website following a successful recovery. Disable concurrent logins from a single user - blocks a user from logging in multiple times from multiple source systems and/or browsers; any single user account is limited to a single session. Embed unique identifier with each page - gives each page a GUID that will be regenerated every few page clicks. This provides a method to partially mitigate replay attacks. Unique identifier valid for only one page request - enabling this option will limit the page GUID to only a single click per page, after which the user must re-enter the page to perform a subsequent action. This provides a method to mitigate replay attacks from the same system, but does mean more navigation, as each page must be manually re-loaded after each action is performed to obtain a new GUID.
Disable explicit web application accounts - enabling this option stops the solution from allowing explicit ERPM application accounts to log in to the website. Store only the authentication token in the cookie - enabling this option removes information from the session cookie regarding user access. This forces the web application to retrieve user rights for each request and may slow down web site processing if enabled. Force logout on any page error - enabling this option will end the user's session if the website encounters a page error. Errors are generated not only by product issues but also by improper commands being entered, such as in the program URL, which would result in a permissions check failing. Require 2 factor authentication for all web application logins - enabling this option enables a global requirement for the website that two factor authentication will be required for access to the website. If this option is not enabled and some form of two factor authentication is configured on the host computer, then two factor authentication can be configured on a per user basis for access to the website
if the Enable 2 factor authentication for web application logins feature is enabled. This requirement applies to all user created explicit logon accounts but does not apply to the built-in web application manager. For more information on how to configure this tool to use two factor authentication, please see the section titled: Two Factor Authentication (see "Two Factor Authentication Configuration" on page 261). Enable 2 factor authentication for web application logins - enabling this option enables 2 factor authentication for the web application but does not mandate it for login. If this check box is not enabled, then the user will not be prompted to enter their passcode even if their delegation right is set to require two factor authentication. For this option to work the two factor client must be correctly installed and configured on the web server machine and the two factor server must be accessible from the ERPM web server. In addition to the settings of the web application, the delegation rules will also need to be configured to require users to use two factor authentication. Those delegation rules can be configured through either the management console or through the web application after installation. See the admin guide for more information. Use simple username for two factor login checks - this option becomes available if the two factor options are set to require or enable. Enabling this option permits the use of simple names rather than fully decorated usernames. Enable OATH token checks for web application logins based on permissions - if OATH tokens are configured in the management console and required for user logins and this option is enabled, a user must supply a proper passcode, in addition to their standard login, in order to gain access to the website. There are no further infrastructure requirements for this form of two-factor authentication.
Prevent the requesting user from granting a password request will stop a user who requests a password, and who also has the rights to grant password requests for the same password, from granting their own request. Allow Client Certificates for User Authentication and Authorization will permit the product to use certificates to authenticate users. Certificates may be in the form of simple user certificates, smart cards, CAC/PIV cards, biometrics, etc. The Bypass login challenge for client certificate identities option will auto-login an account past the forms based login page and not require further credentials to be supplied. Frequent request redirection is designed to help prevent denial of service or brute force attacks directly against the website. Enable account lockout - if an identity attempts to login N number of times in N number of minutes, they will be locked out for N number of minutes from the product. This applies to any identity. Escape all password input fields on submit escapes all input characters to help prevent cross site scripting or SQL injection attacks.
Hide passwords in recovery page until shown stops the password from being displayed on screen in the web site during a password recovery, unless the user explicitly clicks the Show button. The additional functions of copy, show phonics, extend checkout, and check in will still function normally. USER/SESSION MANAGEMENT The User/Session Management tab provides configuration for integrating with a PUM system as well as a session recording system. Privileged User Management (PUM) products provide access controls to perform actions as an elevated user account on a target Linux/UNIX system, using the PUM system as a command proxy which additionally logs all actions taken through this process. Enable Privileged User Management integration support will enable the integration with a supported PUM provider.
PUM Gateway Server (optional) is the default name of the target Linux/UNIX server with the PUM software to be targeted for the run commands. PUM Gateway User (optional) is the default name of the account to be used. Response configuration file location for PUM operations (optional) is the path on the ERPM web server to the PUM response xml file. The file can initially be found on the ERPM application host system in the AnswerFiles sub-folder of the installation directory. If this field is left blank, the response file is assumed to be in the website COM object installation path, which defaults to %systemroot%\system32 on 32 bit systems or %systemroot%\syswow64 on 64bit systems. A further requirement for the PUM feature to work is that the CrossPlatformSupportLibrary, available in the ERPM installation directory, must be installed onto the web server (only if it is a remote web server). Session playback URL - when the optional application launching and the Lieberman Software session recording module are enabled, this is the URL that the compiled videos will stream from. Enable session recording - when this option is enabled, this will enable the integration between the Lieberman Software product and another session recording product such as the one offered by Observe-IT. When enabled, a Session Recording link will appear in the web interface that will enable the session recording product to become part of the ERPM web based experience, granting visibility to the meta-data search and session recording information. For ObserveIT, the link would be similar to this: https://server-name:4883/observeit/integration/sessionrecordingview/search.aspx. The actual URL and port value is configured with the specific installation.
Additional steps may be required for the session recording service. Please refer to their documentation for specifics. REMOTE SESSIONS The password retrieval website can provide a remote session via RDP, SSH or Telnet which will attempt to auto-login to the target system without ever displaying the password of the managed account. The use of this feature will require the user to use Internet Explorer for RDP, or any browser with Java for the SSH and Telnet connections. The user's browser must have a local Java Runtime Environment (JRE) installed at version 1.6 or higher. Enable RDP sessions using stored passwords to the host system will enable the automatic RDP functionality of the website. Allow RDP sessions using stored passwords to any system will permit the managed account to be used to connect to any system, if the target system permits it.
Allow users to choose RDP gateway for web connections will provide a list of RDP gateways for the user to choose when launching an RDP session. Use the Configure Gateways button to add/import/edit the RDP gateway list. Allow multiple RDP windows from a single session will allow the launching of multiple RDP sessions from the website. If this box is disabled, the current auto-RDP session will be disconnected before the new session is established. Open RDP windows maximized will open the RDP window at Full Screen rather than in a window. If host desktop resolution is low, this option should be selected. Enable Telnet Console Access - enable the launching of a telnet session to the target system. Be aware that telnet cannot programmatically pass a password to a target system. Thus password retrieval will be necessary prior to launching the telnet session. Allow multiple Telnet windows from a single session will allow the launching of multiple Telnet windows from the website. If this box is disabled, the current telnet session will be disconnected before the new session is established. Enable SSH Console Access - enable the launching of an SSH session to the target system. This securely and programmatically passes the target system/account credentials so users do not need to be aware of the current password. Allow SSH sessions using stored passwords to any system will permit the managed account to be used to connect to any system, if the target system permits it. Allow multiple SSH windows from a single session will allow the launching of multiple SSH windows from the website. If this box is disabled, the current telnet session will be disconnected before the new session is established. Proxy Type - both the SOCKS and HTTP proxy protocols can be used to traverse firewalls. SOCKS is usually used to create a raw TCP connection, and the HTTP proxy protocol can do the same with the CONNECT method.
If a proxy is required, also supply the Proxy Host, Proxy Port, and Proxy Timeout.
SSH Protocol - when set to Auto, the control will determine what the target supports and use that. Force a particular version if desired.
SSH Port - the SSH target port.
Connection Timeout - initial connection timeout.
Handshake Timeout - amount of time for the connection handshake to take place.
Key Exchange Timeout - amount of time for the key exchange to take place.
Public Key Passphrase - passphrase for the public key keypair file.
Compression Level - possible values are 0-9. 0 = no compression, 9 = best compression/slowest.
Key Timing Noise when Sending Passwords - enable to create a random timing offset for key transfer (security). Allow New Server - enable to permit jumping from server to server from within the SSH session. Enable X11 Forwarding - if X11 forwarding is enabled on the target host, this will enable the feature to function in the Java based SSH session. Allow SSH connections using public/private key pairs - if SSH keys are configured in ERPM, the Java based SSH sessions may leverage keys to connect to the target systems. Key location on client system is the physical path on the client's machine where the SSH keys are physically stored. Allow clients to specify private key paths permits clients to identify the public key path on their own system rather than relying on the globally configured option.
This feature is provided by MindTerm, which is licensed from Cryptzone for integration with Lieberman Software's products. The MindTerm program provides a web-based terminal for SSH, Telnet, SCP, SFTP, and an FTP to SFTP bridge.
The SCP, SFTP, and FTP to SFTP bridge can be accessed from the Plugins menu of the shell once the session is initiated from the web site. See the admin guide for more information on remote sessions.
CONSOLE DISPLAY
Display ASCII - use ASCII line-draw characters instead of drawing.
Auto Linefeed - do auto-linefeed.
Auto Wrap - auto wrapping of line if output reaches edge of window.
<CR><NL> not <CR> for copy/paste - put <CR><NL> instead of <CR> at end of lines in copy/paste.
Copy on mouse select - copy directly on mouse selection.
Send <CR><LF> not <CR><NUL> - send carriage returns as telnet <CR><LF>.
Ignore NULL inputs - ignore any null bytes in the data stream.
Insert mode enabled - toggles insert mode.
Local Echo - enable local echo.
Local Page keys - use PgUp, PgDn, Home, End keys for local scroll or escape them.
Map Ctrl+Space to NULL - typically used for emacs.
Reposition screen to bottom on input - reposition scroll area to bottom on keyboard input.
Reposition screen to bottom on output - reposition scroll area to bottom on output to screen.
Mouse button to paste - click the mouse button to paste the copy buffer.
Allow window to resize - allow the window size to be changed or fixed.
Visible cursor - toggles whether the cursor is visible.
Visual bell - toggles whether an audible or visual bell is used.
Send on Backspace - character to send on BACKSPACE: BS (^h, 0x08), DEL (^?, 0x7f), or ERASE (^E[3~).
Send on Delete - character to send on DELETE: BS (^h, 0x08), DEL (^?, 0x7f), or ERASE (^E[3~).
Scrollbar Position - relative scrollbar position (none/left/right).
Terminal Type - name of terminal to emulate (xterm, linux, scoansi, att6386, sun, aixterm, vt220, vt100, ansi, vt52, xterm-color, linux-lat, at386, vt320, vt102 and tn6530-8).
Background Color - color of the background.
Cursor Color - color of the cursor.
Foreground Color - color of the foreground window.
Rows - number of rows to display in the terminal.
Columns - number of columns to display in the terminal.
Font Name - the font name to use in the terminal.
Font Size - size of the font displayed in the terminal.
Line space Delta - number of pixels to modify the line spacing with.
Line Buffer - number of lines to save in the scroll back buffer.
USER DASHBOARDS ERPM includes a number of dashboard and visualization features. To enable the feature, select the check box on the User Dashboards tab. The web server must have .NET Framework v4.x installed for the dashboards to work. To be able to view/configure charts, a user must have either of the following Web Application Global Delegations:
Grant All Access
View Dashboards
When the web application is installed, the dashboard configuration setting will be set in the web server's configuration whether or not the dashboard feature is enabled in the application settings. This is so that if the feature is enabled later, the web server configuration doesn't need to be updated, just the settings for our application on the server. The changes that are made for the installation of the dashboards are the following. First, a new application pool in IIS for the chart component is created. The application pool that is created in IIS is called PWCDashboards. It is set to enable 32-bit applications and should run as LocalSystem or another account capable of reading and writing the temp files directory where the images for the chart control will be stored. The framework version is set to version 4. The second step is the creation of the web application itself for the dashboards. The folder will be located under the installation directory of the ERPM web application and is called Dashboards. In IIS,
the Dashboards child directory is converted to an application and configured to run with the PWCDashboards application pool.
WEB APPLICATION - POST INSTALLATION This section covers steps that may be required after the website is deployed, such as configuring Integrated Authentication. For SSL configuration, see SSL configuration (see "How to Configure SSL" on page 58) under the Installing and Configuring IIS (on page 33) section of this manual. INTEGRATED AUTHENTICATION Enterprise Random Password Manager can make use of either simple forms based authentication, which requires users, once logged onto their systems, to re-enter a username and password to enter the password retrieval web application, or integrated authentication, which will not necessarily require the user to enter their username and password again. If integrated authentication is enabled, a user leveraging Microsoft Internet Explorer or another trusted Microsoft program/process can enter the website without being prompted for credentials. The concept behind this type of login is threefold: 1) For users, this simplifies the login process by not necessarily requiring the user to enter a username and password to enter the website. 2) For trusted processes, this allows programmatic retrieval of the password via the SDKs, web service, or other methods without requiring an additional username and password to be sent. 3) For scenarios where user certificates may be required (e.g. PKI, CAC cards, guarantee of identity of the calling application during programmatic retrieval, or untrusted processes), this permits a seamless login to the system without requiring an additional username and password to be sent. The following details the steps required to enable integrated authentication to work with ERPM.
Installation 235 Within IIS, open the website or virtual directory hosting the ERPM web pages. Open Authentication. Disable Anonymous Authentication and enable Windows Authentication. The response type and the protocols defined (properties of Windows Authentication) may affect the Internet Explorer security settings needed for using Integrated authentication. Even with these settings, the user may still be prompted for credentials if Internet Explorer's security settings are too strict for the given security zone. Contact support for more help. From the management console, go to Web Options (button) Options Security tab and Enable Integrated Windows Authentication. The sub-option, Auto Login Users (orange arrow), can be turned on if users should never be presented with a login screen at all. This is not necessarily a recommended option, as it defeats the ability for other users to log in from within the context of another user's login session.
Installation 236 After the updates are made, update the web instance(s) with the new options. Right-click on the web instance and select Replace instance options with default web application options... Configured as described above, the web login page allows the input of a specific username and password or a simple login by clicking the Integrated button.
Installation 237 All the user needs to do to log in is click the Integrated button. If the sub-option to auto-login users is enabled, then no login page (depicted above) will ever be displayed and they will be brought into the application immediately. WEB APPLICATION - UPDATING SETTINGS Any time program encryption settings or any of the web site options are changed, it will be necessary to update the website settings; the website may be re-deployed instead if desired. To update the website settings, go to Settings Manage Web Application Manage Web Application Instances. If the web server can be remotely managed and the website was automatically installed previously, simply right-click on the web site instance and choose Replace instance options with default web application options. If the remote web server cannot be remotely managed or the website was not installed automatically (Manual Installation), choose Advanced Export Web App Registry Config. This will save the configuration to a registry file which can then be manually imported into the web server(s).
Installation 238 Each installed website also maintains its own specific settings once deployed. To manipulate settings for one specific website without affecting the others, right-click on the particular instance and select Change web application options for selected instance.
Installation 239 MANUAL WEB APPLICATION INSTALLATION If the automated installation fails, follow these steps to manually install the web application on a system. These detailed steps are helpful to troubleshoot a failed web application installation, or to change web application settings. 1. MANUALLY CONFIGURE THE WEB FILES To perform a manual installation of the ERPM password recovery web site, certain files must be copied by hand to known locations. The best location to copy the web files to is a subdirectory under .\inetpub\wwwroot such as PWCWeb (this makes the path %inetpub%\wwwroot\pwcweb). This is because this directory already grants the necessary permissions to the web server's IUSR account. You may find these files in the Random Password Manager installation directory in the WebInterface folder. Also copy the RouletteWeb.dll file to the web server. The recommended location is %systemroot%\system32.
Installation 240 Lastly, export the website registry configuration for import to the registry of your web server. To learn how to do this, read the section titled Web Application - Updating Settings (on page 237).
Installation 241 2. IIS 7 AND ASP PAGES Microsoft Internet Information Services 7.5 or later may be used on the web server to use the web application component of Enterprise Random Password Manager; processing of ASP and ASP.NET pages must also be enabled. For information on installing IIS 7.5 and its required components as is applicable for Enterprise Random Password Manager, please see the section titled Windows 2008 and IIS in the Installation of Prerequisites section earlier in this manual.
Installation 242 Presuming that Active Server Pages (ASP) is installed as a role service for IIS 7.5, simply validate that it is enabled for the website or virtual directory that the website will run from. To validate that ASP is available to a website or virtual directory, select the website where the ERPM website (or where you will create the virtual directory) will be deployed. In the center pane, open Handler Mappings. ASPClassic should be listed as Enabled and Path Type should be set to File or File and Folder. If the module is listed as disabled, then right-click on ASPClassic and select Edit Feature Permissions. The permissions should allow Read and Script. If ASPClassic is not listed at all in the handler mappings, add the ASP references for the website, virtual directory, or server - any will work. The highest level is Server. Website inherits from server, virtual directory inherits from website - by default, this can be controlled at each level. To add the ASPClassic handler to IIS, if it does not exist, click the Add Module Mapping link in the top right corner of the IIS 7 management console. Add the following information:
Request path = *.asp
Module = IsapiModule
Executable = %windir%\system32\inetsrv\asp.dll
Installation 243 Name = ASPClassic
Click Request Restrictions and set the following options:
Mapping tab = Invoke handler only if request is mapped to: FILE
Verbs tab = Specify the verbs to be handled: One of the following verbs: GET,HEAD,POST
Access = Script
Installation 244 Part of the installation of the web application involves creating a virtual directory in IIS. This virtual directory will reference the set of ASP pages which provide the user interface for the web application. During the automated web application installation, the ASP files are copied from the installation directory to the C:\Inetpub\wwwroot\RPMWeb directory and the new virtual directory is created in IIS. Shown here are the manual steps of making these changes.
Installation 245 Name the new virtual directory; the name can be anything. The default name is RPMWeb for Random Password Manager and PWCWeb for Enterprise Random Password Manager. The name provided affects the URL used when accessing the website. Point the virtual directory's physical path to the location of the ASP pages. Click OK to finish creating the virtual directory. To finish the configuration of the virtual directory, select the virtual directory just created, then:
Open ASP from the center pane and validate the following settings:
In the Behavior area, buffering should be enabled
In the Behavior area, Enable parent paths can be True or False. The recommendation is False
In the Behavior area, Enable session state can be True or False. If running the website as part of a network load balanced cluster, the value must be set to False
Open Default Document from the center pane and validate the following settings: it should be enabled, and Default.asp or Login.asp should be somewhere in the default documents list.
Open Authentication from the center pane and validate the following settings: the only authentication method that should be enabled is Anonymous Access.
Lastly, because of the nature of this application, the web server has the capability to send passwords out to the users of the web application. If there is the possibility of unauthorized users sniffing traffic from the web server, it is recommended to install and use an SSL certificate on the web server to encrypt passwords viewed through the web interface. Support of SSL and the issuance of certificates will need to be handled by the organization.
Installation 246 3. CONFIGURE IIS DIRECTORIES Now that the required web files have been copied to the IIS server and the web server application roles have been installed and configured, IIS can be configured. Do note that the website will still be non-operational until the COM+ application is set up in steps 5 and 6. Open IIS and decide where to install the website. The location selected in IIS affects the URL that users go to. The default location chosen during an automatic install is a virtual directory called PWCWeb. This makes the URL for the users: servername/pwcweb. Choose any desired name or path, as there are no hard requirements for this portion of the installation. These steps detail a default installation based on the automated installation routine. At the top of the left IIS pane, expand the server, right-click on Application Pools, and select Add Application Pool. Set the name to PWCDashboards, the .NET CLR version to v4, and the Managed pipeline mode to Integrated. Then click OK. Right-click on the new PWCDashboards application pool and select Advanced Settings. Set Enable 32-Bit Applications to True. Set the identity to LocalSystem if it is not already.
Installation 247 Then click OK.
Installation 248 In IIS, expand the server node and then expand Sites. Right click on the default website and click Add Application. In the Alias name, type PWCWeb (this name affects the URL). In the physical path, type the path to the location where the web files were copied in step 1. Leave the application pool configured as the DefaultAppPool. Click OK. Expand PWCWeb. Right-click on the Dashboards folder and select Convert to Application.
Installation 249 Next to the Application pool field, click Select and choose the PWCDashboards application pool. Click OK. Expand PWCWeb. Right-click on the FileVault folder and select Convert to Application. Accept the defaults and click OK. 4. FILE STORE MANUAL SETUP There are limitations to the size of the files that may be uploaded, which is controlled by IIS. The first limitation, set by Internet Information Services, limits uploads to 200KB (204,800 bytes). The second limitation is the SQL database and how large it permits binary blobs to be; the limit is 2GB in size. While there is nothing to be done about the SQL limitation, the IIS limitation can be handled. To fix this problem in IIS 7.5 and later, change the Maximum Requesting Entity Body Limit attribute for the website within IIS. The default value is 204,800 bytes (200KB). To set this value: 1) Open Internet Services Manager and select the website in question. Open ASP properties and expand Limit Properties. Edit the value for Maximum Requesting Entity Body Limit.
Installation 250 2) After entering the number, hit the Enter key or click away. The value will be set to the new value and be shown in bold, indicating it is not a default value. 3) Click the Apply button in the top right corner of the MMC to apply the change. Note: To increase the file download size limit, repeat all steps above but in step 3, find the parameter called Response Buffering Limit. The default download limit is 4MB. For IIS 7.x, additional manual configuration must be made for file uploading and Check-out to work properly. When installing Random Password Manager or Enterprise Random Password Manager on a Windows 2008 R2 or later system and the File Repository is enabled, the website will display error 404.0 when attempting to open a file. The IIS 7 default configuration sets error handling in a way that prevents the file vault from functioning. Microsoft does not provide a way to programmatically set this option. To fix this: 1) In IIS, expand the website[\virtualdirectory], then expand FileVault. 2) In the FileVault settings area, open Error Pages. 3) Click Edit Feature Settings on the right panel and set the error responses action to Custom Error Pages.
Installation 251 4) Click OK. Now select the 404 error page and click Edit on the right Actions pane.
Installation 252 Select the option to Execute a URL on this site. Then set the path to /PWCWeb/OutputFile.asp. If the ERPM website was installed to the root of the website, simply set the path to /OutputFile.asp. When installing Random Password Manager or Enterprise Random Password Manager on a Windows 2008 R2 or later system and the File Repository is enabled, the website will display error 500.19 when attempting to open a file. IIS configuration settings default to requiring a web.config file for its settings and error handling. A few additional settings need to be made in IIS. 1) In the web files installation directory, typically c:\inetpub\wwwroot\rpmweb or c:\inetpub\wwwroot\pwcweb, create a folder called FileVault. 2) In the FileVault folder, create a file called web.config. 3) Open the web.config file using Notepad and copy and paste the text in the code box below. Then save the file. Don't include the slashes.
Installation 253
////////////////////////////////////////
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
  </system.web>
</configuration>
////////////////////////////////////////
Be sure to follow the four steps earlier in this section to configure the custom error handling. 5. COM+ IDENTITY WRAPPER Enterprise Random Password Manager utilizes a COM+ server application to store credentials for use by the COM objects used by the web application. Because the COM+ Application is a server application, it uses a specified set of credentials instead of the launching process' credentials. Running as a specific user allows the COM+ Application to run the COM components at an elevated level of access without running the website as that powerful account. For the web application to work, the COM+ application must be running using an account which has local administrative rights as well as domain user rights. COM+ must be supported and enabled on the web server for the web application installation. The creation of the COM+ object is handled through the web application installation wizard, but the steps can also be performed manually as shown below.
Installation 254 Open the Component services utility and browse to the COM+ Applications folder on the local machine. Create a new COM+ Server Application (specific credentials) called PWCWebComApp for ERPM.
Installation 255 On the second page of the wizard, choose to Create a new empty application.
Installation 256 Title the application PWCWebComApp and choose Server application.
Installation 257 Enter the user account for the COM+ application. This account must have administrative access to the local machine. This account will also need to be a valid domain user if it is going to provide authentication to the web site for domain users. Finish the wizard to create the COM+ Application. Finally, configure the required security settings on the COM application. Open the properties for the COM+ Application just created and validate the following settings:
On the Security tab, Enforce access checks for this application is NOT selected
On the Security tab, the security level is set to Perform access checks at the process and component level
On the Activation tab, the activation type is set to Server application
Initially the application will be empty and the required COM components (see "6. COM Components" on page 257) must be added in order for the web site to function. 6. COM COMPONENTS Once the COM+ Application has been created, the COM objects used by the web application will have to be added so they will be registered with the system. Once the COM objects have been registered with the system, they can be called from other applications (in this case the web server can call them from
Installation 258 ASP pages). The benefit of adding the COM objects to a COM+ application is that they will run as the user account stored in the COM+ application, rather than the context of the calling user. The required COM components are copied to the installation directory. The files which contain the COM objects are named RouletteWeb.dll. The installation wizard will automatically add the COM objects to the COM+ application, but this can also be done manually. Open the Component Services console and locate the components folder of the PWCWebComApp COM+ Application. Choose to add new components to the application. Choose to Install New Component(s).
Installation 259 Browse to the installation directory of ERPM, or wherever the file was copied to, and add the RouletteWeb.dll file to the COM+ application. Once the COM object has been added as a component, the web server will be able to create and access it. 7. WEBSITE CONFIGURATION OPTIONS AND SETTINGS If a manual installation must be performed, then also update the configuration options by hand. This includes all of the normal website configuration options such as password check-out and check-in options, but also the encryption key and database connection string.
Installation 260 To update the website settings, go to Settings Manage Web Application Manage Web Application instances. As automatic installation of the web application failed, configure the web application options (see "Web Application Settings" on page 210), then choose Export Web App Registry Config from the Advanced menu. This will save the configuration to a registry file which can then be manually imported into the desired web server(s). Any time the encryption settings for ERPM or any of the web site settings options are changed, it will be necessary to update the website settings.
Installation 261 TWO FACTOR AUTHENTICATION CONFIGURATION Enterprise Random Password Manager supports 2-factor authentication for access to both the management application console and the delegated web interface.
Installation 262 OATH 2-FACTOR Support for OATH token authentication is available for the web application and management console. No further infrastructure is required for support of this two-factor authentication method when using TOTP tokens; HOTP may require additional elements. If OATH Tokens are required for web access, then after a user enters their login credentials they will see a login prompt which asks for their OATH Token passcode. OATH Logins can be set up in multiple ways with support for TOTP and/or HOTP tokens. TOTP will send the token key via email or SMS. HOTP will require a physical or soft device that is kept in sync with ERPM. Below is a sample TOTP email message:
Message From Enterprise Random Password Manager (Version: 110531)
Message from 2K8R2-2
Your login requires token authentication
Token Code: 81607010
Token code is valid for 15 minutes
Input the Token Code and click Login. If the login is successful, there will be no further prompts from the OATH system. If the OATH login is unsuccessful, the user will be dropped back to the initial login page with a message stating: Login Error: Failed OATH token check.
Installation 263 The attempt will be logged in the program's audit logs, and the user's bad login count will be incremented in the OATH Token Configuration dialog (Delegation Token Configuration). Be careful: after too many unsuccessful logins the user will be locked out for 15 minutes automatically or will require admin intervention to unlock the account.
Installation 264 OATH TOKENS Support for OATH token authentication is available for the web application and management console. No further infrastructure is required for support of this two-factor authentication method when using TOTP tokens; HOTP may require additional elements. Support for the web application requires that the OATH tokens are configured in the management console (Delegation Token Configuration...), that the web application options to support it are turned on, and that the identity that should require a token has the option selected in the global delegations (Delegation Web Application Global Delegation Rules...). Enterprise Random Password Manager provides support for seven different OATH token types:
OATH HOTP 6 Digit SHA1
OATH HOTP 8 Digit SHA1
Prefixed OATH HOTP 6 Digit SHA1
Prefixed OATH HOTP 8 Digit SHA1
OATH TOTP 6 Digit SHA1
OATH TOTP 8 Digit SHA1
Yubico OTP
The one-time-password, or OTP, authentication method can be divided into two sub-types. Time-based methods rely on the transformation of a shared secret and a time value that is synchronized between the server and the client. Event-based methods rely on the transformation of a shared secret and an event count that is synchronized between the server and the client. Typically, the event that is counted is the pressing of a button on the token. HOTP tokens rely on the event-driven model. For example, a user with a key-fob or soft-element on their smartphone presses a button. That device or software is in sync with the OATH server (ERPM) such that when they press the button, the code generated is the same code that ERPM comes up with. TOTP tokens rely on a time-driven model and are most comparable to RSA tokens, where if a physical or soft device is used, its code is on-screen and changing periodically.
Installation 265 Following is a description of the token assignment dialog and its fields. Select the appropriate token type to use; see the top of this section, OATH Tokens, for descriptions of each token type. The token type that is selected will determine which options are available. The following text describes each token option. Once a token is configured and assigned, click Save. OATH Token Properties Token Type - Select the token type and number of digits for the token. Both OATH and Yubico formats are supported. OATH tokens come in an event-based version known as HOTP and a time-based version known as TOTP. Yubico tokens only come in an HOTP version. Token ID - This is an 8 digit code that must be unique between tokens. This value is frequently auto-generated by token manufacturers to distinguish one token from another. Customer prefix (8 bits) - This is a single byte value that allows token vendors to further qualify tokens by customer. Note that some tokens have the ability to transmit their Token ID and Customer Prefix as well as the token code itself as a long string of digits (i.e. Yubico). In this case, the program will attempt to verify not only the token code (6/8 digits), but also the Token ID and Customer Prefix value. If using a token that only presents 6 or 8 digits (non-USB device), then the preceding two fields are not verified and are used for internal accounting only. Token Key - The Token Key field is used to provide either a 160-bit key for OATH tokens or a 128-bit key for Yubico tokens. The field uses the decimal encoding type, where each byte (8 bits) is written as two hexadecimal digits (00-ff). For an OATH token of 160 bits, this is represented by 40 digits (20 bytes x 8
Installation 266 bits). The OATH token key is a random number seed fed into the SHA1 algorithm defined by OATH. Yubico tokens place an AES 128-bit key in this field. This key is unique to each token and is used to decrypt the payload of the Yubico token. Yubico does not present a token value per se; instead it encrypts a token USB insertion count (Session Count) and a key press count during the current session. Note that Yubico has additional user fields for verification. Since the token cannot be decrypted with the wrong AES key, the token is secure. Note that Yubico is an event token only (HOTP). RFC4226 Button - Pressing this button creates a special test Token Key that is used to confirm the OATH compatibility of HOTP tokens: "3132333435363738393031323334353637383930" The seed created is nothing more than the byte equivalent of the ASCII character sequence "12345678901234567890". In practice, the first few token values for this test token are well known and can be used to make sure that hardware or software is creating the correct token code sequences. Example: 6 digit RFC4226 sequence: 755224 287082 359152 Example: 8 digit RFC4226 sequence: 84755224 94287082 37359152 Generate Random Key button - This button generates a series of random numbers to create either a 160-bit seed for OATH format tokens, or a 128-bit crypto key for Yubico tokens. When creating tokens for production use, always use the Generate Random Key option or import seed files generated by a reliable source. Do not create seeds manually by hand, as it is essential that the values be completely random. Token Secret Encoding Type - Encoding type used for the seed. Valid values are decimal or base64. Moving Factor Seed - When an OATH HOTP token is first programmed, the first token code is generally assumed to start from a zero offset in the SHA1 cryptographic sequence. Some vendors of tokens will start the token off with a random number of initial key press clicks.
The thought is that if someone were to get the seed for a token, they would not know where the sequence began (if other than zero). Some token customers feel more comfortable starting tokens at random points in the random sequence generator, so we provide support for the function even though it does not provide any significant improvement in security. Generally it is assumed that OATH seeds are secure and there is no need to start the token off at a random starting point in its key press history (the first key press is offset or moving factor = 0).
Installation 267 Last Authentication Check - the last time the user attempted authentication using their token. Last Authentication Success - the last time the user successfully authenticated using their token. Last Configuration Time - the last time the token configuration was updated. Token Unlock Time - if the user has locked themselves out due to failed login attempts, this is the time at which they will be unlocked. To unlock the user now, click the Unlock button. Number of Bad Auth Attempts - the number of times a user can fail authentication before being locked out. A value of 0 means lockout immediately. Current Sequence Number - This is the current number of key presses recorded against this event token (HOTP). This number starts at zero with a new token and is updated to reflect the last matched key press sequence number. As an example, a brand new token starts with a sequence number of zero. If a user presses the button four (4) times to play around with the token and then logs in with the fifth (5th) key press, the program will detect that the fifth token code was used and will then expect and accept only token code number six (6) and later. The Current Sequence Number is required to make sure that a user does not reuse an old or previous token code. Moving Window - Given that a user may inadvertently press the token button, the software needs to account for this and look forward from the last token code. In the default case, the program will accept up to the next 10 token codes from the last one that it successfully authenticated against. In the case of time-based tokens (TOTP), this value is split in half to look for tokens 5 steps back in time and 5 steps forward in time, where time is the current time. Note that the program is smart enough not to allow the use of time token code values older than the last one correctly authenticated.
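The RFC 4226 test sequence, the forward Moving Window and the Current Sequence Number replay check described above, as an added Python example that is not Lieberman's code: it reproduces the 6 and 8 digit codes the manual lists for the RFC4226 test key, then models a server-side verifier with the default window of 10 (split 5 back / 5 forward for TOTP) and the 15 minute lockout. The verifier class names and the failure threshold are assumptions for the example.

```python
import hashlib
import hmac
import struct

# The manual's RFC4226 test seed: ASCII "12345678901234567890" as 40 hex digits.
RFC4226_TEST_SEED_HEX = "3132333435363738393031323334353637383930"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits (zero padded)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP with the counter replaced by the 30 s time step."""
    return hotp(seed, unix_time // step, digits)


class HotpVerifier:
    """Server-side state for an event (HOTP) token: the next sequence number
    the server will accept, the forward window (manual default 10) and the
    bad-attempt counter that locks the user for 15 minutes.  `max_failures`
    is a constructed value standing in for Number of Bad Auth Attempts."""

    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, seed, digits=6, window=10, moving_factor_seed=0, max_failures=3):
        self.seed = seed
        self.digits = digits
        self.window = window
        self.next_counter = moving_factor_seed  # moving factor = 0 for a fresh token
        self.max_failures = max_failures
        self.failures = 0
        self.unlock_time = 0

    def verify(self, code: str, now: int) -> bool:
        if now < self.unlock_time:
            return False  # still locked out; do not even evaluate the code
        # Look forward from the last matched code; earlier codes are replays.
        for counter in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.seed, counter, self.digits), code):
                self.next_counter = counter + 1  # only later codes from now on
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:  # 0 means lock on first failure
            self.unlock_time = now + self.LOCKOUT_SECONDS
            self.failures = 0
        return False


class TotpVerifier:
    """Time (TOTP) token: the 10-code window is split into 5 steps back and
    5 steps forward of the current time, and a step no later than the last
    accepted one is rejected so a code cannot be replayed."""

    def __init__(self, seed, digits=6, step=30, window=10):
        self.seed = seed
        self.digits = digits
        self.step = step
        self.half = window // 2
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for s in range(current - self.half, current + self.half + 1):
            if s <= self.last_step:
                continue  # older than (or equal to) the last good code
            if hmac.compare_digest(hotp(self.seed, s, self.digits), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    seed = bytes.fromhex(RFC4226_TEST_SEED_HEX)
    print("6 digit:", [hotp(seed, c) for c in range(3)])
    print("8 digit:", [hotp(seed, c, 8) for c in range(3)])
```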
Configuration Password - Yubico-specific token configuration password to protect token reconfiguration. Generate Token - button to test token creation and login. Yubico OTP Properties Yubico tokens support both the open OATH standard as well as their own proprietary standard called Yubico OTP. This section maintains the current status information if the user has selected and configured a Yubico OTP token. The Yubico native format passes a long stream of encoded characters (called modhex) that contain token identification information, the number of times the token has been plugged in, and the number of times the button was pressed in the current plugged-in session. When using Yubico OTP, all of the token configuration information must match what is stored within this program. Each time the token is used, the data stream is decoded and the token reveals its token identification, the number of times the unit has been plugged in, and how many times the button has been pressed. This program checks to make sure that the token information is correct for the current user and that the user has not tried to replay a previous string of digits.
Installation 268 Yubico tokens can be delivered fully programmed from Yubico with a seed file ready for import into this program, or blank Yubico tokens can be programmed in OATH or Yubico OTP format. Session Counter - Last count received from the token indicating how many times the token has been plugged into a USB port. The device accumulates an internal counter of how many times it has been plugged into a USB port. For a new token this value will be zero. When the Yubico OTP authenticates successfully against this system, this internal information is decoded, stored and displayed. User for Session Counter - This is the count of the number of times the button on the Yubico token was last pressed when plugged in and it authenticated with this application. Both of the two previous parameters are normally zero for a new token. Once a token has been decoded for the first time, the above two parameters will be set to the discovered values. Only tokens whose counter values are greater than the previously recorded usage are accepted. Note that neither of these values can be determined if this program does not have the correct AES key for the token. The encryption key should be different between tokens. Private Token ID - The string of digits returned contains both clear text and encrypted data. When the token information is decrypted, the token ID field identifies the token with an 8 digit number. This field may be pre-configured by the manufacturer, or may be set by the customer when programming blank tokens in the Yubico OTP standard format. Token Assignment Properties One easy and quick way to deploy multi-factor authentication is to forgo the use of physical tokens and send users the current token value using an out-of-band communication channel such as email or SMS/text messaging.
With this option it is possible to use either the Active Directory email address or pager information for a user to implement multi-factor authentication, sending a time-based token value that has a limited lifetime of usage (defaulted to 15 minutes to use the token before it expires). The prerequisites to using this feature:
1) Configure user tokens for TOTP 6 or 8 digits, generate a random seed, and properly associate the account and its type to the token.
2) Configure the option to send either email or SMS tokens.
3) An email account must be defined in Active Directory, or Active Directory must have the Pager field for a user defined to contain the email alias for their SMS/text messaging device. Most pager and cell phone providers provide an email alias for all phones on their network. The format is generally: PhoneNumber@CarrierGateway.com. See Wikipedia for SMS Gateways to get an updated list of email gateways for carriers worldwide. These user parameters can be set manually using the Active Directory Users and Computers administration tool.
4) If sending email to a domain outside of the corporate network, it may be required to configure the program's email configuration to use authenticated email access (to enable email relay).
Installation 269 Alternatively, install our standalone email server, SMTP Express (available free from our web site for use with our products), and configure this program's email configuration to use SMTP Express as a local email gateway to relay email and SMS messages. Associated User - the user name (login name) that will be used to enter the ERPM website. If using an explicit ERPM account, enter the name as UserName. If entering a domain or directory user, enter the name as DirectoryName\UserName. User Login Format - if the associated user is an explicit account (entered as UserName), then select Username Only. If the associated user is a user from a directory (entered as DirectoryName\UserName), select Username and Authenticator. Token Comment - a comment for the user/token. Email options - HOTP tokens have nothing to email users, as they rely on an external mechanism that is kept in sync with the ERPM server. TOTP token users must be sent their token. This can happen via an email or SMS message using attributes as found in Active Directory. ADDITIONAL OATH RESOURCES Oath Specifications Web site for the OATH initiative for Open Authentication: http://www.openauthentication.org/ Membership list for OATH: http://www.openauthentication.org/members Official specs for OATH tokens: HOTP: http://www.ietf.org/rfc/rfc4226.txt TOTP: http://tools.ietf.org/html/rfc6238 Our code follows the following best practices for token authentication: TOTP: http://www.openauthentication.org/webfm_send/43 HOTP: http://www.openauthentication.org/webfm_send/42 Overview - Yubikey Yubico Web Site: http://www.yubico.com/ Cross-platform software tools to program blank Yubico tokens (both OATH and Yubico OTP programming are supported in the same tools): http://www.yubico.com/personalization-tool
Note: there are tools to program tokens one at a time and tools to program many keys in one pass (bulk programming). Video on programming tokens in bulk (this also produces a CSV file for use by ERPM): http://vimeo.com/11141444
Yubico store for purchasing tokens: https://store.yubico.com/
Specification for YubiKey OTP mode: http://static.yubico.com/var/uploads/pdfs/yubikey%20authentication%20module%20design%20guide%20and%20best%20practices_v1_0.pdf

Yubico's YubiKey also has its own native encoding and decoding scheme. Rather than computing an HMAC-SHA1 value and searching for the counter that produced the received code, the YubiKey encrypts a block that carries a unique token identity, a session counter and the number of presses within the current session. The only rule to keep in mind when validating is that the session/press counter pair must always be greater than the last pair recorded for that key; otherwise the OTP is a replay and is ignored.

OATH WITH EXISTING TOKENS
When tokens are purchased in bulk already configured (loaded with a cryptographically random seed), the vendor can provide a CSV file containing records of token identifiers, seeds and other useful information. The same token seed can be used for most common types of OATH token, so the first step is to select the target token type for the provided seed file.
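The following Python is an added example, not Yubico's or ERPM's code, showing the structure a YubiKey OTP decrypts to and the replay rule described above: modhex decoding of the public ID, the CRC-16 residue check carried inside the block, masking of the caps-lock flag in the use counter, and the strictly increasing (use counter, session counter) comparison. The AES-128 decryption of the OTP body with the key's secret is assumed to have happened already, so the plaintext blocks, the public ID and the keyring here are constructed for the demonstration.

```python
"""Added example (not Yubico's or ERPM's code): the decrypted YubiKey OTP block
and the replay rule. The AES-128 decryption step is assumed done; blocks, public
ID and keyring are constructed for the demonstration."""
import hmac
import struct

MODHEX = "cbdefghijklnrtuv"        # Yubico's keyboard-layout-independent hex alphabet
CRC_OK_RESIDUE = 0xF0B8            # CRC over a block with its own (inverted) CRC appended


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string (used for the public ID and the OTP body)."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(c) for c in text]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def crc16(data: bytes) -> int:
    """CRC-16 as used in the YubiKey block (init 0xFFFF, reflected poly 0x8408)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            low = crc & 1
            crc >>= 1
            if low:
                crc ^= 0x8408
    return crc


def build_block(uid: bytes, use_ctr: int, timestamp: int, session_ctr: int, rnd: int) -> bytes:
    """Lay out the 16-byte plaintext the way the key does (a constructed stand-in
    for the AES decryption): uid(6) useCtr(2 LE) tstamp(3 LE) sessionCtr(1) rnd(2) crc(2)."""
    body = (uid + struct.pack("<H", use_ctr) + timestamp.to_bytes(3, "little")
            + bytes([session_ctr]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)   # key stores the inverted CRC


def parse_block(block: bytes):
    """Return (uid, use_ctr, session_ctr) or raise if the CRC does not verify,
    which is how a wrong AES key or a corrupted OTP shows up."""
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed")
    use_ctr = struct.unpack("<H", block[6:8])[0] & 0x7FFF   # bit 15 is the caps-lock flag
    return block[:6], use_ctr, block[11]


def check_otp(public_id: str, block: bytes, keyring: dict, last_seen: dict) -> str:
    """Validate one decrypted OTP against the stored key and its last counters."""
    try:
        expected_uid = keyring[modhex_decode(public_id)]
    except (KeyError, ValueError):
        return "unknown-key"
    try:
        uid, use_ctr, session_ctr = parse_block(block)
    except ValueError:
        return "corrupt"
    if not hmac.compare_digest(uid, expected_uid):
        return "bad-uid"
    # Replay rule: the pair must be strictly greater than the last accepted pair.
    if (use_ctr, session_ctr) <= last_seen.get(public_id, (-1, -1)):
        return "replay"
    last_seen[public_id] = (use_ctr, session_ctr)
    return "ok"
```

The stored counter state must be persisted and updated atomically per key: if two validators share one key without sharing `last_seen`, the same OTP can be accepted twice.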
Select Delegation > Token Configuration..., then click Import.
After selecting the correct token import type, click OK, then select the file to import. Once the file is imported, the token list is populated with the tokens awaiting assignment to specific users. Notice that the Seed Signature field does not contain the seed value itself; it holds a hash (signature) of each seed. The signature lets you confirm that every imported seed is distinct (identical seeds produce identical signatures) without displaying the secret seeds. Treat the CSV file itself as a credential store: anyone holding it can generate valid codes for every token it lists, so delete it or lock down its permissions after import.
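As an added example (not ERPM's import code), the following Python performs the checks worth running on a vendor seed file before importing it: it computes a non-secret signature per seed in the spirit of the Seed Signature column, flags duplicate seeds, and rejects seeds shorter than RFC 4226 allows. The CSV layout (serial,type,seed_hex,digits,period), the sample rows and the 16-byte minimum are assumptions for the demonstration; real vendor files use their own columns.

```python
"""Added example (not ERPM's or any vendor's code): pre-import checks on a token
seed file. The CSV layout and sample rows are constructed for the demonstration."""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample file: tokens 1000001 and 1000003 share a seed, and
# 1000004 carries a seed far shorter than RFC 4226 allows.
SAMPLE_SEED_FILE = """serial,type,seed_hex,digits,period
1000001,TOTP,3132333435363738393031323334353637383930,6,30
1000002,TOTP,2b7e151628aed2a6abf7158809cf4f3c2b7e1516,6,30
1000003,HOTP,3132333435363738393031323334353637383930,6,
1000004,TOTP,0102030405,6,30
"""

MIN_SEED_BYTES = 16   # RFC 4226 requires at least 128 bits and recommends 160


def seed_signature(seed: bytes) -> str:
    """Non-secret fingerprint of a seed, like the Seed Signature column:
    equal seeds give equal signatures, but the seed itself is not revealed."""
    return hashlib.sha256(seed).hexdigest()[:16]


def check_seed_file(text: str) -> list:
    """Return (serial, problem) pairs for rows that should not be imported as-is."""
    findings = []
    serials_by_signature = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        serial = row["serial"]
        try:
            seed = bytes.fromhex(row["seed_hex"])
        except ValueError:
            findings.append((serial, "seed is not valid hex"))
            continue
        if len(seed) < MIN_SEED_BYTES:
            findings.append((serial, f"seed is only {len(seed)} bytes"))
        if row["type"] == "TOTP" and not row["period"]:
            findings.append((serial, "TOTP token has no time step"))
        if row["digits"] not in ("6", "8"):
            findings.append((serial, "digits must be 6 or 8"))
        serials_by_signature[seed_signature(seed)].append(serial)
    # Two tokens with one seed produce identical codes: one compromised
    # device (or one captured code) then unlocks both users.
    for sig, serials in serials_by_signature.items():
        if len(serials) > 1:
            findings.append((",".join(serials), f"duplicate seed (signature {sig})"))
    return findings
```

Run `check_seed_file` on the vendor file and refuse the import if it returns anything; the signatures in the report can be compared against the Seed Signature column after import without handling the seeds again.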
At this point, map the tokens to specific users by highlighting a token entry and clicking Edit. Select the appropriate token type to use; see OATH Token at the top of this section for descriptions of each token type. The selected token type determines which options are available. Once a token is configured and assigned, click Save. For a description of each field, see the parent section, OATH Tokens (on page 264).

OATH WITHOUT EXISTING TOKENS
To use only the token infrastructure built into Enterprise Random Password Manager, simply begin by adding tokens. Select Delegation > Token Configuration...
Default token options are configured by opening Global Token Options and then Options. This dialog sets global options for both event-based (HOTP) and time-based (TOTP) tokens; the settings affect only OATH and Yubico type tokens. Most of them can be left at their defaults unless a specific policy requires a change. Read the description of each global token parameter to decide whether it needs changing.

General Token Settings
First time authentication window (default: 50) - The expected token value is calculated from either time or events (token button presses). Clock drift in the token, and inadvertent button presses, change the value the token presents. This setting lets the program search a range of calculated values to determine how far the token is from the expected value, and then record an internal offset correction to use going forward. For time-based tokens with the default of 50, the window is split in half: the program tests 25 steps of 30 seconds before the ideal time and 25 steps after it, so the first use tolerates about 12.5 minutes of drift in either direction (with a 60-second time step the same window covers 25 minutes). For event-based tokens, the program tests up to 50 key presses from the token's starting point (offset zero). Once the token has been synchronized (drift/offset determined), the search window narrows to the window configured individually for each token; see the token configuration for how much drift is allowed after synchronization. Note that a wide first-time window raises the chance that a guessed code is accepted: with 6-digit codes and 51 candidate values, a single random guess succeeds with probability about 51 in 1,000,000 rather than 1 in 1,000,000, which is why the lockout settings below matter.
Token lockout threshold (default: 3) - The number of bad token values that can be submitted before a forced lockout takes effect. Forced lockouts are generally not permanent; they are time-based and designed to protect against brute-force guessing of the token value. Locked-out tokens can be reset manually from the token management screen.
Token lock duration (minutes) (default: 10) - After the lockout threshold has been reached, no further token values (good or bad) are accepted for that user until the lock duration has passed. Locked-out tokens can be reset manually from the token management screen.
Re-Authentication delay (seconds) (default: 0) - To protect against recovery of the token seed (very hard under any circumstances), the re-authentication delay slows down an attacker who submits a sequence of correct values in rapid succession in an attempt to determine the seed. This is primarily protection against a theoretical attack vector, but the value can be set if that threat is considered probable (for example, an attacker holds a list of candidate seed files to test).
TOTP Token Settings
Time-based tokens (TOTP tokens) have a starting point in time, configured per token, although tokens usually start at the UNIX epoch of Jan 1, 1970 UTC. The token is also initialized with a unique random seed; an algorithm is chosen (generally SHA-1), the number of digits in the display is decided, and the frequency with which the value changes is set (generally 30 seconds). This dialog defines the global values for TOTP type tokens.
TOTP token time frequency (default: 30 seconds) - For time-based tokens, the length of time the token stays on a value before moving to the next. This value is critical to calculating the correct value for a time-based token. 30 seconds is the most common value, but 60 seconds is also normal; the token manufacturer and its customer decide what value to use for the tokens they purchase.
TOTP Algorithm (default: SHA1) - The common algorithm for both time- and event-based tokens is HMAC-SHA1. Time-based tokens may also use SHA-256 or SHA-512. Given how rarely anything other than SHA-1 is used, the product currently supports only SHA-1. If you need SHA-256 or SHA-512, contact the support department or email support@liebsoft.com and an updated version supporting those hash algorithms will be provided.

New Token IDs
New tokens have blank default IDs - no token ID is assigned to new tokens. This is the best option if you want to control every aspect of the token creation process.
New tokens have auto-incremented IDs if possible (blank if not) - starting from the integer provided in the field, token IDs are generated in increments of one so that every token has a unique ID. When a user logs in to the website for the first time and is required to use OATH authentication (because a group or role the user belongs to requires it), this option auto-generates a token for that user with the next available ID. Likewise, when tokens are added one by one, each Token ID is assigned the next available integer.
New tokens have randomly generated GUIDs - token IDs are generated as random GUIDs so that every token has a unique ID. When a user logs in to the website for the first time and is required to use OATH authentication (because a group or role the user belongs to requires it), this option auto-generates and assigns a token for that user with a new random GUID. Likewise, when tokens are added one by one, each Token ID is assigned another randomly generated GUID.

Default Token Type
Default Token Type - Select, from the available token types, the default type assigned when new tokens are created. The token type of an assigned user can be changed at any time after creation.

Default Token Code Delivery Method for TOTP
Default Token Code Delivery Method for TOTP - when TOTP is selected as the default token type, these settings define the delivery method used to send the identity their login token when they attempt to access the website.
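As an added example (not ERPM's code), the following Python implements the behaviour the General Token Settings and TOTP Token Settings above describe: RFC 4226 HOTP and RFC 6238 TOTP computation, the 50-wide first-time search window that fixes the token's offset, the narrower per-token window afterwards, rejection of a reused value, the lockout threshold and duration, and the re-authentication delay. The seed is the RFC test secret so the codes can be checked against the RFC tables; the per-token window of 3 steps, the Token and Policy records and the result strings are assumptions made for the demonstration.

```python
"""Added example (not ERPM code): OATH HOTP/TOTP validation with the first-time
resynchronisation window, per-token drift window, replay rejection and lockout /
re-authentication-delay policy. Defaults mirror the dialog (window 50, threshold
3, lock 10 min, delay 0); the per-token window of 3 is an assumption."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 4226 / RFC 6238 test secret, so outputs can be checked against the RFCs.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: dynamic truncation of HMAC(seed, 8-byte big-endian counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_step(unix_time: int, t0: int = 0, period: int = 30) -> int:
    """RFC 6238: the time-based counter is the number of periods since T0."""
    return (unix_time - t0) // period


@dataclass
class Token:
    seed: bytes
    kind: str                 # "TOTP" or "HOTP"
    digits: int = 6
    period: int = 30
    window: int = 3           # per-token drift window once synced (assumed value)
    synced: bool = False
    offset: int = 0           # TOTP: steps the token clock is ahead of the server
    last_step: int = -1       # last accepted TOTP step / HOTP counter (replay guard)
    failures: int = 0
    locked_until: int = 0
    last_auth: int = 0


@dataclass
class Policy:
    first_window: int = 50    # "First time authentication window"
    lockout_threshold: int = 3
    lock_minutes: int = 10
    reauth_delay: int = 0     # seconds


def candidate_steps(tok: Token, now: int, pol: Policy) -> range:
    """Which counters the server is willing to test for this attempt."""
    if tok.kind == "TOTP":
        ideal = totp_step(now, period=tok.period)
        if not tok.synced:                        # 50 -> 25 periods either side
            half = pol.first_window // 2
            return range(ideal - half, ideal + half + 1)
        centre = ideal + tok.offset               # apply the recorded drift
        return range(centre - tok.window, centre + tok.window + 1)
    if not tok.synced:                            # HOTP: up to 50 presses from counter 0
        return range(0, pol.first_window + 1)
    return range(tok.last_step + 1, tok.last_step + 1 + tok.window)


def verify(tok: Token, code: str, now: int, pol: Policy) -> str:
    """Returns ok / bad / locked-now / locked / too-soon and updates the token state."""
    if now < tok.locked_until:
        return "locked"                           # good or bad, nothing is accepted
    if pol.reauth_delay and now - tok.last_auth < pol.reauth_delay:
        return "too-soon"
    for step in candidate_steps(tok, now, pol):
        if step <= tok.last_step:                 # value already consumed: replay
            continue
        if hmac.compare_digest(hotp(tok.seed, step, tok.digits), code):
            if tok.kind == "TOTP":
                tok.offset = step - totp_step(now, period=tok.period)
            tok.synced, tok.last_step, tok.failures, tok.last_auth = True, step, 0, now
            return "ok"
    tok.failures += 1
    if tok.failures >= pol.lockout_threshold:
        tok.failures, tok.locked_until = 0, now + pol.lock_minutes * 60
        return "locked-now"
    return "bad"
```

The replay guard matters because a TOTP value stays valid for the whole window around its step; without it a code observed over the shoulder can be re-entered until the window moves on.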
To add a new token, click Add.
Select the appropriate token type to use and fill in the required fields. Once a token is configured and assigned, click Save. For a description of each field, see the parent section, OATH Tokens (on page 264).
CONFIGURING OATH REQUIREMENTS FOR MANAGEMENT CONSOLE ACCESS
To add OATH authentication for a console user, go to Delegations > Delegate Console Access. Create the users who should require OATH authentication, adding them as DomainName\UserName. When the users are added, a second prompt appears asking whether to configure the users for OATH access. If the users should require an OATH token to open the console, click Yes.
To change a user's OATH requirement after they have been added to the console delegation list, click the Change OATH Token Requirement Settings for Selected Users... button. The OATH check for the selected user(s) can be enabled or disabled. If the check is enabled, the specified users must enter their OATH token value to start the console application. Once the application is running, they can perform all operations without further OATH prompts.
CONFIGURING OATH REQUIREMENTS FOR WEB INTERFACE ACCESS
First, the web application must be configured to support OATH-based authentication. To enable OATH checks within the website, go to the Security tab of the Web Application Options and select the option Enable OATH token checks for web application logins based on permissions.
To add OATH access checks for users of the web application, use the Delegations > Web Application Global Delegations dialog shown below. The Require OATH Token check box is directly below the Logon right. Unlike the other rights assigned to identities, the OATH requirement is evaluated as "any": if any identity that a user's login belongs to requires OATH authentication, the user must supply an access token at login. This means that if a Windows user logs in and is a member of two Windows groups that have rights delegated through the web interface, the user must supply a passcode even if only one of those groups requires OATH. (Note that the Require Ext 2-Factor Authentication right described in the following sections is evaluated the opposite way: membership in any identity that does not require it exempts the user.)
PHONEFACTOR
PhoneFactor is a multi-factor authentication system that uses phone calls to verify identity. It offers several deployment models, including a cloud service and a local agent. In the simplest terms, when a user is challenged for PhoneFactor authentication, the PhoneFactor system calls or texts the user, who must respond (with a keypress sequence on the phone, or by replying with a one-time passcode) to complete the login. To begin, go to Delegations > Web Application Global Delegation Rules, select the target identity and select the option Require Ext 2-Factor Authentication.
Note: if the selected identity also belongs to another group or role that does not require 2-factor authentication, then 2-factor authentication is not required for the user to log in.
Note: the option Enable or Require Ext 2-Factor authentication must be enabled as a website option. This is configured from the Security tab of the website options in the management console.
Next, select External 2 Factor Configuration from the Delegation menu.

Cloud Based
Sign up with PhoneFactor for either the cloud or the agent-based service. For the cloud-based service, PhoneFactor provides the information required below: License Key, Group Key, Certificate Password and Service Address. The PhoneFactor Certificate Path is the local file path where the client certificate and private key issued for the account have been placed. Protect that file as you would any private key: restrict its NTFS permissions to the identity under which ERPM runs, since it is what identifies this installation to the PhoneFactor service.
From the Authenticator Type pick list, select PhoneFactor Cloud Service. Select whether the user will be contacted by Standard Voice Call or SMS OTP. A voice call goes to the phone number recorded in the user's Active Directory attribute.
Agent Based
First, obtain and install the PhoneFactor Agent and service on the intended PhoneFactor host system; those steps are not covered by Lieberman Software. Select PhoneFactor Agent Service from the Authenticator Type pick list, supply an appropriate Authenticator Label, and supply the path to the PhoneFactor service in the PhoneFactor Agent Service field.

The Authentication Process
First, the user enters their username and password at the login dialog as normal. The user is then prompted by the PhoneFactor system.
PhoneFactor then calls the user and prompts them to perform an interactive key sequence on the phone. Once this is completed successfully, the user is authenticated to the ERPM website. The SMS process is essentially the same, except that the user is sent a text message and told to reply with the one-time passcode it contains; the reply is returned to the authentication server and the user is authenticated. The fact that the logon was performed using PhoneFactor is also audited.
The PhoneFactor configuration dialog also lets the administrator test and validate that the system is working, using the Test Authentication area in the lower right of the dialog. Simply supply a target phone number and click Test Authentication.

RADIUS 2-FACTOR
For any other form of two-factor authentication where it is preferable to go through a RADIUS server rather than directly to the two-factor server (for example, SafeNet or RSA via RADIUS), use the RADIUS 2-Factor option. The identities may be standard identities (users, groups, etc.) or may be added as RADIUS users. To begin, go to Delegations > Web Application Global Delegation Rules, select the target identity and select the option Require Ext 2-Factor Authentication.
Note: if the selected identity also belongs to another group or role that does not require 2-factor authentication, then 2-factor authentication is not required for the user to log in.
Note: the option Enable or Require Ext 2-Factor authentication must be enabled as a website option. This is configured from the Security tab of the website options in the management console.
Note: the appropriate 2-factor RADIUS agent must be installed on the ERPM web server. This agent is provided by the 2-factor vendor (RSA, SafeNet, etc.).
Next, select External 2 Factor Configuration from the Delegation menu. Select RADIUS as the Authenticator Type, then provide the following information:
Authenticator Label - the friendly name for this RADIUS entry.
IP Address - the IP address of the RADIUS server.
Port - the listener port of the RADIUS server. The default port is 1812 (UDP).
Shared Secret - the shared secret used to communicate with the RADIUS server. Be sure to add the ERPM web server(s) as RADIUS clients on the RADIUS server: the server identifies a client by its source address and silently discards requests from unknown clients, and a mismatched secret simply results in failed authentication. Use a long random secret; it is the only thing that protects the User-Password attribute on the wire and authenticates the server's replies.
Timeout - the timeout for the call to the RADIUS server.
Connection Retry Count - the number of failures allowed when trying to call the RADIUS server.
PAP / CHAP - the password protocol the RADIUS server expects. Neither encrypts the exchange: PAP hides the password with an MD5 keystream derived from the shared secret, and CHAP sends an MD5 challenge response. Keep RADIUS traffic on a trusted network segment.
Once the RADIUS server is configured, use the Test Authentication feature in the lower right corner to validate authentication to the RADIUS server.
Note: once the 2-factor RADIUS client (provided by RSA, SafeNet, etc.) is installed, ensure that it can communicate with the 2-factor server. A free RADIUS test tool such as NTRADPING can be used to send test requests; it is available from many download sites. The login begins as normal, with the user entering their username and password. After the username is validated, the website prompts the user for their token.
Upon successful validation, the user is logged in. The lower left corner of the web page indicates that they were authenticated with 2-factor authentication.

RADIUS 2-FACTOR FOR EXPLICIT ACCOUNTS
Enterprise Random Password Manager supports the use of explicit accounts. These accounts exist nowhere but in the context of ERPM and are not subject to normal directory policies for password complexity, aging or history. Such accounts are used most often when there is no central directory to rely on. It is nevertheless possible to require two-factor authentication for these accounts. To begin, go to Delegations > Web Application Global Delegation Rules, select the target explicit identity and select the option Require Ext 2-Factor Authentication.
Note: if the selected identity also belongs to another group or role that does not require 2-factor authentication, then 2-factor authentication is not required for the user to log in.
Note: the option Enable or Require Ext 2-Factor authentication must be enabled as a website option. This is configured from the Security tab of the website options in the management console.
Note: the appropriate 2-factor RADIUS agent must be installed on the ERPM web server. This agent is provided by the 2-factor vendor (RSA, SafeNet, etc.).
Next, select External 2 Factor Configuration from the Delegation menu. Select RADIUS as the Authenticator Type, then provide the following information:
Authenticator Label - the friendly name for this RADIUS entry.
IP Address - the IP address of the RADIUS server.
Port - the listener port of the RADIUS server. The default port is 1812 (UDP).
Shared Secret - the shared secret used to communicate with the RADIUS server. Be sure to add the ERPM web server(s) as RADIUS clients on the RADIUS server.
Timeout - the timeout for the call to the RADIUS server.
Connection Retry Count - the number of failures allowed when trying to call the RADIUS server.
PAP / CHAP - the password protocol the RADIUS server expects (neither encrypts the exchange beyond what the shared secret provides).
Also select the option Use RADIUS to authenticate all explicit user logins instead of password.
The web application security option Use simple username for 2 factor login checks must be selected. This check box only becomes available after Enable 2 factor authentication for web application logins based on permissions is selected: select that option first, then enable Use simple username for 2 factor login checks, and then, if desired, de-select Enable 2 factor authentication for web application logins based on permissions again.
When the explicit user logs in, they supply the correct username, set the Authenticator to [Explicit], and in lieu of the password supply the PIN for the account. If the two-factor system successfully authenticates the username, the user is logged in directly.
RSA SECURID
Support for RSA SecurID authentication is available for both the management console application and the web application. Support for the console requires that the RSA SecurID client agent software be installed and configured to talk to a working authentication server before the feature is enabled. Support for the web application requires that the RSA SecurID client agent software be installed on the web server and configured to talk to a working authentication server so that the site can prompt for access checks. Before enabling SecurID support in ERPM, install and configure the RSA SecurID authentication server, and install and correctly configure the client agent software on the system running the management console and/or the web server hosting the web interface. It is not necessary to install the client agent on each system that will access the web server, and SecurID checks can be enabled on the console and web application separately. Checks for RSA can also be enabled later, after the initial installation. The authentication method for the console requires that the logon name of the user accessing the console match the default login name associated with the SecurID token in the SecurID authentication server database. This means that if the token is assigned to a user with a default login name of DomainName\UserName, then to access the console using that SecurID token, log in to the machine as DomainName\UserName. The console and web application can authenticate using either the fully qualified user logon name or the simple logon name (without the DomainName\ prefix). To change this setting, use the program options page for RSA SecurID settings in the console, and the web application options page for the web application.
If RSA SecurID is enabled for web access, then after a user enters their login credentials they will see a login prompt which asks for their SecurID passcode.
If the user is not required to use an on-demand tokencode, they simply click Login. If they are required to use an on-demand token, they click On-Demand Token Code. If the PIN was previously initialized they are logged in; if they must use an on-demand token, one is emailed to them. The specifics of any additional steps are outlined below.

Uninitialized PIN
Enter the passcode from the SecurID token and click Login. This completes the login process and redirects to the main management page. If the PIN for the login has not yet been initialized for the SecurID token, the PIN must be initialized first. The PIN can be set up through the web interface. The process looks like this:
Enter the next tokencode shown on the device together with a new PIN of your choice. If the PIN is not accepted, a notification appears and the login screen reappears. If the PIN is accepted, supply the next passcode (PIN + tokencode) to complete the login. Another possible scenario is that RSA SecurID requires the next passcode when authenticating; in that case, supply the next two passcodes in order to log in.

On Demand Token
If the user is configured to use an on-demand token, then on the initial RSA screen enter the current PIN into the passcode box and select On-Demand Token Code. The user receives their on-demand tokencode by email.
The user now enters the on-demand PIN into the PIN field and the tokencode that was emailed to them into the Passcode field.

On Demand Token with Next PIN Set
If the user is configured to use an on-demand token and the initial PIN has not yet been initialized, then when the user attempts to log in with their RSA PIN they are prompted again for the current PIN and for a new PIN. Once both PINs are entered, click Set PIN.
The user must enter the new PIN just set, then click Get Tokencode. The user receives their on-demand tokencode by email.
The user now enters the on-demand PIN into the PIN field and the tokencode that was emailed to them into the Passcode field.
CONFIGURING RSA SECURID
For ERPM to authenticate SecurID tokens, the RSA SecurID client software must be installed and configured correctly on the system where the console is running. The client installation can be tested using the test scripts distributed with ERPM. For the test scripts to run, the ActiveX control named LiebSoftRSASecurIDCOM.ocx must be registered. The file is in the program installation directory. Register the control by opening an elevated command window, navigating to the installation folder, and running:
regsvr32 LiebSoftRSASecurIDCOM.ocx
Once the control registers successfully, the verification scripts will run. The first test script is Rsa.vbs, located in the program installation directory. It verifies that the ActiveX object has been registered successfully: when run, it displays a message box with the version information of the ActiveX control. If the version message box does not appear, the ActiveX control was not registered correctly. Once the control is registered, the second test script is RsaAuth.vbs, also located in the program installation directory. It prompts for a SecurID default login name and passcode and attempts to authenticate the user with the SecurID authentication server. This script does not handle the more complex cases such as Next Passcode required or PIN initialization; it only attempts to authenticate a token that is in the "enabled" state. Running the script yields the following series of message boxes. The first prompts for a default login name.
The next message box asks for the passcode. At this point the script attempts to authenticate the token. If the authentication is successful, a message box indicating success appears. If the operation is not successful, one of two message boxes appears. The first possibility is a message indicating that communication with the authentication server could not be established, as shown below:
If this message box appears, either the RSA client software is not installed or configured correctly on the system, the authentication server is not running, the authentication service on the server is down, or the server could not be reached over the network. The second possible failure message indicates that there was a problem authenticating the user and passcode pair, although communication with the authentication server succeeded. By design the message does not say what the specific problem was, to avoid giving an attacker information about why the authentication attempt failed. The third test script distributed with the application exercises the ability to initialize a new PIN for a SecurID token and implements the Next Passcode functionality; it is not needed to validate that the SecurID client and authentication server are configured correctly.

64-BIT RSA CLIENT SUPPLEMENT
To configure ERPM for use with RSA SecurID when the 64-bit RSA client is installed on a 64-bit host system, follow these steps.
1) Install the RSA client (not the RSA Web Client) on the ERPM system hosting the web application and verify that it can authenticate with the RSA authentication server.
2) Use the 64-bit version of the LiebSoftRSASecurIDCOM.ocx file, which can be obtained from: http://ftp.liebsoft.com/erpm/rsa_x64_ocx_file/liebsoftrsasecuridcom.zip
3) Register the OCX file in the ERPM installation directory. From an elevated command prompt, navigate to the installation directory and run regsvr32 LiebSoftRSASecurIDCOM.ocx.
4) Copy the following files from the RSA installation directory into the system32 directory: aceclnt.dll, sdmsg.dll
5) Copy the following files from the %programfiles%\Common Files\RSA Shared\Auth Data directory into the \Windows\system32 directory: sdconf.rec, sdstatus.12, and the node secret file (securid); if the node secret changes, this file must be copied again.
6) In both the \Windows\System32 and %programfiles%\Common Files\RSA Shared\Auth Data directories, grant the ERPM COM identity Read and Write permissions on: aceclnt.dll, sdmsg.dll, sdconf.rec, sdstatus.12
7) In the \Windows\System32 directory, grant Everyone the Modify permission on sdconf.rec and sdstatus.12. RSA recommends taking care that this permission does not propagate to other files or directories through inheritance. If your environment permits, prefer granting Modify only to the identities that actually need it (the ERPM COM identity and the web application pool identity) rather than Everyone.
8) Use the test scripts RSA.vbs and RSAAuth.vbs located in the ERPM installation directory.
9) Configure the Web Application Global Delegations and the ERPM web application options to use RSA authentication.
Note: to turn on the RSA trace log if needed (it may already be enabled by default depending on the agent version), open the registry on the web application host and set the TraceLevel DWORD value to 15 under HKLM\SOFTWARE\SDTI\ACECLIENT. The log is written to C:\ProgramData\RSA\rsa Authentication Agent\aceclient.log. Turn tracing off again when done, as the log is verbose.

RSA SECURID CONFIGURATION VERIFIER
Enterprise Random Password Manager and Random Password Manager ship with a management application that can be used to test the configuration of the RSA client on the system. The application is RSASecurIDConfigurationVerifier.exe, in the program installation directory. When started, it prompts for a login name and then a passcode, and then attempts to authenticate the login with the RSA SecurID authentication server. This verification application also handles PIN initialization and Next Passcode required. If the application fails to start, the RSA SecurID client is not installed correctly on the system, or the version of the RSA SecurID client is too old. If the application cannot verify logins, the client is not configured correctly to work with the authentication server, or the user trying to log in is not valid in the RSA SecurID server authentication database.
CONFIGURING RSA SECURID REQUIREMENTS FOR MANAGEMENT CONSOLE ACCESS
To add RSA SecurID authentication for a console user, go to Delegations > Delegate Console Access. Create the users who should require RSA SecurID authentication, adding them as DomainName\UserName. When the users are added, a prompt appears asking whether to configure the users for RSA access. If the users should require RSA authentication to open the console, click Yes.
To change a user's RSA requirement after they have been added to the console delegation list, click the Change RSA Requirement SecureID Settings for Selected Users... button. The RSA SecurID check for the selected user(s) can be enabled or disabled. If the check is enabled, the specified users must enter their RSA SecurID passcode to start the console application. Once the application is running, they can perform all operations without further need of the SecurID device.

CONFIGURING RSA SECURID REQUIREMENTS FOR WEB INTERFACE ACCESS
To add RSA SecurID access checks for users of the web application, use the Delegations > Web Application Global Delegations dialog shown below.
Note: if the selected identity also belongs to another group or role that does not require 2-factor authentication, then 2-factor authentication is not required for the user to log in.
Note: the option Enable or Require Ext 2-Factor authentication must be enabled as a website option. This is configured from the Security tab of the website options in the management console.
Note: the appropriate 2-factor RADIUS agent must be installed on the ERPM web server. This agent is provided by the 2-factor vendor (RSA, SafeNet, etc.).
The Require External 2-Factor Auth check box is directly below the Logon right. Unlike the other rights assigned to identities, which are cumulative, this requirement is waived if any identity that the user's login belongs to does NOT require 2-factor authentication; in that case the user will NOT have to supply an access token at login. This means that if a Windows user logs in and is a member of two Windows groups with rights delegated through the web interface, and only one of them requires 2-Factor Auth, that user will NOT need to supply a passcode. Audit group memberships accordingly: a broad group holding the Logon right without the 2-factor requirement exempts every member of it. For the web application to process RSA SecurID checks, the RSA SecurID client must be properly installed and configured on the web server and RSA SecurID must be enabled.
Next, select External 2 Factor Configuration from the Delegation menu.
Select RSA Agent from the Authenticator Type and supply a friendly name for the Authenticator Label. Click OK.
TROUBLESHOOTING RSA SECURID CONFIGURATION

If RSA SecurID authentication is not working as expected, Enterprise Random Password Manager ships with several scripts and a console application that can be used to troubleshoot various problems with the configuration. All three configuration verification scripts found in the installation directory to test the RSA SecurID logon authentication process (RSA.vbs, RSAAuth.vbs, RSAComplexAuth.vbs) should always be able to run. The configuration verification application (RSASecurIDConfigurationVerifier.exe) can do the same thing. Use these scripts and/or the application to test the RSA SecurID client installation on the console and/or web server machine before enabling RSA SecurID for the console or web application respectively. If RSA SecurID is enabled and there is still trouble with the verification application, the verification scripts, or the SecurID authentication process, here are some steps to troubleshoot the problem. First try the verification scripts and/or the verification application. This will ensure that the RSA SecurID client is installed and configured correctly and that communication can be established with the SecurID authentication server. When user logins can be authenticated using the test scripts or the console verification application, then move on to troubleshooting the management console or web application.

RSA SECURID CONFIGURATION TEST SCRIPTS

There are three Visual Basic scripts that ship with the solution that can be used to test the configuration of the RSA SecurID client. The scripts are located in the installation directory and are named:
RSA.vbs
RSAAuth.vbs
RSAComplexAuth.vbs
First run RSA.vbs. Running the script requires Wscript, which is installed as part of the Windows operating system. The script should display the version information of the COM object it invokes.
If a dialog similar to the one above is not displayed, the following error message may appear: This means that the COM object (LiebSoftRSASecurIDCOM.ocx) has not been registered successfully on the system. The installer should register the object when ERPM is installed, but it can be registered manually by running the command Regsvr32 LiebSoftRSASecurIDCOM.ocx from the file's location. If the registration is successful, try running the RSA.vbs test script again. If the registration fails, this will be the error message: This error means the requisite RSA SecurID client library files were not found. The files required are named aceclnt.dll and sdmsg.dll. Both files are packaged with the installation of Random Password Manager and installed to the installation directory. These files are also installed to the system path when installing the RSA SecurID Client application. If these files are not on the system, it indicates that the RSA SecurID client has not been installed, or the installation/configuration is not complete. If the two required library files are put into the same directory as the COM object (LiebSoftRSASecurIDCOM.ocx), the registration should complete. If these two files are missing, however, it usually indicates that the RSA SecurID client has not been installed or configured correctly, and authentication with the SecurID authentication server will not succeed. If the RSA.vbs test script is run and the version information is not displayed, this error may also appear:
This error means that the requisite RSA SecurID client library files were not found. They could have been removed from the system after the registration of the COM object (LiebSoftRSASecurIDCOM.ocx), or they may not be found in the system path. Copying the files into the same directory as the RSA.vbs script should resolve this error. This error could also indicate that the RSA SecurID client has been removed from the system, which will cause authentication attempts to the server to fail. Once RSA.vbs is correctly displaying the version information of the COM object, move on to the RSAAuth.vbs script. This script will ask for a username and passcode. If the authentication is successful, a message box indicating success will appear: If the test script fails, this message appears: This error indicates that communication could not be established with the RSA SecurID authentication server. See the section Problems Connecting to the RSA SecurID Authentication Server (on page 326) for help. Another possible error is this: This error indicates a failed user authentication. This can happen for a number of reasons. See the section Failed RSA SecurID User Authentication (on page 327) for help. The third test script contains additional functionality to test the PIN creation and next passcode features of the RSA SecurID interface implemented in ERPM. If the security token requires a new PIN, then after entering the tokencode, either enter a desired PIN or have the system generate a new PIN. Once the new PIN is created, supply the next passcode (PIN + tokencode). If the PIN entered is not accepted, a message indicating a bad PIN will appear and the test script will exit. If the token is set to next passcode mode (this can happen due to failed login attempts, re-attempting logins with a previously used passcode, or attempting to log in using a passcode that is out of sync with the time window), then two consecutive passcodes must be supplied successfully in order to authenticate.

RSA SECURID CONFIGURATION VERIFICATION APPLICATION

ERPM is distributed with a standalone management console application that can test the RSA SecurID client installation and configuration. The application is named RSASecurIDConfigurationVerifier.exe and is placed in the installation directory.
To test the configuration of the RSA SecurID client, input a login username and tokencode/passcode and click Test Authorization. If the authentication is successful, a message indicating so will be returned: If the application exits during the authentication process, then one or more of the required libraries were not found. The files required are named aceclnt.dll and sdmsg.dll. Both files are packaged with the installation and placed in the installation directory. These files are also installed to the system path when installing the RSA SecurID Client application. If these files are not found on the system, it indicates that the RSA SecurID client has not been installed, or the installation/configuration is not complete. If the two required library files are put into the same directory as the verification application, the authentication process will be attempted. If these two files are missing, however, it usually indicates that the RSA SecurID client has not been installed or configured correctly, and authentication will fail.
If the communication with the authentication server fails, a message indicating so will be returned: This indicates that communication could not be established with the RSA SecurID authentication server. See the section Problems Connecting to the RSA SecurID Authentication Server (on page 326) for help.
If communication with the server succeeds but the authentication of the username and passcode fails, up to three attempts will be allowed. The following dialog will appear: If the username and tokencode pairs are not accepted, see the section Failed RSA SecurID User Authentication (on page 327) for help. The other options supported by the application include PIN generation and next passcode prompting. If the security token requires a new PIN, then after entering the tokencode, either enter a desired PIN or have the system generate a new PIN. Once the new PIN is created, supply the next passcode (PIN + tokencode). If the PIN entered is not accepted, a message indicating a bad PIN will appear and the application will exit. If the token is set to next passcode mode (this can happen due to failed login attempts, re-attempting logins with a previously used passcode, or attempting to log in using a passcode that is out of sync with the time window), then two consecutive passcodes must be supplied successfully in order to authenticate.

RSA SECURID CONSOLE USER AUTHENTICATION TROUBLESHOOTING

Problem: The RSA SecurID client is installed on the system, but the console starts up without prompting for RSA SecurID authentication.
Solution: Make sure that RSA SecurID access is enabled for the user in the console delegation options. The console delegation options are located under the Settings menu in the main dialog of the management console application. The Windows user that is currently logged in must have an entry in the delegated console access list and the Require RSA SecurID value must be set to TRUE.
Problem: The application prompts for RSA SecurID but then fails to start with the following error after the username and passcode are entered. Solution: The RSA SecurID client is installed and communicating correctly, but there is a problem authenticating the user. See Failed RSA SecurID User Authentication (on page 327) for help.

RSA SECURID WEB APPLICATION USER AUTHENTICATION TROUBLESHOOTING

Problem: Users are not prompted for RSA SecurID passcode authentication when they log in through the web interface.
Solution: Make sure that RSA SecurID is enabled for the web application instance. Check the web application settings by opening the web application configuration options. Make sure that the Enable RSA SecurID check for web application Logins option is checked.
Then update the web application settings for the web application instance from the web application instance management dialog. Verify that the RSA SecurID web application settings are correctly enabled by viewing the web application settings page through the web interface. Problem: The web application settings are correct, but users still are not being prompted for RSA SecurID passcode authentication when they log in to the web application.
Solution: Make sure RSA SecurID 2-Factor Authentication is enabled for the user in the delegation settings for the web application. These settings can be accessed through the Delegations > Web Application Global Delegation Rules menu. Make sure that the required user or group has the Require Ext 2-Factor Auth option checked. Also make sure that the user is not a member of a group that is able to log in to the web application without using 2-Factor Auth. If any group that the user is a member of does not require 2-Factor Auth, then they will not be forced to authenticate with it.

PROBLEMS CONNECTING TO THE RSA SECURID AUTHENTICATION SERVER

If the RSA SecurID client is unable to communicate with the authentication server, SecurID logon authentication will not be possible. Consult the documentation for the RSA SecurID client installation to make sure that the client has been installed and configured correctly. Use the RSA Security Center (installed with the RSA SecurID client) to test the connection between the client and server. Make sure that a shared secret has been established with the server. Also make sure that the server configuration file (SDConfig.rec) has been loaded onto the client. In addition, here are some other things to consider: The authentication agent will not work with Network Address Translation if the client and server are on different networks. This is because the IP address of the default gateway is encoded with the passcode when it is sent to the server. If the IP address of the client or server is translated, it will not be able to be decoded directly and the authentication will fail. If it is necessary to use address translation, check the client installation documentation regarding how to set up this non-standard case.

FAILED RSA SECURID USER AUTHENTICATION

There are a number of things that can cause user authentication to fail. For a complete reference, see the usage guide for the RSA SecurID client. The following cases are some of the more common problems that are experienced: The authentication agent will not work with Network Address Translation if the client and server are on different networks. This is because the IP address of the default gateway is encoded with the passcode when it is sent to the server. If the IP address of the client or server is translated, it will not be able to be decoded directly and the authentication will fail. If it is necessary to use address translation, check the client installation documentation regarding how to set up this non-standard case. The name stored in the authentication database must match the name passed by the application. If the authentication server stores fully qualified domain user names (domain\username), then the default configuration for RSA SecurID will work. If the authentication database stores only the username portion of the login name, then the application must be configured to use simple authentication (only the username portion of domain\username). This setting is configured for the management console application through the program options dialog, and for the web application through the web application options page.
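The checks walked through above (presence of the two RSA SecurID client libraries, registration of LiebSoftRSASecurIDCOM.ocx, and a run of RSA.vbs) collected into one PowerShell pre-flight script. This is an added example, not a script shipped with ERPM; it assumes the ERPM installation folder is passed in as -InstallDir and that the COM registration can be found by scanning CLSID entries whose InprocServer32 value names the OCX file.

```powershell
# Added example (not shipped with ERPM): pre-flight check for the RSA SecurID
# client prerequisites described in the troubleshooting section.
# Assumptions: -InstallDir is the ERPM installation folder; the COM object is
# located by scanning CLSID\...\InprocServer32 values for the OCX file name.

function Find-RsaClientLibrary {
    # Returns the first path at which $Name exists, looking in the ERPM
    # installation folder first and then in every directory on the system PATH,
    # which is where the RSA SecurID client installer places aceclnt.dll and sdmsg.dll.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$InstallDir)
    $dirs = @($InstallDir) + ($env:Path -split ';' | Where-Object { $_ -ne '' })
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Get-RsaComRegistration {
    # Scans both the native and the Wow6432Node CLSID trees (a 32-bit OCX on
    # 64-bit Windows registers under Wow6432Node) for an InprocServer32 value
    # that points at LiebSoftRSASecurIDCOM.ocx. Returns CLSID and path, or $null.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $server = Get-ItemProperty -Path "$root\$($key.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -like '*LiebSoftRSASecurIDCOM.ocx*') {
                return [pscustomobject]@{ Clsid = $key.PSChildName; Path = $server.'(default)' }
            }
        }
    }
    return $null
}

function Test-ErpmRsaClient {
    param([Parameter(Mandatory)][string]$InstallDir)
    $ok = $true

    # 1. Library files: missing files mean the RSA SecurID client is not installed
    #    or its installation is incomplete (regsvr32 of the OCX will fail too).
    foreach ($lib in 'aceclnt.dll', 'sdmsg.dll') {
        $found = Find-RsaClientLibrary -Name $lib -InstallDir $InstallDir
        if ($found) {
            Write-Host "OK       $lib -> $found"
        } else {
            Write-Warning "$lib not found in $InstallDir or on PATH; install/configure the RSA SecurID client"
            $ok = $false
        }
    }

    # 2. COM registration: the installer registers the OCX; when it is missing,
    #    regsvr32 run from the file's location is the documented fix.
    $reg = Get-RsaComRegistration
    if ($reg) {
        Write-Host "OK       LiebSoftRSASecurIDCOM.ocx registered as $($reg.Clsid) ($($reg.Path))"
    } else {
        $ocx = Join-Path $InstallDir 'LiebSoftRSASecurIDCOM.ocx'
        Write-Warning "COM object not registered; run: regsvr32 `"$ocx`""
        $ok = $false
    }

    # 3. Only when both checks pass is RSA.vbs worth running. cscript sends any
    #    WScript.Echo output to the console; a MsgBox in the script still pops a dialog.
    if ($ok) { & cscript.exe //Nologo (Join-Path $InstallDir 'RSA.vbs') }
    return $ok
}

# Usage (the path is a placeholder; use the real ERPM installation folder):
# Test-ErpmRsaClient -InstallDir 'C:\<ERPM install folder>'
```

Scanning every CLSID key can take a while on a busy server; a $false return means at least one of the two prerequisite checks failed and RSA.vbs was not run.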
UPGRADE INSTRUCTIONS

The upgrade process for Enterprise Random Password Manager is relatively straightforward: download the new installer package, run it, and upgrade the website. What follows is a more detailed description of everything that is required when performing an upgrade of a basic installation of ERPM. Distributed installations may require additional steps. Optional components like the web service and application launcher have their own upgrade processes. The basic flow of the upgrade is as follows:
1) On the web server, open IIS and stop the website hosting the ERPM web application.
2) On the web server, open Component Services, expand COM+ Applications and stop the COM application called PWCWebComApp.
3) On the console host, open the Services snap-in. Stop and disable the Enterprise Random Password Manager Deferred Processing Service.
4) If zone processors are installed, stop the zone processors on the zone processor hosts. The services are named Roulette$ZONENAME, where ZONENAME is the name of the target zone.
5) Run the new ERPM installer and perform the upgrade.
6) Launch the program once the installer is finished. This will upgrade the database.
7) Upgrade (re-install) any and all instances of the ERPM website.
8) If previously installed, upgrade (re-install) the ERPM web service (SupplementalInstallers folder).
9) On the web server, open IIS and start the website hosting the ERPM web application. New calls to the website will automatically start the COM application.
10) On the console host, re-enable and start the Enterprise Random Password Manager Deferred Processing Service.
11) If zone processors were installed, update the zone processor core files (roulettesked.exe, rouletteproc.exe, ipworks8.dll, ipworksssh9.dll).
12) If support for SSH and other integration components was previously installed, run the new IntegrationComponents installer (SupplementalInstallers folder) on the zone processor host(s).
13) If zone processors were installed, start the zone processors. The services are named Roulette$ZONENAME, where ZONENAME is the name of the target zone.
14) If previously distributed to clients, provide them with the new PowerShell cmdlet files.
The following steps show the required actions for a basic installation to be upgraded to the latest version of Enterprise Random Password Manager. Prior to upgrade, double-check the prerequisites section of this manual to verify that your host server meets the current installation requirements, as requirements are subject to change between versions.
Upgrade Instructions 330

Stop/Disable the website(s) in IIS. Make note of all deployed web sites and open Internet Information Services Manager on those systems. In IIS 7.5 and later, select the parent website and choose Stop from the right-hand actions pane. The purpose is to stop all new connections and operations to the database and release the locks on the COM object. If the website is stopped, it will need to be started following the upgrade.
Shut down the COM objects in Component Services. On the web server host system, open Administrative Tools > Component Services and expand the tree to COM+ Applications. Find the COM application, typically called PWCWebApplication or RPMWebApplication, right-click it and choose Shutdown. This stops the COM object from running, allowing it to be updated. Once re-installed, the COM object will start automatically following the first access to the password recovery website. If a scheduled job was running when the process was begun, an executable named rouletteproc.exe will be visible in Task Manager. It is best to wait for the job to finish before performing an upgrade. If rouletteproc.exe is terminated, it will leave the job in an inconsistent state. If there is no activity from rouletteproc.exe in the form of CPU or memory usage and an appropriate amount of time has been spent monitoring the process, go ahead and End Process Tree for rouletteproc.exe. Then check the Jobs dialog for any jobs that are listed as running and clear the job locks prior to upgrade. Simply viewing the jobs will prompt to remove the lock if the job is locked.
Stop all scheduling services and zone processors. Scheduling services and zone processors can be stopped from the Services snap-in of each system. The service will be called Enterprise Random Password Manager Deferred Processing Service or Random Password Manager Deferred Processing Service. It is also possible to stop the service from within the management console.
All zone processors will need to be updated as part of this process. To see what zone processors are installed, select View Jobs from the left navigation bar, then click Zone Processors. If no items are listed in this dialog, then none are installed. Zone processors should be uninstalled and re-installed, as there is no formal update process. Alternatively, from this dialog, select all the zone processors, right-click and choose Stop; then, after the upgrade, manually copy the zone processor executables (rouletteproc.exe and roulettesked.exe) from the ERPM host system to each of the target zone processor systems. Close the application and begin running the new installer.
Click Next to continue.
Read the licensing agreement (EULA) and, if acceptable, click Agree to continue.
As this is an upgrade and not a fresh install, the program will want to ensure that all steps have been taken to prevent installation issues before proceeding. Click READ ME! and read the instructions (a condensed version of this section). Then, as appropriate, select each of the check boxes indicating that each step has actually been performed. When ready, click Next to continue.
If the registration information has changed, re-enter it here. Click Next to continue.
Choose the installation folder. This should be the same folder where ERPM is currently installed.
Click Next to proceed with the upgrade.
The new files will be copied to your system. Click Finish to complete the installation. After the upgrade is complete, it will be necessary to deploy the updated web files (which also updates the COM objects). Re-deploy any zone processors to ensure they are up to date and will not cause problems with the updated database. The deferred processing service, if it was installed and running previously, will need to be restarted.
Launch the newly updated application. Go to Help > About and validate the new version number and build number.
Go to Settings > Application Components and validate that all components are listed as valid.
From the management console, select Manage Web App from the left actions pane. On the Manage Web Application Instances dialog, click Install to begin the upgrade of the website. All settings will still be in place. It is highly recommended to retype the correct username and password. When finished, click Install Web Application at the bottom of the dialog. This will replace/update all files associated with the website, including the COM object. Following installation, a prompt will appear asking to launch the website. If the website was stopped at the beginning of this process, be aware that it is still stopped and the website will fail to launch until it is started again.
Start/Enable the website(s) in IIS. Make note of all deployed web sites and open Internet Information Services Manager on those systems. In IIS 7, select the parent website and choose Start from the right-hand actions pane. Any website that was stopped at the beginning of the upgrade must be started again at this point.
Once the website is installed and IIS is started, log in to the website as an all-access user and go to Admin Tools > Site Settings. Validate the updated version number of the COM object and web pages.
Start all scheduling services and zone processors. Scheduling services and zone processors can be started from the Services snap-in of each system. The service will be called Enterprise Random Password Manager Deferred Processing Service or Random Password Manager Deferred Processing Service. It is also possible to start the service from within the management console. If electing to start the service from the management console, it is highly recommended to re-type the user name and password of the deferred processor service account. If the Service Status is listed as Scheduler Service not installed, click Install. Following installation, a prompt asking to start the service will appear. If the service is already installed but not started, click Start. All zone processors will need to be updated as part of this process. To see what zone processors are installed, select View Jobs from the left navigation bar, then click Zone Processors. If no items are listed in this dialog, then none are installed. Zone processors should be uninstalled and re-installed, as there is no formal update process. If zone processors were removed as part of the update process, reinstall them now by clicking the INSTALL button and providing all information requested. When they are re-installed, the services will start up. Alternatively, if the zone processors were stopped rather than removed, manually copy the zone processor executables from the ERPM host system to each zone processor system. The files required are rouletteproc.exe, roulettesked.exe, ipworks8.dll and ipworksssh9.dll. Once updated, right-click the instances in the Zone Processing Services dialog and choose Start. At this point, the application is updated and verified. The only other step to take post-upgrade is to copy the SDK files to any other systems using the older versions.

IN THIS CHAPTER
Upgrade Notes... 348
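The stop/start steps of the procedure above (IIS website, COM+ application, deferred processing service, Roulette$ZONENAME zone processors, and the rouletteproc.exe check) as two PowerShell functions. This is an added example, not part of the ERPM installer or documentation; it assumes the IIS site name and the COM+ application name are passed in, that the WebAdministration module is present on the web server, and that the components run on the host where the script is executed (on a distributed installation, run the relevant part on each host).

```powershell
# Added example, not part of the ERPM installer or documentation: the stop and
# start steps of the upgrade procedure as PowerShell functions.
# Assumptions: run on the host where each component lives; -SiteName is the IIS
# website hosting the ERPM web application; -ComPlusApp is the COM+ application
# name (the manual's step 2 calls it PWCWebComApp).
Import-Module WebAdministration   # Stop-Website / Start-Website (IIS 7.x and later)

# Display names the manual uses for the deferred processor (scheduler) service
$SchedulerDisplayNames = @(
    'Enterprise Random Password Manager Deferred Processing Service',
    'Random Password Manager Deferred Processing Service'
)

function Get-ErpmServices {
    # The scheduler service plus every zone processor, which is installed as Roulette$ZONENAME
    Get-Service | Where-Object {
        ($SchedulerDisplayNames -contains $_.DisplayName) -or ($_.Name -like 'Roulette$*')
    }
}

function Stop-ErpmForUpgrade {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$ComPlusApp = 'PWCWebComApp'
    )
    # Do not proceed while a scheduled job is running: terminating rouletteproc.exe
    # leaves the job in an inconsistent state, so wait for it to finish instead.
    if (Get-Process -Name rouletteproc -ErrorAction SilentlyContinue) {
        throw 'rouletteproc.exe is still running; wait for the job to finish and rerun'
    }
    # Step 1: stop the website so no new requests reach the COM object
    Stop-Website -Name $SiteName
    # Step 2: shut down the COM+ application through the COM+ admin catalog
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $catalog.ShutdownApplication($ComPlusApp)
    # Steps 3 and 4: stop the scheduler and zone processors; the scheduler is also
    # disabled so a reboot during the upgrade cannot start it against a half-upgraded database
    foreach ($svc in Get-ErpmServices) {
        Stop-Service -Name $svc.Name -Force
        if ($SchedulerDisplayNames -contains $svc.DisplayName) {
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }
    Write-Host "Stopped website '$SiteName', COM+ application '$ComPlusApp' and $(@(Get-ErpmServices).Count) service(s)"
}

function Start-ErpmAfterUpgrade {
    param([Parameter(Mandatory)][string]$SiteName)
    # Step 9: start the website; the first request starts the COM+ application again
    Start-Website -Name $SiteName
    # Steps 10 and 13: re-enable and start the scheduler, then start the updated zone processors
    foreach ($svc in Get-ErpmServices) {
        if ($SchedulerDisplayNames -contains $svc.DisplayName) {
            Set-Service -Name $svc.Name -StartupType Automatic
        }
        Start-Service -Name $svc.Name
    }
}

# Usage (the site name is a placeholder):
# Stop-ErpmForUpgrade -SiteName 'ERPM Web'     # before running the new installer
# Start-ErpmAfterUpgrade -SiteName 'ERPM Web'  # after the website and zone processors are re-installed
```

Steps 5 to 8 and 11 to 12 (installer, database upgrade, website and zone processor re-installation) stay manual; Start-ErpmAfterUpgrade is only meant to run once those have been completed and verified.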
UPGRADE NOTES

As with an upgrade of any application where the data contained within the application is of the utmost importance, be sure to back up the program's database prior to running an upgrade. When an upgrade of the product occurs, structures within the database are also updated and may not be compatible with older versions of the product. If upgrading from version 4.83.0 or older to version 4.83.1 or newer and the program database is still running on Microsoft SQL 2000, the database will need to be re-hosted to Microsoft SQL 2005 or newer prior to upgrade. For tips on how to move the program database from one Microsoft SQL server to another, please refer to the following article: http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/552-how-move-your-program-database-new-server.html. If upgrading from version 4.83.4 or earlier running ERPM on Windows Server 2003 to version 4.83.5 or newer, it is necessary to migrate the installation to a Windows Server 2008 R2 or later operating system; these products are not supported on Windows Server 2008 (non-R2) and earlier. Contact your Lieberman Software account representative for more information. Versions of the product prior to version 4.83.4 did not make use of ASP.NET. The ASP.NET IIS role feature must be installed/enabled prior to upgrading to v4.83.4 or newer. Starting with version 4.83.4 of the product there are charting and visualization controls available for the user interface. These controls make use of AJAX, .NET, and jQuery. The product expressly makes a call to .NET 4.x; therefore, .NET 4.x is a requirement for the ERPM web server. If you are looking to migrate from Random Password Manager (as opposed to Enterprise Random Password Manager) to ERPM, please contact your account representative for assistance on this matter. If you are under a current support agreement, Lieberman Software will assist you in a one-time migration free of charge.