TPAM Admin Guide
(TPAM) 2.5
Administrator Guide
Copyright© 2015 Dell Inc. All rights reserved.
This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc.,
registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or
its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the
Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation.
H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with
permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and
AIX are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide.
Juniper, JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both. MariaDB is a registered
trademark of MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are
registered trademarks of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and
other countries. Nokia is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the
United States and/or other countries. Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS
is a registered trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc.
PROXYSG is a trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered
trademark of Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in
the United States or other countries. UNIX and UNIXWARE are registered trademarks of The Open Group in the United States
and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other
jurisdictions. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks
and names or their products. Dell disclaims any proprietary interest in the marks and names of others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
TPAM 2.5
2
Administrator Guide
Contents
Initial Set Up (p. 15)
    Introduction (p. 15)
    Recommended steps (p. 15)
User IDs (p. 20)
    Introduction (p. 20)
    Details tab (p. 21)
    Web tab (p. 22)
    Key based tab (p. 24)
    Cache tab (p. 24)
    Time tab (p. 25)
    Custom information tab (p. 26)
    Template tab (p. 26)
    Group membership tab (p. 27)
    Permissions tab (p. 27)
    Add a web user ID (p. 28)
    Add a user template (p. 29)
    Add a user ID using a template (p. 30)
    Add a CLI user ID (p. 31)
    Add an API user ID (p. 31)
    Regenerate keys for CLI/API users (p. 32)
    Duplicate a user ID (p. 32)
    Disassociate a user from a template (p. 33)
    Delete a user ID (p. 33)
    Delete a user template (p. 33)
    Disable/enable a user ID (p. 34)
    Unlock a user ID (p. 34)
    Reset user ID password (p. 34)
    Manage the paradmin user ID (p. 35)
    List user IDs (p. 36)
    Manage your TPAM user ID (p. 37)
Groups (p. 39)
    Introduction (p. 39)
    Details tab (p. 39)
    Members tab (p. 40)
    Permissions tab (p. 40)
    Add a group (p. 41)
    Duplicate a group (p. 42)
    Delete a group (p. 42)
    List groups (p. 43)
    Default global groups (p. 43)
Permission Hierarchy (p. 45)
    Introduction (p. 45)
    Permission precedence (p. 45)
    Permissions example (p. 46)
Access Policies (p. 48)
    Introduction (p. 48)
    Details tab (p. 48)
    Permission types (p. 50)
    Add an access policy (p. 51)
    Make an access policy inactive (p. 52)
    Reactivate an access policy (p. 52)
    Duplicate an access policy (p. 53)
    Delete an access policy (p. 53)
    Rebuild assigned policies (p. 53)
Password Profiles (p. 55)
    Introduction (p. 55)
    Add a password check profile (p. 55)
    Add a password change profile (p. 57)
    Delete a password check/change profile (p. 59)
    Assign a password check/change profile (p. 59)
Systems (p. 61)
    Introduction (p. 61)
    Information tab (p. 62)
    Custom information tab (p. 64)
    Connection tab (p. 65)
    Management tab (p. 68)
    Ticket system tab (p. 70)
    LDAP schema tab (p. 71)
    Template tab (p. 71)
    Account discovery tab (p. 72)
    Affinity tab (p. 73)
    Collections tab (p. 74)
    Permissions tab (p. 75)
    Add a system (p. 76)
    Add a system template (p. 77)
    Add a system using a template (p. 78)
    Test a system (p. 78)
    Clear a stored system host entry (p. 78)
    Duplicate a system (p. 79)
    Disassociate a system from a template (p. 79)
    Delete a system (p. 80)
    Delete a system template (p. 81)
    List systems (p. 81)
    Local appliance systems (p. 81)
Custom Platforms (p. 82)
    Introduction (p. 82)
    Custom platform Details tab (p. 82)
    Add a conversational custom platform (p. 84)
    Add a jump box custom platform (p. 85)
    Test a custom platform (p. 85)
    Duplicate a custom platform (p. 85)
    Delete a custom platform (p. 86)
    Using custom platforms in TPAM (p. 86)
    Batch processing custom platform systems (p. 87)
    CLI and API commands for custom platform systems (p. 88)
    Jump boxes (p. 88)
Collections (p. 95)
    Introduction (p. 95)
    Details tab (p. 95)
    Members tab (p. 96)
    Permissions tab (p. 96)
    Affinity tab (p. 98)
    Add a collection (p. 98)
    Duplicate a collection (p. 99)
    Delete a collection (p. 99)
    List collections (p. 100)
Accounts (p. 101)
    Introduction (p. 101)
    Information tab (p. 102)
    Reviews tab (p. 105)
    Custom Information tab (p. 106)
    Management tab (p. 106)
    Ticket System tab (p. 107)
    Dependents tab (Windows® AD only) (p. 108)
    Logs tab (p. 108)
    Past Password tab (p. 109)
    Current Password tab (p. 109)
    Collections tab (p. 110)
    Permissions tab (p. 110)
    PSM Details tab (p. 112)
    General tab (p. 112)
    Session Authentication tab (p. 117)
    File Transfer tab (p. 118)
    Review Requirements (p. 118)
    Add an account (p. 119)
    Duplicate an account (p. 120)
    Delete an account (p. 120)
    Retrieve a password (p. 121)
    List accounts (p. 122)
    List PSM accounts (p. 122)
    Password current status (p. 123)
    Manual password management (p. 123)
    Password management (p. 124)
    Managing services in a Windows® domain environment (p. 126)
    Add generic account to TPAM for PSM sessions to a user specified Windows account (p. 127)
Files (p. 140)
    Introduction (p. 140)
    Details tab (p. 140)
    Ticket System tab (p. 142)
    Logs tab (p. 143)
    File History tab (p. 143)
    Current File tab (p. 143)
    Collections tab (p. 144)
    Permissions tab (p. 145)
    Add a file (p. 146)
    Duplicate a file (p. 147)
    Review file history (p. 147)
    Delete a file (p. 147)
    Retrieve a file (p. 148)
    List files (p. 148)

    Hosts tab (p. 173)
    Cache server permissions (p. 173)
    Cache current status (p. 174)
    Create a cache team (p. 174)
    Remove a cache team member (p. 175)
    Alerts for the cache appliance (p. 175)
    Delete a cache (p. 176)
    List cache server permissions (p. 176)
    Cache logs (p. 176)
    Usage examples (p. 177)

    Duplicate a command (p. 218)
    Delete a command (p. 218)
    Create access policy with the command (p. 219)
    Assign access policy to user or group (p. 219)
    Setup requirement for Windows® (p. 220)

    Configure data extracts (p. 244)
    Customize data extract dataset file names (p. 246)

    Introduction (p. 296)
    Command standards (p. 296)
    Commands (p. 297)
TPAM 2.5
12
Administrator Guide
1 Privileged Password Management Overview
• Introduction
• Resource requirements
• Access the privileged password appliance
Introduction
TPAM is a robust collection of integrated modular technologies designed specifically to meet the complex and
growing compliance and security requirements associated with privileged identity management and privileged
access control.
NOTE: This guide explains the core functionality available in TPAM regardless of the product licenses that
have been applied.
Resource requirements
One IP address is required for each TPAM appliance in a cluster. The 1U hardware design provides a small
footprint for the device and requires minimal rack space.
Connectivity
To communicate with TPAM and successfully initiate a session, your computer needs to be able to pass traffic on
ports 443 (HTTPS), 8000, and 22 (SSH).
If TPAM will be accessed via Microsoft® Internet Explorer® (IE), there is one important setting to verify or
change in the IE configuration:
Pop-up blocker
When the /tpam website is accessed, the initial instance of the browser is closed and a new window opens
without menu or title bars. Browsers that are configured to block pop-ups often interpret this new window as a
pop-up, and the page will not display. Be sure to add the URL for TPAM to the list of allowed pop-ups. If your
desktop environment does not allow pop-up blockers to be disabled, this new-window behavior can be turned off by
the system administrator with a global setting in the /admin interface.
2 Initial Set Up
• Introduction
• Recommended steps
Introduction
This chapter covers the recommended steps for the initial set up of the TPAM appliance in the /tpam interface.
Before proceeding, the configuration of the /config and /admin interface should be completed. See the System
Administrator Guide for details. The order of the information presented in this manual reflects the
recommended steps outlined below.
Recommended steps
To configure the /tpam interface:
1 Log in to the /tpam interface with the paradmin user ID.
2 Add a CLI user ID with a user type of administrator. Download and store the key outside of the appliance.
See Add a CLI user ID for details.
3 Create password check and change profiles. See Password Profiles.
4 Create password rules. See the TPAM System Administrator Guide.
5 If LDAP or Generic Integration will be utilized, add the necessary system and user templates. See Add a
system template and Add a user template.
6 Outline the desired groups within LDAP that will be used to create TPAM groups for assigning permissions.
With those groups, add LDAP mappings to create the groups and provision the users. See .
7 If Auto Discovery is not utilized, load TPAM users through Import user IDs.
8 Configure any Cache servers. See Add the cache in the TPAM interface.
9 Outline the desired OUs within LDAP that will be used to create TPAM Collections and provision systems.
With those OUs, add LDAP mappings to create the collections and provision the systems.
NOTE: The system template can be used to add accounts as well.
10 If Auto Discovery is not used, load the systems to be managed through Import systems or Add a system.
See the Client Set Up Guide for details on configuring specific platforms.
11 If desired, add any files to be managed. See Add a file.
12 If Cache servers and/or DPAs were purchased, make the affinity assignments at the system level. See
Affinity tab.
13 For any accounts that were not provisioned using the auto-discovery process for adding systems, load the
accounts in TPAM through Import accounts.
14 To utilize collections (buckets of systems, accounts and/or files) other than the ones created using
auto-discovery, add collections and then load collection membership. See Add a collection and Add or drop
collection members.
15 To utilize groups (buckets of users) other than the ones created using auto-discovery, add groups and
then load group membership. See Add a group and Add or drop group members.
16 See Permissions tab to add the permissions desired to allow the group access to the collections or to
individual systems.
17 If Privileged Session Manager (PSM) was purchased and Privileged Command Manager (PCM) will be used,
configure PCM Commands. See Add a command.
18 Create any custom Access Policies. See Add an access policy.
19 Update permissions with access policy assignment. See Batch update permissions.
20 If a PSM customer, add any PSM Connection Profiles and Post Session Processing Profiles. See Add a PSM
connection profile and Add a post session processing profile.
NOTE: In the admin interface the Post Processing Agent must be started for post session profiles to
take effect.
21 If a PSM customer, see Batch update PSM accounts to update the PSM permissions for accounts.
22 If a PSM customer, see Configure session log archive settings and Configure session log archive server to
configure retention settings for session logs.
23 Configure the Batch Report subscriptions and recipients. See Enable/disable scheduled reports.
24 Configure the Data Extract Schedule and Data Sets. See Configure data extracts.
25 Configure Synchronized Passwords. (Optional) See Add synchronized password.
26 Configure TPAM CLI IDs. (Optional) See Add a TPAM CLI ID.
3 Permission Based Home Page
• Introduction
• Message of the day tab
• Recent activity tab
• Approvals tab
• Pending reviews tab
• Current requests tab
Introduction
Your home page is based on the user type and permissions assigned to your user ID in the TPAM application.
Return to the home page from anywhere in the TPAM application by clicking the home icon located on the far
left side of the menu ribbon.
Recent activity tab
The recent activity tab shows all your activity in TPAM for the last 7 days.
Approvals tab
The Approvals tab displays any requests (Password, File or Session) that require approval. After a request is
approved or denied it remains on this list until the release duration expires. Clicking on the request ID opens
the appropriate Requests Approval Detail tab to approve or deny the request. To use the auto-refresh option,
select the box and type the number of minutes after which you would like the window refreshed.
Pending reviews tab
Eligible reviewers for any post-release password reviews or sessions see the Pending Reviews tab on the home page.
Any password releases or sessions that are pending review are listed on this tab. Clicking on the request ID opens
the Password Release Review Details or Session Review Details tab. To use the auto-refresh option, select the box
and type the number of minutes after which you would like the window refreshed.
Current requests tab
The Current Requests tab displays any request (Password, File or Session) that you have made. The requests stay
visible on this tab until the release duration expires. Clicking on the Request ID link opens the Session, Password
or File Request Management tab to view details on a request.
4 User IDs
• Introduction
• Add a web user ID
• Add a user template
• Add a user ID using a template
• Add a CLI user ID
• Add an API user ID
• Regenerate keys for CLI/API users
• Duplicate a user ID
• Disassociate a user from a template
• Delete a user ID
• Delete a user template
• Disable/enable a user ID
• Unlock a user ID
• Reset user ID password
• Manage the paradmin user ID
• List user IDs
• Manage your TPAM user ID
Introduction
This chapter covers adding and managing TPAM user IDs.
To add and manage user IDs, information is entered on the following tabs in the TPAM interface:
Details tab
The table below explains all of the box options available on the Details tab.
Table 2. User Management: Details tab options
Web tab
The table below explains all of the box options available on the Web tab:
Table 3. User Management: Details Web tab options
Key based tab
The table below explains all of the box options available on the Key Based tab:
Cache tab
The Cache tab is only enabled when a user type of cache user is selected. For more details on cache users see
Add cache users.
The table below explains all of the box options available on the Cache tab:
Table 5. User Management: Details Cache tab options
Time tab
The Time tab allows administrators and user administrators to set a user’s local time zone. This tab is not
enabled for Cache, CLI and API users.
NOTE: The TPAM server is always at UTC time and never uses daylight saving time.
The table below explains all of the box options available on the User ID Time tab:
Custom information tab
There are six custom boxes that can be used to track information about each user. These custom boxes are
enabled and configured by the System Administrator in the /admin interface. If these boxes have not been
enabled the Custom Information tab will not be visible.
Template tab
The template tab is used to save all the settings for a user ID as a template. Templates may be used to quickly
create new users with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. User templates do not store a default password. Only TPAM
Administrators and ISAs may use templates.
The table below explains all of the box options available on the User ID Template tab:
Group membership tab
A group is a container of users, which can share common permissions. The group membership tab is used to
assign users to groups.
NOTE: If a group is tied to either AD or Generic Integration the user’s membership status in that group
cannot be changed.
The table below explains all of the box options available on the User ID Group Membership tab:
Permissions tab
The permissions tab is used to assign systems, accounts, files and/or collections an access policy for this user.
To assign Access Policies:
1 Use the table on the left of the page to select the names of the systems, accounts, files and/or
collections to which the selected access policy is to be assigned.
2 Select an access policy from the Access Policy list in the access policy details pane, located in the right
upper side of the results tab. Selecting an access policy on the list displays the detailed permissions
describing this access policy on the rows below.
3 Select one of the icons in the access policy details pane (right upper side of page) to make the
assignment.
The icons in the access policy details pane perform the following actions:
• Refreshes the list of Access Policies.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (the row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. Confirmation of the assignment is required if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. Confirmation of the assignment is required if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (the row with the dotted border) even if multiple rows are selected.
An edited-row icon next to any row on the list simply means that row has been edited since the last save changes occurred.
Pressing the SHIFT key and left clicking the mouse can be used to select a range of rows. The first row clicked will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and current row to be highlighted.
4 When finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: The results list can be re-filtered and re-retrieved without losing existing edits. As the Results tab is reloaded, any systems, accounts, files, or collections that have already been edited reflect their edited policy assignment. When the Save Changes button is clicked, all the Access Policy assignment changes for the user are saved. The appliance saves these in batches, reporting the number of assignments added, removed, or changed for each batch.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
• Details/Time
• Details/Custom
• Template
• Group Membership
• Permissions
The following procedure describes the steps to add a user ID.
2 Enter the template name and placeholder first and last names.
3 Change any other settings on the various tabs.
4 Click the Save Changes button.
Add a CLI user ID
A CLI user ID is a special user account used to access TPAM remotely via the CLI (command line interface). It is
now possible for one user ID to be both a web and CLI user. When accessing TPAM through the CLI they can only
execute specific commands supported by the TPAM CLI.
NOTE: The paradmin user ID cannot be given CLI access.
IMPORTANT: If a user ID has both web and API or CLI access to TPAM you will not be able to download or
generate keys for that user ID. They must log on to TPAM to download and/or regenerate their own DSS
key.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the API check box. Enter information on the Key Based tab. For more
information see Key based tab.
5 To enter custom information, click the Custom Information tab. For more details see Custom
information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more
details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group
membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
Duplicate a user ID
To ease the burden of administration and help maintain consistency, user IDs can be duplicated. This allows the
administrator to create new user IDs that are very similar to those that exist, while only having to modify a few
details. The new user ID inherits time information, group membership, and permissions settings from the
existing user ID.
To duplicate a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be duplicated.
5 Click the Duplicate button. A new user ID is created and the User ID Details page displays. The name of
the new user ID is automatically DuplicateOfXXXXX.
6 Enter a first name and last name for the user.
7 Make any changes to the user configuration on the various tabs.
8 Click the Save Changes button.
Delete a user ID
To delete a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
4 Select the user template to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: A template that is currently being used by AD or Generic Integration cannot be deleted.
Disable/enable a user ID
To disable/enable a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be changed.
5 Click the Details tab.
6 Select/Clear the User Disabled? box.
7 Click the Save Changes button.
Unlock a user ID
A user may need to be unlocked if they enter an incorrect password multiple times.
To unlock a user:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be unlocked.
5 Click the Unlock button.
This creates a one time use password that the user will be forced to change upon logging on.
NOTE: You cannot change passwords for users with external primary authentication. If Primary
Authentication has been minimized then you cannot change the user’s local password.
9 Select Accounts | Manage Accounts from the menu.
10 Filter for the paradmin account. Click the Details tab.
11 Click the Management tab. Verify that the password check and changes profiles you want used to manage
this account are assigned.
The password will be scheduled for an immediate reset. Depending on the number of password changes in the
queue it may take some time to reset. Any users currently logged on as paradmin will be prompted to enter a
new password once it has been reset.
6 To view group membership for a user, select the user ID and click the Groups tab.
7 To view the permissions assigned to the user, select the user and click the Permissions tab.
2 Enter the Old Password, the New Password, and Confirm New Password.
3 Click the Save Changes button.
NOTE: User passwords are subject to the requirements of the Default Password Rule.
Table 10. Fields available on My User Details
NOTE: If the System-Administrator disables User Time zone changes in the /admin interface the
User Time Zone Information block shown above is visible only for Administrator users.
5
Groups
• Introduction
• Add a group
• Duplicate a group
• Delete a group
• List groups
• Default global groups
Introduction
Groups are defined sets of users. Groups can be used to simplify the process of assigning permissions.
To add and manage groups, information is entered on the following tabs in the TPAM interface:
Details tab
Members tab
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this group.
To assign Access Policies:
1 Use the table on the left of the page to select the names of the users to which the selected access
policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.
The icons in the Access Policy Details pane perform the following actions:
• Refreshes the list of available Access Policies.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (the row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (the row with the dotted border) even if multiple rows are selected.
An edited-row icon next to any row on the list simply means that row has been edited since the last save changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Users that you have already edited reflect their edited policy assignment. When you click
the Save Changes button all the Access Policy assignment changes for the account are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a group
When adding a group in TPAM, information is entered on the following tabs to configure the group:
• Details
• Members
• Permissions
The following procedure describes the required steps to add a group.
TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the
Ctrl key when clicking on any button.
6 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
NOTE: The Permissions tab is disabled for any of the default Global Groups because you cannot
change the Access Policy for a system generated group.
Duplicate a group
To ease the burden of administration and help maintain consistency, groups can be duplicated. This allows the
administrator to create new groups that are very similar to those that exist, while only having to modify a few
details. The new group inherits membership and permissions from the existing group.
To duplicate a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be duplicated.
5 Click the Duplicate button. A new group is created and the Group Details page displays. The name of the
new group is automatically DuplicateofXXXXX.
6 Make any changes to the group on the various tabs.
7 Click the Save Changes button.
Delete a group
To delete a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
List groups
The List Groups option allows you to export the group data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
3 Select a global group.
4 Click the Members tab to edit membership to the group.
6
Permission Hierarchy
• Introduction
• Permission precedence
• Permissions example
Introduction
Because TPAM allows groupings of users (Groups) and remote systems (Collections), it is possible, even likely,
that a user could appear to have multiple conflicting permissions for a particular system, account, and or file.
To prevent this, TPAM implements a precedence of permissions.
Permission precedence
The precedence, in order of decreasing priority is:
• An Access Policy assigned to a User for an Account/File (most specific)
• An Access Policy assigned to a User for a Collection containing Accounts or Files
• An Access Policy assigned to a User for a System
• An Access Policy assigned to a User for a Collection of Systems
• An Access Policy assigned to a Group for an Account /File
• An Access Policy assigned to a Group for a Collection containing Accounts or Files
• An Access Policy assigned to a Group for a System
• An Access Policy assigned to a Group for a Collection of Systems (least specific)(*)
(*) This category includes Users who are assigned to any of the “Global XXX” Groups. The groups grant their
respective permissions to an internally-maintained “All Systems” collection.
IMPORTANT: A Denied access policy assignment at any level overrides all other permissions at that level.
After any permissions are changed, for example, by adding or removing a user from a group, the precedence is
recalculated, and if necessary, the permissions for the user are changed to reflect the new level that results.
Permissions example
In the scenario shown above, the groups and users have been assigned Access Policies that grant the permissions
specified. In this situation, the precedence of permissions will be applied and the effective permissions would
be as follows:
• User A has Approver permission on System C through the Group to System assignment.
• User A has been assigned Reviewer rights on System A, Account B1, and File C1 via Group A to Collection
B assignment. These Review rights on File C1 take precedence over the Approve rights on System C
because assignment to a Collection containing an Account or File is more specific than a collection
containing just the System. User A may still Approve requests to all accounts on System C and all of C’s
files with the exception of File C1.
• Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that
as with above, the Group B to Collection B assignment of Request rights for User A on File C1 override
the Approver rights from Group A.
• Since User A is in both Groups A and B he has both Review and Request rights on all the items in
Collection B. Assignments at the same hierarchy level are combined.
• User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though
the Group A to Collection B assignment User B grants Review to Account B1 on System B, User B is still
denied access because the User to Collection assignment trumps the Group to Account in a Collection
assignment. If User B had instead been assigned the Review permission directly (as opposed to through
Group A) to Account B1 that would have replaced the Denied assignment on System B, but only for that
one account.
• User B also has Review rights on all Accounts and Files on System A and File C1 on System C.
• User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes
both policies User C received via the Group to Collection assignments, but only for Account B1. User C
still has Review and Request permissions to System A and File C1.
• User D has been granted ISA rights over Collection A. This assignment takes precedence over D’s Request
permission on System A, which is through the Group B to Collection B. D still retains the Request
permissions on Account B1 and File C1 from the Group assignment, however that removes D’s ISA
permissions on Account B1 (although D still has ISA permissions over any other accounts on System B).
Where there is more than one permission granted at the same level of the permission hierarchy those
permissions are combined, as long as one of those permissions is not “Denied”. If a User is in 3 different groups
(A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor)
the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead
of Reviewer that takes precedence over all other "Group to System" assignments for that User on that System.
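The precedence rules above, implemented as an added example (not TPAM code) so that the worked scenario can be checked mechanically. The resolver class, the level table and the scenario data are constructed here; the group rosters and the contents of Collection A are inferred from the bullets rather than stated by the guide, and are marked as assumptions in the code.

```python
"""Effective-permission resolver modelling the guide's precedence list.

Added example, not TPAM code. Scenario data is reconstructed from the
bullets in the Permissions example; inferred pieces are labelled.
"""
from collections import defaultdict

# Precedence from the guide, most specific first; a lower index wins.
LEVELS = [
    ("user", "account"), ("user", "account_collection"),
    ("user", "system"), ("user", "system_collection"),
    ("group", "account"), ("group", "account_collection"),
    ("group", "system"), ("group", "system_collection"),
]


class PermissionResolver:
    def __init__(self):
        self.groups = defaultdict(set)        # group name -> set of user names
        self.account_system = {}              # account/file name -> system it lives on
        self.collections = defaultdict(set)   # collection name -> systems and accounts/files
        self.assignments = []                 # (principal_kind, principal, target_kind, target, policy)

    def assign(self, principal_kind, principal, target_kind, target, policy):
        self.assignments.append((principal_kind, principal, target_kind, target, policy))

    def _level(self, user, principal_kind, principal, target_kind, target, entity):
        """Precedence index of one assignment for (user, entity), or None if it does not apply."""
        if principal_kind == "user" and principal != user:
            return None
        if principal_kind == "group" and user not in self.groups[principal]:
            return None
        is_account = entity in self.account_system          # account or file, not a system
        system = self.account_system.get(entity, entity)    # the system the entity lives on
        scope = None
        if target_kind == "system" and target == system:
            scope = "system"
        elif target_kind == "account" and is_account and target == entity:
            scope = "account"
        elif target_kind == "collection":
            members = self.collections[target]
            if is_account and entity in members:
                scope = "account_collection"
            elif system in members:
                scope = "system_collection"
        return LEVELS.index((principal_kind, scope)) if scope else None

    def effective(self, user, entity):
        """Policies in effect for user on a system, account or file."""
        by_level = defaultdict(set)
        for principal_kind, principal, target_kind, target, policy in self.assignments:
            level = self._level(user, principal_kind, principal, target_kind, target, entity)
            if level is not None:
                by_level[level].add(policy)
        if not by_level:
            return frozenset()
        winning = by_level[min(by_level)]
        # Same level: permissions combine unless one of them is Denied, which overrides.
        return frozenset({"Denied"}) if "Denied" in winning else frozenset(winning)


def guide_scenario():
    """Assignments reconstructed from the guide's bullets. Group rosters and the
    contents of Collection A are inferred (assumption), not stated outright."""
    r = PermissionResolver()
    r.groups["Group A"] = {"User A", "User B", "User C"}
    r.groups["Group B"] = {"User A", "User C", "User D"}
    r.account_system.update({"Account B1": "System B", "File C1": "System C"})
    r.collections["Collection A"] = {"System A", "System B"}
    r.collections["Collection B"] = {"System A", "Account B1", "File C1"}
    r.assign("group", "Group A", "system", "System C", "Approver")
    r.assign("group", "Group A", "collection", "Collection B", "Reviewer")
    r.assign("group", "Group B", "collection", "Collection B", "Requestor")
    r.assign("user", "User B", "system", "System B", "Denied")
    r.assign("user", "User C", "account", "Account B1", "ISA")
    r.assign("user", "User D", "collection", "Collection A", "ISA")
    return r


def three_group_example(group_b_policy):
    """The closing paragraph's case: one user in Groups A, B and C, each assigned to System X."""
    r = PermissionResolver()
    for g in ("Group A", "Group B", "Group C"):
        r.groups[g] = {"User X"}
    r.assign("group", "Group A", "system", "System X", "Approver")
    r.assign("group", "Group B", "system", "System X", group_b_policy)
    r.assign("group", "Group C", "system", "System X", "Requestor")
    return r.effective("User X", "System X")
```

`effective()` returns the policy set from the most specific level that has any assignment, collapsing to Denied when that level contains one. Applied literally, the printed list gives User D's User-to-Collection ISA precedence over the Group-to-Collection Request on Account B1, whereas the narrative bullet says the group assignment wins there; confirm that case against the appliance before relying on either reading.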
7
Access Policies
• Introduction
• Details tab
• Permission types
• Add an access policy
• Make an access policy inactive
• Reactivate an access policy
• Duplicate an access policy
• Delete an access policy
• Rebuild assigned policies
Introduction
Access policies allow permissions to be assigned at the system, account and file level. Access policies allow
permissions to be broken down and assigned at a more granular level. For example, you could create one access
policy that would allow someone to review password releases, request password releases and request a session
that would limit them to two commands. Default access policies exist in TPAM that mimic the old TPAM roles of
“EGP Requestor”, “PAR ISA” etc., so that existing permission assignments are migrated to the new access policy
model and so that the default Global Groups can be supported.
Details tab
The table below explains all of the box options available on the details tab.
Table 15. Access Policies: Details tab options
Max Duration (Required? No)
The request will use the value here or the value set at the account, whichever is less.
Permission types
When creating access policies in TPAM there are several different permission types to choose from. The table
below explains the different types.
Table 16. Access Policies: Available permission types
Denied
This permission type was created so that collection permissions could be assigned to a user and then the Denied permission set for specific entities within this collection that the user should not have access to. If a user is Denied for a system but has access to a specific account/file on that system they can still access the account/file, because account or file permission assignment holds precedence over system.
ISA (Information Security Administrator)
The role of ISA is intended to provide the functionality needed for security help desk personnel, and as a way to delegate limited authority to those responsible for resource management.
An ISA permission with a type of session allows the user to add and update all aspects of PSM Only systems, PSM only accounts, and for PSM supported platforms.
An ISA permission with a type of password allows the user to add and update systems and accounts for all platforms except those that are PSM only.
A user must be assigned an access policy with a type of both password and session and permission of ISA to be able to assign access policies to other entities. The ISA permission does not allow the user to delete a system.
Approver
An approver can be configured to approve password, session and/or file requests. An approver can also be configured to only approve sessions that are requesting specific commands.
Requestor
A Requestor can be configured to request password, session, and/or file requests. A requestor can also be configured to only request sessions that run specific commands.
NOTE: A user requesting a session that has an interactive proxy type must also have an access policy assigned to them that includes password/requestor for that account.
Reviewer
The reviewer role permits the individual to view reports on specific systems for which they have been granted reviewer rights. A session/command reviewer can also replay sessions and review/comment on these sessions. If the user has password reviewer permissions they can review a password release that has expired and comment on that password release.
PAC (Privileged Access)
With a PAC permission type, the user must go through the request process for passwords, files, and sessions but after they submit the request it is automatically approved, regardless of the number of approvers required.
NOTE: If a user has session/PAC permissions but does NOT have password/PAC permissions on an account, they can only start a session that is configured for one of the automatic proxy connection types, since they do not have permissions to access the password.
NOTE: There is no way to create a policy that allows a user to “Request, Approve or Review any Session
using any PCM Command”. A separate detail row must be created for each PCM command that is allowed
through the policy.
TIP: Any detail rows on an access policy that include a command permission need to have their own line.
See the example screen shot below.
Detail rows should not conflict with each other in the same policy. For example, if you have one row granting
Password/REQ, you cannot have another row with Password/DEN. Nor are you allowed to have two rows in the
policy that grant the same permission to the same type or command, e.g., you cannot have two rows both
granting Password/REQ, however you may have two (or more) rows granting Command/REQ as long as all the
rows reference different PCM Commands.
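The detail-row rules in the two paragraphs above (one row per PCM command, no conflicting permissions on the same type, no duplicate rows), as an added consistency check that is not TPAM code. The row tuples, the type and permission names, and the decision that Denied conflicts with any other permission on the same type (the guide only gives the Password/REQ versus Password/DEN example) are constructed assumptions.

```python
"""Consistency check for the detail rows of one access policy.

Added example, not TPAM code. Rows are represented as
(type, permission, pcm_command) tuples; pcm_command is None unless the
type is 'Command'. Type and permission names are taken from the guide's
tables; the Denied-conflicts-with-everything rule is an assumption.
"""
from collections import defaultdict

ROW_TYPES = {"Password", "Session", "File", "Command"}
PERMISSIONS = {"Denied", "ISA", "Approver", "Requestor", "Reviewer", "PAC"}


def validate_policy_rows(rows):
    """Return a list of problems; an empty list means the rows can coexist in one policy."""
    problems = []
    seen = set()
    perms_by_type = defaultdict(set)
    for typ, perm, command in rows:
        if typ not in ROW_TYPES or perm not in PERMISSIONS:
            problems.append(f"unknown row {typ}/{perm}")
            continue
        # Command rows need their own PCM command; other types must not carry one.
        if (typ == "Command") != (command is not None):
            problems.append(f"{typ}/{perm}: a PCM command is required exactly when the type is Command")
            continue
        key = (typ, perm, command)
        if key in seen:  # same permission on the same type, or on the same command, twice
            suffix = f" for command {command!r}" if command else ""
            problems.append(f"duplicate row {typ}/{perm}{suffix}")
        seen.add(key)
        perms_by_type[typ].add(perm)
    # Conflicting rows: Denied on a type alongside any grant on that type (assumption,
    # generalised from the guide's Password/REQ versus Password/DEN example).
    for typ, perms in perms_by_type.items():
        if "Denied" in perms and len(perms) > 1:
            others = ", ".join(sorted(perms - {"Denied"}))
            problems.append(f"{typ}: Denied conflicts with {others}")
    return problems


# Constructed sample policy: request passwords and sessions, plus two
# separately listed PCM commands, which the guide allows.
SAMPLE_ROWS = [
    ("Password", "Requestor", None),
    ("Session", "Requestor", None),
    ("Command", "Requestor", "ls"),
    ("Command", "Requestor", "cat"),
]
```

Run `validate_policy_rows(SAMPLE_ROWS)` to see the accepted case; adding `("Password", "Denied", None)` or a second `("Command", "Requestor", "ls")` row produces the corresponding problem message.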
Make an access policy inactive
Making an access policy inactive removes it from the list of possible access policies that can be assigned to users
or groups for a system, account, collection or file. Making the policy inactive also removes it from any entity
it is assigned to.
7 After reading the warnings, to proceed select the Yes, this is really what I want to do check box.
8 Click the Save Changes button.
NOTE: If this is a system generated policy it makes the associated Global XXX Group effectively useless,
but does not change membership in the group.
7 Click the Save Changes button.
NOTE: Reactivating a system-generated access policy brings back assignments of the associated global
group to the “All Systems” collection.
• Changing collection membership
• Changing the Global Groups setting in Global Settings
The Rebuild Assigned Policies page shows how much data is in the cache, when it was last updated, and the
current state of the background job. An Administrator or a user with both PPM and PPM ISA permissions may use
the Run Now button to run the job immediately if there are pending changes. This job will automatically run in
the background every 60 seconds as needed to update changes.
8
Password Profiles
• Introduction
• Add a password check profile
• Add a password change profile
• Delete a password check/change profile
• Assign a password check /change profile
Introduction
Password check and change profiles define the rules for the checking and changing of an account’s password. On
a brand new TPAM appliance there will be 3 factory default check profiles and 5 factory default change profiles
that can be assigned to systems/accounts as desired, or new ones can be configured. The three check
profiles available are:
• Check and Reset - marked as default until another profile is marked as default.
• Check, No Reset
• Check Disabled
The change profiles available are:
• Change Disabled
• Change Daily
• Change Every 5 days
• Change on First of Month - marked as default until another profile is marked as default.
• Change on Last of Month
Table 17. Password check profile page options
Password change profile page options (Field, Description, Required?, Default)
Default Change Profile (Required? No; Default: Off)
If selected, this password change profile will automatically be assigned to any new system added.
Schedule (Required? Yes; Default: Daily, 1 time per day)
Specifies the interval at which the password is changed. Choices are:
• No scheduled password changes - accounts or synchronized passwords with this setting will never be scheduled for changes. Post-release resets may still occur based on the account level setting.
• Daily - password changed n time(s) per day.
NOTE: If a password is scheduled to be changed more than once a day the recommendation is to use the Test Port option as well.
• Weekly - password is changed once on the day(s) selected.
• Every n Days - password is changed every n days. The n value can be between 1 and 999.
• Monthly - if selected then the password is changed every month depending on one of the options below:
• First Day of the Month – the password is changed every month, on the first day of the month.
• Last Day of the Month – the password is changed every month, on the last day of the month.
• Days of the Month - specific days can be entered. Multiple days can be entered separated with semi-colons. -1 can be entered to represent the last day of the month.
Changes will be scheduled during the following window(s) (Required? Yes; Default: 00:00-23:59)
The time windows entered indicate the time(s) the password is scheduled to be changed. Time windows are entered as StartTime-EndTime. Times must be entered using a 24 hour format. Multiple time windows may be entered separated by a semi-colon. Up to 4 windows may be entered. Each window must be a minimum of 60 minutes long, and there must be at least 30 minutes in between each window. Windows that cross midnight will be listed as two separate windows once the profile is saved.
Allow system to notify TPAM it is available for change (Required? No; Default: Off)
If selected, the system can notify TPAM that it is online and available for password changes. If this is selected and the system is online, a password change will be scheduled if the last successful change date indicates that a password change is overdue. The system must have a unique certificate thumbprint assigned in order to use this option. The certificate is assigned to the system on the System Management tab. See Management tab for details.
Accounts that are overdue for a change will be scheduled regardless of the current schedule settings, unless the account has No scheduled password changes selected. Accounts subscribed to a Synchronized Password will be checked against the current synchronized password and reset if needed.
Do not change password while release is active (Required? No; Default: Off)
If selected, the password will not be changed while the account has an active request open.
Change password timeout (Required? Yes; Default: 20)
Determines the amount of time in seconds that an attempt to change the password remains active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the system, this value can be increased.
Test Port/Timeout (Required? No; Default: Off)
If selected, the port that is used for the password change is tested before attempting to change the password. If selected, a timeout in seconds is required. A small value for the timeout is recommended. Using the test port helps reduce the number of failed passwords that TPAM has to store, as well as reducing the network resources spent waiting on unsuccessful change password attempts. A test port failure is logged, but does not count as a failed password change.
After n consecutive failures to change do ... (Required? Yes; Default: 0, Do nothing)
n is a value between 0-99. Options available if failures occur are:
• Do nothing
• Disable change schedule - account is ignored for any future checks until an Administrator or ISA goes to the account details management tab and clears the Change schedule disable check box.
• Lock - locks the account in TPAM; no password releases or password requests are permitted until it is unlocked.
NOTE: Test port failures do not count toward consecutive failures.
Also notify account owner of change failure (Required? No; Default: Off)
Only available if the consecutive failures setting is greater than 0. Email addresses saved on the system detail information tab will receive notifications when the nth failure occurs and every nth time after. Ex. 3 failures, email sent; 3 more failures, email sent.
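The change-window and Days of the Month formats described in the Schedule rows above, as an added example (not TPAM code) that validates a value the way the table's limits describe: up to 4 windows, each at least 60 minutes, at least 30 minutes apart, entered as StartTime-EndTime in 24-hour form, with windows crossing midnight listed as two once saved. The functions, the inclusive counting of minutes (so 00:00-23:59 is a full day) and the treatment of a midnight-crossing window as adjacent to the first window of the day are assumptions of this example.

```python
"""Validators for the 'Changes will be scheduled during' windows and the
Monthly 'Days of the Month' list of a password change profile.

Added example, not TPAM code; limits come from the table above, the
inclusive-minute and wrap-around details are assumptions.
"""
import calendar
import re

DAY = 24 * 60
MAX_WINDOWS, MIN_LENGTH, MIN_GAP = 4, 60, 30  # limits stated in the table
WINDOW_RE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def _minute_of_day(hh, mm):
    h, m = int(hh), int(mm)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"{hh}:{mm} is not a valid 24-hour time")
    return h * 60 + m


def parse_change_windows(spec):
    """Validate a value such as '08:00-10:00;22:00-01:00' and return the windows
    as they would be listed once saved: sorted (start, end) minute-of-day pairs,
    with a window that crosses midnight split in two."""
    parts = [p.strip() for p in spec.split(";") if p.strip()]
    if not parts:
        raise ValueError("at least one window is required")
    if len(parts) > MAX_WINDOWS:
        raise ValueError(f"at most {MAX_WINDOWS} windows may be entered")
    spans = []  # (start, end); end is unwrapped past midnight when the window crosses it
    for part in parts:
        m = WINDOW_RE.match(part)
        if not m:
            raise ValueError(f"{part!r} is not in StartTime-EndTime form")
        start = _minute_of_day(m.group(1), m.group(2))
        end = _minute_of_day(m.group(3), m.group(4))
        if end < start:
            end += DAY
        if end - start + 1 < MIN_LENGTH:  # minutes counted inclusively, as in 00:00-23:59
            raise ValueError(f"{part!r} is shorter than {MIN_LENGTH} minutes")
        spans.append((start, end))
    spans.sort()
    gaps = [nxt[0] - prev[1] for prev, nxt in zip(spans, spans[1:])]
    if len(spans) > 1 and spans[-1][1] >= DAY:
        # The last window runs past midnight, so it is adjacent to the first one (assumption).
        gaps.append(spans[0][0] + DAY - spans[-1][1])
    if gaps and min(gaps) < MIN_GAP:
        raise ValueError(f"windows must be at least {MIN_GAP} minutes apart")
    listed = []
    for start, end in spans:
        if end >= DAY:
            listed += [(start, DAY - 1), (0, end - DAY)]
        else:
            listed.append((start, end))
    return sorted(listed)


def format_windows(windows):
    """Render (start, end) minute pairs back into the StartTime-EndTime;... form."""
    return ";".join(f"{s // 60:02d}:{s % 60:02d}-{e // 60:02d}:{e % 60:02d}" for s, e in windows)


def is_valid_window_spec(spec):
    try:
        parse_change_windows(spec)
        return True
    except ValueError:
        return False


def days_of_month(spec, year, month):
    """Expand a 'Days of the Month' value such as '1;15;-1' (-1 = last day) for one month."""
    last = calendar.monthrange(year, month)[1]
    days = set()
    for token in spec.split(";"):
        token = token.strip()
        if not token:
            continue
        day = last if int(token) == -1 else int(token)
        if not 1 <= day <= last:
            raise ValueError(f"day {token} does not exist in {year}-{month:02d}")
        days.add(day)
    return sorted(days)
```

`format_windows(parse_change_windows("22:00-01:00"))` shows the split the table describes, returning the two windows the saved profile would list.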
To assign a password check or change profile to a system:
1 Select Systems, Accounts, & Collections | Accounts | Manage Systems.
2 Select the system on the Listing tab.
3 Click the Management tab.
4 Select the profiles from the lists.
5 Click the Save Changes button.
9
Systems
• Introduction
• Add a system
• Add a system template
• Add a system using a template
• Test a system
• Clear a stored system host entry
• Duplicate a system
• Disassociate a system from a template
• Delete a system
• Delete a system template
• List systems
• Local appliance systems
Introduction
This chapter covers the steps to add and manage systems in TPAM. To add and manage systems, information is
entered on the following tabs in the TPAM interface:
Information tab
The table below explains all of the box options available on the details information tab.
Table 19. Systems Management: Details information tab options
There are six fields that can be customized to track information about each system. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.
Connection tab
The connection tab is used to configure the functional account that TPAM will use to connect to the system. This
tab is not enabled unless the Enable Automatic Password Management? check box is selected on the details
information tab (except for the SPCW platforms). The fields available on the connection tab are dependent on
the platform type of the system being configured.
The table below describes the different box options on the Connection tab.
Table 20. Systems Management: Details Connection tab options
Management tab
The management details tab is used to configure how TPAM manages the passwords for accounts on this system.
This tab is not enabled unless the Enable Automatic Password Management? check box is selected on the
details information tab. Once set, these parameters are inherited by accounts added to this system. These
options can be overridden at the account level.
The table below explains the options on the Management Details tab.
Table 21. Systems Management: Details Management tab options
• CertificateThumbprint - 40-byte hexadecimal value of the certificate attached to the request. This does
not indicate whether the request was accepted; it is just an echo of the certificate that was presented,
primarily for debugging purposes. This value may or may not stay.
• ErrorID - number. 0 = good, non-zero = an error occurred. Note that "success" does not necessarily mean
anything was added or flagged for processing.
• ResultMessage - text. Either "Success" or an error message. Currently it returns an error message
informing you of an unrecognized thumbprint.
• If no certificate is attached, the call results in a 403 error (403 - Forbidden: Access is denied).
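The three response fields above are easy to misread: the thumbprint is only an echo, and ErrorID 0 only means the request was accepted. The following client-side check is an added example (not Dell's code and not part of this guide); it assumes the response body has been parsed into a dictionary keyed by the field names listed above, and the function and argument names are the example's own.

```python
"""Interpret a notification-service response (added example, not Dell's code).

Assumption: `body` is the parsed response as a dict with the keys
CertificateThumbprint, ErrorID and ResultMessage described in the guide.
"""
import re

# 40 hexadecimal characters, as the guide describes the echoed thumbprint.
_THUMBPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")


def interpret_response(status_code, body, sent_thumbprint):
    """Return (ok, reason) for one call.

    Order matters: a 403 carries no usable body (no client certificate was
    presented); a thumbprint echo that does not match the certificate we
    meant to send points at a client-side misconfiguration that should be
    fixed before the ErrorID is even looked at.
    """
    if status_code == 403:
        return False, "403 Forbidden: no client certificate was presented"
    if not isinstance(body, dict):
        return False, "unexpected response body"

    thumb = str(body.get("CertificateThumbprint", ""))
    if not _THUMBPRINT.match(thumb):
        return False, "malformed CertificateThumbprint echo"
    if thumb.lower() != sent_thumbprint.lower():
        # The service echoes whatever certificate it saw; a mismatch means a
        # different certificate (wrong keystore, intercepting proxy) was used.
        return False, "echoed thumbprint does not match the certificate we sent"

    error_id = body.get("ErrorID", -1)
    if error_id != 0:
        return False, "ErrorID %s: %s" % (error_id, body.get("ResultMessage"))

    # ErrorID 0 means the request was accepted, not that anything was
    # necessarily added or flagged for processing.
    return True, body.get("ResultMessage", "Success")
```

Log the reason string in every non-ok case; the thumbprint mismatch in particular is the condition that would otherwise surface only as a generic "unrecognized thumbprint" ResultMessage.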
LDAP schema tab
This tab is only enabled for LDAP, LDAPS and Novell® NDS® systems. It is used to customize the schema. The
fields in this tab specify the value of core attributes as well as the name(s) of optional attributes. For example
‘objectClass’ is a core attribute with defined values that distinguish the specific directory object as group, user
or computer. Similarly with attribute naming, a group object’s member attribute may be called ‘member’
‘uniquemember’ or ‘memberUid’, first name attribute may be called ‘givenName’, etc.
Template tab
The template tab is used to save all the settings for a system as a template. Templates may be used to quickly
create new systems with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. Only TPAM Administrators and ISAs may use templates.
The table below explains all of the box options available on the Template tab.
Table 23. Systems Management: Template tab options
The table below describes the options available on the Account Discovery tab
Table 24. Systems Management: Account Discovery tab options
Affinity tab
The Affinity tab is used to assign the system to a distributed processing appliance (DPA) if DPAs are configured
to work with the TPAM appliance. Assigning the system to a DPA can help optimize performance for session
recording, session playback and password checking and changing. The affinity tab is not enabled until the
system has been saved.
The table below describes the options available on the Affinity tab.
Table 25. Systems Management: Affinity tab options
Collections tab
A collection is a group of systems, accounts and/or files. The collections tab is used to assign the system to a
collection/s. Systems can belong to more than one collection. The collections list shows all collections that
have been defined to the TPAM appliance if the user modifying the system is an administrator. If the user
modifying the system is an ISA, only the collections that the user holds the ISA role for are displayed. By
assigning the system to collections, the system automatically inherits user and group permissions that have
been assigned at the collection level.
NOTE: A system cannot belong to a collection that already contains any of its accounts or files.
Conversely, an account or file cannot be added to a collection that already contains that entity’s parent
system.
NOTE: If a collection is tied to either AD or Generic Integration the system’s membership status in that
collection cannot be changed.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
The table below explains the fields on the Results tab.
Permissions tab
The permissions tab is used to assign users and/or groups an access policy for this system.
Table 27. Access policy details pane icons
Icon Action
Refreshes list of available Access Policies.
Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.
Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.
This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the system are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over a system to be allowed to assign an access policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a system
When adding a system in TPAM, information is entered on the following tabs to configure the system:
• Details
• Template
• Connection
• Management
• Affinity
• Ticket System
• Collections
• Permissions
• Account Discovery
• LDAP Schema
The following procedure describes the required steps to add a system.
To add a system:
1 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
2 Enter information on the details information tab. For more information on this tab see Information tab.
3 Click the Custom Information tab to add custom information about this system. (Optional) For more
details see Custom information tab.
4 Click the Connection tab to configure the functional account that TPAM will use to connect to the
system. For more details see Connection tab.
5 Click the Management tab and select preferences for managing account passwords. For more details see
Management tab.
6 Click the Ticket System tab and set external ticket system requirements for submitting password release
requests. For more details see How to call the notification service. (Optional)
7 Click the LDAP Schema tab to tweak LDAP mapping attributes. For more details see LDAP schema tab.
(Optional)
8 To save this system as a template, click the Template tab and enter the requested information. For more
details see Template tab. (Optional)
9 Click the Account Discovery tab to assign an account discovery profile. (Optional) For more details see
Account discovery tab.
10 Click the Affinity tab and make DPA assignments. For more details see How to call the notification
service. (Optional)
11 Click the Collections tab and assign/remove membership. For more details see Collections tab.
(Optional)
12 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
13 Click the Save Changes button.
2 Enter the template name and a placeholder network address.
3 Change any other settings on the various tabs.
4 Click the Save Changes button.
Test a system
Once a system has been saved, to test TPAM’s connectivity to the system, click the Test System button. The
results of the test will be displayed on the Results tab.
To clear the System Host entry:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the system whose host entry is to be removed from TPAM’s known hosts file.
5 Click the Clear Sys. Host Entry button.
Duplicate a system
To ease the burden of administration and help maintain consistency, systems can be duplicated. This allows the
administrator to create new systems that are very similar to those that exist, while only having to modify a few
details. The new system inherits collection membership, permissions, affinity and ticket system settings from
the existing system.
To duplicate a system:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be duplicated.
5 Click the Duplicate button. A new system object is created and the System Details page displays. The
name of the new system is automatically DupofXXXXX.
6 Make any changes to the system configuration on the various tabs.
7 Click the Save Changes button.
Delete a system
When you delete a system from the Manage Systems listing it is “soft” deleted. This means that the system
information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in
Trash global setting in the admin interface.
NOTE: You cannot delete a system that has an active PSM session or any accounts with pending session or
password reviews.
NOTE: A soft deleted system using an inactive custom platform cannot be un-deleted until the custom
platform is made active again.
2 Click the Yes, continue with hard-delete button.
List systems
The List Systems option allows you to export the system data from TPAM to Microsoft Excel or CSV format. This
is a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
10
Custom Platforms
• Introduction
• Custom platform Details tab
• Add a conversational custom platform
• Add a jump box custom platform
• Test a custom platform
• Duplicate a custom platform
• Delete a custom platform
• Using custom platforms in TPAM
• Batch processing custom platform systems
• CLI and API commands for custom platform systems
• Jump boxes
Introduction
Custom Platforms allow you to create new platforms for managed systems which cannot be managed by existing
platforms. A custom platform allows you to customize the check system, check password, and change password
operations used to check and change passwords of managed accounts. PSM sessions are also available for custom
platforms. There are two types of custom platforms:
• Jump Box - This platform type uses an intermediary server on your network to do all communication to
the target system and returns the results to the TPAM appliance. TPAM will call a script of your choosing
on the jump box passing all parameters relevant to the operation being performed. The script must
communicate with the target system, perform the indicated action, and return the result. A jump box
can be used when platforms require the use of an API or SDK that is not supported natively by TPAM. For
details on how to configure the jump box see Jump Boxes.
• Conversational - A conversational platform is created by importing an XML file to create or update a
platform file on the appliance. The XML file describes the entire conversation with a managed system
when performing the check system, check password, or change password operations. It includes
parameters describing how the communication is done, commands issued to test a system and check or
change a password, and how to interpret the results of those commands.
Table 28. Custom Platforms: Details tab
Field | Description | Required?
Port Test | Applies to jump box custom platforms only. If selected and the assigned password change profile also has test port selected, a call will be made to the jump box script for test port. The script must return "host unreachable", "check failure", or "check success". If the assigned password change profile has the test port selected and the jump box does not, the test port call will fail. | No
Allowable Proxy Types | Proxy types selected here will display on the PSM Details tab for accounts set up on this platform type. | Yes, if PSM sessions selected.
Allowable File Transfer Types | File transfer types selected here will display on the File transfer tab for accounts set up on this platform type. | Yes, if PSM sessions selected.
IMPORTANT: For help building the XML file please contact Dell Software Professional Services.
6 Click the Compile Platform from Upload button. If successful, a Y will appear in the Success? column
when complete and the custom platform can be marked active. See example below:
If a N appears in the Success? column, click on the hyper-link to view the compilation output on the
Results tab.
NOTE: The platform file on the appliance will reflect the most recent successful compilation indicated by
Current in the Success? column.
NOTE: For help building the script please contact Dell Software Professional Services.
3 Select the custom platform to duplicate.
4 Click the Duplicate button. A new custom platform is created and the Custom Platform Details page
displays. The name of the new custom platform is automatically named Copy_of_XXXXXXX.
5 Make any changes to the custom platform configuration.
6 Click the Save Changes button.
7 For a conversational custom type platform click the Select File button to upload an XML file describing
the platform conversations.
IMPORTANT: For help building the XML file please contact Dell Software Professional Services.
8 For a conversational custom platform type click the Compile Platform from Upload button. If successful,
a Y will appear in the Success? column when complete and the custom platform can be marked active.
See example below:
If a N appears in the Success? column, click on the hyper-link to view the compilation output on the
Results tab.
When using a Filter tab in TPAM you have the option to select Custom Platform (Any) to pull all custom
platforms meeting the filter criteria or you can select a specific custom platform name.
CLI and API commands for custom platform
systems
For CLI and API commands, when passing the PlatformName parameter the platform name is indicated by
"Custom" or "Custom Platform" followed by a forward slash (/) and the custom platform name. The "Custom
Platform" must be properly quoted on the CLI command line based on the shell being used. For example, in
Windows cmd.exe the format would be as follows:
ssh -i keyFile [email protected] "AddSystem --SystemName newSystem --PlatformName \"Custom Platform/Router Jumpbox\" […other options…]"
When specifying functional account credentials using CLI, API or batch processing you can pass SPECIFIC as a
value to indicate that the account will be using a system specific key. A system specific key is required for jump
box custom platforms. Conversational custom platforms may also use the credential DSS to indicate the use of
any of the system standard keys defined on the appliance.
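Getting the nested quotes right is the usual failure point when scripting AddSystem for custom platform systems. The helper below is an added example (not Dell's tooling and not from this guide): it builds the remote command string with only the SystemName and PlatformName parameters the guide shows, reproduces the cmd.exe quoting above, and, as a generalisation beyond the guide's example, also quotes it for a POSIX shell. The function names and the user@host placeholder are the example's own.

```python
"""Quote a TPAM CLI AddSystem command for a custom platform system
(added example, not Dell's tooling)."""
import shlex


def add_system_command(system_name, custom_platform_name, extra_options=""):
    """Remote command as the TPAM CLI expects it: the platform is named as
    "Custom Platform/<name>" and must be double-quoted because of the space.
    Any further options (not covered by the guide) are passed through as-is."""
    cmd = 'AddSystem --SystemName %s --PlatformName "Custom Platform/%s"' % (
        system_name, custom_platform_name)
    if extra_options:
        cmd += " " + extra_options
    return cmd


def for_cmd_exe(remote_command):
    """Windows cmd.exe form from the guide: wrap the whole remote command in
    double quotes and escape the inner double quotes as \\" so that ssh
    forwards them to the appliance intact."""
    return '"' + remote_command.replace('"', '\\"') + '"'


def for_posix_shell(remote_command):
    """sh/bash form (generalisation): single quotes protect the inner double
    quotes, so nothing needs escaping; shlex.quote also handles the case where
    a platform name contains a single quote."""
    return shlex.quote(remote_command)


def ssh_invocation(key_file, user_at_host, remote_command, quote=for_cmd_exe):
    """Full command line; `user_at_host` is the CLI user on the appliance."""
    return "ssh -i %s %s %s" % (key_file, user_at_host, quote(remote_command))


if __name__ == "__main__":
    cmd = add_system_command("newSystem", "Router Jumpbox")
    print(ssh_invocation("keyFile", "cliuser@tpam.example", cmd))
    print(ssh_invocation("keyFile", "cliuser@tpam.example", cmd, quote=for_posix_shell))
```

Note that the quoting differs only in the outer layer; the remote command TPAM receives must be identical in both cases, which is what the two `quote` variants guarantee.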
Jump boxes
One aspect of custom platforms is the use of a jump box. A jump box can be used when platforms require the
use of an application programming interface (API) or software development kit (SDK) that is not supported
natively by TPAM. Users can call a script on the jump box from TPAM to perform platform management on
target systems. The script (or program) is responsible for requesting the information, performing the password
management task, and reporting back the status during the connection to TPAM. The data that is available for
request will be listed in each of the function sections.
Platform management can be divided into three functions: CheckSystem, CheckPassword, and ChangePassword.
Each function is described below.
Check system
The CheckSystem function is designed to determine platform connectivity using the functional account. The
table below describes the tags available for request.
Tag Description
%netaddr% Target system’s address
%funcacct% Target system’s functional account
%funcacctpwd% Target system’s functional account password
%port% Target system’s port
%timeout% Time to wait before ending the connection
%key% The DSS key used for the functional account.
NOTE: The key is sent as a string with ; representing carriage returns. The
script called should format the key output to file replacing ; with a
carriage return/new line character. This will result in a properly formatted
private key. See examples below.
%platspecificvalue% This value is associated with the Platform Specific Label box. When setting
up the custom platform in TPAM, the user can define the Platform Specific
Label. This label will display on the System Details Information tab.
%funcacctdesc% Functional account description. Currently this is used for LDAP platforms.
%domainname% Target system’s domain name
%netbiosname% Target system’s netBIOS name
%enablepwd% Target system’s enable password
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% - Return this to TPAM when the target system passes the check
Check password
The CheckPassword function is designed to determine if an account’s password is correct on the target system.
The table below describes the tags available for request.
Table 30. Jump Boxes: CheckPassword Tags
Tag Description
%netaddr% Target system’s address
%funcacct% Target system’s functional account
%funcacctpwd% Target system’s functional account password
%funcacctdn% Target system’s functional account distinguished name
%port% Target system’s port
%timeout% Time to wait before ending the connection
%key% The DSS key used for the functional account.
NOTE: The key is sent as a string with ; representing carriage returns. The
script called should format the key output to file replacing ; with a
carriage return/new line character. This will result in a properly formatted
private key. See examples below.
%platspecificvalue% This value is associated with the Platform Specific Label box. When setting
up the custom platform in TPAM, the user can define the Platform Specific
Label. This label will display on the System Details Information tab.
%funcacctdesc% Functional account description. Currently this is used for LDAP platforms.
%acctdesc% Managed account description
%acctdn% Managed account distinguished name
%domainname% Target system’s domain name
%netbiosname% Target system’s netBIOS name
%enablepwd% Target system’s enable password
%acctname% Account name to check the password on the system.
%acctpwd% Account’s password to check on the target system.
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% - Return this to TPAM when the target system passes the check
Change password
The ChangePassword function uses the functional account to connect to the target and change the target
account’s password. The table below describes the tags available for request.
Table 31. Jump Boxes: ChangePassword Tags
Tag Description
%netaddr% Target system’s address
%funcacct% Target system’s functional account
%funcacctpwd% Target system’s functional account password
%port% Target system’s port
%timeout% Time to wait before ending the connection
%key% The DSS key used for the functional account.
NOTE: The key is sent as a string with ; representing carriage returns. The
script called should format the key output to file replacing ; with a
carriage return/new line character. This will result in a properly formatted
private key. See examples below.
%platspecificvalue% This value is associated with the Platform Specific Label box. When setting
up the custom platform in TPAM, the user can define the Platform Specific
Label. This label will display on the System Details Information tab.
%funcacctdesc% Functional account description. Currently this is used for LDAP platforms.
%acctdesc% Managed account description
%domainname% Target system’s domain name
%netbiosname% Target system’s netBIOS name
%enablepassword% Target system’s enable password
%acctname% Account name to check the password on the system.
%oldacctpwd% Account’s current password on the target system.
%newacctpwd% Account’s password to be changed to on the target system.
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %change failure% - Return this to TPAM when the target system fails the check
• %change success% - Return this to TPAM when the target system passes the check
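The three jump box functions above share one contract: request tags in, the functional account's DSS key delivered as a single `;`-separated string, and exactly one of the documented return tags out (with `%check ...%` for CheckSystem and CheckPassword but `%change ...%` for ChangePassword). The skeleton below is an added example, not Dell's code and not a script shipped with TPAM. Two things it assumes are not stated in the guide: that TPAM substitutes each %tag% value into the script's command line as a `--<tagname> <value>` argument, and that the script reports its result by printing a single return tag on stdout. The `platform_login` placeholder is hypothetical; it stands for the vendor API or SDK call the jump box exists for.

```python
"""Skeleton for a TPAM jump box script (added example, not Dell's code).

Assumptions not in the guide: each %tag% arrives as "--<tag> <value>" on the
command line, and the result is reported by printing one return tag.
"""
import argparse
import os
import socket
import tempfile

# Return tags from the guide. Only the last two differ between the check
# functions and ChangePassword; mixing them up makes TPAM misread the result.
_CHECK = {"unreachable": "%host unreachable%", "noacct": "%account does not exist%",
          "fail": "%check failure%", "ok": "%check success%"}
_CHANGE = {"unreachable": "%host unreachable%", "noacct": "%account does not exist%",
           "fail": "%change failure%", "ok": "%change success%"}
RETURN_TAGS = {"CheckSystem": _CHECK, "CheckPassword": _CHECK, "ChangePassword": _CHANGE}


def format_dss_key(key_string):
    """TPAM sends the functional account's DSS key as one string with ';' in
    place of each line break; restore the newlines so the key parses."""
    lines = [part for part in key_string.split(";") if part != ""]
    return "\n".join(lines) + "\n"


def write_key_file(key_string, directory=None):
    """Write the reformatted key to a file only this user can read (mkstemp
    creates it with mode 0600) and return its path; the caller deletes it."""
    fd, path = tempfile.mkstemp(prefix="tpam-key-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(format_dss_key(key_string))
    return path


def host_reachable(netaddr, port, timeout):
    """TCP pre-check so an unreachable target becomes %host unreachable%
    rather than a stack trace or a script that hangs past TPAM's timeout."""
    try:
        with socket.create_connection((netaddr, int(port)), timeout=float(timeout)):
            return True
    except OSError:
        return False


def result_tag(function, outcome):
    return RETURN_TAGS[function][outcome]


def run(function, netaddr, port, timeout, key, login):
    """Drive one operation. `login(key_path)` is the platform-specific part
    and returns 'ok', 'fail' or 'noacct'; any exception it raises is reported
    as a failure so TPAM always receives a recognised tag."""
    if not host_reachable(netaddr, port, timeout):
        return result_tag(function, "unreachable")
    key_path = write_key_file(key)
    try:
        outcome = login(key_path)
    except Exception:
        outcome = "fail"
    finally:
        os.unlink(key_path)  # never leave the functional account's key on disk
    return result_tag(function, outcome)


def platform_login(args, key_path):
    """Hypothetical placeholder: replace with the vendor API/SDK call that
    authenticates as args.funcacct with the key at key_path and performs
    the requested function (args.function)."""
    raise NotImplementedError("platform-specific login not implemented")


def main(argv=None):
    p = argparse.ArgumentParser(description="TPAM jump box script skeleton")
    p.add_argument("--function", choices=sorted(RETURN_TAGS), required=True)
    for tag in ("netaddr", "port", "timeout", "funcacct", "key"):
        p.add_argument("--" + tag, required=True)
    for tag in ("acctname", "acctpwd", "oldacctpwd", "newacctpwd", "platspecificvalue"):
        p.add_argument("--" + tag)  # only present for the relevant functions
    a = p.parse_args(argv)
    print(run(a.function, a.netaddr, a.port, a.timeout, a.key,
              lambda key_path: platform_login(a, key_path)))


if __name__ == "__main__":
    main()
```

The two design choices worth keeping whatever platform the script targets: the key is written with owner-only permissions and removed in a `finally` block, and every code path ends in one of the tags TPAM recognises, including unexpected exceptions from the vendor SDK.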
Table 32. Jump Boxes: Details tab
Delete a jump box
A jump box can only be deleted if there are no custom platforms dependent on the jump box. To see a list of
dependent platforms click the Dependent Platforms tab.
11
Collections
• Introduction
• Add a collection
• Duplicate a collection
• Delete a collection
• List collections
Introduction
Collections are groups of systems, accounts and/or files. Collections can be used to simplify the process of
assigning permissions.
To add and manage collections, information is entered on the following tabs in the TPAM interface:
Details tab
Members tab
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this collection.
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the
selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.
Icon Action
Refreshes list of available Access Policies.
Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.
Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.
This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the account are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Affinity tab
The Affinity tab is used to assign the collection to a distributed processing appliance (DPA) if DPAs are
configured to work with the TPAM appliance. Assigning the collection to a DPA can help optimize performance
for session recording and session playback. The Affinity tab is not enabled until the Collection has been saved.
The table below describes the options available on the Affinity tab.
Add a collection
When adding a collection in TPAM, information is entered on the following tabs to configure the collection:
• Details
• Members
• Permissions
• Affinity
The following procedure describes the required steps to add a collection.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Click the Members tab.
4 Enter your search criteria on the Filter tab.
5 Click the Results tab to assign/remove members from the collection. For more details see Members tab.
NOTE: A system cannot be in the same collection as any of its accounts or files and vice versa.
NOTE: A collection used by either AD or Generic Integration cannot have its membership changed
here. The current member status is displayed, but all buttons in the list are disabled.
TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the
Ctrl key when clicking on any button.
6 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
7 Click the Save Changes button.
8 Click the Affinity tab and make DPA assignments. (Optional) For more details see Affinity tab.
9 Click the Save Changes button.
Duplicate a collection
To ease the burden of administration and help maintain consistency, collections can be duplicated. This allows
the administrator to create new collections that are very similar to those that exist, while only having to modify
a few details. The new collection inherits membership, permissions and affinity settings from the existing
collection.
To duplicate a collection:
1 Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the collection to be duplicated.
5 Click the Duplicate button. A new collection is created and the Collection Details page displays. The
name of the new collection is automatically DupofXXXXX.
6 Make any changes to the collection on the various tabs.
7 Click the Save Changes button.
Delete a collection
To delete a collection:
1 Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the collection to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
List collections
The List Collections option allows you to export the collection data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline work sheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.
TIP: Enter ! in the System, Account and File name filters to find empty collections.
12
Accounts
• Introduction
• Add an account
• Duplicate an account
• Delete an account
• Retrieve a password
• List accounts
• List PSM accounts
• Password current status
• Manual password management
• Password management
• Managing services in a Windows® domain environment
• Add generic account to TPAM for PSM sessions to a user specified Windows account
Introduction
This chapter covers the steps to add and manage accounts in TPAM. To add and manage accounts, information is
entered on the following tabs in the TPAM interface:
Information tab
The table below explains all of the box options available on the details information tab.
Table 39. Account Management: Details information tab options
Reviews tab
The table below explains all of the options available on the Reviews tab.
Table 40. Account Management: Review tab options
There are six fields that can be customized to track information about each account. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.
Management tab
The Management tab is used to configure how TPAM manages the passwords for this account. This tab is not
enabled unless Automatic or Manual is selected on the Details Information tab. The settings here will default
from the system settings but can be overridden.
The table below explains the options on the Management Details tab.
Table 41. Account Management: Details Management tab options
Table 42. Account Management: Details Ticket System tab options
Logs tab
The Logs tab contains three sub-tabs that provide detailed password history for the account. The log data is
displayed in the user’s time zone. The following table explains the sub-tabs.
Table 43. Account Management: Logs tab sub-tabs
Tab                   Description
Filter                Used to specify your search criteria for any of the other log tabs.
Change Log            Provides details on password change history.
Test Log              Provides details on password test activity.
Release Log           Provides details on password release history.
Dependent Change Log  Only visible if the account resides on a Windows® Domain Controller with dependent systems assigned. Provides details on changes of the domain account.
Change Agent Log      Provides details on change agent log records for the account that have occurred after a 2.3+ TPAM upgrade.
Collections tab
A collection is a group of systems, accounts and/or files. The Collections tab is used to assign the account to
one or more collections. Accounts can belong to more than one collection. The collections list shows all
collections that have been defined in the TPAM appliance if the user modifying the account is an administrator.
If the user modifying the account is an ISA, only the collections for which the user holds the ISA role are
displayed. By assigning the account to collections, the account automatically inherits user and group
permissions that have been assigned at the collection level.
NOTE: An account cannot belong to the same collection as its parent system, or vice versa.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this account.
To assign Access Policies:
1 Use the table on the left of the page to select the names of the users and/or groups to which the
selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.
Icon Action
Refreshes list of available Access Policies.
Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.
Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.
This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the account are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
NOTE: PSM sessions to Windows® machines using an RDP proxy connection type can be configured on the
Windows® machine to use SSL/TLS security for RDP connections. Note that the computer name set in
TPAM for the system may need to be uppercase for the connections to succeed.
General tab
Table 46. Account Management: PSM General tab options
Session Authentication tab
The following table explains the options on this tab. The option selected on the Session Authentication tab
determines how the authentication credential is stored.
Table 47. Account Management: PSM Details Session Authentication tab options
File Transfer tab
Table 48. Account Management: PSM Details File Transfer tab options
Review Requirements
Table 49. Account Management: PSM Details Review Requirements tab options
Add an account
When adding an account in TPAM, information is entered on the following tabs to configure the account:
• Details - Information, Reviews, Custom Information, Management, Ticket System
• Dependents
• Collections
• Permissions
• PSM Details - General, Session Authentication, File Transfer, Review Requirements
The following procedure describes the required steps to add an account.
5 Click the Details tab. Enter information on the Details tab. For more information on this tab see
Information tab.
6 Click the Reviews sub-tab to configure review requirements for password releases. For more information
on this tab see the Reviews tab. (Optional)
7 Click the Custom Information sub-tab to enter custom information for the account. For more
information on this tab see Custom Information tab. (Optional)
8 Click the Management sub-tab and select preferences for managing account passwords. For more details
see Management tab.
9 Click the Ticket System sub-tab and set external ticket system requirements for submitting password
release requests. For more details see Ticket System tab. (Optional)
10 Click the PSM Details tab to enable/disable PSM sessions. For more information see PSM Details tab.
(Optional)
11 Click the Session Authentication sub-tab to select the session authentication method. For more information
see Session Authentication tab. (Optional)
12 Click the File Transfer sub-tab to enable file transfers during sessions. For more information see File
Transfer tab. (Optional)
13 Click the Review Requirements sub-tab to set review requirements for sessions. For more information
see Review Requirements. (Optional)
14 Click the Save Changes button.
15 Click the Dependents tab to assign/remove dependents to Windows Active Directory® systems. For more
details see Dependents tab (Windows® AD only). (Optional)
16 Click the Collections tab and assign/remove membership. (Optional) For more information on this tab
see Collections tab.
17 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
18 Click the Save Changes button.
Duplicate an account
To ease the burden of administration and help maintain consistency, accounts can be duplicated. This allows the
administrator to create new accounts that are very similar to those that exist, while only having to modify a few
details. The new account inherits password management, review, ticket system, and PSM details settings from
the existing account. Collections and permissions assignments are not inherited.
To duplicate an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be duplicated.
5 Click the Duplicate button. A new account object is created and the Details tab displays.
6 Enter the Account Name.
7 Make any changes to the account configuration on the various tabs. Click the Collections tab and assign
membership. (Optional)
8 Click the Permissions tab and assign access policies. (Optional)
9 Click the Save Changes button.
Delete an account
When you delete an account from the Manage Accounts listing it is “soft” deleted. This means that the account
information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in
Trash global setting in the /admin interface.
IMPORTANT: The only way to delete a functional account is to delete the system.
NOTE: You cannot delete an account that has an active PSM session.
4 Select the account to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
To view “soft” deleted accounts go to Systems, Accounts, & Collections | Accounts | Deleted Accounts on the
main menu.
TPAM allows you to undo a soft deletion prior to the Days in Trash global setting taking effect.
Retrieve a password
A user with PPM ISA permission over an account can retrieve a password.
To retrieve a password:
1 Select Retrieve | Retrieve Password from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account.
5 Click the Passwords tab.
6 Complete the following fields:
Table 50. Password tab fields
7 Click the Password tab. The password is displayed for 20 seconds, after which the ISA must click the
Password tab again to view the password.
List accounts
The List Accounts option allows you to export the account data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline worksheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
9 Take the new password that PPM has generated, in this example, rHH1omoG1, and set it to this on the
remote system.
10 If the password update on the remote system was successful, click the Update Successful button. If the
password could not be reset on the remote system, click the Update Failed button. PPM will discard
the new password and roll back to the previously stored password.
Password management
Password Management allows TPAM Administrators and PPM ISAs to do a “mass” forced reset of account
passwords that are auto-managed. If manually managed passwords are scheduled for reset, the automatic email
notification is sent to the system contact to manually reset the password.
NOTE: If the account is a synchronized password subscriber, it cannot be reset from this window.
This window also gives you a central location to view the current password status for all passwords.
To perform a mass password reset:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 To select all passwords returned on the Listing tab for reset, select the All check box in the column
header. To select more than one, but not all, select the check box in the Select for Scheduling column
for the passwords to be reset.
4 Select an account.
5 Click the Logs tab.
6 Enter your search criteria on the Filter tab.
7 Click the Change Log, Test Log, Release Log, Dependent Change Log, or Change Agent Log to view the
specific history.
NOTE: Dependent systems will always have the passwords for Windows Services and Scheduled Tasks
changed regardless of whether the check boxes are selected on the Account Details Information tab.
8 Select the Dependent button for systems with dependencies on the domain level account.
9 Click the Save Changes button.
When the password for the managed domain account (i.e. Administrator) is changed, PPM enumerates the
services on each selected dependent system and changes the password for all services being run by the domain
account.
In the example used in the figures above, ‘Administrator’ is a domain account, specified on a domain controller
called Saturn. The system Jupiter is defined as a dependent system to this account, indicating that services are
running on Jupiter using the domain Administrator account. When the password for ‘Administrator’ is changed
by PPM, each system defined as dependent, such as Jupiter, has the password changed for any service using the
domain Administrator password.
11 Select RDP- Interactive Login as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign
Requestor permissions to the appropriate TPAM users.
How it works
A TPAM user requests a session using the :prompt: account on the target system. When the PSM session is
initiated, the user is prompted to enter the Windows account name and password.
After the account name and password are entered, the RDP session is connected as desired.
NOTE: If performing file transfer, credentials must be specified at file transfer time.
13 Using Quest Authentication Services with TPAM
• Introduction
• Configure QAS integration
• How it works
Introduction
Quest Authentication Services (QAS) is patented technology that empowers non-Windows® systems to become
members of Active Directory® (AD) for centralized authentication. The ability for Linux®, UNIX® and Mac®
systems to join the Active Directory® domain provides the benefit of central control over which an AD user is
permitted to authenticate to which non-Windows® system.
TPAM is able to leverage QAS with UNIX®, Linux®, and Mac® systems to allow for Active Directory® functional
accounts on UNIX®, Linux®, and Mac® systems. TPAM also allows a currently logged on user to request a session
using its currently logged on username through a special account, defined in TPAM for each system, called
:myaccount:. This is beneficial because many implementations use Active Directory® as the primary
authentication source and grant permissions through this integration. A user may request access to a
system using their own username and password by requesting a session with the account :myaccount:. The user
then proxies access to the system through TPAM using their own credentials, without having to store additional
information on each defined system in TPAM for that user.
9 Click the PSM Details tab.
10 Select the Enable PSM Sessions check box.
11 Select one of the "interactive" proxy types as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign
Requestor permissions to the appropriate TPAM users.
How it works
A TPAM user requests a session using :myaccount: on the target system. In this example the TPAM user ID of the
requestor is testuser.
The user requests a session.
When the PSM session is initiated the account of the user is sent to the target system as the TPAM user ID and
they must provide the domain password for authentication. The domain password is then sent to QAS for
authentication.
14 TPAM Account Discovery
• Introduction
• Configure account discovery
• Account discovery profiles
• Add an account discovery profile
• Delete an account discovery profile
• Assign an account discovery profile to a system/system template
• Combine account discovery with auto discovery
Introduction
For Windows®, *nix, and database systems, account discovery can be configured in TPAM. Configuration allows
these accounts to be added or removed from TPAM as they are discovered or removed from the remote system.
Administrators can also opt to just have email notifications sent when these accounts are discovered/removed.
2 Add an account to the system template. Select Accounts | Add Account from the menu. Filter for the
system template you just created. Select the template from the System tab and click the Details tab.
Configure the account and click the Save Changes button.
When creating the account discovery profile you will select this account to be the template account.
The template account is what is used to add accounts during account discovery. The accounts added will
be set up with the same permissions, collection membership, etc. as the account on this template. For
more information on system templates see Add a system template and Add an account.
NOTE: For a disabled account that is newly discovered, if the Enable Account Before Release check box
is selected on the template used in account discovery the account WILL be brought into TPAM. If the
Enable Account Before Release check box is clear on the template the disabled account will not be
brought into TPAM.
NOTE: For a disabled account that exists in TPAM, and the Enable Account Before Release check box is
selected on the template used in account discovery, the account WILL NOT be considered deleted. For a
disabled account that exists in TPAM, and the Enable Account Before Release check box is clear on the
template used in account discovery, the account WILL be considered deleted.
3 Create an account discovery profile. For more information on how to create an account discovery profile
see Account discovery profiles.
4 Assign the account discovery profile to the system and click the Save Changes button. Click the Test
Account Discovery button to see what accounts are found.
5 If desired, click the Run Discovery Profile button to have the profile run immediately instead of waiting
for the next scheduled run. A maximum of 5,000 accounts can be discovered this way. (Optional)
Accounts will display on the Discovered Accounts tab if the Delete Account Action or New Account
Action setting is set to Notify via Email on the account discovery profile. If accounts are discovered,
select from the following options:
• Add Account - If selected, the account will be added to the system using the indicated template
account.
• Turn Off Auto - Accounts with this option have been deleted from the target system, but are still
set up as a managed account in TPAM. If Turn Off Auto is selected, the password management
setting for this account will be set to None.
• Add to Exclude - If selected, the account will be added to the system’s exclude list. The account
will be ignored during auto discovery processing.
After making selections click the Process Selected Actions button to execute the selections.
Clicking the Clear All Staged Accounts button clears out all staged account rows for this system without
processing them.
Clicking the Refresh Current List button refreshes the list with whatever filter applies.
6 Confirm with the System Administrator that the Account Discovery agent has been enabled in the admin
interface.
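The discovery rules above (Add Account, Turn Off Auto, the system's exclude list and the two Enable Account Before Release notes) modelled as one reconciliation step over constructed sample data. This is an added example, not TPAM's own code; the names, the data layout and the treatment of excluded names on the delete side are assumptions.

```python
"""Reconciliation model for TPAM-style account discovery.

Added example (not TPAM code): it combines the rules the guide states for a
discovery run, namely new accounts, accounts no longer on the target, the
system's exclude list, and the Enable Account Before Release handling of
disabled accounts. Names, the data layout and the exclude-list handling on
the delete side are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class RemoteAccount:
    """An account as reported by the target system."""
    name: str
    disabled: bool = False


@dataclass
class ManagedAccount:
    """An account already defined in TPAM for the system."""
    name: str
    password_management: str = "Automatic"  # Automatic, Manual or None


@dataclass
class StagedActions:
    """What a Notify via Email profile would show on the Discovered Accounts tab."""
    add_account: List[str] = field(default_factory=list)    # "Add Account" rows
    turn_off_auto: List[str] = field(default_factory=list)  # "Turn Off Auto" rows
    ignored: List[str] = field(default_factory=list)        # excluded or not eligible


def present_names(remote: List[RemoteAccount], enable_before_release: bool) -> Set[str]:
    """Names the run treats as present on the target.

    The guide's two NOTEs reduce to one rule: a disabled account counts as
    present only when Enable Account Before Release is selected on the template
    account. With the box clear, a new disabled account is not brought in and
    an existing disabled account is considered deleted.
    """
    return {a.name for a in remote if enable_before_release or not a.disabled}


def reconcile(remote: List[RemoteAccount], managed: Dict[str, ManagedAccount],
              exclude: Set[str], enable_before_release: bool) -> StagedActions:
    """Compare the target's accounts with TPAM's and stage the resulting actions."""
    staged = StagedActions()
    present = present_names(remote, enable_before_release)
    for acct in remote:
        if acct.name in exclude:
            staged.ignored.append(acct.name)       # exclude list: skipped entirely
        elif acct.name in managed:
            continue                               # already in TPAM, nothing to stage
        elif acct.name in present:
            staged.add_account.append(acct.name)
        else:
            staged.ignored.append(acct.name)       # disabled and box clear: not brought in
    for name in managed:
        if name in exclude:
            continue  # assumption: an excluded name is never staged for deletion either
        if name not in present:
            staged.turn_off_auto.append(name)      # gone from target, or disabled with box clear
    return staged


def process_turn_off_auto(managed: Dict[str, ManagedAccount], names: List[str]) -> None:
    """'Turn Off Auto': the account stays in TPAM, password management becomes None."""
    for name in names:
        managed[name].password_management = "None"


# Constructed sample data, not taken from any real system.
SAMPLE_REMOTE = [
    RemoteAccount("svc_backup"),
    RemoteAccount("oldadmin", disabled=True),
    RemoteAccount("guest"),
    RemoteAccount("dbreader"),
    RemoteAccount("tmp_vendor", disabled=True),
]
SAMPLE_EXCLUDE = {"guest"}


def sample_managed() -> Dict[str, ManagedAccount]:
    return {n: ManagedAccount(n) for n in ("dbreader", "oldadmin", "retired_svc")}


def run_sample(enable_before_release: bool) -> StagedActions:
    return reconcile(SAMPLE_REMOTE, sample_managed(), SAMPLE_EXCLUDE, enable_before_release)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"Enable Account Before Release={flag}: {run_sample(flag)}")
```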
The table below explains the options on the Account Discovery profile page.
Table 51. Account Discovery profile page options
Add an account discovery profile
IMPORTANT: An account discovery profile cannot be added unless at least one system template has been
added to TPAM.
8 Select the various detail options available. For more information on how these are configured see the
table in the Account discovery profiles section.
9 To add another detail row repeat steps 7 and 8.
10 Click the Save Changes button.
2 Select Account Discovery as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: An account discovery profile can only be deleted if it is not assigned to any systems.
15 Files
• Introduction
• Add a file
• Duplicate a file
• Review file history
• Delete a file
• Retrieve a file
• List files
Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.
To add and manage files, information is entered on the following tabs in the TPAM interface:
Details tab
The Details tab is where you upload the file to TPAM and set approval requirements.
The table below explains all of the options available on the File Details tab.
Table 53. Files Management: Details tab options
Logs tab
The Logs tab for stored files shows the activity associated with accessing the file.
Field            Description
Request ID       Request ID for the file request.
User Name        User ID of the requestor.
User Full Name   Full name of the requestor.
Release Date     Date and time that the file was retrieved.
Release Type     Indicates whether the file was retrieved by a requestor or an ISA.

Field            Description
Actual Filename  The name of the file that was stored on TPAM.
Stored Date      The date the file was uploaded to TPAM.
Replaced Date    The date the file was replaced with another file.
Filesize         Size of the file in bytes.
The following table explains the options on this tab.
Collections tab
A collection is a group of systems, accounts and/or files. The Collections tab is used to assign the file to
one or more collections. Files can belong to more than one collection. The collections list shows all
collections that have been defined in the TPAM appliance if the user modifying the file is an administrator.
If the user modifying the file is an ISA, only the collections for which the user holds the ISA role are
displayed. By assigning the file to collections, the file automatically inherits user and group permissions
that have been assigned at the collection level.
NOTE: A file cannot belong to the same collection as its parent system, or vice versa.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
Table 58. Files Management: Collections Results tab options
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this file.
Table 59. Access Policy Details pane icons
Icon Action
Refreshes list of available Access Policies.
Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.
Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.
This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the file are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a file
When adding a file in TPAM, information is entered on the following tabs to configure the file:
• Details - File name, Approvals required
• Ticket System
• Collections
• Permissions
The following procedure describes the required steps to add a file.
8 Click the Collections tab and assign/remove membership. (Optional) For more information on this tab
see Collections tab.
9 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
10 Click the Save Changes button.
Duplicate a file
To ease the burden of administration and help maintain consistency, files can be duplicated. This allows the
administrator to create new files that are very similar to those that exist, while only having to modify a few
details. The new file inherits approval requirements, ticket system settings, collection and permission
assignments from the existing file.
To duplicate a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file to be duplicated.
5 Click the Duplicate button. A new file object is created and the Details tab displays.
6 Enter the file name.
7 Upload the file.
8 Make any other additional changes on the Details and Ticket System tabs. (Optional)
9 Click the Save Changes button.
10 Click the Collections tab and assign membership. (Optional)
11 Click the Permissions tab and assign access policies. (Optional)
12 Click the Save Changes button.
Delete a file
To delete a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
Retrieve a file
A user with ISA permission over a file can retrieve it.
To retrieve a file:
1 Select Retrieve | Retrieve File from the menu.
2 Select the file to retrieve.
3 Click the Current File tab.
4 Complete the following fields:
List files
The List Files option allows you to export the file data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline worksheet.
To list files:
1 Select Systems, Accounts, & Collections | Files | List Files from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for the file, select the file and click the Collections tab.
7 To view the permissions assigned to the file, select the file and click the Permissions tab.
16 Auto Discovery - LDAP Integration
• Introduction
• Source tab
• Add an LDAP data source
• Add user/system template
• Delete an LDAP system/user mapping
• Discover accounts on auto discovered systems
Introduction
TPAM can be configured to integrate with LDAP, LDAPS, Novell® NDS and Windows Active Directory® to
automatically detect, enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the LDAP data source as a system in TPAM
• Add templates for the systems and/or users you want to import
• Set up the LDAP Directory Mapping
• Confirm that the Auto Discovery Agent is running
Source tab
The table below explains all of the options available on the LDAP Source tab. The field names and collision
strategy questions and answers will differ based on whether you are mapping systems or users.
TIP: Hover your mouse over the buttons on this page for descriptions of how each button functions. Click
the help buttons for more details on the Filter and Template Name fields.
Table 62. LDAP Directory Mapping: Source tab options
2 Click the Connection tab to configure the details for the functional account, distinguished name and
other communication options.
NOTE: When setting up a Windows Active Directory® domain controller for LDAP integration TPAM
relies on the domain name to leverage Active Directory’s built in fail over capabilities. TPAM must
be able to resolve the domain name, either via DNS or by adding a mapping in the hosts file. See
the System Administrator manual.
3 Click the LDAP Schema tab. This tab is pre-populated with well-known attributes; changes to the
mappings can be made here. (Optional)
Add an LDAP user/system mapping
To add an LDAP User/System Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Click the Add Systems or Add Users button.
3 Complete the information on the Source tab.
1 Select the LDAP Directory.
2 Enter the TPAM Group/Collection name.
3 Click the Plus button to add a Distinguished Name and Filter (optional). Click the check box
button to validate the DN and the filter. Repeat as needed to add more filters. The validate
button will either return the number of discovered entities or an error.
NOTE: During auto discovery the query will be executed in the order that the filters are
listed. This order can be changed by using the arrow buttons on the left of the Filters
listing.
Delete an LDAP system/user mapping
To delete an LDAP System/User Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the mapping to delete.
5 Click the Delete button.
When the mapping is deleted, the associations of the systems/users with that mapping are removed.
17 Auto Discovery - Generic Integration
• Introduction
• Source tab
• System tab
• User tab
• Add a generic system mapping
• Add a generic user mapping
• Delete a generic system/user mapping
Introduction
TPAM can be configured to integrate with MySQL®, Oracle®, SQL Server® and Sybase® to automatically detect,
enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the database server as a system in TPAM
• Create templates for the systems and/or users you want to import
• Set up the Generic Directory Mapping
• Confirm that the Auto Discovery Agent is running
Source tab
Table 64. Generic Auto Discovery Mappings: Source tab options
System tab
The table below explains all of the options available on the Generic Auto Discovery System tab. Clicking on the
Edit Template button will take you to the system template page to make your changes.
Table 65. Generic Auto Discovery Mappings: System tab options
User tab
The table below explains all of the options available on the Generic User tab. Clicking on the Edit Template
button will take you to the user template page to make your changes.
Table 66. Generic Auto Discovery Mappings: User tab options
8 Click the Save Changes button.
9 Click the Test SQL button to retrieve the source column set.
10 Map the source columns to the TPAM target columns.
11 Click the Save Changes button.
12 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin
interface.
18
Application Password Virtual Cache
• Introduction
• Importing the virtual cache
• Boot the cache
• Configure network settings
• Enable remote access
• Change setup password
• Define remote IP address restrictions
• Prepare the cache for enrollment
• Add the cache in the TPAM interface
• Add cache users
• Add cache client hosts
• Add cache trusted root certificates
• Add the cache server
• Cache server permissions
• Cache current status
• Create a cache team
• Remove a cache team member
• Alerts for the cache appliance
• Delete a cache
• List cache server permissions
• Cache logs
• Usage examples
Introduction
The Password Virtual Cache is an add-on product designed to provide additional performance capability and
support distributed architecture deployment for TPAM. It provides extremely fast, concurrent password
retrieval to support high demand application-to-application (A2A) requirements. To support this, the data stored
on the cache(s) must be current. The following gives a very high level overview of how this is accomplished.
As cache provisioning data (such as users, accounts, hosts, and permissions) is set up within TPAM, the relevant
data is pushed by TPAM to the virtual cache via secure connection. Passwords that are cached on the virtual
cache need to be updated whenever TPAM changes the account passwords. This is accomplished by pushing the
new password to the cache as soon as the password is successfully changed on the device and stored within
TPAM. The password is updated on the cache within a few seconds of being changed and stored within TPAM.
All updates are pushed from TPAM to the necessary cache(s). The cache does not pull any data from TPAM. If a
cache is restarted for any reason, during the cache initialization a message will be sent to TPAM requesting that
all data for that cache be sent to it again. TPAM will then push the required data to the cache.
Retrieval of passwords from the cache is via secure web service using certificate authentication. Using this
technology makes access possible from clients written in numerous programming languages. Client
authentication is described and programming examples are provided later in this document.
To get the cache up and running you must perform the following steps:
• Import the cache file
• Boot the virtual cache
• Configure the network settings
• Enable remote access (Optional)
• Define remote access IP restrictions (Optional)
• Prepare the cache for enrollment
• Add the cache to the TPAM interface
• Test the connection between TPAM and the cache.
Configure network settings
1 Enter 4 and press the ENTER key to configure the network settings.
3 Enter the IP Address for eth0 as prompted and press the ENTER key
4 Enter the Network Mask for eth0 as prompted and press the ENTER key.
5 Enter the Gateway for eth0 as prompted and press the ENTER key.
6 Enter Y and press the ENTER key to save your changes.
7 From the Manage Network Settings menu, enter 1 and press the ENTER key to display the new running
values.
8 If a different network address is required/desired for application access to the cache, enter 3 and press
the ENTER key.
9 Repeat steps 3-6 for eth1.
10 Press the ENTER key to return to the manage network settings menu.
11 Enter 4 and press the ENTER key to modify the DNS settings.
12 Enter the DNS IP and press the ENTER key.
13 Enter the Secondary DNS IP and press the ENTER key. (Optional)
14 Enter the DNS Domain and press the ENTER key. (Optional)
15 Enter Y and press the ENTER key to save your changes.
16 Press the ENTER key to return to the manage network settings menu.
17 Enter Q and press the ENTER key to return to the main menu.
4 Enter the current password and press the ENTER key.
5 Enter the new password and press the ENTER key.
To configure restrictions:
1 From the main cache menu, enter 5 and press the ENTER key.
To prepare for enrollment:
1 From the main menu, enter 3 and press the ENTER key.
2 When prompted, enter the IP address of the TPAM primary or standalone device, and press the ENTER
key.
3 Enter the IP address(es) of the replica(s), if applicable, and press the ENTER key.
4 Enter E and press the ENTER key to enroll the cache.
5 Enter Y and press the ENTER key.
6 Copy the key that is presented. You will need to enter this key in procedure below.
supplied by the customer. Each certificate is associated with a user type of Cache User in TPAM. Use one
of the following methods to select certificate type:
• Select User-Supplied. Click the Select File button. Click the Browse button and select the file.
Click the Upload button. When uploading a user-supplied certificate, you can upload a
PKCS12/PFX file (a password is typically associated with this type of file since it contains a
private key) or a PEM-encoded text file (password not required). Additionally, when using a
user-supplied certificate, a trusted root certificate that can establish trust in the user certificate must
be uploaded to TPAM and assigned to the Cache(s) from which the user will request passwords.
This is needed so that applications requesting passwords using this user-supplied certificate can
be authenticated by the Cache. See Add cache trusted root certificates.
• Select Created by TPAM. Click the Download TPAM Root Certificate button to generate the
certificate. The generated user certificate must be downloaded and used by applications
requesting passwords from the Cache.
5 Enter and confirm the Password. The password is not required if uploading a PEM encoded text file.
6 Click the Save Changes button.
3 Enter a name for the certificate.
4 Enter a description for the certificate. (Optional)
5 Use one of the following methods to select the certificate source:
• Select Upload certificate file. Click the Select File button. Click the Browse button and select
the file. Click the Upload button.
• Select Enter Certificate. Paste the certificate in the text area.
6 Click the Save Changes button.
Details tab
The table below explains the fields available when adding a cache server in the TPAM interface.
Table 68. Cache Server Management: TPAM interface fields
WSDL tab
On the WSDL (Web Services Description Language) tab, developers can find the XML they need when
programming the interface to the cache server.
Accounts tab
The table below explains all of the options available on the Accounts tab:
Field          Description
System Name    The system name.
Account Name   The account name.
Sys Auto?      Indicates whether the system is auto-managed by TPAM (Y) or not managed (N).
Acct Auto?     Indicates whether the account is auto-managed by TPAM (Y), manually managed (M), not
               managed (N), or a member of a synchronized password (S).
Assigned?      If selected, the account is assigned to this cache server. Pressing the Ctrl key and selecting
               one row will select or clear all check boxes in the column.
Enabled?       If selected, the password for this account can be retrieved from the cache server. Pressing
               the Ctrl key and selecting one row will select or clear all check boxes in the column.
By default TPAM generates its own root certificate that can be assigned to the cache server. You also have the
option to upload your root certificates that can be assigned to the cache server. To add your certificates see Add
cache trusted root certificates. Select the Assigned box to assign the certificate to the cache server and then
click the Save Changes button.
Users tab
The Users tab is where you configure the users that can access the cache server. Select the Assigned? box next
to the users for this cache server and click the Save Changes button.
Hosts tab
Any hosts that you have configured in TPAM are listed on the Hosts tab. See Add cache client hosts to configure
cache client hosts. Select the Assigned? check box next to each host you want to be able to access this cache
server and click the Save Changes button.
The cache server permissions page is where you configure the combination of accounts, users and hosts to
specify who can access what on a specific cache server.
IMPORTANT: This page will accommodate a maximum of 512 possible permissions (#users * #accounts *
#hosts) before forcing you to use Update Cache Server Permissions under the Batch Processing menu.
To add permissions:
1 Select Management | Cache Servers | Manage CS Permissions from the menu.
2 Select the cache server from the list.
3 Using the mouse, select the combination of accounts, users, and hosts that you want to configure for the
cache server.
4 Click the Add Items button to add the selections to the list.
5 To remove any combinations on the list select the Select? check box and click the Remove Selected
button.
6 After you are finished adding and removing entries to the list click the Save Changes button.
TIP: You can use Shift-Click and Ctrl-Click mouse gestures to select more than one item on each list. Then
when you click Add Items it adds all combinations of the selected items to the list.
8 Select the cache server you want to add to the team. This cache will act as a mirror image of the first
team member.
9 Click the Details tab.
10 If selected, clear the Enabled check box.
11 Click the Save Changes button.
12 Enter the same exact team name from Step 5 in the HA Team Name box. This box will only appear for
enrolled cache servers.
13 Click the Save Changes button.
14 Select the Enabled check box.
15 Click the Save Changes button.
16 Repeat steps 8-15 to add additional team members.
In addition to the alerts above, these alerts can also be generated by the cache server (% shows variable data):
"Alert from Password Cache Appliance: Communication with TPAM restored. AlertDate: %"
"Alert from Password Cache Appliance: Communication with TPAM has failed. AlertDate: %"
"Alert from Password Cache Appliance: The Password Cache(%) at % is shutting down because there has been no communication to/from TPAM for over % minutes AlertDate: %"
"Alert from Password Cache Appliance: The Password Cache needs to be disabled and re-enabled to complete configuration changes. AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate with any SMTP servers returned in the MX lookup for %. No mail will be sent. AlertDate: %"
"Alert from Password Cache Appliance: Unable to locate MX records for %: % AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate to the SMTP server at %. No mail will be sent. AlertDate: %"
Delete a cache
To delete a cache:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the cache to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
Cache logs
On the cache console there are a variety of logs that can be viewed.
2 Enter the number for the log you wish to view and press the ENTER key.
Usage examples
Any programming language capable of invoking secure web services over SSL/TLS using client certificates for
authentication can be used to request passwords from the Password Virtual Cache. Below are some examples of
requesting a password from the Cache using various programming languages. In all cases, the WSDL file,
available within TPAM for each Cache, is used to generate web service client code that is used by the client
application when requesting passwords.
For brevity, in each example, only one password is retrieved and displayed, and there is no error handling.
Note that if a nonzero value is returned when invoking the web service method handleRequestWS, a descriptive
reason for the failure is provided in place of the password. This can prove useful when setting up accounts,
users, and permissions for the Cache within the TPAM web interface.
Perl
Perl package SOAP::Lite can be used when requesting passwords from the Cache.
The first thing to do is to generate client stubs from the WSDL file. The SOAP::Lite package contains a Perl
script named stubmaker.pl that can generate the client stubs. Assuming the WSDL file is named cache.wsdl,
execute the following command to generate the client stub file:
perl path\to\stubmaker.pl file:cache.wsdl
A file named HandlePWRequestService.pm will be created. You can see by editing this file that it uses
SOAP::Lite, so this package must be present on the machine where the Perl application will be run.
Next, create the Perl application that will use the client stub file generated by stubmaker.pl, and add code to
request a password. Here is a very simple example, in a file named perlclient.pl.
use HandlePWRequestService;
my $certfile = "cacheuser.p12";
my $certpw = "CertPassword";
my $system = "linux10";
my $account = "linuxacct1";
$ENV{HTTPS_PKCS12_FILE} = $certfile;
$ENV{HTTPS_PKCS12_PASSWORD} = $certpw;
The output from execution of "perl perlclient.pl" is:
rc=0, password=linuxacct1pw
There are other Perl packages besides SOAP::Lite that can be used to generate web service client stubs and
request passwords, but SOAP::Lite is one of the simplest.
NOTE: Perl installations vary due to different versions of Perl itself and different versions of installed Perl
modules. The differences in installations may sometimes keep this simple example from working as
expected. Also, for simplicity, this client intentionally omits some security checks such as server
certificate validation and server host name validation.
Java®
This Java® example was created using MyEclipse™. For this example, a Java® project has been created, and
within that project, packages sample.client and sample.generated have been created.
Within MyEclipse, use the New Web Service Client tool and provide the location of the WSDL file. MyEclipse will
generate the client web service code (have the tool put the generated code in the package sample.generated).
Next, create a new Java® class in package sample.client, and write the code that requests a password. This
example shows setting of the keystore and truststore properties inline, but this can also be done by providing
the appropriate arguments when starting the Java® application.
package sample.client;
import javax.xml.ws.Holder;
import sample.generated.HandlePWRequest;
import sample.generated.HandlePWRequestService;
}
}
}
Other IDEs that are used for Java® development should also provide a way to generate the client stub code from
the WSDL.
C#
This C# example was created using Visual Studio® 2010. For this example, a C# Console Application has been
created.
Within Visual Studio, use the Add Service Reference tool and provide the location of the WSDL file. In this
example, when adding the service reference, we named it HandlePWRequestReference. Visual Studio will
generate the client web service code, and then the client application can make use of that reference. Now, add
the code that requests a password.
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
namespace CacheWSClient
{
class Program
{
static void Main(string[] args)
{
// For testing, we'll accept the server certificate instead of
// having to put the trusted root in our certificate store.
ServicePointManager.ServerCertificateValidationCallback =
(sender, certificate, chain, sslPolicyErrors) => true;
string pw;
// Invoke the web service to get the password.
var rc = client.handleRequestWS(out pw, "linux10", "linuxacct1");
if (rc == 0)
{
Console.WriteLine("Password is {0}", pw);
}
else
{
Console.WriteLine("Request failed: rc={0}, msg={1}", rc, pw);
}
}
}
}
The output from execution of the C# client application is:
Password is linuxacct1pw
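As an added example that is not part of the guide, the same handleRequestWS call written in Python over mutual TLS, keeping the server certificate and host name checks that the Perl and C# samples above skip for brevity. The SOAP namespace, request/response element names, service path and PEM file names are assumptions; take the real values from the WSDL that TPAM publishes for the cache, and convert a TPAM-issued PKCS12/PFX bundle to PEM before use.

```python
"""Added example (not from the TPAM guide): mutual-TLS client for the
Password Virtual Cache web service method handleRequestWS.
Namespace, element names, service path and file names are assumptions;
read the real ones from the cache WSDL in TPAM."""
import http.client
import ssl
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:cache"           # assumption: take from the WSDL
SERVICE_PATH = "/HandlePWRequestService"   # assumption: take from the WSDL


def build_request(system: str, account: str) -> bytes:
    """Build the SOAP envelope for handleRequestWS(system, account)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{SERVICE_NS}}}handleRequestWS")
    ET.SubElement(call, "SystemName").text = system    # element names assumed
    ET.SubElement(call, "AccountName").text = account
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def _local_name(tag: str) -> str:
    """Strip the namespace prefix ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def parse_response(xml_bytes: bytes) -> Tuple[int, str]:
    """Return (rc, text). rc == 0 means text is the password; for a nonzero
    rc the cache places a descriptive failure reason in the same field, so
    the caller must never treat that text as a credential."""
    root = ET.fromstring(xml_bytes)
    rc = text = None
    for el in root.iter():                 # element names "rc"/"password" assumed
        name = _local_name(el.tag)
        if name == "rc":
            rc = int((el.text or "").strip())
        elif name == "password":
            text = el.text or ""
    if rc is None or text is None:
        raise ValueError("response is missing the rc or password element")
    return rc, text


def make_client_context(client_pem: str, server_ca_pem: str) -> ssl.SSLContext:
    """Mutual TLS context: presents the Cache User certificate and, unlike the
    test-only callback in the C# sample, still verifies the cache's server
    certificate and host name against the CA given in server_ca_pem."""
    # A PKCS12/PFX bundle downloaded from TPAM must first be converted, e.g.
    #   openssl pkcs12 -in cacheuser.p12 -out cacheuser.pem
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_cert_chain(certfile=client_pem)   # cert + private key in one PEM
    return ctx


def request_password(host: str, system: str, account: str,
                     ctx: ssl.SSLContext, port: int = 443) -> Tuple[int, str]:
    """Invoke handleRequestWS on the cache at host:port and return (rc, text)."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request("POST", SERVICE_PATH, body=build_request(system, account),
                     headers={"Content-Type": "text/xml; charset=utf-8",
                              "SOAPAction": '""'})
        resp = conn.getresponse()
        data = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"HTTP {resp.status} from cache")
    return parse_response(data)


# Constructed sample responses (not captured from a real cache appliance).
_ENV = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><ns:handleRequestWSResponse xmlns:ns="urn:example:cache">'
        b'%s</ns:handleRequestWSResponse></soap:Body></soap:Envelope>')
SAMPLE_OK = _ENV % b'<rc>0</rc><password>linuxacct1pw</password>'
SAMPLE_DENIED = _ENV % b'<rc>1</rc><password>User not permitted to access account</password>'

if __name__ == "__main__":
    # Offline demonstration of the rc/password convention on the two samples.
    for sample in (SAMPLE_OK, SAMPLE_DENIED):
        rc, text = parse_response(sample)
        if rc == 0:
            print(f"rc={rc}, password={text}")
        else:
            print(f"Request failed: rc={rc}, msg={text}")
```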
19
Batch Processing
• Introduction
• Advanced file settings
• Import user IDs
• Import systems
• Import accounts
• Import or update collections
• Import or update groups
• Add or drop collection members
• Add or drop group members
• Batch update user IDs
• Batch update systems
• Batch update accounts
• Batch update PSM accounts
• Batch update permissions
• Batch update cache server permissions
• Cancel a batch process
• View batch job history
Introduction
For ease of administration, new systems, accounts, and users can be imported into TPAM. Also if mass changes
are needed these same entities can be updated without having to make individual changes one at a time in the
GUI. The following sections will describe the various import and update options available in TPAM.
Advanced File Settings are an option on all of TPAM’s batch processing pages. These settings allow the user to
specify in more detail how TPAM should process the upload file. The table below explains all of the Advanced
File Settings options.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
As of the writing of this manual, the valid local time zone values for a user are those in the list
below. As needed, Dell Software will post OS patches on the Customer Portal to update time zone
information. Any portion of the time zone name may be used as long as it is unique. For example, using
"Guam" will find only one time zone but using "02:00" or "US" will find multiple entries. A value of
"Server" sets the user to follow the Server time zone.
Table 71. Time zones
To view import history:
1 Select Batch Processing | Import UserIDs from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
Import systems
Rather than individually adding systems to TPAM, they may be bulk imported. Importing systems can ease
administrative burden and expedite migration to TPAM.
When importing systems it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Systems page.
NOTE: Platform Name is not required when importing systems if a system template is being used or if a
default template has been defined in TPAM.
Import accounts
Rather than individually adding accounts to TPAM, they may be bulk imported. Importing accounts can ease
administrative burden and expedite migration to TPAM.
When importing accounts it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Accounts page.
To cancel an Account Import:
1 Select Batch Processing | Import Accounts from the main menu.
2 Click the History tab.
3 Select the import you want to cancel.
4 Click the Cancel Batch button.
NOTE: An Account Import can only be cancelled if the Start Date column on the History tab is still null.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Collections page.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1 Select Batch Processing | Import/Update Collections from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Groups page.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Details tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Collection Membership page.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Details tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Group Membership page.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
• To delete all rows, select the Delete option. Skip to step 9.
• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step 7.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each account.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Users page.
To cancel a batch update:
1 Select Batch Processing | Update UserIDs from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
5 Select Batch Processing | Update Systems from the main menu.
6 Select update action to be taken on each row.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Accounts page.
To cancel a batch update:
1 Select Batch Processing | Update Systems from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
5 Select Batch Processing | Update Accounts from the main menu.
6 Select update action to be taken on each row.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Accounts page.
To cancel a batch update:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
5 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update PSM Accounts page.
Batch update permissions
System, Account, File, Collection, User and Group permissions can be updated through Update Permissions.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the batch update permissions file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Permissions page.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
9 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
3 Select the import to view.
4 Click the Detail tab.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
6 Click the Process File button.
7 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
5 Click the Cancel Select Batch button.
6 Enter the text displayed to continue with the batch job cancellation and click the Continue button.
20
PSM Connection Profiles
• Introduction
• Add a PSM connection profile
• Delete a PSM connection profile
• Assign a PSM connection profile
Introduction
PSM connection profiles allow for overriding the default connection parameters during a session. These
connection profiles can be modified by the Administrator to specify other connection settings for mainframe
connections.
The table below explains the options on the PSM Connection profile page.
Add a PSM connection profile
To add a connection profile:
1 Select Management | Profile Management from the menu.
2 Select PSM Connection from the Profile Type list.
3 Click the New Profile button.
To assign a connection profile to an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts.
2 Select the account on the Listing tab.
3 Click the PSM Details tab.
4 Select the profile from the Custom Connection Profile list.
5 Click the Save Changes button.
21
Post Session Processing Profiles
• Introduction
• Add a post session processing profile
• Delete a post session processing profile
• Assign a post session processing profile
Introduction
Post session processing profiles can be used to trigger specific events after a session request has expired. For
post session profiles to take effect, the System Administrator must have enabled the Post Session Processing
Agent in the /admin interface.
Table 73. Profile Editor page options
Enter the settings as desired and click the Save Changes button.
22
Privileged Command Management
• Introduction
• Add a command
• Commands to assist with authentication
• Duplicate a command
• Delete a command
• Create access policy with the command
• Assign access policy to user or group
• Setup requirement for Windows®
Introduction
Privileged command management provides command control for administrative tasks that require elevated
credentials. The commands a user can execute using privileged session manager can be controlled.
Add a command
The first step in using privileged command manager is setting up the commands. PCM comes with a set of
default commands, but custom commands can be added.
To add a command:
1 Select Management | Command Management from the main menu.
2 Click the Add Command button.
3 Enter the Command Name.
4 Enter the Command Text.
5 Enter the Working Directory.
6 Enter the Description of the command. (optional)
7 Click the Save Changes button.
8 Click the Proxy Types tab.
9 Select the Proxy Types for this command.
10 Click the Save Changes button.
Duplicate a command
For the ease of creating commands that are similar, commands can be duplicated.
To duplicate a command:
1 Select Management | Command Management from the main menu.
2 Select the command to duplicate.
3 Click the Duplicate Command button.
4 Edit the Command Name, Command Text, Working Directory and Description as needed.
5 The proxy types are inherited from the command duplicated. Click the Proxy Types tab to edit the proxy
types.
6 Click the Save Changes button.
Delete a command
To delete a command:
1 Select Management | Command Management from the main menu.
2 Select the command to delete.
3 Click the Delete Command button.
4 Click the OK button on the confirmation window.
NOTE: A command cannot be deleted if it is associated with an Access Policy.
Create access policy with the command
Once the commands have been created, the next step is to create an access policy that includes this command.
3 Enter a unique policy name. This is the name that appears in the list when selecting it for assignment, so
be as descriptive as possible.
4 Enter a description. This information is only visible to administrators when editing the policy. (optional)
5 Select the Command check box.
6 Select the command from the list.
7 Select the REQ check box.
8 To add another command to the access policy click the Add button.
9 Repeat steps 5, 6 and 7.
10 Click the Save Changes button.
6 Enter the filter criteria to find the system.
7 Click the Results tab.
23 Restricted Commands
• Introduction
• Add a restricted command profile
• Assign profile to access policy
• Restricted command account settings
• Command detection during a session
Introduction
Restricted command profiles enable the TPAM administrator to restrict the commands that can be executed
during a session, and/or put notifications in place when specific commands are executed.
IMPORTANT: Restricted commands cannot always detect and terminate a command when it is executed. It
is possible that some commands complete execution before TPAM has time to detect them.
Restricted commands are limited to Windows® and *nix platforms. The restricted command functionality also
requires a DPA.
To configure restricted commands you must perform the following steps:
• Add a restricted command profile
• Add restricted command profile to an access policy.
• Assign access policy to a user or group for a system or account.
• Enable account to capture events during a session.
*nix platforms
In order to detect and kill processes on *nix systems, the DPA connects to and monitors the target system using
SSH. The following commands must be executable on the target system by the functional account in order to
detect and kill processes.
• uname
• echo
• kill
• "ps -ef" or "ps -axlww" depending on *nix variant
• "netstat -ntp", "sockstat -c4", or "lsof -i -n -P" depending on *nix variant
Delegation prefixes are supported for the relevant platforms.
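As an added example that is not part of the guide, the following POSIX shell script checks on a *nix target that the commands listed above are executable by the account running it; copy it to the target and run it as the functional account. It does not assume which ps or socket-listing form a given platform uses: one working form of each is accepted, matching "depending on *nix variant". The file name and the functional/target names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the TPAM guide: a preflight check, run on a *nix
# target as the functional account, that the commands the DPA relies on for
# restricted command detection are executable there. Usage (placeholder names):
#   scp dpa_preflight.sh functional@target: && ssh functional@target sh dpa_preflight.sh
# No assumption is made about which ps or socket-listing form a platform uses:
# one working form of each is enough.

# Print a "MISSING: ..." line for each requirement not met; return 0 only
# when everything the DPA needs is available.
dpa_preflight() {
    rc=0
    # Plain commands the DPA always needs.
    for cmd in uname echo kill; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "MISSING: $cmd"
            rc=1
        fi
    done
    # Process listing: either form must run successfully.
    if ! ps -ef >/dev/null 2>&1 && ! ps -axlww >/dev/null 2>&1; then
        echo "MISSING: ps -ef / ps -axlww"
        rc=1
    fi
    # Socket listing: one of the three forms must run successfully.
    if ! netstat -ntp >/dev/null 2>&1 && ! sockstat -c4 >/dev/null 2>&1 \
        && ! lsof -i -n -P >/dev/null 2>&1; then
        echo "MISSING: netstat -ntp / sockstat -c4 / lsof -i -n -P"
        rc=1
    fi
    return "$rc"
}

# Report the outcome when the script is executed directly (sourcing it only
# defines the function).
case "${0##*/}" in
    dpa_preflight.sh)
        if dpa_preflight; then
            echo "OK: restricted command prerequisites present for $(id -un)"
        else
            echo "FAIL: fix the items above before enabling Capture Events"
            exit 1
        fi
        ;;
esac
```

Run it under any delegation prefix the functional account normally uses, since that is the context in which the DPA will execute these commands.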
Windows®
In order to detect and kill processes on Windows®, the DPA connects to and monitors the target system using
WMI. There are a number of items that must be configured to allow these WMI connections, which may include
but are not limited to setting up remote WMI access, setting WMI CIMV2 namespace security, setting DCOM
security to allow remote access and launch, altering firewall settings to allow the WMI traffic, and handling
UAC. Notes related to UAC are provided when executing Test Event Configuration.
Additionally, various security events must be generated by Windows® to identify the beginning and end of PSM
sessions. For operating systems prior to Windows® Vista, events with event identifiers of 528, 538, 551, 682, and
683 must be generated. For Windows® Vista and later operating systems, events with event identifiers of 4624,
4634, 4647, 4778, and 4779 must be generated. Note that restricted command detection for operating systems
prior to Windows® XP and Windows Server 2003 is not supported.
• Notify via Email? - If the command has the Notify? check box selected and the command is detected
during a session, an email is sent to the email addresses listed. Multiple email addresses can
be entered, separated by a semi-colon. You can also enter :System: or :Account: to have the
notification sent to the system or account contacts.
6 Click the Add Cmd Detail button.
7 Select the platform/s that the command applies to:
• Kill Login - the login to the remote system is terminated, but the session remains open.
• Kill Session - the current session to the remote system is terminated.
NOTE: None of the actions above will cancel the session request.
3 Select the Record Events check box.
4 Select the restricted command profile from the list.
5 Click the Save Changes button.
6 The access policy then needs to be assigned to the appropriate system, account, or group.
• RDP - Interactive Login
• SSH - Automatic Login Using Password
• SSH - Automatic Login Using DSS key
• SSH - Interactive Login
• Telnet - Automatic Login Using Password
• Telnet - Interactive Login
6 Click the Test Event Configuration button.
7 If the test event was successful, select the Capture Events? check box.
If the profile is configured to kill the login, the user will see the following:
If the profile is configured to kill the session, the user will see the following and then the session is closed a few
seconds later:
24 Archive Session Logs
• Introduction
• Configure session log archive settings
• Configure session log archive server
• Test the archive server
• View archive files
• View archive log
• Delete a session log archive server
• Clear a stored system host entry
Introduction
This chapter covers the configuration and settings for session log archive.
The table below explains the options on the Session Logs Archival Settings page:
Table 74. Session Logs Archival Settings page options
Enter the settings as desired and click the Save Changes button.
The table below explains the options on the archive server management page:
Table 75. Archive Server Management: Details tab options
Enter the settings as desired and click the Save Changes button.
View archive log
To view the archive log:
1 Select Management | Session Mgmt | Archive Log from the menu.
2 Enter your filter criteria.
3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the
report.
5 Select the appropriate box in the Sort Column column to specify sort order.
6 Select the Sort Direction.
7 If viewing the report in Privileged Account Manager, select the Max Rows to display.
IMPORTANT: The Max Rows to Display limits the number of rows that are returned even if the
number of rows that meet the filter criteria is greater than what is selected.
8 To view the report results in Privileged Account Manager click the Report tab. To adjust the width of
any column on a report, hover the mouse over the column edge, hold down the left mouse button and drag
to adjust the width.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export
option. The Export to Excel option only exports a maximum of 64,000 rows.
4 Click the Delete Server button.
5 Click the OK button on the confirmation window.
25 Synchronized Passwords
• Introduction
• Logs tab
• Add synchronized password
• Add subscriber to a synchronized password
• Remove a subscriber from a synchronized password
• Delete a synchronized password
• Force reset of synchronized password
Introduction
Synchronized Passwords (formerly known as Collection Accounts prior to v2.3.761) provide a way to allow
multiple accounts, on different systems, to have the passwords synchronized.
The synchronized password functionality depends heavily on the Synch Pass Change Auto Agent that must be
enabled by the System Administrator in the admin interface. If the agent is not running, synch member
passwords are not changed unless you perform a manual forced reset.
To add and manage synchronized passwords, information is entered on the following tabs in the TPAM interface:
Details tab
The table below explains all of the options available on the details tab:
Table 77. Synchronized Password Management: Details tab options
Candidates tab
The table below explains all of the options available on the candidates tab:
• Candidate Name - System name and account name of the candidate. Only accounts that are auto-managed or
manually managed are eligible.
• Account Auto - Management setting for the account.
• Network Address - Network address for the account.
• Platform - System platform for the account.
• Select - If selected, the account becomes a member of the synchronized password.
• Priority Level - The number entered here represents the order that the Synch Pass Change agent uses to
synchronize the subscribers. Only auto-managed accounts can be assigned a priority level. The agent
attempts to synchronize the prioritized subscribers from lowest to highest. If any subscribers fail to
synchronize then the process stops, and the agent does not attempt to process any other subscribers.
Next, any auto-managed non-prioritized accounts are synchronized. Any non-prioritized accounts that fail
to synchronize are scheduled through the regular password change agent. Then any manually managed
accounts get put in the manual password notification queue. If the subscriber is in the regular change
queue any ISA or Administrator can force a password reset through the password management page or
account management listing page.
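The processing order described for the Priority Level field, as an added simulation that is not part of the guide and not the agent's own code. It assumes one reading of the text: a failure in the prioritized pass stops only that pass, and the non-prioritized and manual passes still run; the subscriber records are constructed.

```shell
#!/bin/sh
# Added example, not part of the TPAM guide: a simulation of the order in which
# the Synch Pass Change agent works through the subscribers of one
# synchronized password, following the Priority Level description.
# Reading assumed here: a failure in the prioritized pass stops only that
# pass; the non-prioritized and manual passes still run.
#
# Subscriber records are constructed for this example, one per line:
#   <system/account> <Y|M> <priority or -> <ok|fail>
# Y = auto-managed, M = manually managed, "-" = no priority level,
# ok/fail = the outcome the simulated password change would have.

# Print "<name>: <outcome>" lines in the order the agent would act.
synch_order() {
    records=$1
    # Pass 1: prioritized auto-managed subscribers, lowest number first.
    # After the first failure the remaining prioritized subscribers are
    # reported as not attempted.
    stopped=0
    printf '%s\n' "$records" | awk '$2 == "Y" && $3 != "-"' | sort -k3,3n |
    while read -r name auto prio result; do
        if [ "$stopped" -eq 1 ]; then
            echo "$name: not attempted (earlier prioritized subscriber failed)"
        elif [ "$result" = "fail" ]; then
            echo "$name: FAILED, agent stops processing prioritized subscribers"
            stopped=1
        else
            echo "$name: synchronized"
        fi
    done
    # Pass 2: auto-managed subscribers without a priority level. Failures are
    # handed to the regular password change agent instead of stopping.
    printf '%s\n' "$records" | awk '$2 == "Y" && $3 == "-"' |
    while read -r name auto prio result; do
        if [ "$result" = "fail" ]; then
            echo "$name: FAILED, scheduled through the regular password change agent"
        else
            echo "$name: synchronized"
        fi
    done
    # Pass 3: manually managed subscribers are never changed by the agent.
    printf '%s\n' "$records" | awk '$2 == "M"' |
    while read -r name auto prio result; do
        echo "$name: placed in the manual password notification queue"
    done
}

# Constructed demo subscribers (not real systems).
DEMO_SUBSCRIBERS='
db01/oracle Y 2 ok
web01/root Y 1 ok
web02/root Y 3 fail
web03/root Y 4 ok
app01/svc Y - fail
app02/svc Y - ok
legacy/admin M - ok
'

case "${0##*/}" in
    synch_order.sh) synch_order "$DEMO_SUBSCRIBERS" ;;
esac
```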
Subscriber status tab
The table below explains all of the options available on the subscriber status tab:
• Subscriber Name - System name and account name of the subscriber.
• Account Auto - Indicates whether the account is auto-managed by TPAM (Y) or manually managed (M).
• Network Address - Network address for the system.
• Platform - Platform for the system.
• Unsubscribe / Priority - If Unsubscribe is selected and the changes saved, the subscriber is removed from
the synchronized password. The priority level can be edited and saved here.
• Password Status - The password will be either current or out of synch. If the password is out of synch, the
Synch Now button is available to force an immediate synchronization.
• Pending Change - Displays status if the password is in the regular change queue.
• Pending Check - Displays status if the password is in the regular check queue.
Logs tab
The logs tab contains three sub-tabs that provide detailed password history for the subscribers of the
synchronized password. The following table explains the sub-tabs. The time displayed on the logs is in server
time (UTC).
• Filter - This filter tab can be used to specify your search criteria in any of the other log tabs.
• Change Log - Provides details on password change history.
• Test Log - Provides details on password test activity.
• Release Log - Provides details on password release history.
• Dependent Change Log - Only visible if the account resides on a Windows® Domain Controller with dependent
systems assigned. Provides details on changes of the domain account.
• Change Agent Log - Provides details on change agent log records for the accounts that have occurred after a
2.3+ TPAM upgrade.
3 Click the Save Changes button.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: After the synchronized password is deleted the subscribers revert to the Password Management
settings that they had prior to becoming a subscriber.
26 Scheduled Reports
• Introduction
• Enable/disable scheduled reports
• Send scheduled reports to archive server
• Subscribe/unsubscribe to scheduled reports
• Add/remove additional recipients to scheduled reports
• View scheduled reports
• Resubmit scheduled reports
Introduction
Scheduled reports (also known as Batch Reports) are standard reports available in TPAM. The TPAM
Administrator configures these reports to automatically run on a daily, or weekly basis. The reports are run by
the Daily Maintenance job which is configured in the /admin interface. The reports are stored on the appliance
and can be emailed to designated subscribers or sent directly to an archive server. Only Administrators and
Auditors can view these reports from the TPAM interface. Additional users can be configured to receive these
reports via email.
2 Next to each report select one of the following from the far right-hand column:
• Disabled - the report will not run.
• HTML Only - only the HTML version of the report will run.
• CSV Only - only the CSV version of the report will run.
• HTML & CSV - CSV and HTML versions will be run.
• XML Only - the report will only be run in XML format.
3 Click the Save Changes button.
NOTE: If any option other than Disabled is selected the XML file is always generated (a zero byte file will
be generated even if no data is reported).
IMPORTANT: The Entitlement reports are very resource intensive and can cause severe performance
degradation for online users during the daily report cycle. If the reports will be used on a daily basis it is
recommended that only the versions required are enabled. It is very common for these reports to be over
1 million rows and customers have found that the CSV files are more manageable.
2 Select an archive server from the list. An archive server must be already configured in TPAM by the
System Administrator to display in this list.
3 Click the Save Changes button.
3 Click the Additional Recipients tab.
4 Enter the email address for the additional recipient in the EmailAddress box.
5 Select the report format/s from the Type list. If None is selected, the recipient will receive an email
informing them that the report has been generated, but without an attachment.
6 Select the Zip check box to zip all subscribed formats into one file that will be emailed.
7 Click the Add New Recipient button.
8 Repeat steps 4 through 6 for any additional email addresses.
Resubmit scheduled reports
The System Administrator has the ability to resubmit batch report runs for a prior date. Once the report run has
been resubmitted, the reports can be viewed on the same page as the daily report runs. See the procedure
above.
27 Data Extracts
• Introduction
• Configure data extracts
• Enable/disable a data extract schedule
• Data extract logs
• Customize data extract dataset file names
Introduction
Data extracts are defined data sets that can be extracted from TPAM on a scheduled basis and automatically
transferred to a pre-configured Archive server.
Extracted data is supplied as a *.CSV file and is easily viewed with MS Excel or any text editor. Information that
may be extracted includes lists of systems, accounts, users, etc. and many logs of user activity and entitlement.
The extracted files are compressed (ZIP file format) and named with a date and time stamp.
Data extracts are configured much in the same way as TPAM system backups. The extracts can be set to occur
daily, weekly or monthly at a specific time.
6 To have the file formatted differently than comma delimited, type another format in the Delimiter box.
If left blank, tab is the default. (optional)
7 Set the frequency for the data extract run:
• Daily
• Weekly - select day/s of the week.
• Monthly - choose First, Last, or specific Day of the Month.
8 Enter the time when the extraction is to start running. Time must be entered in 24 hour format.
9 Select the archive server where the data is to be transferred. The TPAM System Administrator is
responsible for configuring the Archive Servers.
10 Select All or Failed and enter the email address of the recipient who is to receive data extract results.
(optional)
11 Click the Data Sets tab.
12 Select the Enabled? check box to add the Data Set as part of the scheduled extract.
13 Select the Column Headings? check box to have column headings included in the CSV file results.
(optional)
14 Click the Save Changes button.
The Password Release Activity and Password Update Activity data extracts will pull the last 24 hours of activity.
The Activity Log, Password Release Log and SysAdmin Activity Log data extracts will pull data based on the
number of days configured as the retention period in global settings.
To immediately kick off a Data Extract:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select a schedule from the list.
3 Click the Start button.
2 Click the Dataset Filenames tab.
3 Place your cursor in the FileName box and rename the file for all the file names to be changed.
4 Click the Save Filename Changes button.
28 TPAM CLI IDs
• Introduction
• Add a TPAM CLI ID
• Connect PSM account to TPAM CLI ID
• Delete a TPAM CLI ID
Introduction
In some cases it might be necessary to use an account for PSM authentication which is managed by another,
independent TPAM device. An example use case is an MSP managing systems for several customers, such as
financial institutions, that require password data to be stored in a physically separate database. This can be
accomplished by using TPAM CLI IDs.
A CLI user ID is a special account used to access TPAM remotely via the CLI (command line interface). TPAM CLI
IDs may be defined to TPAM and used to access passwords that may be stored and managed on a remote TPAM
appliance.
2 Enter the user details, clear the Allow Web Access check box on the Web tab and select CLI key based
authentication on the Key Based tab.
3 Click the Save Changes button.
4 Click the Download key button to download and save the key.
When initiating a session for this account, TPAM02 will now log on to TPAM01 and request the password for
qsrv_qppm, managed by TPAM01 and use this to authenticate the session. After the session, the password will
be checked back in to TPAM01 and will be changed.
29 Password Requests
• Introduction
• Request a password
• Email notification
• View submitted password requests
• Access the password
• Cancel/expire a password request
Introduction
System account passwords that are configured using Privileged Password Manager can be released by submitting
a password request. The request will either require approval by one or more TPAM users, or be auto-approved,
based on how the account is configured. This process ensures the security of the system account password,
provides accountability, and provides dual control over the system accounts.
Request a password
To request a password:
1 Select Request | Password | Add Request from the main menu.
2 To request a password on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the check box next to each account to be included in the password request. When selecting
multiple accounts in one request, the request time and release duration will be the same for all accounts
requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission to the account, the account will be listed multiple times on the Accounts listing
tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration
associated with it.
5 Click the Details tab.
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period or the requestor decides to cancel the request prior to accessing the password. The request
will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the password has passed or the requestor is done accessing the
password and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.
Email notification
Once a password request is submitted, the requestor receives an email notification when the request is
approved, denied, or automatically cancelled as a result of a request conflict.
If a password request is submitted and does not require any approvals, the request is auto-approved by PPM and
the requestor immediately sees this message in the feedback area.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-
approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Password - If enabled, displays the password for the account for 20 seconds.
b The Reveal Password button can be clicked to reveal the password or the password can be copied
to the clipboard without displaying it on the screen.
c You must put your mouse in the designated area, and press the Ctrl-C keys to copy the password
to a clipboard.
The password can be displayed by the requestor as often as necessary during the release duration period.
This scenario can be prevented by selecting Do not automatically change the password while a release
is active on the account details management tab.
• The ISA post-release reset interval has occurred. In this case, an ISA may have recently retrieved the
password and it is being reset because the configured interval for that action has expired. This scenario
can be prevented by selecting Do not automatically change the password while a release is active on
the account details management tab.
• The ISA or the Administrator has forced a reset of the password.
The requestor should try and access the password at a later time.
30 Approve/Deny Password Request
• Introduction
• Approve/deny password request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a password request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.
6 If the request selected is part of a multiple request submission then you also see all the other pending
requests that are eligible for your approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this password overlap with the same
release duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of
the request will remain unchanged.
31 Review a Password Release
• Introduction
• Review status definitions
• Provisional ticket validation on a password release
Introduction
Accounts can be configured to have review requirements for password releases once the release duration has
expired. Users eligible to review password releases receive email notification to alert them of pending reviews.
• Pending - An authorized reviewer is still required to complete the review process.
• Completed - All the required reviewers have clicked the Complete My Review button.
• Overdue - A reviewer has not reviewed the password release within the required time period.
On the Password Release for Review listing tab there is a column labeled Review Started. If the value is Y, at
least one review comment has been submitted. If the value is N, no review comments have been submitted. If
the value is - (dash), the review is complete.
6 Click the Reviews tab to see any review comments made.
7 Click the Responses tab to see comments that were made when approving this request and comments
made by the requestor if they expired the request early.
8 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as
configured for their user ID in TPAM.
9 If the password release being reviewed was part of a multi-request, select the Apply Review check box
for the appropriate row.
10 To enter a comment before officially marking the release as reviewed enter a comment in the Review
Comment box and click the Save My Review Comment button. (optional)
Every time a comment is submitted the Reviews Submitted count increases.
11 To mark the review as complete, enter a review comment and click the Complete My Review button.
Provisional ticket validation on a password release
If the required ticket system for this account has “provisional validation” enabled in the admin interface and
the ticket system was not available for validation at the time the requestor submitted the request, you see the
following message note on the review details tab:
A reviewer does not have the ability to retroactively check for ticket validation.
32 Session Requests
• Introduction
• Request a session
• Email notification
• View submitted session requests
• Cancel/expire a session request
Introduction
Systems that are configured using Privileged Session Manager can be accessed remotely by submitting a session
request. The request will either require approval by one or more TPAM users, or be auto-approved, based on
how the account is configured. The activity during the session will be recorded and can be played back by
authorized users.
Request a session
To request a session:
1 Select Request | Session | Add Request from the main menu.
2 To request a session on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the check box next to each account to be included in the session request. When selecting multiple
accounts in one request, the request time and release duration will be the same for all accounts
requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission to the account, the account will be listed multiple times on the Accounts listing
tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration
associated with it.
6 Complete the following fields:
7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page:
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period or the requestor decides to cancel the request prior to connecting to the remote system.
The request will also be cancelled if the ticket number entered on the request requires validation, and
fails.
• Expired - the release window for the session has passed or the requestor is done conducting the session
and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.
Email notification
Once a session request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a session request is submitted and does not require any approvals, the request is auto-approved and the
requestor can immediately start the session by clicking the Connect button.
View submitted session requests
To view requests that have been submitted:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-
approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Connect Options - If enabled can be used to change settings such as keyboard language mapping
for the session.
7 If the request contains multiple accounts, select the Apply Reason check box next to the applicable
accounts.
8 Click the Save Changes button.
33 Approve/Deny Session Request
• Introduction
• Approve/deny session request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a session request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.
6 If the request selected is part of a multiple request submission then you also see all the other pending
requests that are eligible for approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this session overlap with the same release
duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of
the request will remain unchanged.
34
Start a Remote Session
• Introduction
• Client requirements
• Start a session
• File transfer
• End a session
Introduction
Once a session is approved a user can use TPAM to connect to a remote system. This chapter covers the steps for
starting a session and the file transfer options available during a session.
Client requirements
Java® version 7 update 45 or higher is required to run the session applet. Java® 32 bit is supported, but not
Java® 64 bit.
IMPORTANT: If the recording session reaches the limit set in Max Recording Size global setting (set by the
TPAM System Administrator), the session is automatically terminated. Warning messages will be sent when
the session reaches 60% of the set limit.
Start a session
To start a session:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Connect Options tab. Connection options are dependent on the platform, proxy type and if a
DPA is assigned to the system. Clear the Use Default Connection Options check box to select different
session connection options. The connection options selected by the user will persist for this user every
time they connect with this account to a session, using the same proxy type. If the proxy type changes
the user will have to save their preferred connection settings again, in order for them to persist.
(optional)
Table 84. Session Request Management: Connection Options
NOTE: The window display size selection is not saved, and must be reselected before connecting
each time.
7 Click the Connect button. The remote session is initiated in a new page. All activity performed by the
remote user is logged and recorded. When a session begins, a new window is opened and the Java®
environment is initialized. This step can take up to a minute.
8 Click Yes to accept the web certificate for the applet. This should only appear the first time you start a
session in PSM.
9 Depending upon the configuration for session authentication for the account one of these scenarios
occurs:
• The session uses auto-logon with a predefined account and its password.
• The password is provided by TPAM but must be typed in by the user.
• The password is not stored in TPAM and must be typed in by the user.
NOTE: Sessions to remote systems are also subject to the configuration of the access method at the
remote system. Example: if Windows® RDP or Terminal Services is the connection method then the
configuration for disconnected session time outs, maximum connections, and so on, govern certain session
behavior. In addition, troubleshooting problems with connectivity to these systems should include
examining the configuration of the remote system.
Clipboard transfer between the RDP session and the desktop is available if this option was selected at the
account level on the PSM Details tab. The Clipboard transfer feature allows copy/cut and paste of text between
the remote session and the desktop.
If the proxy type for the session is SSH, then the client is PuTTY. When connecting to the session a PuTTY
security warning is presented so that the host key offered by the remote machine can be validated. Verify the
fingerprint against one obtained out of band before accepting it. Clicking the Accept button caches the host
key so that this message is not presented again during the session.
Pressing the Ctrl key and right-clicking the mouse brings up the PuTTY menu. This menu provides options to
copy the scroll back buffer, change fonts, and reconfigure other settings.
On the bottom of the PSM session window you will see the system name, account name, keyboard mapping
chosen, the hot keys menu, session connection status and the size of any data pasted to the clipboard.
File transfer
Depending on how the account is configured there are options to upload files to the remote system and
download files from the managed system during the session. The time out period for file transfers is 10 hours.
To upload a file:
1 Click the File Transfer tab in the session window.
2 Click the Select File button to locate the file or directory to transfer. Repeat this step for each file or
directory to upload. As files and/or directories are selected they are displayed in the Selected Files list.
IMPORTANT: There is a 20 GB size limit on any file transferred.
3 To remove a file that was selected by mistake use the Remove Selected or the Remove All buttons as
needed. Additionally files and directories may be selected by simply dragging and dropping them on the
Selected Files list.
4 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password
required to upload the file.
5 Click the Upload button to start the transfer process. After the transfer is complete a successful or
unsuccessful message will appear at the bottom of the page.
IMPORTANT: The upload process overwrites any existing file(s) if the user has the file system rights to do
so. If the user does not have sufficient rights to an existing file and they attempt to upload a file of the
same name the upload fails.
To download a file:
CAUTION: File downloads can put a big strain on the appliance. If other users start to see
performance problems in TPAM the file download could be the cause.
3 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password
required to download the file.
4 Click the Download button. After the download is complete a successful or unsuccessful message will
appear at the bottom of the page.
End a session
Once you have completed what you wanted to do on the remote system you can end the session. To end the
session close the session window. A new session can be started until the release duration on the request expires.
35
Session Management
• Introduction
• Session playback controls
• Meta data window
• Replay a session log
• Add a bookmark to a session
• View bookmarks/captured events
• Jump to a bookmark
• Jump to an event
• Monitor a live session
• Terminate a session
Introduction
The session management menu provides access to session logs and the ability to play back sessions.
The table below defines the functions and display information on the playback tool bar.
Option Description
System Name The name of the remote system where the session was established.
Account Name The name of the remote account used to access the system during the session.
Table 85. Playback tool bar options
Slider Control Displays the current position of playback, and after the session is paused lets a new
position be selected. To reposition session replay, pause the session and position the
slider control to the desired spot. Resume playback using the pause control. The
session playback moves at maximum speed to the desired playback position.
NOTE: The session time position is based on network packet timestamps. This
means that the playback control slider may appear to move in an uneven fashion
depending on the ‘data density’ of each packet, especially for very short recorded
sessions. If for some period time there is a minimal amount of activity followed by a
flurry of dialog openings and keystroke input, this would cause the uneven control
slider movement. Longer session files tend to provide a smoother control slider
movement.
Elapsed Time Time elapsed in the session replay.
Total Session Time Total length of time of the session.
Pause Button When green the session is playing. When red the session is paused. To pause or
resume playback simply click the control.
Loop Button Selecting this button sets the session to replay over and over.
Controls Menu/Select Speed Session play speed in relation to normal speed. For example .5x will play the
session at half normal speed.
Controls Menu/Metadata/Open Dialog If selected this opens a window to display the keystroke log, and tags
for events and bookmarks. The keystroke slider at the top of the window can be adjusted so that the user
can see the keystrokes taking place in this window before or after they occur in the actual session replay
window.
Controls Menu/Add Bookmark If selected allows the user to add a bookmark at a specific point in the
session.
Controls Menu/Always on Top If selected, the meta data dialog window will be displayed in front of the
session replay window.
Keystrokes/events will be displayed in green as they occur during the session replay. Bookmarks are displayed in
red. Slide the keystroke slider to the left to view the keystroke log in advance of the activity occurring in the
session replay window. If the Clear on Loop check box is selected the keystroke log will be cleared before the
session is replayed each time.
The remote access session is displayed and played back in real time. The playback session may be paused and
resumed, moved ahead or back at increased speed, or continuously played at various speeds.
Prior to v2.5.915 a session log could be "stranded" by closing the browser while a session was recording and
then clicking the Terminate button. To fix the problem so the session can be replayed, select the session from
the Listing page and click the Reset Stats button.
To add a bookmark:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 When you get to the point in the session where you want to add a bookmark click the Pause button on
the session playback controls at the bottom of the window.
7 Select Controls Menu | Metadata | Add Bookmark.
Jump to a bookmark
To jump to a bookmark while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.
Jump to an event
To jump to an event while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.
Monitor a live session
With the appropriate permissions a user can monitor another user’s session. The user running the session has no
indication that their session is being watched.
NOTE: You cannot view the Keystroke Log when monitoring a session.
4 Select the session to monitor. Live sessions will have a status of Connected.
5 Click the Monitor Session button. The PSM Session Monitor window will open with a view of the live
session.
Terminate a session
An administrator user has the ability to terminate (kill) active sessions. Unless the session request is also
expired or cancelled the user has the ability to restart the session.
CAUTION: Be aware that terminating a session could leave unfinished work on the remote system and
even do potential damage.
To terminate a session:
1 Select Management | Session Mgmt | Manage Sessions from the main menu.
2 On the Active Sessions tab select the session to terminate.
36
Review a Session
• Introduction
• Review status definitions
• Review a session
• Provisional ticket validation on a session
Introduction
Accounts can be configured to have review requirements for PSM Sessions once the sessions are expired. Users
eligible to review sessions receive email notification to alert them of pending reviews.
Status Definition
Pending Review An authorized reviewer is still required to complete the review process.
Completed All the required reviewers have clicked the Complete My Review button.
Overdue A reviewer has not reviewed the session within the required time period.
On the PSM Sessions for Review listing tab there is a column labeled Review Started. If the value is Y, at least
one review comment has been submitted. If the value is N, no review comments have been submitted. If the
value is - (dash), the review is complete.
Review a session
To review a session:
1 Select Approve/Review | PSM Session from the main menu.
2 To review a session for a specific account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session to review.
5 Click the Session Logs tab.
6 Select a session log to replay.
7 Click the Replay Session button. For details on replaying sessions see Session playback controls.
NOTE: A session review cannot be completed until one of the session logs has been replayed by the
reviewer. TPAM may be configured so that all session logs must be replayed before the review can
be completed.
These comments do not flag a session as being reviewed, but may be informative to other reviewers.
10 To view information about a file transfer, select a session log on the Session Logs tab and click the File
Transfers tab. (optional)
11 Click the Reviewers tab to see the list of eligible reviewers. (optional) These are the review
requirements at the time the session request was submitted.
12 Click the Reviews tab to see any review comments made.
13 Click the Responses tab to see comments that were made when approving this request and comments
made by the requestor if they expired the request early.
14 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as
configured for their user ID in TPAM.
15 If the session being reviewed was part of a multi-session request, select the Apply Review check box for
the appropriate row.
16 To enter a comment before officially marking the session as reviewed enter a comment in the Review
Comment box and click the Save My Review Comment button. (optional)
Every time a comment is submitted the Reviews Submitted count increases.
17 To mark the review as complete, enter a review comment and click the Complete My Review button.
37
File Requests
• Introduction
• Request a file
• Email notification
• View submitted file requests
• Access the file
• Cancel/expire a file request
Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.
Request a file
To request a file:
1 Select Request | File | Add Request from the main menu.
2 To request a file on a specific system enter the criteria on the Filter tab.
3 Click the Files tab.
6 Complete the following fields:
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period, or the requestor cancels the request prior to accessing the file. The request is also
cancelled if the ticket number entered on the request requires validation and the validation fails.
• Expired - the release window for the file has passed or the requestor is done accessing the file and
expires the request early.
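The status list above describes a small state machine. The following is an added example, not code from the guide or from TPAM, that models those transitions so the rules can be exercised: a conflict with an already approved request or a failed ticket validation cancels the submission, a request with no approvers is auto-approved, approval lands in Approved or Active/Approved depending on whether the release window has started, and the window expiring moves the request to Expired. It also enforces the rule the CLI command descriptions later state, that the user who created a request (even on someone else's behalf) cannot approve it. The class and function names, and the injected clock, are this example's own.

```python
"""Model of the TPAM request life cycle (added example, not TPAM code).

Status strings are the ones the guide lists; everything else is illustrative.
The current time is passed in explicitly so the transitions are testable.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class Request:
    request_id: int
    requestor: str          # user the release is for
    created_by: str         # CLI user who submitted it (may equal requestor)
    target: str             # e.g. "system/account" or a file name
    start: datetime
    duration: timedelta
    needs_ticket: bool = False
    ticket_valid: bool = True
    approvers_required: int = 1
    approvals: set = field(default_factory=set)
    status: str = "Pending Approval"

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def overlaps(a: Request, b: Request) -> bool:
    """Two requests conflict when they cover the same target and their windows intersect."""
    return a.target == b.target and a.start < b.end and b.start < a.end


def _mark_approved(req: Request, now: datetime) -> str:
    req.status = "Active/Approved" if req.start <= now < req.end else "Approved"
    return req.status


def submit(req: Request, existing: list, now: datetime) -> str:
    """Apply the submission rules from the status list and return the resulting status."""
    approved = [r for r in existing if r.status in ("Approved", "Active/Approved")]
    if any(overlaps(req, r) for r in approved):
        req.status = "Canceled"                      # conflict with an approved request
    elif req.needs_ticket and not req.ticket_valid:
        req.status = "Canceled"                      # ticket number failed validation
    elif req.approvers_required == 0:
        _mark_approved(req, now)                     # auto-approved, no approvers needed
    else:
        req.status = "Pending Approval"
    return req.status


def approve(req: Request, approver: str, now: datetime) -> str:
    """Record one approval; the creator of the request may never be its approver."""
    if req.status != "Pending Approval":
        raise ValueError(f"request {req.request_id} is {req.status}, not pending")
    if approver in (req.requestor, req.created_by):
        raise PermissionError(f"{approver} cannot approve request {req.request_id} they created")
    req.approvals.add(approver)
    if len(req.approvals) >= req.approvers_required:
        _mark_approved(req, now)
    return req.status


def deny(req: Request) -> str:
    if req.status != "Pending Approval":
        raise ValueError(f"request {req.request_id} is {req.status}, not pending")
    req.status = "Denied"
    return req.status


def cancel(req: Request, user: str) -> str:
    """The requestor (or the CLI user who created it) may cancel only while pending."""
    if req.status != "Pending Approval" or user not in (req.requestor, req.created_by):
        raise PermissionError(f"{user} cannot cancel request {req.request_id} ({req.status})")
    req.status = "Canceled"
    return req.status


def expire(req: Request, user: str) -> str:
    """Requestor ends the release early, making the target available to others."""
    if req.status not in ("Approved", "Active/Approved") or user != req.requestor:
        raise PermissionError(f"{user} cannot expire request {req.request_id} ({req.status})")
    req.status = "Expired"
    return req.status


def refresh(req: Request, now: datetime) -> str:
    """Time-driven transitions: Approved -> Active/Approved -> Expired."""
    if req.status == "Approved" and req.start <= now < req.end:
        req.status = "Active/Approved"
    if req.status in ("Approved", "Active/Approved") and now >= req.end:
        req.status = "Expired"
    return req.status
```

The conflict check deliberately only considers requests that are already approved; a second pending request for the same window is shown on the Conflicts tab for the approver to resolve rather than being cancelled automatically.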
Email notification
Once a file request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a file request is submitted and does not require any approvals, the request is auto-approved by PPM and the
requestor immediately sees this message in the feedback area. The Retrieve button will be enabled.
Cancel/expire a file request
A file request can be cancelled by the requestor if the status is Pending Approval. Once approved, a file
request can be expired to immediately end the release duration. Expiring a request early makes the file
available for other users to request.
38
Approve/Deny File Request
• Introduction
• Approve/deny file request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a file request is submitted, the associated approver(s) is notified via email of the pending request. The
approver logs on to TPAM to approve/deny the request.
6 Click the Conflicts tab to see if any other pending requests for this file overlap with the same release
duration.
7 Click the Approvers tab to see the list of other eligible approvers for this request.
8 Click the Responses tab to see the responses other eligible approvers have made for this request.
9 Enter comments in the Request Response box.
10 Click the Approve Request or Deny Request button.
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of
the request will remain unchanged.
39
On Demand Reports
• Introduction
• Report time zone options
• Run a report
• Report descriptions
Introduction
TPAM has a number of pre-defined reports to aid in system administration, track changes to objects, and
provide a thorough audit trail for managed systems. All reports are accessed via the Reports menu. The reports
can be filtered by criteria that are specific to each report type.
For example, the server is at UTC time and the user is in Athens, Greece (UTC +2). When the user enters a date
range of 9/16/2009-9/17/2009 with the local time zone option, the report retrieves transactions that happened
on the server between 9/15/2009 22:00 through 9/17/2009 21:59.
All reports that use the local time zone filter have an extra column indicating the UTC offset that was used to
generate the report. This value is the user's current UTC offset. This column is also included in reports
exported to Excel or CSV.
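The Athens example above is easy to get wrong when correlating TPAM report rows with other audit sources. The following added example (not code from the guide or from TPAM) does the two conversions a practitioner actually needs: turning a local-date filter range into the UTC window the server queries, and normalising exported rows back to UTC using the report's offset column so they line up with a SIEM. The column names `Timestamp` and `UTC Offset`, the timestamp format, and the sample rows are assumptions for illustration; check the header of your own export.

```python
"""Local-time report windows and UTC normalisation (added example, not TPAM code)."""
import csv
import io
from datetime import datetime, timedelta, timezone

DATE_FMT = "%m/%d/%Y"            # the guide's 9/16/2009 style
TS_FMT = "%m/%d/%Y %H:%M"        # assumed format of the exported Timestamp column


def local_range_to_utc(start_date: str, end_date: str, offset_hours: int):
    """Inclusive local calendar days -> (first, last) UTC instants, to the minute.

    A fixed offset is used, as in the guide's Athens (UTC +2) example. Real zones
    shift with daylight saving time, which is why the report's own offset column,
    not an assumed zone, should drive any later normalisation.
    """
    tz = timezone(timedelta(hours=offset_hours))
    first_local = datetime.strptime(start_date, DATE_FMT).replace(tzinfo=tz)
    last_local = datetime.strptime(end_date, DATE_FMT).replace(hour=23, minute=59, tzinfo=tz)
    return first_local.astimezone(timezone.utc), last_local.astimezone(timezone.utc)


def rows_to_utc(csv_text: str, ts_col: str = "Timestamp", off_col: str = "UTC Offset"):
    """Read an exported report and add a 'utc' field computed from each row's offset column."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tz = timezone(timedelta(hours=int(row[off_col])))
        local = datetime.strptime(row[ts_col], TS_FMT).replace(tzinfo=tz)
        row["utc"] = local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
        rows.append(row)
    return rows


# Constructed sample export, not real TPAM output.
SAMPLE_EXPORT = """Timestamp,User,Action,UTC Offset
9/16/2009 00:30,athens.user,Password Release,2
9/17/2009 23:45,athens.user,Session Start,2
"""

if __name__ == "__main__":
    first, last = local_range_to_utc("9/16/2009", "9/17/2009", 2)
    print("UTC window:", first, "->", last)
    for r in rows_to_utc(SAMPLE_EXPORT):
        print(r["utc"], r["User"], r["Action"])
```

The first call reproduces the guide's numbers (9/15/2009 22:00 through 9/17/2009 21:59 UTC). Note that a row stamped 9/17/2009 23:45 local falls outside that window even though its calendar date is inside the filter, which is exactly the discrepancy the offset column exists to explain.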
Run a report
The following procedure describes the steps to run a report in TPAM.
To run a report:
1 From the Reports menu select the report.
2 On the Report Filter tab enter the filter criteria.
3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the
report.
5 Select the appropriate box in the Sort Column column to specify sort order.
6 Select the Sort Direction.
7 If viewing the report in the TPAM interface, select the Max Rows to display.
IMPORTANT: The Max Rows to Display limits the number of rows that are returned even if the
number of rows that meet the filter criteria is greater than what is selected.
8 To view the report results in TPAM click the Report tab. To adjust the width of any column on a
report, press and hold the left mouse button on the column edge and drag the mouse to the desired
width.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export
option. The Export to Excel option only exports a maximum of 64,000 rows.
Report descriptions
The following table lists the on demand reports available in TPAM.
Table 88. TPAM report descriptions
40
Network Tools
• Introduction
• The ping utility
• Nslookup utility
• TraceRoute utility
• Telnet test utility
• Display routes
Introduction
To assist the TPAM Administrator with troubleshooting common network related problems, TPAM contains
network tools that are accessible from the TPAM interface.
Nslookup utility
Nslookup is a common TCP/IP tool used to test DNS settings and perform similar information gathering using DNS
resolution. The TPAM nslookup utility uses only the DNS server(s) configured in TPAM; the option to
specify a different server is not provided. TPAM Administrators can use nslookup to resolve hostnames to IP
addresses and vice versa.
To use Nslookup:
1 Select Management | Network Tools | Nslookup from the menu.
TraceRoute utility
The traceroute utility is available for examining network routing and connectivity from TPAM to a remote IP
address or hostname. The use of traceroute is often disallowed by firewalls, routers, and other network security
infrastructure – but if allowed, it can be a valuable diagnostic tool.
To use Traceroute:
1 Select Management | Network Tools | TraceRoute from the menu.
Telnet test utility
The Telnet test utility lets a test be performed from the appliance to another system over a specific port. The
tool opens a connection to the defined port using telnet functionality to verify that a connection can be
made, and then immediately closes the connection.
Display routes
Several tools are available to manage the routing table on TPAM, if the need arises.
If necessary, TPAM System Administrators have the ability to edit the routes in the config interface.
41
CLI Commands
• Introduction
• Command standards
• Commands
Introduction
The TPAM command line interface (CLI) provides a method for authorized users or automated processes to
retrieve information from the TPAM system. Commands must be passed to TPAM via SSH (secure shell) using an
identity key file provided by TPAM. A specific CLI user ID is also required. See Add a CLI user ID for more details
on creating the user ID. CLI user IDs are case sensitive when logging on.
SSH software must be installed on any system before it can be used for TPAM CLI access.
Commands accept parameters in the style of --OptionName option value (two dashes precede the option
name). Commands that existed prior to TPAM v2.2.754 also still accept the comma-separated legacy syntax, so
existing scripts do not need to be modified unless you wish to take advantage of new parameters that have been
added to the command in later versions of TPAM.
All commands recognize an option of --Help. This expanded help syntax will show all valid options for each
command, whether the option is required or optional, and a description of the option and allowed values.
NOTE: Many of the CLI commands will not run if the TPAM appliance is in maintenance mode.
Command standards
• Options may be specified in any order in the command
• Option names are not case sensitive; --SystemName and --systemname are equivalent
• When the --Help option is used, no other processing takes place. The help text is printed and the
command terminates.
• Options marked as "optional" are just that: optional. Unlike the positional legacy syntax, they do not
need to be included in the command line as placeholders for options that come after them.
• Option names may be abbreviated “to uniqueness” for each command. For example if a command
accepts options of --SystemName, --AccountName, and --Description the option names can be
abbreviated to --S, --A, and --D, respectively. However if the options were --AccountName and --
AccountDescription they can only be abbreviated to --AccountN and --AccountD.
• Any option value that contains spaces, e.g., --Description or --RequestNotes, must be surrounded with
single or double quotes, depending on your command line shell. It is also recommended that you surround
the entire command invocation with quotes to prevent the shell from unintentionally stripping desired
quotes from your command. Additionally your shell environment may require escaping extra quotes within
your command. The following is an example using Windows® cmd.exe
[...]"UpdateSystem[...]\"Sytem1[...]\"Description for System1\"[...]
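The abbreviation and quoting rules above are the part of the CLI contract most likely to break an automation script silently, so here is an added example (not Dell's code and not the TPAM CLI itself) that implements them on the client side: it resolves an abbreviated option name case-insensitively and to uniqueness exactly as the bullets describe, rejects the ambiguous --Account case, enforces the "GroupID or GroupName but not both" rule stated for the group commands, and quotes values containing spaces before handing the whole command to ssh as a single argument. The option lists per command, the host name, user name and key path are illustrative assumptions; take the real option names from each command's --Help output.

```python
"""Client-side option resolution and quoting for the TPAM CLI (added example, not TPAM code)."""
import shlex


class OptionError(ValueError):
    """Raised for unknown, ambiguous or mutually exclusive options."""


def resolve_option(given: str, options: list) -> str:
    """Return the canonical option name that `given` uniquely abbreviates (case-insensitive)."""
    g = given.lower()
    exact = [o for o in options if o.lower() == g]
    if exact:
        return exact[0]
    matches = [o for o in options if o.lower().startswith(g)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise OptionError(f"unknown option --{given}")
    raise OptionError(f"--{given} is ambiguous: " + ", ".join("--" + m for m in matches))


# Illustrative subset of option names (assumption: confirm with `<Command> --Help`).
COMMANDS = {
    "UpdateSystem": ["SystemName", "Description", "NetworkAddress"],
    "AddGroupMember": ["UserName", "GroupID", "GroupName"],
}


def build_command(command: str, **opts) -> str:
    """Canonicalise option names, check exclusivity, and quote values for the remote shell."""
    names = COMMANDS[command]
    resolved = {resolve_option(name, names): value for name, value in opts.items()}
    if "GroupID" in resolved and "GroupName" in resolved:
        raise OptionError("--GroupID or --GroupName may be passed, but not both")
    parts = [command]
    for name, value in resolved.items():
        parts += [f"--{name}", shlex.quote(str(value))]   # quotes only when needed
    return " ".join(parts)


def ssh_argv(command_line: str, host: str = "tpam.example.com",
             user: str = "cliuser", key: str = "tpam_cli.key") -> list:
    """argv for subprocess.run: the TPAM command is one argument, so the local shell never re-splits it."""
    return ["ssh", "-i", key, f"{user}@{host}", command_line]


if __name__ == "__main__":
    cmd = build_command("UpdateSystem", S="System1", D="Description for System1")
    print(ssh_argv(cmd))
```

Because ssh joins its remaining arguments with spaces before the remote side parses them, the quoting that matters is the one `shlex.quote` applies to each value; passing the assembled string as a single argv element keeps the local shell from stripping it, which is the same advice the bullet above gives for cmd.exe.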
Commands
AddAccount--options
Adds a new system account. The CLI user must have ISA or Administrator privilege.
Table 89. AddAccount options
AddCollection--options
Creates a new collection. The CLI user must have ISA or administrator privilege.
Legacy support:
AddCollection <CollectionName>,<CollectionDescription>
AddCollectionMember--options
Creates a new collection member where the system, account and/or file and the collection(s) already exist. The
CLI user must have administrator privilege or the ISA permission over the collection and the system and/or file.
Table 91. AddCollectionMember options
Legacy support:
AddCollectionMember <MemberName>,<CollectionName>
AddGroup--options
Creates a new group. The CLI user must have ISA or administrator privilege.
Legacy support:
AddGroup <GroupName>,<GroupDescription>
AddGroupMember--options
Adds an existing user account to one or more existing groups. The CLI user must have administrator privilege.
--GroupID or --GroupName may be passed, but not both.
Legacy support:
AddGroupMember <UserName>,<GroupName>
AddPwdRequest--options
CLI users can create a password request for themselves as well as for other users. Both users (the calling CLI
user and the user the request is created for) must have request permissions on the target system. The target
user must be a web-based user, i.e., not a CLI or API user. The CLI user creating the request may later cancel
the request, but cannot approve the request they create.
Table 94. AddPwdRequest options
AddSessionRequest--options
CLI users can create a session request for themselves as well as for other users. Both users (the calling CLI
user and the user the request is created for) must have request permissions on the target system. The target
user must be a web-based user, i.e., not a CLI or API user. The CLI user creating the request may later cancel
the request, but cannot approve the request they create.
Table 95. AddSessionRequest options
AddSyncPass--options
Allows you to add a synchronized password.
Table 96. AddSyncPass options
AddSyncPwdSub--options
Allows you to add subscribers to a synchronized password.
AddSystem--options
Creates a new system. The CLI user must have ISA or Administrator privilege.
Table 98. AddSystem options
AddUser--options
Creates a new user account. The CLI user must have user administrator or administrator privilege.
Table 99. AddUser options
Legacy support:
AddUser <UserName>,<LastName>,<FirstName>,[EmailAddress],[Phone],[Mobile],[UserType(Basic default\Admin\Auditor\UserAdmin)],[InitialPassword],[DisableFl(Y\N)],[SecAuthType(NONE,SAFEWORD,SECUREID,LDAP,RADIUS,DEFENDER,WINDAD)],[SecAuthUserID],[Description]
Approve--options
Allows password requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve requests
for the system/account in the request. The CLI user cannot approve a password request they have added on
behalf of another user. Successful execution of the approve command will produce no output. This is by design.
Legacy support:
Approve <request ID>, <comment>
ApproveSessionRequest--options
Allows session requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve session
requests for the system/account in the request. The CLI user cannot approve a session request they have added
on behalf of another user. Successful execution of the approve command will produce no output. This is by
design.
Cancel--options
Allows password requests to be cancelled via TPAM CLI. The CLI user ID must be an authorized approver for the
system/account in the request. Successful execution of the cancel command will produce no output. This is by
design.
Table 102. Cancel options
Legacy support:
Cancel <requestid>,<comment>
CancelSessionRequest--options
Allows session requests to be cancelled via TPAM CLI. The CLI user ID must be an authorized approver for the
system/account in the request.
Legacy support:
CancelSessionRequest <requestid>,<comment>
ChangeUserPassword--options
Performs a forced reset on a user’s password. The CLI user must have user administrator (for non-privileged
accounts only) or administrator privilege.
Legacy support:
ChangeUserPassword <UserName>,<Password>
CheckPassword--options
Initiates a password test for the specified system account. The CLI user must have administrator privilege or the
ISA permission over the system.
Legacy support:
CheckPassword <SystemName>,<AccountName>
ClearKnownHosts--options
Removes the host entry for the system from TPAM's known hosts file. The CLI user must have PPM ISA or
Administrator privilege.
Table 106. ClearKnownHosts options
DeleteAccount--options
Soft deletes the system account. The CLI user must have ISA or Administrator privilege.
Legacy support:
DeleteAccount <systemname>,<accountname>
DeleteSyncPass--options
Deletes a synchronized password. The CLI user must have administrator privilege.
DeleteSystem--options
Soft deletes the named system. The CLI user must have administrator privilege.
Legacy support:
DeleteSystem <systemname>
DeleteUser--options
Permanently deletes the named user account. The CLI user must have administrator privilege to delete any user,
or user administrator privilege to delete any non-administrator user.
Legacy support:
DeleteUser <username>
DropCollection--options
Deletes an existing collection. The CLI user must have ISA or administrator privilege.
Table 111. DropCollection option
Legacy support:
DropCollection <CollectionName>
DropCollectionMember--options
Removes a system, account or file from one or more collections. The CLI user must have administrator privilege
or the ISA permission over the collection and system.
Legacy support:
DropCollectionMember <MemberName>,<CollectionName>
DropGroup--options
Deletes an existing group. The CLI user must have ISA or administrator privilege. --GroupID or --GroupName may
be passed, but not both.
Legacy support:
DropGroup <GroupName>
DropGroupMember--options
Removes an existing user account from one or more groups. The CLI user must have administrator privilege.
--GroupID or --GroupName may be passed, but not both.
Legacy support:
DropGroupMember <UserName>,<GroupName>
DropSyncPwdSub--options
Removes a subscriber from a synchronized password. The CLI user must have administrator privilege.
ForceReset--options
Forces a password change for the specified system account. The CLI user must have administrator privilege or
ISA permission over the system. The specified system must be auto managed.
ForceResetManual--options
Allows a password reset for a manually managed account through the CLI. This command returns a password to
be set manually and a PasswordID to be used by ManualPasswordReset to indicate the success or failure of
updating the password.
Table 116. ForceResetManual options
GetPwdRequest--options
Returns the details associated with the specified password request.
Legacy support:
GetPwdRequest <RequestID>
GetSessionRequest--options
Returns the details associated with the specified session request.
Table 119. GetSessionRequest options
Legacy support:
GetSessionRequest <RequestID>
ListAccounts--options
Lists all defined system accounts. Only systems for which the CLI user has ISA privilege will be listed.
Administrators may list all accounts.
Legacy support:
ListAccounts [SystemName (* for wildcard)],[AccountName (* for
wildcard)],[NetworkAddress (* for wildcard)],[CollectionName (* for
wildcard)],[Platform (All| (see Supported platform list)) default=All],[SysAutoFl
(All|Y|N) default=All],[AcctAutoFl (All|Y|N|M) default=All],[Dual Control Required
Flag (All|Y|N) default=All],[Sort (SystemName|AccountName|NextChangeDt)
default=SystemName],[MaxRows Default=25]
ListAcctsForPwdRequest--options
Provides a list of accounts that the user can submit a password request for.
ListAcctsForSessionRequest--options
Provides a list of accounts that the user can submit a session request for.
ListAssignedPolicies--options
Lists access policies assigned to accounts, collections, files, groups, systems or users based on specified filter
criteria. ListAssignedPolicies takes the place of both ListPermissions and ListEGPPermissions.
The output of this command is essentially the same data as the entitlement report. All users will be listed,
along with their effective permissions over any system. The output can potentially be very large. The CLI user
must be an Administrator to return the full list. ISA users will obtain a limited list based upon the scope of their
privilege.
TIP: At least one of the following options must contain a non-wildcard value in order to run this report:
AccessPolicyName, AccountName, CollectionName, FileName, GroupName, SystemName, UserName.
Table 123. ListAssignedPolicies options
ListCollections--options
Lists collections and collection members, specified by collection name or system name.
ListCollectionMembership--options
Lists collection system, account, and file name for all collections, specified collections, or specified systems.
The CLI user must have administrator privilege or the ISA permission over the collection and system.
Table 125. ListCollectionMembership options
Legacy support:
ListCollectionMembership [CollectionName (* for wildcard)],[SystemName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]
ListDependentSystems--options
Lists status of systems (dependent or not dependent) for a specific account. You must have administrator or PPM
ISA privileges on the system.
ListEGPAccounts--options
Lists all accounts that can be PSM enabled. This command has been replaced by ListPSMAccounts. See
ListPSMAccounts--options.
ListGroups--options
Lists groups and group members, specified by group name or member name, or GroupID.
ListGroupMembership--options
Lists group name and username for all groups, specified groups, or specified users. The CLI user must have
administrator privilege.
Table 128. ListGroupMembership options
Legacy support:
ListGroupMembership [GroupName (* for wildcard)],[UserName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]
ListPSMAccounts--options
Lists all accounts that can be PSM enabled.
Table 129. ListPSMAccounts options
ListReasonCodes
Lists all active reason codes defined in TPAM, together with their descriptions.
ListRequest--options
Lists basic details about password requests for which the CLI user is an approver or requestor.
Legacy support:
ListRequest [Status (All|Pending|Active|Open|Current) Default=Open],[RequestorName (*
for wildcard)],[AccountName (* for wildcard)],[SystemName (* for
wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListRequestDetails--options
Lists specific details about password requests for which the CLI user is an approver or requestor, such as
submission date, release duration, expiration date, etc.
Legacy support:
ListRequestDetails [Status(All|Pending|Active|Open|Current)
Default=Open],[RequestorName (* for wildcard)],[AccountName(* for
wildcard)],[SystemName (* for wildcard)],[StartDate (MM/DD/YY)], [EndDate
(MM/DD/YY)],[MaxRows Default=25]
ListSessionRequest--options
Lists basic details about session requests for which the CLI user is an approver or requestor.
Legacy support:
ListSessionRequest [Status (All|Pending|Active|Open|Current) Default=Open],[RequestorName (*
for wildcard)],[AccountName (* for wildcard)],[SystemName (* for
wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSessionRequestDetails--options
Lists specific details about session requests for which the CLI user is an approver or requestor, such as
submission date, release duration, expiration date, etc.
Legacy support:
ListSessionRequestDetails [Status (All|Pending|Active|Open|Current) Default=Open],[RequestorName (*
for wildcard)],[AccountName (* for wildcard)],[SystemName (* for
wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSynchronizedPasswords
Lists all synchronized passwords configured in TPAM.
ListSyncPwdSubscribers--options
Lists the subscribers of a specific synchronized password. The CLI user must have administrator privilege.
ListSystems--options
Lists all defined systems. Only systems for which the CLI user has ISA privilege will be listed. Administrators may
list all systems.
Legacy support:
ListSystems <SystemName (* for wildcard)>,[NetworkAddress (* for
wildcard)],[CollectionName (* for wildcard)],[Platform (All| (see Supported platform
list)) default=All],[SysAutoFl (All|Y|N) default=All],[Sort
(SystemName|NetworkAddress|PlatformName) default=SystemName],[MaxRows Default=25]
ListUsers--options
Lists all non-CLI users defined in TPAM. The CLI user must have administrator or user administrator privilege.
Table 136. ListUsers options
Legacy support:
ListUsers <UserName (* for wildcard)>,[EmailAddress (* for wildcard)],[GroupName (*
for wildcard)],[UserInterface (All|CLI|WEB|API) default=All],[UserType
(All,Basic,Admin,Auditor,UAdmin) default=All],[Status (All|Enabled|Disabled|Locked)
default=All],[SecondaryAuthType (All|SafeWord|SecureID|LDAP|RADIUS|WINAD|DEFENDER
|None) default=All],[Sort (UserName|FirstName|LastName) default=UserName],[MaxRows
Default=25]
ManualPasswordReset--options
Indicates whether resetting the password for a manually managed account succeeded or failed.
ReportActivity--options
Runs the activity report from the CLI.
Table 138. ReportActivity options
Retrieve--options
Provides a mechanism to retrieve a password for a managed system/account. The CLI user ID must be
authorized to retrieve the password, either by having ISA permissions for the account or by having an approved
request ID. If the CLI user is a requestor, the --RequestID parameter must be used. The optional requirement for
dual control does not apply to CLI releases. The comment is not required.
Legacy support:
Retrieve <systemname>, <accountname>, <TimeRequired(in minutes)>,<comment>
SetAccessPolicy--options
Allows you to add or remove an access policy assignment to an account, collection, file, group, system, or user.
Replaces the old CLI commands of GrantPermission, SetPermission, SetEGPPermission, and RevokePermissions.
Table 140. SetAccessPolicy options
SSHKey--options
Retrieves or regenerates system and PSM specific keys. Also can retrieve system standard keys.
SyncPassForceReset--options
Forces the reset of a synchronized password, changing it in priority order. The CLI user must have administrator
privilege.
TestSystem--options
Initiates a system test. The CLI user must have administrator privilege or the ISA permission over the system.
Table 143. TestSystem option
Legacy support:
TestSystem <SystemName>
UnlockUser--options
Unlocks a currently locked user account. The CLI user must have ISA, User Administrator or Administrator
privilege.
Legacy support:
UnlockUser <UserName>
UpdateAccount--options
Modifies an existing account. The CLI user must have ISA or Administrator privilege. You can only update the
password for an account that is not auto-managed.
Table 145. UpdateAccount options
UpdateCollection--options
Allows you to update the PSM Affinity assignment for a collection.
Table 146. UpdateCollection options
UpdateDependentSystems--options
Allows you to update the dependent systems assigned to an account. You must have Administrator or PPM ISA
privileges on the system.
UpdateEGPAccount--options
Modifies the PSM details of an existing account. The CLI user must have PPM ISA and PSM ISA or Administrator
privilege. Same parameters as UpdatePSMAccount.
UpdatePSMAccount--options
Replaces the UpdateEGPAccount command.
Table 148. UpdatePSMAccount options
UpdateSyncPass--options
Allows you to update a synchronized password.
Table 149. UpdateSyncPass options
UpdateSystem--options
Modifies an existing system. The CLI user must have ISA or Administrator privilege.
Table 150. UpdateSystem options
UpdateUser--options
Modifies an existing user account. The CLI user must have user administrator or administrator privilege.
Table 151. UpdateUser options
Legacy support:
UpdateUser
<UserName>,[LastName],[FirstName],[EmailAddress],[Phone],[Mobile],[UserType
(Basic|Admin|Auditor|UserAdmin)],[DisableFl(Y|N)],[SecAuthType(NONE,SAFEWORD,SECUREID,
LDAP,RADIUS,DEFENDER,WINAD)],[SecAuthUserID],[Description]
UserSSHKey--options
Regenerates or retrieves an API key for yourself or for other users. The CLI user must be an administrator.
IMPORTANT: If regenerating your own key make sure not to overwrite the old key file before the command
has completed.
IMPORTANT: Regenerating a user’s key will immediately make their old key invalid. The user will have to
put this new key in place before being able to access TPAM again.
42 Application Programming Interface (API)
• Introduction
• C++ library
• .NET library
• PERL library
• Java® library
• C++ examples
• .NET examples (C#)
Introduction
The TPAM Application Programming Interface (API) allows client applications, via an SSH (Secure Shell)
connection to the TPAM appliance, to perform many of the operations provided in the TPAM User Interface.
The operations supported by the TPAM API are identical to the operations provided by the TPAM Command Line
Interface (CLI). See CLI Commands for details on the TPAM CLI.
The TPAM API is available in several programming languages to allow customers to use their choice of
programming languages when working with the API. Details for using the API in each programming language are
provided in later sections of this document.
As mentioned above, the operations are invoked on the TPAM appliance via an SSH connection. An identity file
key created by TPAM and a user ID with API key based authentication selected are required for the API to be
able to establish the SSH connection. The necessary SSH client software is included with the TPAM API library,
except for non-Windows® installations of the Perl version of the TPAM API. In this case, the client machine must
have SSH software installed and available in the directory path.
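The SSH connection described above, as an added example that is not part of this guide or of the TPAM API libraries: a small Python wrapper that runs one CLI command (the legacy Retrieve syntax from the CLI Commands section) through the OpenSSH client with the identity file and API-key user the text requires. Two things are assumptions beyond what the page states: that the CLI command text is passed as the SSH remote command, and that the appliance's host key has been recorded beforehand in a dedicated known_hosts file so it can be pinned. The host, key path, user name and known_hosts path are constructed values.

```python
"""Added example (not from the TPAM guide or its API libraries): invoke one TPAM
CLI command over SSH with the OpenSSH client, key-only and non-interactive.
Assumptions: the CLI command line is passed as the SSH remote command, and the
appliance host key is already pinned in a dedicated known_hosts file."""
import re
import subprocess
from dataclasses import dataclass


@dataclass
class TpamEndpoint:
    host: str          # TPAM appliance address (constructed sample value)
    key_file: str      # identity file created by TPAM for the API user
    user: str          # TPAM user configured for API key based authentication
    known_hosts: str   # file holding the appliance's pinned host key (assumption)


# The legacy syntax is comma separated on a single line, so a value containing a
# comma or a line break would shift or split the argument list; reject it.
_FIELD_RE = re.compile(r"^[^\r\n,]+$")


def _field(value: str, name: str) -> str:
    if not _FIELD_RE.match(value):
        raise ValueError(f"{name} may not be empty or contain ',' or line breaks")
    return value


def retrieve_command(system: str, account: str, minutes: int, comment: str = "") -> str:
    """Build the legacy line 'Retrieve <systemname>,<accountname>,<TimeRequired(in minutes)>,<comment>'.
    The comment is optional, as the CLI reference states."""
    if isinstance(minutes, bool) or not isinstance(minutes, int) or minutes <= 0:
        raise ValueError("TimeRequired must be a positive number of minutes")
    parts = [_field(system, "systemname"), _field(account, "accountname"), str(minutes)]
    if comment:
        parts.append(_field(comment, "comment"))
    return "Retrieve " + ",".join(parts)


def ssh_argv(ep: TpamEndpoint, command: str) -> list:
    """Argument vector for OpenSSH: TPAM-issued key only, no password fallback,
    and a pinned host key so a changed or unknown appliance key fails closed."""
    return [
        "ssh",
        "-i", ep.key_file,
        "-o", "BatchMode=yes",              # never fall back to an interactive prompt
        "-o", "IdentitiesOnly=yes",         # offer only the key named with -i
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
        "-o", f"UserKnownHostsFile={ep.known_hosts}",
        f"{ep.user}@{ep.host}",
        command,
    ]


def run_cli(ep: TpamEndpoint, command: str, timeout: int = 60) -> tuple:
    """Run one CLI command on the appliance (network call). Returns
    (ssh exit status, stdout, stderr); for Retrieve, stdout carries the password,
    so the caller must hand it to its consumer and never write it to a log."""
    proc = subprocess.run(ssh_argv(ep, command), capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Constructed endpoint values; only the argument vector is shown, no connection is made.
    ep = TpamEndpoint("192.168.70.3", "/home/api/parapiuser.txt", "parapiuser",
                      "/home/api/tpam_known_hosts")
    print(" ".join(ssh_argv(ep, retrieve_command("testsys", "root", 5, "change ticket 123"))))
```

Pinning the host key in a file the application controls, rather than relying on whatever is in the user's default known_hosts, is what makes the retrieved password safe against a substituted endpoint; with BatchMode set, a mismatch aborts the command instead of prompting.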
C++ library
The TPAM API C++ library is provided as a static library. It is distributed with several other libraries that are
required by the TPAM API C++ library.
The main class of the library is ApiClient. This class provides the SSH connection to TPAM and provides the
method used to execute the various operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the C++ library.
Most classes fall into the category of business objects, commands, results, or exceptions.
See C++ examples for examples of using the C++ library.
Class APIClient
Class ApiClient is used to create the SSH connection to TPAM and execute the various commands provided by the
library. This main class contains only a few functions.
Table 153. Class APIClient functions
Class Description
Account This class contains the attributes of an account.
Alias This class contains the attributes of an alias.
CollectionMembership This class contains the attributes of a collection membership.
EDMZSystem This class contains the attributes of a system.
EgpAccount This class contains the attributes of an EGP account.
GroupMembership This class contains the attributes of a group membership.
Permission This class contains the attributes of a permission.
Policy This class contains the attributes of an access policy.
PsmAccount This class contains the attributes of a PSM account.
PwdRequest This class contains the attributes of a password request. It is based on the Request
class.
Request This class contains the attributes common to a password or session request.
SessionRequest This class contains the attributes of a session request. It is based on the Request
class.
SynchronizedPassword This class contains the attributes of a synchronized password.
SyncPwdSubscriber This class contains the attributes of a synchronized password subscriber.
User This class contains the attributes of a user.
Command classes
Each “command” class implements a single operation that can be performed on TPAM. The constructor for each
class accepts the mandatory data that is required by TPAM to execute the operation.
Some operations have optional values that may be specified. Several of the add and update operations allow
optional attributes of the business object being added or updated to be set. The list operations allow optional
selection criteria to be specified in order to narrow the results returned by TPAM. See Setting operational values
for operations for details.
An instance of one of these “command” classes is passed to method sendCommand of class ApiClient to have
the operation carried out on TPAM. After execution, a “result” class can be queried for details of the outcome
of the operation. This result class is accessed via method getResult() of the “command” class. In the case of
commands that query data from TPAM, if the result indicates success, the retrieved data will be available within
the “command” class after execution of the operation on TPAM.
Table 155. C++ Library: Command classes
Class                           Result class detailing execution outcome   Method used to access retrieved data
RetrieveCommand                 Result                                     getPassword() returns the password as a string
RetrieveWithTicketCommand       Result                                     getPassword() returns the password as a string
SetAccessPolicyCommand          Result                                     N/A
SshKeyCommand                   Result                                     getMessage() method of Result contains returned SSH key
SyncPassForceResetCommand       Result                                     N/A
TestSystemCommand               Result                                     N/A
UnlockUserCommand               Result                                     N/A
UpdateAccountCommand            IDResult                                   N/A
UpdateAccountTicketCommand      IDResult                                   N/A
UpdateCollectionCommand         Result                                     N/A
UpdateDependentSystemsCommand   Result                                     N/A
UpdateEgpAccountCommand         IDResult                                   N/A
UpdatePsmAccountCommand         IDResult                                   N/A
UpdateSyncPassCommand           Result                                     N/A
UpdateSystemCommand             IDResult                                   N/A
UpdateSystemTicketCommand       IDResult                                   N/A
UpdateUserCommand               IDResult                                   N/A
UserSshKeyCommand               Result                                     getMessage() method of Result contains returned SSH key
Table 156. Command classes
Selection criteria for the list operations are specified by using the setter methods of the “command” classes
that perform the list operations. See the example code provided in C++ examples.
Results classes
The “result” classes detail the result of the execution of operations on TPAM.
Class Attributes
Result Integer return code: zero indicates successful execution of command, non-zero indicates
failure.
String message: a message returned by TPAM with brief information about the execution of
command.
IDResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer ID: on successful command execution, this value is the row number of the
modified database record.
ListResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer row count: on successful list operations, this value tells how many entries have
been returned by TPAM. Query the appropriate attribute of the "command" class to access
the data returned by TPAM.
Exception classes
The C++ TPAM API Library will throw exceptions under error conditions. Each exception contains a message
describing the failure.
Class Description
ParseException This exception will be thrown if there is a failure while parsing a response from TPAM.
SshException This exception will be thrown if there is a problem with the SSH connection being used
to communicate with TPAM.
ValidationException This exception will be thrown if validation fails on any data prior to sending that data to
TPAM for processing. Note that most data validation is done by TPAM itself. Under this
scenario, if invalid data is passed to TPAM, ValidationException is not raised. Instead,
the result from execution of the command on TPAM will indicate a failure and the result
message details the failure reason.
.NET library
The TPAM API .NET library is provided as a Windows® DLL file. It is distributed alongside the TPAM API C++
Library.
The main class of the library is ApiClientWrapper. This class provides the SSH connection to TPAM and methods
to execute all available operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the .NET library.
These classes fall into the categories of business objects, filters, and results.
See .NET examples (C#) for examples of using the .NET library.
Table 159. ApiClientWrapper methods
Class Description
Account This class contains the attributes of an account.
AcctForPwdRequest This class contains the attributes of an account that is available for password request.
AcctforSessionRequest This class contains the attributes of an account that is available for session request.
Activity This class contains the attributes of an entry in the activity report.
Collection This class contains the attributes of a collection.
CollectionMembership This class contains the attributes of a collection membership.
DependentSystem This class contains the attributes of a dependent system.
EDMZSystem This class contains the attributes of a system.
EgpAccount This class contains the attributes of an Egp account.
Group This class contains the attributes of a group.
GroupMembership This class contains the attributes of a group membership.
Policy This class contains the attributes of an access policy.
Table 160. .Net Library: Business object classes
Class Description
PsmAccount This class contains the attributes of a PSM account.
PwdRequest This class contains the attributes of a password request. It is based on the Request
class.
ReasonCode This class contains the attributes of a reason code.
Request This class contains the attributes common to a password or session request.
SessionRequest This class contains the attributes of a session request. It is based on the Request class.
SynchronizedPassword This class contains the attributes of a synchronized password.
SyncPwdSubscriber This class contains the attributes of a synchronized password subscriber.
User This class contains the attributes of a user.
Filter classes
The “filter” classes are used to specify selection criteria for data being requested from TPAM.
Class Description
AccountFilter Provides selection criteria for ListAccounts
AcctForPwdRequestFilter Provides selection criteria for listAccountsForPwdRequest
AcctforSessionRequestFilter Provides selection criteria for listAccountsForSessionRequest
ActivityFilter Provides selection criteria for reportActivity
CollectionFilter Provides selection criteria for listCollections
CollectionMembershipFilter Provides selection criteria for listCollectionMembership
DependentSystemFilter Provides selection criteria for listDependentSystems
EgpAccountFilter Provides selection criteria for listEgpAccounts
GroupFilter Provides selection criteria for listGroups
PolicyFilter Provides selection criteria for listAssignedPolicies
PsmAccountFilter Provides selection criteria for listPSMAccounts
RequestFilter Provides selection criteria for listRequestDetails
SessionRequestFilter Provides selection criteria for listSessionRequestDetails
SystemFilter Provides selection criteria for listSystems
UserFilter Provides selection criteria for listUsers
Parms classes
The “parms” classes are used to specify optional parameters for various methods implemented in
ApiClientWrapper.
Class Description
AddCollectionMemberParms Allows setting of optional parameters for addCollectionMember method
AddCollectionParms Allows setting of optional parameters for addCollection method
AddPwdRequestParms Allows setting of optional parameters for addPwdRequest method
AddSessionRequestParms Allows setting of optional parameters for addSessionRequest method
AddSyncPassParms Allows setting of optional parameters for addSyncPass method
Table 162. .Net Library: Parms classes
Class Description
DropCollectionMemberParms Allows setting of optional parameters for dropCollectionMember method
RetrieveParms Allows setting of optional parameters for the retrieve method
SetAccessPolicyParms Allows setting of optional parameters for the setAccessPolicy method
SshKeyParms Allows setting of optional parameters for sshKey method
UpdateCollectionParms Allows setting of optional parameters for updateCollection method
UpdateDependentSystemParms Allows setting of optional parameters for updateDependentSystems method
UpdateEgpAccountParms Allows setting of optional parameters for updateEgpAccount method
UpdatePsmAccountParms Allows setting of optional parameters for updatePsmAccount method
UpdateSyncPassParms Allows setting of optional parameters for updateSyncPass method
UserSshKeyParms Allows setting of optional parameters for userSshKey method
Results classes
The “result” classes detail the result of the execution of operations on TPAM.
Class Attributes
Result Integer return code: zero indicates successful execution of command, non-zero indicates
failure.
String message: a message returned by TPAM with brief information about the execution of
command.
IDResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer ID: on successful command execution, this value is the row number of the modified
database record.
ListResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer row count: on successful list operations, this value tells how many entries have been
returned by TPAM.
Array of Objects: array containing "row count" elements, with each element being an object of
type described under business objects as requested by the operation.
NOTE: This array is used internally by the API. It simply refers to the data being returned as an
OUT parameter of list operations. It is suggested that applications using the API use the OUT
parameters instead of this array.
PERL library
Documentation for the TPAM API Perl library is available in PERL POD format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.
Java® library
Documentation for the TPAM API Java® library is available in Javadoc format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.
C++ examples
The following examples have minimal error checking for simplicity.
void addSystem(ApiClient& client)
{
// Add a dummy system.
AddSystemCommand asc("testsys", "147.148.149.150", "AS400");
Result* result = rc.getResult();
if (result->getReturnCode() == 0)
{
cout << "retrieve: The password is " << rc.getPassword() << endl;
}
else
{
cout << "Failed retrieving password: " << result->getMessage() << endl;
}
}
// Execute the operation on TPAM.
client.sendCommand(dac);
int main()
{
ApiClient client("192.168.70.3", "C:/keys/parapiuser.txt", "parapiuser");
try
{
client.connect();
try
{
addSystem(client);
addAccount(client);
updateAccount(client);
retrieve(client);
listAccounts(client);
listSystems(client);
deleteAccount(client);
deleteSystem(client);
getPwdRequest(client);
}
catch (ValidationException& vex)
{
cout << "ValidationException: " << vex.toString() << endl;
}
catch (ParseException& pex)
{
cout << "ParseException: " << pex.toString() << endl;
}
idresult.returnCode, idresult.message);
}
if (result.returnCode == 0)
{
// If returnCode indicates success, the message is the password.
Console.WriteLine("retrieve: The password is {0}",
result.message);
}
else
{
// If returnCode indicates failure,
// the message is an actual message.
Console.WriteLine("Failed retrieving password: {0}",
result.message);
}
}
}
}
if (lr.returnCode == 0)
{
for (int i = 0; i < lr.rowCount; i++)
{
Console.WriteLine("listSystems: System name: {0}",
systems[i].systemName);
}
}
}
if (lr.returnCode == 0)
{
Console.WriteLine(
"getPwdRequest: Status of request {0} is {1}",
request.requestID,
request.requestStatus);
}
else
{
Console.WriteLine("Unexpected result for getPwdRequest: {0}",
lr.message);
}
}
"192.168.70.3",
"C:\\keys\\parapiuser.txt",
"parapiuser");
try
{
client.connect();
addSystem(client);
addAccount(client);
updateAccount(client);
retrieve(client);
listAccounts(client);
listSystems(client);
deleteAccount(client);
deleteSystem(client);
getPwdRequest(client);
}
catch (ApplicationException aex)
{
Console.WriteLine("Exception: {0}", aex.Message);
}
finally
{
client.disconnect();
}
}
43 Configuration for Capturing Events on Windows® Systems
• Introduction
• General j-Interop requirements
• Summary of common problems
• Firewall related problems
• Explicitly opening DCOM ports
• Dynamically opening DCOM ports
• Remote registry related problems
• Local security policy related problems
• User account control (UAC) related problems
• Registry key related problems
• Operating systems
• Windows® event requirements
Introduction
TPAM provides the ability to capture events during PSM sessions to certain platforms. J-Interop is used on DPAs
to help capture events on Windows® systems. Special configuration may be required on Windows® systems in
order for j-Interop to work. In addition to setting up the Windows® system so that j-Interop works correctly,
certain Windows® events must be generated in order for the event capture code to determine when sessions
start and stop.
This chapter describes configuration that may be necessary to enable event capture on Windows® systems.
These are general directions, so the buttons, dialog boxes, etc. discussed here may differ slightly from those
encountered on the various Windows® operating systems.
Depending on the version of Windows® in use, different steps are required, or the same steps must be carried
out differently.
Operating system       Firewall            Remote registry      Local security       User account         Registry key
                                           service              permissions          control (UAC)        permissions
Windows® XP            Action Required     No Changes Needed    Action Required      N/A                  No Changes Needed
Windows® Vista         Action Required     Action Required      No Changes Needed    Action Required      No Changes Needed
Windows® 7             Action Required     Action Required      No Changes Needed    Action Required      Action Required
Windows® Server 2003   No Changes Needed   No Changes Needed    No Changes Needed    N/A                  No Changes Needed
Explicitly opening DCOM ports
If you want to control which ports DCOM may open, you can limit the port range by using dcomcnfg. This makes
it possible to explicitly open ports for DCOM communication. Otherwise the DCOM system will use any free port.
For the first 5 entries all Windows® versions already have predefined rules that can be activated:
Local security policy related problems
This problem appears to affect only Windows® XP systems. Although the configuration option is present in all
Windows® operating systems, only on Windows® XP is it configured by default in a way that prevents j-Interop
from working correctly.
The security policy Network access: Sharing and security model for local accounts is set to Guest only: local
users authenticate as Guest by default. This has to be changed to Classic: local users authenticate as
themselves. While it is set to Guest only, all remotely logged-in users have only guest permissions on the target
system.
8 In order to make the ownership change effective, you have to commit the changes by clicking on OK first
and then reopening the Permissions dialog
9 In the reopened Permissions dialog, add or select the user or group you want to access the system under
and select the check box for allowing Full Control.
10 Click OK
11 Right-click the key a third time and select Permissions...
12 Click Advanced
13 Select the Owner tab. (In some releases this is not a tab, so find the mechanism used to change the
owner.)
14 Enter the following username (you can't select it from any list) NT Service\TrustedInstaller.
15 Click OK as necessary to exit
NOTE: After the first session is started, and j-Interop has created these registry entries, it is safe to reset
the permissions back to original values.
Operating systems
The following sections describe changes that may be required for each Windows® operating system to support j-
Interop.
Windows® XP
All Microsoft client operating systems starting with Windows® XP SP2 ship with a firewall, which blocks almost
all inbound traffic. See Firewall related problems for more information.
After the firewall is configured on Windows® XP systems, some Local Security Policy settings have to be changed,
or j-Interop will not be able to connect. See Local security policy related problems for more information on how
to resolve that problem.
The system should then be accessible.
Windows® Vista
Starting with Windows® Vista, the client operating systems have the Remote Registry service disabled by
default. See Remote registry related problems for how to enable it.
As with Windows® XP, the firewall has to be configured. See Firewall related problems for more information.
Windows® Vista also introduced User Account Control (UAC). See User account control (UAC) related
problems for details.
The system should then be accessible.
Windows® 7
To make Windows® 7 accessible, perform the same steps as for Windows® Vista: configure the
firewall, start the Remote Registry service, and configure User Account Control (UAC).
There were also some changes to permissions in the Registry that prevent j-Interop from functioning
correctly. See Registry key related problems.
Now the system should be accessible.
After these changes the connection should also work with Windows® Server 2008 R2 and later operating systems.
Windows® event requirements
The event capture code must be able to track the beginning and end of a specific Windows® logon session. This
is accomplished by monitoring specific Windows® logon and logoff events. Therefore, events indicating
successful logon or reconnect and logoff or disconnect must be generated by the Windows® system. The IDs of
the specific events that must be generated by the Windows® system, and where to configure generation of the
events, are as follows.
Operation | Windows® Vista / Server 2008 and later event ID | Security audit policy path
Logon | 4624 - An account was successfully logged on. | Advanced Audit Policy Configuration - Logon/Logoff - Audit Logon
Logoff | 4634 - An account was logged off. | Advanced Audit Policy Configuration - Logon/Logoff - Audit Logoff
Logoff | 4647 - User initiated logoff. | Advanced Audit Policy Configuration - Logon/Logoff - Audit Logon
Reconnect | 4778 - A session was reconnected to a Windows® station. | Advanced Audit Policy Configuration - Logon/Logoff - Audit Other Logon/Logoff events
Disconnect | 4779 - A session was disconnected from a Windows® station. | Advanced Audit Policy Configuration - Logon/Logoff - Audit Other Logon/Logoff events
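The following is an added example, not part of the guide or of TPAM's event capture code, showing how the five event IDs above are paired into session intervals: a session is active from a logon (4624) or reconnect (4778) until the next disconnect (4779) or logoff (4634/4647), and a disconnect alone does not end the logon session. The event records and their field names (id, time, logon_id, user) are constructed for the example and are an assumption about how the Security log is read.

```python
"""Pair Windows logon/logoff/reconnect/disconnect events into session intervals.
Added example; the record schema below is a constructed assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOGON, LOGOFF, USER_LOGOFF, RECONNECT, DISCONNECT = 4624, 4634, 4647, 4778, 4779
END_EVENTS = {LOGOFF, USER_LOGOFF, DISCONNECT}


@dataclass
class Session:
    logon_id: str
    user: str
    start: int                      # time of the 4624 that created the session
    end: Optional[int] = None       # time of 4634/4647; None while still logged on
    segments: List[Tuple[int, int]] = field(default_factory=list)  # active intervals


def track_sessions(events: List[dict]) -> Dict[str, Session]:
    """Return {logon_id: Session}. Events are dicts with 'id', 'time', 'logon_id',
    'user' (constructed schema); they are processed in time order."""
    sessions: Dict[str, Session] = {}
    open_since: Dict[str, int] = {}   # logon_id -> start of the current active segment
    for ev in sorted(events, key=lambda e: e["time"]):
        lid, eid, t = ev["logon_id"], ev["id"], ev["time"]
        if eid == LOGON:
            sessions[lid] = Session(lid, ev["user"], t)
            open_since[lid] = t
        elif lid not in sessions:
            continue                  # end/reconnect without a known logon: cannot be tracked
        elif eid == RECONNECT and lid not in open_since:
            open_since[lid] = t       # 4778 resumes a disconnected session
        elif eid in END_EVENTS and lid in open_since:
            sessions[lid].segments.append((open_since.pop(lid), t))
            if eid != DISCONNECT:     # 4779 only pauses; 4634/4647 terminate the session
                sessions[lid].end = t
    return sessions


def unterminated(sessions: Dict[str, Session]) -> List[str]:
    """Logon IDs with no logoff yet: what a missing Audit Logoff policy would leave behind."""
    return sorted(lid for lid, s in sessions.items() if s.end is None)


# Constructed sample: alice logs on, disconnects, reconnects, logs off; bob never logs off.
SAMPLE = [
    {"id": 4624, "time": 100, "logon_id": "0x3E7A1", "user": "alice"},
    {"id": 4779, "time": 160, "logon_id": "0x3E7A1", "user": "alice"},
    {"id": 4778, "time": 200, "logon_id": "0x3E7A1", "user": "alice"},
    {"id": 4647, "time": 260, "logon_id": "0x3E7A1", "user": "alice"},
    {"id": 4624, "time": 300, "logon_id": "0x41B22", "user": "bob"},
]
```

Running `track_sessions(SAMPLE)` yields two active segments for alice (100-160 and 200-260) with the session ended at 260, while bob's session stays open; if the Audit Logoff or Audit Other Logon/Logoff policies are not enabled, the corresponding ends are never observed and sessions remain unterminated.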
44
Appliance Specifications
Table 167. Appliance specifications
Feature/Spec | Standard TPAM / Standard DPA / Standard cache | Enterprise TPAM
Processor | 1 E5-2400 Intel® Xeon® processor family | 2 E5-2400 Intel® Xeon® processor family
# of Processors | 1 | 2
# of Cores per Processor | Quad | Quad
L2/L3 Cache | 10 MB | 10 MB
Chipset | Intel® C600 series | Intel® C600 series
DIMMs | DDR3 R-DIMMs | DDR3 R-DIMMs
RAM | 4 GB | 8 GB
HD Bays | 4 x 3.5 Hot Plug | 4 x 3.5 Hot Plug
HD Types | SATA/SAS/SSD | SAS add-in controller
Internal HD Controller | PERC H310 Integrated RAID Controller | PERC H710P Integrated RAID Controller, 1 GB NV Cache
Disk | 2 x 500 GB | 4 x 300 GB SAS
Availability | ECC Memory, Hot-swap HDD; Redundant PSU, TPM | Hot-swap HDD; Redundant PSU; Memory mirroring, TPM
I/O Slots | 1 x PCIe x16 | 1 x PCIe x16; half height, half length
RAID | RAID 1 Mirrored | RAID10
NIC/LOM | 2x GbE LOM | 2x GbE LOM
DRAC | iDRAC7 Enterprise | iDRAC7 Enterprise
USB | 2 front/2 rear/2 internal | 2 front/2 rear/2 internal
Power Supplies/Details | Redundant, 350W, Auto Ranging (100V~240V), ACPI compatible | Redundant, 550W, Auto Ranging (100V~240V), ACPI compliant
Fans | 3 Non-redundant, non-hot-swappable | 4 Non-redundant, non-hot-swappable
Chassis | 1U rack | 1U rack
Dimension (HxWxD) | 42.8 x 434.0 x 677.3 (mm) (w/o bezel); 1.68 x 17.08 x 26.66 (in) | 42.8 x 434.0 x 607 (mm) (w/o ear, w/o bezel); 1.68 x 17.08 x 23.9 (in)
Operating Temp | 10° to 35°C | 10° to 35°C
Regulatory Certifications (additional country certification available upon request) | Class A: Australia/N.Z. - AMCA or C-Tick; Canada - SCC, IES; European Union - CE; Germany - TUV; United States - FCC, NRTL | Class A: Australia/N.Z. - AMCA or C-Tick; Canada - SCC, IES; European Union - CE; Germany - TUV; United States - FCC, NRTL
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.
Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
[email protected]