Password Manager Security Overview

FlexNet Manager Suite 2023 R1 (On-Premises)
Password Manager may operate in either of two modes:
  • It may manage and store credentials in the FlexNet Beacon vault, an encrypted area of the registry on the inventory beacon Windows server, as described below.
  • Where integration with CyberArk is detected (by the presence of the CyberArk Credential Provider installed on the inventory beacon), Password Manager can request use of credentials already saved in a CyberArk vault. In this mode, Password Manager stores references to the credentials, including query strings that allow for the recovery of the appropriate credential for a given purpose.
When CyberArk is detected, its use may be disabled for a given inventory beacon, in which case storage remains available in the FlexNet Beacon vault.
In addition, when CyberArk integration is detected and enabled, each individual credential may be designated for storage in either the FlexNet Beacon vault or the CyberArk vault. This mix-and-match capability suits mixed environments, for example one that requires CyberArk credentials in production but allows credentials stored locally in the FlexNet Beacon vault for testing, to reduce administrative overhead.
Tip: The CyberArk option remains available when either of the following is true:
  • The CyberArk Credential Provider is detected on the same inventory beacon
  • There is at least one credential saved in Password Manager on the inventory beacon for which the Vault value is CyberArk.

In either mode, whether storing credentials locally or saving references to credentials available in CyberArk, the FlexNet Beacon vault makes use of the same security technologies, as described here.

Independence

Each Password Manager is completely independent on its own inventory beacon. (Further, no Password Manager communicates accounts or passwords to the central application server, although of course error reporting is centrally available.)

On each inventory beacon, you can create records in Password Manager using a graphical user interface or using a command-line utility. These methods operate independently. For example, even if an operator disables CyberArk integration in the graphical user interface, you can still manage integration with CyberArk (such as adding records of credentials available there) through the command-line interface.

Storage

Credentials entered into Password Manager for saving in the FlexNet Beacon vault are encrypted, Base64 encoded, and stored in the registry on the inventory beacon under HKLM\SOFTWARE\ManageSoft Corp\ManageSoft\PasswordStore. Encryption uses a key derived from a primary password (see Initialization and Operation below). (References to credentials saved in a CyberArk vault are not encrypted, since the secrets themselves remain in, and are protected by, the CyberArk vault.)

Initialization

On each inventory beacon, the primary password is created the first time that Password Manager is accessed: CryptGenRandom generates 256 random bits, which are Base64 encoded and stored as a local private data object using LsaStorePrivateData. LSA private data is readable only by administrators of that individual inventory beacon.
Important: Private data objects are only as secure as the computer on which they are stored, and any operator with administrator privileges can read them. If regular domain operators are members of the Administrators group on an inventory beacon, they too will be able to view the Password Manager vault on that server. Review your user configuration to ensure that only appropriate operators are members of the Administrators group on any inventory beacon.

Re-encryption

The following command line tool can be used if it ever becomes necessary to generate a new primary password (or security key):
C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecution\mgspswd --recrypt
With the --recrypt option, this tool decrypts all the credentials in the Password Manager on the inventory beacon where it runs (using the old primary password), generates a new primary password, and re-encrypts all stored credentials and references with the new primary password. For more information about the mgspswd utility, see Command-Line Updates to Password Manager.

Operation

In use in the FlexNet Beacon vault, the encryption and key derivation functions rely on the CryptoAPI support in the inventory beacon's version of Windows. The process is:
  1. The primary password is retrieved using LsaRetrievePrivateData.
  2. A 256-bit AES key is derived from the primary password using PBKDF2, with HMAC-SHA-256 as the pseudorandom function. This uses the default CryptoAPI provider of type PROV_RSA_AES.
  3. The same key derivation run also produces a 128-bit initialization vector (one AES block).

All ciphers are used in CBC mode with PKCS #5 / RFC 1423 padding. CBC with this padding provides confidentiality only: it does not by itself detect a modified ciphertext, so the integrity of the stored values, like the secrecy of the primary password, rests on the registry and LSA access controls described under Initialization.
