Password Manager Security Overview
- It may manage and store credentials in the FlexNet Beacon vault, an encrypted area of the registry on the inventory beacon Windows server, as described below.
- Where integration with CyberArk is detected (by the presence of the CyberArk Credential Provider installed on the inventory beacon), Password Manager can request use of credentials already saved in a CyberArk vault. In this mode, Password Manager stores references to the credentials, including query strings that allow for the recovery of the appropriate credential for a given purpose. This mode applies when both of the following are true:
  - The CyberArk Credential Provider is detected on the same inventory beacon.
  - There is at least one credential saved in Password Manager on the inventory beacon for which the Vault value is CyberArk.
In either mode, whether storing credentials locally or saving references to credentials available in CyberArk, the FlexNet Beacon vault makes use of the same security technologies, as described here.
Independence
Each Password Manager is completely independent on its own inventory beacon. (Further, no Password Manager communicates accounts or passwords to the central application server, although of course error reporting is centrally available.)
On each inventory beacon, you can create records in Password Manager using a graphical user interface or using a command-line utility. These methods operate independently. For example, even if an operator disables CyberArk integration in the graphical user interface, you can still manage integration with CyberArk (such as adding records of credentials available there) through the command-line interface.
Storage
Credentials entered into Password Manager for saving in the FlexNet Beacon vault are encrypted, Base64 encoded, and stored in the registry on the inventory beacon under HKLM\SOFTWARE\ManageSoft Corp\ManageSoft\PasswordStore. Encryption uses a key derived from a primary password. (References to credentials saved in a CyberArk vault are not encrypted, since the security aspect here belongs to CyberArk.)
Initialization
At initialization, Password Manager uses CryptGenRandom to generate a 256-bit string that serves as the primary password. This string is then encoded using Base64 and stored as a local private data object using LsaStorePrivateData. This object is accessible only to administrators on the individual inventory beacon.
Re-encryption
C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecution\mgspswd --recrypt
With the --recrypt option, this tool decrypts all the credentials in the Password Manager on the inventory beacon where it runs (using the old primary password), generates a new primary password, and re-encrypts all stored credentials/references with the new primary password. For more information about the mgspswd utility, see Command-Line Updates to Password Manager.
Operation
Password Manager relies on the CryptoAPI support in the inventory beacon's version of Windows. The process is:
- The primary password is retrieved using LsaRetrievePrivateData.
- An encryption key is derived from it using PBKDF2 with HMAC-SHA-256, using the AES cipher and a 256-bit key. This uses the default CryptoAPI provider of type PROV_RSA_AES.
- The key derivation function generates an additional 128-bit initialization vector.
All ciphers are used in CBC mode with PKCS #5 / RFC 1423 padding.
FlexNet Manager Suite (On-Premises)
2023 R1