Using Password Manager

You may update the credentials saved in Password Manager using a graphical user interface, or by using a command-line tool (see Command-Line Updates to Password Manager in System Reference). This topic describes how to use the Password Manager GUI to change stored credentials.

You use these processes on any applicable inventory beacon in your enterprise. They apply independently on each inventory beacon, with no possible interaction between them.

Tip: For Windows-based computers, use net use \\machineName\ipc$ to test that login credentials work before adding them to Password Manager. To test an account other than the one you are currently logged in as, add the /user: switch; once the test succeeds, drop the session again with net use \\machineName\ipc$ /delete so that no connection is left open with the tested credentials.

The Password Manager interface is dynamic, with the available controls depending on whether the inventory beacon is configured for integration with CyberArk Privileged Account Security, as well as on the type of credential you are storing.

Tip: When integration with CyberArk is required, your CyberArk administrator must complete the CyberArk configuration before you start the following process (for more information, see Configuring CyberArk for Use with Password Manager in System Reference). In addition, storing credentials in CyberArk for reference through Password Manager requires that the Use CyberArk Credential Provider on this inventory beacon check box (on the Password management tab of the FlexNet Beacon interface, described in Password Management Tab) is selected.

To maintain credentials registered in the Password Manager:

1. Start Password Manager in either of the following ways:
In the inventory beacon interface, select the Password Management tab, and click Launch Password Manager.
Run the Password Manager executable from Windows Explorer or a command line. By default, the file location is:

C:\Program Files\Flexera Software\Inventory Beacon\RemoteExecution\mgspswdw.exe

The FlexNet Beacon Password Manager opens in its own window. In this dynamic interface, the controls displayed depend on your choices (initially, default fields are shown disabled until you make the appropriate first choices).

2. Choose whether to create a new entry or modify an existing one:
To create a new entry, in the Current credentials group, click New.
To modify an existing entry, click that entry in the list in the Current credentials group.

In either case, controls in the Editor group are activated. When you are updating an existing entry, the controls are populated with the currently saved values.

Tip: The other controls available in the Current credentials group have the following effects:

Refresh clears any selection in the listing, and updates the listing from the FlexNet Beacon vault.
Re-Initialize... decrypts all encrypted credentials from the FlexNet Beacon vault using the current primary password; clears that primary password; initializes a new primary password for this inventory beacon; and re-encrypts all existing credentials with the new primary password.
Delete... (enabled only when you select one credential from the listing) offers to remove the selected credential from the FlexNet Beacon vault. (If you are using CyberArk to store credentials, the credential saved in the CyberArk Vault is not affected, and only the reference to that credential is removed from the FlexNet Beacon vault.)
Delete All... offers to purge the FlexNet Beacon vault on this inventory beacon of all saved credentials. (Once again, when CyberArk is in use, no credentials within the CyberArk Vault are affected, and these must be managed separately. However, references in the FlexNet Beacon vault to those credentials are deleted, rendering the credentials saved in CyberArk unusable by this inventory beacon.)
Use only filtered credentials check box below the list of Current credentials, when selected, means that a credential is only tested and used when at least one filter has been applied, limiting its use to a specific set of target devices. (Adding filters is described below.) Unfiltered credentials, which are those showing None in the Filters column in the list of Current credentials, are never used on this inventory beacon while this check box is set. They are not removed from the vault, however, and may all be returned to use by clearing the Use only filtered credentials check box. Alternatively, you may update any individual unfiltered credential to add at least one filter to it. (Keep in mind that there is no communication of settings between inventory beacons, so if you are changing this setting on one, consider whether you need to repeat that change across all your inventory beacons.)
3. For a new credential, supply a Logical name that you will recognize in listings over time.

This descriptive, friendly name for a credential (that is, an account name and password pair) must be unique on this inventory beacon. You may repeat logical names on other inventory beacons, since they do not share credential data; but within each Password Manager, the logical name must be unique.

Logical names allow flexibility, in conjunction with filter settings, to specify a credential for exactly one computer, or a credential that you may use on a group of computers.

4. When the Vault control is visible, CyberArk integration has been detected on this inventory beacon (or the local vault already contains at least one credential referenced from CyberArk). For normal use, accept the default CyberArk value (which means that the credentials are saved in a CyberArk Vault that is referenced from Password Manager).

For special cases (such as quick settings in a test environment), you may switch this value to FlexNet Beacon if required. Switching this value changes the controls displayed in the remainder of the editor.

Tip: When there is no Vault control visible, storage is always local in the FlexNet Beacon vault.

5. Specify the kind of credential in the Account type field.

Choose the account type appropriate for the kind of connection that the inventory beacon must make:

Windows domain account if remote execution tasks run as a domain user
Local account on Windows device if remote execution tasks run as a local user on the computer
SSH account (password) if you connect to managed devices using SSH in order to run tasks on them, and SSH on the managed devices is configured to require a password for login
SSH account (key pair) if you connect to managed devices using SSH in order to run tasks on them, and SSH on the managed devices is configured to require a public-private key pair for login
Account on VMware ESX server if you remotely execute tasks on virtual servers of this type
Account on VMware VirtualCenter if you remotely execute tasks on virtual servers of this type
Password for Oracle listener to connect to a server running Oracle listener services
Account on Oracle database to connect to an instance of Oracle Database
Oracle VM management API account to connect to Oracle VM Manager.

The available controls dynamically change to suit your selection.
6. Complete the remaining editor controls. All possible controls (ordered alphabetically) are included in this list, and only a selection of these are available for your chosen Account type:

Property / Description

Domain

Enter the domain hosting the target device. This is mandatory for credentials that require cross-domain trust.

If you include special characters such as /[]:;|=,+*?<>, a dialog displays, asking you to confirm that you have correctly typed the domain name. This is to help prevent you recording domain names incorrectly in Password Manager.

Displayed when:

Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
Account type is Windows domain account or Account on VMware VirtualCenter.

Elevate privilege with

For target devices running UNIX-like operating systems, you can specify that login should be attempted with elevated privileges. To do so, select one of the available options, or enter the command name to use. There is a separate password for privilege elevation, distinct from the login password: enter the privilege elevation password in both the Privilege password and adjacent Re-type password fields.

Tip: If sudo on the target device(s) is configured to allow escalation of privileges without requiring an interactive password, leave both privilege elevation password fields blank.

The login process is then like this:

1. The first (non-elevated) credential is used to log in to the device.
2. The command identified in this field is issued to start the privilege escalation tool (such as sudo or priv).
3. That tool issues a prompt for interactive entry of the privilege password (such as Password:).
4. Recognizing that prompt, the inventory beacon supplies the privilege password.


If the inventory beacon does not recognize the prompt, login stalls and no inventory is collected from the device. To prevent this, you can specify the exact text that the inventory beacon must recognize. The FlexNet Beacon engine waits for a prompt matching the Privilege password prompt value before it responds with the privilege password. If the real prompt is not an exact match for the default Password:, enter the correct value in Privilege password prompt (described below).

The sudo tool typically issues a prompt similar to this:

[sudo] password for userName: 

You could enter this entire value in the Privilege password prompt field, since you know the User name for this login; but if this credential is reused across multiple servers, that approach is fragile, because the default sudo prompt varies across versions and locales of UNIX-like operating systems. A robust alternative is to use the following settings:

1. In Elevate privilege with, enter

sudo -p flxpwd: 

The -p option instructs sudo to use the specified text as its password prompt, instead of the platform default, whenever it is invoked by the FlexNet Beacon engine.

2. In Privilege password prompt, enter:

flxpwd: 

(or exactly the prompt value you specified in the field described above).

3. Be sure to also specify the Privilege password in both the required fields.

When invoked by the FlexNet Beacon engine, sudo now issues a known prompt, which in turn is recognized by the FlexNet Beacon engine, and inventory collection can proceed.

Tip: Check that sudo elevation is permitted for the following commands:

/bin/date is used as a test to confirm that login and privilege escalation has worked
/bin/sh is required for execution of the adoption agent (ndinstall.sh)
/bin/rm is required to remove the file saved during adoption.

Displayed when:

Vault is either value
Account type is either SSH account (password) or SSH account (key pair).
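The prompt exchange described above, as an added example written for this page (not FlexNet Beacon code): a small Python model of an expect-style reader that, like the beacon engine, buffers the target's output until it ends with the configured Privilege password prompt. The fake_sudo function is a constructed stand-in for sudo on the target, and the sample prompts and the user name alice are assumptions. It shows the default Password: prompt failing against a typical Linux sudo prompt, and the sudo -p flxpwd: setting succeeding whatever the platform's own prompt or locale.

```python
"""Model of the privilege-escalation prompt exchange (added example, not beacon code)."""
import re
from typing import Iterable, List, Tuple

DEFAULT_PROMPT = "Password:"   # the default Privilege password prompt named on this page
FIXED_PROMPT = "flxpwd:"       # the value recommended above for sudo -p


def wait_for_prompt(chunks: Iterable[str], expected: str) -> Tuple[bool, str]:
    """Buffer the target's output until it ends with `expected` (trailing blanks ignored).

    Returns (True, buffer) once the prompt is recognised, so the caller may send the
    privilege password; (False, buffer) if the stream ends first, which is the stall
    the page warns about."""
    buf = ""
    for chunk in chunks:
        buf += chunk
        if buf.rstrip(" ").endswith(expected):
            return True, buf
    return False, buf


def fake_sudo(elevate_with: str, user: str, os_prompt: str) -> List[str]:
    """Constructed stand-in for sudo on the target (an assumption, not real sudo).

    Honours 'sudo -p <prompt>' by printing exactly <prompt>; a bare 'sudo' prints the
    platform's own default, which is what differs between OS versions and locales.
    The text is returned in 3-character pieces to mimic partial reads over SSH."""
    m = re.fullmatch(r"sudo(?:\s+-p\s+(\S+))?", elevate_with.strip())
    if m is None:
        raise ValueError("only 'sudo' or 'sudo -p <prompt>' are modelled here")
    text = m.group(1) if m.group(1) else os_prompt.format(user=user)
    return [text[i:i + 3] for i in range(0, len(text), 3)]


def elevation_proceeds(elevate_with: str, privilege_prompt: str, user: str = "alice",
                       os_prompt: str = "[sudo] password for {user}: ") -> bool:
    """True if the beacon would recognise the prompt and send the privilege password."""
    seen, _ = wait_for_prompt(fake_sudo(elevate_with, user, os_prompt), privilege_prompt)
    return seen


if __name__ == "__main__":
    # Default settings against a typical Linux prompt: stalls.
    print(elevation_proceeds("sudo", DEFAULT_PROMPT))                   # False
    # Recommended settings: works regardless of the platform prompt or locale.
    print(elevation_proceeds("sudo -p " + FIXED_PROMPT, FIXED_PROMPT))  # True
    print(elevation_proceeds("sudo -p " + FIXED_PROMPT, FIXED_PROMPT,
                             os_prompt="Contraseña: "))                 # True
```

Matching is an exact, case-sensitive suffix comparison, which is why "[sudo] password for alice: " never satisfies the default Password: value. On a target you can also confirm that the three commands listed in the tip above are permitted by running sudo -l /bin/date, sudo -l /bin/sh and sudo -l /bin/rm as the login account: sudo prints the permitted command and exits with status 0, or exits with status 1 when the command is not allowed.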

Key pair loaded

You see a visual indication of whether or not the private-public key pair is loaded. If it is not already loaded, use the Browse... button to browse to and select the file containing the private key data. The key can be in the OpenSSH format (generated with ssh-keygen) or in the PuTTY format (generated with PuTTYgen.exe). For information on generating key pairs, see the OpenSSH and PuTTY documentation.

Before you attempt to connect to target devices using these credentials, the public key data must be in place on the target. The intended location for this data varies according to the SSH implementation you are using. For example, for OpenSSH, the public key is expected to be a one-line entry in ~/.ssh/authorized_keys. Use the View... button to see the public key in order to copy and paste it to the appropriate location on target devices.

Displayed when:

Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
Account type is SSH account (key pair).

Password

A password is mandatory for the Password for Oracle listener account type, if the Oracle listener has been configured with a password. Passwords are optional for all other account types.

Displayed when:

Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
Account type is anything other than SSH account (key pair).

Privilege password

Enter the password the inventory beacon should issue for privilege escalation. For further discussion, see Elevate privilege with.

Displayed when:

Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
Account type is SSH account (password) or SSH account (key pair).

Privilege password prompt

Enter the exact password prompt to which the inventory beacon should respond for privilege escalation. For further discussion, see Elevate privilege with.

Displayed when:

Vault is either value
Account type is any value.

Privilege query

Specify a distinct query string expected by CyberArk for it to return the privilege escalation credential. This credential must already exist in CyberArk, where it is regarded as "just another credential"—the recognition of this credential as a second-stage requirement for the same device is all saved in Password Manager. As with Query, get details of the query string from your CyberArk administrator; and if it includes white space, enclose it in double quotation marks.

Tip: In this mode, using a CyberArk vault for storage, Password Manager has no knowledge of the public/private key pair, which is now under the control of CyberArk (and its administrator). The public key is still required to be in place before FlexNet Beacon attempts remote execution on a target device; but now you must ask your CyberArk administrator for that data.

Displayed when:

Vault is CyberArk 
Account type is SSH account (password) or SSH account (key pair).

Query

Specify the exact query string expected by CyberArk for it to return the required credential. Of course, the credential itself (account name and password pair) must already exist in the appropriate CyberArk vault and safe (the vault is specified when CyberArk integration is first configured, and the safe may optionally be specified as part of the query string). If the query string contains any white space, it should be enclosed in double quotation marks (otherwise, these are optional). Details of the query string are specific to your implementation of CyberArk, and must be obtained from your CyberArk administrator.

Displayed when:

Vault is CyberArk 
Account type is SSH account (password) or SSH account (key pair).

Re-type password

If you supplied a password in the Password (or Privilege password) field, repeat it here to confirm that you have entered it correctly.

Displayed when:

Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
Displayed for all account types.

User

The account name, or username.

If you include special characters such as /[]:;|=,+*?<>, a dialog displays, asking you to confirm that you have correctly typed the account name. This is to help prevent you recording account names incorrectly in Password Manager.

Note: For Oracle listeners, no user name is required in Password Manager.

Tip: Where a credential supports (or requires) cross-domain trust, best practice is to use the separate Domain control to specify the target domain. For special cases where the Domain control is not available but a domain is required, you may include the domain name in this field with the typical backslash separator:

myDomain\svcAccount 

Displayed when:

Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
Account type is anything other than Password for Oracle listener.
7. Optionally, for Filter, click View/Edit... if you want to restrict the target devices on which this named pair of account name and password should be tested.

The Password Store: Password Filter dialog displays.

8. Complete any number of the fields to filter devices where the current named pair of account name and password will be used. If this pair may apply to multiple devices, you may include multiple values, comma separated, in any of these fields. Click OK to save your filter settings.

Filter matching is applied when tasks are being remotely executed on devices. The purpose of filtering is to limit the devices on which each credential is tested, so that a compromised device in your network cannot harvest those passwords that are never tested against it. The following details apply:

No rules map particular credentials to particular types of remote execution. Filters only apply to the characteristics of the target device.
When you specify multiple values in a filter field, separated by commas, a match is made against that field if any one of the specified values matches the device (logical OR). There is no operating difference between a match for one of the values and a match of multiple values in the same filter field.
If a filter match occurs between a credential and a targeted device, the username/password pair are used to attempt connection to the device.
Unfiltered accounts are only tested as credentials if both:
The Use only filtered credentials check box below the list of Current credentials is clear (not selected), and 
All accounts with filter field matches have already been attempted without success.
If a target device matches filters recorded for several credentials, the credentials are ordered by the number of matches in the filters for each credential. The credential with the most matches is tried first. For example: device MyComputer matches two filter fields for the credential operator and one filter for the credential administrator, so that the credentials for operator are attempted first. When credentials have the same number of filter matches, ordering is random. To give one credential higher priority than others, give it more matching filter fields.

Tip: When CyberArk integration is available and enabled, the vault used for saving a particular credential has no effect on the prioritization of the credentials for testing against the target device. When CyberArk integration is available but disabled, any credentials stored in the CyberArk vault are ignored; but the priority order is otherwise unchanged. (For enabling/disabling the use of CyberArk, see Password Management Tab.) In the general case where you wish to use only credentials saved in the CyberArk Vault in your production environment, do not save any overlapping credentials in the FlexNet Beacon vault.

DNS names and Oracle names are matched against leading, complete sub-sections of the relevant name. For example, the name tmnis:
Matches either tmnis.MyDomain.com or tmnis.AnotherDomain.com 
Does not match tmnisou.MyDomain.com (because tmnis is not immediately followed by a period) 
Does not match MyComputer.tmnis.com (because it does not begin with tmnis).

It may be helpful to specify the fully qualified service name in the Oracle service names filter to avoid unintentional matches. To use a filter to match service names with multiple suffixes, you can specify each fully qualified service name in the filter, separated by commas.

Tip: The Oracle service names filter only applies for accounts of type Account on Oracle database.
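The selection and ordering rules above, as an added example written for this page (not FlexNet Beacon code): a Python model in which the filter field names dns_name, ip_address and oracle_service_name, the Credential class, and the sample device and credentials are all assumptions. The rules themselves are the ones the text states: values within one field are ORed, the credential with the most matching fields is tried first, ties fall in random order, filtered credentials that match nothing are never tried, unfiltered credentials come last or (with Use only filtered credentials set) not at all, dotted names match on leading complete sub-sections, and the Oracle service names filter counts only for Account on Oracle database.

```python
"""Model of how Password Manager filters select and order credentials (added example)."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ORACLE_DB = "Account on Oracle database"
# Fields matched on leading, complete sub-sections of a dotted name.
PREFIX_FIELDS = {"dns_name", "oracle_service_name"}


@dataclass
class Credential:
    logical_name: str
    account_type: str
    # filter field -> the comma-separated value list exactly as typed in the dialog
    filters: Dict[str, str] = field(default_factory=dict)


def name_prefix_match(pattern: str, name: str) -> bool:
    """'tmnis' matches 'tmnis.MyDomain.com' but not 'tmnisou.MyDomain.com'
    or 'MyComputer.tmnis.com'.  Case-insensitive (an assumption, as DNS is)."""
    p, n = pattern.strip().lower().rstrip("."), name.strip().lower().rstrip(".")
    return bool(p) and (n == p or n.startswith(p + "."))


def field_matches(cred: Credential, fname: str, device_value: Optional[str]) -> bool:
    """A filter field matches when ANY of its comma-separated values matches."""
    if device_value is None:
        return False
    if fname == "oracle_service_name" and cred.account_type != ORACLE_DB:
        return False  # this filter only applies to Account on Oracle database
    for value in (v.strip() for v in cred.filters[fname].split(",")):
        if not value:
            continue
        if fname in PREFIX_FIELDS:
            if name_prefix_match(value, device_value):
                return True
        elif value.lower() == device_value.lower():
            return True
    return False


def match_count(cred: Credential, device: Dict[str, str]) -> int:
    """Number of filter FIELDS that match; several values in one field count once."""
    return sum(1 for f in cred.filters if field_matches(cred, f, device.get(f)))


def order_credentials(creds: List[Credential], device: Dict[str, str],
                      use_only_filtered: bool,
                      rng: Optional[random.Random] = None) -> List[str]:
    """Logical names in the order the beacon would try them against `device`."""
    scored = [(match_count(c, device), c) for c in creds if c.filters]
    matched = [(n, c) for n, c in scored if n > 0]   # filtered but unmatched: never tried
    (rng or random).shuffle(matched)                  # ties land in random order ...
    matched.sort(key=lambda nc: nc[0], reverse=True)  # ... and a stable sort keeps it
    ordered = [c.logical_name for _, c in matched]
    if not use_only_filtered:                         # unfiltered: last, or never
        ordered += [c.logical_name for c in creds if not c.filters]
    return ordered


# Constructed sample data, not from any real inventory beacon.
CREDENTIALS = [
    Credential("operator", "SSH account (password)",
               {"dns_name": "tmnis, mycomputer", "ip_address": "10.0.0.5,10.0.0.6"}),
    Credential("administrator", "Windows domain account", {"dns_name": "mycomputer"}),
    Credential("dba", ORACLE_DB, {"oracle_service_name": "orcl.mydomain.com"}),
    Credential("fallback", "SSH account (password)"),   # Filters column shows None
]
DEVICE = {"dns_name": "MyComputer.MyDomain.com", "ip_address": "10.0.0.6",
          "oracle_service_name": "orcl.otherdomain.com"}

if __name__ == "__main__":
    print(order_credentials(CREDENTIALS, DEVICE, False))  # ['operator', 'administrator', 'fallback']
    print(order_credentials(CREDENTIALS, DEVICE, True))   # ['operator', 'administrator']
```

In the sample, operator matches two fields (a DNS prefix and an IP address) and administrator one, so operator is tried first; dba's fully qualified service name does not match the device's differently suffixed service, so that credential is never offered to the device; and fallback, having no filters, is tried only after every matching credential has failed, and not at all once Use only filtered credentials is selected.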

9. Complete your editing by clicking Apply. You may either repeat the process for another credential, or click Exit to close the Password Manager.

The details you have specified are encrypted and saved in the FlexNet Beacon vault (in the registry on this inventory beacon), either as a saved credential, or as a reference to a credential previously saved in CyberArk.

Tip: If fetching a credential fails during production, an error is reported on the Status tab of the discovered device properties for the target device. Where the credentials are saved in the CyberArk Vault, the error report includes the entire error message received from CyberArk.