Using Password Manager
You may update the credentials saved in Password Manager using a graphical user interface, or by using a command-line tool (see the topic Command-Line Updates to Password Manager in the FlexNet Manager Suite 2019 R1 System Reference PDF, available through the title page of online help). This topic describes how to use the Password Manager GUI to change stored credentials.
Tip: You can test that Windows login credentials work before adding them to Password Manager by connecting to the target's IPC share from a command prompt, for example net use \\machineName\ipc$ * /user:myDomain\svcAccount (the asterisk makes net use prompt for the password, so that it does not end up in your command history). To maintain credentials registered in the Password Manager:
- Start Password Manager in either of the following ways:
  - In the inventory beacon interface, select the Password management page, and click Launch Password Manager.
  - Run the Password Manager executable from Windows Explorer or a command line. By default, the file location is C:\Program Files\Flexera Software\Inventory Beacon\RemoteExecution\mgspswdw.exe.
  The FlexNet Beacon Password Manager opens in its own window. In this dynamic interface, the controls displayed depend on your choices (initially, default fields are shown disabled until you make the appropriate first choices).
- Choose whether to create a new entry or modify an existing one:
- To create a new entry, in the Current credentials group, click New.
- To modify an existing entry, click that entry in the list in the Current credentials group.
  In either case, controls in the Editor group are activated. When you are updating an existing entry, the controls are populated with the currently saved values.
  Tip: The other controls available in the Current credentials group have the following effects:
  - Refresh clears any selection in the listing, and updates the listing from the FlexNet Beacon vault.
- Re-Initialize... decrypts all encrypted credentials from the FlexNet Beacon vault using the current master password; clears that master password; initializes a new master password for this inventory beacon; and re-encrypts all existing credentials with the new master password.
- Delete... (enabled only when you select one credential from the listing) offers to remove the selected credential from the FlexNet Beacon vault. (If you are using CyberArk to store credentials, the credential saved in the CyberArk Vault is not affected, and only the reference to that credential is removed from the FlexNet Beacon vault.)
- Delete All... offers to purge the FlexNet Beacon vault on this inventory beacon of all saved credentials. (Once again, when CyberArk is in use, no credentials within the CyberArk Vault are affected, and these must be managed separately. However, references in the FlexNet Beacon vault to those credentials are deleted, rendering the credentials saved in CyberArk unusable by this inventory beacon.)
- Use only filtered credentials check box below the list of Current credentials, when selected, means that a credential is only tested and used when at least one filter has been applied, limiting its use to a specific set of target devices. (Adding filters is described below.) Unfiltered credentials, which are those showing None in the Filters column in the list of Current credentials, are never used on this inventory beacon while this check box is set. They are not removed from the vault, however, and may all be returned to use by clearing the Use only filtered credentials check box. Alternatively, you may update any individual unfiltered credential to add at least one filter to it. (Keep in mind that there is no communication of settings between inventory beacons, so if you are changing this setting on one, consider whether you need to repeat that change across all your inventory beacons.)
- For a new credential, supply a Logical name that you will recognize in listings over time.
  This descriptive, friendly name for a credential (that is, an account name and password pair) must be unique on this inventory beacon. You may repeat logical names on other inventory beacons, since they do not share credential data; but within each Password Manager, the logical name must be unique.
  Logical names allow flexibility, in conjunction with filter settings, to specify a credential for exactly one computer, or a credential that you may use on a group of computers.
- When the Vault control is visible, CyberArk integration has been detected on this inventory beacon (or the local vault already contains at least one credential referenced from CyberArk). For normal use, accept the default CyberArk value (which means that the credentials are saved in a CyberArk Vault that is referenced from Password Manager).
  For special cases (such as quick settings in a test environment), you may switch this value to FlexNet Beacon if required. Switching this value changes the controls displayed in the remainder of the editor.
  Tip: When there is no Vault control visible, storage is always local in the FlexNet Beacon vault.
- Specify the kind of credential in the Account type field. Choose the account type appropriate for the kind of connection that the inventory beacon must make:
- Windows domain account if remote execution tasks run as a domain user
- Local account on Windows device if remote execution tasks run as a local user on the computer
- SSH account (password) if you connect to managed devices using SSH in order to run tasks on them, and SSH on the managed devices is configured to require a password for login
- SSH account (key pair) if you connect to managed devices using SSH in order to run tasks on them, and SSH on the managed devices is configured to require a public-private key pair for login
- Account on VMware ESX server if you remotely execute tasks on virtual servers of this type
- Account on VMware VirtualCenter if you remotely execute tasks on virtual servers of this type
- Password for Oracle listener to connect to a server running Oracle listener services
- Account on Oracle database to connect to an instance of Oracle Database
- Oracle VM management API account to connect to Oracle VM Manager.
- Complete the remaining editor controls. All possible controls (ordered alphabetically) are included in this list, and only a selection of these are available for your chosen Account type:
  Domain: Enter the domain hosting the target device. This is mandatory for credentials that require cross-domain trust. If you include special characters such as /[]:;|=,+*?<>, a dialog displays, asking you to confirm that you have correctly typed the domain name. This is to help prevent you recording domain names incorrectly in Password Manager.
  Displayed when:
  - Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
  - Account type is Windows domain account or VMware VirtualCenter.
  Elevate privilege with: For target devices running UNIX-like operating systems, you can specify that login should be attempted with elevated privileges. To do so, select one of the available options, or enter the command name to use. There is a separate password for privilege elevation, distinct from the login password: enter the privilege elevation password in both the Privilege password and adjacent Re-type password fields.
  Tip: If sudo on the target device(s) is configured to allow escalation of privileges without requiring an interactive password, just leave blank the two fields for privilege elevation password.
  The login process is then like this:
  - The first (non-elevated) credential is used to log in to the device.
  - The command identified in this field is issued to start the privilege escalation tool (such as sudo or priv).
  - That tool issues a prompt for interactive entry of the privilege password (such as Password:).
  - Recognizing that prompt, the inventory beacon supplies the privilege password.
  Obviously, if the inventory beacon does not recognize the prompt, login and subsequent inventory collection will stall. To prevent this, you can specify the exact text that the inventory beacon must recognize. The FlexNet Beacon engine waits for a prompt matching the Privilege password prompt value before it responds with the privilege password. If the real prompt is not an exact match for the default Password:, enter the correct value in Privilege password prompt (described below).
  Tip: The sudo tool typically issues a prompt similar to this:
  [sudo] password for userName:
  You could enter this entire value in the Privilege password prompt field, since you know the User name for this login; but (assuming that this credential is reused across multiple servers) this approach is fragile, because the prompt text varies across different versions of UNIX-like operating systems and of sudo itself. A more robust alternative is to use the following special settings:
  - In Elevate privilege with, enter sudo -p flxpwd:
    The -p option instructs sudo to issue the specified prompt (for a password) when it is invoked by the FlexNet Beacon engine.
  - In Privilege password prompt, enter flxpwd: (or exactly the prompt value you specified in the field described above).
  - Be sure to also specify the Privilege password in both the required fields.
  sudo now issues a known prompt, which in turn is recognized by the FlexNet Beacon engine, and inventory collection can proceed.
  Tip: Check that sudo elevation is permitted for the following commands:
  - /bin/date is used as a test to confirm that login and privilege escalation has worked
  - /bin/sh is required for execution of the adoption agent (ndinstall.sh)
  - /bin/rm is required to remove the file saved during adoption.
  Keep in mind that allowing /bin/sh through sudo gives the login account a root shell, so on every target where it can elevate, this account is effectively root-equivalent. Treat the credential accordingly: restrict it with filters to the devices that need it, prefer the SSH account (key pair) type where you can, and do not reuse the account for other purposes.
  Displayed when:
  - Vault is either value
  - Account type is either SSH account (password) or SSH account (key pair).
  Key pair loaded: You see a visual indication of whether or not the private-public key pair is loaded. If it is not already loaded, use the Browse... button to browse to and select the file containing the private key data. The key can be in the OpenSSH format (generated with ssh-keygen) or in the PuTTY format (generated with PuTTYgen.exe). For information on generating key pairs, see the OpenSSH and PuTTY documentation.
  Before you attempt to connect to target devices using these credentials, the public key data must be in place on the target. The intended location for this data varies according to the SSH implementation you are using. For example, for OpenSSH, the public key is expected to be a one-line entry in ~/.ssh/authorized_keys. Use the View... button to see the public key in order to copy and paste it to the appropriate location on target devices. Only the public key is copied to targets; the private key remains with the inventory beacon.
  Displayed when:
  - Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
  - Account type is SSH account (key pair).
  Password: A password is mandatory for the Password for Oracle listener account type, if the Oracle listener has been configured with a password. Passwords are optional for all other account types.
  Displayed when:
  - Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
  - Account type is anything other than SSH account (key pair).
  Privilege password: Enter the password the inventory beacon should issue for privilege escalation. For further discussion, see Elevate privilege with.
  Displayed when:
  - Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
  - Account type is SSH account (password) or SSH account (key pair).
  Privilege password prompt: Enter the exact password prompt to which the inventory beacon should respond for privilege escalation. For further discussion, see Elevate privilege with.
  Displayed when:
  - Vault is either value
  - Account type is any value.
  Privilege query: Specify a distinct query string expected by CyberArk for it to return the privilege escalation credential. This credential must already exist in CyberArk, where it is regarded as "just another credential"; the knowledge that this credential is a second-stage requirement for the same device is held only in Password Manager. As with Query, get details of the query string from your CyberArk administrator; and if it includes white space, enclose it in double quotation marks.
  Tip: In this mode, using a CyberArk vault for storage, Password Manager has no knowledge of the public/private key pair, which is now under the control of CyberArk (and its administrator). The public key is still required to be in place before FlexNet Beacon attempts remote execution on a target device; but now you must ask your CyberArk administrator for that data.
  Displayed when:
  - Vault is CyberArk
  - Account type is SSH account (password) or SSH account (key pair).
  Query: Specify the exact query string expected by CyberArk for it to return the required credential. Of course, the credential itself (account name and password pair) must already exist in the appropriate CyberArk vault and safe (the vault is specified when CyberArk integration is first configured, and the safe may optionally be specified as part of the query string). If the query string contains any white space, it must be enclosed in double quotation marks (otherwise, these are optional). Details of the query string are specific to your implementation of CyberArk, and must be obtained from your CyberArk administrator.
  Displayed when:
  - Vault is CyberArk
  - Account type is SSH account (password) or SSH account (key pair).
  Re-type password: If you supplied a password in the Password (or Privilege password) field, repeat it here to confirm that you have entered it correctly.
  Displayed when:
  - Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
  - Displayed for all account types.
  User: The account name, or username. If you include special characters such as /[]:;|=,+*?<>, a dialog displays, asking you to confirm that you have correctly typed the account name. This is to help prevent you recording account names incorrectly in Password Manager.
  Note: For Oracle listeners, no user name is required in Password Manager.
  Tip: Where a credential supports (or requires) cross-domain trust, best practice is to use the separate Domain control to specify the target domain. For special cases where the Domain control is not available but a domain is required, you may include the domain name in this field with the typical backslash separator: myDomain\svcAccount
  Displayed when:
  - Vault is FlexNet Beacon (or when Vault is not available, in which case FlexNet Beacon is used)
  - Account type is anything other than Password for Oracle listener.
- Optionally, for Filter, click View/Edit... if you want to restrict the target devices on which this named pair of account name and password should be tested.
  The Password Store: Password Filter dialog displays.
- Complete any number of the fields to filter devices where the current named pair of account name and password will be used. If this pair may apply to multiple devices, you may include multiple values, comma separated, in any of these fields. Click OK to save your filter settings.
  Filter matching is applied when tasks are being remotely executed on devices. The purpose of filtering is to limit the devices on which each credential is tested: a credential is presented only to devices that match its filters, so a compromised device in your network cannot harvest passwords that are never tested against it. The following details apply:
- No rules map particular credentials to particular types of remote execution. Filters only apply to the characteristics of the target device.
- When you specify multiple values in a filter field, separated by commas, a match is made against that field if any one of the specified values matches the device (logical OR). There is no operating difference between a match for one of the values and a match of multiple values in the same filter field.
- If a filter match occurs between a credential and a targeted device, the username/password pair are used to attempt connection to the device.
- Unfiltered accounts are only tested as credentials if both:
- The Use only filtered credentials check box below the list of Current credentials is clear (not selected), and
- All accounts with filter field matches have already been attempted without success.
  - If a target device matches filters recorded for several credentials, the credentials are ordered by the number of matches in the filters for each credential. The credential with the most matches is tried first. For example: device MyComputer matches two filter fields for the credential operator and one filter for the credential administrator, so that the credentials for operator are attempted first. When credentials have the same number of filter matches, ordering is random. To give one credential higher priority than others, give it more matching filter fields.
    Tip: When CyberArk integration is available and enabled, the vault used for saving a particular credential has no effect on the prioritization of the credentials for testing against the target device. When CyberArk integration is available but disabled, any credentials stored in the CyberArk vault are ignored; but the priority order is otherwise unchanged. (For enabling/disabling the use of CyberArk, see Password Management Page.) In the general case where you wish to use only credentials saved in the CyberArk Vault in your production environment, do not save any overlapping credentials in the FlexNet Beacon vault.
  - DNS names and Oracle names are matched against leading, complete sub-sections of the relevant name. For example, the name tmnis:
    - Matches either tmnis.MyDomain.com or tmnis.AnotherDomain.com
    - Does not match tmnisou.MyDomain.com (because tmnis is not immediately followed by a period)
    - Does not match MyComputer.tmnis.com (because it does not begin with tmnis).
  Tip: The Oracle service names filter only applies for accounts of type Account on Oracle database.
- Complete your editing by clicking Apply. You may either repeat the process for another credential, or click Exit to close the Password Manager.
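The privilege-elevation handshake described under Elevate privilege with, as an added example that is not code from Flexera or the FlexNet Beacon engine. It simulates a target running sudo and an engine that answers only a prompt matching its Privilege password prompt value, which shows why the default Password: stalls against a real sudo prompt, why hard-coding [sudo] password for userName: breaks when the credential is reused under another user name, and how sudo -p flxpwd: makes the prompt predictable. The fake device, its output, the shell prompt and all helper names are constructed for this illustration.

```python
"""Added example, not code from Flexera or the FlexNet Beacon engine: a simulation
of the privilege-elevation handshake described under 'Elevate privilege with'.
The fake device, its output, the shell prompt and all helper names are constructed
for this illustration; the real engine's internals are not published on this page."""

import re
import shlex
from typing import Optional

SHELL_PROMPT = "$ "                               # constructed: target's normal shell prompt
DATE_OUTPUT = "Thu Jan 31 10:15:42 UTC 2019\n"    # constructed /bin/date output
MAX_SUDO_ATTEMPTS = 3                             # sudo's default passwd_tries


class FakeUnixDevice:
    """Stand-in for an SSH target running sudo; answers one input line at a time."""

    def __init__(self, user: str, privilege_password: str, passwordless: bool = False):
        self.user = user
        self.privilege_password = privilege_password
        self.passwordless = passwordless          # NOPASSWD in sudoers: no prompt at all
        self._pending_prompt: Optional[str] = None
        self._attempts = 0

    def run(self, line: str) -> str:
        if self._pending_prompt is not None:      # sudo is waiting for the password
            if line == self.privilege_password:
                self._pending_prompt = None
                return DATE_OUTPUT + SHELL_PROMPT
            self._attempts += 1
            if self._attempts >= MAX_SUDO_ATTEMPTS:
                self._pending_prompt = None
                return f"sudo: {MAX_SUDO_ATTEMPTS} incorrect password attempts\n" + SHELL_PROMPT
            return "Sorry, try again.\n" + self._pending_prompt
        argv = shlex.split(line)
        if argv and argv[0] == "sudo":
            if self.passwordless:
                return DATE_OUTPUT + SHELL_PROMPT
            # sudo -p TEXT replaces the default prompt with TEXT, printed verbatim.
            prompt = f"[sudo] password for {self.user}: "
            if "-p" in argv:
                prompt = argv[argv.index("-p") + 1]
            self._pending_prompt, self._attempts = prompt, 0
            return prompt
        return SHELL_PROMPT


def elevate(device: FakeUnixDevice, elevate_with: str, expected_prompt: str,
            privilege_password: Optional[str]) -> str:
    """Emulate the engine: run the /bin/date test through the elevation tool, answer
    only output that ends in expected_prompt, and confirm the test command ran.
    Returns 'ok', 'denied' (sudo refused), or 'stalled' (waiting at an unrecognised
    prompt, which in the real engine means inventory collection hangs)."""
    out = device.run(f"{elevate_with} /bin/date")
    for _ in range(MAX_SUDO_ATTEMPTS + 1):
        if re.search(r"\b\d{2}:\d{2}:\d{2}\b", out):
            return "ok"                           # the date test produced a timestamp
        if out.endswith(SHELL_PROMPT):
            return "denied"                       # back at the shell without running it
        if out.endswith(expected_prompt) and privilege_password is not None:
            out = device.run(privilege_password)
            continue
        return "stalled"                          # prompt not recognised: wait forever
    return "denied"


if __name__ == "__main__":
    # Default prompt "Password:" never matches what sudo actually prints -> stall.
    print(elevate(FakeUnixDevice("svc", "s3cret"), "sudo", "Password:", "s3cret"))
    # Hard-coding the full sudo prompt works only where the user name is the same.
    print(elevate(FakeUnixDevice("svc2", "s3cret"), "sudo", "[sudo] password for svc: ", "s3cret"))
    # sudo -p flxpwd: with Privilege password prompt "flxpwd:" works on every target.
    print(elevate(FakeUnixDevice("svc2", "s3cret"), "sudo -p flxpwd:", "flxpwd:", "s3cret"))
    print(elevate(FakeUnixDevice("svc2", "s3cret"), "sudo -p flxpwd:", "flxpwd:", "wrong"))
    # Passwordless sudo: leave the privilege password blank and no prompt is needed.
    print(elevate(FakeUnixDevice("svc", "x", passwordless=True), "sudo", "Password:", None))
```

The only part of the handshake the engine can control is the text it waits for, so the robust fix is on the target side: pin the prompt with -p rather than guessing the distribution's wording.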
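The credential-selection rules for filters described above (comma-separated values as logical OR, ordering by number of matching filter fields with random order within ties, unfiltered credentials tried last and only when Use only filtered credentials is clear, the Oracle service names filter counting only for Account on Oracle database, and leading-label matching for DNS and Oracle names), modelled as an added example that is not Flexera's code. The filter field names, the device dictionary and every credential are constructed for this illustration; the product's own field names and internals are not published on this page.

```python
"""Added example, not Flexera's code: a model of the filter-matching and
credential-ordering rules described on this page. Field names such as
'dns_name', 'ip_address' and 'oracle_service', the device dictionary and all
credentials are constructed for this illustration."""

import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NAME_FIELDS = {"dns_name", "oracle_service"}      # matched by leading, complete labels
ORACLE_DB_TYPE = "Account on Oracle database"


@dataclass
class Credential:
    logical_name: str
    account_type: str = "Windows domain account"
    filters: Dict[str, str] = field(default_factory=dict)   # field -> "v1, v2, ..."


def name_matches(pattern: str, name: str) -> bool:
    """'tmnis' matches 'tmnis.MyDomain.com' and 'tmnis.AnotherDomain.com', but not
    'tmnisou.MyDomain.com' (label incomplete) nor 'MyComputer.tmnis.com' (not leading)."""
    want = pattern.lower().rstrip(".").split(".")
    have = name.lower().rstrip(".").split(".")
    return have[:len(want)] == want


def field_matches(field_name: str, values: str, device: Dict[str, str]) -> bool:
    """A filter field matches if ANY of its comma-separated values matches the device."""
    actual = device.get(field_name)
    if actual is None:
        return False
    for value in (v.strip() for v in values.split(",")):
        if not value:
            continue
        if field_name in NAME_FIELDS:
            if name_matches(value, actual):
                return True
        elif value.lower() == actual.lower():
            return True
    return False


def match_count(cred: Credential, device: Dict[str, str]) -> int:
    """Number of filter fields that match this device; the Oracle service filter only
    counts for Oracle database accounts."""
    count = 0
    for field_name, values in cred.filters.items():
        if field_name == "oracle_service" and cred.account_type != ORACLE_DB_TYPE:
            continue
        if field_matches(field_name, values, device):
            count += 1
    return count


def order_credentials(creds: List[Credential], device: Dict[str, str],
                      use_only_filtered: bool,
                      rng: Optional[random.Random] = None) -> List[str]:
    """Return logical names in the order the credentials would be tried on `device`."""
    rng = rng or random.Random()
    filtered = [c for c in creds if c.filters]
    unfiltered = [c for c in creds if not c.filters]     # 'None' in the Filters column
    scored = [(match_count(c, device), c) for c in filtered]
    matched = [(n, c) for n, c in scored if n > 0]        # zero matches: never tried here
    rng.shuffle(matched)                                  # ties are ordered randomly...
    matched.sort(key=lambda nc: -nc[0])                   # ...and sort() is stable
    ordered = [c.logical_name for _, c in matched]
    if not use_only_filtered:
        ordered += [c.logical_name for c in unfiltered]  # only after every match failed
    return ordered


if __name__ == "__main__":
    device = {"dns_name": "MyComputer.MyDomain.com", "ip_address": "10.1.2.3",
              "oracle_service": "ORCL.MyDomain.com"}
    creds = [
        Credential("operator", filters={"dns_name": "MyComputer, tmnis", "ip_address": "10.1.2.3"}),
        Credential("administrator", filters={"dns_name": "MyComputer"}),
        Credential("dbowner", ORACLE_DB_TYPE, {"oracle_service": "ORCL"}),
        Credential("svc_win", filters={"oracle_service": "ORCL"}),   # Oracle filter ignored
        Credential("unrelated", filters={"dns_name": "tmnis"}),      # no match: never tried
        Credential("fallback"),                                      # unfiltered
    ]
    print(order_credentials(creds, device, use_only_filtered=False, rng=random.Random(0)))
    print(order_credentials(creds, device, use_only_filtered=True, rng=random.Random(0)))
```

Run against the constructed device, operator (two matching fields) is always first, administrator and dbowner (one each) follow in random order, fallback comes last only when Use only filtered credentials is clear, and neither svc_win nor unrelated is ever presented to this device.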