Chat now with support
Chat with Support

Password Manager 5.10.1 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Password Manager components and third-party applications Unregistering users from Password Manager Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies One Identity Starling Reporting Password Manager Integration Appendixes Glossary

Configuring Password Manager Secure Token Server

Before the first visit of STS settings, you need to have a binding for your Password Manager site in IIS with the same port that is present in the <Password Manager installation folder>\One Identity\Password Manager\Service\QPM.Service.Host.exe.config under the StsHttpsPort key. By default 20000 is used.

To start using Password Manager STS,

  1. Open the IIS manager and create an HTTPS binding with this port for Password Manager sites.

  2. On the home page of the Administration site, click General Settings > Secure Token Server. The Secure Token Server page is displayed.

  3. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password. The default password is admin.

    CAUTION: For security reasons, you must change the password immediately after you have logged in to the configuration interface the first time.

    To change the password, go to Server settings > Administration Password.

To configure the port used by Password Manager STS,

  1. On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.

  3. Navigate to Server Settings > Listening Ports.

  4. In the HTTPS Port field, enter the port that is the same as the HTTPS port of the website binding in IIS.

  5. In the SSL Certificate section, select the certificate that is the same as the HTTPS certificate of the website binding in IIS.

  6. To save your settings, click Save.

  7. Refresh the page.

  8. Follow the instructions in the Secure Token Server error popup window.

  9. Enter your modified port number in the text field. To create or modify a firewall rule, select Create firewall rules for the port automatically.

  10. To save your settings, click Save.

  11. Open the Registry Editor and modify the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PasswordManagerSTS@ImagePath key value. At the end of the string, change the value of https-port to the modified port number.

  12. Modify the port number of the HTTPS binding in IIS for your Password Manager site.

  13. Restart the Password Manager service and the Password Manager STS service.

To set authentication providers,

  1. On the home page of the Administration site, click General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.

  3. Navigate to Authentication Providers, then click Add Authentication Provider, or select an existing one to edit by clicking on its name.

  4. In the Display Name field, enter the name of the current provider. It is only displayed on the administration site.

  5. Follow the instructions of this page to specify the Directory Type, the Connection Information and the Authentication Schemes for the current authentication provider.

  6. Follow the instructions of this page to specify the Two Factor Authentication Settings for the current authentication provider. Your options are the following:

    • None

    • OneLogin MFA

    • RADIUS

    • FIDO2/WebAuthn

    • Duo Web iFrame

    To validate and save your settings, click Finish.

To configure STS Server Settings,

  1. On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.

  3. Navigate to Server Settings.

  4. You can edit the Issuer Name that will be used by the STS server to identify itself to relying party applications.

  5. You can change the Administration Password for STS settings. Note: Every time you change this password, you need to revisit General Settings > Secure Token Server page and provide the new password in the popup window.

  6. You can edit general STS server wide settings in General Settings.

  7. You can set the HTTPS port that the STS service will use to accept incoming requests from relying party applications in Listening Ports. Also, choose an available SSL certificate to be used for HTTPS requests.

    NOTE: Every time you change the port and/or the certificate, you need to revisit General Settings > Secure Token Server page and follow the instructions on the popup window.

  8. You do not need to specify any login page image under Login Page Images, it will not be displayed.

  9. If you have an authentication provider which uses OneLogin you can set a proxy server in Proxy Settings to be used with OneLogin communication.

NOTE: To be able to use STS features, you do not need to create an application in Applications of the Secure Token Server Home page for Password Manager.

Provider-specific informations: Duo

In the Duo admin interface you need to create a Web SDK type application to connect with Password Manager STS.

Unregistering users from Password Manager

Unregistering users from Password Manager

Using the unregister feature, users registered to the Password Manager can be removed. Note that the user is removed only from the Password Manager and not Active Directory.

To unregister a user from the Password Manager

  1. On the home page of the Administration site, click General Settings | Unregister Users.
  2. On the Unregister Users page:

    • If you want to unregister individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.
    • If you want to select a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.
    • If you want to select the entire organization unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Add.
  3. Click Unregister User to unregister the users.

NOTE:

  • If you want to run the task at a specified time, select the Schedule at check box to specify the time to run the task and click Save.
  • If a task to unregister an user is scheduled at a later time and you want to unregister the user at the current instance, click Remove Setting to delete the scheduled task settings and click Save.
  • If you have the Domain management account configured with a user other than the Active Directory Administrator then, make sure that Write permissions are available to the storage attribute of the security questions (comment, by default) for all the users/ groups/OUs that are configured to be unregistered.

  • If the users/ groups/ OUs that need to be unregistered are a member of DomainAdmins/ Administrators group in the Active Directory then, the Write Permissions are already inherited.

Working with Redistributable Secret Management account

Redistributable Secret Management Service (rSMS) can be used to manage user passwords across multiple connected systems. Using the rSMS service it is possible to quickly synchronize the passwords across connected systems. By default, the rSMS service is installed with the Password Manager software.

An rSMS account must be created and configured to interact with the rSMS service to execute password change functionality on connected systems. After creating the rSMS account and configuring the certificate binding settings (optional), you can configure the settings to reset the password in connected systems. For more information, see Reset password in connected systems through embedded connectors.

To create rSMS account and configure certificate binding settings

  1. On the home page of the Administration site, click General Settings.

  2. Click the rSMS Settings tab from the options.

    The Redistributable Secret Management Service page is displayed.

    NOTE: An rSMS account must be created before working with rSMS activity. An rSMS user is automatically created if the imported configuration file has the rSMS account details.

  1. In the Create Account section, click Create Account to create an rSMS account.

  2. In the Certificate binding section, select a custom certificate from the drop-down list, if available. By default, the built-in certificate is used. If the certificate binding settings are modified you must restart the One Identity rSMS Service.

    NOTE: If you import a configuration file, the rSMS certificate binding details are not imported. The default binding settings or the certificate binding settings of the system are used.

  3. Select the IP address from the rSMS IP address drop-down list.

    NOTE: For built-in certificates, the Port number field is automatically populated with the value 20001. For a custom certificates, custom port number can be provided.

  4. Click Save Settings to save the certificate binding settings.

    NOTE:

    • By default, all Password Manager logs are available in C:\Windows\TEMP folder. If the default Password Manager log path is changed during an update, rSMS automatically uses the updated log path instead of the default path used earlier.
    • Additional rSMS logs are available in the rSMS.Service-{Date}.log file. Enable Password Manager logging from the Administrator site under General Settings | Logging Settings.

Redistributable Secret Management Service supported platforms

Redistributable Secret Management Service (rSMS) supports the platforms that are mentioned here.

Table 12: rSMS supported platforms
Platform Description
WindowsServer A name for a group of server operating systems released by Microsoft.
SolarisSsh A Unix operating system, using an SSH connection.
PanosSsh An operating system developed by Acorn Computers, using an SSH connection.
Aixssh A series of proprietary Unix operating systems developed by IBM, using an SSH connection.
OdbcMysql An open-source relational database management system, using an ODBC Driver.
postgres An open-source relational database management system (RDBMS).
vsphere Server virtualization software
IloSsh HP Integrated Lights-Out (iLO) is a proprietary embedded server management technology, using an SSH connection
OdbcSqlServer A relational database management system, using an ODBC Driver.
ad Microsoft Windows Active Directory
SonicWall SonicWall Secure Mobile Access (SMA) is a unified secure access gateway.
Aws Amazon Web Services (AWS), an on-demand cloud computing platform.
Acf2Tn3270 IBM's Access Control Facility (z-Series), using a TN3270 connection.
F5BigIpSsh A load balancer and a full proxy, using an SSH connection
TopSecretTn3270 CA TopSecret is a streamlined and scalable mainframe security for IBM's zseries operating system, using a TN3270 connection.
OdbcSybase Used to manage and analyze information in relational databases, using an ODBC Driver.
PixSsh Cisco PIX (Private Internet eXchange) is an IP firewall, using an SSH connection.
FreeBsdSsh FreeBSD is a free and open-source Unix-like operating system, using an SSH connection.
DracSsh Dell Remote Access Controller (DRAC) is an out-of-band management platform, using a SSH connection.
Hpuxssh Hewlett Packard Unix Operating systems, using a SSH connection.
Acf2Ldap Access Control Facility, a discretionary access control software security system over LDAP authentications.
RacfLdap Resource Access Control Facility is an IBM security system that provides access control and auditing functionality for zSeries operating systems over LDAP authentications.
SapHana A relational database management system.
LinuxSsh Linux Operating system, using a SSH connection.
RacfTn3270 IBM's Resource Access Control Facility (z-Series), using a TN3270 connection.
SonicSsh SonicOS, an operating system for SonicWall network security appliances (firewalls), using a SSH connection.
TopSecretLdap CA TopSecret is a streamlined and scalable mainframe security for IBM's zseries operating system, using a SSH connection.
MongoDb MongoDb is a cross-platform document-oriented database program.
JunosSsh Junos OS is the FreeBSD-based operating system used in Juniper Networks hardware routers, using an SSH connection.
SapNetweaver SAP NetWeaver is an open application server platform.
OdbcOracle Oracle Database is a multi-model database management system, using an ODBC driver.
As400Tn3270 IBM's Application System/400, using a TN3270 driver.
FortinetSsh Fortinet firewall client, using an SSH connection.
Ldap A protocol used for accessing Active Directory object, user authentication, and authorization in windows server.
MacOsSsh Apple Mac Operating system, using a SSH connection.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating