Chat now with support
Chat with Support

We are currently experiencing a OneLogin Outage within the US region, please consult https://www.onelogin.com/status for further details.

Password Manager 5.12.3 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable S2FA for Administrators & Enable S2FA for HelpDesk Users Reporting Password Manager Integration Accounts Used in Password Manager Open Communication Ports for Password Manager Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Glossary

Enabling HTTPS

We strongly recommend that you use HTTPS with Password Manager. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web.

For instructions on how to configure SSL in order to support HTTPS connections from client applications, see the article “Configuring Secure Sockets Layer in IIS 7” at http://technet.microsoft.com/en-us/library/cc771438%28WS.10%29.aspx.

NOTE: To enable the Password Manager installation to be redirected from HTTP to use HTTPS by default, the HSTS (web security policy mechanism) functionality must be enabled. To enable HSTS in Password Manager, in the "HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager" registry key, set the registry value of the "HSTSEnabled" string to "true".

Steps to Install Password Manager

Installing Password Manager

For an overview of various installation scenarios, see Typical deployment scenarios.

To install Password Manager

  1. Depending on the hardware, run Password Manager x86 or Password Manager x64 from the installation CD autorun window.
  2. Read the license agreement, select I accept the terms in the license agreement, and then click Next.
  3. On the User Information page, specify the following options, and then click Next:
    1. Full name- Type your name

    2. Organization- Type the name of your organization
    3. Licenses- Click this button and specify the path to the license file

    NOTE:A license file is a file with the .ASC extension that you have obtained from your One Identity representative.
  1. On the Custom Setup page, select the components to install, and then click Next:
    1. Full Installation- Select this option to install Password Manager Service and the Administration, Self-Service and Helpdesk sites on this computer.
    2. Legacy Self-Service Site- Select this option to install only the legacy Self-Service site.
    3. Password Manager Self-Service Site - Select this option to install only the Password Manager Self-Service site.
    4. Helpdesk Site- Select this option to install only the Helpdesk site.

You can install all Password Manager components together on a single server or you can deploy the Legacy Self-Service, Password Manager Self-Service, and Helpdesk sites on a standalone server. To learn more about installing the Self-Service and Helpdesk sites on a standalone server, see Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server.

IMPORTANT: Note, that by default Secure Password Extension uses the Self-Service site that is installed on the same server with the Password Manager Service. If you want Secure Password Extension to use another Self-Service site, see Locating Self-Service site for more information.
  1. On the Password Manager Service Account Information page, specify the name and password for the Password Manager Service account, and then click Next. Use the following user name format: DOMAIN\Username. For more information on the requirements for the Password Manager Service account, see Configuring Password Manager service account and application pool identity.
  2. On the Specify Web Site and Application Pool Identity page, select the website name, specify the name and password for the account to be used as application pool identity, and then click Next. For more information on the requirements for the application pool identity, see Configuring Password Manager service account and application pool identity.
  3. Click Install.

    When the installation is complete, click Finish.

    IMPORTANT: By default, Password Manager uses built-in certificates to encrypt traffic between Password Manager websites and Password Manager Service. After installing Password Manager, if the Web sites (Self-Service and Helpdesk) and the Password Manager Service are installed on different computers, it is recommended to replace these certificates with new ones. For more information, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Websites.

Instance Initialization

Initializing instance

After installing Password Manager on your computer, you need to initialize an instance before you begin to configure a new Management Policy: that is, before configuring the user and Helpdesk scopes, Questions and Answers policy, and managing workflows. When initializing a Password Manager instance, you can choose one of the two options: Create a unique instance or a replica of an existing instance. When you create a replica of the existing instance, the new instance shares its entire configuration with the existing instance. Password Manager instances sharing the same configuration are referred to as a Password Manager realm. For more information about Password Manager realms, see Installing multiple instances of Password Manager.

To initialize Password Manager instance

  1. Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed. You can obtain the URL path to the Admin site from your system administrator. On the logon page, enter your user name and password and click Log on. The Instance Initialization page will be displayed automatically.

NOTE: For Password Manager versions 5.8.x or later, users must be a part of the local PMAdmin group and either of IIS_IUSRS or Administrators group to access the PMAdmin site.

  1. On the Instance Initialization page, select one of the following options, depending on what type of instance you want to create:
    • Unique instance. Creates a new instance.
    • Replica of existing instance. Joins a new instance to a Password Manager realm.
  2. If you have selected the option Replica of an existing instance, follow the instructions provided later in Installing multiple instances of Password Manager.
  3. If you have selected the option Unique instance, under Service connection settings, specify the following:
    • Certificate name- Select the certificate that was issued for the computer running the Password Manager Service. If you decide to install the Legacy Self-Service, Password Manager Self-Service, and Helpdesk sites separately from the Password Manager Service, it is recommended to replace the built-in certificate that is used encrypt traffic between the Service and the sites. For more information, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Websites.
    • Port number- Specify the port that the Self-Service and Helpdesk sites will use to connect to the Password Manager Service. By default, port 8081 is used.
  4. Under Advanced settings, specifying the following:
    1. Encryption algorithm- Specify the encryption algorithm that will be used to encrypt users’ answers to secret questions and other security sensitive information. You can select from two options: Triple DES and AES. By default, Password Manager uses Triple DES algorithm to encrypt data. Note that users’ answers will be encrypted if the Store answers using reversible encryption option is selected in the Q&A Profile settings. Otherwise, the answers will be hashed.
    2. Encryption key length- Specify whether a 192-bit or 256-bit encryption key will be used.
    3. Hashing algorithm- Specify the hashing algorithm that will be used to hash users’ answers to secret questions. The following algorithms are available: MD5 and SHA-256. By default, Password Manager uses SHA-256 hashing algorithm. Password Manager will hash users’ answers if Store answers using reversible encryption option is not selected in the Q&A profile settings.
    4. Store user’s Questions and Answers profile in the following attribute of user’s account in Active Directory- In the text box, type the attribute name that will be used for storing Q&A profile data. By default, Password Manager stores Q&A profile data in the comment attribute of each user's account and configuration data in the comment attribute of a configuration storage account, which is automatically created when installing Password Manager.
  5. Click Save to complete instance initialization.

Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server

Password Manager allows you to install the legacy Self-Service, Password Manager Self-Service, and Helpdesk sites on a standalone server. For example, you can use this installation scenario to deploy Password Manager in a perimeter network (DMZ).

When deploying Password Manager in a perimeter network, it is recommended to install the Password Manager Service and the sites in a corporate network at first (that is, use the Full Installation option in the Password Manager setup), and then install only the legacy Self-Service or the Password Manager Self-Service site in the perimeter network.

When you use this installation scenario, only one port should be open in the firewall between the corporate network and the perimeter network (by default, port number 8081 is used).

To install Legacy Self-Service, Password Manager Self-Service, and Helpdesk sites on a standalone server

  1. Depending on the hardware, run Password Manager x64 from the installation CD autorun window.
  2. Read the license agreement, select I accept the terms in the license agreement, and then click Next.
  3. On the User Information page, specify the following options, and then click Next:
    1. Full name- Type your name
    2. Organization- Type the name of your organization
    3. Licenses- Click this button and specify the path to the license file

    NOTE:A license file is a file with the .ASC extension that you have obtained from your One Identity representative.
  1. On the Custom Setup page, select the Legacy Self-Service Site, Password Manager Self-Service Site, and/or Helpdesk Site features, and then click Next.
  2. On the Specify Web Site and Application Pool Identity page, select the website name and specify the name, and password for the account to be used as application pool identity, and then click Next. For more information on the requirements for the application pool identity, see Configuring Password Manager service account and application pool identity.
  3. Click Install.
  4. When installation is complete, click Finish.

After you installed the Self-Service and Helpdesk sites on a standalone server, you need to initialize the sites to start using them.

To initialize the Legacy Self-Service site and the Password Manager Self-Service site

  1. Open the Legacy Self-Service site by entering the following address: http(s)://<ComputerName>/PMUser, where <ComputerName> is the name of the computer on which Self-Service site is installed.

    For the Password Manager Self-Service site, enter the following address: http(s)://<ComputerName>/PMSelfService.

    The Self-Service Site Initialization page will be displayed automatically.

  1. In the Computer name or IP address text box, specify the Password Manager Service host name or IP address.
  2. In the Port number text box, specify the port number that the Self-Service site will use to connect to the Password Manager Service.
  3. From the Certificate name drop-down list, select the name of the certificate to be used by this site. By default, Password Manager uses a built-in certificate issued by Password Manager. You can specify a custom certificate for authentication and traffic encryption between the Password Manager Service and the websites (Self-Service and Helpdesk). For more information on using custom certificates, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Websites.

    IMPORTANT: Before selecting a custom certificate on the Self-Service site, specify a custom certificate on the Administration site.
  4. Click Save.

To initialize the Helpdesk site

  1. Open the Helpdesk site by entering the following address: http(s)://<ComputerName>/PMHelpdesk, where <ComputerName> is the name of the computer on which Helpdesk site is installed. The Helpdesk Site Initialization page will be displayed automatically.
  2. In the Computer name or IP address text box, specify the Password Manager Service host name or IP address.
  3. In the Port number text box, specify the port number that the Helpdesk site will use to connect to the Password Manager Service.
  4. From the Certificate name drop-down list, select the name of the certificate to be used by this site. By default, Password Manager uses a built-in certificate issued by One Identity. You can specify a custom certificate for authentication and traffic encryption between the Password Manager Service and the websites (Self-Service and Helpdesk). For more information on using custom certificates, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Websites.

    IMPORTANT: Before selecting a custom certificate on the Helpdesk site, specify a custom certificate on the Administration site.
  5. Click Save.

NOTE: After the initialization of Helpdesk and Self-Service site, WcfServiceRealms.xml file is created. WcfServiceRealms.xml file has records of all the instances of Password Manager Services installed. WcfServiceRealms.xml file is used to help the user to use one of the realm instances from the list, in case of unavailability of services in the primary instance of Password Manager Service. For more information, see FailSafe support in Password Manager
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating