Certified Professional
(WCP)
Duration: 2 Days
Goal: Mastery of the solution in terms of deployment, administration and usage within a
standard environment.
Email: wkarl@wallix.com
Training Guide for WALLIX Certified Professional (WCP)
CONTENTS
1 Installation And Initial Configuration
1.1 Installation of the WAB Image
1.2 Initial Configuration
2 First Login
3 Use Cases
3.1 Use Case #1: First Authorization for Windows
3.1.1 Define Users Objects
3.1.2 Define Resources Objects
3.2 Use Case #2: ADS/LDAP Integration
3.2.1 External Authentication
3.2.2 LDAP/AD Domains
3.3 Use Case #3: Map AD-Groups to WALLIX Session Manager Groups
3.4 Use Case #4: Different Account Types for Session Manager
3.5 Use Case #5: Authorization with Linux
3.5.1 UID/PWD based Login
3.5.2 SSH Key based Login
3.5.3 Direct Logon to Linux Targets
3.6 Use Case #6: Time Frame
3.7 Use Case #7: Approval Workflow
3.7.1 Definition of an Approval Workflow
3.7.2 Different Variants of using ‘Quorum’
3.8 Use Case #8: Application Integration
3.8.1 Integration of a simple application
3.8.2 Integration with credentials using virtual channel
3.9 Use Case #9: Password Manager
3.9.1 Periodical Change of Passwords and SSH Keys
3.9.2 ‘Check out/Check in’ of Passwords
3.9.3 Email account where changed passwords are sent to
3.10 Use Case #10: Session & Password Manager
4 Appendix
4.1 Using Rest API (curl)
4.1.1 Create API Key
4.1.2 Usage of Rest API and API Key (i.e. User Management)
1 INSTALLATION AND INITIAL CONFIGURATION
1.1 INSTALLATION OF THE WAB IMAGE
• Go to the network settings of the imported virtual machine and change the Network Adapter to Custom (VMnet2). See the document ‘TrainingGuide2018 - WCP_MetaData.docx’.
1.2 INITIAL CONFIGURATION
• Type in the hostname you want to use, then select OK and press Enter.
• No use of DHCP
2 FIRST LOGIN
• Login with …
o UID: admin
o PWD: admin
• Encryption on WAB – this passphrase is used to salt the encryption key with which the data are encrypted. This means that the data can only be read with both secrets: the encryption key and the passphrase.
Note: When a passphrase is set, an admin has to enter the passphrase after every reboot; otherwise no logon to targets can be made.
• Note on SMB versions:
o CIFS – the original dialect of SMB shipped with Microsoft Windows NT 4.0 in 1996; SMB1 supersedes this version.
o SMB 1.0 (or SMB1) – the version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
o SMB 2.0 (or SMB2) – the version used in Windows Vista (SP1 or later) and Windows Server 2008
o SMB 2.1 (or SMB2.1) – the version used in Windows 7 and Windows Server 2008 R2
o SMB 3.0 (or SMB3) – the version used in Windows 8 and Windows Server 2012
o SMB 3.02 (or SMB3) – the version used in Windows 8.1 and Windows Server 2012 R2
3 USE CASES
3.1 USE CASE #1: FIRST AUTHORIZATION FOR WINDOWS
3.1.1 Define Users Objects
• Fill in the user name (usrUserA01), the email address (usera01@wallix.com), choose the preferred language and the profile ‘user’. This profile is mainly used to give administrators access to target systems.
Set the password for the user and leave Force password change set to No. Apply the settings.
• Now create a user group – go to Users/Groups and click on Add a group.
• Define the Group name, move the user usrUserA01 to the Selected Users area and apply the settings.
3.1.2 Define Resources Objects
• Go to Resources/Domains and click in the Global type section on Add a global domain. Name the global domain, define the real name and save the settings.
• Fill in the values as shown in the screenshot and save the settings by clicking on the Apply button.
• Go to Resources/Devices and click on the target devWindows01. For the local domain use the IP name of the machine. In addition activate the global domain. Next choose the RDP button in the Service box. RDP service name, port and connection policy can be modified, and sub protocols of RDP can be enabled/disabled.
Furthermore, more than one protocol can be defined for one target, for example if an SSH server runs on that target as well.
Apply the definitions.
• Then go to Resources/Groups and click on grpWindows01. Move the global domain user to the Selected Target accounts area here.
Note: The suggested best practice is to create the global domain before starting to create AD/LDAP target devices. In that case the global domain can be activated during target device creation, which means less work.
• As Account type choose Device. Since there is only one device and one domain, they are selected automatically. Enter the privileged account which should be used and its password. Disable Automatic password change and Automatic SSH key change. Apply the definitions.
Note: this is the typical shared account/shared password scenario often found at customer sites.
• Type in the Group name, move the privileged account to the Selected Target Accounts area and apply the settings.
Note: The difference between Account, Scenario Account, Account mapping and Interactive login will be explained in a later lab.
• Next create an Authorization – that means give the users in group grpUserA access to targets in group grpWindows01. Therefore go to Authorizations/Manage Authorization and click on Add an authorization.
• Since there is only one User group and one Resource group, they are preselected. Give the authorization a name and move the RDP protocols to the Selected Protocols/Subprotocols area. Select Enable session recording and apply the settings.
Note: Sub protocols can be enabled/disabled not only at device level (remember) but at this level as well.
• Now everything is done to use WALLIX Session Manager to access the target systems. Log off as admin and log on as usrUserA01, or use a browser which supports different user profiles (Chrome, Firefox).
Note: There are two ways to access the target system, by the marked icons. With the left one a modified RDP configuration file can be downloaded and stored on the local computer. With this the Web GUI is not needed anymore: double-click on the configuration file and the RDP client is started and connected to the WALLIX Bastion appliance. The user has to authenticate as a WALLIX Bastion user (here usrUserA01), and WALLIX Session Manager logs him on to the target system; the user does not know the target password.
The second icon provides the same RDP configuration file but combined with a one-time password (OTP). That means that no authentication against WALLIX Session Manager is needed. The OTP is valid for 30 seconds (default setting). Use this to log on to the target system.
• Note: From version 6.0 on the resolution for RDP sessions can be chosen.
3.2 USE CASE #2: ADS/LDAP INTEGRATION
3.2.2 LDAP/AD Domains
• Fill in the WAB domain name and the LDAP/AD domain name, under the Available Authentications select LDAP-AD and move the AD connection to the Selected Authentications area, and add the Default mail domain. Save the definitions with the Apply button.
Note: If Default domain is not selected, usrADSUserA01@ad.wallix.com has to be used for login. If it is selected, usrADSUserA01 is all that is needed.
3.3 USE CASE #3: MAP AD-GROUPS TO WALLIX SESSION MANAGER GROUPS
• Go to Users/Groups and click on grpUsers01. To modify the group settings click on Edit this group. Choose the LDAP/AD domain (here only one exists and it is preselected) and for Profile the profile ‘user’. The LDAP group needs to be defined in LDAP notation. Finally click on the plus sign and apply the settings.
• Note: To verify whether the connection to the AD/LDAP is working, go to Users/Accounts and switch to the defined domain. When users are listed, the connection to the AD/LDAP works fine.
• Log in as an AD user – if the domain defined in the LDAP/AD domains definition is not set as default, user name plus domain name needs to be used.
• Since the AD group is mapped to grpUsersA, the AD user has the same target assigned as the local user usrUserA01.
3.4 USE CASE #4: DIFFERENT ACCOUNT TYPES FOR SESSION MANAGER
• Go to Resources/Groups and click on grpWindows01. To modify the group click on Edit this group. In the Session Management section leave the setting for the Account button.
Click on Account mapping and move the target to the Selected Account mapping targets section.
Click on Interactive login and move the target to the Selected Interactive login targets section.
• Log on as usrADSUserA01@ad.wallix.com.
With the first two targets Session Manager logs in with the privileged user Administrator.
With the second target Session Manager asks for the credentials with which the login should be done.
With the third target Session Manager logs in with the AD credentials.
3.5 USE CASE #5: AUTHORIZATION WITH LINUX
3.5.1 UID/PWD based Login
• To create the target account go to Resources/Accounts and define the root target account as shown in the screenshot. Deselect Automatic password change and Automatic SSH key change. Apply the settings.
3.5.2 SSH Key based Login
• Create the target account usera02 and import the private key as shown in the screenshot.
Note: the key pair has to be OpenSSH or PuTTY based.
• Now go to Resources/Groups and open the group grpLinux01. Then add the account
usera02@local@devLinux01:SSH to the Selected target accounts area. Apply the
configuration.
3.5.3 Direct Logon to Linux Targets
• Using the WinSCP client: define as User name the combination of the WALLIX Bastion target account definition plus the WALLIX user.
3.6 USE CASE #6: TIME FRAME
• Create a new local user usrUserB01 and a new user group grpUsersB and make the user a member of this group.
• Go to Configuration/Time Frames and click on Add a time frame.
• Fill in the Time frame name and click on Add period in the Periods box.
Note: by default the session is closed when the time frame ends. If this is not wanted, enable the Do not close sessions at the end of the time period option.
• Define the time frame tfOfficeHours as shown in the screenshot. Click on Create period and apply the settings.
• Go back to Users/Groups, change the time frame parameter for the group grpUsersB and apply it.
• Go to Resources/Groups, create a new device group grpWindows02 and define the shared privileged account Administrator@... as a target.
• During the logon process additional information is displayed regarding the end of the session.
• Go back to Configurations/Time frames and deselect the current day of the time frame OfficeHours.
• Log on as user usrUserB01 and start the target session. Information is displayed that access is not allowed at this time.
3.7 USE CASE #7: APPROVAL WORKFLOW
3.7.1 Definition of an Approval Workflow
• Create a new local user usrUserC01 with profile user and a new user group grpUserC and make the user a member.
• Create a new local user usrApproverC01 with profile approver and a new user group grpApprovers03 and make the user a member.
• Go to Authorizations/Manage authorizations and create a new authorization as shown in the screenshot.
• Enable the Enable approval workflow option, make Comment mandatory and Ticket optional, move the group grpApproversC to Selected Approver groups and set both Quorums to 1. Apply the settings.
• Log in as user usrUserC01. A Request button can be seen in the Approval column.
• With this Request button sessions in the future can be requested. Click on the button to see the dialog.
Click on the Start date field and choose the day. Do the same for the Start time. Fill in the Duration and the Comment, as it is mandatory.
• There is also a way to request access to a target ad hoc. Click on the right icon.
• The session is started and the dialog to request access ad hoc is displayed. Fill in the data and confirm it.
• Every member of the group grpApprovers01 is informed by email. The email contains a link to the WALLIX Bastion appliance. Log in as user usrApprover01 and click on the approval link.
• All information about this request is shown. Fill in a comment and approve the request.
• Go back to the pending session. After a few seconds the session continues and informs how long this session will last.
3.7.2 Different Variants of using ‘Quorum’
• When an approval workflow is used in combination with a time frame, the behavior within and outside of the time frame can be defined differently.
The behavior in the screenshot means:
o no approval workflow within the time frame
o outside the time frame an approval workflow is initiated
• Leaving the line(s) empty causes the ad hoc approval workflow dialog to be displayed (see the chapter before), but the request is automatically approved and the approver group gets an informational email.
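The time frame check of Use Case #6 and the per-time-frame approval behavior described above combine into one access decision. The following Python model is an added example written for this guide, not WALLIX code: it decides whether a session starts, is refused, waits for an approval quorum or is auto-approved, and collects approvals until the quorum is met. The Period, TimeFrame, Authorization and ApprovalRequest classes, the encoding of the three line states (no workflow, workflow, empty line) as False/True/None, and the sample office hours are assumptions constructed for the example; the second quorum shown in the GUI is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "session starts"                  # inside the time frame, no approval needed
    DENY = "access not allowed at this time"  # outside the time frame, no approval path
    NEEDS_APPROVAL = "request pending"        # ad hoc dialog, session waits for the quorum
    AUTO_APPROVED = "auto-approved"           # dialog shown, approved at once, approvers informed


@dataclass(frozen=True)
class Period:
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class TimeFrame:
    name: str
    periods: tuple                       # one or more Period objects
    close_sessions_at_end: bool = True   # the guide's default; can be switched off

    def covers(self, when: datetime) -> bool:
        return any(p.covers(when) for p in self.periods)


@dataclass(frozen=True)
class Authorization:
    """Approval settings of one authorization, one line per time frame state (assumed model).

    approval_inside / approval_outside: True = approval workflow required,
    False = no workflow, None = line left empty (request is auto-approved).
    """
    time_frame: Optional[TimeFrame]      # None = no time frame attached
    approval_enabled: bool = False
    approval_inside: Optional[bool] = False
    approval_outside: Optional[bool] = True


def evaluate(auth: Authorization, when: datetime) -> Decision:
    """Access decision for a session attempt at time `when`."""
    inside = auth.time_frame is None or auth.time_frame.covers(when)
    if not auth.approval_enabled:
        return Decision.ALLOW if inside else Decision.DENY
    mode = auth.approval_inside if inside else auth.approval_outside
    if mode is None:
        return Decision.AUTO_APPROVED
    if mode:
        return Decision.NEEDS_APPROVAL
    return Decision.ALLOW if inside else Decision.DENY


@dataclass
class ApprovalRequest:
    """Collects approvals for one pending session until the quorum is reached."""
    quorum: int
    approver_group: frozenset
    comment_mandatory: bool = True
    approvals: set = field(default_factory=set)

    def approve(self, approver: str, comment: str = "") -> bool:
        if approver not in self.approver_group:
            raise PermissionError(f"{approver} is not a member of the approver group")
        if self.comment_mandatory and not comment.strip():
            raise ValueError("a comment is mandatory for this authorization")
        self.approvals.add(approver)   # a second click by the same approver does not count twice
        return len(self.approvals) >= self.quorum


# Constructed sample data mirroring the lab: office hours Monday to Friday, 08:00 to 18:00.
OFFICE_HOURS = TimeFrame("tfOfficeHours", (Period(frozenset(range(5)), time(8, 0), time(18, 0)),))
```

With approval disabled the model reproduces Use Case #6 (a session outside tfOfficeHours is refused); with approval enabled and the two lines set as in the screenshot, the same attempt turns into a pending request instead.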
3.8 USE CASE #8: APPLICATION INTEGRATION
Note: To integrate applications an additional Terminal Server is used as jump server. The following prerequisites have to be fulfilled:
• Minimize the application window and see that there is no access to the desktop.
3.8.2 Integration with credentials using virtual channel
• The compiled AutoIT script is already copied to the Windows target system and is located in C:\WABscripts\WABLogonVC.exe
• To create the application go to Resources/Applications and click on Add an application.
• Now go to Resources/Accounts, make the settings as shown in the screenshot and save them.
• Change to Resources/Groups, open the group grpApplications01, add the newly created account admin@local@appWABGUI and apply it.
• Log in as usrUserA01 and start the login for the application appWABGUI.
3.9 USE CASE #9: PASSWORD MANAGER
3.9.1 Periodical Change of Passwords and SSH Keys
• Set the policy name, define the password complexity and the time frame of the periodical change.
• Select the Enable password change option to activate the periodical password change. Define the administrative account, the change policy, the plugin to be used and the administrative password.
Note: if no administrative account is defined, only the user account itself is used to change the password.
• Go to Resources/Accounts and activate Auto password change for each user whose password should be changed automatically. Here we create a new target account named usera01 for the device devLinux01 and activate the Automatic password change option.
• The last password can be found at the Audit section (see screenshots).
For this the already existing account usera02 for the device devLinux01 is used.
• Activate the Automatic SSH key change option for the target account usera02. For this go to Resources/Accounts.
• Again in the Syslog section the change of the SSH key can be seen in addition to the password change. It can also be seen that the first attempt – done with the usera02 logon – was not successful. Therefore root was used (‘Needing reconciliation …’) to do the change.
3.9.1.3 Set up Password Change for Windows Domain with Global Domain
This use case addresses the password change of a shared domain user in the whole Windows domain.
• Activate the Enable password change option, then select the Password change policy and the Password change plugin and define the Domain controller address as IP address or fully qualified name.
Note: In this case no administrative account is used to change the password. That means that WAB Password Manager uses the user account itself to change the password. If you want to change the password with an administrative account (for example: Administrator) it has to be defined first under /User/Accounts.
• Go to Resources/Domains and create a new shared domain user named dba. Select as Account type ‘Global domain’, click on ‘ad.wallix.com’ and add the account.
• In the System/Syslog and Audit/Account history the password changes can be verified.
3.9.2 ‘Check out/Check in’ of Passwords
• Activate the Enable lock option. Define the Checkout duration – this is the time the account is locked and after which the password is changed automatically (when the option Change password at check in is activated). The option Checkout duration extension is the period by which the user can extend the duration. The option Maximum checkout duration defines how long the duration can be at most. Activate Change password at check in when the password should be changed after usage.
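The lock, extension and rotation rules of the checkout policy, as an added Python example written for this guide (not WALLIX code). It models one managed account through checkout, extension up to the maximum duration, check in and countdown expiry, and changes the password whenever the lock is released if Change password at check in is set. The class and field names, the 16-character password generator and the sample timings are assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class CheckoutPolicy:
    enable_lock: bool = True
    checkout_duration: timedelta = timedelta(minutes=30)   # lock time; the countdown shown to the user
    checkout_extension: timedelta = timedelta(minutes=15)  # how much one extension adds
    max_checkout_duration: timedelta = timedelta(hours=1)  # hard ceiling counted from the first checkout
    change_password_at_checkin: bool = True


def generate_password(length: int = 16) -> str:
    """Random password with letters, digits and punctuation (constructed complexity rule)."""
    alphabet = string.ascii_letters + string.digits + "!$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class ManagedAccount:
    name: str                          # e.g. dba@ad.wallix.com or usera01@local@devLinux01
    policy: CheckoutPolicy
    password: str
    holder: Optional[str] = None       # WALLIX user who currently holds the checkout
    checked_out_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    history: List[str] = field(default_factory=list)   # what Audit/Account history would record

    def checkout(self, user: str, now: datetime) -> str:
        """Return the current password to the user and lock the account for the policy duration."""
        self._expire_if_due(now)
        if self.policy.enable_lock and self.holder not in (None, user):
            raise PermissionError(f"{self.name} is checked out by {self.holder} until {self.expires_at}")
        self.holder, self.checked_out_at = user, now
        self.expires_at = now + self.policy.checkout_duration
        self.history.append(f"{now:%H:%M} checkout by {user}")
        return self.password

    def extend(self, user: str, now: datetime) -> datetime:
        """Extend the lock by one extension step, never past the maximum duration."""
        self._expire_if_due(now)
        if self.holder != user:
            raise PermissionError("only the holder can extend a checkout")
        ceiling = self.checked_out_at + self.policy.max_checkout_duration
        if self.expires_at >= ceiling:
            raise ValueError("maximum checkout duration reached")
        self.expires_at = min(self.expires_at + self.policy.checkout_extension, ceiling)
        return self.expires_at

    def checkin(self, user: str, now: datetime) -> None:
        """Release the lock early; rotates the password if the policy says so."""
        self._expire_if_due(now)
        if self.holder != user:
            raise PermissionError("account is not checked out by this user")
        self._release(now, "check in")

    def _expire_if_due(self, now: datetime) -> None:
        # The countdown ending releases the lock exactly like a check in would.
        if self.holder is not None and now >= self.expires_at:
            self._release(self.expires_at, "countdown ended")

    def _release(self, when: datetime, reason: str) -> None:
        self.holder = self.checked_out_at = self.expires_at = None
        if self.policy.change_password_at_checkin:
            self.password = generate_password()
            self.history.append(f"{when:%H:%M} password changed ({reason})")
        else:
            self.history.append(f"{when:%H:%M} released ({reason})")
```

The value returned by checkout is what the user pastes into the RDP login dialog; once the lock is released the old value no longer works, which is the point of Change password at check in.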
• Activate for the target account dba the password checkout policy. Do this for the usera01
and usera02 as well.
• In the Resources/Groups section open the group grpWindows01. Click on the ‘Password
Management Account’ button and move the dba account to the Selected Accounts area.
• Do this also for the accounts usera01 and usera02 in the grpLinux01 group.
• The password can now be copied into the login dialog of an RDP client.
• Note: Due to the settings made before, the password will be changed on Check in or when the countdown timer ends.
3.9.3 Email account where changed passwords are sent to
• Now log in to WALLIX Session & Password Manager as admin, go to Users/Profiles and click on Add a profile.
• The private GPG key needs to be imported into the email account of this user.
• From now on every newly created password is emailed encrypted to this email account, and once a day the list of all newly created passwords.
3.10 USE CASE #10: SESSION & PASSWORD MANAGER
• Create a Checkout Policy. The Checkout duration can be any value; the session is protected as long as it lasts.
• Select the Checkout Policy in the account(s) which shall be protected from being kicked out.
• Create an Authorization where usrUserA01 and usrUserA02 can log on to this account. Log on
as usrUserA01 and then try to log on as usrUserA02 – the result can be seen in the following
screenshot.
• If in the Checkout Policy the option Change password at check-in is selected the password is
changed after every session end.
4 APPENDIX
4.1 USING REST API (CURL)
4.1.1 Create API Key
• Create the API key with the command add_api_key -n "<key name>"
• Copy the key.
4.1.2 Usage of Rest API and API Key (i.e. User Management)
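A minimal Python client for the REST API, as an added example that is not part of this guide and not WALLIX code. It sends the API key in request headers over HTTPS only, lists user names, and builds a user-creation body with the fields that Use Case #1 fills in by hand. The header names X-Auth-User and X-Auth-Key, the /api/users resource and the field names user_name, email, preferred_language, profile, groups, password and force_change_pwd are taken from WALLIX's public REST API documentation rather than from this page and should be checked against your Bastion version; <bastion-host> and <key-file> are placeholders.

```python
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

# Header names, the /api/users resource and the user fields below come from WALLIX's published
# REST API documentation, not from this guide; verify them against your Bastion version.
AUTH_USER_HEADER = "X-Auth-User"
AUTH_KEY_HEADER = "X-Auth-Key"

Transport = Callable[[urllib.request.Request], bytes]


def build_request(base_url: str, api_user: str, api_key: str, path: str,
                  method: str = "GET", body: Optional[dict] = None) -> urllib.request.Request:
    """Build an authenticated request; refuses plain HTTP so the key never travels unencrypted."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("the API key must only be sent over HTTPS")
    if not path.startswith("/api/"):
        raise ValueError("path must start with /api/")
    headers = {AUTH_USER_HEADER: api_user, AUTH_KEY_HEADER: api_key, "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base_url.rstrip("/") + path, data=data, headers=headers, method=method)


def https_transport(cafile: Optional[str] = None) -> Transport:
    """Real transport: validates the appliance certificate against cafile (or the system store)."""
    context = ssl.create_default_context(cafile=cafile)

    def send(req: urllib.request.Request) -> bytes:
        with urllib.request.urlopen(req, context=context, timeout=30) as resp:
            return resp.read()
    return send


def list_user_names(base_url: str, api_user: str, api_key: str, transport: Transport) -> List[str]:
    """GET /api/users and return the sorted login names (the 'user_name' field is assumed)."""
    raw = transport(build_request(base_url, api_user, api_key, "/api/users"))
    users = json.loads(raw.decode("utf-8"))
    return sorted(u["user_name"] for u in users)


def new_user_payload(user_name: str, email: str, profile: str, groups: List[str],
                     password: str, preferred_language: str = "en") -> Dict[str, object]:
    """Body for POST /api/users, mirroring the fields of Use Case #1 (field names assumed)."""
    if "@" not in email:
        raise ValueError("email address expected")
    return {"user_name": user_name, "email": email, "preferred_language": preferred_language,
            "profile": profile, "groups": groups, "password": password, "force_change_pwd": False}


if __name__ == "__main__":
    # The key is read from a file with restricted permissions instead of being typed on the
    # command line, where it would land in the shell history and the process list.
    # <bastion-host> and <key-file> are placeholders to be replaced.
    with open("<key-file>") as fh:
        KEY = fh.read().strip()
    print(list_user_names("https://<bastion-host>", "admin", KEY, https_transport()))
```

The equivalent curl call passes the same two headers with -H; in both cases the transport is injected (or a CA file given) so the appliance certificate is verified rather than ignored.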