
PAM Implementation Documentation

Prepared for:

National Bank of Egypt (NBE)

ITS – NBE-EGY Confidential 1


INFORMATION TECHNOLOGY SOLUTIONS – ITS
26 ADEN ST., MOHANDESEEN, CAIRO, EGYPT
TEL: +202 37493773
FAX: +202 37493736
EMAIL: info@egypt-its.com
WEBSITE: HTTP://WWW.EGYPT-ITS.COM/

Contents
1. Installation ..... 4
2. Upload Licenses ..... 17
3. Clustering ..... 22
4. RabbitMQ ..... 42
5. Edit General Configurations ..... 55
6. Active Directory Integration & Sync with the Groups ..... 62
7. Enable Discovery ..... 70
8. Enable Heartbeat, Remote Password Changing ..... 71
9. Unix Platform ..... 72
10. Oracle Platform ..... 101
11. SQL Platform ..... 131
12. Windows Platform ..... 145
13. Synchronize Secret Passwords During RPC ..... 162
14. Create Role & Assign it to Users ..... 171
15. Create Secret Policy to Folders ..... 174
16. Share Secrets ..... 176
17. Create Password Policy ..... 178
18. Upgrade Secret Server & Privilege Manager Without Outbound Access ..... 181

1. Installation

- Download the latest version of the Privilege Vault installer.
- Run setup.exe as an administrator.
- Click Next.
- Choose Connect to an existing SQL Server, then click Next.
- The Pre-Requisites page checks that every prerequisite is set up correctly.
- The listed prerequisites can be installed outside the installer; if they are not, the installer can install and configure them when you click Fix Issues.
- Wait until the required prerequisites are installed.
- Click Close.
- The checks run again with only two failures remaining.
- Restart the server.
- Run setup.exe again and follow the steps above until the Pre-Requisites page.
- Click Next.
- Enter the server name or IP address of the SQL Server.
- Enter the name of the database created for PAM.
- Choose Windows authentication using the service account.
- Enter the service account credentials and click Validate Credentials.
- After validation succeeds, click Next.
- Enter the username, display name, email and password of the user that will administer Secret Server.
- Click Next.
- Click Skip Email (email configuration is edited later from Secret Server).
- Most settings are set to defaults; they can still be modified here.
- Click Install.
- Wait for the installation to finish, then click Finish.
- Installation is complete and you can start using both Secret Server and
Privilege Manager.
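The installer above expects the PAM database and the Windows service account to exist already, and "Validate Credentials" only proves the account can log in. The script below is an added example (not part of the original document or of the installer) that creates both with least privilege: the service account is made db_owner of that one database, which is all the installer needs to create the schema, and is never added to sysadmin. The instance name, database name and account name are placeholders.

```powershell
# Added example, not from the original document or the installer: prepare the
# Secret Server database and the service-account login before running setup.exe.
# Least privilege: db_owner on this one database only, never sysadmin.
# Instance, database and account names are placeholders for this environment.
param(
    [string]$Instance       = 'SQLSERVER01',   # hypothetical SQL Server instance
    [string]$Database       = 'SecretServer',  # the database name typed into the installer
    [string]$ServiceAccount = 'NBE\svc_pam'    # hypothetical domain service account
)

# The names are admin-supplied, but they are still escaped so a ] or ' cannot
# break out of the identifier or string literal.
$qName = $Database.Replace(']', ']]')
$sName = $Database.Replace("'", "''")
$qAcct = $ServiceAccount.Replace(']', ']]')
$sAcct = $ServiceAccount.Replace("'", "''")

$tsql = @"
IF DB_ID(N'$sName') IS NULL
    CREATE DATABASE [$qName];

IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$sAcct')
    CREATE LOGIN [$qAcct] FROM WINDOWS;

USE [$qName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$sAcct')
    CREATE USER [$qAcct] FOR LOGIN [$qAcct];
ALTER ROLE db_owner ADD MEMBER [$qAcct];

-- Evidence for the change record: the login exists, is not sysadmin,
-- and is db_owner in this database.
SELECT  sp.name                              AS login_name,
        IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin,
        IS_ROLEMEMBER('db_owner', N'$sAcct')  AS is_db_owner_here
FROM    sys.server_principals AS sp
WHERE   sp.name = N'$sAcct';
"@

# Run as a SQL sysadmin (the DBA's own Windows account) over an encrypted
# connection; TrustServerCertificate=False means an untrusted server
# certificate fails the connection instead of being silently accepted.
$cs   = "Server=$Instance;Database=master;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        [PSCustomObject]@{
            Login    = $reader['login_name']
            Sysadmin = ($reader['is_sysadmin'] -eq 1)        # must be False
            DbOwner  = ($reader['is_db_owner_here'] -eq 1)   # must be True
        }
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

The final SELECT is what to keep with the change record: Sysadmin must be False and DbOwner True for the account that is then entered on the installer's database page.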


2. Upload Licenses

- Go to the login page (https://plz-pamapp-v02.nbe.ahly.bank/secretserver).
- From the Admin tab, choose Licenses.
- Click Install New License.
- Click Bulk Entry Mode.
- Copy the licenses and paste them here.
- Click Add Multiple Licenses.
- Click License Activation.
- Enter name, email and phone number.
- Click Activate Offline.
- Copy the license request.
- Go to the activation center.
- Paste in the activation request.
- Click Activate.
- Copy the activation confirmation.
- Paste it into the corresponding screen within your Secret Server instance.
- Click Activate.
- Click Continue.


3. Clustering

- From the Admin tab → All.
- Click Server Nodes.
- Enable clustering.
- Go to the Secret Server path and copy the inetpub folder from the first node.
- Paste it on the second node and open IIS.
- Right-click Application Pools.
- Choose Add Application Pool.
- Enter the name (SecretServerAppPool).
- Click OK.
- From Sites → Default Web Site.
- Click Add Virtual Directory.
- Enter the alias (SecretServer).
- Enter the physical path (D:\inetpub\wwwroot\SecretServer).
- Click OK.
- Right-click the created directory (SecretServer).
- Click Convert to Application.
- Click Select.
- From Application Pool, choose SecretServerAppPool.
- Click Connect As.
- Choose Specific User and enter the credentials of the service account.
- Click OK.
- Click OK.
- Right-click SecretServerAppPool → Advanced Settings.
- Double-click Application Pool Identity.
- Select Custom Account and click Set.
- Enter the username and password of the service account.
- Click OK.
- The second node is added successfully but is disabled.
- Click Edit.
- Enable In Cluster, Background Worker, Engine Worker and Session Recording Worker.
- Click Save.

- For TMS (Privilege Manager):

On the primary server, decrypt the connectionStrings.config file by running the command below. The file has to be decrypted first because the protected-configuration key is specific to the machine that encrypted it, so an encrypted copy cannot be read on the secondary node.

- Run CMD as administrator:

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  -pd "connectionStrings" -app "/Tms"

- Select and copy all contents of the Privilege Manager web application folder at:

  D:\inetpub\wwwroot\TMS\

  including the unencrypted connectionStrings.config file.
- On the secondary server, create the same folder path.
- Paste the entire contents of the Privilege Manager web application folder from the primary web server to the same location on the secondary web server. Do not leave a copy on any intermediate location (share, removable media) because it contains the clear-text database connection string.
- Open Internet Information Services Manager (IIS).
- Under your local server, right-click Application Pools and select Add Application Pool…
- Add three new application pools, repeating the step for each one:
  ▪ TMS
  ▪ TMSAgent
  ▪ TMSWorker
- For each of the three app pools (TMS, TMSAgent and TMSWorker):
  o Right-click the app pool.
  o Select Advanced Settings…
  o In the Identity box in the "Process Model" section, click the three dots on the right of the box.
  o Select the Custom Account radio button.
  o Click Set and enter your service account's name and password.
  o Click OK.
- Right-click Default Web Site in IIS and select Add Virtual Directory.
  o Select an alias for your Privilege Manager. The alias is what will be appended to the website, for instance "TMS" in http://myserver/TMS.
  o Enter the physical directory where you unzipped Privilege Manager (i.e., D:\inetpub\wwwroot\TMS).
  o Click OK.
  o In the tree, right-click the new virtual directory and select Convert to Application.
    ▪ Set the Application Pool to the one called TMS.
    ▪ Click OK.
  o In the virtual directory, expand the new TMS site.
    ▪ Right-click the Agent subfolder and select Convert to Application.
    ▪ Set the Application Pool to the one called TMSAgent, click OK.
  o In the virtual directory, navigate to the ServiceBus subfolder.
    ▪ Right-click it and select Convert to Application.
    ▪ Set the Application Pool to the one called TMSWorker you created earlier, click OK.
  o In the virtual directory, select the Services subfolder.
    ▪ Right-click it and select Convert to Application.
    ▪ Ensure that the Application Pool is set to the one called TMS, click OK.
  o In the virtual directory, select the Setup subfolder.
    ▪ Right-click it and select Convert to Application.
    ▪ Ensure that the Application Pool is set to the one called TMS, click OK.
  o In the virtual directory, select the Worker subfolder.
    ▪ Right-click it and select Convert to Application.
    ▪ Set the Application Pool to the one called TMSWorker, click OK.
- Select your TMS virtual directory.
  o Double-click Authentication in the features pane.
  o Make sure that only Anonymous Authentication is set to Enabled. Everything else should be set to Disabled.
- Select the Setup directory.
  o Double-click Authentication in the features pane.
  o Make sure that Anonymous Authentication and Windows Authentication are both set to Enabled and everything else is Disabled.
- Select the Worker directory.
  o Double-click Authentication in the features pane and make sure that Anonymous Authentication and Windows Authentication are both set to Enabled and everything else is Disabled.
- Folder permissions for C:\Windows\Temp:
  o Navigate to the C:\Windows\TEMP folder.
  o Right-click the folder and select Properties | Security | Advanced.
  o Click Add and Select a principal.
  o Ensure the domain machine is listed as the Location and type the service account into the Enter the object name to select field.
  o Click Check Names and enter network credentials for accessing your domain machine.
  o Click OK.
  o Under Basic permissions, select the Modify checkbox.
  o Verify your service account has Modify, Read & execute, List folder contents, Read, and Write permissions for the C:\Windows\TEMP folder.
  o Click OK, then Apply.
- Folder permissions for the Privilege Manager application folder:
  o Navigate to the Privilege Manager application folder at D:\inetpub\wwwroot\TMS.
  o Right-click the folder and select Properties | Security | Advanced.
  o Click Add and Select a principal.
  o Ensure the domain machine is listed as the Location and type the service account into the Enter the object name to select field.
  o Click Check Names and enter network credentials for accessing your domain machine.
  o Click OK.
  o Under Basic permissions, select the Modify checkbox.
  o Verify your service account has Modify, Read & execute, List folder contents, Read, and Write permissions for the application folder.
  o Click OK, then Apply.
  o Note: The application folder only needs Write and Modify permissions during the installation or during an upgrade. Remove these once the installation process is complete.
- Verify login on the secondary node:
  o Navigate to Privilege Manager, e.g. http://localhost/TMS.
  o You should be able to authenticate to Privilege Manager.
  o After logging in, all policies and all data accessible on the primary node should be accessible on the secondary node.
- Re-encrypt connectionStrings.config:
  o On the primary node, run the following command to re-encrypt the connectionStrings.config file:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    -pe "connectionStrings" -app "/Tms"

  o On the secondary node, run the same command to re-encrypt its copy of the connectionStrings.config file:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
-pe "connectionStrings" -app "/Tms"
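The IIS part of the secondary-node procedure above (three application pools under the service account, the TMS application tree, the per-folder authentication settings, the NTFS permissions and the final re-encryption) is easy to get subtly wrong by hand, and a click-through leaves no record. The script below is an added example, not from the original document or from Thycotic, that performs the same steps so they can be reviewed and repeated on every node. It assumes the TMS folder (including the decrypted connectionStrings.config) has already been copied to D:\inetpub\wwwroot\TMS, that the site is "Default Web Site", and that the service account is entered at the prompt; those are assumptions, not values from the page.

```powershell
# Added example, not from the original document or from Thycotic: secondary-node
# Privilege Manager (TMS) IIS setup as one repeatable script.
# Assumptions: TMS folder already copied to D:\inetpub\wwwroot\TMS (decrypted
# connectionStrings.config included), site "Default Web Site", service account
# supplied at the prompt.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$tmsPath = 'D:\inetpub\wwwroot\TMS'
$site    = 'Default Web Site'
$svcCred = Get-Credential -Message 'Privilege Manager service account (DOMAIN\user)'
$svcUser = $svcCred.UserName
$svcPass = $svcCred.GetNetworkCredential().Password

# 1. Three application pools, all running as the service account.
foreach ($pool in 'TMS', 'TMSAgent', 'TMSWorker') {
    if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
        identityType = 3          # 3 = SpecificUser (custom account)
        userName     = $svcUser
        password     = $svcPass
    }
}

# 2. The TMS virtual directory, then each folder converted to an application on
#    the pool the page assigns to it (order matters: the root first).
if (-not (Test-Path "IIS:\Sites\$site\TMS")) {
    New-WebVirtualDirectory -Site $site -Name 'TMS' -PhysicalPath $tmsPath | Out-Null
}
$apps = [ordered]@{
    'TMS'            = 'TMS'
    'TMS\Agent'      = 'TMSAgent'
    'TMS\ServiceBus' = 'TMSWorker'
    'TMS\Services'   = 'TMS'
    'TMS\Setup'      = 'TMS'
    'TMS\Worker'     = 'TMSWorker'
}
foreach ($entry in $apps.GetEnumerator()) {
    ConvertTo-WebApplication -PSPath "IIS:\Sites\$site\$($entry.Key)" `
        -ApplicationPool $entry.Value -Force | Out-Null
}

# 3. Authentication exactly as required: anonymous only on /TMS; anonymous plus
#    Windows on /TMS/Setup and /TMS/Worker. Basic/Digest stay uninstalled.
function Set-AppAuthentication([string]$Location, [bool]$WindowsAuth) {
    $base = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$base/anonymousAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$base/windowsAuthentication" -Name enabled -Value $WindowsAuth
}
Set-AppAuthentication "$site/TMS"        $false
Set-AppAuthentication "$site/TMS/Setup"  $true
Set-AppAuthentication "$site/TMS/Worker" $true

# 4. NTFS: Modify for the service account on C:\Windows\Temp and on the app folder.
#    Modify on the app folder is only needed while installing/upgrading; remove it after.
foreach ($dir in "$env:windir\Temp", $tmsPath) {
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $svcUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# 5. Put connectionStrings.config back under protected configuration on this node,
#    then drop the clear-text password from memory.
$regiis = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
& $regiis -pe 'connectionStrings' -app '/Tms' -site $site
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pe failed with exit code $LASTEXITCODE" }
$svcPass = $null
```

Run it once per secondary node after the folder copy, then do the "Verify login on the secondary node" check above before re-encrypting on the primary. Step 5 fails loudly rather than leaving the clear-text connection string on disk if aspnet_regiis cannot find the application.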


4. RabbitMQ

- From the Admin tab → Distributed Engine.
- Click Manage Site Connectors.
- Click New Site Connector.
- Select RabbitMQ in the Queue Type drop-down list.
- Type a name for the new site connector in the Name text box.
- Select the Active check box.
- Type the host name of the machine where you plan to install RabbitMQ in the Host Name text box.
- Select Use SSL.
- Click View Credentials.
- Click the copy icons to copy both the Username and Password and store them for use in the next section.
- Click OK.
- Download the Thycotic RabbitMQ Helper.
- Install the Thycotic RabbitMQ Helper by running the downloaded MSI.
- Copy the offline Erlang and RabbitMQ installer files into the helper's Offline folder.
- Go to the RabbitMQ Helper install location and open the application.
- Run the following commands:

  $path = "$env:programfiles\Thycotic Software Ltd\RabbitMq Helper\Examples";
  $cred = Get-Credential -Message "Enter the initial RabbitMq user username and password";

- Enter the username and password saved earlier.
- The server certificate must be issued to the fully qualified domain name of the RabbitMQ host; this is the name that goes into the PFX and into the site connector's Host Name.
- Save the certificate folder location in a variable ($certpath).
- Run mmc to get the certificate.
- Select Computer account.
- Export the issuing CA certificate as a .cer file (used for -CaCertPath).
- Export the server certificate with its private key as a .pfx file (used for -PfxPath).
- Enter and confirm the password.
- Click Next.
- Click Finish.
- Copy the certificates to the RabbitMQ location.
- Run this command to save the certificate password:

  $pfxCred = Get-Credential -UserName PfxUserName -Message "Enter the PFX password. Username is ignored";

- Enter the password.
- Run the RabbitMQ installation commands ($fqdn and $certpath must be set first; the values below are placeholders):

  $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName;   # FQDN of this RabbitMQ host
  $certpath = "<folder where the exported .cer and .pfx files were copied>";
  Install-Connector `
      -Hostname $fqdn `
      -Credential $cred `
      -UseTls `
      -CaCertPath "$certpath\localhostca.cer" `
      -PfxPath "$certpath\localhost.pfx" `
      -PfxCredential $pfxCred `
      -OfflineErlangInstallerPath "$path\Offline\o-erlang.exe" `
      -OfflineRabbitMqInstallerPath "$path\Offline\o-rabbitMq.exe" `
      -Verbose

- Return to Secret Server and go to the site connector you created in the previous section.
- Click the site connector's link. The Site Connector Details page appears.
- Click the Validate Connectivity button.
- If everything is set up correctly, you will see "Validation Succeeded."
- Close the non-SSL connection. With an empty tcp_listeners list, RabbitMQ accepts AMQP connections only on its TLS listener (port 5671 by default), so Secret Server and the Distributed Engines can no longer fall back to plain AMQP on 5672. Restart the RabbitMQ Windows service after editing the file.
  • Add ",{rabbit,[{tcp_listeners, []} ]}" to the advanced.config file, as shown
below.
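After the advanced.config change and the service restart, the result should be checked from a Secret Server or Distributed Engine host rather than assumed. The script below is an added example (not part of the original document or of the RabbitMQ Helper) that connects to the plain AMQP port, which must now refuse, and performs a TLS handshake on the TLS port to report the certificate the broker presents, including whether its DNS name matches the host name entered in the site connector and whether the chain verifies on this machine. The host name and the two ports are assumptions (the local machine's FQDN and the RabbitMQ defaults).

```powershell
# Added example, not from the original document or the RabbitMQ Helper: confirm the
# broker refuses plain AMQP (5672) and that the TLS listener (5671) presents a
# certificate for the name the site connector uses. Host name and ports are
# assumptions (local FQDN, RabbitMQ default ports).
param(
    [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$PlainPort   = 5672,
    [int]$TlsPort     = 5671
)

function Test-TcpPort([string]$Target, [int]$Port) {
    # $true when something accepts the TCP connection, $false when it is refused.
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Target, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}

function Get-AmqpTlsInfo([string]$Target, [int]$Port) {
    # TLS handshake only, the way a Distributed Engine client starts. Chain errors
    # are recorded so the caller can see them instead of being swallowed.
    $script:chainErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:chainErrors = $errors
        return $true   # accept here only so the certificate can be inspected
    }
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Target)
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $dnsName = $x509.GetNameInfo('DnsName', $false)   # SAN DNS name, else CN
        [PSCustomObject]@{
            Subject     = $x509.Subject
            DnsName     = $dnsName
            NotAfter    = $x509.NotAfter
            Protocol    = $ssl.SslProtocol
            ChainErrors = $script:chainErrors
            NameMatches = ($dnsName -ieq $Target)
        }
    } finally { $client.Close() }
}

$plainOpen = Test-TcpPort $HostName $PlainPort
$tls       = Get-AmqpTlsInfo $HostName $TlsPort
[PSCustomObject]@{
    Host           = $HostName
    PlainAmqpOpen  = $plainOpen            # must be False after {tcp_listeners, []}
    TlsSubject     = $tls.Subject
    TlsProtocol    = $tls.Protocol
    TlsChainErrors = $tls.ChainErrors      # None = the CA you exported is trusted here
    TlsNameMatches = $tls.NameMatches      # must be True or Validate Connectivity fails
    TlsExpires     = $tls.NotAfter
}
if ($plainOpen) { Write-Warning "Plain AMQP on port $PlainPort is still accepting connections." }
```

PlainAmqpOpen must be False and TlsNameMatches True on every Distributed Engine host; a ChainErrors value other than None means the issuing CA certificate is not trusted on that machine, which is the usual cause of "Validation Failed" after an otherwise correct install.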


5. Edit General Configurations

- Edit email configuration.
  o Go to the Admin tab → Configuration → Email tab.
  o Click Edit.
  o Enter the email server and the email address that Secret Server will use for notifications.
  o Click Save.
- Edit database backup configuration.
  o Go to the Admin tab → All → Setup & System Maintenance.
  o Click Backup.
  o Edit the paths of the backup files.
  o Click Save.
  o Enable the backup schedule and repeat every 1 day.
- Enable and edit session recording configuration.
  o Go to the Admin tab → Configuration → Session Recording tab.
  o Click Edit.
  o Check the Enable Session Recording box.
  o Edit the configuration as shown in the screenshots above.
  o Click Save.
- Edit X-Forwarded-For (load balancer).
  o Open IIS Manager.
  o At server, site or application level, double-click "Logging".
  o Click "Select Fields".
  o In the "W3C Logging Fields" window, click "Add Field".
  o In the "Add Custom Field" window, fill out the following fields:
    ▪ Field Name: X-Forwarded-For
    ▪ Source type: Request Header
    ▪ Source: X-Forwarded-For
  o Click "OK" in both open windows.
  o Click "Apply" in the Actions pane.
- Go to https://<SecretServerAddress>/ConfigurationAdvanced.aspx.
- Scroll to the bottom and click Edit.
- Locate the IP Address Header text box and type X-Forwarded-For.
- Click the Save button.
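One caveat belongs with this setting: once the IP Address Header is X-Forwarded-For, Secret Server takes the client address it records in audit entries and enforces in IP address restrictions from that header. That is only trustworthy when the load balancer sets the header itself and the web servers are not reachable by clients except through it; otherwise any client can send an X-Forwarded-For of its choosing. The script below is an added example (not from the original document) that performs the IIS logging step above from PowerShell and reads the configuration back, so the field can be added identically on every cluster node; it assumes the site is "Default Web Site".

```powershell
# Added example, not from the original document: register X-Forwarded-For as a
# custom W3C log field (same result as the IIS Manager clicks above) and read the
# logging configuration back. Assumption: the site is "Default Web Site".
#Requires -RunAsAdministrator
Import-Module WebAdministration

$site    = 'Default Web Site'
$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = "system.applicationHost/sites/site[@name='$site']/logFile/customFields"

function Get-CustomLogFields {
    # Each entry becomes an extra column in the W3C log files of this site.
    Get-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name Collection |
        Select-Object logFieldName, sourceName, sourceType
}

# Idempotent: re-running on a node must not add the field a second time.
if (-not (Get-CustomLogFields | Where-Object { $_.logFieldName -eq 'X-Forwarded-For' })) {
    Add-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name '.' -Value @{
        logFieldName = 'X-Forwarded-For'   # column name written to the log
        sourceName   = 'X-Forwarded-For'   # request header to copy
        sourceType   = 'RequestHeader'
    }
}

Get-CustomLogFields
```

The read-back at the end is the check to keep: the field must list sourceType RequestHeader and sourceName X-Forwarded-For on each node, and the logged value should be compared with what the load balancer inserts before IP address restrictions are relied on.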


6. Active Directory Integration & Sync with the Groups

First, create a secret to be used for synchronization. The synchronization account only needs read access to the directory; do not use a domain administrator account for it.

- Choose Secrets in the left panel.
- Click (+) in the top right.
- Click New Secret.
- Click Active Directory Account.
- Choose the folder.
- Enter the secret name, domain, username and password.
- Click Create Secret.

Second, enable Active Directory integration and add a domain:

- From the Admin tab → Active Directory.
- Click Edit.
- Enable Active Directory Integration.
- Enable Active Directory synchronization.
- From User Account Options, choose User status mirrors Active Directory.
- Click Save.
- Click Edit Domains.
- Click New.
- Enter the fully qualified domain name and the friendly/NetBIOS name.
- Check Active and Allow Logins From Domain.
- Add the secret created above.
- From the Site drop-down list, select Local.
- Click Save & Validate.

Third, synchronize the group of PAM users:

- From Admin → Active Directory.
- Click Edit Synchronization.
- Choose your domain from the drop-down list.
- Search for the groups.
- You can preview the users of each group from the left panel.
- Select the groups and move them to the left panel.
- Click Save.
- Click Synchronize Now.
- Go to Users from the Admin tab.
- You can see the users synchronized from the group.


7. Enable Discovery

- From Admin → Discovery.
- Click Edit.
- Enable Discovery.
- Click Save.


8. Enable Heartbeat, Remote Password Changing

- From Admin → Remote Password Changing.
- Click Edit.
- Check the Enable Remote Password Changing box.
- Check the Enable Heartbeat box.
- Click Save.


9. Unix Platform

1. Create the folder structure from the adoption strategy.
   o Choose Secrets in the left panel.
   o Click (+) in the top right.
   o Click New Folder.
   o Enter the name of the folder.
   o Click Create New Folder.
   o Right-click the root folder (Unix Platform).
   o Choose Add Subfolder.
   o Enter the name of the subfolder.
   o Click Create New Folder.

Note: Follow the above steps to create the folder structure as in the adoption strategy.

2. Create a secret with user credentials that have permissions to discover and take over accounts on the target server.
   o Choose Secrets in the left panel.
   o Click (+) in the top right.
   o Click New Secret.
   o Click Change.
   o Choose the folder where you want to create the secret.
   o Choose Unix Account as the secret template.
   o Enter the secret name, machine address and credentials of the user that will be used for discovery and takeover.
   o Click Create Secret.

3. Add a new Unix discovery source and run discovery.
   o From the Admin tab → Discovery.
   o Click Edit Discovery Sources.
   o Click Create New.
   o Choose Unix Discovery Source.
   o Click OK.
   o Click Next.
   o Enter the discovery source name.
   o Click Next.
   o Click Add Secret.
   o Choose the created secret that will be used to discover accounts.
   o After the secret is added, click Finish.
   o Then from the Admin tab → Discovery.
   o Click Run Now.
   o Then go to Discovery Network View.
   o Click the discovery source to view the accounts found on the target machine.

4. Create a new RPC (password changer) for takeover.
   o From the Admin tab → Remote Password Changing.
   o Click Configure Password Changers.
   o Click New.
   o Choose Unix Account Custom as the base password changer.
   o Enter the name of the password changer.
   o Click Save.
   o Enter the username and password fields in the Verify Password Changed Commands section, then click Save.
   o Enter the username and password fields in the Password Change Commands section, then click Save.
   o Enter the commands shown in the screenshots above.

5. Create new secret templates for the Unix platform.
   o From the Admin tab → Secret Templates.
   o Click Create New.
   o Enter the name of the secret template.
   o Click Create.
   o In the Fields section, add the fields shown below.
   o Click Configure Extended Mappings.
   o Choose the extended mapping to use → SSH Private Key.
   o Choose the fields for the private key and the private key passphrase.
   o Click Save.

Note: Repeat all the above steps to create each secret template listed in the adoption strategy for the Unix platform.

6. Assign the custom RPC to the created secret template.
   o From the secret template (for example: service_Accounts).
   o Click Configure Password Changing.
   o Click Edit.
   o Choose the RPC from the Password Type drop-down list.
   o Click Save.

7. Create Unix team launchers.
   o From the Admin tab → Secret Templates.
   o Click Configure Launchers.
   o Click New.
   o Use the configurations below for the launchers required by the Unix teams.
   o KiTTY
   o SuperPuTTY
   o WinSCP
   o MobaXterm

8. Configure launchers on a secret template.
   o From the Admin tab → Secret Templates.
   o Choose the secret template you want to add launchers to.
   o Click Edit.
   o Click Configure Launcher.
   o Click Add New Launcher.
   o Choose the launcher type you want (example: KiTTY).
   o Click Save.

Note: Repeat the above steps for every launcher needed for the Unix platform.

9. Create secret policies for the Unix platform.
   o From the Admin tab → Secret Policy.
   o Click Create New.
   o Use the configurations below for the secret policies of the Unix teams.
   o NBE_ROOT_UNIX_Policy
   o NBE_Service_accounts_Policy
   o NBE_UNIX_Admin_Department

10. Take over an account.
   o From Admin → Discovery.
   o Click Discovery Network View.
   o Click the discovery source containing the user you want to take over.
   o Search for the user you want to take over.
   o Select the user, then click Import.
   o Choose the secret type from the drop-down list.
   o Select the folder where you want to create this secret.
   o Click Next.
   o Check "I want to change the password on the account" and "I want a new random password for each created secret".
   o Click Next.
   o Choose the password type from the drop-down list.
   o Select the secret to be used for taking over the account.
   o Click Next.
   o Select the secret to be used for future password changing.
   o Click Finish.
   o The secret is created successfully.


10. Oracle Platform

1. Create the folder structure from the adoption strategy.
   o Choose Secrets in the left panel.
   o Click (+) in the top right.
   o Click New Folder.
   o Enter the name of the folder.
   o Click Create New Folder.
   o Right-click the root folder (Oracle Platform).
   o Choose Add Subfolder.
   o Enter the name of the subfolder.
   o Click Create New Folder.

Note: Follow the above steps to create the folder structure as in the adoption strategy.

2. Create a secret with user credentials that have permissions to discover and take over accounts on the target server.
   o Choose Secrets in the left panel.
   o Click (+) in the top right.
   o Click New Secret.
   o Click Change.
   o Choose the folder where you want to create the secret.
   o Choose Oracle Account as the secret template.
   o Enter the secret name, machine address and credentials of the user that will be used for discovery and takeover.
   o Click Create Secret.

3. Create a custom discovery for Oracle accounts.
   o From Admin → Scripts.
   o Click Create New.
   o Enter the name and description.
   o Choose Dependency from the Category drop-down list.
   o Paste the script into the Script field.
   o From the Admin tab → Discovery → Extensible Discovery.
   o Click Configure Discovery Scanners.
   o Click Accounts.
   o Click Create New Scanner.
   o Use the settings shown above to add the new scanner.
   o Click OK.

4. Create a custom scan template for Oracle.
   o From Admin → Discovery → Extensible Discovery.
   o Click Configure Scan Templates.
   o Click the Accounts tab.
   o Click Create New Scan Template.
   o Enter the name of the scan type.
   o Add the fields shown above.
   o Click Save.

5. Create a new discovery source and run discovery.
   o From the Admin tab → Discovery.
   o Click Edit Discovery Sources.
   o Click Create New.
   o Choose Unix Discovery Source.
   o Click OK.
   o Click Next.
   o Enter the name of the discovery source.
   o Click Next.
   o Enter the IP address of the target machine.
   o Click Next.
   o Click Add Secret.
   o Choose the created secret that will be used to discover accounts.
   o After the secret is added, click Finish.
   o Click the created discovery source.
   o Remove the Unix Non-Daemon User scanner.
   o Click Add New Account Scanner.
   o Choose the Oracle by database scanner.
   o Choose:
     ▪ First secret: the user that can run the script on the server.
     ▪ Second secret: the user that has permissions for discovery.
   o Then from the Admin tab → Discovery.
   o Click Run Now.
   o Then go to Discovery Network View.
   o Click the discovery source to view the accounts found on the target machine.

6. Create new secret templates for the Oracle platform.
   o From the Admin tab → Secret Templates.
   o Click Create New.
   o Enter the name of the secret template.
   o Click Create.
   o In the Fields section, add the fields shown below.
   o The secret template is created successfully.

Note: Repeat all the above steps to create each secret template listed in the adoption strategy for the Oracle platform.

7. Create Oracle team launchers.
   o From the Admin tab → Secret Templates.
   o Click Edit.
   o Click Configure Launchers.
   o Use the configurations below for the launchers required by the Oracle teams.
   o SQL-Plus
   o PL-SQL Developer
   o SQL Developer
   o CMD
   o PowerShell

8. Configure launchers on a secret template.
   o From the Admin tab → Secret Templates.
   o Choose the secret template you want to add launchers to.
   o Click Configure Launchers.
   o Click Add New Launcher.
   o Choose the launcher type you want (example: SQL-Plus).
   o Click Save.

Note: Repeat the above steps for every launcher needed for the Oracle platform.

9. Create secret policies for the Oracle platform.
   o From the Admin tab → Secret Policy.
   o Click Create New.
   o Use the configurations below for the secret policies of the Oracle teams.
   o NBE_SYS_DBA_Recording_Policy
   o NBE_Service_accounts_Policy

10. Take over an account.
   o From Admin → Discovery.
   o Click Discovery Network View.
   o Click the discovery source containing the user you want to take over.
   o Search for the user you want to take over.
   o Select the user, then click Import.
   o Choose the secret type from the drop-down list.
   o Select the folder where you want to create this secret.
   o Click Next.
   o Check "I want to change the password on the account" and "I want a new random password for each created secret".
   o Click Next.
   o Choose the password type from the drop-down list.
   o Select the secret to be used for taking over the account.
   o Click Next.
   o Select the secret to be used for future password changing.
   o Click Finish.


11. SQL Platform

1. Create the folder structure from the adoption strategy.
   o Choose Secrets in the left panel.
   o Click (+) in the top right.
   o Click New Folder.
   o Enter the name of the folder.
   o Click Create New Folder.
   o Right-click the root folder (MS-SQL Platform).
   o Choose Add Subfolder.
   o Enter the name of the subfolder.
   o Click Create New Folder.

Note: Follow the above steps to create the folder structure as in the adoption strategy.

2. Create a secret with user credentials that have permissions to discover and take over accounts on the target server.
   o Choose Secrets in the left panel.
   o Click (+) in the top right.
   o Click New Secret.
   o Click Change.
   o Choose the folder where you want to create the secret.
   o Choose Active Directory Account as the secret template.
   o Enter the secret name, machine address and credentials of the user that will be used for discovery and takeover.
   o Click Create Secret.

3. Create a custom discovery for SQL accounts.
   o From Admin → Scripts.
   o Click Create New.
   o Enter the name and description.
   o Choose Dependency from the Category drop-down list.
   o Paste the script into the Script field.
   o From the Admin tab → Discovery → Extensible Discovery.
   o Click Configure Discovery Scanners.
   o Click Accounts.
   o Click Create New Scanner.
   o Use the settings shown above to add the new scanner.
o Click ok.
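The script pasted into the Script field above is only visible in the screenshot. As an added example, not the script from the original document, the PowerShell below shows what an account-discovery script for SQL Server has to gather: every SQL and Windows login on the instance, whether it is disabled, whether password policy is enforced for SQL logins, and, most important for the NBE_SQL_SA_Policy and NBE_SQL_SYS_ADMIN_Policy that follow, whether the login is a sysadmin. The instance name is a placeholder, and it is assumed the discovery credential (the Active Directory account created in step 2) can read sys.server_principals and sys.sql_logins, which VIEW ANY DEFINITION and VIEW SERVER STATE allow without sysadmin rights. The property names of the emitted objects are assumptions; they are mapped to whatever fields the scan template defines.

```powershell
# Added example, not the script from the original document's screenshot: enumerate
# the SQL Server logins an account-discovery scanner would find and flag sysadmins.
# Assumptions: instance name is a placeholder; the caller authenticates with Windows
# credentials that can read sys.server_principals / sys.sql_logins.
param([string]$Instance = 'SQLSERVER01')   # hypothetical instance

$query = @'
SELECT  p.name,
        p.type_desc,
        p.is_disabled,
        sl.is_policy_checked,                -- NULL for Windows logins
        sl.is_expiration_checked,            -- NULL for Windows logins
        IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM    sys.server_principals AS p
LEFT JOIN sys.sql_logins AS sl ON sl.principal_id = p.principal_id
WHERE   p.type IN ('S', 'U', 'G')            -- SQL logins, Windows users, Windows groups
  AND   p.name NOT LIKE '##%'                -- internal certificate-mapped logins
ORDER BY p.name;
'@

function Get-SqlServerLogins([string]$Server) {
    # Integrated Security: no password in the script; Encrypt=True with
    # TrustServerCertificate=False so a spoofed instance fails the connection.
    $cs   = "Server=$Server;Database=master;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            [PSCustomObject]@{
                Machine       = $Server                       # assumed scan-template field names
                Username      = $r['name']
                LoginType     = $r['type_desc']
                Disabled      = [bool]$r['is_disabled']
                PolicyChecked = if ($r['is_policy_checked'] -is [DBNull]) { $null } else { [bool]$r['is_policy_checked'] }
                Sysadmin      = ($r['is_sysadmin'] -eq 1)      # NULL (DBNull) compares as not sysadmin
            }
        }
        $r.Close()
    } finally { $conn.Close() }
}

# Sysadmin logins first: these are the candidates for the SA / sysadmin secret policies.
Get-SqlServerLogins -Server $Instance |
    Sort-Object @{ Expression = 'Sysadmin'; Descending = $true }, Username |
    Format-Table Machine, Username, LoginType, Disabled, PolicyChecked, Sysadmin -AutoSize
```

A SQL login with PolicyChecked False has no complexity or lockout policy applied by SQL Server at all, so such logins should be the first ones imported and put under remote password changing.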


4. Create new discovery source & run discovery.
o From admin tab  discovery.

o Click edit discovery sources.


o Choose active directory discovery source.
o Choose scanner settings.

- Click add new account scanner.


- Then choose the SQL Local Accounts.

- Click run now.

ITS – NBE-EGY Confidential 139


5. Configure launchers to secret template.
o From admin tab  secret templates.
o Choose the secret templates that you want to add launchers to it.

o Click edit.

o Configure launcher.

ITS – NBE-EGY Confidential 140


o Click add new launcher.

o Choose the launcher type you want (example: RDP).


o Click save.

Note: you will need to do all the above steps to all needed launchers for
Windows platform.

ITS – NBE-EGY Confidential 141


6. Create the secret policies of the SQL platform.
o From the Admin tab → Secret Policy.
o Click Create New.
o Use the configurations below (shown in the screenshots) for the secret policies of the SQL teams:
o NBE_SQL_SA_Policy
o NBE_SQL_SYS_ADMIN_Policy
o NBE_Service_accounts_Policy


7. Take over an account
o From Admin → Discovery.
o Click Discovery Network View.
o Click the discovery source that contains the account you want to take over.
o Search for the account.
o Select the account, then click Import.
o Choose the secret type from the drop-down list (Active Directory Account).
o Select the folder in which the secret will be created.
o Click Next.
o Check "I want to change the password on the account" and "I want a new random password for each created secret".
o Click Next.
o Choose the password type from the drop-down list (Active Directory Account).
o Select the secret to be used for taking over the account.
o Click Next.
o Select the secret to be used for future password changing.
o Click Finish.


12. Windows Platform

1. Create the folder structure defined in the adoption strategy.
o Choose Secrets in the left panel.
o Click (+) in the top right.
o Click New Folder.
o Enter the name of the folder.
o Click Create New Folder.
o Right-click the root folder (Windows Platform).
o Choose Add Subfolder.
o Enter the name of the subfolder.
o Click Create New Folder.

Note: Follow the above steps to create the complete folder structure defined in the adoption strategy.


2. Create a secret with the credentials of a user that has permission to discover and take over accounts on the target servers.
o Choose Secrets in the left panel.
o Click (+) in the top right.
o Click New Secret.
o Click Change.
o Choose the folder in which the secret will be created.
o Choose Active Directory Account as the secret template.
o Enter the secret name, machine address and credentials of the user that will be used for discovery and takeover.
o Click Create Secret.


3. Create a new discovery source and run discovery.
o From the Admin tab → Discovery.
o Click Edit Discovery Sources.
o Click Create New.
o Choose Active Directory Discovery Source.
o Click Next.
o Choose Windows Local Accounts.
o Click Next.
o Enter the fully qualified domain name.
o Choose the secret created in step 2.
o Click Next.
o Click Finish.
- Click Run Now.
- Go to Discovery Network View.
o Each discovery source is listed together with the accounts found under it.
o Use the search box to find a specific account.


4. Configure launchers on the secret template.
o From the Admin tab → Secret Templates.
o Choose the secret template to which the launchers will be added.
o Click Edit.
o Click Configure Launchers.
o Click Add New Launcher.
o Choose the launcher type you want (example: RDP).
o Click Save.

Note: Repeat the above steps for every launcher the Windows platform needs.


5. Create the secret policies of the Windows platform.
o From the Admin tab → Secret Policy.
o Click Create New.
o Use the configurations below (shown in the screenshots) for the secret policies of the Windows teams:
o NBE_Domain_Recording_Policy
o NBE_Service_Accounts_Policy


6. Take over an account
o From Admin → Discovery.
o Click Discovery Network View.
o Click the discovery source that contains the account you want to take over.
o Search for the account.
o Select the account, then click Import.
o Choose the secret type from the drop-down list.
o Select the folder in which the secret will be created.
o Click Next.
o Check "I want to change the password on the account" and "I want a new random password for each created secret".
o Click Next.
o Choose the password type from the drop-down list.
o Select the secret to be used for taking over the account.
o Click Next.
o Select the secret to be used for future password changing.
o Click Finish.


11. Synchronize Secret Passwords During RPC

- Download the PowerShell wellness checker from
  "http://updates.thycotic.net/tools/powershell.wellnesschecker.zip".
  The link is plain HTTP. Fetch it from the vendor over HTTPS where possible and verify it against the vendor's published hash or signature where one is provided: the tool is run with administrative rights on the Secret Server node.
- Extract it.
- Open a command window in the extracted directory and run:
  PowerShell.WellnessChecker.exe -fixerrors
  (the switch takes a plain hyphen; a dash copied from a document is not recognised).
- From Admin → Scripts.
- Click Create New.
- Enter a name and description.
- Choose Dependency from the Category drop-down list.
- Put the script below in the Script field.

# Arguments are supplied by the dependency changer configured below:
#   $[1]$USERNAME $[1]$PASSWORD $PASSWORD $NOTES $[1]$DOMAIN
# Write-Debug output is only visible when $DebugPreference is 'Continue'.
# Use HTTPS: the API account's credentials are sent in the Authenticate call.
$url = 'https://MySecretServerURL/webservices/sswebservice.asmx'
$username      = $Args[0]   # API (application) account user name
$password      = $Args[1]   # API account password
$newpassword   = $Args[2]   # the password just set on the primary account
$secretIdArray = $Args[3]   # comma-separated child secret IDs from the primary secret's Notes field
$domain        = $Args[4]   # domain of the API account

$proxy = New-WebServiceProxy -Uri $url -UseDefaultCredential

# Authenticate as the API account; stop if Secret Server reports an error.
$result1 = $proxy.Authenticate($username, $password, '', $domain)
if ($result1.Errors.Length -gt 0) {
    $errors = $result1.Errors[0]
    Write-Debug "Errors result1: $errors"
    exit
} else {
    $token = $result1.Token
}

# Split the Notes value into IDs, ignoring surrounding whitespace and empty entries.
$secretIds = $secretIdArray -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($secretId in $secretIds) {
    $result2 = $proxy.GetSecret($token, $secretId, $false, $null)
    if ($result2.Errors.Length -gt 0) {
        $errors = $result2.Errors[0]
        Write-Debug "Errors result2: $errors"
    } else {
        $secretName = $result2.Secret.Name
        Write-Debug "Updating Secret: $secretName"
        # Replace only the password field(s) of the child secret; other fields are left as they are.
        foreach ($item in $result2.Secret.Items) {
            if ($item.IsPassword) {
                $item.Value = $newpassword
            }
        }
        $secret = $result2.Secret
        $result3 = $proxy.UpdateSecret($token, $secret)
        if ($result3.Errors.Length -gt 0) {
            $errors = $result3.Errors[0]
            Write-Debug "Errors result3: $errors"
        } else {
            Write-Debug "Updated Secret: $secretName"
        }
    }
}

- Click OK.
- From Admin → Configuration, set Enable Webservices to Yes.
- Create a user account of type Application Account (the API_Account user used below).
- Create a role for the API_Account user.
- Assign the role to the user.
- Create a secret holding the Secret Server credentials of the new API user account (the Active Directory Account or Web Password template works well).
- On each of the child secrets, grant the API user account Edit permission.
- From the Admin tab → Remote Password Changing.
- Click the Configure Dependency Changers button.
- Create a new changer using the settings shown above.
- For the Arguments field, paste the following:

$[1]$USERNAME $[1]$PASSWORD $PASSWORD $NOTES $[1]$DOMAIN

  The tokens map to the script's positional arguments in order: $[1]$USERNAME, $[1]$PASSWORD and $[1]$DOMAIN are taken from the first secret associated with the dependency, $PASSWORD is the new password of the primary account, and $NOTES is the primary secret's Notes field.
- Click Save.
- Go to the primary account secret and open the Dependencies tab.
- Click Create New Dependency Group, then add a new dependency to it.
- Choose your template, and under Service/Machine Name put "default". Select a privileged account (an Active Directory account secret able to run PowerShell on the server).

Notes:
- Ensure that the child secret IDs are listed, comma separated, in the primary secret's Notes field; the script updates whatever IDs it finds there.
- Once the dependency has been added, the full process can be tested by starting a password change on the primary account secret.
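Before the first real password change is started, it is worth checking that the Notes field parses into valid secret IDs and that the API account can actually read every child secret, because the dependency script only reports failures through Write-Debug. The pre-flight script below is an added example, not part of the original document or of Secret Server. It reuses the same SOAP endpoint and Authenticate/GetSecret calls as the dependency script; the server URL, account names and secret ID are placeholders, and the item properties it relies on (IsNotes, FieldName, IsPassword) are those the SOAP API exposes on secret items.

```powershell
param(
    [Parameter(Mandatory)] [string]       $SecretServerUrl,   # placeholder, e.g. https://secretserver.example.local
    [Parameter(Mandatory)] [int]          $ParentSecretId,    # the primary account secret
    [Parameter(Mandatory)] [string]       $ApiUser,           # the API_Account user
    [Parameter(Mandatory)] [string]       $ApiDomain,
    [Parameter(Mandatory)] [securestring] $ApiPassword
)

# Turn the free-text Notes value into integer secret IDs. Anything that is not a positive
# integer is reported instead of being silently handed to GetSecret at change time.
function ConvertFrom-ChildIdList {
    param([string] $Notes)
    $ids = @(); $bad = @()
    foreach ($part in ($Notes -split ',')) {
        $p = $part.Trim()
        if (-not $p) { continue }
        if ($p -match '^\d+$') { $ids += [int]$p } else { $bad += $p }
    }
    [pscustomobject]@{ Ids = $ids; Invalid = $bad }
}

$plain = [System.Net.NetworkCredential]::new('', $ApiPassword).Password
$proxy = New-WebServiceProxy -Uri "$SecretServerUrl/webservices/sswebservice.asmx" -UseDefaultCredential

$auth = $proxy.Authenticate($ApiUser, $plain, '', $ApiDomain)
if ($auth.Errors.Length -gt 0) { throw "Authentication failed: $($auth.Errors[0])" }
$token = $auth.Token

# Read the parent secret and pull out its Notes field, which must hold the child IDs.
$parent = $proxy.GetSecret($token, $ParentSecretId, $false, $null)
if ($parent.Errors.Length -gt 0) { throw "Cannot read parent secret ${ParentSecretId}: $($parent.Errors[0])" }
$notesItem = $parent.Secret.Items | Where-Object { $_.IsNotes -or $_.FieldName -eq 'Notes' } | Select-Object -First 1
if (-not $notesItem) { throw "Parent secret $ParentSecretId has no Notes field" }

$parsed = ConvertFrom-ChildIdList -Notes $notesItem.Value
if ($parsed.Invalid.Count -gt 0) {
    Write-Warning ("Notes contains entries that are not secret IDs: " + ($parsed.Invalid -join ', '))
}

# For every child: can the API account read it, and does it have a password field to update?
foreach ($id in $parsed.Ids) {
    $child = $proxy.GetSecret($token, $id, $false, $null)
    if ($child.Errors.Length -gt 0) {
        Write-Warning "Child ${id}: not readable by $ApiUser ($($child.Errors[0])) - check its Sharing tab"
        continue
    }
    $pwFields = @($child.Secret.Items | Where-Object { $_.IsPassword })
    $state = if ($pwFields.Count -eq 0) { 'NO PASSWORD FIELD - nothing would be synced' } else { 'ok' }
    Write-Output ("Child {0} '{1}': {2}" -f $id, $child.Secret.Name, $state)
}
```

A successful read only proves View access; whether the API account also holds the Edit permission required by UpdateSecret is confirmed the first time a real change runs, so keep the first test to a non-production primary account.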


13. Create a role and assign it to users

- From the Admin tab → Roles.
- Click Create New.
- Enter the role name, for example:
o "NBE_Unix_Admins_SSH".
- Move the required permissions from the left panel (Permissions Unassigned) to the right panel (Permissions Assigned), for example:
o "View Folders, View Secrets".
  Keep the set to the minimum the team needs; the example above grants read access only.
- Click Save.
- Then assign the role to users:
- Click Assign Roles.
- Select the role name under Role.
- Click Edit.
- Move users from the right panel (Unassigned) to the left panel (Assigned).
- Click Save Changes.


14. Assign a secret policy to folders

- From Admin → Folders.
- Choose the folder to which the secret policy will be assigned.
- Click Edit.
- Select the secret policy from the drop-down list.
- Click Save.


15. Share secrets

- Go to the secret you want to share.
- Click the Sharing tab.
- The Shared With section lists the users and groups the secret is shared with. By default the secret inherits its permissions from its folder; to change the list you must first disable the Inherit Permissions from Folder option.
- Click Edit.
- Uncheck Inherit Permissions from Folder.
- Search for the user with whom the secret is to be shared and set the permission to grant.
- Click Save.


16. Create a password policy

- From Admin → Secret Templates.
- Click Character Sets.
- Enter the name of the character set that the password policy will use.
- Enter the characters in the Character Set field.
- Click the Add icon to save.
- Click Back.
- Click Password Requirements.
- Click Create New.
- Type the name and description.
- If you want the requirement to become the new default, select the Is Default check box.
- Set the general options for the requirement (such as minimum and maximum length) in the Generate Password section.
- Add one or more password rules:
• Select the type of rule in the first drop-down list of the Password Rules section.
• Set that type's parameter in the following text box.
• Select the character set from the "from" drop-down list.
• Click the + icon to save the rule.
- Click Save.
- To set a custom password requirement for a specific secret, use Customize Password Requirement on the Security tab of the secret.
- Validation of manually entered passwords can be enabled or disabled at the secret template level with the "Validate Password Requirements on Create" and "Validate Password Requirements on Edit" settings.
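The example below shows what a password requirement of this kind enforces, as a small PowerShell model: character sets, a length range and "at least N characters from set X" rules, with a validator that lists every violated rule and a generator that uses the .NET cryptographic RNG (Get-Random is not suitable for credential material). It is an added illustration, not Secret Server's own implementation; the character set names and the requirement values are assumed, not taken from the document.

```powershell
# Character sets as they would be defined under Admin > Secret Templates > Character Sets (names assumed).
$CharacterSets = @{
    Upper   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    Lower   = 'abcdefghijklmnopqrstuvwxyz'
    Digits  = '0123456789'
    Symbols = '!@#$%^&*()-_=+'
}

# A password requirement: length bounds plus "at least N characters from set" rules (values assumed).
$SqlSaRequirement = @{
    MinLength = 16
    MaxLength = 24
    Rules     = @(
        @{ Min = 2; From = 'Upper' },
        @{ Min = 2; From = 'Lower' },
        @{ Min = 2; From = 'Digits' },
        @{ Min = 2; From = 'Symbols' }
    )
}

# Returns the list of violated rules; an empty result means the password is compliant.
function Test-PasswordRequirement {
    param([string] $Password, [hashtable] $Requirement, [hashtable] $Sets)
    $failures = @()
    if ($Password.Length -lt $Requirement.MinLength) { $failures += "shorter than $($Requirement.MinLength)" }
    if ($Password.Length -gt $Requirement.MaxLength) { $failures += "longer than $($Requirement.MaxLength)" }
    foreach ($rule in $Requirement.Rules) {
        $set   = $Sets[$rule.From].ToCharArray()
        $count = @($Password.ToCharArray() | Where-Object { $set -contains $_ }).Count
        if ($count -lt $rule.Min) { $failures += "needs at least $($rule.Min) from $($rule.From), has $count" }
    }
    return $failures
}

# Uniform cryptographically random index in [0, $Max); rejection sampling removes modulo bias.
function Get-SecureIndex {
    param([int] $Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = [byte[]]::new(4)
    $limit = [uint32]([uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max))
    do {
        $rng.GetBytes($bytes)
        $v = [System.BitConverter]::ToUInt32($bytes, 0)
    } while ($v -ge $limit)
    return [int]($v % [uint32]$Max)
}

function New-CompliantPassword {
    param([hashtable] $Requirement, [hashtable] $Sets)
    $chars = [System.Collections.Generic.List[char]]::new()
    # Satisfy each rule first, so the result is compliant by construction...
    foreach ($rule in $Requirement.Rules) {
        $set = $Sets[$rule.From]
        for ($i = 0; $i -lt $rule.Min; $i++) { $chars.Add($set[(Get-SecureIndex $set.Length)]) }
    }
    # ...pad to the minimum length from the union of all sets...
    $all = -join $Sets.Values
    while ($chars.Count -lt $Requirement.MinLength) { $chars.Add($all[(Get-SecureIndex $all.Length)]) }
    # ...and shuffle (Fisher-Yates) so the rule characters are not clustered at the front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $password = -join $chars
    $problems = Test-PasswordRequirement -Password $password -Requirement $Requirement -Sets $Sets
    if ($problems) { throw "generated password failed validation: $($problems -join '; ')" }
    return $password
}

New-CompliantPassword -Requirement $SqlSaRequirement -Sets $CharacterSets
Test-PasswordRequirement -Password 'Password1' -Requirement $SqlSaRequirement -Sets $CharacterSets
```

The last line lists the rules a weak manual entry breaks (too short, too few digits and no symbols), which is the behaviour the "Validate Password Requirements on Create/Edit" template settings switch on for manually entered passwords.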


17. Upgrade Secret Server and Privilege Manager without outbound access

- Stop the application pool on the second node.
- From a computer that does have outbound network access and Secret Server access, go to the Secret Server upgrade page by browsing to https://<yourinstance>/Installer.aspx?patch=true (filling in your Secret Server URL for <yourinstance>). The upgrade wizard appears.
- Click Enable Maintenance Mode.
- Click Backup.
- Click Continue. The next page appears.
- Download the latest version .zip file by clicking Download Latest Version on the installer page. The file name will look like Version_10_2_000000.zip. Note where you save it.
- Click Choose File and select the Secret Server .zip file you just downloaded.
- Click Upload Upgrade File.
- Click Install This Version.
- When the installation has finished, the confirmation page shown above appears.
- Navigate to the TMS web folder (D:\inetpub\wwwroot\TMS\).
- Open the web.config file in Notepad run as Administrator.

Update the "value" attribute of this item:

<add key="nuget:source:SolutionCentre" value="http://tmsnuget.thycotic.com/nuget/" />

to C:\ProgramData\NugetCache\, so that it reads:

<add key="nuget:source:SolutionCentre" value="C:\ProgramData\NugetCache\" />

- Save the web.config file.
- Recycle the TMS application pools.
- Navigate to https://<webserver>/TMS/Setup/ProductOptions/ShowProducts.
- Click the Install/Upgrade Products button.
- Wait until the installation has finished.
- Once upgraded and working, copy the SecretServer folder (without the database.config and encryption.config files) and the TMS folder (without the connectionstrings.config file) to all secondary servers, replacing the content of the existing web application folder with the new one. These files are already present on the secondary nodes from the cluster setup; encryption.config in particular carries the encryption key material and should not be copied around more than necessary.
- Disable maintenance mode.
- Start the application pool on the second node.
- The upgrade is complete.
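The two hand-edits in this procedure (the web.config change and the copy to the secondary nodes) are the ones most easily got wrong, so the following PowerShell is an added example of doing both in a repeatable way. It is not part of the original document or of the vendor's tooling. The TMS path and NuGet cache path are the ones the document gives; the SecretServer path and the secondary node names are assumptions, and the copy relies on the D$ administrative share with the same folder layout on every node.

```powershell
param(
    [string]   $TmsPath          = 'D:\inetpub\wwwroot\TMS',            # from the document
    [string]   $SecretServerPath = 'D:\inetpub\wwwroot\SecretServer',   # assumed: not stated in the document
    [string]   $NugetCache       = 'C:\ProgramData\NugetCache\',        # from the document
    [string[]] $SecondaryNodes   = @('NBE-PAM-02')                      # placeholder host names
)

# Step 1: point the TMS NuGet source at the local cache. Editing web.config as XML leaves
# the rest of the file, including every other <add> entry, exactly as it was.
function Set-TmsNugetSource {
    param([string] $WebConfig, [string] $Source)
    Copy-Item $WebConfig "$WebConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # rollback copy
    [xml] $xml = Get-Content -Path $WebConfig -Raw
    $node = $xml.SelectSingleNode("//add[@key='nuget:source:SolutionCentre']")
    if (-not $node) { throw "nuget:source:SolutionCentre key not found in $WebConfig" }
    $node.SetAttribute('value', $Source)
    $xml.Save($WebConfig)
    return $node.GetAttribute('value')
}

# Step 2: replicate an upgraded application folder to a secondary node, excluding the
# per-installation files the document says must not be overwritten. /E copies the tree without
# purging, so nothing already on the secondary is deleted; /XF skips the listed file names.
function Sync-WebFolder {
    param([string] $Source, [string] $DestRoot, [string[]] $ExcludeFiles)
    $dest = Join-Path $DestRoot (Split-Path $Source -Leaf)
    & robocopy.exe $Source $dest /E /XF $ExcludeFiles /R:1 /W:5 /NP /LOG+:"$env:TEMP\pam-upgrade-sync.log"
    # robocopy exit codes 0-7 mean success (with or without copies); 8 and above mean failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy to $dest failed with exit code $LASTEXITCODE" }
}

# Usage on the primary node, in the order the procedure prescribes.
$value = Set-TmsNugetSource -WebConfig (Join-Path $TmsPath 'web.config') -Source $NugetCache
Write-Output "nuget:source:SolutionCentre now = $value"

# (Recycle the TMS application pools and run Install/Upgrade Products in the browser here.)

foreach ($node in $SecondaryNodes) {
    $root = "\\$node\D$\inetpub\wwwroot"
    Sync-WebFolder -Source $SecretServerPath -DestRoot $root -ExcludeFiles @('database.config', 'encryption.config')
    Sync-WebFolder -Source $TmsPath          -DestRoot $root -ExcludeFiles @('connectionstrings.config')
}
```

Because /E does not purge, files that existed only in the previous version remain on the secondary nodes; that is the safer default here, since a mirroring copy that also deleted files would have to be trusted never to touch encryption.config. Check the log file for any entries marked as failed before disabling maintenance mode.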
