
Getting Started

Cookbook
3.12

Copyright 2021 MT4 Tecnologia Ltda.


All rights reserved. Reproduction or distribution of this material in any format without
formal permission of MT4 is prohibited.
v1.0 2021–2.
Contents

1 Introduction
1.1 Who is this cookbook for?
1.2 Symbols used in this cookbook

2 Deployment
2.1 How to get the OVA
2.2 Configuring Network Interfaces
2.2.1 For senhasegura® version 3.2 or above
2.2.2 For senhasegura® versions prior to 3.2

3 Affinity Portal

4 Activation of the senhasegura application
4.1 Wizard
4.2 Activate the application
4.3 Creating a new administrator user
4.3.1 Through the quick actions button
4.3.2 Through the side menu
4.3.3 New user
4.4 First Log In
4.4.1 EULA

5 Devices, Credentials and their actions
5.1 Registering the First Device
5.1.1 Through the quick actions button
5.1.2 Through the side menu
5.1.3 Device registration
5.2 Adding First Credential
5.2.1 Through the quick actions button
5.2.2 Through the side menu
5.2.3 Credential registration
5.3 Performing a session and a password view
5.3.1 Start a session
5.3.2 Performing a password view
5.4 Performing a password change
5.4.1 Enabling password change on credential
5.4.2 Requesting a password exchange
5.4.3 Checking the change

6 Notifiers
6.1 Registering notifications
6.1.1 Sent notification list
6.1.2 Texts
6.2 Configuring an E-mail account
6.2.1 Setting up an SMTP account
6.2.2 Setting up a POP3/IMAP account
6.3 Screen notifications
6.3.1 Registering screen notifications
6.3.2 Screen notifications list
6.3.3 Parameters
6.4 Integration with SMS service

7 Conclusion

8 Use terms and conditions
8.1 senhasegura licenses
8.2 Other licenses

1 Introduction

This book explains, in simple terms, how to use senhasegura®, from its installation to the use of its basic functions.

1.1 Who is this cookbook for?

The senhasegura® Getting Started Cookbook was written for deployers, users, and system administrators who need a first experience with some features of senhasegura®.

1.2 Symbols used in this cookbook

This book uses the following symbols to highlight information that should be taken into
account for the best use of senhasegura® :

Tip - useful information that can make the use of the solution
more dynamic.

Alert - actions and items that cannot be ignored


Commands : data that must be entered in the same way as described in this book.

URLs : paths to access web pages.

<KEYS> : keyboard paths that will be used to perform actions.

2 Deployment

2.1 How to get the OVA

To start using the solution, it is necessary to purchase the virtual machine used to perform the installation and other activities. The senhasegura® OVA can be found in our support portal:

1. Access the support portal through the URL https://suporte.senhasegura.com.br/ and enter the access credentials granted by the deployment team.

2. In the portal, follow the path: Solution ⇒ Deployment ⇒ Public ⇒ senhasegura virtual machines

3. A list of available machines will be displayed. Click the desired machine and download it.

If you do not have your credentials to access our support portal or cannot access the list of virtual machines, we recommend that you contact our support team through one of the following channels:

Telephone: +55 11 3069.3930

Email: support@senhasegura.com.br

Portal: https://suporte.senhasegura.com.br


2.2 Configuring Network Interfaces

2.2.1 For senhasegura® version 3.2 or above

In version 3.2 and above, senhasegura® provides the user mt4adm as the maintenance and configuration user of the operating system that hosts senhasegura®.

To standardize and ensure the operation of all systems that make up the solution, we provide a command-line Orbit client to handle the tasks already accessible through the Orbit Web interface. This cookbook only explains how to configure the network interface through the command line; more details about the command-line Orbit client are in its dedicated manual.

To configure the network interface, perform the following steps:

1. Log in locally.

For senhasegura® OVAs version 3.10 and above, you should log in using the following user:

user: mt4adm

password: mt4adm

For older versions, contact our Support team.

After the first successful access, you will be asked to change the password of the default user immediately.

2. Check that the instance contains the orbit binary with a simple version check:

$ sudo orbit version

If the binary is not installed, please contact our support so that we can assist you in updating the instance. If the binary is installed correctly, continue with the network interface configuration.

3. Execute the command $ sudo orbit network and answer the questions related to the configuration of the primary network interface, eth0.

4. At the end, you should receive a success message as in the example:

Figure 2.1: Network configuration example

5. Now that the network interface is properly configured, configure the NTP server to correct the server time:

$ sudo orbit ntp --servers=SERVER1,SERVER2 --listen-interface=eth0

Figure 2.2: Example of NTP configuration

6. Update the platform using our official mirror so that this instance receives the most up-to-date version of senhasegura®.

If you are configuring an instance that is part of a cluster, ensure that all instances are properly updated to the same version before starting the cluster.

The sequence of commands below will update the package list, update the Orbit binary and update the platform. A long log output will be displayed and this process may take a few minutes.

$ sudo apt-get update
$ sudo apt-get install orbit
$ sudo orbit upgrade

7. You will need to restart the instance to ensure that all services use this configured
interface.

$ sudo orbit shutdown --reboot

8. Wait for the instance to finish the reboot; the system will then be available through the web interface.
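
The non-interactive commands from steps 2, 5, 6 and 7 above, wrapped so that the arguments are validated and the sequence stops at the first failure instead of rebooting after a failed update. This is an added example, not senhasegura's own tooling; it assumes orbit and apt-get return a non-zero exit status on failure, and the script name and server names in its usage comment are constructed.

```sh
#!/bin/sh
# Added example, not vendor tooling. Covers steps 2, 5, 6 and 7 of section 2.2.1.
# Step 3 (sudo orbit network) is interactive and must be answered beforehand.
# Assumption: orbit and apt-get exit non-zero when they fail.
# Usage (hypothetical file name, constructed hosts):
#   sh orbit-setup.sh --run ntp1.example.org,ntp2.example.org eth0

DRY_RUN=${DRY_RUN:-0}      # 1 = print the commands without running them

# Accept only a comma-separated list of host names or IP addresses.
valid_server_list() {
    case $1 in
        ''|,*|*,|*,,*) return 1 ;;          # empty list or empty item
        *[!A-Za-z0-9.:,-]*) return 1 ;;     # anything but host/IP characters
    esac
    return 0
}

# Accept interface names such as eth0 (letters, digits, '.', '_', '-').
valid_interface() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the command, then run it unless DRY_RUN=1.
run_step() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = 1 ]; then return 0; fi
    "$@"
}

# deploy SERVERS INTERFACE
# Returns 2 on bad arguments, 1 if a step failed, 0 when the reboot was issued.
deploy() {
    servers=$1
    iface=$2
    valid_server_list "$servers" || { echo "bad NTP server list" >&2; return 2; }
    valid_interface "$iface"     || { echo "bad interface name" >&2; return 2; }

    # Step 2: the orbit binary must be present.
    run_step sudo orbit version || return 1
    # Step 5: NTP servers and listening interface.
    run_step sudo orbit ntp "--servers=$servers" "--listen-interface=$iface" || return 1
    # Step 6: package list, Orbit binary, platform.
    run_step sudo apt-get update || return 1
    run_step sudo apt-get install orbit || return 1
    run_step sudo orbit upgrade || return 1
    # Step 7: reached only when every command above succeeded.
    run_step sudo orbit shutdown --reboot
}

if [ "${1:-}" = "--run" ]; then
    deploy "$2" "$3"
fi
```

Setting DRY_RUN=1 prints the command sequence without touching the instance, which is useful for reviewing the exact arguments before a maintenance window.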


2.2.2 For senhasegura® versions prior to 3.2

Once you have imported the senhasegura® OVA into your virtualization framework, you must log in locally to the senhasegura® console using the user and password provided by senhasegura® support to proceed with the network interface configuration.

Please contact our support team if you have not received your
login information.

1. Open a local session with the access information acquired in the Deployment process.

This connection can only be made locally for security reasons.

2. You will be presented with a network configuration screen as shown in figure 2.3. Use the <TAB> key and the arrow keys to navigate between the fields.

3. Confirm the dialog box if you want to configure senhasegura® via DHCP, or deny it
if you want to configure network settings manually.


Figure 2.3: Screen of choice for network configuration

4. Fill in the fields according to your network settings and confirm with <Save>. If you want to cancel the changes, click <Cancel>.

If anything changes in the future, these network settings can be changed in the application itself after activation.

5. A new confirmation window will be displayed. Use the <TAB> key again to select between the options and the <ENTER> key to confirm your choice. If you wish to cancel this setting and use the information provided by DHCP, select the cancel option.

6. If you have confirmed your choice, the machine will restart and you will be able to activate the solution as demonstrated next.

All confirmed changes generate a server restart.

3 Affinity Portal

This chapter walks through the steps for the successful activation of the application and explains the use of the Affinity portal for partners and specialized users.

It is important to note that this step focuses on activating the license to use the application and not on the activation of the application itself, i.e. it confirms that the activation requestor has the right to use the application and to deliver the services according to what was contracted.

To activate the senhasegura® license, follow these steps:

1. In your Web browser, enter the senhasegura® host IP configured in the previous step to access the activation screen of your instance.

2. An activation code will be displayed as in figure 3.1. Copy this code.


Figure 3.1: Instance activation code

3. In another window of your browser, access the senhasegura® activation portal, Affinity [1], and use your username and password to authenticate yourself.

If this is your first access to Affinity Portal, you will need to change your password before access can be granted. Check the criteria for creating the password.

4. Once authenticated, access the menu: Activation ⇒ Activation ⇒ Activation license

5. In this first step, select the resale for which this license is intended and click the arrow button to continue.

6. Then choose the type of license that will be used, which can be:

POC: Used in presentations and proofs of concept. It should preferably have a short expiration time and fewer devices and users.

Production: Used in real customer production environments. Its term and quantities are suited to the client's reality.

Then click the arrow button to continue.

[1] https://affinity.senhasegura.io

The licensing of senhasegura® depends on the contract signed between the client and MT4 Technology. This license will directly influence the number of users and devices that can be inserted in the application.

It is also possible to request new license types. Please contact the support team for more details.

7. In the next step define the license details in the fields:

Account: Select the organization to which the license will be destined.

Start of term: The date on which the terms of this license begin to be valid. The date set in this field is the calculation parameter for the Expiration days field.

Expiration days: Period of validity of the license.

Block senhasegura after license expiration: Check this option if you want senhasegura® to be blocked after the license expires. If this option is not selected, senhasegura® will display only a renewal alert.

For licenses of the type POC it is not possible to interact with this option, since this type of license already performs the automatic blocking.

8. Paste the activation code into the Request code genered by Orbit field

9. Select the senhasegura® modules that will be available in this instance.

10. Click on Generate Activation Key.

The result will be the issuance of a license key. Besides the key, you can see a detailed summary of the license with information such as: who made the request, the start date of validity of the license, the calculated expiration date, whether the automatic block is set, and the modules of the instance, among other details.


11. Copy the license code issued in the Activation code field and paste it in the activation screen of your instance.

12. After entering the key click on the Activate application button.

After entering the activation key, click the Activate application button only once. If you accidentally click the button without a valid license filled in, the application will be inactivated and you will need to perform the process again.

From this moment on, senhasegura® will be active and the chosen modules will be available for the instance.

After the license activation, it will be possible to activate the application.

After performing the application activation, explained in the following section, you can access the menu: Orbit ⇒ Application ⇒ Licenses and check license details, such as: name of the instance client, calculation of expiration date, licenses assigned to this instance, modules granted and other details.

4 Activation of the senhasegura application

This section describes how to activate the application, which makes senhasegura® ready for the first activities in the system.

To activate the application, access the IP or host URL again through your web browser and follow these steps:

1. On the login screen, enter the default administrator user credentials.

For senhasegura® 3.10 and above, the login information is:

user: admin

password: 5enh@5eGuR@!

For previous versions of senhasegura®, you should contact the support team to request the admin password.
After the first successful access you will be asked to immediately change the password of the default user.

2. Once you have successfully authenticated and changed the password, the Orbit options panel and the Wizard settings screen will be displayed.

4.1 Wizard

In a new instance of senhasegura®, right after activation through license, you will be presented with the first step of the Orbit Wizard. If for any reason you wish to review the Orbit Wizard procedures, a button on the main panel can be used to restart its steps.

First step In this first step you can define: Hostname, Application URL, Application title, Default language, Timezone, NTP settings and DNS Settings.

When you change the Hostname, the server will be restarted.
When changing the NTP server, the NTP service will be restarted and users will be logged off.
When changing the DNS server, make sure that senhasegura® will have access to the other network elements already configured.

Second step In the second step you can configure Backup. If you want the backup to be exported to a remote disk partition, you can configure it through CIFS, NFS or direct sending using RSYNC. The partition type is specified later in the section "Managing disks and partitions".

There is no need to install third-party software to manage the backup. Doing so is discouraged, as the platform is homologated with restricted third-party software.

If the client has a backup agent, we recommend that this agent be installed on the server that contains the remote folder that will receive the backup copy.

If the system loses access to the remote backup directory, a notification via email and SIEM will be sent.

Third step In this third and last step you can add the instance to an existing cluster.

The senhasegura® cluster is restricted to the database. However, you can configure the files generated by the instance to be replicated to other members as well.

If you have chosen to configure the cluster, the database service will be restarted.

The actions in this third step of the Wizard can be summarized as follows:

1. If you want to activate the cluster, select yes in enable high availability and/or Contingency environment.
2. By default, senhasegura® will only replicate the database layer between the instances. If you also want to replicate the video files, select yes in enabling replication of session files.
3. In the section members of the High Availability or Contingency environment, indicate the IP of the cluster members.

The order of these members should be the same among all members.

4. If cluster members are in different datacenters, select yes in the the members are in different datacenters field.
Configure the latency between clusters with the options of the Latency between nodes field.
Also, set the instance indicator in the Network segment field if you have more than one instance of senhasegura® in the same datacenter.
5. Click Finish for Orbit to apply the cluster settings.
6. You will be directed to the replication status screen to check the results.

When you finish the third step, wait for the instance to normalize and you will be ready
to activate the application and use all functionalities!

4.2 Activate the application

After passing through the Wizard steps, follow the instructions:

1. Click on the button Settings.
You can also access the settings screen via the side menu by clicking on Settings ⇒ Application

2. In the application settings screen (4.1) select the option Enable application.
On this screen you can also change the title and URL of the application, as well as the email for notifications. These and other application settings items will be dealt with in future chapters.

Figure 4.1: Application settings screen

3. Click on Save.

From this moment the application is ready for the first configurations and activities. Log out and access the solution again so that the other modules can be loaded.


4.3 Creating a new administrator user

After activating the application, it is important to create another administrator user. This prevents access to the application from being interrupted if some problem causes the already configured user to be blocked or its password to be lost.

To create a second administrator user you can follow one of the paths below:

4.3.1 Through the quick actions button

In the top corner of the application click the Quick Actions button and select the User option, as in image 4.2.

Figure 4.2: Quick actions button to access the user creation form


4.3.2 Through the side menu

In the side menu (4.3) click on the shield icon and follow the path Settings ⇒ System users ⇒ Users.

Figure 4.3: Side menu to access the user creation form

Click the Show actions button in the report and then click the New option.

4.3.3 New user

Both paths lead to the system's user creation form. It is important to fill in the fields carefully, as this information will not only be used for system access but will also be present in some module reports that may influence audit activities. To fill out the form:


General Tab

1. In the field Name, fill in the name of the person who will use this user to access the system.

2. In the field Email, enter the email to contact this user, if desired, since this field is not required.

The e-mail must be filled in if you want the system to create a password and send it automatically to the user.
No administrator knowledge of the password is required.

3. Then enter in the Username field the login name of this user.

Figure 4.4: User registration form

4. Click the Set Password Manually checkbox next to the Password field and register a password for this user.
The password to be registered must follow a policy that requires that the password has:

• at least 10 characters
• at least one lower case letter
• at least one capital letter
• at least one symbol
• Numbers that are not in numerical sequence

If you choose not to register the password, do not click the checkbox.

If a password is not registered, the user will receive a password generated by the system by e-mail.
If the e-mail has not been filled in, the user will not receive the password, making access to the application impossible.

5. In the field Department, select the department of the employee, if desired, since this field is not mandatory.

6. Likewise, enter the phone number for contacting the employee in the phone field. This is not a required field either.

7. Select the options in relation to the Orbit.

Status: if you want the user to be active for use, select the option Enabled; if you do not, select the option Disabled.
Access to Orbit: if you want this user to be able to access and configure Orbit, select the option Enabled; if you do not, select the option Disabled.

This decision is very important due to the criticality that Orbit represents for the application, so select only those users who actually should have access to this module.

8. After entering the desired information go to the next tab:

senhasegura Tab This tab presents the profiles and access groups that this user can be part of.

Other books and the manual explain in more detail what profiles and access groups are and how to create and edit them. For now, keep in mind that these profiles define the levels and amounts of permissions the user will receive.


Figure 4.5: Profiles and access groups registered by default in senhasegura®

Likewise, access groups define various access permissions that users may receive in relation to different modules of senhasegura®.

senhasegura® has some profiles and access groups registered by default. The profile Administrator is the one with the highest number of permissions, and the group Full Access grants full access to the credentials registered.
So be very careful when selecting these options for any user, and make sure that only those who need these privileges have these options set.

Select the profiles and access groups you wish to assign to the user and click the Save button.

This user can now be used to perform some activities in the application; to do so, it will be necessary to log in with its credentials.
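
The password policy listed in the General Tab above, written as a pre-check for a manually chosen password. This is an added example, not senhasegura code; it assumes that "symbol" means a punctuation character and that "not in numerical sequence" means no run of three or more consecutive ascending or descending digits, and it does not require a digit to be present. The sample passwords used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not vendor code: check a candidate password against the five
# rules listed in the user form.
# Assumptions (the product may interpret the rules differently):
#   - "symbol" = any punctuation character
#   - "numbers not in numerical sequence" = no run of SEQ_LEN or more digits
#     that ascend or descend by one (123, 987)

SEQ_LEN=3   # assumed threshold for a digit run

# Exit 0 if $1 contains a run of SEQ_LEN or more ascending/descending digits.
has_digit_sequence() {
    rest=$1; prev=''; step=0; run=1
    while [ -n "$rest" ]; do
        rem=${rest#?}
        ch=${rest%"$rem"}           # first character of $rest
        rest=$rem
        case $ch in
            [0-9])
                if [ -n "$prev" ]; then diff=$((ch - prev)); else diff=0; fi
                case $diff in
                    1|-1)
                        # Same direction as before extends the run,
                        # a change of direction starts a new run of two.
                        if [ "$diff" -eq "$step" ]; then
                            run=$((run + 1))
                        else
                            run=2
                        fi
                        step=$diff ;;
                    *)  step=0; run=1 ;;
                esac
                prev=$ch
                if [ "$run" -ge "$SEQ_LEN" ]; then return 0; fi ;;
            *)  prev=''; step=0; run=1 ;;   # a non-digit breaks any run
        esac
    done
    return 1
}

# Print the violated rules (space separated, empty if none).
# Exit 0 when the password satisfies every rule, 1 otherwise.
policy_violations() {
    pw=$1; bad=''
    [ "${#pw}" -ge 10 ] || bad="$bad length"
    case $pw in *[[:lower:]]*) ;; *) bad="$bad lowercase" ;; esac
    case $pw in *[[:upper:]]*) ;; *) bad="$bad uppercase" ;; esac
    case $pw in *[[:punct:]]*) ;; *) bad="$bad symbol" ;; esac
    if has_digit_sequence "$pw"; then bad="$bad digit-sequence"; fi
    bad=${bad# }
    printf '%s\n' "$bad"
    [ -z "$bad" ]
}
```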

4.4 First Log In

The first log in of a user in senhasegura® results in the definition of a new password, since for security reasons the password should be known only by the employee.

In the first log in the user will go through the following steps:

1. In the login screen, enter the credentials defined in the previous registration and click on Login.
Remember to use safe means to pass these credentials on to the user who will actually use them.

2. A screen will appear requiring a new password to be set by the user.

3. Enter the current password, the same one used to log in, as shown in image 4.6.

4. Then enter the new password following the password policy described in the box.


Figure 4.6: Password change screen

5. Enter the confirmation of the new password.

6. Click the Save button.

If the current password entered is correct and the new password follows the standards required by the policy, the change will be saved and the user will be redirected to the application.

4.4.1 EULA

If the user who is logging in for the first time has the profile of Administrator and has access to the module Orbit Web, he will be automatically redirected to the acceptance screen of the senhasegura® EULA.

The screen will display the text of the EULA, which are the terms and conditions governing the use of passwords. At least one of the Administrator users with access to the Orbit Web module must accept the terms in order for access to the rest of the solution to be granted.

This acceptance will only be made by administrator users who have access to the module Orbit.
It must be done again every time the EULA text is updated.

After reading the text, fill in the fields:

Name: Full name of the user who is doing the acceptance;

Email: Email address of the user who is carrying out the acceptance;

Company: Name of the organization that the user who is accepting works for;

Job title: Name of the position that the user who is doing the acceptance occupies in the organization filled in the previous field.

To see which versions of the EULA have been accepted and which users have carried out the acceptances, access the menu: Settings ⇒ EULA ⇒ Versions.

In this report you can consult when each version was accepted. Besides the information entered by the user during the acceptance, it is also possible to consult the IP that he used when he accepted the EULA.

The report action button allows you to see the text of the EULA that was accepted.

5 Devices, Credentials and their actions

5.1 Registering the First Device

Now that the additional settings have been made, it is possible to start using senhasegura® to manage access to devices and credentials.

Devices: all the items that will be accessed through the passwords, such as servers, workstations and others.

To register a device you can follow one of the paths below:

5.1.1 Through the quick actions button

In the top corner of the application click the Quick Actions button and select the Device
option.

5.1.2 Through the side menu

In the side menu click on the shield icon and follow the path Devices ⇒ Devices. Click the button in the report and then click the New option.


5.1.3 Device registration

Both ways lead to the form to register devices in senhasegura®. It is important to fill out the fields carefully, as this information will enable access to the devices through the application. To fill out the form follow the instructions:

Tab: Information

1. Fill in the IP of the device that will be registered.

2. Fill in the Internal Name.

3. Insert the device’s site.

4. Select the options: Type, Manufacturer and Model. senhasegura® has pre-registered options to be selected.

If your desired option is not on the list, just type in the term. These fields allow the immediate registration in the system of unregistered items, as figure 5.1 shows.


Figure 5.1: Immediate registration of typed items

5. In the section Domain settings it is possible to add the domain to which the device is linked through the Add button.

6. Tags can also be inserted for the device. This option is not mandatory, but can help in future configurations to create relationships with other devices and modules. The subject of tags is addressed in other books and in the manual.

7. Go to the next tab.

Tab: Connectivity

1. Select from the list the protocol you want to add to this device.

2. Enter the number of the port that will be used.

3. Click Add. At this point the protocol will be set for this device. If you want, add other protocols in the same way.

4. Test the added connections by clicking the Test button.


Figure 5.2: Test connectivity with the device

Check, through the status flag next to the button, that the connection with the chosen protocol was successfully made.

5. Click on Save.

After you finish the settings and click the save button, the device will be included in the report.

It is not necessary to fill in the tab Additional Settings at the moment, but if you wish to do so, consult the Operations Administrator's Manual.

5.2 Adding First Credential

This section presents the steps necessary to insert a credential to be managed by senhasegura®.

After inserting a device in senhasegura®, access to it through the solution cannot be made before the access credential for it is inserted in the system.

The vault can also protect these credentials from being accessed and used by users who do not have privileges.

To insert a credential follow the instructions:

5.2.1 Through the quick actions button

In the top corner of the application click the Quick Actions button and select the Credential
option.

5.2.2 Through the side menu

On the side menu click on the shield icon and follow the path PAM ⇒ Credentials ⇒ All. Click the Show actions button on the report and then click the New option.

5.2.3 Credential registration

Both ways lead to the form to insert credentials in senhasegura®. It is important to fill in the fields carefully, as this information will enable access to the devices using these credentials or using them in other ways. To fill out the form follow the instructions:

Tab: Information

1. Fill in the username used to access the machine, as shown in figure 5.3.


Figure 5.3: Credential registration form

2. Choose the Password type that this credential uses.

Local administrator: The credential has a password that belongs to a local administrator. A local administrator is a user account that only has administrative access in one device.

Local user: The credential has a password of a local regular user. A local user is a user account used to authenticate in just one device, without any administrator privileges.

Domain user: The credential has a password of a user belonging to the domain. A domain user is a user account used to authenticate in different devices of the same domain. When the password of this type of account is changed, the setting is replicated in all the domain's devices.

3. Choose or fill in the IP or hostname of the device to which this credential will grant access.

4. In some systems the login can be done using only the username for authentication; because of that, the field password is not required.


If the password is not filled in, it will not be possible to perform a Password view or Start a session in a system that requires a password for authentication.

However, if you wish to fill in the password, follow the instructions: select the Set current password box and enter the password that this credential uses to access the device.
Click on Show password if you want to check the characters you have typed.

You can also generate a password if the credential does not already have one. The system will create a password following the appropriate password policy for the previously selected password type.

You can also enter the password later by editing the credential.

5. Click Save to finish.

From now on the credential can be managed and protected by the vault.

To understand how to fill in the other tabs of the credential registration form please refer
to the Operation Administrator Manual.

5.3 Performing a session and a password view

Now that senhasegura® manages and stores the device’s credential, it is possible to allow users to view the credential’s password or start a session.

5.3.1 Start a session

Now that you have registered a credential for the device, you can perform the first session. To do so, follow the instructions:

1. Access the credentials report through the menu: PAM ⇒ Credentials ⇒ All

2. Choose the credential you wish to use to conduct the session:

You can use the filter at the top of the report to find the credential by its Code, Device, Type, Site, Domain and other items.

3. When you find the desired credential, click on its Start Session button.
The session will begin immediately.

5.3.2 Performing a password view

It is also possible to perform a first password view. To do so, follow the instructions:

1. Access the credentials report through the menu: PAM ⇒ Credentials ⇒ All

2. Choose the credential whose password you want to view:

You can use the filter at the top of the report to find the credential by its Code, Device, Type, Site, Domain and other items.

3. When you find the desired credential, click on its View password button. The options to view the password will be displayed:

View Password: This mode allows the password to be viewed completely by increasing or decreasing its level of clarity.
Copy Password: This mode copies the password to your clipboard without you needing to view or be aware of its content.
Spell password: This mode displays the password character by character.

After choosing a mode, the password can be viewed. Remember that the mode options are displayed for a set time; if you do not choose a mode in time, you will need to choose the credential and click the View password button again.
Password withdrawals and sessions can also be used to test the effectiveness of a password change, which we will cover in the following section.

5.4 Performing a password change

In this section you will learn how to execute a password change for a credential.

As previously mentioned, credentials are very important since they make it possible to use the devices managed by senhasegura®. Many of them therefore need to be changed in some situations, but changing each one manually takes a lot of time.

senhasegura® provides a function for automatic password exchange. To request a password exchange you must first configure the exchange in the credential, following the instructions:

5.4.1 Enabling password change on credential

1. Access the credentials report through the menu: PAM ⇒ Credentials ⇒ All.

2. Choose the credential whose password you wish to change:

You can use the filter at the top of the report to find the credential by its Code, Device, Type, Site, Domain and other items.

3. When you find the desired credential, click on its More Actions button.

4. Then click on the Edit option.

5. Go to the Execution Settings tab.

6. Select the checkbox Enable automatic change, as in figure 5.4.

Figure 5.4: Edit the run settings tab to enable automatic password exchange

7. Then choose the Plugin that will be used to execute the exchange.

8. Choose which Template¹ will also be used.

¹ For more information on password exchange templates, see the “Password Change Cookbook”.

Parent credential: If you wish to use a Parent Credential to perform the exchange, select from the options the credential you wish to use as a parent to perform the exchange on the child credential.

Parent credentials and child credentials are credentials that, for some reason, need
to have the same password.

• They can be related to each other, that is, they are the same credential used
for different services.
• They are not related, that is, they are different credentials, but with the same
password.

When you change the password of the parent credential automatically, the child credentials will have their passwords changed to the same value as the parent credential.

Changing the password for the parent credential will trigger the child credentials changing process. Each child credential can have different executors and templates. In other words, senhasegura® will apply the parent password to the child credentials respecting which plugin and template each child credential uses.
You can even keep your child credentials without a plugin and template. In this case, senhasegura® will only update the credential password value in senhasegura® without starting a remote exchange process.
When using the exchange schema with parent and child credentials, the parent credential will always be the first to be recycled and persisted in senhasegura®.

Remember to adjust the number of asynchronous executors for password change operations to the number of credentials managed by senhasegura®.

Authentication settings: To execute the change you need an authentication credential to perform the procedures, which can be:

Use own credential to connect: Select this box if you want the exchange to be executed by the very credential whose password is being changed.
Authentication Credential: Select a different credential that you want to use to execute the password change. This means that another credential registered in senhasegura® will authenticate itself on the device to change the password of the credential you want to change.

9. After entering the desired settings, click on Save.

The credential will now be available for selection in the exchange request report.

5.4.2 Requesting a password exchange

For the exchange to be executed, follow the instructions:

1. Access the execution reports: Executions ⇒ Request password change.

2. Pick the credential whose password you want changed:

You can use the filter at the top of the report to find the credential by its Code, Device, Type, Site, Domain and other items.

3. When you find the credential, click on the corresponding checkbox, as in figure 5.5.

4. Click on the Request password change button.

Figure 5.5: Example of credential selection for exchange

5.4.3 Checking the change

To verify that the exchange has been successfully performed, follow the instructions:

1. After verifying the request, follow it in the operations report through the menu: Executions ⇒ List operations. The color of the listed operation indicates the result:

Green: the change was successfully performed
Red: some error occurred and the change was not performed

Figure 5.6: Example of a list of successfully performed operations

Click the View attempts button if you want to understand how the process was executed.

To validate the effectiveness of the execution, perform a password view and see if there was in fact a swap.

6 Notifiers

The purpose of the Notifications module is to manage notifications sent through senhasegura®. Some actions performed on senhasegura® can be configured to send notifications to chosen users to report a change or an alert.

These notifications can be an error, certificate expiration or an access request. Administrators can know what is happening on the system and be aware of any suspicious behavior or error that occurred.

senhasegura® allows notifications to be sent through email, SMS or screen. They can be organized by type, and you can also choose which users will receive each type of notification.

6.1 Registering notifications

To register a new notification type, follow these steps:

1. Access the menu: Settings ⇒ Notifications ⇒ Settings

2. Click on the New notification register action button, and fill in the following fields:

| Field | Description |
|---|---|
| Notification name | Name that will identify the notification. Ex: SSH Command Audit Detected |
| Email | If this option is selected, notifications will be sent via email |
| Screen | If this option is selected, notifications will be displayed on the user’s desktop screen like a pop-up |
| SMS | If this option is selected, notifications will be sent via SMS |
| Send notifications only to contacts who have access to credentials or devices | If this option is selected, the notifications are sent only to contacts who have access to credentials or devices |

The following sections of this chapter will teach you how to configure the three types of notification.

3. On the Notification tab, click on the Add button to include a notification type

Figure 6.1: List of notification types

4. Select the notification types to be added

5. Click on the Add selected button

Figure 6.2: Notification configured with types of alert

6. On the Contacts tab, click on the Add button to include the contacts that will receive the registered alerts

7. Select the contacts to be added

8. Click on the Add selected button

9. Click on the Save button to complete the registration.

6.1.1 Sent notification list

To list sent notifications, access the menu: Settings ⇒ Notifications ⇒ List sent.

Figure 6.3: Report of notifications sent

On this screen, you can view the list of sent notifications along with a series of information, such as sending date, notification method, message content and number of notified users.

In addition, you can perform some operations such as approving or disapproving access
and viewing the notification details.

6.1.2 Texts

You can also modify all text templates used by senhasegura® in its notifications. To view notification texts, follow these steps:

1. Access the menu: Settings ⇒ Notifications ⇒ Texts

2. On this screen, you can set up the notification texts sent by email to approvers and requesters, as well as automatic notifications from senhasegura®. To modify a text:

3. Click on the Edit text button of the text to be modified.

4. Modify the desired data

5. Click on the Save button to complete the changes.

6.2 Configuring an E-mail account

Setting up an e-mail account on senhasegura® allows the application to send notifications about, for example, a password change, an upcoming certificate expiration or even suspicious access.

It’s important to include valid email addresses because some access requests will be notified to the approvers through email, and likewise the requesters will receive the request approval or disapproval reply.

6.2.1 Setting up an SMTP account

Through the Settings ⇒ Notifications ⇒ E-Mail ⇒ SMTP configuration menu you have access to all registered accounts on the platform.

Like all system entities, accounts can be active or inactive. In the case of SMTP accounts, however, there must be a default account. This default account is the one the platform will use.

Access the new account registration through the New report action, and fill in the fields.

Account Name: Account name for internal identification and distinction from other registered accounts;

Enabled: Flag it if this account is active for use on the platform;

Sender email: The email account that will be used to perform the sending;

Reply email: The email account that will receive the reply from the recipient;

Reply email (return path): Return email for error cases;

Confirmation email: Email for reading confirmation;

Default Account: Flag whether this account will be the platform’s default sending account;

Send read receipt: Flag whether to forward the read confirmation request;

Force settings use: Flag whether the email accounts set to Reply, Return-Path, and Confirmation must be maintained or can be changed by the module that performs the submission;

Enable footnote: Flag it if the automatic footer should be added in the email body;

SMTP server settings:
SMTP Host: Server address that hosts the SMTP service;
Port: SMTP service port;
Use a safe connection: Flag it if sending should be done over protocols with encryption;
Secure connection type: Type of cryptography. TLS or SSL;
Use authentication: Flag whether the server requires authentication or not;
Ignore certification error: Ignore SMTP server certificate errors;
Credential for authentication: The credential to be used for authentication on the SMTP server;

When you save the registration the account will be available for submission testing and
also for platform use.

Perform the submission test using the Send test mail record action. Fill in the recipient,
subject, and email body fields and click Send . The email is immediately sent.

Emails forwarded by the platform can be seen in the report accessible in Notifications ⇒ Email ⇒ Outbox.

6.2.2 Setting up a POP3/IMAP account

Through the Settings ⇒ Notifications ⇒ E-Mail ⇒ IMAP Configuration / POP3 menu you have access to all inbox accounts that senhasegura will interact with. Through the New report action you can register new accounts.

Account name: Name of the sign-in account for the identification of the record on the platform;

Keep copy on server: Flag whether the received email should have a copy in the POP3/IMAP server inbox;

Automatic check: Flag whether the platform should read inbox messages automatically;

Enabled: Flag whether the account is active for use on the platform;

Server configuration:
Address: Server address that hosts the POP3/IMAP service;
Protocol: Inbox read protocol. POP3 or IMAP;
Skip certificate: Flag whether inbox server certificate errors should be ignored;
Credential for authentication: The credential that will be used for authentication;
Port: The port on which the service is running on the target server;
Use safe connection: Flag it if communication with the service should be done using encryption;
Secure connection type: Type of cryptographic algorithm.

Then Save the registration.
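
The encryption and certificate flags in 6.2.1 and 6.2.2 decide whether the mail credential and the notification contents are protected in transit. The following added example (not senhasegura code) audits account settings for the weak combinations; the dictionary keys, the sample accounts and the port conventions ("SSL" as implicit TLS, "TLS" as STARTTLS, also assumed for inbox accounts) are assumptions.

```python
# Added example, not senhasegura code. Keys mirror the form labels in 6.2.1
# and 6.2.2; the dict layout is an assumption (the page shows no export format).

# Conventional ports. Assumption: "SSL" means implicit TLS and "TLS" means
# STARTTLS, as in most mail clients.
CONVENTIONAL_PORTS = {
    ("SMTP", "SSL"): 465, ("SMTP", "TLS"): 587,
    ("IMAP", "SSL"): 993, ("IMAP", "TLS"): 143,
    ("POP3", "SSL"): 995, ("POP3", "TLS"): 110,
}


def audit_mail_account(acct):
    """Return a list of (severity, finding) tuples for one account."""
    findings = []
    proto = acct["protocol"]  # "SMTP", "IMAP" or "POP3"
    # Inbox accounts always log in with a credential; SMTP only if flagged.
    authenticates = proto != "SMTP" or acct.get("use_authentication", False)

    if not acct.get("use_safe_connection", False):
        if authenticates:
            findings.append(("high", "credential is sent without encryption"))
        else:
            findings.append(("medium", "messages are sent without encryption"))
        return findings  # remaining checks only apply to encrypted links

    if acct.get("ignore_certificate_errors", False):
        # Encrypted but unauthenticated: any host can pose as the mail server.
        findings.append(("high", "server certificate is not validated"))

    conn_type = acct.get("secure_connection_type")
    expected = CONVENTIONAL_PORTS.get((proto, conn_type))
    if expected is None:
        findings.append(("medium", f"unknown connection type {conn_type!r}"))
    elif acct.get("port") != expected:
        findings.append(("info", f"port {acct.get('port')} is unusual for "
                                 f"{proto} over {conn_type}, expected {expected}"))
    return findings


# Constructed sample accounts (names, ports and flags are made up).
SAMPLE_ACCOUNTS = [
    {"name": "relay-main", "protocol": "SMTP", "port": 587,
     "use_safe_connection": True, "secure_connection_type": "TLS",
     "use_authentication": True, "ignore_certificate_errors": False},
    {"name": "relay-legacy", "protocol": "SMTP", "port": 25,
     "use_safe_connection": False, "use_authentication": True},
    {"name": "approvals-inbox", "protocol": "IMAP", "port": 143,
     "use_safe_connection": True, "secure_connection_type": "SSL",
     "ignore_certificate_errors": True},
]


def audit_all(accounts):
    """Map each account name to its findings."""
    return {a["name"]: audit_mail_account(a) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(name, "OK" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

A port mismatch is reported as informational because it usually shows up as a failed test mail, which is the moment an administrator is tempted to untick the safe connection box or tick the ignore-certificate box instead of correcting the port.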

6.3 Screen notifications

senhasegura® screen notifications allow the administrator to create notifications that will be displayed on the user’s desktop like a pop-up.

Unlike the previous notifications, which have pre-configured messages and types, screen notifications can be composed by the administrator.

It’s possible to create a personalized text, choose the display time and the user that will be notified.

6.3.1 Registering screen notifications

To register a new screen notification type, follow these steps:

1. Access the menu: Settings ⇒ Notifications ⇒ Screen notifications ⇒ New notification

2. Enter a title to identify the notification on the platform

3. Type the message you want to be displayed in the text of the notification

4. Determine the duration, in milliseconds, for which the notification will be displayed

5. Select the system users who will have the notification displayed on their screens

6. Click on Save

6.3.2 Screen notifications list

To list the screen notifications, access the menu: Settings ⇒ Notifications ⇒ Screen notifications ⇒ List notifications.

On this screen, you can view the list of sent screen notifications along with the text of the notification and details such as the author and date of display.

senhasegura® provides details about the screen notifications that can be used in an audit process, such as the time the notification was displayed for each user and the time each user closed the pop-up; this becomes evidence that the user was indeed notified and helps with the non-repudiation of the information.

Click on the View notification by user register action button to see all the details.

6.3.3 Parameters

It’s possible to adjust the default settings of the screen notifications through the menu: Settings ⇒ Notifications ⇒ Screen notifications ⇒ Parameters. On this screen it is possible to configure the display time, the maximum number of screen notifications and more.

6.4 Integration with SMS service

senhasegura® has an integration with the Zenvia¹ SMS service.

To be able to use this feature it is necessary to have a Zenvia account.

To configure this feature access: Settings ⇒ System parameters ⇒ System parameters and click on the Notifications tab, as in figure 6.4.

Figure 6.4: SMS service configuration

1. In the SMS Broker field, select the Zenvia service

2. Then enter the name that will appear in the message in the Sender field

3. In the User field, enter the username of the Zenvia user who will be responsible for notifications

4. Enter the password of this user in the Password field and finally click Save.

¹ https://www.zenvia.com/

With this setting in place, you will need to configure an SMS notification:

1. Create a new notification by accessing: Settings ⇒ Notifications ⇒ Settings

2. Enter a name for the notification and select the SMS option, as in figure 6.5

Figure 6.5: SMS notification register

3. Click the Save button and wait for the window to reload. If it closes, go back to the notification registration report and click the Edit action button of the newly created notification.

4. Select the type of Notification that will be sent by SMS.

The types of notifications that can be sent by SMS are:

• Access behaviour
• Workstation alerts
• Expiration of certificates
• About remote sessions
• Password operations
• Password backup
• Audit of commands
• Equipment connectivity
• About protected information
• Operations with credentials
• Monitoring

5. Then, in the Contacts tab, add the users who should receive these notifications by SMS

Users selected to receive this type of notification must have their mobile phone numbers registered in senhasegura®.

6. Click on Save to finish.

7 Conclusion

By completing this book you will have acquired the knowledge to perform the basic activities of the system and move on to more complex ones.

If you wish to continue learning how to use the system in the best possible way, please
ask our support team for our available documentation according to your profile and needs:

Manuals

• Technical Specification
• User Manual
• Tool Administrator Manual
• Operation Administrator Manual
• Auditor Manual
• Developer Manual

Guides

• Monitoring Guide

Cookbooks

• Getting Started Cookbook

8 Use terms and conditions

These terms and conditions define the use of any information in the senhasegura user manual. By using the manual or downloading materials from it you agree that you know and understand these terms and conditions and have accepted them. If not, please do not use this manual. MT4 reserves the right to change this manual and these terms and conditions at any time.

The information in this manual is protected by international copyright laws and treaties, and other intellectual property laws and treaties. You can download, reproduce, display and distribute the materials of the manual only for informational and non-commercial or personal use, as long as you do not modify them and keep all copyright and proprietary notices as they are shown in those Materials.

MT4 shall not be liable for any damages, including but not limited to indirect, special, incidental or consequential damages, as a result of contractual, negligent or other defective action resulting from the use of this material, whether or not MT4 has warned about the chance of such damage.

If you have questions regarding these Terms, or if you wish to contact MT4 senhasegura, please email sales@senhasegura.com or support@senhasegura.com

8.1 senhasegura licenses

The terms and conditions of use of the senhasegura software licenses are established in the sales contracts.

8.2 Other licenses

The development of the senhasegura software at MT4 uses some other software. The license conditions of this software are respected throughout the application. The software used, in part or in full, in one or more senhasegura modules is listed below:

Bootstrap: https://getbootstrap.com/docs/4.0/about/license/

DataTables: https://datatables.net/license

Debian: https://www.debian.org/legal/licenses/

Dojo: https://dojotoolkit.org/license.html

Fontawesome: https://fontawesome.com/license/free

Goutte: https://github.com/FriendsOfPHP/Goutte/blob/master/LICENSE

Guacamole: https://github.com/apache/guacamole-server/blob/master/LICENSE

Highcharts: https://www.highcharts.com/blog/products/highcharts/

iCheck: https://github.com/fronteed/iCheck/

inputmask: https://github.com/RobinHerbots/jquery.inputmask

Jquery: https://jquery.org/license/

jQuery Tags Input: https://github.com/xoxco/jQuery-Tags-Input

MariaDB: https://mariadb.com/kb/en/library/licensing-faq/

Mozilla Firefox: https://www.mozilla.org/en-US/MPL/

NGINX: https://nginx.org/en/

NProgress: http://ricostacruz.com/nprogress

Oracle Java 8: https://www.oracle.com/technetwork/java/javase/overview

Paramiko: https://github.com/paramiko/paramiko/blob/master/LICENSE

PhantomJS: https://phantomjs.org/

PHP: https://www.php.net/license/index.php

Python: https://docs.python.org/3/license.html

SmartWizard: https://github.com/mstratman/jQuery-Smart-Wizard

Switchery: https://www.javascripting.com/view/switchery

Tomcat: http://tomcat.apache.org/legal.html

WinRM: https://github.com/WinRb/WinRM

XRDP: https://github.com/deskor/xrdp/blob/master/LICENSE

CaitSith: https://caitsith.osdn.jp/
