TPAM

Quest One Privileged Password Management

Introduction
 Privileged Password Manager automates,
controls and secures the entire process of
granting administrators the credentials
necessary to perform their duties. Privileged
Password Manager is deployed on a secure,
hardened appliance.

 Privileged Password Manager ensures that
when administrators require elevated access
(typically through shared credentials, such
as the Unix root password), that access is
granted according to established policy, with
appropriate approvals; that all actions are
fully audited and tracked; and that the
password is changed immediately upon its
return.

 The Privileged Appliance and Modules (TPAM) suite from Dell
Software delivers privileged identity management and
privileged access control. The TPAM suite includes two
integrated modules:
 Privileged Password Manager (PPM)
 Enables secure storage, release control and change control of
privileged passwords across a heterogeneous deployment of
systems and applications, including passwords that are hardcoded
in scripts, procedures and programs.

 Privileged Session Manager (PSM)
 Enables you to issue privileged access for a specific period or session
to administrators, remote vendors and high-risk users, with full
recording and replay for auditing and compliance.

last-usebased. granular change control of shared credentials.  Change control  Supports configurable. A password request can be automatically approved or require any level of manual approvals. programs and scripts for the accounts they are entitled to access. including time-based. and manual or forced change . via a secure Web browser connection with support for mobile devices.Features  Release control  Manages password requests from authorized users.

 Auto discovery of:  Accounts and systems – Instantly discovers new accounts and systems.  Users – Automatically provisions users and maps permissions using your organization’s existing LDAP or Active Directory environment. and then either sends notifications about them to specified users or automatically enrolls them in management. .

 Application password management capabilities include:  Programmatic access – Includes both a command-line interface (CLI) and an application programming interface (API) with access for C++. . for a “Requestor.NET and Perl. satisfying the requirements of your most demanding applications. this is appropriate. Java.  Extensive command set – Includes a comprehensive set of commands that can be executed via the CLI or API. the appliance supports an optional cache that supports more than 1. procedures and other programs. Connectivity is via SSH with DSS key exchange. Application password support  Replaces hardcoded passwords in scripts.000 password requests a second. for example.  Optimal performance – Natively executes approximately 100 call requests per minute.  Role-based access – Supports role-based access for the CLI and API. Basic access enables the CLI or API to request account passwords and be granted access for authorized targets or accounts.” Admin access enables the CLI or API to perform administrative tasks. the solution supports extensive admin-level commands to provide tight integration with existing enterprise tools and workflows. You add a “programmatic” user with either “basic” access or “admin” access. . For applications requiring higher performance. Beyond simple “Get Password” commands.

database or other system-level modifications. It also fully supports two-factor authentication through Defender® or other third-party two-factor authentication products.  Secure appliance  Lacks a console port or console-level interface – the appliance can only be accessed via a secure. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities. as well as OS. Enterprise-ready integration  Integrates with existing directories. A robust CLI/API supports end-to-end integration with existing workflows and tools. including reviewer notification and escalation workflows. role-based Web interface that provides protection from host admin attacks. . including Active Directory and LDAP. ticketing systems and user authentication sources.

000 accounts at once. .  Secure password storage  Encrypts all passwords stored in Privileged Password Management using AES 256 encryption.  Handheld device support  Supports password request.  Robust target support  Manages shared credentials on the widest range of target servers. the appliance itself also includes full disk encryption using BitLocker™ Drive Encryption. network devices and applications. Scalable appliance  Provides secure. enterprise-ready access and management of shared credentials for more than 250. which is configurable on a per-user basis. approval and retrieval via handheld devices. In addition.

 Automated privileged governance   Take the hassle out of governing privileged users by automating the process for certifying and approving that only users that need access can request and gain access to privileged credentials. provision and attest to privileged and general user access within the same console when you integrate Identity Manager(D1IM) with Privileged Password Manager. . Users can request.

 With DPA v3.  PSM performs simplistic load balancing by sending the next session record or replay request to the active DPA with the most available sessions remaining.Distributed Processing Appliances (DPAs)  You have the option to purchase Distributed Processing Appliances (DPAs) to increase the number of concurrent PSM sessions that can be run.0+ you can now assign a DPA to a system to optimize password checking and changing.  Each additional DPA supports up to 150 additional concurrent sessions. At the system level (on the Affinity tab) you can assign the DPA that should perform password checking and changing for all the accounts on that system. .

High Availability Cluster  High availability clustering is an option for customers to support TPAM with a minimum of down time and eliminate a single point of failure.redundant appliance that is kept in synch with the primary.  Replica . .this role only applies to DPAs enrolled in the cluster and cannot be changed. Each appliance is configured with a cluster role.Acts as the information source for the cluster. Can be configured to automatically fail over if it loses contact with the primary. Only one primary allowed per cluster.  The cluster role choices are:  Primary .  Standalone .

.Archive Servers  Archive servers provide an external storage location for logs and offline backup files from TPAM.

Logs  The Logs menu lets the System Administrator view many logs with critical information about the appliance.  Logs available  Sys-Admin Activity Log  Security Log  Firewall Log  Database Log  Alerts Log  Proc Log  Archive Log  SysLog . All logs can be exported to an excel or csv file.

Reason Codes  Reason codes can be configured for requestors and ISAs to use when making a file. . To enable reason codes make sure that the reason code global settings have been set to Optional or Required. password or session request.

The number displayed in the Setting column represents the value set for the Option Name. .Global Settings  Global settings are used to maintain many key controls and parameters in TPAM.

Two managed accounts on the same system can have different password rules assigned. . If a system and account have different password rules the password rule assigned at the account level takes precedence.Password Rules  Password construction rules for managed systems are system and account specific.

as well as providing error alerting for defined administrators. requestors. system contacts. account contacts. . reviewers.Email Configuration  TPAM uses mail (SMTP) to provide notifications to approvers.

.Date and Time Configuration  The server time of the appliance is based on coordinated universal time (UTC). The UTC time zone never undergoes transitions between Standard and Daylight Savings time.

The remote systems have the public key of the key pair. has the private key. and is used to make secure connections to remote managed systems. not even Dell Software.Keys and Certificates  The SSH Private Key is stored on TPAM. . Dell Software provides an initial key pair for these connections when TPAM is shipped. It is common (and recommended) that these keys eventually be replaced. This ensures that no one.

several different agents can be enabled on the engine to perform privileged password management functions. Logs provide a record of agent activities and messages of success or failure.Automation Engine  The automation engine is the heart of TPAM. . Once the automation engine is running. This portion of the TPAM architecture is where password management on remote systems is configured and scheduled.

 Agents     Daily Maintenance Agent Auto Discovery Agent Post-Session Processing Agent SSH Daemon .Agents  The agents in TPAM execute scheduled tasks for different functions on a regular basis.

so the backup can be maintained without the risk of exposing sensitive data. Backups can be configured to run on automatically and moved securely to offline storage. .Backups  Considering the value of the information stored in TPAM the backup engine is an integral part of TPAM.  The backup is always encrypted.

Alerts  The alerts in TPAM allow you to receive notification via email or SNMP. for over eighty different errors or status notifications. .

External Authentication  TPAM supports several different methods of external authentication.        Certificate Based Authentication SafeWord RSA SecurID LDAP Windows Active Directory RADIUS Quest Defender .

request.” More than one ticket system can be configured. file. file. and so on. dates. accounts and files in the /tpam interface . requested account. or session request fails the validation rules that have been configured the request is immediately canceled and the requestor has the option to try again. or session request is submitted. If a password.  Assign the ticket system to systems.Ticket Systems  Ticket Systems are configured so that TPAM will validate ticket numbers and other information about the request that are entered at the time the password. The validation may be as simple as “they entered a number and that’s all we need” or as involved as “not only must the ticket number exist in the ticket system but the data returned must match the user’s name. file.  To set up ticket systems you must complete the following steps:  Configure the ticket system in the /admin interface.  If a password. system. the number is passed to the indicated ticket system for a “yes/no” answer. or session is requested that requires a Ticket Number.

Custom Logo  Customers have the ability to upload a custom logo. PNG. GIF or BMP file format GIF files must be static. no animation allowed Maximum size of 30KB Image dimensions must be between 10H x 10W and 47H x 120W pixels . that will be displayed in the header of the TPAM web interface.  In order to be uploaded as a custom logo the file must meet the following requirements:     JPEG.

.License Management  When initially configuring your TPAM appliance you need to update the license quantities that were purchased. This is also needed if additional licenses are purchased at a later date.

Login Banner and Message of the Day  The login banner and message of the day are two ways that TPAM system administrators can post information for users that log on to TPAM. and /config interfaces. such as a company policy or legal warning message. /admin.  Message of the day is a brief text message that will appear on the home page of the /tpam. .  They can be customized to display any text.  The message of the day can also be added as an optional message body tag in the email notifications sent by TPAM.

Net Tools  To assist the TPAM System Administrator with troubleshooting common network related problems. TPAM contains network tools that are accessible from the configuration interface. In addition. some specialized configurations can be made to add or manage static routes.  Net Tools      The Ping Utility Nslookup Utility TraceRoute Utility Telnet Test Utility Route Table Management .

.System Status Page and O/S Patch Status Page  The O/S patch status page and the system status page provide important information about the patch level of the TPAM appliance.

The release notes for each product update list the prerequisite version of TPAM required before the update can be applied to the appliance.Software Updates  Product patches are not always cumulative.  To apply a patch to TPAM perform the following steps:  Check the current version of TPAM  Take a backup. This means that some product patches must be applied to the system in order and none can be skipped.  On Demand BackUp      Download the patch from the Customer Portal Stop any applicable agents Apply the Patch Check the Patch Log for errors Restart any applicable agents .

patches for the specific purpose of upgrading the underlying TPAM OS.  OS Patches  .an upgrade is a software package that replaces an installed version of TPAM with a newer version of the product.a feature pack is new product functionality that is distributed outside the context of a product release and is typically included in the next scheduled upgrade. These patches bear the distinct naming convention beginning with TPAM_OS.a hotfix is a single.  Upgrade  . A hotfix does not increment the software version number. Types of Software Updates  Hotfix  . .  Feature Pack  . The software version number is changed after an upgrade. The software version number is changed after an upgrade.these patches update the online documentation available under the Help menu in TPAM. cumulative package that includes one or more files that are used to address a problem in the product that cannot wait until the next scheduled upgrade.  Documentation Patch  .

Shut Down/Restart the Appliance  If the need arises to shutdown or restart your appliance this can be done from the /config or /admin interface. .

 Applying the restore will set any non-primary cluster members (replicas. .  Another use for restore is for test environments where customers may be testing an upgrade to a new version of TPAM. These will not automatically restart when the restore is complete. Once the restore is complete these will have to manually be set to active on the cluster management page. and auto discovery agents. mail agent. DPAs) to inactive.Restore and Revert  In the event of a catastrophic failure a System Administrator can restore the data using an offline backup to another appliance. even if the auto start check boxes were selected prior to the restore.  Applying a restore will stop the automation engine.

.Remote Access  Remote access to the /config interface is enabled by default. TPAM will allow access to the /config interface through port 8443. To access the /config interface remotely enter https://[IP address]:8443/config. When enabled.

 SSH software must be installed on any system before it can be used for TPAM CLI access.  A specific CLI system administrator user ID is also required. .CLI Commands for the System Administrator  The TPAM command line interface (CLI) provides a method for authorized system administrators or automated processes to retrieve information from the TPAM system.  Commands must be passed to TPAM via SSH (secure shell) using an identity key file provided by TPAM.

2.  All commands recognize an option of --Help. and a description of the option and allowed values. whether the option is required or optional. This expanded help syntax will show all valid options for each command.754 still also accept the comma-separated syntax. . Commands accept parameters in the style of --OptionName option value (two dashes precede the option name) with the exception of the GetStatus command.  Existing commands prior to TPAM v2. so existing scripts do not need to be modified unless you wish to take advantage of new parameters that have been added to the command in later versions of TPAM.

Relocating/Readdressing an Appliance  If it becomes necessary to relocate and readdress a TPAM primary or replica  Change a Primary’s IP Address  Change a Replica’s IP Address .

 The functions available on the kiosk are to be used as a last resort before having to return the appliance if an issue cannot be fixed over the phone with technical support. . You will not be able to perform any of these functions without technical support providing you the keys needed.Kiosk Access  The kiosk should ONLY be accessed if recommended by Technical support.

TPAM Quest One Privileged Password Management .