Remote Password Reset

  1. Overview
  2. Remote Password Reset via Agent-less Mode
  3. 2.1 Configuring Remote Password Reset for Individual Resource Types

    2.1.1 Windows

    2.1.2 Windows Domain

    2.1.3 Linux/IBM AIX/HP UX/Solaris/Mac OS/VMWare ESXi

    2.1.4 IBM AS400/Sun Oracle ALOM/ILOM/XSCF Sun Oracle ALOM/ILOM/XSCF

    2.1.5 Cisco Devices(IOS, CatOS, PIX)

    2.1.6 MS SQL Server

    2.1.7 MySQL/PostgreSQL

    2.1.8 Sybase ASE

    2.1.9 Oracle DB Server

    2.1.10 HP Pro Curve

    2.1.11 Juniper Net screen

    2.1.12 HP iLO

    2.1.13 Oracle WebLogic server

    2.1.14 AWS IAM

    2.1.15 Google Workspace

    2.1.16 Microsoft Azure

    2.1.17 Rackspace

    2.1.18 Salesforce

    2.1.19 Amazon Aurora PostgreSQL

    2.1.20 Amazon Aurora MySQL

    2.1.21 RabbitMQ

    2.1.22 LDAP Server

    2.2 Configuring Remote Password Reset for Resource Types in Bulk

  4. Remote Password Reset via Agent Mode

1. Overview

PAM360 provides the option to remotely change the passwords of certain resource types. In general, you can configure remote password reset in PAM360 for any device that can be reached via command-line interface (CLI) and accept commands for managing passwords. Read further to know more about configuring remote password reset for resources.

PAM360 allows you to change the password of a remote resource through two modes; agent-less mode and agent mode.


2. Remote Password Reset via Agent-less Mode

If you're configuring remote password reset via agent-less mode, specify the account which will be used to log in remotely to the target resource and reset the password.


2.1 Configuring Remote Password Reset for Individual Resource Types

Operating Systems

2.1.1 Windows

PAM360 supports remote password resets for local accounts across all Windows resources in your domain. It can execute the remote password reset operation in three different ways: using a Service Account, Local Account, or Domain Account.

By default, PAM360 is designed to perform password reset for all Windows local accounts using the service account with which it is running. Follow these steps to view or modify the service account for PAM360:

  1. Log in to the PAM360 server.
  2. Open the Services console (services.msc).
  3. Update the service account for the PAM360 service. If the PAM360 service is running with a privileged service account (An account with domain admin or local admin privileges on all member servers), it can forcefully reset Windows passwords without needing the old password.

Note: To execute remote password reset operations successfully, the service account mentioned above should have either domain admin rights or local admin rights in the PAM360 server and in the target systems that you would like to manage.

You can override this configuration and use a local account or domain account for remote password resets. Follow these steps to configure remote password resets for your Windows local accounts:

  1. Log in to your PAM360 account and navigate to the Resources tab.
  2. Click the Resource Actions icon beside the desired Windows resource and select Configure >> Remote Password Reset.
  3. In the Configure Windows Password Reset window, select the Account Type as Local and choose a local account with the necessary privileges to execute the password reset operation on the target machine.
  4. Click Save to successfully save the configured remote password reset settings.

Alternatively, you can reset the password of a Windows resource using a domain account.

Note: The following procedure to use a domain account to reset the passwords of Windows local accounts is only valid from build 7200 onwards.

  1. In the Configure Windows Password Reset window, select the Account Type as Domain.
  2. Select the Domain Controller and a domain account from the Resource Name and Administrator Account dropdown fields, respectively. PAM360 will use the selected domain account to execute the password reset operation on the target machine.
  3. Click Save to successfully save the configured remote password reset settings.

Note: You can use Windows Domain accounts to set up remote password reset configuration for Windows local accounts in bulk. This feature is available from build 7200 and above.


2.1.2 Windows Domain

If you are using the Privileged Accounts Discovery feature to import Windows resources from Active Directory, then PAM360 will automatically add your domain controller as a resource with Resource Type as Windows Domain.

To reset domain account passwords that are present in your Windows Domain resource, specify an admin account to be used for remote password reset. Follow the below steps to configure remote password reset.

  1. Navigate to the Resources tab, click the Resource Actions icon beside the desired Windows Domain resource, and click Configure >> Remote Password Reset.
  2. On the Configure Windows Domain Password Reset window, select the domain account as the administrator account.
  3. If you want to use an administrator account of another Windows Domain resource, select Other Domain Accounts from the configure Using field and select the respective administrator account in the Administrator Account field.
  4. Note: It is recommended to use the same PAM360 Service Account here so that it will be helpful for AD Audit purposes.

  5. If you opt to perform the remote password reset over an encrypted channel, set the Connection Mode to SSL.

    If you set the Connection Mode to SSL, PAM360 will be connecting to the domain controller through SSL, for which the domain controller's root certificate is required in the PAM360 server machine's certificate store. If you have not yet imported the domain controller's root certificate into PAM360, do the steps that follow:

    Open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:
    For Windows:
    importCert.bat <Absolute Path of certificate>
    For Linux:
    importCert.sh <Absolute Path of certificate>

    Restart the PAM360 server and perform the above steps for the remote password reset.

    Note: In the event that the PAM360 application is installed on a domain and there arises a requirement for executing remote password resets for accounts in a different domain, it is necessary to import the available root and private/intermediate certificates of the other domain into the trusted store of the Microsoft Management Console (MMC) on the PAM360 server. For example, the different domain's root and private/intermediate certificates should be imported into the Trusted Root Certificate Authorities store within the PAM360 server's system.

    Note: If PAM360 has the domain administrator credentials, it can reset domain account passwords regardless of the trust between the domain in which PAM360 server is installed and the target domain. Any user with 'modify password' permission for the domain account password in PAM360 will be able to modify the password.



2.1.3 Linux/IBM AIX/HP UX/Solaris/Mac OS/VMWare ESXi

For remote password reset of Unix resources, PAM360 first uses the remote login account to log in to the target system. Then, to carry out password reset, privilege elevation is needed. If the target system supports execution of password reset commands through Sudo, PAM360 can either use the two options available here: 'su' as root or use 'sudo' to execute the remote password reset commands.

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset and then do the following:
    1. Selecting the Protocol
      1. Select the protocol for remote login method - SSH or Telnet. Next, specify your remote login account. For remote login, PAM360 allows you to either choose an account of the resource type for which you're setting up the password reset or specify an account of any Windows Domain resource stored in PAM360. To use a Windows Domain account as the remote login account, select the option 'other resource' while setting up the remote login account. Then, specify the Resource Name as well as the Remote Login Account of the desired account.
      2. Specify the authentication method. If you have chosen Telnet or SSH with Windows Domain account for remote login, you can skip this step go to setting the privilege escalation method.
    2. If you opt for SSH, specify the authentication method
      1. If you choose SSH as the Remote Login Method and the remote Unix resource's account as the remote login account, there are two authentication methods you can choose from: Password Authentication or Public Key Infrastructure(PKI) Authentication.
      2. For PKI authentication, the public key would be present in the remote system under a specific remote login account. Typically, it would be available under $Home/.ssh folder. Select the remote login account for which the public key is present; browse and supply the corresponding Private Key.
      3. Note: PAM360 supports SSH2 and above only.

    3. Specifying the root account/selecting 'sudo'
      1. As mentioned above, for executing remote password reset commands, PAM360 can use either 'su' as root or 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.
      2. If you use the option, 'su' as root, select the root account.
      3. If the target system allows execution of password reset commands through 'sudo', then select that option.
      4. Click Save.

    4. Note: You can also use SSH Command sets to configure remote password reset for the types Linux, IBM AIX, HP UX, Solaris, Mac OS, VMWare ESXi and any other Linux or Unix-based resource types. Click here to learn more.


2.1.4 IBM AS400/Sun Oracle ALOM/ILOM/XSCF Sun Oracle ALOM/ILOM/XSCF

No specific password reset configuration required for these resources as PAM360 will use the accounts added to the resources to perform the password reset.


Cisco Devices

2.1.5 Cisco Devices (IOS/CatOS/PIX)

PAM360 requires Telnet or SSH service to be running in the resource. Passwords of the enable mode and a user account are required for PAM360 to log into the resource. PAM360 will use the configuration terminal mode to reset the passwords. Follow the below steps to enable remote password reset for Cisco devices:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset and specify the following details.
    1. Remote Login Method: PAM360 supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol.
    2. Remote Login Account: Login account for establishing connection with the device.
    3. Account name required for login: For the user and enable modes, if the device is configured to prompt for the user name, then check on the option Account name required for login. The account name associated will then be used with the user name prompt. If this option is unchecked, PAM360 will expect only the password prompt.
    4. User Mode Prompt: The prompt that appears after successful login.
    5. Enable Secret: This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify Enable Secret.
    6. Enable Password: This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify Enable Password.
    7. Enable Mode Prompt: This is the prompt that will appear after going into enable mode. For example, #.
    8. Configuration Mode Prompt: To carry out any change to any feature/configuration of the device, you need to enter configuration mode. The prompt that will appear while going into configuration mode has to be entered here. For example, # "Primary Credentials".
    9. Copy Password Changes to the Startup Configuration: Select this option to apply the password changes made to the running configuration in PAM360 to the startup configuration.

      Note: Enabling the option to copy the running configuration to the startup configuration will cause the current configuration content, including those made outside of PAM360, to be copied immediately.


Database Servers

2.1.6 MS SQL Server

As Password reset for MS SQL server is done over JDBC, it is required to provide either the MS SQL Administrator credentials or a domain account credentials with enough privileges to modify SQL server passwords. Follow the below steps to enable remote reset of the password of MS SQL server:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Specify the instance name of MS SQL server. If the instance name is specified, PAM360 will try to establish connection with specified instance. If not, PAM360 will try to establish connection with the specified port.
  3. Specify the port where the MS SQL server is running. By default, MS SQL occupies the port 1433.
  4. Specify the connection mode - you can configure the connection between MS SQL Server and PAM360 to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following:
  5. SSL Mode:

    1. To enable the SSL mode, the MS SQL server should be serving over SSL and you have to import the MS SQL server's root certificate into the PAM360 server machine's certificate store. Import all the certificates that are present in the respective root certificate chain - that is the certificate of the PAM360 server machine and intermediate certificates, if any.
    2. To import root certificate, open a command prompt and navigate to <pam360_server_home>\bin directory and execute the following command:

    3. For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

  6. Restart PAM360 server. Then, continue with the following steps:
  7. To enable PAM360 to access the MS SQL server, provide any one of the following details: Windows Authentication (OR) MS SQL Administrator Account. Select the domain name the MS SQL server is a part of and select any account present in the domain.
  8. Click Save.

2.1.7 MySQL/PostgreSQL Server

As password reset for a MySQL/PostgreSQL server is done over JDBC, the MySQL/PostgreSQL administrator credentials are required. Follow the below steps to enable remote reset of the password of MySQL/PostgreSQL server:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Specify the port where the MySQL/PostgreSQL server is running. By default, MySQL/PostgreSQL occupies the port 3306.
  3. Specify the connection mode: Connection between MySQL/PostegreSQL Server and PAM360 can be configured to be over an encrypted channel such as SSL or Non-SSL. If you choose SSL mode, do the following:

    SSL Mode:

    1. To enable the SSL mode, the MySQL/PostgreSQL server should be serving over SSL and you have to import the MySQL/PostgreSQL server's root certificate into the PAM360 server machine's certificate store. Import all the certificates that are present in the respective root certificate chain - that is the certificate of the PAM360 server machine and intermediate certificates, if any.
    2. To import root certificate, open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

    3. For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

  4. Restart PAM360 server. Then, continue with the below steps.
  5. To enable access to the MySQL server for PAM360, provide MySQL Root Account Name.
  6. Click Save.

2.1.8 Sybase ASE

Prerequisites

  1. To perform remote password reset in Sybase ASE, jConnect 6.0 JDBC driver is required. The JDBC driver is a file named jconn3.jar which will be available under the path <sybase_install_directory>\jConnect_6_0\classes in Sybase ASE 15.0.
  2. Copy the jconn3.jar file and save it under <pam360_install_directory>\lib folder in the machine running the PAM360 server.

Steps to Configure Remote Password Reset for Sybase ASE

As administrative privileges are required to carry out password reset for Sybase ASE, specify an administrator account. Follow the below steps to enable remote password reset for Sybase ASE:

  1. Specify the Sybase ASE Port. By default, it occupies the port 5000 (in SSL mode, default port is 2748).
  2. Specify the connection mode - you can configure the connection between Sybase ASE and PAM360 to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following:
  3. SSL Mode:

    1. Copy and save the trust root certificate of the Sybase server present under <sybase_home>\ASE-15_0\certificates (in sybase ASE 15.0) to <pam360_install_directoty>\conf\ folder.
    2. Run this command to import the certificate in PAM360: '<pam360_home>\jre\bin\keytool.exe -import -v -alias sybase -file <rootcert.txt> -keystore server.keystore -keypass passtrix -storepass passtrix -noprompt'.
    3. <rootcert.txt> is the root certificate of the Sybase ASE and usually named as <hostname>.txt.
  4. Restart PAM360 server.
  5. Specify an administrator account of Sybase ASE.
  6. Click Save.

2.1.9 Oracle DB Server

Important Note: As of August 2022, Oracle extends support to the following versions of the Oracle database only: 18c, 19c, and 21c. Therefore, PAM360 will also support only these three versions of Oracle DB in the product. Refer to the Oracle Lifetime Support Policy Guide for more information.

To carry out password reset for Oracle DB server, administrative privileges are required, so specify an administrator account. Follow the below steps to enable remote reset of the password of Oracle DB server:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Specify the Oracle DB Listener Port. By default, the Oracle DB server listens to the port 1521.
  3. Specify the connection mode - you can configure the connection between Oracle DB Server and PAM360 to be over an encrypted channel (AES 256). If you choose the option YES (encrypted mode), do the following:
    1. Start Oracle Net Manager.
    2. In the Navigator window, select Oracle Net Configuration.
    3. Expand the option Local >> Profile.
    4. From the list in the right side pane, select the option Oracle Advanced Security.
    5. In the tabbed window that appears thereafter, click the tab Encryption.
    6. In the drop-down list for Encryption, select the option Server.
    7. For Encryption Type list, select the option Accepted.
    8. The text field for Encryption Seed can be left blank or enter random characters ranging between 10 and 70.
    9. Select the algorithm AES 256.
    10. Specify an Oracle administrator account.
  4. Specify the Oracle Service Name. By default, the service name is taken as ORCL.
  5. Click Save.


Network Devices

2.1.10 HP ProCurve Devices

For HP ProCurve Devices, PAM360 requires Telnet or SSH service to be running in the resource. Specify the Manager Account and Manager Mode Prompt and Configuration Mode Prompt details for PAM360 to login to the resource. PAM360 will use the configuration mode to reset the passwords.

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Provide the following details:
    1. Remote Login Method: PAM360 supports SSH and TELNET protocols through which connection could be established with the device for password reset. Select the required protocol.
    2. Manager Account: Login account for establishing connection with the device. If the device is configured to prompt for the user name, then select the option Account name required for login. The account name associated will then be used with the user name prompt. If this option is unchecked, PAM360 will expect only the password prompt.
    3. Manager Mode Prompt: The prompt that appears after successful login.
    4. Configuration Mode Prompt: This is for entering into privileged mode to perform password reset.
    5. Copy Password Changes to the Startup Configuration: Select this option to apply the password changes made to the running configuration in PAM360 to the startup configuration.
    6. Note: Enabling the option to copy the running configuration to the startup configuration will cause the current configuration content, including those made outside of PAM360, to be copied immediately.


2.1.11 Juniper Netscreen Firewall Devices

PAM360 requires Telnet or SSH service to be running in the resource. Admin Account and Prompt of Admin Account are required for PAM360 to login to the resource. Follow the below steps to enable remote reset of passwords for Netscreen devices:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset and specify the following details.
    1. Remote Login Method: PAM360 supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol.
    2. Manager Account: Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check on the option Account name required for login. The corresponding account name will then be used with the user name prompt. If this option is unchecked, PAM360 will expect only the password prompt.
    3. Manager Mode Prompt: The prompt that appears after successful login.

2.1.12 HP iLO

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset and enter the following details:
    1. Remote Login Method: PAM360 supports SSH and TELNET protocols by which connection could be established with the device for password reset. For this to work, Telnet or SSH service must be running in the resource.
    2. Enter the port: By default, SSH occupies the port 22.
    3. Specify the prompt: Enter the prompt that appears upon successful user login and also the user account with administrator privileges.

Cloud Services

2.1.13 Oracle WebLogic Server

As Password reset for a WebLogic server is done over JMX, the administrator credentials must be specified before proceeding with the below steps.

Prerequisites

  1. The following JAR files wljmxclient.jar, wlclient.jar, rmic.jar, weblogic.jar will be available under the path <weblogic_install_directory>\wlserver\server\lib> in the WebLogic server.
  2. Copy the JAR files and save them in the \lib folder in the machine running the PAM360 server.

Steps to Configure Remote Password Reset for Oracle WebLogic Server

Follow the below steps to enable remote reset of the password of the WebLogic server:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Specify the port where the WebLogic server is running. By default, WebLogic server occupies the port 7001. Specify the connection mode - connection between WebLogic Server and PAM360 can be configured to be over an encrypted channel such as SSL or Non-SSL. If you choose SSL mode, do the following.
  3. SSL Mode:

    1. To enable the SSL mode, the WebLogic server should be serving over SSL and you have to import the WebLogic server's root certificate into the PAM360 server machine's certificate store. Import all the certificates that are present in the respective root certificate chain - that is the certificate of the PAM360 server machine and intermediate certificates, if any.
    2. To import root certificate, open a command prompt, navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

      For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

  4. Restart the PAM360 server. Then, continue with the following steps.
  5. To enable PAM360 access the WebLogic server, provide the WebLogic Root Account Name.
  6. Click Save.

2.1.14 AWS IAM

  1. Password reset for AWS IAM user accounts is done using AWS SDK.
  2. Navigate to the Resources tab >> Resource Actions >> Configure >> Remote Password Reset. The administrator account's access key and secret key are required.
  3. The access key and secret key should have been added as passwords in PAM360. These passwords can be associated with an account of any resource type, which can be used for the remote synchronization.

2.1.15 Google Workspace

Remote Password Reset using Admin Account
(This reset procedure is applicable prior to build 7200)

  1. Click the Resource Actions icon beside the desired Google Workspace resource and select Configure Remote Password Reset.
  2. In the window that appears, select the administrator account and click Save.

Note: Google has updated the password reset flow for Google Workspace resources using OAuth 2.0. Therefore, the passwords of Google Workspace accounts can no longer be reset using the above-mentioned procedure. Please upgrade to the latest version of PAM360 for a seamless password reset experience.

Remote Password Reset using Service Account Key File
(This reset procedure is applicable from build 7200 onwards)

PAM360 supports remote password resets for Google Workspace accounts within your domain using a service account. To reset the passwords of your Google Workspace accounts remotely, you should:

  1. Set up a service account within your Google Workspace domain, grant it the necessary scopes and permissions to execute remote password resets, and download the service account key file. Explore this link for the detailed steps on setting up a service account within your domain.
  2. Configure remote password reset for the desired Google Workspace accounts in PAM360 using the service account key file.

The configured service account executes password resets for the selected resource based on the password reset configuration setup in PAM360. Follow these steps to configure remote password resets for your Google Workspace accounts in PAM360:

  1. Import the service account key file obtained from the Google Cloud Console (GCP) into PAM360 as a resource of resource type Filestore.
  2. Click the Resource Actions icon beside the desired Google Workspace resource and select Configure >> Remote Password Reset.
  3. In the Configure Remote Password Reset window that opens, select the administrator account and the Filestore resource and account that contains the service account key file, and click Save.

Note: When setting up or resetting passwords for Google Workspace accounts, it is important to follow the password requirements mandated by Google to ensure the security and integrity of user accounts. If the new password does not meet these requirements, the password reset for the Google Workspace account will fail due to the password not meeting the mandated password policy. To ensure a seamless password reset experience, we recommend creating a custom password policy for the Google Workspace resources that aligns with Google's password requirements. Explore this link to learn more about the password requirements for your Google Workspace accounts.


2.1.16 Microsoft Azure

Remote Password Reset using MS Online Module:
(This reset procedure is applicable prior to build 6000)

Prerequisites:

Password Reset for Microsoft Azure accounts is done using Powershell so works only if Powershell 2.0 and above. Also, the MSOnline module of Powershell needs to be installed.

Installing Windows Microsoft Entra ID Module for Powershell:

Before configuring Microsoft Azure with PAM360, install the appropriate version of the Windows Microsoft Entra ID Module for Windows PowerShell for your OS.

For 64-bit Systems

  1. Open Powershell (run as Administrator).
  2. Execute the following command to install MSOnline module:
    • Install-Module MSOnline
  3. After installing the module, move MSOnline folder from the path C:\Program Files\WindowsPowerShell\Modules to  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules.

Note: If you are unable to locate the MSOnline folder, execute the following command to find the path where the module is installed:

  • $env:PSModulePath -split ";"

Configuring Remote Password Reset for Microsoft Azure:

For resetting the passwords of user accounts, select an administrator account to enable remote login.

  1. Navigate to the Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Select an Administrator Account and click Save.

Remote Password Reset using Azure Application:
(This reset procedure is applicable from build 6000)

Prerequisites:

To perform a remote password reset for Microsoft Azure resource from PAM360, you need a Microsoft Azure administrator account and an Azure enterprise application in the Microsoft Azure portal.

  1. Create an Azure enterprise application in the Microsoft Azure portal.
  2. Create a client secret for the created Azure enterprise application.
  3. Add the created Azure enterprise application as an Azure App resource in PAM360 and the client secret as an account for the created resource.

Configuring Remote Password Reset for Microsoft Azure Resource:

Post performing the above prerequisites, do the steps that follow to perform the remote password reset for your Microsoft Azure resource from the PAM360 interface:

  1. Click the Resource Actions dropdown menu beside the respective Microsoft Azure resource for which the remote password reset has to be made.
  2. In the dropdown that opens, click Configure >> Remote Password Reset.
  3. Now, in the pop-up that opens, select the administrator account of the Microsoft Azure portal in the Administrator Account field.
  4. On the Azure App Client Credential field, in the Select Resource dropdown, select the Azure enterprise application created in the Microsoft Azure portal and added to PAM360 as an Azure App resource. In the Select Account dropdown, choose the client secret added as an account inside the Azure App resource.
  5. Now, click Save to perform the remote password reset.

2.1.17 Rackspace

  1. Password Reset for Rackspace user accounts is done using Rackspace REST APIs.
  2. To carry out password resets, navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset. Here, a Rackspace administrative credential is required which has to be selected as the admin account.

    Note: The following are the location-based Authentication End Points available for connection to the server.

    US-based end point: https://identity.api.rackspacecloud.com/v2.0

    UK-based end point: https://lon.identity.api.rackspacecloud.com/v2.0




2.1.18 Salesforce

  1. Password reset for Salesforce user accounts is done using Force.com REST API.
  2. In order to proceed with the configuration, navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset. The administrator account's Client ID and Client Secret are required.
  3. The Client ID and Client Secret should have been added as passwords in PAM360. These passwords can be associated with an account of any resource type, which can be used for remote synchronization.

2.1.19 Amazon Aurora PostgreSQL

Follow the below steps to enable remote reset of the password of Aurora PostgreSQL server:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Specify the Port where the PostgreSQL server is running.
  3. Specify the connection mode: Connection between PostegreSQL Server and PAM360 can be configured to be over an encrypted channel such as SSL or Non-SSL. If you choose SSL mode, do the following:

    SSL Mode:

    1. To enable the SSL mode, the PostgreSQL server should be serving over SSL and you have to import the PostgreSQL server's root certificate into the PAM360 server machine's certificate store. Import import the rds-ca-2019-root.pem certificate.
    2. To import root certificate, open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

    3. For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

  4. Restart PAM360 server and reset the password for your account. To know more about changing password for your account, click here.

2.1.20 Amazon Aurora MySQL

Follow the below steps to enable remote reset of the password of Aurora MySQL server:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Specify the Port where the MySQL server is running.
  3. Specify the connection mode: Connection between MySQL Server and PAM360 can be configured to be over an encrypted channel such as SSL or Non-SSL. If you choose SSL mode, do the following:

    SSL Mode:

    1. To enable the SSL mode, the MySQL server should be serving over SSL and you have to import the MySQL server's root certificate into the PAM360 server machine's certificate store. Import all the certificates that are present in the respective root certificate chain - that is the certificate of the PAM360 server machine and intermediate certificates, if any.
    2. To import root certificate, open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

    3. For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

  4. Place the MySQL Connector jar in the PAM360\lib folder.
  5. Restart PAM360 server and reset the password for your account. To know more about changing password for your account, click here.

RabbitMQ

2.1.21 RabbitMQ

Prerequisite

To perform remote password reset for a RabbitMQ resource from PAM360, you need a RabbitMQ administrator account.

Steps to add a RabbitMQ resource and an administrator account:

  1. Navigate to Resources and click Add Resource >> Add Manually.
  2. Specify the resource name, DNS name/IP address, Resource URL, and select RabbitMQ as your resource type.
  3. Click Save & Proceed.
  4. In the Add Accounts window, add an administrator account and the other required accounts for the RabbitMQ resource. Click Save & Proceed.

    Note: When adding a RabbitMQ resource, entering a valid HTTPS URL in the Resource URL field is mandatory.

Steps to configure remote password reset for RabbitMQ:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. From the Administrator Account dropdown, select the required RabbitMQ administrator account that permits the password reset of RabbitMQ user accounts.
  3. Click Save.

Others

2.1.22 LDAP Server

Prerequisite

At the time of adding a new LDAP resource to PAM360, you must specify a Distinguished Name for the LDAP server account.

Example: c=administrator, cn=people, dc=test, dc=com.

Steps to Configure Remote Password Reset for LDAP Server

As administrative privileges are required to carry out password reset for LDAP server, an administrator account has to be specified.

For remote reset, PAM360 supports the following types of LDAP servers:

  • Microsoft Active Directory
  • OpenLDAP
  • Oracle Internet Directory
  • Novell eDirectory.

Follow the below steps to enable remote password reset for the aforementioned types of LDAP servers:

  1. Navigate to Resources >> Resource Actions >> Configure >> Remote Password Reset.
  2. Specify the type of the LDAP Server being added.
  3. Specify the LDAP server Port. By default, it occupies the port 389 (in SSL mode, default port is 636).
  4. Specify the connection mode - you can configure the connection between the LDAP server and PAM360 to be over an encrypted channel (SSL) or Non-SSL. Except Microsoft Active Directory, for other LDAP servers, choose SSL or Non-SSL. If you choose SSL mode, do the following.


  5. Note: If the selected LDAP server is Microsoft Active Directory, the connection has to be through SSL only.

    SSL Mode:

    1. To enable the SSL mode, the LDAP server should be serving over SSL and you will have to import the LDAP server's root certificate into the PAM360 server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PAM360 server machine and intermediate certificates, if any.
    2. To import root certificate, open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:

      For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

  6. Restart PAM360 server. Then continue with the following steps.
  7. Specify an administrator account of LDAP server.
  8. Click Save.

2.2 Configuring Remote Password Reset for Resource Types in Bulk

To configure remote password reset in bulk for the supported resource types, follow the below steps:

  1. Navigate to Resources tab and select the required resources.
  2. Go to Resource Actions >> Configure >> Configure >> Remote Password Reset.
  3. In the Configure Remote Password Reset window that opens, all the available resources will be listed. Enter configuration settings individually and save changes. Click here for more details on how to configure password reset for each resource type.

3. Remote Password Reset via Agent Mode

  • If you have devices residing in a demilitarized zone (DMZ) or if you have multiple sites/networks protected by firewalls, then PAM360 will not have direct connectivity to those target systems. In such cases, use the PAM360 Agents to manage the passwords of those target systems. PAM360 Agents operate using a one-way communication from the target system to the PAM360 application server. Therefore, the ports do not have to be opened for inbound traffic in the target network. Only outbound access is required for the PAM360 Agent to reach the PAM360 login page (Default port: 8282).
  • To download the PAM360 Agent, navigate to the Admin tab >>  PAM360 Agents. There are 64-bit and 32-bit agents for Windows, Windows Domain, and Linux. Among this, the Windows Domain Agent needs to be deployed in a DMZ domain controller. Click here for more on PAM360 Agents.

See also:

Top