Getting Started with PAM360
Once you have finished setting up PAM360, you can begin working with the PAM360 application. Before you start using the PAM360 console and configuring the required settings, you need to know about a set of configurations that will help you get started with PAM360.
At the end of this document, you will have learned about:
1. Starting and Shutting Down PAM360
   1.1 In Windows
   1.2 In Linux
2. Launching the PAM360 Web Client
   2.1 Connecting to Web Client from PAM360 Server
   2.2 Connecting to Web Client in Remote Hosts
   2.3 Authenticating PAM360 from the Web Client
3. Running the PAM360 Service using a group Managed Service Account
4. Managing PAM360 Encryption Key
5. Rotating the Encryption Key
6. Updating Web Server Certificates using PAM360 Web Console
1. Starting and Shutting Down PAM360
1.1 In Windows
PAM360 can be started and shut down in either of the following ways:
- Using the Start Menu
- Using the Tray Icon
1.2 In Linux
1.2.1 Changing PAM360 Service to 'systemd' Software Suite
(Applicable prior to build 7200)
By default, from build 7200 onwards, the PAM360 service is installed under the 'systemd' software suite to make use of parallel service start-up and the other service management capabilities it offers. For existing installations from before build 7200, the service remains registered with the 'initd' process control system unless you choose to change it. If you are an existing user and want to move the service to 'systemd', follow the procedure below.
- Log in as the root user.
- Open a console and navigate to the <PAM360_Installation_Directory>/bin folder.
- Execute sh pam360.sh remove (in Ubuntu, execute bash pam360.sh remove) to remove the service from the 'initd' process control system.
- To reinstall the service under the 'systemd' software suite, execute sh pam360.sh install (in Ubuntu, execute bash pam360.sh install).
- Next, execute systemctl start pam360.service.
- To check the status of the service, execute systemctl status pam360.service.
2. Launching the PAM360 Web Client
There are different ways of connecting to the PAM360 web client:
2.1 Connecting to Web Client from PAM360 Server
a. Automatic Browser Launch
Once the PAM360 server has started, the login screen will appear in a browser window. Upon each server startup, the browser window will be launched automatically.
b. Launching the Web Client Manually
For Windows: Right-click the PAM360 tray icon and click PAM360 Web Console to launch the web client manually. The PAM360 Login screen appears in a browser window.
For Linux: Open a browser and connect to the URL specified below.
https://<hostname>:<portnumber>/
where,
<hostname> - the host where the PAM360 server is running.
<portnumber> - the default port is 8282.
Example: https://localhost:8282
2.2 Connecting to Web Client in Remote Hosts
If you want to connect to the PAM360 web client from a remote machine (different from the one where PAM360 is running), open a browser and connect to the URL below:
https://<hostname>:<portnumber>/
where,
<hostname> - the host where the PAM360 server is running.
<portnumber> - the default port is 8282.
Example: https://localhost:8282
2.3 Authenticating PAM360 from the Web Client
PAM360 uses a secure HTTPS connection, so you will receive a prompt to accept the security certificate (if a trusted web server certificate is not already installed). Click Yes, enter your Username and Password on the login screen, and then press Enter.
For an unconfigured setup, the default Username and Password are both 'admin'. You will be prompted to update the password after your initial login. The administrator can change the initial authentication mechanism to AD/LDAP/Microsoft Entra ID as required, followed by 2FA.
For a more streamlined and passwordless authentication process, use the available Smart Login method by scanning the QR code through the PAM360 mobile application. Administrators can enable smart login or set the smart login as the preferred initial login method by navigating to Admin >> Settings >> General Settings >> User Management.
3. Running the PAM360 Service using a group Managed Service Account
PAM360 allows you to run and manage its service using a group Managed Service Account (gMSA). To learn about gMSA in detail, refer to Microsoft's documentation.
To create a group Managed Service Account,
- Open PowerShell ISE as administrator.
- Execute the following commands:
- Import-Module ActiveDirectory
- Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
- New-ADServiceAccount -Name <MSA_AccountName> -DNSHostName <DNSName> -PrincipalsAllowedToRetrieveManagedPassword <Machine_Name>$
- Add-ADComputerServiceAccount -Identity <Machine_Name> -ServiceAccount <MSA_AccountName>
- Install-ADServiceAccount -Identity <MSA_AccountName>
- Provide Full Control Permission to the installation folder.
- To configure LogOn Services,
- Navigate to Services >> Properties >> LogOn.
- Browse for MSA Account.
- Now, clear the Password field and click Apply.
- Click Ok.
You have now configured the LogOn settings of the service.
You have successfully created a group Managed Service Account (gMSA). You can now run your PAM360 service using the gMSA account.
Troubleshooting Step:
If you are unable to install the service account, execute the command below before executing the Install-ADServiceAccount statement:
Set-ADServiceAccount -Identity <MSA_AccountName> -KerberosEncryptionType AES128,AES256
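The gMSA steps above gathered into one script with verification checks, as an added example rather than the page's own procedure. The account name, DNS host name, machine name, installation folder and Windows service name are placeholders to adjust for your domain; the service logon change via Win32_Service is assumed to be equivalent to the Services >> Properties >> LogOn step.

```powershell
# Added example: create and verify the gMSA for the PAM360 service. Placeholder values.
$MsaName     = 'pam360gmsa'               # <MSA_AccountName>
$DnsHostName = 'pam360.corp.example'      # <DNSName>
$MachineName = 'PAM360SRV'                # <Machine_Name>, without the trailing $
$InstallDir  = 'C:\ManageEngine\PAM360'   # <PAM360_Installation_Directory>
$ServiceName = 'PAM360'                   # assumed name of the Windows service

Import-Module ActiveDirectory

# The KDS root key is created once per forest; -10h EffectiveTime makes it usable immediately.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Only the PAM360 computer account may retrieve the managed password; AES-only Kerberos
# encryption types applied up front (the page's troubleshooting fix).
New-ADServiceAccount -Name $MsaName -DNSHostName $DnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword "${MachineName}`$" `
    -KerberosEncryptionType AES128,AES256
Add-ADComputerServiceAccount -Identity $MachineName -ServiceAccount $MsaName

# Run the rest on the PAM360 host itself: install the account locally and confirm it works.
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "gMSA $MsaName is not usable on this host"
}

# Show who may retrieve the password; anything other than the PAM360 host is unexpected.
$acct = Get-ADServiceAccount -Identity $MsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { Write-Output "Allowed to retrieve password: $_" }

# Full Control on the installation folder for the gMSA (its account name ends with $).
$domain  = (Get-ADDomain).NetBIOSName
$gmsaAcc = "${domain}\${MsaName}`$"
icacls $InstallDir /grant "${gmsaAcc}:(OI)(CI)F" /T

# Set the service logon account; AD manages the gMSA password, so the password stays empty.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $gmsaAcc; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Changing the service logon failed with code $($result.ReturnValue)" }
```

Restart the PAM360 service afterwards so that it starts under the gMSA.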
4. Managing PAM360 Encryption Key
PAM360 uses AES-256 encryption to secure the passwords and other sensitive information in the password database. The key used for encryption is auto-generated and is unique for every installation. By default, this encryption key is stored in a file named pam360_key.key under the <PAM360_HOME>/conf folder. For production instances, PAM360 does not allow the encryption key to be stored within its installation folder. This is done to ensure that the encryption key and the encrypted data, in both live and backed-up database, do not reside together.
We strongly recommend that you move this encryption key off the machine where PAM360 is installed and store it on another machine or an external drive. Supply the full path of the folder where you want to keep the pam360_key.key file, manually move the file to that location, and delete any copy of it remaining within the PAM360 server installation folder. The path can be a mapped network drive or an external USB (hard drive / thumb drive) device.
PAM360 stores the location of pam360_key.key in a configuration file named manage_key.conf, present under the <PAM360_HOME>/conf folder. You can also edit that file directly to change the key file location. After configuring the folder location, move the pam360_key.key file to that location and ensure that neither the file nor the key value is stored anywhere within the PAM360 installation folder.
PAM360 requires the <PAM360 installation directory>PAM360\conf path to be accessible with the necessary permissions, so that it can read the pam360_key.key file every time it starts up. After a successful start-up, it no longer needs access to the file, and the device holding the file can go offline.
Notes:
- Always protect the key with multiple layers of encryption (for example, Windows File Encryption) and access control.
- Since only the PAM360 application needs access to this key, make sure that no other software, script or person can access it under any circumstances.
- Back up the pam360_key.key file securely yourself. PAM360 backups can be recovered only if you supply this key. If the key is misplaced or lost, PAM360 will not start.
- If you store the database_params.conf file at a different location, you will have to copy the file back to its original location (i.e. <PAM360 Installation Folder>/conf/) whenever you perform an application upgrade.
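An audit script for the key placement rules above, added here as an example and not part of the PAM360 product. It assumes you pass the key file path that manage_key.conf points to and the list of identities that legitimately need the key (typically SYSTEM and the service account); the paths and account names shown are placeholders.

```powershell
# Added example: check that pam360_key.key lives outside PAM360_HOME and is readable only by
# the identities that need it. Placeholder paths and accounts.
param(
    [string]$Pam360Home = 'C:\ManageEngine\PAM360',          # <PAM360_HOME>
    [string]$KeyFile    = 'E:\pam360-key\pam360_key.key',    # folder configured in manage_key.conf + file name
    [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'CORP\pam360gmsa$')
)
$findings = @()

# 1. The key must exist where manage_key.conf points; otherwise PAM360 will not start.
$keyExists = Test-Path -LiteralPath $KeyFile
if (-not $keyExists) { $findings += "Key file not found: $KeyFile" }

# 2. The key must not sit inside the installation folder, which is where the encrypted data
#    (and its backups) live.
$homeFull = [IO.Path]::GetFullPath($Pam360Home).TrimEnd('\') + '\'
if ($keyExists -and [IO.Path]::GetFullPath($KeyFile).StartsWith($homeFull, 'OrdinalIgnoreCase')) {
    $findings += "Key file is inside PAM360_HOME: $KeyFile"
}

# 3. No stray copies of the key file left behind under PAM360_HOME after the move.
Get-ChildItem -Path $Pam360Home -Recurse -Filter 'pam360_key.key' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Stray key copy inside PAM360_HOME: $($_.FullName)" }

# 4. Every access entry on the key file must belong to an allowed identity; anything else
#    (other users, groups, scripts running as them) is a finding.
if ($keyExists) {
    foreach ($ace in (Get-Acl -LiteralPath $KeyFile).Access) {
        if ($AllowedIdentities -notcontains $ace.IdentityReference.Value) {
            $findings += "Unexpected ACL entry on key: $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Key placement OK'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as the same account that starts PAM360 so that the ACL check reflects what the service can actually read.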
5. Rotating the Encryption Key
Even if you are sure of managing the encryption key securely outside of PAM360, one of the best practices is to periodically change the encryption key. PAM360 provides an easy option to automatically rotate the encryption key.
5.1 How does the key rotation process work?
PAM360 looks for the current encryption key in the file pam360_key.key, at the path specified in the manage_key.conf file under the <PAM360_HOME>/conf folder. The rotation process continues only if the key is present at the specified path. Before rotating the encryption key, PAM360 takes a copy of the entire database, so that no data is lost if anything goes wrong during rotation.
During the key rotation process, all passwords and sensitive data are first decrypted using the current encryption key and then encrypted with the new key. At the end of a successful rotation, PAM360 writes the new encryption key into the same pam360_key.key file (at the location specified in manage_key.conf) that contained the old key. If any error occurs while writing the key, the rotation process is aborted.
5.2 Steps to rotate the encryption key (if you are NOT using High Availability)
- Ensure that the current encryption key (pam360_key.key file) is present at the location specified in the manage_key.conf file. Also, ensure that PAM360 has read/write permission on the pam360_key.key file.
- Stop the PAM360 server.
- Open the command prompt and navigate to the <PAM360-Installation-Folder>/bin directory. Execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Depending on the number of passwords managed and other parameters, the rotation process takes a few minutes to complete.
- Start the PAM360 server once you see the confirmation message.
5.3 Steps to rotate the encryption key (if you are USING High Availability)
- Navigate to Admin >> General >> High Availability in the PAM360 web interface. Make sure that High Availability and Replication Status are alive.
- Check that the current encryption key (pam360_key.key file) is present at the location specified in the manage_key.conf file. Also, ensure that PAM360 has read/write permission on the pam360_key.key file.
- Stop the PAM360 Primary server and make sure that the PAM360 Secondary server is running.
- Open the command prompt in the PAM360 Primary installation, navigate to the <PAM360-Installation-Folder>/bin directory and execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Depending on the number of passwords managed and other parameters, the rotation process takes a few minutes to complete. A confirmation message is shown on successful completion of the rotation process.
- Copy the new encryption key from the Primary installation to the location specified in the Standby's manage_key.conf file. This is the location from which the Standby fetches the pam360_key.key file.
- Now, start the Primary and the Standby servers.
6. Updating Web Server Certificates using PAM360 Web Console
If you want to use the PAM360 web console to update the web server certificates, follow the steps below:
- Navigate to Admin >> Configuration >> PAM360 Server.
- In the PAM360 Server page that opens, you can install the keystore file belonging to your SSL certificate and/or change the default PAM360 server port.
- To update your SSL certificate, select the type of the keystore file (JKS, PKCS12 or PKCS11) from the Keystore Type drop-down menu.
- Browse for the keystore file on your system and upload it in the Keystore Filename field.
- Enter the password of your keystore file in the Keystore Password field.
- If you want to change the default PAM360 server port, enter the port number in the Server Port field.
- Click Save.
- Restart PAM360 after saving the changes.
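A pre-upload check for a PKCS12 keystore, added here as an example and not part of the PAM360 product: it confirms that the file opens with the password you are about to enter, contains a private key, is not expired, and names the host users will type into the browser. The keystore path and host name are placeholders; JKS files cannot be opened this way and need keytool instead.

```powershell
# Added example: validate a PKCS12 keystore before uploading it on the PAM360 Server page.
param(
    [string]$KeystorePath = 'C:\certs\pam360.p12',   # placeholder, the file you will upload
    [string]$ExpectedHost = 'pam360.corp.example'    # placeholder, host name in the PAM360 URL
)
Add-Type -AssemblyName System.Security
$password = Read-Host -Prompt 'Keystore password' -AsSecureString

# EphemeralKeySet keeps the private key in memory only (needs .NET Framework 4.7.2 or later).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
try {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($KeystorePath, $password, $flags)
} catch {
    throw "Keystore could not be opened (wrong password or not a PKCS12 file): $($_.Exception.Message)"
}

$problems = @()
# The server certificate must carry its private key, or the web server cannot use it.
if (-not $cert.HasPrivateKey) { $problems += 'Keystore contains no private key' }

# Do not upload a certificate that is already expired or not yet valid.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "Certificate validity $($cert.NotBefore) .. $($cert.NotAfter) does not cover today"
}

# Browsers match the URL host against the Subject Alternative Name (OID 2.5.29.17) entries.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($ExpectedHost)) {
    $problems += "Host $ExpectedHost is not listed in the SAN: '$sanText'"
}

Write-Output "Subject: $($cert.Subject)"
Write-Output "Thumbprint: $($cert.Thumbprint)"
if ($problems.Count -eq 0) { Write-Output 'Keystore OK to upload' } else { $problems | ForEach-Object { Write-Warning $_ } }
```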