PAM360 Release Notes

Version 7.3 (Build-7301)

Hotfix
12th December 2024

Bug Fix

In build 7300, deployment and discovery of SSL certificates were not functioning as intended. This issue has now been resolved.

Version 7.3 (Build-7300)

Major
15th November 2024

New Features

  • Cloud Entitlements Management via PAM360

    Introducing Cloud Infrastructure Entitlements Management (CIEM) in PAM360, a centralized platform designed to enhance governance and secure cloud entitlements by unifying control over permissions and policies. CIEM in PAM360 proactively identifies risks from excessive permissions, policy violations, and misconfigurations, providing a comprehensive view of vulnerable permissions across AWS cloud environments.

    With built-in detection and mitigation workflows, CIEM in PAM360 supports the achievement of Zero Standing Privileges, effectively reducing security vulnerabilities to protect cloud infrastructure end to end.

    Feature Highlights
    • Enhanced Visibility: Obtain in-depth insights into cloud entitlements and permissions through a centralized platform, enabling informed decision-making.
    • Detailed Access Mapping: Visualize user permissions and entitlements for easy management and adjustments.
    • Proactive Risk Mitigation: Identify excessive privileges and vulnerable permissions and mitigate risks by leveraging inline policies for effective management.
    • Right-Size Permission Management: Implement a Just Enough Access (JEA) model by enforcing least privileges to all the accounts.
    • Compliance Assurance: Ensure continuous adherence to industry regulations with ongoing monitoring of compliance.
    • Refer to our help documentation to learn more in detail.
  • Domain Account Password Update in ADMP via PAM360

    Administrators can now associate ADManager Plus' (ADMP) privileged domain account directly with the corresponding domain account in PAM360. This integration ensures that whenever a password rotation is performed for a domain account in PAM360, the updated password is automatically synchronized in ADMP. This automation eliminates the need for manual intervention in ADMP, thus ensuring seamless access continuity for Active Directory users.

Enhancements

  • From build 7300 onwards, the PAM360 agent will be installed in the 'systemd' software suite to utilize the parallel processing of agent installation and other agent capabilities.
  • PAM360 now offers digital signature support for the agent files, enhancing authenticity and protection against tampering.

Performance Improvement

PAM360 now features a significant improvement in overall performance, tailored for organizations that heavily depend on dynamic resource groups, delivering greater efficiency and responsiveness.

UI/UX Enhancement

In this release, we have modernized our PAM360 icons with a new design pattern, thus enhancing the user interface with a complete visual refresh for a more engaging user experience.

Security Enhancement

We have enhanced our security checks against Path Traversal, Local File Inclusion, Stored XSS, Reflected XSS, Denial of Service, Usage of Static Variables, and a few other vulnerabilities.

Security Fixes

  • A stored XSS vulnerability that occurred while managing user organization access has been found and fixed.
  • We have addressed the issues that allowed users unauthorized access to the following actions:
    • Viewing a password access request raised to an authorized administrator
    • Editing a resource without having been granted the edit privilege
  • We have resolved a Remote Code Execution (RCE) vulnerability that allowed adversaries to execute arbitrary commands in the following scenarios:
    • Transferring files over Legacy SSH connection
    • Deploying certificates on Linux resources
    • Rotating SSH keys on Linux resources
  • An issue that caused the domain account discovery operation to fail for users with Full Access permission to Windows Domain resources has been resolved.

Version 7.2 (Build-7201)

Hotfix
14th October 2024

Bug Fix

In build 7200, the access control workflow for Windows Domain resources did not function as intended when the Domain Name field in the resource was left empty. This issue has now been resolved.

Version 7.2 (Build-7200)

Major
5th October 2024

New Feature

Transfer User Accountabilities

Introducing the Transfer User Accountabilities feature under user actions within the Users tab. This feature enables the seamless transfer of all assets and approval responsibilities from one user to a new PAM360 user. When a user leaves the organization or department, this feature ensures a smooth transition of resources, delegation of permissions, and approval privileges with just one click.

Refer to our help documentation to learn more in detail.

Custom Database Management

PAM360 now supports creating a new database resource type with a customized set of database attributes. This functionality enables users to add their uniquely configured MS SQL, PostgreSQL, Oracle DB, Sybase ASE, NoSQL, and other SQL server databases that support JDBC as new resources in PAM360. With this enhancement, users gain the flexibility to perform password management and SQL auto logon for their unique databases, tailored to their specific management needs, thus empowering users to precisely align their database resources with their day-to-day requirements.

NIS2 Compliance Report

PAM360 now provides NIS2 Compliance Reporting, enabling organizations to generate applicable comprehensive reports related to the 140+ NIS2 directives for compliance verification and reporting purposes. These reports offer detailed insights into how privileged access is managed and aligned with NIS2 standards, and they allow users to track access activities and monitor incident responses. With built-in support for privileged access tracking and incident response monitoring, organizations can ensure they meet NIS2 requirements efficiently.

New Integration

PAM360 now integrates with ManageEngine IT Operations Management (ITOM) applications for efficient IT infrastructure management. With this integration, whenever a password is changed remotely in PAM360, the updated passwords for network devices stored in the PAM360 database are automatically synced to the ITOM database. This integration ensures secure IT infrastructure management by safely storing passwords in PAM360 and sharing them as needed with the appropriate ITOM applications.

Enhancements

  • As part of our commitment to aligning with PCI DSS 4.0, which includes updates to existing requirements and the introduction of new measures to address emerging threats, we have delivered the essential PAM360 reports and information in this build to ensure compliance with the latest PCI DSS standards.
  • Starting from build 7200, PAM360 allows administrators to set up Just-In-Time (JIT) privilege elevation for Windows Domain accounts directly within the PAM360 environment in addition to the existing ADManager Plus (ADMP) integration option.
    Note: This update does not impact the existing JIT privilege elevation configurations of Windows Domain resources set up through integration with ManageEngine ADManager Plus (ADMP). However, administrators can now leverage this new configuration option while setting up further JIT privilege elevation configurations for Windows Domain resources.
  • Users can now generate audit summaries for all resource, user, and task audit trails, along with related audits for all resource and task trails. These enhancements offer a comprehensive overview of all details associated with specific audits, making it easy for users to access and review relevant information in one location. Additionally, audit summaries and related audits can be exported or emailed, providing convenient access and documentation.
  • Administrators can now use domain accounts to reset the passwords of Windows local accounts during remote password resets for both individual and bulk configurations.
  • From build 7200 onwards, the PAM360 service will be installed in the 'systemd' software suite to utilize the parallel processing of services and other service capabilities.
    Note: However, for existing users, the service will remain the same in the 'initd' process control system unless they choose to change it. If you are an existing user and want to change the service to 'systemd' software suite, follow the procedure mentioned here.
  • Administrators can now configure keyboard language for the users' remote sessions via Remote Session Management in General Settings, and further, users can opt for the desired keyboard language for their remote sessions via the Remote Session Settings provided in the My Profile dropdown.
  • Earlier, when creating a dynamic resource group or associating resources to a dynamic group, administrators could only specify criteria using either 'Match all of the following' (AND) or 'Match any of the following' (OR). From now on, administrators can specify dynamic criteria using AND and OR logic with the desired conditions and subsets in diverse combinations.
  • Earlier, when an SSH proxy was configured with a resource, it could be modified with a new resource but could not be disabled. In this build, we have introduced the option to disable the SSH proxy configured for the Remote Connect application.
  • We have introduced the Connection View page to the global search results, alongside the Detailed View tab.
  • In addition to TLS protocol versions 1.1 and 1.2, PAM360 now supports TLS version 1.3 for agent and HTTPS communication.
  • Previously, transferring ownership of a resource discovered through an agent required manual updates to the configuration file to complete the process. Now, ownership can be seamlessly transferred directly through the user interface (UI), eliminating the need for configuration file updates.
  • From now onwards, the special character '-' can be included when generating passwords, offering greater flexibility in password creation.

Behavioral Changes

  • PAM360 now supports OAuth 2.0 authentication for server-to-server interactions during remote password resets of Google Workspace resources, enhancing security. As a result, the remote password reset configuration has to be updated for such resources with a few additional inputs.
    Note: The existing remote password reset configurations for Google Workspace resources will no longer rotate passwords, and you will have to reconfigure them for seamless password rotations.
  • Starting from build 7200, user authentication tokens will have access validity periods defined in days. To maintain access validity, users should regenerate their authentication tokens at the specified intervals. This proactive measure ensures that tokens do not expire prematurely. In cases where tokens expire, administrators can regenerate them for continued user usage.

Upgrade

The Apache Tomcat server has been upgraded from version 9.0.54 to 9.0.78.

Bug Fixes

  • Previously, when a user launched an RDP session for a resource with incorrect credentials, the session window remained open despite the authentication failure. This issue has now been resolved.
  • Starting with build 6100, enabling Sync Account Deletion under General Settings >> Resource / Password Creation caused a problem where attempting to discover accounts from resources added via the PAM360 agent inadvertently deleted all existing accounts in the PAM360 repository associated with that resource. This issue has now been resolved.
  • Previously, users experienced random connection request failures in the PAM360 application installed in the AWS environment with the application load balancer. This issue has now been addressed.
  • From build 6710, the reason field in the user audit displayed incorrect formatting for usernames containing '\n' characters, causing the '\n' to be removed. This issue has now been resolved.
  • Fixed an issue where the user audit captured upon adding a user to a user group was missing the user group name.
  • Earlier, when users attempted to launch a remote session using the logged-in AD account from the connections tab, there were some inconsistencies in the displayed remote access protocols. This issue has now been resolved.
  • In build 7100, when configuring remote password reset for a dynamic group, despite setting the password allocation to 'Assign same password to all accounts, but change during every schedule,' unique passwords were generated for each account. This issue has been resolved.
  • Previously, modifications made to the user group description were not updated, resulting in the old description being displayed. This issue has also been fixed.
  • Previously, modifying the Group Name in AD synchronization schedules occasionally resulted in a failed operation. This issue has now been resolved.
  • Previously, an issue occurred when multiple password rotations were triggered for resources added via an agent within the specified timeout interval. This has now been resolved, ensuring smoother and more controlled operations.
  • In the earlier MSP builds, when attempting to replicate audit purge settings across client organizations, there was a discrepancy in the configured number of days in the MSP and the client organizations. This issue has now been addressed.
  • An issue that prevented the rotation of the encryption key when executing RotateKey.bat in environments using RDS MSSQL as the backend database has been found and fixed.

Security Enhancement

In this release, we have eliminated the Struts framework dependencies and utilized the internal libraries for executing the operations, thereby enhancing the security of PAM360.

Security Fixes

We have addressed issues that previously allowed unauthorized access to low-privileged users for the following actions:

  • Viewing attributes, resource names, and account names of unshared resources
  • Sending password access requests to unauthorized administrators
  • Fetching resource owner details of unshared resources
  • Viewing user details, emails, and relevant user group information

 

Version 7.1 (Build-7100)

Major
5th July 2024

New Feature

PAM360 now extends its capabilities beyond service account discovery to include the discovery of privileged domain accounts, such as enterprise administrator and domain administrator accounts, within Windows Domain resources. This feature comes with customizable discovery criteria and synchronization schedules, empowering administrators to manage access to these high-level accounts efficiently. By ensuring precise administration of accounts in Windows Domain resources, this enhancement significantly streamlines the management of privileged domain accounts.

Performance Improvements

PAM360 now has a significant enhancement in the performance of the periodic password rotation, delivering a minimum of 10 times faster operation times under standard system environmental conditions. This improvement is particularly beneficial for organizations with extensive resources, providing critical efficiency gains, especially during emergencies requiring rapid password rotations. A few sample results illustrate the significance of the enhancement:

  • Rotating passwords for a resource group of 800 Linux resources now takes approximately five minutes, down from the previous 68 minutes.
  • Rotating passwords for a complex resource group of 10,000 resources (including 4,000 Windows and 6,000 Linux resources) now completes in about 39 minutes, a substantial reduction from the previous 14 to 20 hours.

This enhancement underscores the commitment to improving operational efficiency and productivity in managing password resets across diverse IT environments.

Enhancement

Users can now access a streamlined support reporting feature within the PAM360 application. This enhancement allows users to report issues directly to the support team from PAM360, providing essential details and logs efficiently.
Navigate to Profile >> Support and click Report an Issue for more details.

Version 7.0 (Build-7002)

Hotfix
21st June 2024

Bug Fixes

We have addressed and resolved two significant issues in build 7001:

  • Previously, the account details view for any resource incorrectly displayed all accounts shared with the user, irrespective of the specific resource being accessed. This has been corrected to ensure that users now see only the account details pertinent to the resource they are currently viewing.
  • For users managing multiple organizations, the favorites and recently accessed tabs within an organization were showing all accounts, regardless of the organization being managed. This issue has been fixed to display only the accounts relevant to the currently selected organization, providing a clearer and more organized management experience.

Version 7.0 (Build-7001)

Hotfix
14th June 2024

Security Fix

An SQL injection vulnerability (CVE-2024-5546) that would have allowed any authenticated user to access the database has been identified and resolved.

Version 7.0 (Build-7000)

Major
13th June 2024

New Features

  • Kubernetes Integration for TLS Secrets

    PAM360 now integrates with Kubernetes (K8s) - an open-source platform that automates containerized application deployment, scaling, and secrets management. Kubernetes secrets, a feature provided by the Kubernetes platform, facilitates a secure way of storing Kubernetes TLS secrets (certificates) within Kubernetes clusters.

    The integration aids administrators in securely fetching the Kubernetes TLS secrets (certificates) into PAM360, managing them within the single centralized repository, and rotating/updating the secrets obtained from multiple Kubernetes clusters.

    To configure and manage all your Kubernetes TLS secrets (certificates) via PAM360, navigate to 'Certificates >> Kubernetes' in the PAM360 console.

  • Private Certificate Authority (CA) / Intermediate CA

    PAM360 now offers a new feature, Private CA (Intermediate CA), that allows organizations to create and manage their certificates internally. Selected users can sign the end-user certificates for internal servers, applications, and services using the intermediate certificate, signed using the root certificate.

    With this feature, organizations can:

    • Achieve enhanced security and gain more control over their certificate management process without relying on external CAs.
    • Minimize the risk of external threats and improve their overall certificate management process.
    • Streamline the process of issuing and revoking certificates while maintaining complete control over their certificate authority, thus ensuring the certificates issued by the organization are trusted and secure, making it easier to manage and monitor all the internal certificates in one central location.
  • Azure Key Vault - TLS Secrets Management

    PAM360 now allows users to manage the TLS secrets stored in the Secrets of Microsoft Azure Key Vault - a management service offered by Microsoft. Through this integration, users can create (PFX format), renew, and manage the entire lifecycle of SSL/TLS certificates stored in the Secrets of Azure Key Vault via PAM360 by importing them into the PAM360 repository.

  • Configurable ACME

    PAM360 supports adding ACME providers for the effective automation of certificate lifecycle management. Just like its integration with renowned certificate authorities such as Let's Encrypt, Buypass Go SSL, and ZeroSSL, which offer automated SSL/TLS certificate management, PAM360 now has the flexibility to incorporate other ACME service providers, thus empowering efficient certificate management with automated precision. To explore more about the configurable ACME, navigate to 'Admin >> SSL Certificates >> ACME Providers'.

Enhancements

  • PAM360 is enhanced with the capability of discovering certificates from the FortiGate Firewalls. Furthermore, it now facilitates the addition and administration of multiple FortiGate Firewall accounts, along with the individual deployment of certificates.
  • A new option has been provided under 'Certificates >> Certificates >> Multiple Servers' to allow users to add additional fields, such as character, date, and email, on the Multiple Servers page.
  • It is now possible to include the multiple server lists of the SSL certificates in the notification email of the SSL expiry schedule.
  • DigiCert is now added as a vendor to the SSL Store list. The previously available SSL Store vendors, which include Thawte, Geo Trust, and Rapid SSL, will now be a part of DigiCert.
  • It is now possible to add an email address while configuring 'Certificate Sync Status Check' from 'Admin >> SSL Certificates >> Certificate Sync Status'. Once added with the configured recurrence time interval, the list of all the SSL certificates with their deployed servers will be sent to the given email address, with the following details: days to expire, date of expiry, serial number, and fingerprint.
  • Henceforth, while creating a Certificate Signing Request (CSR), only the Common Name, Validity, and Store Password will be the mandatory fields.
  • The following additional key sizes have now been added to the key algorithms for enhanced security strength:
    • 3072 and 4096 key sizes for RSA
    • 2048 and 3072 key sizes for DSA
  • PAM360 now supports SHA256 SSL fingerprints for the SSL certificates. Administrators can navigate to 'Admin >> SSL >> SSH/SSL Config >> SSL Fingerprint' to change their SHA values. In addition, all the existing certificates can also be changed to SHA256 fingerprint by enabling the checkbox provided.
  • From now onwards, the keys dashboard in PAM360 will not take the EC certificate key size into account for the 1024-bit and lesser keys calculation.
  • New RESTful APIs: The following new REST APIs have been introduced in PAM360:
    • Import User from AD/Entra ID - To import a user from an Active Directory or Microsoft Entra ID to PAM360.
    • Fetch all SSL/SSH Audit Details - To fetch all the Keys and Certificate audits from PAM360.
    • Discover SSL in Bulk from Files - Performs SSL discovery based on the DNS names stored in the files.
    • Fetch SSL Vulnerability Count - To fetch the total number of SSL vulnerabilities.
    • Fetch SSH Key Passphrase - To fetch the passphrase of an SSH key.
    • Import CSR - To import the Certificate Signing Request (CSR) by providing valid information.
  • Previously, the CSRs were signed in REST API using MSCA. From now on, either MSCA or root CA can be used to sign the CSRs, and in addition, the API response will display the certificate serial number for further API-related use.
  • From this build onwards, additional field data can be added as a dropdown option by giving the desired values via 'Admin >> SSH/SSL Config >> Additional Fields >> Dropdown'.
  • The 'Certificate Details' will now show the additional field(s) information related to the SSL certificates in the 'SSL' tab.
  • From now on, users can create CSR by importing the KeyStore file from the PAM360's SSL repository instead of exporting them locally and importing them back for CSR creation.
  • Henceforth, all the SSL discoveries performed via public Certificate Authority (CA) integrations will be recorded in the Audit window.
  • A new PKCS 8 export type that permits additional exportation capabilities has been introduced.
  • PAM360 now supports 'DNS Made Easy' to complete domain control validation while acquiring certificates from public Certificate Authorities, alongside the available DNS support types.
  • The SSL Expiry Report data will now be sorted based on the expiry date.
  • We have introduced two additional certificate conversion formats in the Tools section, now supporting the conversion from Java KeyStore (.jks) to Privacy Enhanced Mail (.pem) and vice versa.
  • Users can now import SSH keys in bulk, provided the keys are passwordless or share the same passphrase.
  • Microsoft Entra ID Integration

    PAM360 now offers enhanced functionality for importing users from Microsoft Entra ID, including the ability to:

    • Assign roles and languages
    • Configure Two-Factor Authentication
    • Search user groups

    Additionally, the Role, Language, and Two-Factor Authentication information is now displayed on the 'Microsoft Entra ID Synchronization Schedules' page, allowing administrators to:

    • Add synchronization schedules for user import
    • Edit schedules using the 'Edit Schedule' icon under 'Actions'
    • Import users instantly using the 'Import Now' icon under 'Actions'
    • Perform bulk edit and import operations
    • Modify roles, languages, Two-Factor Authentication, and synchronization intervals for each user group configured with a user import schedule
    • Add, edit, and delete domain details
  • LDAP Integration

    PAM360 has improved its LDAP integration user-import capabilities, enabling administrators to:

    • Assign roles and languages
    • Configure Two-Factor Authentication

    These enhancements are reflected on the LDAP Server Configuration page, where administrators can now:

    • Edit schedules using the 'Edit Schedule' icon under 'Actions' for Groups and OUs
    • Perform bulk edit operations
    • Assign roles and languages and configure Two-Factor Authentication for users imported from LDAP (Group/OU/Search Filter)

Note: For both Microsoft Entra ID and LDAP, configurations applied during the initial import will be retained in subsequent schedules unless modified.

Bug Fixes

  • The SSH and SSL discovery (including scheduled discovery) results included the IP address(es) provided in the 'Exclude IPAddress' field. This issue has now been fixed.
  • In the notification policy, email notifications pre-configured by administrators for the expiry of PGP keys were sent at configured intervals without the subject or details, even when no PGP keys were present. This issue has now been fixed.
  • The IP and the DNS fields had similar entries when an IP was not resolved into DNS, thus creating duplicate entries on the multiple server pages. This issue has now been fixed.
  • Earlier, in addition to the latest version, .NET Framework version 3.5 was required for IIS binding. Following the fix, a .NET Framework version above 4 will be sufficient to bind a certificate to a website in IIS.
  • When adding or updating the schedules, they relied on the client machine's date instead of the server's. This issue has now been fixed.
  • In the notification policy, email notifications pre-configured for certification expiry were sent without any subject or details at configured intervals. This issue has now been fixed.
  • An issue that led the SSL discovery to fail with an exception message - 'certificates do not conform to algorithm constraint' has been fixed.
  • An issue in fetching some columns from the ServiceNow help desk that appear under 'Admin >> Integrations >> Ticketing system' has now been fixed.
  • When an administrator tried to rediscover the certificates in an organization, it failed with an empty error message. This issue has now been fixed.
  • The revoked status of the certificates was still showing even after the renewal of revoked certificates in MSCA. This issue has now been fixed.
  • The load balancer discovery schedule failed when specified with a port number during the schedule configuration. This issue has now been fixed.
  • When signing a CSR with a certificate, SHA256 was being used as the default signature algorithm instead of the signer certificate's signature algorithm. This issue has now been fixed.
  • The Subject Alternate Name that contains a Principal Name faced a parsing error during the certificate operations. This issue has now been fixed.
  • An issue in creating certificates with multiple organizations and organization units has been fixed.
  • The IIS binding failed with SHA256 SSL fingerprint enabled. This issue has now been fixed.
  • Saving the IIS binding updated other rows with incorrect values under 'Admin >> SSL Certificates >> IIS Binding'. This issue has now been fixed.
  • The self-signed certificates that are auto-renewed accumulated over the new discovery list. This issue has now been fixed.
  • When the SAN field in the CSR request page included an IP address, it was not appearing in the SSL parser or the SSL certificate details page. This issue has been rectified in this update.
  • In previous versions, after certificate renewal, auto-deployment to MS Store failed in a few cases. This issue has now been fixed.
  • Previously, the SSH session to a target resource via landing server using domain authentication was not functioning as intended. This issue has now been fixed.
  • In build 6710, users were unable to launch RDP, SSH, and VNC connections to a target resource due to a mismatch in the gateway server settings. This issue has now been fixed.

Security Fixes

  • A stored XSS vulnerability caused by the Key Name parameter after associating a key via Public Key Association has been fixed.
  • We have fixed a Remote Code Execution (RCE) vulnerability that allowed an adversary to execute arbitrary commands on the Windows machine via the SSL agent.
  • An issue that allowed a user unauthorized access to add the user of an MSP organization to the client organization's user group has been found and fixed.
  • A stored XSS vulnerability, which occurred while importing the IdP certificate file from the File Store or Key Store in PAM360, has been identified and fixed.
  • An issue that allowed an API user with administrative privileges to perform the following unauthorized actions has been found and fixed:
    • Rejecting a password access request raised to an authorized administrator
    • Checking in a password access request approved by an authorized administrator
  • An issue that allowed a low-privileged user to access the command history of an active legacy SSH session has been fixed.

Version 6.7 (Build-6710)

Minor
9th May 2024

Enhancement

PAM360 now supports SSH proxy for the native PAM360 Remote Connect application. For more details, refer to the Remote Connect release notes.

Behavioral Change

We have limited the SFTP download size to 6GB due to performance issues with large downloads in user environments. Please contact our support team for more information on customizing the download limit.

Bug Fixes

  • Previously, the reminder mail prior to the password access time was not sent to the users for the resources configured with auto-approved access control. This issue has now been resolved.
  • From build 6600 with MS SQL as the backend database, users accessing the PAM360 application via a browser extension or mobile application could not view web accounts stored in the personal tab. This issue has now been resolved.

Version 6.7 (Build-6700)

Major
4th May 2024

New Feature

PAM360 SDK

Introducing the latest addition to our PAM360 suite: the PAM360 Software Development Kit (SDK). The SDK opens up new pathways for developers and administrators, offering seamless integration of PAM360 functionalities within DevOps, CI/CD platforms, or any other microservices/software across organizations. By leveraging the SDK, developers can efficiently embed privileged access management capabilities into their applications, ensuring robust security and seamless functionality within the PAM360 environment.

Key Highlights of PAM360 SDK

  • Java and Python Support: Our SDK comes fully equipped with support for Java and Python, ensuring flexibility and compatibility with diverse programming environments.
  • Secured Ease of Use: Eliminate the hard-coded PAM360 data in the client applications by leveraging the appropriate PAM360 APIs across your applications/environments using our SDK.
  • Effortless Data Exchange: With our SDK, exchange data seamlessly between PAM360 and client applications, streamlining processes and enhancing efficiency.
  • Simple Integration: Declare and define PAM360 APIs as simple methods/functions within your Java/Python applications, simplifying the integration process and reducing development overhead.
  • Data Transfer Capability: Push data effortlessly into PAM360 from any other application by leveraging the appropriate APIs, ensuring smooth and real-time data synchronization.

For detailed information on configuring and managing PAM360 SDK, please refer to our comprehensive help documentation.

Enhancement

Now, administrators can tailor diverse access permissions during PAM360 user account creation, offering a spectrum of options, including Web Access, REST API Access, and SDK Access for a single user account. This update empowers administrators to finely tune user privileges according to specific organizational requirements, ensuring precise allocation of PAM360 access to the users as desired. Notably, existing REST API-only user creation remains unchanged, with the added benefit of providing SDK access.

Note: This update does not impact the roles and functionalities of existing user accounts. However, administrators can now leverage these new access levels while modifying the existing user accounts.

Behavioral Changes

  • Users with Super Administrator privileges will no longer have access to the REST API. Existing user accounts with this level of access need to be modified for continued PAM360 accessibility:
    • Revoke Super Administrator privilege for continued REST API access.
    • Alternatively, provide Web access for continued Super Administrator privilege.
  • Authentication tokens for API users will now expire after 365 days, ensuring improved security compared to tokens that previously never expired.

Bug Fixes

  • Starting from build 6451, even though a resource group is set up for periodic password reset and the reset successfully takes place as expected, the resources within the resource group may appear disabled in the View Selected Resources for periodic password reset operation. This issue has now been fixed.
  • Previously, RDP and SSH sessions for access control configured resources persisted beyond the configured access time limit in the client organizations. This issue has now been fixed.

Version 6.6 (Build-6611)

Hotfix
26th April 2024

Security Fix

In build 6610, we encountered a Reflected XSS vulnerability (CVE-2024-27313) at a few PAM360 URLs. This issue has now been resolved.

Version 6.6 (Build-6610)

Minor
13th April 2024

New Feature

PAM360 now supports SCIM 2.0 (System for Cross-domain Identity Management) to exchange user data between SCIM-supported Identity Providers and the PAM360 application. The Identity Provider's SCIM provisioning agent installed within the PAM360 server network helps administrators easily synchronize user and user group details between their existing identity management systems and the PAM360 application using the provided SCIM APIs.

Feature Highlights

  • Automated User Lifecycle Management - SCIM 2.0 support ensures seamless synchronization of user data, aligning with organizational policies.
  • Enhanced Security - SCIM support enhances security by reducing manual intervention in managing user data.
  • Simplified Integration - PAM360's SCIM 2.0 support facilitates easy integration with external identity providers, improving system compatibility.

Refer to the help documentation for more insights on PAM360's SCIM APIs and the sample configuration of SCIM provisioning in Microsoft Entra ID.

New Integration

PAM360 now integrates with ServiceDesk Plus Cloud to give SDP technicians secure and seamless remote access to privileged resources within PAM360. With this integration, administrators can now grant remote access to authorized personnel without compromising security and with session recordings for traceability. Technicians can now securely access target machines for raised requests directly from the SDP portal, eliminating the hassle of switching between interfaces for remote sessions.

Security Fix

  • A stored XSS vulnerability that occurred while viewing the Schedule Info of a custom report on the 'User Created Schedules' page has been found and fixed.
  • An issue that allowed a user unauthorized access to the resource name and its owner name has been fixed.

Version 6.6 (Build-6601)

Hotfix
10th April 2024

Security Fix

In build 6600, we have identified a vulnerability (CVE-2024-27312) that allowed low-privileged users to perform certain privileged operations by sending crafted URL requests to the PAM360 server. This issue has now been fixed.
Note: Users who have downloaded the PAM360 build 6600 are strongly advised to use the latest 6601 build and SHA256 checksum hash value to ensure security measures and mitigate the risk of unauthorized access.

Version 6.6 (Build-6600)

Major
1st April 2024

New Feature

Time-Based One Time Password (TOTP)

Introducing TOTP support in PAM360 for accounts utilizing TOTP as the form of Two-Factor Authentication (2FA). This feature allows administrators to utilize the shared TOTP secrets in accounts for further TOTP code generation, particularly for website accounts configured with 2FA. Once configured, users can directly access such privileged accounts from the PAM360 interface, facilitating the generation of TOTP codes for 2FA alongside the shared passwords. This ensures a streamlined end-to-end process for setting up, validating, and authenticating users to utilize shared accounts configured with password and 2FA, enhancing overall security posture and user experience.

Enhancement

Earlier, PAM360 lacked a setting to specify custom connection properties when changing or migrating the backend database from PostgreSQL to MS SQL. From now on, custom connection properties can be added, thus providing users with greater flexibility to connect to their MS SQL server when changing or migrating the backend database.

Upgrade

The PostgreSQL server has been upgraded from version 10.18 to 14.7.

Bug Fixes

  • When a user is provided with the access control approval privilege via user groups and not directly from the user level, and if the user tries to approve an access control request via the PAM360 mobile application, it fails with an error message of unauthorized access. This issue has now been resolved.
  • Ticketing settings configurations at Resource Group could not be saved in some instances. This issue has been fixed.
  • From build 6400 onwards, users could not take SQL remote sessions for MS SQL resource types with the instance name. This issue has been fixed.
  • From build 6400 onwards, users could not migrate to an MS SQL server using a custom instance name and port. This issue has been fixed.
  • Fixed an issue where changing a password using an API failed if the new password had the '[' character, which was not recognized as a special character for a strong password policy.
  • Fixed an issue that restricted the intended operation of the users with the custom role privilege of 'Lock / Unlock Users'.
  • We have resolved the remote connection failure that occurred for the accounts in the MySQL resources in both SSL and Non-SSL connection modes.

Version 6.5 (Build-6541)

Hotfix
1st March 2024

Bug Fix

From build 6530 onwards, fetching the Organizational Units from the Active Directory instances failed due to a change in the memory management process. This issue has now been resolved.

Version 6.5 (Build-6540)

Minor
15th February 2024

New Feature

Endpoint Privilege Management via Application Control in PAM360
PAM360 now enhances its endpoint privilege management capabilities using Application Control, powered by ManageEngine's Application Control Plus. The feature offers robust endpoint privilege management, allowing administrators to regulate application usage on organizational endpoints across PAM360 efficiently. With customizable rules, administrators can create and manage allowlists and blocklists directly from the PAM360 interface, ensuring precise control over application access. Additionally, in break-glass scenarios, administrators can temporarily authorize applications on the blocklist, enhancing security and simplifying application access management for users.

Feature Highlights

  • Endpoint Privilege Management - Control privileged application access based on user requirements.
  • Controlled Application Access - Establish detailed allowlists and blocklists for authorized users and applications.
  • Simplified Access Management - Simplify user permissions through application discovery and access allocation.
  • Just-in-Time Application Access - Enable temporary privileged application access during critical situations.
  • Bolstered Security and Efficiency - Mitigate risks and optimize endpoint management with improved application access control.

Unlock advanced application management capabilities with your existing ManageEngine Application Control Plus license and experience secure and efficient endpoint management within the PAM360 environment with version higher than 11.3.2404.1. If you are new to Application Control, download Application Control Plus now for free management of up to 25 Windows devices.

Refer to the help documentation to know more about the Application Control in detail!

UI/UX Enhancement

We have updated a few UI text elements in the user dashboard to avoid misinterpretation between the total number of users and active users.

Bug Fixes

  • When utilizing the search bar in the Operation Types of the Audit section, the search list would display results in the base language of the resource where PAM360 was installed. Following the fix, the search list will present items in the user's language as set in the Personalize section.
  • In certain cases, the agent installation on Linux machines located outside the domain network failed, displaying a domain-related error message. This issue has now been resolved.
  • In the MSP version of PAM360, previously, updating the access URL via Mail Server Settings did not reflect the changes in the Login URL of the client organizations. This issue has been resolved, and now the client login URLs are updated accordingly.
  • The password administrator could not access the user group list when attempting to share resources via the user group within the client organization. This issue arose with user groups replicated from an MSP organization. We have now resolved this issue.
  • Previously, when the administrator required a reason for retrieving a password for an account containing special characters, there was a discrepancy between the old password copied from the Password History section. This issue has now been rectified.
  • Previously, if the Passphrase of the Periodic Password Export in the Resource Groups contained an angle bracket, the configuration would fail, accompanied by an invalid error message. This issue has been rectified.

Version 6.5 (Build-6530)

Minor
25th January 2024

Enhancements

  • From now on, users can perform the following actions while importing resources or users from the Active Directory:
    For resources:
    • Assign password policy
    • Search groups
    • View the selected groups
    For users:
    • Assign roles and languages
    • Enable or disable Two-Factor Authentication
    • Search groups
    • View the selected groups
    The settings applied during the initial import will be followed through the subsequent schedules unless modified.
  • Concerning the above, we have also displayed the same (Role, Language, and Two-Factor Authentication) on the 'Active Directory Synchronization Schedules' page. Furthermore, users can now execute the following actions directly on the same page:
    • Edit schedules using the 'Edit Schedule' icon under 'Actions'
    • Import schedules instantly using the 'Import Now' icon under 'Actions'
    • Modify the schedule owner in the 'Edit Schedules' window
    • Assign password policies for the scheduled resources from the Active Directory
    • View the selected groups or organizational units, assign roles, and enable/disable Two-Factor Authentication
  • PAM360 now supports Secure File Transfer Protocol (SFTP) sessions with private key authentication. For an account to use this authentication method, it should possess a valid SSH key with the 'Use Private Key for Login' option enabled.
  • Henceforth, PAM360 supports SFTP for remote resources configured with the landing servers.
  • From now onwards, with an active ticketing system integration in PAM360, the users should provide a valid ticket ID for the SFTP session.
  • To get the list of users enabled/disabled with remote connect access, we have introduced the following query reports:
    • Users with Remote Connect Access
    • Users without Remote Connect Access
  • We have removed the minutes field in the 'Synchronization Interval' setting to maximize the sync interval. Existing intervals configured with minutes will continue to synchronize at the same interval unless modified.

UI/UX Enhancements

  • A new column - 'Description' has been introduced in the 'Passwords' tab.
  • The account attribute - 'Notes' has been renamed to 'Description'.

Bug Fixes

  • An issue related to updating secondary domain controller information in the 'Domain Details' window under 'Active Directory Synchronization Schedules' has been found and fixed.
  • The password reset listener failed to perform its intended functionality during the password reset action. This issue has been fixed.
  • The user-created schedules failed to carry out the operations in the Application Scaling model with an external PostgreSQL server as its backend database. This issue has now been fixed.
  • The remote session to the MS SQL server using the domain account failed when the MS SQL server and the PAM360 server resided in distinct networks. This issue has now been fixed.
  • When users tried to discover accounts for the VMware ESXi resource types, the account discovery failed. This issue has now been fixed.
  • From build 6000, users could not pause, play, or seek the playback of the recorded sessions. This issue has now been fixed.

Security Fixes

  • A stored XSS vulnerability that occurred while fetching groups and organization units from Active Directory has been found and fixed.
  • An OpenSSH vulnerability (CVE-2023-48795), which might have allowed unauthorized access and data manipulation, has been prevented by updating third-party jars.
    Note: PAM360 users are strongly advised to upgrade their OpenSSH servers, OpenSSH clients and PuTTY or other similar SSH tools installed in the environments to the latest versions for enhanced security.

Version 6.5 (Build-6520)

Minor
1st December 2023

New Feature

Security Hardening Dashboard
Introducing the Security Hardening Dashboard, an innovative feature designed to offer comprehensive insights into the security postures of both the PAM360 application and server, bolstered by a dynamic security score. This centralized dashboard serves administrators as a powerful tool to swiftly implement the best practices, fortifying the entire PAM360 environment. Encompassing application, server, user status reports, and security hardening scores, this all-in-one toolkit serves as a valuable resource for maximizing the security potential of PAM360.
Refer to the help documentation to know more about the dashboard in detail!

Enhancement

PAM360 now supports the Hebrew language.

Behavioral Change

In previous versions, periodic password export schedules persisted in Resource Groups despite specific scenarios, such as when the option to export passwords to an encrypted HTML file was disabled globally or for specific users, or when password export was disabled for 'Resource Groups' in 'Export/Offline Access'. With the 6520 upgrade, this behavior will be rectified to align with its intended functionality. After the upgrade, if the mentioned export choices are enabled, users must enable the corresponding schedule through the 'User Created Schedules' window to restart the schedule.

Bug Fixes

  • Updating the Read-Only server's web server certificate prevented user login in the Read-Only server. This issue has now been fixed.
  • Earlier, when a resource of resource types - File Store, Key Store, and License Store was configured with access control, the newly added accounts post-configuration did not inherit the configured access control. We have now resolved this issue.
  • Users imported from Microsoft Entra ID were locked after the scheduled synchronization. This issue has now been fixed.
  • In previous builds, though administrators and users were disabled from exporting passwords to an encrypted HTML file from Resource Groups, the scheduled periodic password export remained enabled. This issue has now been fixed.
  • MSP Edition
    • Previously, in some instances, the custom user roles were not replicated to the client organization from the MSP organization. This issue has now been fixed.
    • In a few instances, with the user groups replicated from an MSP organization, the bulk addition/removal of client organization users to/from the replicated user groups failed. This issue has now been fixed.
    • User groups replicated from an MSP organization turned empty in the client organization. We have resolved this issue now.

Security Fixes

  • We have resolved the security vulnerabilities that allowed users the following unauthorized access:
    • Fetch the statistics from the Password and User dashboards
    • Fetch the live feeds of resource and user audits from the dashboards
    • Delete a recorded session's playback without administrator's approval
    • Generate the 'Password Inventory' report
  • An issue that enabled Two-Factor Authentication (TFA) without mail server configuration has been found and fixed.
  • The security issue (CVE-2023-6105) that could have led to the inadvertent exposure of sensitive information to low-privileged OS users with access to the host through improperly configured installation directory permissions has been discovered and resolved.
  • Cross-Site Scripting (XSS) vulnerabilities found while performing the below actions have been addressed and resolved:
    • Viewing the account details
    • Configuring access control for an account
    • Configuring access control for a resource
    • Accessing the snapshot of a resource
    • Transferring the ownership of a resource
    • Transferring the ownership of a static resource group
    • Finding the out-of-sync passwords of a resource group
    • Transferring the access control approver privilege of a user
    • Transferring ownership of an administrator to another administrator
    • Searching the resources for associating them in a dynamic resource group
    • Discovering accounts from a resource

Version 6.5 (Build-6510)

Minor
16th November 2023

Enhancements

  • Previously, administrators could transfer ownership of only the static resource groups. From now on, they can reassign the ownership of dynamic resource groups, while the super administrators can perform bulk ownership transfers for both static and dynamic resource groups.
  • In addition to the existing 'Schedule Name' search filter in 'User Created Schedules', users can now utilize the 'Operated By' search filter to list out the schedules based on the operator name.

Bug Fixes

  • In previous versions, removing a criterion from an existing dynamic group resulted in the removal of all criteria beneath it. This issue has now been fixed.
  • Earlier, in the 'Resource Groups' tab, users could not find resource groups by specifying their owner names in the 'Owner' search filter. This issue has been fixed.
  • Previously, the password verification process via PKI authentication for Linux accounts failed to identify incorrect passwords that had been synced. This issue has been addressed and fixed.
  • From build 6310, SSH connections using currently logged-in AD accounts failed to establish. This issue has now been fixed.
  • In prior versions, notification about Super Administrator information was displayed to users created with user-type roles. This issue has now been fixed.
  • Previously, during the password check-in process, the Password column displayed as Null value for the Microsoft Azure resource type when configured incorrectly with remote password reset. This issue has now been fixed.
  • From build 6400, users inadvertently got removed from their user groups during AD synchronization. This issue has been fixed.
  • Previously, while adding a resource to an existing resource group, the 'Group Name' field on the 'Add Resource' page failed to auto-populate the resource group selected by the user. This issue has now been fixed.
  • Earlier, changes made in the Edit Group Attributes description could not be saved when the user Group Name contained special characters. This issue has now been fixed.

Version 6.5 (Build-6501)

Hotfix
01st November 2023

Security Fixes

  • We have upgraded the json.jar component in the PAM360 library to the latest version (json-20231013), thereby fortifying our defenses against potential Denial-of-Service (DoS) attacks (CVE-2023-507).
  • We have fixed an issue that allowed users to view unshared SSH key group information.
  • We have addressed an issue where users could view the description of unshared PGP keys.
  • We have found and fixed a vulnerability that allowed a user to edit the landing server configuration created by other users.
  • An issue that allowed users with the password auditor privilege to terminate the user sessions has been found and fixed.
  • The following stored Cross-Site Scripting (XSS) issues have been found and fixed:
    • Resolved vulnerabilities in the role properties located on the custom role edit page.
    • Addressed an issue in the Message Board attributes.
    • Rectified a vulnerability identified while adding a new resource type.
    • Prevented a potential vulnerability that could affect a user in an SQL session initiated by another user.
    • Addressed a vulnerability observed while playing back the SQL session recording under 'Recorded Connections' in the 'Audit' tab.
    • Addressed issues that occurred in the following areas of the PAM360 web console: Lock User dialog box, Connections tab, Edit Web Account dialog box, and Edit Accounts dialog box.

Version 6.5 (Build-6500)

Major
6th October 2023

New Feature

Smart Login
We have introduced a convenient login method in PAM360: Smart Login via QR code. The feature allows effortless login to PAM360 by scanning the QR code displayed on the PAM360 webpage using the PAM360 mobile application (Settings >> Smart Login). This direct login method streamlines the process with a passwordless authentication, thus significantly reducing login effort.

Note: To use this functionality, users should upgrade PAM360 web and mobile applications to the following versions as applicable.

  • Web application - Version 6500
  • Android application - 2.6.0
  • iOS application - Version 2.5

New Integration

Integrate PAM360 with 800+ Business Applications Now via Zoho Flow!
PAM360 integration with Zoho Flow empowers users to deploy workflow automation across 800+ business applications, focusing mainly on HR and IT Service Management (ITSM). The integration enables swift onboarding and offboarding of users between recruitment/ATS systems and PAM360, thus seamlessly bridging the HR and ITSM functionalities of an organization.

With this integration, a designated PAM360 REST API user can effortlessly craft custom workflows in Zoho Flow, connecting PAM360 to an extensive range of applications within Zoho Flow using its dedicated APIs, which perform pivotal actions such as user creation, group management, account control, and privileged resource sharing in automated workflow triggers.

Read our help documentation to know more about this integration, and real-time scenarios in detail.

Enhancements

  • Users can now generate session query reports using the latest version of PAM360. These reports fall under the new 'Recorded Session' category and include the following lists:
    • All recorded sessions
    • Deleted session recordings
    • Recorded RDP sessions
    • Recorded SSH sessions
    • Recorded VNC sessions
    • Recorded SQL sessions
    • Recorded telnet sessions
    • Recorded remote desktop sessions
  • Users with the administrator role can terminate user sessions initiated through add-ons and the PAM360 mobile application.
  • With this latest update, we have introduced a new custom role option - Terminate User Session, which, when enabled, empowers users to conclude active sessions promptly as needed.

Bug Fixes

  • Previously, the remote password reset for the Microsoft Azure accounts failed if the UPN suffix (domain.com) of a user account and the DNS of a resource differed. This issue has now been fixed.
  • Previously, in the Auto Approval scenario for access control, the password was not checked back in within the specified period, even after the approval time, until the user checked it out manually. This issue has now been rectified.
  • Previously, when the administrator required a reason for retrieving a password for an account containing special characters, there was a discrepancy between the old password copied from the Password History section. This issue has now been rectified.
  • HTTPS Gateway Server-Related Fixes
    • In this release, we have resolved an issue that restricted the authentication of a few ManageEngine application URLs via the HTTPS gateway server due to a set of common cookie names.
    • Previously, the HTTPS gateway server encountered difficulties in decoding responses from certain resource URLs sent to the PAM360 server. This issue has now been successfully rectified.
    • Starting from build 6010, a few HTTPS gateway sessions resulted in bad requests due to case-sensitive modifications in the session URL (for instance, from https://ipaddress:port/GS_6b86b273ff34fce1_ to https://ipaddress:port/gs_6b86b273ff34fce1_). We have now addressed it.
    • Some URLs accessed via the HTTPS gateway server were experiencing bad request errors when the redirection URL of the HTTPS gateway server contained / or // at the end of the URIs. This issue has now been resolved.
    • Before build 6010, if a redirection URL from the HTTPS gateway server included a hostname and port number instead of a Fully Qualified Domain Name (FQDN), connections to certain URLs would fail. This issue has been resolved, and from now on, it will work as expected.

Security Fix

  • An issue that allowed the users with the password auditor privilege to terminate the user session has been found and fixed.
  • An issue in build 6100 that allowed the privileged users to add/edit/delete the conditions in the unshared access policy (Zero Trust) has been found and fixed.

Version 6.4 (Build-6400)

Major
4th September 2023

Enhancements

  • New Resource Type
    A new resource type, RabbitMQ, has been introduced in this release to facilitate the proficient administration of RabbitMQ server passwords.
  • From now onwards, users with administrative privileges can filter out the most active users' data based on password access count for a specific date range, such as Last 7 days, Last 30 days, and custom range in User Dashboard.
  • Importing Users, Resources, Organizations, and Passwords from Excel file formats like '.xls' and '.xlsx' is now supported.
  • Previously, after importing users, resources, organization details, and personal passwords as files, column mapping required manual intervention. Now, columns will be automatically mapped with the form fields, provided the files imported have the same column names.
  • Earlier, during bulk editing of resources, the resource and account additional fields were accessible only after selecting the resource type. However, from build 6400, these additional fields will be available without specifying any resource type. Additionally, it is possible to bulk edit RDP, SSH, and Telnet session recording, password reset, and resource type.

Bug Fixes

  • From build 6000 onwards, a few placeholders got encoded after saving the email templates and message templates. This issue has been fixed.
  • In earlier versions, the session recordings of SSH and Telnet sessions failed to export when the resource name contained special characters. This issue has been fixed.
  • From build 5700, the PAM360 Windows Domain agent failed to verify the domain account passwords through the password verification feature. This issue has been fixed.
  • From build 6100, the Agent Update command failed to work as expected while reinstalling the PAM360 Agent via the command line. This issue has been fixed.
  • In PAM360 with MSSQL backend, the search in the 'Resource Name' column of the 'Passwords' tab failed under the following two circumstances:
    • When the resource name exceeded 30 characters.
    • When the resource names were searched using their substrings.
    This issue has been fixed.
  • The CPU spike caused by the PAM360 dashboard has been fixed.
  • From build 6100, users could not save edits to dynamic resource group attributes. This issue has been fixed.

Security Fix

A custom audit filter created by one user could be deleted by other users due to a security vulnerability, which has been fixed in this release.

Version 6.3 (Build-6320)

Minor
11th August 2023

Enhancements

  • Earlier, it was mandatory to enforce a password when creating a new user via the 'Create a New User' API. From build 6320 onwards, the API grants the flexibility to create users without the obligatory enforcement of a password.

REST API

  • New RESTful APIs: The following five new REST APIs have been introduced in this release:
    • Fetch All Users - To fetch all the users' details.
    • Fetch All User Groups - To fetch all the user groups' details.
    • Bulk Share Resource Groups to Users or User Groups - Sharing resource groups to users or user groups in bulk.
    • Bulk Share Resources to Users or User Groups - Sharing resources to users or user groups in bulk.
    • Bulk Share Accounts to Users or User Groups - Sharing accounts to users or user groups in bulk.

Bug Fix

  • PAM360 MSP edition installed in the server using non-English languages failed to work in the browser extension. This issue has been fixed.

Version 6.3 (Build-6310)

Minor
16th July 2023

Enhancement

  • Multiple LDAP Domain Support with Advanced User Import Methodologies
    We have introduced enhanced functionality to support multiple LDAP domains in this release. This improvement includes a simplified process for importing users from LDAP, allowing for importation based on specific Organizational Units (OUs) and Groups in addition to the existing search filter method. Not only can individual users be imported, but now users can also be imported in bulk into PAM360, thus providing greater flexibility and control during the LDAP user import process.
  • Earlier, users could auto-logon to resources using the logged-in AD account and Azure AD user accounts. From now on, auto-logon is possible through the LDAP user accounts as well.

Behavioral Changes

When implementing the LDAP user import enhancement, several behavioral changes occur:

  • The format of the LDAP usernames will be modified to 'domain\username' (e.g., pam360.com\lisa). Consequently, the RADIUS, DUO, and RSA Two-Factor Authentications (2FA) need to be reconfigured for LDAP users to accommodate this new format in the 2FA servers.
  • The names of existing LDAP synchronized groups will be updated to the 'domain\Groupname' format (e.g., pam360.com\administrators).
  • The agents installed by LDAP users from PAM360 should be downloaded and reinstalled again on their respective resources.
  • Schedules that were previously configured with a specific number of days (n) will be changed to daily schedules.

Bug Fixes

  • In this release, a problem that prevented the Active Directory's Connection Mode from getting saved in the 'Discover Resources' and 'Import from Active Directory' pages when it was set to SSL has been identified and resolved.
  • From build 6010, connections launched via the HTTPS gateway server failed with a CSRF validation error for a few websites that use cookies for login. This issue has now been fixed.

Version 6.3 (Build-6300)

Major
21st June 2023

New Feature

Application Scaling using External PostgreSQL Cluster
To keep workflows continuous and uninterrupted as the user base, API workloads, user traffic, etc., grow day by day, PAM360 now offers an additional scalability function: users can use their external PostgreSQL cluster as the backend database.

Feature Highlights

  • Uninterrupted Access: We can add up to five servers to the database cluster, with one acting as the main node and others as subnodes. In case of main node downtime, any subnode can seamlessly be changed into a main node, ensuring uninterrupted service.
  • Improved Performance: Distribute data operations across configured subnodes, thus enhancing application performance and responsiveness.
  • Application Scaling Dashboard: Once configured, the Application Scaling dashboard displays detailed information about the nodes, including Host Name, DNS Name, Last Activity, Type, Status, and Active Sessions.
  • Node-based Audits: Perform audits specific to Application Scaling under the 'Audit' tab. The 'Resource Audit' and 'User Audit' sections display comprehensive audit trails for each configured node.

Enhancements

  • From now onwards, you can apply PPM to the Read-Only server(s) configured in your organization.
  • PAM360 now allows users to use SSL connection mode for remote password resets of domain accounts that are part of the "Windows Domain" resource type.
  • PAM360 now supports SHA-256 hashing algorithm for SAML Single Sign-On.
  • From this version of PAM360, users can generate the following query reports that are available under the Users, Resource Groups, and User Groups categories:
    1. Users without shared accounts
    2. Last login details of the users
    3. Resource groups with recent password changes
    4. User groups with shared accounts
    5. User groups with shared resources
    6. User groups with shared resource groups
  • PAM360 now supports remote connections using domain account for SSH based resources.

Upgrade

The JRE (Java Runtime Environment) used in PAM360 has been upgraded from version 1.8.0_252 to 1.8.0_372.

Bug Fixes

  • An issue was discovered in a Windows Domain environment that involved a secondary domain controller. During a period when the primary domain controller was offline, the password verification sync incorrectly indicated that the password was in sync, even though it was incorrect. This problem has been resolved.
  • We have fixed an issue where the displayed serial number of the IdP certificate on the SAML configuration page did not match the imported certificate.

Security Fixes

  • In this release, we have resolved a security vulnerability that allowed unauthorized users to access the resource details of other users' resource groups. This included information such as resource name, account name, resource type, etc. We have taken the necessary measures to fix this issue and ensure that unauthorized access is no longer possible.
    Note: This vulnerability did not pose a risk to passwords and sensitive data, as they remained secure and inaccessible to unauthorized users.
  • In this build, issues that allowed users the following unauthorized access have been found and fixed:
    • To view the connection settings of unshared accounts
    • To modify the connection settings of unshared accounts

Version 6.2 (Build-6210)

Minor
9th June 2023

Enhancement

Earlier, during bidirectional transfer of files through SFTP in PAM360, connections could be established through local accounts only. Hereafter, users can utilize the domain account or the logged-in account (AD/Azure AD) credentials to establish the connections. This enhancement paves the way for flexible and secure file transfers.

Version 6.2 (Build-6200)

Major
26th May 2023

New Features

  • Certificates Synchronization Status Check
    From now on, PAM360 allows you to perform regular checks on the synchronization status of SSL certificates deployed to multiple servers directly. Additionally, you can schedule the synchronization check and generate a 'Certificate Sync Status' report based on the results.
  • New Tools Category
    PAM360 now comes with a 'Tools' category that will allow users to independently perform certificate conversion, SSL/CSR parsing, and vulnerability scanning without adding certificates into the PAM360 repository.
    • Certificate Signing Requests (CSR) and SSL Parser - The parser tool allows users to upload certificates or their contents directly to the interface and sort the attributes into a readable format.
    • Certificate Format Converter - The converter tool supports one-click conversion for a wide range of certificate formats.
    • Scan Vulnerabilities - The scanner tool allows users to scan any domain for vulnerabilities by entering the domain name and port directly. Unlike the SSL Vulnerability scan, this tool checks for vulnerabilities in any domain, without adding the certificate to the repository.
  • Integration with AWS Certificate Manager
    PAM360 now supports integration with AWS Certificate Manager (ACM) - a trusted certificate authority and certificate manager. This integration enables users to request, acquire and deploy certificates from PAM360 to AWS ACM and renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued and managed by ACM directly from the PAM360 web interface.
  • Managing MSCA Certificates
    Users can now manage the entire lifecycle of MSCA certificates and perform operations such as discovery and renewal from one place. In addition, two new options, 'Revoke' and 'Delete' have been added to the MSCA tab.
  • PAM360 - Azure Key Vault Integration
    PAM360 now supports integration with Microsoft Azure Key Vault - an SSL certificate management service offered by Microsoft. Through this integration, users can request, renew, and manage the entire lifecycle of SSL/TLS certificates stored in the Azure Key Vault by importing them into the PAM360 repository.
  • Integration with Sectigo Certificate Manager
    PAM360 now integrates with Sectigo Certificate Manager - a PKI management platform built to manage SSL/TLS certificates, SSH keys, and other digital identities. The integration enables users to request, acquire, import, deploy, and renew certificates issued by Sectigo and automate the end-to-end lifecycle management of SSL/TLS certificates directly from the PAM360 web interface.
  • Importing Certificate Details
    Besides adding certificate objects in different formats, PAM360 now allows users to add certificate details into the PAM360 repository manually and manage them along with other certificate objects. This feature is beneficial when a user has the details of an SSL certificate that resides in a demilitarized zone and therefore, cannot be added to PAM360 as an object through discovery. In this case, users can create a CSV file with the specified certificate details and upload them to PAM360. Furthermore, users can also set up expiry notifications for certificate details.
  • Certificate Deployment to Citrix ADC Load Balancer
    Users will now be able to deploy SSL certificates to the Citrix ADC load balancer directly from the PAM360 interface. Users can add and manage multiple Citrix accounts and deploy certificates to them individually.

Note: If you are already using an SSL agent for SSH/SSL-related operations, it's required to reinstall the agent for these new integrations to work seamlessly.

Enhancements

  • From this build onwards, after certificate renewal, the expired certificate's details can be sent via email. Configure the required setting under 'Admin >> SSL Certificates >> Certificate Renewal'.
  • From now on, PAM360 will display the hosted SSL certificate's CommonName, Serial number, and SyncStatus with the managed servers and include them in the 'Deployed Servers' report.
  • From build 5800, scheduled tasks were performed only during the scheduled time. From build 6200, scheduled tasks can be performed anytime by using the 'Execute Now' button available under the 'Schedules' tab.
  • From build 6200, PAM360 allows you to check the SyncStatus using SSL Agent. For this to work, the SSL agent should also be updated to version 6200.
  • Earlier, certificates were managed based on their Serial Number. Now, certificates having the same common name and different serial numbers can be grouped by enabling it under 'Manage Certificate History' under 'Admin >> SSL Certificates >> Certificate History'.
  • From now on, the old certificate will be listed under 'Certificate History' after the certificate renewal.
  • From now on, PAM360 allows you to add additional properties to a CSR while signing with root by using the 'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties and add them to the new certificate. Examples of the Key Usage properties include Digital Signature, Decipher Only, Encipher Only, and Certificate Sign.
  • It is now possible to import PGP keys created using third-party tools.
  • Earlier, during certificate deployment using IIS Binding, users could deploy it to a single server or agent only. From now on, users will be able to deploy certificates to multiple servers as well.
  • Henceforth, users will be able to export the private key from the Microsoft Certificate store after certificate deployment.
  • From now on, besides deploying to the computer account, PAM360 allows you to deploy certificates to the Microsoft certificate store user account using the SSL agent. The latest version of the SSL agent should run in the user account to which the certificates are to be deployed.
  • 'Organization' and 'Organization Unit' have been added to the 'Column Chooser' on the 'SSL Certificates Report' page.
  • From now onwards, users can choose to exclude automatically renewed certificate(s) from email notifications.
  • Users can now bypass proxy server settings while performing Citrix Load Balancer certificate discovery using the 'Use REST API (By default PAM360 uses CLI commands for discovery and fetching certificates)' option available in the UI. Using this option, PAM360 can bypass the proxy server and directly perform online certificate discovery. This option is also available during scheduled certificate discovery.
  • PAM360 now provides an option to import issuer certificates into the repository and form a complete certificate chain. Users can store and export the complete certificate package in JKS, PKCS, and PEM formats.
  • In addition to server certificates, PAM360 now allows users to import client certificates from DigiCert and manage them in the PAM360 repository.
  • Users can now create a scheduled task for AWS certificate discovery.
  • PAM360 now comes with an option that mandates users to include 'Server Name Indication' while configuring and updating IIS Binding.
  • Users can now rediscover the expired and about-to-expire certificates from the 'Certificate Expiry' widget in the Keys Dashboard.
  • PAM360 will allow users to import the keys created using OpenSSL version 3.0 onwards.
  • Users can now import WebSphere certificates into the PAM360 repository.
  • PAM360 now allows users to group their certificates based on the 'Expiry Notifications Email' while creating a certificate group.
  • From now on, under Multiple Servers, the users will be able to reassign the Primary server from the list of available servers while attempting to delete the existing Primary server.
  • A new RestAPI to 'fetch PGP keys' has been added.
  • From now on, while configuring ServiceDesk Plus as the ticketing system in PAM360, users can retrieve pre-existing templates from ServiceDesk Plus and utilize them to create tickets that will be displayed in ServiceDesk Plus.
  • Henceforth, users will be able to associate columns from ServiceNow with the columns from the Certificates tab to add additional information to the tickets.
  • Earlier, DigiCert users were able to add only one API key to PAM360. Henceforward, they can add multiple API keys to PAM360.
  • Two new RestAPIs, 'To get Certificate in different file formats' and 'To Export an SSH Key in a specific Key Type', have been added.
  • PAM360 now supports file-based certificate discovery for the Microsoft Certificate Store. This feature allows you to import a text file with a select list of hostnames/IP addresses that are accessible to PAM360, using which the remote machines are scanned and certificates are discovered. After a successful discovery, PAM360 will consolidate the newly-discovered SSL certificates in its certificate repository. In addition, the scheduled discovery of Microsoft Certificate Store certificates now comes with two new options: discovery using IP range and via a text file.

Upgrade

The JavaScript framework jQuery used in PAM360 has now been updated to version 3.6.0.

Behavior Change

Users can now maintain the following certificates at a count of five in the PAM360's centralized SSL repository without affecting the available number of keys in the license:

  • Server certificates that are used to secure the communication of the PAM360 server
  • Certificates that are internally used in PAM360

Bug Fixes

  • Earlier, certificate order creation for GoDaddy's 100 UCC SAN SSL certificates was failing. This issue is fixed now.
  • In PAM360 build 5800, while importing SSL certificates from the GoDaddy portal, PAM360 failed to import some of the certificates. This issue has been fixed in this build.
  • Previously, when an MSCA certificate was discovered from a different domain, the 'MSCA' type certificate was changed to the type 'Domain', which caused the auto-renewal process to fail. This has now been fixed.
  • Previously, ServiceDesk Plus (SDP) ticket creation failed due to the API rate limit set by SDP. This has now been fixed.
  • Earlier, the root certificate-based signing failed if the 'SAN' field contained a wildcard. This issue has been fixed.
  • In PAM360 build 5800, while discovering certificates using MSCA, certificate discovery failed if the language of the templates was not English. This issue has been fixed in this build.
  • Previously, Load Balancer discovery failed when the certificates were discovered using the 'Discover certificate list' page. This has now been fixed.
  • In Linux installations, the certificate discovery failed while discovering certificates from Shared Path using the certificate list. This issue has been fixed.
  • Operator users were unable to view the details of the certificates that were part of a certificate group created using additional fields as the grouping criteria. This issue has been fixed.
  • Administrator users were unable to edit the value of additional fields for certificates that are a part of certificate group created using any criteria. This issue has been fixed.
  • Earlier, the users were unable to edit the wildcard certificate details after navigating to the Certificate Details page. This issue has been fixed.
  • Earlier, when a certificate that was part of a certificate group expired, the expiry notification email was sent to all groups in PAM360 instead of to only the groups to which the certificate belonged. This issue has been fixed.
  • Load Balancer discovery and Shared Path discovery did not work for some users. This issue has been fixed.
  • Bulk certificate sync with ServiceDesk Plus failed for some certificates. This issue has been fixed.
  • Previously, when users tried to add a new SSL certificate with the same common name as another certificate that was already available in PAM360, the new certificate was not added to the repository. This issue has now been fixed.
  • An issue that led the Aruba ATP and ASA Firewall password reset to fail has been found and fixed.
  • In build 6100, the auto logon operation performed using the generated ticket ID failed. This issue has now been fixed.

Security Fixes

  • A stored XSS vulnerability caused by HTML tags in certificate attributes during SSL certificate import, CSR import, and SSL and CSR parse operations has been fixed.
  • Path Traversal Vulnerability, Remote Code Execution (RCE), and SSL validation vulnerabilities have been found and fixed.

Version 6.1 (Build-6100)

Major
9th May 2023

New Feature

Policy-Based Access Privilege Using Zero Trust Approach
Introducing our Policy-Based Access Privilege feature - an advanced security model designed to minimize the risk of cyber-attacks and data breaches by eliminating the concept of trust. This is achieved by continuously and dynamically calculating the trust scores of users and resources using conditional and predefined parameters, with assistance from the respective installed agents. This decisive action ensures that only authorized users/devices have access to the critical privileged resources in an organization.

How Does this Feature Work in Real-Time?
This new feature allows administrators to implement policy-based access privileges based on the trust score methodology. It is achieved by installing user/resource agents on relevant devices, defining parameters and weightage values, and creating access policies for the respective user/resource group. Once configured, the access policies are associated with the respective resource groups via static resource groups. With this configuration in place, access privileges are granted to or withheld from users based on the configured access policy conditions and criteria.

Salient Feature Highlights

  • The feature provides a fine-grained layer of security through the use of access policies that are carefully crafted and derived to ensure that only authorized users can access your organization's resources, regardless of any evolving threats that may arise.
  • Access policies ensure that access is granted in an automated, policy-based manner, eliminating the need for manual intervention.
  • With this approach, one can maintain complete control over the organization's resources and minimize the risk of unauthorized access.

Read our help documentation to know more about this feature, configurations, and real-time scenarios in detail.

Bug Fixes

  • An issue that required the super administrator to raise a password request for a resource configured with access control, instead of allowing a direct connection from the Connections tab, has been found and fixed.
  • Previously, the accounts discovery failed in the resources added via the Linux agent. This issue has been fixed now.
    Note: The existing users with installed Linux agents should reinstall their agents to proceed with further account discovery.
  • Earlier, password resets were performed on the disabled resources imported via Active Directory. This issue has now been fixed.

Security Fixes

In this build, issues that allowed users the following unauthorized privileged access have been found and fixed:

  • Delete the IIS binding
  • Trigger a certificate discovery
  • Deploy the certificate groups
  • Rotate the unowned SSH keys in a key group
  • Create a schedule for SSH keys, etc.

Similar to the above fixes, we have fixed 16 such issues that led to unauthorized privileged access.

Version 6.0 (Build-6011)

Hotfix
19th April 2023

Bug Fixes

  • During the password access request for a Windows domain account configured with access control, irrespective of whether the access request was for 'All Resources' or a specific resource, access was granted only to the selected Windows domain resource and not to the domain member resources. This issue has been fixed now.
    Note: Password access requests raised for Windows domain accounts in 6010, though valid, cannot be used to take remote connections for the domain member resources. Users will have to re-request access to those accounts after upgrading to 6011.
  • The global search issue in build 6010 has been identified and fixed.

Version 6.0 (Build-6010)

Minor
7th April 2023

New Feature

HTTPS Gateway Server
We have introduced HTTPS Gateway Server, a feature that allows users to launch privileged HTTPS connections to internal and external websites that are not directly accessible from the end-user devices. PAM360 acts as an intermediary proxy and establishes connections with those devices.

The feature works by adding HTTPS-based web links to the resources configured under HTTPS Gateway in Auto Logon Helper. Once configured by the administrators, users can access those websites directly from the PAM360 interface via HTTPS Gateway connection, thus allowing organizations to provide secure privileged access to the internal or external web applications. The relevant details are captured under the Audit section.

See our documentation for more details about this feature and its configuration.

Enhancement

Security Notification
The PAM360 web console will display an in-product notification after each security release reminding the administrators to upgrade the product.

Version 6.0 (Build-6000)

Major
22nd March 2023

New Feature

Support for New Two-Factor Authenticators
We have introduced the following authentication services in PAM360:

  • Zoho OneAuth Authenticator - A comprehensive multi-factor authentication application that helps you secure your online accounts, thus enhancing your business security. It is available for download on multiple devices - iOS, Android, iPad, macOS, watchOS, and Windows platforms and can be installed at your convenience.
  • Oracle Authenticator - A multi-factor authentication application that provides an additional layer of security by prompting a second factor of authentication during login. The following devices support its download and installation: iOS 12.0+, Android 5.0+, smartphones, and tablet devices.

Enhancements

  • The PAM360 application user interface is now available in the following user languages - Russian, Italian, and Dutch.
  • Users can now reset their personal passphrases from the Personal tab. This action permanently removes all the stored passwords.
  • Previously, audits and reports reflected the IP address of the load balancer/proxy server through which the user requests were forwarded. Now, the new admin option - Remote Host Header makes it easier for organizations using load balancers or proxy servers to display the actual IP information of their users instead of the load balancers' or proxy servers'. This allows recording and keeping track of the exact user access details.
  • Hereafter, users can configure expiry notifications for Annual Maintenance & Support (AMS) license expiry.
  • It is now possible to manage application tokens for Azure applications.

MSP Edition

  • Henceforth, users can generate reports for client organizations individually under 'Admin >> Organizations >> Organizations'. The report spotlights the details of users/user groups with access to the selected organization.
  • In this version of PAM360, we have enhanced the access and approval process for the client organization. The 'Actions' menu under each organization in the list view now includes the following new options to manage user/user group organization access and user/user group organization access requests:
    • Manage User Organization Access
    • Manage User Group Organization Access
    • User Organization Access Requests
    • User Group Organization Access Requests

REST API

  • New RESTful APIs: This version of PAM360 comes with the following new set of REST APIs:
    • Generate and fetch agent key - Fetch the available agent key or generate and fetch the new agent key.
    • Fetch HA status - Fetch the status of the configured High Availability server.
    • Fetch all resource groups - Fetches all owned and shared resource groups of a user.
    • Password validator - Validates passwords based on the password policy.
    • Delete user group - Deletes user groups from specific organizations.
    • Remove a user from the user group - Removes a user from a user group in a specific organization.
  • Previously, the 'condition_*' parameter in the 'Create Dynamic Resource Groups' API accepted only the default attributes of a resource, such as RESOURCENAME, DNSNAME, LOGINNAME, etc. The custom field attributes will now be accepted alongside the default attributes in the 'condition_*' parameter.
  • Users can now enter custom field values in addition to the default values ACCOUNTNAME, PASSWORD, ACCOUNTPASSWORDPOLICY, and NOTES while creating accounts using the 'Create Accounts under a Specific Resource' API.
  • Users can now change all account parameters besides the default values ACCOUNTNAME, PASSWORD, ACCOUNTPASSWORDPOLICY, and NOTES while modifying accounts using the "Edit an Account under a Specific Resource" API.

Behavior Changes

  • From now on, PAM360 will support only the App-Only Access Token method to import/sync users from Azure AD, and the User Access Token method will not be available.
    Note: For the existing users, the User Access Token method will continue to work (without further import/sync) until Microsoft deprecates its API services.
  • User authentication-based password reset will no longer be applicable for Microsoft Azure resources. Henceforward, an Azure App and a privileged account will be required to perform remote password reset for those resources.
    Note: The existing users can reset their passwords using the user authentication method until Microsoft deprecates its API services.

Upgrade

This version of PAM360 comes with the upgraded third-party framework used for HTML5-based RDP and SSH gateway features.

Bug Fixes

  • Previously, when there were more than thirty-two thousand passwords in the export list, the export passwords as plain-text (.xlsx) requests failed. This issue has now been fixed.
  • Earlier in the MSP edition, the user had access to the client organization, even when the user was removed from the user group that mapped with a client organization. This issue has been fixed now.
  • An issue that allowed users to use the Clipboard option in remote sessions even when it was disabled under 'Connection Settings' has been fixed.
  • From build 5500 onwards, users could not view the Private Key Passphrase for the user accounts whose name contained special characters. This issue has now been fixed.
  • From build 5800 onwards, users could not download files using the Secure File Transfer method from Linux resources. This issue has now been fixed.
  • An issue that restricted users from taking remote connections using domain accounts from the Resources tab (for the resources with no local accounts) has been fixed.
  • From build 5900 onwards, during RDP sessions, an issue was encountered when users tried to copy files from remote machines to user machines, which resulted in session failure. We have fixed this issue in this version.
  • Previously, while creating Active Directory synchronization schedules, when the synchronization interval was set to 0, all existing schedules got deleted. This issue has now been fixed.

Security Fix

Prior to this version, the PAM360 agent communicated with the PAM360 server without validating the server's SSL certificate in the following respects, thus increasing the risk of external exploitation:

  • If the installed SSL certificate is still valid
  • If the SSL certificate is issued by a reliable CA
  • If the SSL certificate's name and the site's name are the same

From now on, the PAM360 agent will check if a valid SSL certificate is installed on the PAM360 server before initiating communication, thereby boosting security.
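The three checks listed above, shown as they appear in a generic TLS client. This is an added example using Python's standard `ssl` module, not PAM360 agent code; the function names are illustrative, and the numeric codes are OpenSSL's X509_V_ERR verify codes.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verify codes, grouped by the three checks in the note.
CHECK_BY_VERIFY_CODE = {
    9: "validity period",   # certificate is not yet valid
    10: "validity period",  # certificate has expired
    18: "trusted CA",       # self-signed leaf certificate
    19: "trusted CA",       # self-signed certificate in the chain
    20: "trusted CA",       # issuer not found in the local trust store
    62: "name match",       # certificate name does not match the host
}


def unverified_context():
    """Client settings matching the pre-fix description: encrypted, unchecked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Client settings with all three checks on.

    cafile is an optional PEM bundle, e.g. for an internal CA that signed
    the server certificate (assumption: such a bundle is available).
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def missing_checks(ctx):
    """Return which of the three checks a client context would skip."""
    missing = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Chain building and validity dates are both part of verification.
        missing += ["validity period", "trusted CA"]
    if not ctx.check_hostname:
        missing.append("name match")
    return missing


def failed_check(verify_code):
    """Map an OpenSSL verify code to the check that rejected the certificate."""
    return CHECK_BY_VERIFY_CODE.get(verify_code, "other (code %d)" % verify_code)


def probe(host, port, ctx, timeout=5.0):
    """Handshake with host:port; return None on success, else the failed check."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return failed_check(exc.verify_code)


if __name__ == "__main__":
    print("unverified client skips:", missing_checks(unverified_context()))
    print("verified client skips:  ", missing_checks(verified_context()))
```

Running `probe()` with the verified context against a server before upgrading agents shows which check its installed certificate would fail.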

Version 5.9 (Build-5951)

Hotfix
9th February 2023

Bug Fixes

  • In build 5950, Self-Service Privilege Elevation for Windows and Windows Domain did not work properly due to an invalid response from the PAM360 server. The issue has been fixed now.
  • An issue in build 5950 that allowed the Connection User role to count as an administrator, causing further restrictions on adding new administrators, has been fixed.

Version 5.9 (Build-5950)

Major
6th February 2023

New Feature

Self-Service Privilege Elevation for Linux
We are glad to introduce Self-Service Privilege Elevation (agent-based) for the Linux resources in PAM360. This feature allows administrators to configure privileged commands, thus allowing non-privileged users to execute them with an elevated privilege. The privileged commands can be associated with specific accounts and resources as configured by the administrator.

Feature Highlights:

  • Administrators with the 'Self-Service Privilege Elevation - Linux' role can configure a set of privileged commands for their owned and managed accounts and resources.
  • Non-privileged users can execute the privileged commands in the Linux endpoints without the need for a super user account such as root.
  • Provides adequate reports and audits that include:
    1. Accounts and resources with Self-Service Privilege Elevation
    2. Unauthorized execution of privileged commands

Key Benefits:

  • Provides greater control over the commands elevated and actions performed in the endpoints through the agent-based mechanism.
  • Assured intended execution of privileged commands by the non-privileged user without needing access to the privileged accounts.

Please go ahead and read our help documentation to know more about Self-Service Privilege Elevation capabilities in Linux.

Bug Fix

In build 5900, users could not launch remote connections to endpoints using the AD and Azure AD account credentials. This issue has now been fixed.

Security Fix

In build 5900, a stored XSS issue occurred via the commands added in command groups while accessing query reports. This issue has been fixed in this build.

Version 5.9 (Build-5900)

Major
30th January 2023

New Feature

SSH Command Control (Filtering)
We are delighted to announce SSH Command Control (Filtering) in the SSH-privileged remote sessions of PAM360. This feature allows administrators to configure authorized command sets for the end users to use in their SSH-privileged remote sessions. The command sets can be associated with specific accounts, resources, and resource groups that get delegated to end users.

Feature Highlights:

  • Ability for administrators to define fine-grained permissions by configuring a specific set of commands for selected users launching privileged SSH sessions to specific devices.
  • Well-designated command lists that can be associated with specific accounts, resources, and resource groups.
  • Users can execute only the authorized specific commands, regardless of the account capabilities of the logged-in account.
  • Similar to the remote app feature for Windows, which allows users to access only specific applications, this SSH command control feature will allow users to execute only the authorized set of commands.

Key Benefits:

  • Adequate control by administrators over the execution of commands by users on the remote SSH devices.
  • Controlled command executions to avoid unwanted privilege elevations.
  • Additional protection in SSH sessions on top of the accounts' specific permissions delegated to users.
  • Effective control over privileged activities carried out by users in servers via SSH remote sessions.

Excited to know more about configuring and using this feature? Please go ahead and read our help documentation.

Bug Fixes

  • Previously, when administrators performed password reset for domain accounts, in some customer environments, the passwords were updated in Active Directory but not in the PAM360 database. This issue has now been fixed.
  • From build 5500, if the option to execute 'pwdadm' command was enabled for resources of the IBM AIX resource type, then password reset failed for the accounts in the selected resource. This issue has been fixed.

Version 5.8 (Build-5810)

Minor
13th January 2023

Enhancement

PAM360 now supports OAuth 2.0 authentication for SMTP-based email communications using Microsoft Exchange Online to provide a secure channel for the outbound emails from PAM360. Users can configure Microsoft Exchange Online as the mail server through which PAM360 sends email notifications. During the setup, PAM360 verifies the connection with Microsoft Exchange Online using the Tenant ID, Client ID, and Client Secret value taken from the Microsoft Azure portal. This mechanism eliminates the need for users to provide account credentials to authenticate the notification emails. Users can choose Microsoft Exchange Online under 'Admin >> Settings >> Mail Server Settings' to activate OAuth 2.0 authentication for all emails sent from PAM360.

Version 5.8 (Build-5801)

Hotfix
28th December 2022

Security Fix

A SQL injection vulnerability (CVE-2022-47523) in our internal framework, which would have allowed all PAM360 users to access the backend database, has been addressed and fixed.

Version 5.8 (Build-5800)

Major
25th November 2022

New Features

  • Integration with a container platform: Kubernetes
    PAM360 now integrates with Kubernetes, an open-source container orchestration tool that facilitates software deployment automation and helps to scale and manage applications effectively. The integration is of great help to administrators in fetching, managing, and periodically rotating secrets obtained from multiple Kubernetes clusters via API responses. PAM360 records extensive audit trails for all operations performed on the secrets stored in the repository.
  • Integration with a new SIEM tool: Microsoft Sentinel
    In addition to the already available integrations with SIEM tools, such as Splunk, ManageEngine EventLog Analyzer, and Sumo Logic, PAM360 now integrates with Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution by Microsoft. PAM360 gathers detailed audit logs for the operations performed on resources and passwords, along with the user details in real-time. Through this integration, PAM360 sends detailed logs to Microsoft Sentinel syslogs, enabling users to view PAM360 audit trails from the Microsoft Sentinel interface.

Enhancements

  • Earlier, during SFTP file transfer, it was possible to download only a single file from a single directory path. From this build onwards, users can select multiple files from a single directory path and download them together as a compressed file.
  • This version of PAM360 comes with two new default query reports under the 'Resource Group' and 'User Group' categories:
    1. Static resource groups and their resources
    2. User groups and their users.

Upgrade

The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and bolster overall security.

Bug Fixes

  • From build 5510 onwards, during a remote MSSQL session, users were unable to switch the connection to a different database. This issue has been fixed now.
  • From build 5000 onwards, during file upload operation, PAM360 failed to delete the uploaded file that was temporarily stored in a temp folder within the PAM360 installation directory. This issue has been fixed.
  • From build 5510 onwards, users were unable to execute the Insert, Update, and Delete queries during a remote session launched to any SQL database. This issue has been fixed now.
  • Earlier, some email notifications sent to users did not contain the PAM360 login URL if their respective email templates had been edited in the PAM360 interface. This issue has been fixed.
  • Earlier, administrators could not integrate PAM360 with ServiceDesk Plus Cloud due to an internal upgrade. This issue has been fixed.
  • From build 5700 onwards, administrators could not save the edited email templates if the message contained a hyperlink tag. This issue has been fixed.

Version 5.7 (Build-5713)

Hotfix
07th November 2022

A third-party library has been upgraded in PAM360.

Version 5.7 (Build-5712)

Hotfix
27th October 2022

Some bug fixes and enhancements have been done.

Version 5.7 (Build-5711)

Hotfix
22nd October 2022

Upgrade

The Apache Commons Text jar has been upgraded from version 1.8 to 1.10.0.

Security Fixes

  • We identified SQL injection vulnerabilities (CVE-2022-43672, CVE-2022-43671) in the Resource Audit configuration page and password notifications for user groups that had occurred due to improper user input validation. These issues have been fixed.
  • Earlier, when users locally exported their personal data as PDF or XLS files from the Personal tab, copies of the exported files were stored in the PAM360 server. Due to this, anyone who had access to the server could view the exported copies of personal data. This issue has been fixed.

Bug Fix

Earlier, the Search function failed to work when multiple text filters were added. This issue has been fixed.

Behavior Change

PAM360 will no longer support the 32-bit and 64-bit versions of the C++ agent for Windows and Windows Domain systems or the C agent for Linux. The C and C++ agents will still be functional in the older versions of PAM360 past this date. However, we highly recommend using the C# agent for Windows and Windows Domain machines and the Go agent for Linux machines, as they come with additional features, such as password reset listeners, dynamic account filtering, and self-service privilege elevation in Windows. Refer to the forum post to learn more about the end of support announcement.

Version 5.7 (Build-5710)

Minor
1st October 2022

Enhancements

  • PAM360 will now display the list of agents mapped to the resources under 'Admin >> PAM360 Agents >> Manage Agents'. Resource owners can view, associate, disassociate, and delete their respective agents from the 'Manage Agents' page. Also, if an existing resource is deleted accidentally, the administrator can remap an agent to the resource with the same DNS name as the agent.
  • Earlier, PAM360 allowed administrators to execute scripts after a password reset in agentless mode only. Now, administrators can execute scripts both with and without the agent, before and after the password reset. Also, administrators can use the pre or post-password reset action in agent mode to run the scripts using the agent in the agent-installed resource. The existing password reset listeners will be called the Agentless Post Password Reset Listeners.

Bug Fixes

  • From build 5500, while modifying domain details in the Active Directory Synchronization schedule, when a resource name with a special character was selected, the 'Domain Details' window failed to load. This issue has been fixed.
  • In MSP org, the users imported through AD sync to user groups, managing client org(s), were not replicated to the client org(s). This issue has been fixed.
  • From build 5600, users could not export resources and resource groups as Encrypted HTML from the Resources and Groups tabs. This issue has been fixed.

Version 5.7 (Build-5700)

Major
19th September 2022

New Feature

To provide uninterrupted access to passwords, we have introduced another functionality: the Read-Only (RO) server for the PostgreSQL database. Unlike High Availability, where there is one Primary server and one Secondary server, multiple Read-Only servers can be configured. The Read-Only servers function as mirror servers, synchronizing all of the Primary server's operations. In the event of a Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server. Read-Only servers can be configured from 'Admin >> Configurations >> Read-Only Server'.

Version 5.6 (Build-5600)

Major
11th September 2022

New Feature

PAM360 Remote Connect - a Native Desktop Client for Remote Access
Introducing PAM360 Remote Connect—an independent desktop client for Windows, designed to facilitate direct remote access to Windows and SSH-based target resources without the need for multiple remote clients or web browsers. PAM360 Remote Connect harnesses the ability of Windows' native Remote Desktop client and the SSH Putty client to launch RDP and SSH-based connections from a centralized console. The lightweight desktop client directly leverages the PAM360 web application's privilege access governance to regulate remote access to the critical assets in your environment. It offers enhanced ease of use and a superior user experience with its faster and smoother RDP and SSH-based remote connections. Besides, it has auditing capabilities—the session audit trails are recorded in PAM360's web application. PAM360 Remote Connect is compatible with PAM360 build 5600 and above. To learn more and to download PAM360 Remote Connect, click here.

Bug Fixes

From build 5500 onwards, administrators were unable to delete a user profile if the user had created any type of resource discovery task. Also, if the user owned a discovery schedule, administrators were unable to transfer the schedule ownership to another user from 'Discovery >> Schedule.'

Security Fix

We identified several SQL injection vulnerabilities in the Search and Resource Group export operations that were caused by improper user input validation. These issues have been fixed.

Version 5.5 (Build-5550)

Minor
27th August 2022

Enhancement

Integration with Entrust nShield Hardware Security Module (HSM)
PAM360 now offers a new data encryption method—Entrust nShield HSM. Through this integration, users can switch from PAM360's native encryption method to Entrust nShield's hardware-based data encryption for the privileged identities and the personal passwords stored in PAM360. Users can secure their data encryption key within the HSM to safeguard it locally in their environment.

Bug Fixes

  • From build 5510 onwards, super admin users were unable to view the list of domain accounts displayed in the 'Other Domain Accounts' section under the Connections tab. This issue has been fixed.
  • From build 5400 onwards, password administrators were unable to view the user group details window while sharing a resource to a user group from the Resources tab. This issue has been fixed.
  • Earlier, the Analytics Plus integration had failed to work due to a communication issue between the PAM360 and Analytics Plus servers. This issue has been fixed.

Version 5.5 (Build-5540)

Minor
18th August 2022

Enhancements

  • We have fully enriched the Application Scaling dashboard to provide brief insights on the nodes. Earlier, the dashboard displayed only the basic information about the nodes, such as the host name, type, and product version. Henceforth, the dashboard will display additional insights, such as the DNS Name, Last Activity, Status, and Active Sessions alongside each node. Users can enable/disable the sub-nodes from the dashboard, and also restore the deleted sub-nodes from the dashboard using the main node.
  • From now on, PAM360 will display node-based audits for Application Scaling under the 'Audit' tab. The 'Resource Audit' and 'User Audit' sections of the Audit tab will display individual columns with the detailed audit trails for the main node and each sub-node.
  • Henceforward, users with the custom role having the 'Reset Two-Factor Authentication' permission will be able to reset Two-Factor Authentication for other users.

Version 5.5 (Build-5530)

Minor
11th August 2022

New Feature

Folders
We have introduced a new feature, Folders, which allows users to organize the resource accounts stored in PAM360 under various custom folders. The 'Folders' option is available for the Resources and Connections tabs. Administrators can enable or disable the 'Folders' option from 'Admin >> Settings >> General Settings >> Miscellaneous'. Organizing accounts based on personal preferences allows users to manage them effortlessly.

Bug Fix

In Linux, when users tried to discover accounts using a root user account when direct login access is disabled, the account discovery failed. This issue has been fixed.

Version 5.5 (Build-5520)

Minor
22nd July 2022

New Feature

Integrating with a new Ticketing System: BMC Helix Remedyforce
PAM360 now integrates with the BMC Helix Remedyforce. This integration ensures automatic validation of service requests related to privileged access. Through this integration, administrators can mandate users to provide valid ticket IDs to gain authorized access to privileged passwords. The integration helps in granting approvals to access requests through automatic validation of the corresponding service requests in the ticketing system.

Enhancement

Two new fields - PAM360 User Full Name and PAM360 User Email Id have been added to the 'Column Name' drop-down under 'Ticketing System >> Advanced configurations'. This will allow administrators to configure the ticketing system to validate tickets based on User Full Name and Email Id.

Behavior Change

  • The authentication mechanism of the Jira Service Desk has been updated from the older Authtoken-based method to OAuth 2.0.
    Note: If your current ticketing system is Jira Service Desk, this upgrade pack will disable the integration and delete the entire integration data. As a result, you will have to reconfigure the ticketing system. We recommend you save a copy of the advanced configuration details as screenshots for future reference.
  • Microsoft NTLM Single Sign-on (SSO) will no longer be supported by PAM360 because we are formally ending support for it. Although NTLM SSO might have functioned in earlier versions of PAM360, we recommend switching to other authentication methods, such as SAML SSO, that we will continue to support.

Bug Fix

From build 5500, elevation of applications using Self-Service Privilege Elevation failed due to an invalid response from the PAM360 server. The issue has been fixed.

Version 5.5 (Build-5510)

Minor
23rd June 2022

Enhancements

The Connection tab comes with the following improvements:

  • The Connection tab now offers a user-specific view that displays the Local and Domain accounts shared with the users under two separate tabs to improve usability.
  • Henceforth, the option to log into remote resources via the user's current AD/Azure AD/LDAP credentials will be accessible directly from the Connection tab.
  • Hereafter, like Local accounts, Domain accounts will also be equipped with multiple logon options for the applicable resource types.

Security Fixes

  • An authentication bypass vulnerability (CVE-2022-35404) that allowed an adversary to create arbitrary directories and plenty of small-sized files in the PAM360 server has been fixed.
  • A remote code execution vulnerability (CVE-2022-35405) that allowed an adversary to exploit the host via XML-RPC has been fixed.

Version 5.5 (Build-5500)

Major
13th June 2022

New Feature

PAM360 now supports creating schedules for automatically discovering new privileged accounts during Linux, Network Devices, and VMware discovery.

Enhancements

  • Earlier, users could configure SAML only for the Primary server. From now on, the users can configure SAML for the Secondary server also and access it when the Primary server is down/unavailable.
  • The Dropbox SDK has been updated from 3.0.3 to 5.0.0, and a short-lived access token will be utilized from now on.
  • We have enhanced our security checks against Path Traversal, Local File Inclusion, Stored XSS, Reflected XSS, and DOM XSS vulnerabilities.
  • PAM360 now communicates with agents using TLS 1.2 protocol, in addition to TLS 1.1 protocol.
  • New Query Reports:
    • The new query report 'Personal Passwords Encryption' shows the encryption type of personal passwords and lets admins and admin privileged users know the encryption type (PAM360 key, Own key with storage, Own key without storage) used by different users.
    • The new query report 'All Admin Users', in addition to the administrator user details, holds the details of custom user roles with administrator privileges.

Bug Fix

From build 5400, administrators were unable to import users through AD. The issue has been fixed.

Version 5.4 (Build-5401)

Hotfix
15th April 2022

Security Fix

An authentication bypass vulnerability (CVE-2022-29081) affecting ManageEngine PAM360 builds from 4001 to 5400 has been fixed. It occurred due to an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:

  1. Restart the service.
  2. Apply server certificates.
  3. Access the dashboard details.
  4. Get existing license details.
  5. Apply new license to the product.
  6. Fetch event logs.
  7. Set up synchronization schedules.
  8. Create new server certificates.
  9. Create and download server CSR.
  10. Terminate RDP sessions initiated via the ManageEngine ServiceDesk Plus integration in the product.

Version 5.4 (Build-5400)

Major
4th April 2022

Enhancements

  • To validate the authenticity of the upgrade pack downloaded from our website, we have implemented a patch integrity verification, which will henceforth require importing an SSL certificate (available as a downloadable file) whenever the product is upgraded using the PPM file. It is only a one-time operation.
  • From now on, PAM360 administrators can add filtered domain or service accounts into Windows Domain resources using the Windows Domain agent. Account filtering is achieved through regex patterns. For example, if you have a few service accounts in the AD with the name "sqlservice," the regex pattern of this account can be provided in the format: '*^sqlservice.' This operation will filter and import only the accounts with the name "sqlservice" into PAM360.
  • Henceforth, if an administrator restricts the users from setting up the encryption passphrase for their personal passwords (under 'Admin >> General Settings'), the users can set up an 'encryption key' for their personal passwords from the 'Personal' tab. They can also choose whether to store the encryption key, not store it, or use PAM360's encryption key.
  • It is now possible to move the REST API users to the client, wherein the REST API users can manage resources and accounts in all client organizations with complete access. Please note that this feature is applicable only for the MSP edition.
  • The six system-created audit schedules - 'Resource Audit Purge Schedule', 'Resource Audit Digest Schedule', 'UserAudit Purge Schedule', 'UserAudit Digest Schedule', 'TaskAudit Purge Schedule', and 'TaskAudit Digest Schedule' have been merged into a single schedule - 'Audit Purge and Digest' Schedule.
  • The system-created scheduled task 'Audit Update Schedule' has been renamed as 'Dashboard Chart Activity Schedule'. It is available under 'Admin >> Manage >> Scheduled Tasks.'
  • Previously, when the 'Purge Audit Records' option was enabled, all the audit records older than the specified number of days were purged. From build 5400 onwards, users can choose to retain or delete audit records based on the operation type.
  • From now on, MSP admins will be able to replicate audit operation type settings and audit purge settings across all client organizations.
  • This release comes with a new set of RESTAPI functionalities as listed below:
    1. Associate a resource to a resource group.
    2. Dissociate a resource from a resource group.
    3. Fetch resource groups associated with a resource.
    4. Delete a resource group.
    5. Fetch ResourceGroupID.
    6. Reset Two-Factor Authentication.
  • The database password for the HA setup, previously stored as plain text in the 'pmp_rr.conf' file, is now stored in an encrypted format.
  • From now on, users can choose to disable the display of security-related notifications within the product. This can be done by administrators in the PAM360 interface under 'Admin >> General Settings.'
  • While creating a custom report, users can now choose 'Previous Month' as a duration from which PAM360 must collect audit records.
  • Earlier, in the Download File API, Resource ID and Account ID were passed as parameters via the URL. From now on, they can be passed in the input data.
  • From this version onwards, DISABLEPASSWORDRESET can be added as a parameter in the 'Edit Account' API to disable the password reset option for accounts.
  • From PAM360 build 5400 onwards, for additional security during self-service privilege elevation, the added applications/files will be verified using SHA256SUM.
    Also, we have separated the list of applications/files allowed for self-service privilege elevation under 'Admin >> Manage >> Allowed Apps/Scripts'.

Upgrades

  • The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and improve overall security.
  • The bundled PostgreSQL server has been upgraded from version 9.5.21 to 10.18.
  • The Apache Tomcat server has been upgraded from version 8.5.32 to 9.0.54.
  • The Rubyrep tool used for PostgreSQL replication has been upgraded from version 1.2.0 to 2.0.1.
  • The Java platform used by PAM360 has now migrated from Oracle to the OpenJDK platform version 1.8.0_252.
  • In addition to supporting the JTDS JDBC driver to connect to the SQL server, PAM360 now supports the Microsoft JDBC driver, version 8.4.1.
  • Apache Log4j has been upgraded to the latest version 2.17.2.

Bug Fixes

  • From build 5200, when proxy server configuration was enabled, users using the latest version of Duo TFA experienced a premature authentication time-out during the second-factor authentication. This issue has been fixed.
  • Earlier, users were unable to import empty user groups as both main and subgroups from the Active Directory (AD) and add AD sync schedules. This issue has been fixed.
  • Earlier, during an active RDP session, when a user tried to drag and move the Ctrl+Alt+Del button within the RDP window, the Ctrl+Alt+Del command was executed. This issue has been fixed.
  • Earlier, when file transfer during an RDP session was disabled, the folder drag arrow was visible in the RDP session window. This issue has been fixed now.
  • Earlier, when a resource or an account was shared with a user, their username was printed as N/A in the syslog records. From now on, the syslog records will include the username of the user with whom the account or resource has been shared.
  • Earlier, Azure AD users were unable to change the interface language when choosing Japanese as the default user language. This issue has been fixed.
  • Earlier, users were unable to perform key rotation in the MSSQL database when the database backup path was set to any location other than the default backup location. This issue has been fixed.
  • Earlier, a copy of the MSSQL database backup got saved in the default backup location, in addition to the backup file saved in the folder path specified by the user. This issue has been fixed.
  • From build 5306, the 'Record SSH/Telnet Sessions' checkbox was not available for the 'Windows Domain' sync type. This issue has been fixed now.
  • From build 5306, the 'SSH Port For Auto Logon' option was not visible in the 'Edit Resource' wizard for Network resource types such as Fortigate, VMware Vcenter, and Brocade. This issue has been fixed now.
  • From build 5306, when the 'Windows Remote Desktop' option was disabled under 'Auto Logon Helper' for a particular resource type, the 'Record RDP Sessions' checkbox did not appear in the 'Add/Edit Account' wizard even when the 'RDP Console Session' option was enabled for that resource type. This issue has been fixed.

Behavior Change

The API handling code which earlier responded to the V1 API format of ServiceDesk Plus MSP will henceforth respond to their V3 API format.

Version 5.3 (Build-5306)

Minor
11th February 2022

New Feature

Integration with the Cortex XSOAR RPA Tool
ManageEngine PAM360 integrates with Cortex XSOAR, a Robotic Process Automation (RPA) tool that allows users to build standardized responses through commands to facilitate the automation of software processes. PAM360 provides various commands that cover a wide range of automation tasks to perform operations, such as creating resources and accounts, fetching passwords, updating resource and account details, wherein the commands can be combined to create a complete endpoint management workflow.

Version 5.3 (Build-5305)

Minor
13th January 2022

Enhancements

  • Earlier, PAM360 did not have any approval process for VNC passwords. Hereafter, PAM360 will allow validations, such as Access Control and Helpdesk for VNC passwords.
  • From build 5305, the PAM360 administrators can modify the messages in access control workflow dialogues using message templates.
  • Earlier, users could auto-logon to resources using the logged-in AD account alone. From now on, auto-logon is possible through the logged-in Azure AD user accounts as well.

Behavior Change

Before the upgrade, if the 'Autofill' option was enabled in the user's browser, there was a chance that browser data would get auto-populated in the 'VNC Passwords' field. Now, with the 5305 upgrade, all the VNC resource passwords will be added to an account called '_VNCACCOUNT_' under their respective resources.

Attention: When the users take VNC connections directly from the '_VNCACCOUNT_' of the relevant resources, with the autofill option enabled in the user's browser, the VNC passwords of the resources may be visible to users along with their shared resources. So, we strongly recommend you verify the VNC passwords field in Windows resources before upgrading to this build.

 

Version 5.3 (Build-5304)

Minor
29th December 2021

Feature

Self-Service Privilege Elevation
Using the Self-Service Privilege Elevation feature, an administrator can allow a user to run a specific application(s) with elevated privileges without sharing the privileged account passwords. With this feature, it is possible to perform administrative functions on an endpoint without the need for the administrators to share the account passwords. The passwordless strategy used to run applications with elevated account privileges assures that only the intended administrative tasks are performed by a user without entering administrator credentials.

Enhancements

  • MFA Reset Option for Privileged Administrators
    From build 5304, administrators can reset Multi-Factor Authentication (MFA) and also provide access to other users to reset MFA.
  • SAML Single Logout
    PAM360 now supports SAML Single Logout that allows automatic logout of all related sessions established during SSO once the user logs out from a single SSO session.

Security Fix

A SQL injection vulnerability that allowed users to access the restricted tables in 'Query Reports' has been fixed.

Version 5.3 (Build-5303)

Minor
4th December 2021

Security Fix

An authentication bypass vulnerability (CVE-2021-44525) that allows an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to 4202.

Version 5.3 (Build-5302)

Minor
24th November 2021

Enhancement

Administrators can now enable and set up a customizable welcome message once a session commences. In addition, they can enable the session recording status in the session window.

Version 5.3 (Build-5301)

Minor
12th October 2021

Enhancement

New Agents
This release comes with two new agents: the C# agent for Windows/Windows Domain and the Go agent for Linux. Henceforth, it will be possible to use regex patterns to restrict the user accounts that are added via agents (the new agents only) during account discovery.

Bug Fixes

  • Earlier, it was possible to set the agent key validity up to 24 hours only. From now on, one can set the agent key validity up to 999 hours.
  • Previously, multiple agent discovery was prevented by Windows Firewall settings. This issue has been fixed now.
  • Earlier, while choosing the database, lengthy database connection names were not fully visible in the UI. This issue has now been fixed by adding a tooltip with the full database name.
  • From build 5200, users imported via AD were unable to log in to PAM360 using local authentication. This issue has been fixed.
  • Earlier, operations such as account creation and placing certificate requests performed through 'Let's Encrypt CA' failed. This issue has been fixed.
  • The password generator in the 'Create Certificate / Create CSR' wizards failed to generate a new password if 'strong password policy' was removed from 'Admin >> Password policies'. This issue has been fixed now.

Version 5.3 (Build-5300)

Major
3rd September 2021

New Features

  • On-Demand Renewal of Certificates
    A 'Renew' option has been newly added under 'Certificates >> Certificates' that allows users to initiate the renewal of Self Signed, Root Signed, Microsoft CA Signed, and Agent-signed certificates, and also the certificates issued by third-party CAs. The renewed certificates will automatically inherit the deployed servers and their credentials.
  • Certificate Discovery from UNC Shared Path for Windows, Linux, and Mac OS
    PAM360 now supports SSL certificate discovery from UNC (Universal Naming Convention) shared paths for Windows, Linux, and Mac OS machines. This feature allows users to discover SSL certificates stored in a folder path within a server, accessible by PAM360. After the discovery, PAM360 will consolidate the newly-discovered SSL certificates in its certificate repository. This option is also available during scheduled certificate discovery.
  • Certificate Discovery in DMZ Machines using the KMP Agent
    It is now possible to discover the SSL certificates from directories in remote machines that are not directly accessible by PAM360—all through the KMP Agent. This option is also available during scheduled certificate discovery.
  • Browser Deployment of Certificates
    From now on, deploying SSL certificates in browsers is possible from PAM360 for the following server types: Windows, Linux, and MacOS.
  • SSH Key Association using "Elevate to root user" Option
    The new "Elevate to root user" option allows restricting users from directly accessing root users by disabling the root user login as a security measure. Enabling this option elevates a user login from a non-root user to a root user and associates keys to all other users on the server.
  • New REST API
    The new REST API 'Deploy Certificate' has been added.
  • SSL Certificate Rediscovery
    PAM360 now allows users to rediscover SSL certificates from the same source using the server details entered during the previous discovery operation.
  • Integration with Buypass Go SSL and ZeroSSL
    PAM360 now integrates with Buypass Go SSL and ZeroSSL, two certificate authorities that use the Automatic Certificate Management Environment (ACME) protocol to provide free, secure SSL certificates. Users can now request, acquire, create, deploy, renew, and automate the end-to-end management of SSL/TLS certificates issued by Buypass Go SSL and ZeroSSL, all directly from the PAM360 web interface.
  • Integration with ManageEngine Mobile Device Manager (MDM) Plus
    PAM360 now integrates with ManageEngine Mobile Device Manager (MDM) Plus to discover and deploy SSL certificates to and from the mobile devices managed by your MDM server, all using ManageEngine MDM APIs. PAM360 then lets you filter the discovered SSL certificates based on the OS type such as iOS, Android, Windows, Chrome OS, Mac OS, and Apple tvOS. It is also possible to export reports of the MDM certificates managed in the PAM360 repository within a selected period. Additionally, you can schedule periodic generation of MDM certificate reports.
  • PAM360 allows you to globally modify the access level of the shared certificates.
  • New REST APIs have been added: 'Share SSL Certificate to User', 'Share SSL Certificate to User Group', 'Share SSL Certificate Group to User', 'Share SSL Certificate Group to User Group', 'Revoke SSL Certificate from User', 'Revoke SSL Certificate from User Group', 'Revoke SSL Certificate Group from User', 'Revoke SSL Certificate Group from User Group', 'Create SSL Certificate Group', 'Delete SSL Certificate Group', 'Edit SSL Certificate Group', and 'Generate an Agent Install Key'.

Enhancements

  • MSCA Discovery with KMP Agent using Multiple Templates
    Users can now select up to five certificate templates while performing agent-based certificate discovery of local CA certificates. Before using this enhancement, please ensure the KMP Agent is upgraded to version 5300.
  • Search-Enabled Custom Columns
    From build 5300 onwards, PAM360 allows you to search within custom columns for SSL Certificates and SSH keys.
  • Multiple Servers List
    Now you can include multiple servers for certificates in SSL certificate expiry notifications.
  • GoDaddy Certificates Import
    From now on, users can directly import the existing certificates from their GoDaddy account into the PAM360 repository.
  • Local Disassociation of Keys
    It is now possible to dissociate keys locally if remote dissociation fails for users whose access has been discontinued.
  • APIs - Serial Number as the Mandatory Field
    The Serial Number field, which was earlier optional in the following APIs, has now been made mandatory: To get a certificate, To get certificate keystore, and To delete a certificate.
  • Serial Number in the getCertificateDetails REST API
    In the getCertificateDetails REST API, Serial Number has been added as an optional field; filling it fetches the details of that particular certificate alone.
  • Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under 'Certificates >> Certificates >> Windows Agents'.
  • Now, users can discover certificates issued by a particular Microsoft Certificate Authority just by entering the MSCA name in the text box provided, during discovery. Remember, this additional option will be available for PAM360 installations in Windows server machines only.
  • Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
  • Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Admin >> SSH/SSL Config >> Notification Settings' will be applied to the emails sent via email addresses in the additional fields as well.
  • PAM360 now supports scheduled SSL discovery and MS Certificate Store Discovery tasks with the KMP agent.
  • Previously, the certificates due for expiry in 10 days or less got automatically renewed. Now, users will be able to customize the number of days to auto-renew the certificates before they expire.
  • From now on, during CSR signing of SSL certificates using the KMP agent, it is possible to specify the Agent timeout value, in seconds.
  • Henceforth, users will be able to select specific Certificates or Certificate Groups while generating the 'SSL Certificates Report' Schedule type (under 'Admin >> SSH/SSL Config >> Schedules >> Add Schedule').
  • Users will now be able to add and edit the deployed servers list under 'Certificates >> Certificates >> Multiple Servers (icon)'. Newly added servers will be mapped with the latest certificate version in the certificate repository.
  • PAM360 now supports IP range discovery for MS Certificate store discovery ('Certificates >> Discovery >> MS Certificate Store') using the PMP service with the domain Admin account. This allows administrators to discover certificates across networks.
  • PAM360 now supports 'Load Balancer' Certificates discovery for Citrix devices. From build 5300 onwards, PAM360 also supports scheduled certificate discovery from Linux-based load balancers such as BIG-IP F5, Nginx, and Citrix.
  • Certificates and CSR generation pages have been enhanced with the Random Password generation feature.
  • Users can now select up to five certificate templates while performing template-based SSL certificate discovery.
  • Users can now bypass proxy server settings while performing SSL certificate discovery. If this option is selected, PAM360 will bypass the proxy server and directly perform online certificate discovery. This option is also available during scheduled certificate discovery.
  • Earlier, after certificate renewal, users had to deploy MSCA/self-signed certificates manually. Now, it is possible to deploy these certificates automatically if the user credentials are available.
  • Users will now be able to choose the 'Certificate type' [CER/DER/P7B/CRT] and 'Keystore type' [JKS/PKCS/PEM/KEY] while deploying certificates to Windows and Linux machines and while exporting certificates.
  • Now, it is possible to renew MSCA type certificates with a new private key if a private key is not already available.
  • Support for ClouDNS to complete domain control validation while acquiring certificates from public Certificate Authorities.
  • Support for AES256-encrypted PKCS12 Keystores while adding certificate Keystores.
  • Henceforth, the SSL certificates can be manually mapped with the deployed servers list to any server directly from 'Certificates >> Certificates >> More >> Add Deployed Server'.
  • From now on, certificates/CSRs/certificate groups will have an email field to which the SSL expiry email notifications can be sent, where the expiry notification email address can be provided while creating the Certificate and CSR.
  • A new option, 'Deploy to Microsoft certificate store user account', has been added, which facilitates the deployment of the Microsoft Store deployed certificates to the respective user accounts, besides deploying to the computer accounts.
  • The SSL Certificate Expiry notification, set up under 'Admin >> SSH/SSL Config >> Notifications Settings >> Expiry', will now include Issuer, FingerPrint, and Serial Number fields in the Certificate Expiry email.
  • From build 5300, the 'Certificates Audits' tab will be available under the 'Audits' tab, where all the certificate audits related to all the users will be displayed.
  • New REST APIs 'Get Password Policies' and 'Get Resource Types' have been added.

Behavior Change

From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab. However, the existing users can manage their already added certificates from the History section, which has now been moved under the 'Column Chooser'.

Bug Fixes

  • The KMP agent got duplicated when re-installed from a different IP address. This issue has been fixed.
  • The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
  • The issue in MSCA auto-renewal with the EC key has been fixed.
  • Get Templates issues that existed with the non-English languages have been fixed.
  • Under 'Admin >> SSL Certificates >> IIS Binding', binding list retrieval failed for bindings with a protocol other than HTTP/HTTPS. This issue has been fixed.
  • Earlier, during DigiCert import, PAM360 failed to import client/personal certificates into PAM360. This issue is now fixed.
  • Earlier, the date format had the month as a part of the value, due to which sorting did not work. Now, this issue has been resolved by modifying the date format in the CSV file to be the standard date format.
  • Earlier, while discovering certificates using a load balancer, there were problems with commands other than the standard Linux commands. This issue has been fixed.
  • Get templates issue has been fixed for CA name-based fetch.
  • Previously, the proxy configuration was not supported in GlobalSign integration, due to which users with proxy were unable to use the integration. This issue has been fixed now.
  • Earlier, it was possible to add or modify IISBinding only by giving the 'hostname'. This issue has been fixed, and now 'hostname' is not mandatory to create or update IISBinding.
  • Earlier, MSCA templates showed the OID instead of the template name. This issue is fixed.
  • During SSL discovery, discovery from servers with mutual authentication failed. This issue has been fixed now.
  • MSCA discovery, when carried out using an agent without any filter, failed. This issue is fixed now.
  • There was an issue in exporting the certificates as password-protected zips when password protection for exports was enabled under 'Privacy Settings'. This issue has been fixed now.
  • There was a failure in Linux deployment from the ServiceDesk Plus request. This issue has been fixed now.
  • Earlier, when the custom settings option 'View Support Information' was enabled for a custom user role, the users with that role were unable to access the 'Support' option from the profile drop-down. This issue is fixed now.
  • Earlier, when a new category was created from the 'Personal' tab with an existing category name, the product did not display an error message. This issue is fixed now.
  • Earlier, if the category name seen from the 'Personal' tab contained the special character '&', the category details were not shown in the display area. This issue is fixed now.
  • Earlier, when a new resource was created using the 'Create Resource' API, and the 'Resource URL' field was left blank, users could not edit the resource attributes in the PAM360 UI. This issue is fixed.

Security Fixes

  • An XSS vulnerability (ZVE-2021-0956) that occurred during Load Balancer discovery has been fixed.
  • A SQL injection vulnerability identified in the PostgreSQL password reset functionality is fixed.
  • A path traversal vulnerability identified in the role report section is fixed by adding proper validation steps for the download file path of the report.
  • Earlier, users could reopen a closed remote SSH session window from the browser history page and reinitiate the remote connection without being asked for the password of the resource again. This issue is fixed.

Version 5.2 (Build-5200)

Major
19th July 2021

Enhancements

  • Password Reset - From Multiple Wizards
    Users will hereafter be able to reset passwords, both individually and in bulk, from the following wizards under 'Resources >> Password Explorer >> Admin Actions': Expired Passwords, Conflicting Passwords, and Policy Violations.
  • SAML SSO configuration for Client organizations
    The SAML SSO configuration, which was earlier available for MSP organizations alone, is now available for Client organizations as well, thereby allowing client organizations to build their own SAML setups.
  • New Authentication mode of Azure AD user import
    Previously, during the 'User Access Token' method of Azure AD user import, the 'OAuth' token could not be fetched when TFA was enabled. As a resolution to this, we have introduced a new Authentication mode of Azure AD user import - 'App-Only Access Token'.
  • Enhanced Password Policy
    The existing password policy has been enhanced by introducing new constraints and additional features, such as improved default attributes for Strong and Medium password policies, the introduction of password limit, the addition of new attributes, such as password similarity and sequences, the ability for Admins to add and manage up to 5 dictionaries, Dictionary word check, Obvious Substitution (LEET) word check, Password Strength Meter, Sample Password Generator, New Password Generator, etc. These would be of great help to administrators in setting highly secure password policies.
  • Access Control & Domain Account Restrictions
    Earlier, a user with access to a domain account could log in to any resource shared with them using the domain account. Henceforth, Domain account restrictions can be implemented for target resources, i.e., Windows domain account users can be granted access to specific resources alone, which they originally want to access, instead of all resources shared with them. Also, please note, from this release, we have blocked the Password Request API for domain accounts alone.
  • Portuguese Language Support
    PAM360 is now available in the Portuguese language.
  • Duo-TFA SDK Update
    The third-party Two-Factor Authentication software Duo Security is now upgraded from v2 to v4. Once PAM360 is upgraded to build 5200, the Duo Security update will be applied automatically to the existing integration.
  • Additional Query Reports
    Two new default query reports for users having access to the browser extension and users who don't have access to the browser extension have been added.
  • New Resource Type
    A resource type, Cisco Nexus OS, has been introduced in this release.

Behavior Changes

  • The API handling code which earlier responded to the V1 API format of ServiceDesk Plus On-Premises and ServiceDesk Plus Cloud will henceforth respond to their V3 API format.
  • The Authentication mechanism of ServiceDesk Plus Cloud has been updated from the older Authtoken based method to OAuth 2.0. Additionally, hereafter, the entries in the ticketing system columns can be validated against the entries in PAM360 to check for any inconsistencies. Earlier, it was possible to check the entries in PAM360 only.

Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete the complete integration data. You will have to reconfigure the ticketing system again. So, make sure you save a backup of the advanced configurations in the form of screenshots for reference.

Bug Fixes

  • In build 5000, when the Admin users from the MSP org scheduled reports in the Client org, they received Zero bytes reports. This issue has been fixed now.
  • From build 5000, Additional fields were missing from the Bulk edit page of resources. This issue has been fixed now.
  • From build 5000, users with the Password Administrator role were unable to perform 'change role' or 'delete user' operation - to change to a Password user or a Password Auditor, even when no resources or accounts were present under 'Transfer Approver privileges'. This issue has been fixed now.
  • Earlier, in schedules, created for AD groups during resource or user discovery, groups with an ampersand (&) in their names could not be edited. This issue has been fixed.
  • In earlier builds, the PAM360 dashboard froze and the server ran out of memory due to the overload of audit data. This issue has been fixed.
  • In build 5000, in the 'Account Addition' password field, the character & was displayed as &. This issue has been fixed.
  • From build 5000, users could not create the Password reset Listener. This issue has been fixed now.
  • Earlier, users faced an issue with the mouse scroll during RDP and VNC remote sessions initiated through Google Chrome version 89. This issue has been fixed.
  • Earlier, when password synchronization was enabled for any organization (MSP or a Client ORG), PAM360 executed the task only for the organizations under MSP. This issue has been fixed now.
  • Earlier, users were unable to use the operators >= and <= in the LDAP search filter queries during user import from an LDAP domain. This issue has been fixed.
  • When the PAM360 and KMP agents were installed in the same machine, the data used for the agents' authentication was stored in the same place in the registry, causing the overwriting of the agents' data, thereby making the agents non-functional. This issue has been fixed.
  • The automated scheduled task introduced for dashboard optimization caused the database connections to become unavailable, for some time, for a few users. This issue has been fixed now.
  • When Two-Factor Authentication was enabled, the legal banner and the privacy policy banner links in the Login page (enabled from the 'Rebrand' wizard) did not show up/work. We have resolved this issue.
  • Earlier, for some users, after configuring Duo TFA, the requests that were supposed to be sent to the PAM360 access URL were directly sent to the PAM360 server. This issue has been fixed now.
  • Earlier, the 'Edit User' action did not work for certain users. We have resolved this issue.
  • Previously, the password entered in 'Importing users from AD wizard >> specify the user name and password manually' did not get saved due to a password encoding issue. This issue has been fixed.
  • Earlier, users were able to export offline passwords even when the export password was disabled using the export URL. This issue has been fixed now.

Security Fixes

  • When users configured X-Forward-For in PAM360, there was a possibility to bypass web access restriction by setting the X-Forward-For header manually. This issue has been fixed now.
  • A Cross-Site Scripting (XSS) issue found in the edit LDAP server details page has been fixed.
  • There existed a vulnerability from version 4.0.0 that permitted the retrieval of masked non-website resource type passwords as clear-text, by capturing the API call of the PAM360 browser extension and replacing the password ID of website account passwords. This vulnerability occurred under any or all of the following circumstances: with the user type roles only, with the password masking option enabled by the Admin under 'General Settings', and only to the shared passwords. This issue, reported by Sandeep Saxena (CVE-2021-31857), has been fixed.
  • A user enumeration issue has been fixed.
  • Users with access to the PAM360 server, running in a machine with a few policies configured, were able to view the IIS web.config passwords as cleartext in the event log.

Version 5.1 (Build-5100)

Major
22nd May 2021

Enhancements

  • We have introduced four new REST APIs: Fetch UserGroupID, Configure Remote Password Reset for Linux resources, Share Resource and Share account to User Group.
  • Henceforth, remote connections initiated using SSH key-based authentication, and remote authentication using the domain account or using the 'Currently Logged in AD account' option will work with the new SSH terminal.
  • Previously, it was possible to initiate remote connections using the Auto Logon Gateway feature to Windows, Windows Domain, Linux, and Cisco resources only. From build 5100 onwards, it is possible to initiate remote connections to all SSH-based resources.
  • In earlier builds, the upload file size limit for SSH File Transfer Protocol-based (SFTP) file transfer was 300 MB, which was inadequate. Now, the file size limit has been upgraded to 6 GB.

Bug Fixes

  • When Two-Factor Authentication was enabled, the legal banner and the privacy policy banner links (enabled from the 'Rebrand' wizard) in the Login page did not show up/work. This issue has been fixed.
  • The SSH terminal page was unresponsive when ALT+Tab keys were used to switch to Windows and return to the Terminal. This issue has been fixed now.
  • When a user with Administrator or Connection user privileges tried to initiate an RDP session to a Windows resource, or an account is shared with them at the resource group level, the system threw a password inaccessible error, which has been resolved.
  • Shared resources and accounts, with 'Manage' level permission, viewable from the Resources and the old Connections views, were not visible from the new Connections tab. We have fixed this.

Version 5.0 (Build-5004)

Hotfix
13th May 2021

Security Fix

  • We have fixed a vulnerability that allowed the retrieval of masked non-website resource type passwords as clear-text, by capturing the API call of the PAM360 browser extension and replacing the password ID of website account passwords. This was encountered with any or all of the following: the user type roles only, the password masking option enabled by the Admin under 'General Settings', and the shared passwords only.

Enhancement

  • As an extension to the above fix, a new option has been introduced under 'General Settings >> Password Retrieval', which allows Autologon for URL-configured non-website resources via the browser extension, even if the plain text view of passwords is disabled. With this, users will have the flexibility to enable or disable the Autologon functionality carried on via the browser extension for which the URL is configured.

Version 5.0 (Build-5003)

Minor
9th April 2021

Security Fixes

  • A security vulnerability allowed unauthorized personnel to pull the Super Admin's email address by accessing the URL - /SuperAdminAlertList.ec, through API. This has been fixed.
  • Cross-Site Scripting (XSS) issues found in the Query report description and Edit LDAP server details page have been fixed.
  • A Cross-Site Scripting (XSS) issue found in the User Password Change page has been fixed by ensuring proper output encoding for the password policy.
  • We have rectified a stored XSS issue that occurred via the ResourceURL while accessing: /InvokeResourceURL.cc in PAM360.

Version 5.0 (Build-5002)

Minor
16th March 2021

Security Fix

  • A Cross-Site Scripting (XSS) issue that occurred in the web app connection page has been fixed.

Version 5.0 (Build-5001)

Minor
23rd November 2020

New Features

  • PAM360 - Log360 UEBA Integration
    ManageEngine PAM360 now integrates with ManageEngine Log360 UEBA, a machine learning-based tool that analyzes audit logs and detects unusual behavior using score-based risk assessment, anomaly trends, and audit reports. On the whole, the integration helps you to consolidate the extensive resource and user audit trails recorded by PAM360 and render them into fully visualized anomaly reports, interpreted using patterns and user behavior, all from the PAM360 console.

Bug Fixes

  • In build 5000, there was an issue due to the broken "Your Position" hyperlink in the Windows File Transfer client. This issue has been fixed by upgrading our RDP engine.
  • In build 4101, during AD sync, the resource or user removed from an AD resource/user group still showed up in the PAM360 resource/user group. This issue has been fixed now.

Version 5.0 (Build-5000)

Major
24th October 2020

New Features

  • Connection Settings
    PAM360 now offers advanced configuration settings for remote connections added to the product, which are customizable for SSH, RDP, and VNC connections, thereby improving the overall user experience while initiating connections from PAM360 to the respective remote resources. Some of the advanced settings include changing the SSH terminal type, modifying the desktop composition for RDP connections, changing the encoding type of VNC connections, etc.
  • Secure File Transfer
    PAM360 now allows bi-directional file transfer between two systems through the SSH File Transfer Protocol (SFTP). Users can accomplish this by installing the SFTP server in the target remote systems. There is no proposed size limit for file transfer through the secure file transfer mechanism, therefore allowing PAM360 to authenticate the connection and transfer large files without the risk of security breaches. Besides file transfer, PAM360 permits bi-directional upload and download of files between the user's machine and the remote connection they have established, without the need for a remote session. This upload and download mechanism is made possible through the Secure Copy Protocol (SCP).
  • Enhanced Connections
    This release comes with a more polished 'Connections' tab that serves as a one-stop platform to view all the added Connections, Favorites, and Connection Groups. The tab holds some useful options, such as a new secure file transfer option, and a new search filter that facilitates the search of resources within the tab using Name, DNS name, or type of OS. All the connections have the following quick access control buttons: Connect, Request, Checkin, Checkout, Remote App, and Upload/Download files.
  • Remote App
    PAM360 now allows you to connect to specific applications, already configured as 'Remote Apps', in target systems. Adding Remote Apps to RDP connections increases accessibility and ease of use when connecting to remote machines. Remote Apps are of great utility to IT admins in making the privileged sessions easier to control, as they limit users' access to selected applications.
  • Gateway Settings
    From this release, users can customize 'Gateway settings' in PAM360, under 'Admin >> Connections'. Users can edit and control the cipher suites used for SSL communication, set up a different port, choose SSL protocols to be used for securing remote connections initiated from the product, customize HTTP header log settings, etc.
  • New SSH Terminal
    From this release, users can avail of a new lag-free SSH Terminal that uses the WebSocket API and is faster and more responsive.
  • Landing Server for Windows
    Provision to launch secure, one-click RDP access to remote devices in data centers with complete password management. Administrators can now configure landing servers and their login credentials and associate them with the resources managed by PAM360. They can then launch one-click connections with the remote resources, without worrying about the intermediate hop, thus providing them the same experience as the direct connection.
  • Azure MSSQL Support
    PAM360 now supports Azure MSSQL as the backend database. It also allows PostgreSQL to Azure MSSQL instance migration.
  • New Certificate Format - PEM
    A new certificate format, Privacy Enhanced Mail (PEM), has been added, in addition to the already available certificate export formats, Keystore and PFX, where the PEM format is used for digital certificates and keys, deployed in web server platforms (e.g., Apache).
  • Support for GoDaddy DNS
    PAM360 now supports GoDaddy DNS to complete the domain control validation procedure while acquiring certificates from public Certificate Authorities, along with the already available DNS support types, Azure DNS, Cloudflare DNS, Amazon Route 53, and RFC2136 Update. Using GoDaddy DNS, users can update the DNS record for GoDaddy domain validation from the PAM360 portal itself.

Enhancements

  • Previously, it was possible to configure access control settings at the resource level only, which were applicable for all the accounts under the resource. Now, it is possible to set password access control independently for each account under a resource, without affecting the access control configurations of other accounts in the resource. This ability to set unique configurations for each account helps users maintain unparalleled security levels for each account, based on requirements. Remember, the account-level access control configuration takes higher precedence over the resource-level access control configuration.
  • This release comes with an exclusive page for 'Windows Agents', accessible from the SSL tab, from where users will be able to perform all agent-specific operations such as SSL Discovery using agent, deployment of SSL certificates in certificate groups using agent and CSR Signing with MSCA agent.
  • Certificate deployment in multiple servers has now been made simpler by using an agent, provided the agent is running in the server to be deployed, and both the agent name and the server DNS name are the same.
  • Now, auto-renewal of certificates is possible for the 'MSCA using agent' sign type as well, from 'Settings >> SSL >> Certificate Renewal'.
  • The 'Certificate Sign Report' comes with the following MSCA/Third party CA signing details: Certificate Authority, Certificate Template, Sign Type column.
  • The 'Certificate Renewal report' comes with the 'Renewed By' column relevant to MSCA and 3rdPartyCA renewal details.
  • A new option 'Reissue Certificate' has been added under 'SSL >> GlobalSign' that allows users to request GlobalSign to reissue an SSL certificate.
  • The new 'GlobalSign Orders Report' allows the GlobalSign orders to be added as individual reports, which provide a detailed view of certificate orders requested from the GlobalSign CA.
  • From now on, users can add a 'Key Comment' while importing a new SSH key and editing an existing key from the repository. Also, users can use the checkbox 'Update comment in associated users' to update the Key comment to the associated end servers automatically.
  • Now, it is possible to add additional properties to a certificate while creating it, by using the 'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties, and add them to the new certificate. Examples of the Key Usage properties include Digital Signature, Decipher Only, Encipher Only, and Certificate Sign.
  • The DigiCert CA page has been enhanced with a new menu 'Show' that has four options, Expired, Revoked, Rejected, and Others, used to filter the DigiCert CA list view.
  • Now, while adding or modifying the Certificate Groups, it is possible to set 'additional fields' also as one of the 'By Criteria' filters for certificates.
  • While creating an additional field, users are allowed to choose if it is applicable for SSH/SSL/both. The 'Additional fields' option is now available under 'Settings'.
  • New REST APIs 'GET CSR list' and 'Sign CSR' have been added.
  • The 'Expiry Notification' has been enhanced with the custom mail content, 'Title' and 'Signature'.
  • The 'Certificate Renewal Report' page under the 'Reports' tab now comes with a column chooser.
  • Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under 'SSL >> Windows Agents'.
  • Now, users can tailor schedules by adding custom email content and a unique signature.
  • Now, users can discover certificates issued by a particular 'Microsoft Certificate Authority' just by entering the MSCA name in the relevant text box during discovery. Remember, this additional option will be available in PAM360 installations running in Windows machines only.
  • Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
  • Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Notification' and 'Schedule' tabs will be applied to the emails sent via email addresses in the additional fields as well.

Bug Fixes

  • An issue in Download file API has been fixed.
  • Server certificate update failed in case of Key Store with multiple alias names. This has been fixed.
  • The root and intermediate certificates of PEM format got added as separate entries in the certificates repository. This has been fixed now.
  • Agent got duplicated when re-installed from a different IP address. This has been fixed.
  • The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
  • The issue in MSCA auto-renewal with the EC key has been fixed.
  • Get Templates issues that existed with the non-English languages have been fixed.

Security Fixes

  • A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the Resource name while masking password, theme type, skin color, Category name of the Personal tab, web app connections, and user sessions of the Audit tab has been fixed.
  • The TLS of the SSL agent in PAM360 has been upgraded to version 1.2 and is configurable in 'Agent.conf'.
  • Earlier, during API calls, the Authentication token was passed as a request parameter. Hereafter, each API call made to the application requires the Authentication token to be passed in the request header.
  • Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain optimal security.
  • A local File Intrusion issue that occurred during the MS store discovery has been fixed.
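
The two fixes above that move the Authentication token and the Keystore password out of the URL matter because request URLs are written to access logs. The following is an added example, not PAM360 code: it scans access-log lines for secrets carried as query parameters and emits redacted copies. The parameter names, paths and log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names for illustration; use the names your deployment uses.
SENSITIVE_PARAMS = {"authtoken", "keystorepassword"}

# Request field of a common/combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (target with secret values masked, names of the params masked)."""
    parts = urlsplit(target)
    found, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            found.append(name)
            value = "REDACTED"
        cleaned.append((name, value))
    if not found:
        return target, found
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found

def scan_access_log(lines):
    """Find log lines where a secret travelled in the URL; return them redacted."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, found = redact_target(m.group("target"))
        if found:
            safe = line[:m.start("target")] + redacted + line[m.end("target"):]
            findings.append({"line": lineno, "params": found, "redacted": safe})
    return findings

# Constructed sample lines. The third shows the post-fix shape: the secret is
# in a header or the request body, so nothing sensitive reaches the log.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /api/example/resources'
    '?AUTHTOKEN=CONSTRUCTED-TOKEN-1&format=json HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2020:10:00:05 +0000] "POST /api/example/certificates'
    '/upload?keyStorePassword=constructed-pass HTTP/1.1" 200 64',
    '192.0.2.12 - - [01/Jan/2020:10:00:09 +0000] "POST /api/example/certificates'
    '/upload HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["line"], f["params"], f["redacted"])
```

Any token or password found this way in logs written before the upgrade should be treated as exposed and rotated.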

Version 4.5 (Build-4501)

Hotfix
16th May 2020

Security Fix

  • An unauthenticated servlet vulnerability found in our internal framework that posed the risk of less-impactful entries getting inserted in the integration system configurations table, remotely, has been fixed.

Version 4.5 (Build-4500)

Major
6th May 2020

New Features

  • Expiry Notifications for SSL Certificates
    PAM360 now enables users to discover, import, and configure expiry notifications for SSL certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM).
  • Self-signed Certificates Auto Renewal
    PAM360 now supports automated renewal of self-signed certificates along with Microsoft CA certificate renewal.
  • SSL Certificate Deployment and Binding - IIS Server
    From now on, you can both deploy a certificate to the IIS server and also bind it to the desired website in the IIS, all from the PAM360 interface itself, without the need to access the IIS server separately. Also, an option has been provided to automatically restart the IIS server for the deployment and binding to take effect, thereby eliminating the need for the manual restart from the IIS end.
  • Additional Fields
    PAM360 now brings you the 'Additional Fields' feature, configured from 'Admin >> SSH/SSL', which is used to include any additional information about SSH keys and SSL certificates stored in the repository. There are four different categories to add the additional fields: character, numeric, date and email. Users can choose to add or remove the additional fields from SSH and SSL views.
  • Column Chooser
    This version of PAM360 comes with the 'Column Chooser' feature that allows users to show or hide columns at runtime, and also rearrange the columns from the current view via drag-and-drop.
  • Pretty Good Privacy (PGP) Keys
    PGP encryption is used to enhance cryptographic privacy and authentication for online communication by encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression, hashing, and public-key cryptography to boost confidentiality. Now, PAM360 brings you this PGP functionality in the form of PGP key generation, where the keys are used to encrypt the data like emails, texts, etc. Create, store and manage PGP keys under 'Admin >> SSH/SSL'. Modify the key description anytime, export private/public keys, export keys to multiple email ids, and generate, view, and schedule reports. You can also send expiry notification emails to admins. This feature allows you to share and collaborate information securely among your trusted groups of users and businesses.
  • GlobalSign
    PAM360 now supports integration with GlobalSign SSL—a trusted Certificate Authority and a leading cloud-based PKI solutions provider. This integration enables users to request, acquire, import, deploy, renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by GlobalSign, directly from the PAM360 web interface.
  • Certificate Deployment using Agent
    PAM360 can already deploy and bind certificates to IIS servers belonging to the domain, where PAM360 also resides. Now, PAM360 can also deploy certificates to IIS servers in demilitarized zones and also bind them to websites in IIS, all using an agent. This makes PAM360 more scalable, as it can deploy and bind certificates in IIS servers, irrespective of whether they are in the same or different domain.
  • CSR Signing using Agent
    In addition to the already available two sign types, namely, 'MS Certificate Authority' and 'Sign with Root', used to sign certificates from PAM360, a third sign type 'MS Certificate Authority with Agent' has been introduced. This new sign type is mainly used to sign certificates originating from a distinct domain, i.e., other than the domain to which PAM360 belongs.
  • Integrating with Ticketing Systems
    PAM360 now integrates with enterprise ticketing systems, namely ServiceDesk Plus (on-premise) and ServiceNow. This integration ensures that automatic service requests are created in the ticketing environment to notify administrators of SSL certificates that are at risk of expiring and certificates that are deemed vulnerable after a vulnerability scan in PAM360. Users can set notification policies to govern the frequency of service request creation for expiring and vulnerable tickets.

Enhancements

  • PAM360 now provides additional insights on agent activity such as heartbeat interval, latest response time and operation performed.
  • For scheduled SSL expiry tasks, users now have the option to choose whether or not to receive email notifications when no certificates in that particular schedule are nearing expiration.
  • PAM360 offers automatic bundling of individual private key (.key) files and certificate files (.cer/.pem) into 'JKS' and 'PKCS' keystore file formats and provides export option for the same.
  • Two extra categories have been added to the criteria-based certificate group creation: AWS service and Certificate template.
  • Now, it is possible to use the PAM360 service account credentials for authentication while deploying certificates in Windows servers.
  • Henceforth, while creating a certificate, users can provide ephemeral access (validity in hours and minutes) to the certificates created, after which the certificate auto-expires. This eliminates the need for compulsory permanent access credentials to access target systems and also explicit access repeal.
  • It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address combination.
  • The option to filter certificates based on the key length and signature algorithm within specific expiry days has been added to the 'getAllSSLCertificates' Rest API.
  • It is now possible to customize notifications and their intervals. Users can now choose not to receive notifications regarding the expired certificates, and send a separate email and customized subject per certificate, from 'Admin >> SSH/SSL >> Notification Settings'. The same actions can be done while creating new schedules under 'SSH/SSL >> Schedules >> Add Schedule', where you have to select the Schedule Type as 'SSL Expiry'.
  • Earlier, PAM360 allowed signing and deployment of certificates only from Windows systems. Now, it is possible to perform certificate signing and deployment to Windows systems from Linux installations through agents.
  • It is now possible to provide customized subjects in 'Schedules'.
  • In the REST API, the fetch details format is modified in such a way that the "details" attribute holds all the data. The following is the modified API list: GetCertificateDetails, getallsslcertificates, getAllSSLCertsExpiryDate, sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey, GetSSHKeysForUser and GetAllAssociatedUsers.

Bug Fixes

  • Previously, certificate deployment failed if the field "Store Password" contained a space character while creating certificates from 'Certificates → Create'. This has now been fixed.
  • Previously, when performing bulk operations, the "Create and Deploy" action failed when executed on SSH user groups, for RSA and DSA signature algorithms. This has now been fixed.
  • Previously, when there was a "space" character present in a certificate group name, attempting to fetch the SSL certificates report pertaining to that group from the Reports tab threw the following error: "Invalid field format". This has now been fixed.
  • Previously, even after the certificate private key was imported and attached to a certificate in PAM360's certificate repository, the "Export Keystore/PFX" option was still disabled. This has now been fixed.
  • During all AD-related operations performed from the PAM360 interface, the 'Connection Mode' got saved as 'No SSL' only, even if the 'SSL' mode was chosen. This issue has been fixed now.
  • Earlier, MSCA signing supported 'java keytool' CSR only. Now, from this release, all CSRs will be supported by MSCA signing. During certificate creation, all values entered in the SAN field were all together categorized as 'DNS' only. Now, the values are segregated as 'DNS' and 'IP Address' categories.
  • When a set of resources is shared with a user(s) with varying access permissions, and when different access permission is granted for one of those resources, the access permission of all the other resources also got changed. This issue has been fixed now.

Security Fixes

  • A SQL injection vulnerability identified in 'Audit Reports' has been fixed.
  • A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the user input has been fixed.
  • Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain optimal security.

Version 4.1 (Build-4101)

Minor
1st April 2020

Enhancement

  • Just in Time (JIT) Privilege Elevation for Local Accounts
    Now, a PAM administrator can provide just-in-time (JIT) privilege elevation to Windows local accounts in PAM360 with short-term access to a sensitive application or a service, for a defined period, say 30 minutes. In other words, the administrator can use this feature to temporarily elevate an account's privilege to be a Windows Administrator or any other privileged user, and accomplish the required privileged functions. This is useful in scenarios where users do not need continual privilege access but only a temporary, on-demand privileged access to certain applications or tasks.

Version 4.1 (Build-4100)

Major
3rd February 2020

New Features

  • AWS EC2 Discovery
    This build comes with the option to discover AWS EC2 instances and their associated privileged accounts, in addition to the already available Windows, Linux, VMware and Network device discovery. Discover the AWS EC2 instances by providing the access key and secret key of AWS IAM users. Discover the privileged accounts associated with each AWS EC2 instance by providing the SSH private key (.pem) of the relevant instance at the time of discovery. You can also discover AWS EC2 instances from multiple regions.
  • Integration with the Automation Anywhere RPA Tool
    ManageEngine PAM360 integrates with Automation Anywhere, a Robotic Process Automation (RPA)-powered platform that automates software processes using bots. PAM360 renders a bot that helps you automatically fetch passwords from the PAM360 secure vault without manual intervention. This bot is capable of working in combination with other bots in Automation Anywhere to create a complete endpoint management workflow.

Enhancement

  • Periodic Password Integrity Check
    For resource groups, an option is already available to check if the passwords stored in the PAM360 database are in sync with the passwords in the target devices. Now, a new option 'Periodic Integrity Check' is added that allows you to schedule tasks to run on a specific day/time, or at regular intervals of the specified day(s), or on a specific day of a month. The password integrity check will happen periodically based on the schedule set. Unlike the former option, you can use the new option to check the integrity of the passwords in the desired groups at your convenient schedules.

Bug Fixes

  • During RDP sessions, it was not possible to copy texts using the keyboard shortcut 'Ctrl+C'. This was due to a breakage in the content security policy header enabled in PAM360 build 4000. This issue has been fixed.
  • From build 4000, while updating LDAP details, LDAP users alone got removed from the user group. This issue is fixed now.
  • From build 4000, SSH sessions did not get recorded when the option 'Enable splitting of SSH and Telnet session recordings into multiple files' was enabled under 'General Settings--> Miscellaneous'. This issue occurred in FQDN servers or when the DNS name contained an IP address. This issue has been fixed.

Version 4.0 (Build-4002)

Minor
14th January 2020

Security Enhancement

Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally authenticated users. Now, as a security practice, we have enforced the following measures, applicable for installations under the 'Program Files' directory:

  • No inherited permissions are allowed for data and configurations directories.
  • "Authenticated Users" permission has been excluded entirely.
  • Only the CREATOR OWNER, SYSTEM, Installation User, NT AUTHORITY\Network Service and Administrators groups will have Full Control over the directories and can start PostgreSQL.
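
To confirm that a data directory matches the three measures above, the text printed by `icacls <directory>` can be checked offline. The following is an added example, not PAM360 code: the directory path, the installation account name and both sample outputs are constructed placeholders.

```python
import re

# One ACE as printed by `icacls <dir>`: PRINCIPAL:(flag)(flag)...
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Za-z,]+\))+)$")

# Principals the release note lists as retaining Full Control. The
# installation user is site-specific, so the caller supplies that name.
BASE_ALLOWED = {"creator owner", "nt authority\\system",
                "nt authority\\network service", "builtin\\administrators"}

def parse_icacls(output, path):
    """Return [(principal, [flags])] from the text icacls printed for path."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who"), re.findall(r"\(([^)]+)\)", m.group("flags"))))
    return aces

def audit_data_dir(output, path, install_user):
    """List deviations from the three measures described above."""
    allowed = BASE_ALLOWED | {install_user.lower()}
    problems = []
    for who, flags in parse_icacls(output, path):
        name = who.lower()
        if "I" in flags:                   # (I) marks an inherited ACE
            problems.append(f"inherited ACE: {who}")
        if name == "nt authority\\authenticated users":
            problems.append("Authenticated Users still has access")
        elif name not in allowed:
            problems.append(f"unexpected principal: {who}")
        elif "F" not in flags:
            problems.append(f"{who} lacks Full Control")
    return problems

# Constructed sample output; the path and account names are placeholders.
PATH = r"C:\Program Files\Example\pgsql\data"
BEFORE = PATH + r""" NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""
AFTER = PATH + r""" CREATOR OWNER:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    EXAMPLE\pam-install:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""
```

Principal names are matched case-insensitively but are the English ones; on a localized Windows build, adjust `BASE_ALLOWED` to the names icacls prints there.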

Version 4.0 (Build-4001)

Minor
13th November 2019

New Features

  • Integration with DigiCert SSL
    PAM360 integrates with DigiCert—a leading TLS/SSL, IoT and various other PKI solutions provider. Users can request, acquire, create, deploy, renew and automate the end-to-end management of SSL/TLS certificates issued by DigiCert, all directly from the PAM360 portal.
  • CSR Templates
    It is now possible to create and use predefined templates for CSR (Certificate Signing Request) generation from PAM360.
  • Option to Exclude Certificates
    Users can now choose to ignore certain certificates during the SSL discovery or manual addition of certificates into the PAM360 repository. A new option is added under 'Admin >> SSH/SSL >> Exclude Certificate', which you can utilize to add the certificates to be excluded, by specifying their Common Name and Serial Number.
  • Support for RFC2136 DNS Updates
    PAM360 now supports RFC2136 DNS updates to complete domain control validation while acquiring certificates from public certificate authorities (CAs).
  • Support for Browser Extensions
    From build 4001, support is enabled for browser extensions (Chrome and Firefox), which allow you to auto-fill passwords to websites and web applications, and set up Auto-Logon gateway to launch RDP and SSH sessions. Additionally, the add-on allows you to view all passwords, resource groups, favorites, etc., and access existing passwords and add new ones, all in a single platform accessible through a central console.
  • Option to modify the email id of the Let's Encrypt account, used by Let's Encrypt to send email alerts of expiring certificates.

Enhancements

  • From PAM360 build 4001, an option is provided for Linux resource types that lets users force map SSH keys to user accounts, even if the target systems are not reachable.
  • Users can now use PAM360 to sign CSRs (either using your internal Microsoft CA or a root certificate) as and when they are generated.
  • PAM360 now supports file-based discovery for scheduled SSH and SSL discovery tasks.
  • A new dashboard widget to provide data about SSL configuration vulnerabilities has been added.
  • Support is enabled for the discovery of SSH keys with ECDSA and ED25519 signature algorithms.
  • A new REST API to view the private key passphrase of SSL certificates has been added.

Bug Fix

In PAM360 build 4000, while trying to integrate with ServiceDesk Plus, the "Invalid API key" error was encountered. This issue has been fixed in this build.