Integrating PAM360 with ManageEngine's IT Operations Management Applications

ManageEngine's IT Operations Management (ITOM) comprises diverse applications designed to optimize the management of IT infrastructure such as network devices, servers, applications, databases, and other critical components. Each application is blended with distinct capabilities such as automated monitoring, problem resolution, resource utilization optimization, and efficient incident management, enhancing operational efficiency and service reliability within organizations.

Integrating ManageEngine PAM360 with ITOM applications ensures flexible and secure management of IT infrastructure. Passwords are stored securely in PAM360 and shared as needed with the appropriate ITOM applications, streamlining access management. This integration facilitates automated password updates and enhances overall security by reducing manual handling.

This document outlines the process of integrating PAM360 with the ManageEngine ITOM application, detailing the steps required for the successful integration. It covers the following topics:

1. Prerequisites
2. Integration Steps
3. How does this Integration Work?
4. Managing the Configured ITOM Applications
5. Limitations
6. Troubleshooting Tips

1. Prerequisites

PAM360 supports communication only through SSL mode through a secure HTTPS connection. To support HTTPS connection, the identity of the ITOM application should be verified through a valid SSL certificate. Therefore, this SSL certificate should be imported into the PAM360 certificate store. Follow the steps detailed below to import the SSL certificate of an ITOM application into the PAM360's certificate store:

1. Stop the PAM360 service.
2. Open the command prompt and navigate to the "<PAM360_Installation_Folder>/bin" folder.
3. Execute the following command:
• importCert.bat <Absolute path of the certificate used by the ITOM application>
4. Restart the PAM360 service.

2. Integration Steps

When integrating an ITOM Application Server with PAM360, the configuration is bi-directional. Regardless of whether you initiate the integration from PAM360 or ITOM, the integration will reflect on both applications. This means you can choose to configure the integration from either side, depending on your workflow needs.

2.1. Integrating ITOM Application from PAM360

Follow these steps to integrate ITOM application from PAM360:

1. Log in to your PAM360 account.
2. Navigate to Admin >> Integrations >> ManageEngine.
3. On the ManageEngine Integrations page, click the Configure button below the ITOM logo.
   
4. On the ITOM Integration page, click the Add New Application button at the top-left corner of the screen.
5. In the Add New Application window that opens, enter the following details.
1. Application Server Name - Enter a name for the ITOM application server. It serves as a unique identifier for the ITOM application within the PAM360 service, enabling the mapping of multiple ITOM applications.
2. Host Name - Enter the host name of the ITOM application.
3. Port Number - Enter the port number on which the ITOM application is running.
4. Username - Select the PAM360 user account that holds the resources (irrespective of ownership or share permission) for ITOM application requirements.

Notes:

1. We recommend you to create a unique PAM360 user account for ITOM integration and share all the resources whose passwords are to be securely stored in PAM360 and shared as needed with the appropriate ITOM application servers.
2. The selected user account should not contain Super Administrator privileges.
3. Only users with Privileged Administrator and Administrator privileges, as well as custom user roles with ManageEngine Integration privileges, can integrate the ITOM application server with the PAM360 server.
5. Authentication Token - Generate an Auth Token from the ITOM application and enter it here. This token will be transmitted along with all communications to the ITOM application. The ITOM application will validate messages received from the PAM360 server using this auth token.
   
6. After entering the required details, click Enable to successfully integrate the ITOM application with PAM360.

2.2. Integrating PAM360 from ITOM Application

Follow these steps to integrate PAM360 from ITOM application:

1. Log in to your ITOM application and navigate to the PAM360 integration page.
2. Provide details such as Server IP/DNS Name, Application Server Name, and Auth Token.
1. Server IP/DNS Name: Provide HTTPS as the protocol, as PAM360 only communicates through SSL mode through a secure HTTPS connection. Enter the server name/IP and port number where the PAM360 application is hosted.
2. Application Server Name: The Application Server Name is used to link ITOM applications with the PAM360 service. It serves as a unique identifier for the ITOM application within the PAM360 service, enabling the mapping of multiple ITOM applications to the same PAM360 service.
3. Auth Token: The ITOM application accesses PAM360 APIs using this Auth Token. Generate an Auth Token and paste it into the Auth Token input field.

Note: While generating an auth token, ensure you are logged into your PAM360 server with admin account credentials.

3. Test the connection based on the provided input and save the configuration.

3. How does this Integration Work?

When integrating ITOM application with PAM360 for the first time, the ITOM application will retrieve the necessary resources from the PAM360 user account (selected during the integration process) by mapping the DNS Name/IP Address of the devices managed by the ITOM application.

After resource mapping, PAM360 will automatically update the passwords of the mapped resources to the ITOM database. This process occurs whenever the password of a mapped resource is rotated remotely via PAM360, ensuring that all credentials are consistently updated across integrated systems to maintain operational continuity.

4. Managing the Configured ITOM Applications

To view and manage the configured ITOM applications on the PAM360 console, go to the ITOM Integration page where you can view all the configured ITOM applications. You can edit or delete existing ITOM application integrations and enable or disable password synchronization for the mapped resources.

1. To edit the details of an existing ITOM application server, follow these steps:
1. Click the Edit icon beside the corresponding server.
2. On the Edit Server page, modify the application server name, host name, port number, or user account based on your requirements.
   

Note: While modifying the user account, ensure that the newly selected user account has access to the necessary privileged accounts to be managed by the ITOM application irrespective of ownership or share permission.

3. Enter the auth token generated on the ITOM application server console in the Authentication Token field.
4. Click Update to save the configured changes.
2. Toggle the synchronization switch beside the corresponding server to enable or disable password synchronization for the mapped resources. The password synchronization is enabled by default.
3. Click the Delete icon beside the corresponding ITOM application server to delete the integration with PAM360.

Note: Disabling password synchronization or deleting an application server will prevent PAM360 from updating the passwords of the mapped resources to the ITOM application server. Exercise caution while performing these actions.

4. Click the View Accounts icon beside the respective server to view the list of associated accounts.

5. Limitations

1. The DNS name should be unique for each resource shared with the ITOM application server.
2. Password change notifications to the ITOM application servers are only triggered for passwords reset using the remote password reset feature. Local password changes made directly on the PAM360 server will not trigger notifications to the mapped ITOM application server.

6. Troubleshooting Tips

1. Check if the certificates are properly imported.
2. Check the connectivity between the two machines; connectivity should be bi-directional.

If you encounter any persistent issues, please contact our support at pam360-support@manageengine.com.