PMP User Groups, Great idea BUT!

Who can administer PMP User Groups? The short answer is all PMP Administrators, and that just isn’t right. I’m hoping the vendor will fix it soon.

User groups are great, but...

In setting up an area for a support team I created an AD group, imported it into PMP, set one of the new users up as a Password Admin and then provided my documentation on how to use PMP to securely store passwords.  I sat with the guy as he created a CSV file and started to import the passwords.

I showed him how to create a Resource Group using dynamic criteria so all his resources would be automatically added to the Resource Group as they were imported.  Then I showed him how to share it with all his team members using the User Group I’d set up.

Great: now he creates a CSV with all the resources in it, imports the CSV, PMP adds the Resources to the Resource Group, and all of his team can access the passwords.  Now that it’s all set up, it all happens in one step.

BUT there was a BUT in my first line!

I am not part of his team.  Currently I cannot see any Resources he added, as they are not owned by nor shared with me.  BUT, and here it is, I can add myself to the PMP group and BINGO, I have access to his passwords.  That’s NOT secure.  Yes, I can AUDIT this, but the damage is done already; prevention is definitely better than the cure.

Is there a way of preventing this?

I cannot see a group owner.  I’m thinking groups should work the same as Resources: Password Admins should be able to add user groups, own them, and share management in exactly the same way as Resources.  That way I can set up a PMP group and then transfer ownership to the support team for subsequent management.  Leave the AD group security to me; that is out of scope of PMP’s control, and perhaps this leans me towards not using AD groups as a way of automating a Joiners/Leavers/Transfers process.

Right now the only solution I see is for this support team to share resources to Users, not User Groups, which makes PMP User Groups useless as they present a security hole.  The downside is that for a BIG team this is going to be painfully slow for him to set up.

Thoughts?


Migrating from KeePass to Password Manager Pro

KeePass is a great tool for the individual but not so for the corporate user.   The problem for the corporate user is that if you have the password to the KeePass file then you have access to all the passwords in the file.

This is where a product like Password Manager Pro comes into its own.  You can add in all the passwords but restrict users to see only the specific passwords shared out to them, and more importantly you can add workflow into the mix, i.e. a user needs approval before he can see a password and that access is audited.  The latter option means you can take action as part of the leaver process, and you can also use this audit data to reset passwords to ensure that they have not been written down for later use.  Add in the ability to automate password resets and you are starting to see the real power of a password management solution.

This post documents some of the things I discovered about the process of exporting the passwords out of KeePass and placing them in Password Manager Pro.  I wouldn’t say you have to read this before doing this yourself, but it might save you some time and heartache when you do your own migrations.

KeePass has an export function that exports the password data to a CSV file.  The exported file will have the following columns, which relate to the PMP import columns as shown:

KeePass Column Name -> PMP Column
Account -> Resource Name
Login Name -> User Account
Password -> Password
Web Site -> Resource URL
Comments -> Notes

To import into PMP you will want to add some more information.  It is also unlikely that the format used to store the data in KeePass is ideal for storage in PMP.  In my implementation I added a custom field “ResourceGroups”, which allows me to make use of dynamic “resource groups” to provide some order to the accounts stored in PMP and make it easy to share out these groups to different teams.

Open the CSV file and sort the user accounts into PMP “resource types”.

A Resource can only hold one type of user account, i.e. you cannot store a user account for a web site alongside a user account for a Windows server.  This is because the resource type specifies what fields are available for the user accounts and also whether the resource has an associated RDP / SSH or web address, so a resource type can only contain one user account type.

Create a new CSV file for each resource type.  This has two benefits: a smaller set of accounts to import during each import, and it is easier to check that all of the accounts were imported.

The KeePass Account column will usually serve as the description column and the Comments will become the notes column in the PMP import file. Set the Resource Name column in each file to a value that will identify the resource being imported.  You can optionally add data to the Department, Location and Resource group columns.  These attributes can be used to group the imported user accounts into resource groups.

For website accounts the “web site” column in the KeePass export becomes the Resource URL in the PMP import file.

For Windows, Linux and HP iLO accounts populate the Resource Name with the server name and the DNS Name with the FQDN or IP address of the server.

For domain accounts set the OS Type column to “WindowsDomain”.

In all cases set the ResourceGroup column to the same value.  This will allow you to create a resource group in PMP and view the imported values.   It also avoids an input error where the number of populated cells in row one does not match the subsequent rows, which causes an import error.

NOTE: each row in your CSV file will hold all of the information for both the resource and the user account to be added to the resource.  The resource is, for example, the server and the user account might be the local admin account on that server.  Some of the columns in the row are for the resource, e.g. the DNS Name and Description; others, like the User Account and Password columns, are for the user account.  It sounds obvious but it’s easy to forget, add a different description for each account and then find that this description was added to the resource and not to the accounts you add to the resource.  Use the Notes column for adding, well, notes to the account :-).

Here’s a list of the columns you want in your input file:

Column Name: Use
Resource Name: The RESOURCE name
User Account: The USER ACCOUNT name to add to a resource
Password: The USER ACCOUNT password
Description: The RESOURCE description
DNS Name: DNS name, can be used in both USER and RESOURCE
Department: The RESOURCE department
Location: The RESOURCE location
OS Type: The RESOURCE type
Resource URL: The RESOURCE URL
Notes: The USER ACCOUNT notes
ResourceGroup: The RESOURCE resource group – custom attribute used to group resources together

The items in bold must be present for the import to work.  You can’t add a user account without a user account name.  Again this is obvious, but you will probably find, like I did, that the source KeePass file has lots of entries with no account name or, worse, no password!  You will need to add these before you can put them into PMP, or delete them of course.

The import process is a little buggy and may not import all columns under certain conditions.  This means you need to carefully check that all of the accounts were imported successfully, and there is no easy mechanism for this other than doing a count.  The quickest way of doing this, if possible, is to group the resources into a new resource group; the number of accounts will then be listed.

Before you get to import the data you will also need to check for some common errors:

  • Line Feeds in any of the cells
  • Incorrect data in a cell
  • Passwords stored in the wrong column
  • User Account blank

Common issues are that the KeePass comments or other columns may have line feeds (CR/LF) in them, i.e. multiple rows of information with formatting.

To find these rows, select the top row and on the Data tab filter the data.  Then sort the data on the Resource Name column.  If any rows have multiple lines of data the row height will expand.

Look for data being in the wrong column, e.g. the notes column may contain a URL or IP address – this can be moved to the DNS or Resource URL.

Sometimes the password will also be stored in the Notes column.  This should be deleted.

Where a user account is blank you must add data.  Some KeePass entries were stored where either the data owner knew the account name or an account name is not relevant.  PMP must have an account name, so you need to make one up if necessary.  I recommend using NOTREQUIRED as the user account name to make it obvious that the account name is not relevant to the resource.

If you think you are ready then... wait, check that file again before you do this.

All the lines in the CSV file should be consistent and have the same number of fields.  CSV files having extensions .txt and .csv are allowed.  This is why I always add that extra column at the end, ResourceGroups.
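The checks above (line feeds in cells, blank user accounts, passwords hiding in the comments, URLs in the wrong column, rows with a different field count) and the column mapping from the two tables can be done in one pass rather than by eye in a spreadsheet. The script below is an added example, not part of this post and not ManageEngine tooling; the KeePass export it parses is constructed for the example, the column names are the ones from the tables, and, following the one-file-per-resource-type advice, Resource Name, OS Type and DNS Name are supplied once for the whole file.

```python
"""Pre-flight a KeePass CSV export and rewrite it in PMP's import layout.

Added example (not part of the post and not ManageEngine tooling). Column
names are taken from the post's two tables; the sample export below is
constructed for this example.
"""
import csv
import io
import re

PMP_COLUMNS = [
    "Resource Name", "User Account", "Password", "Description", "DNS Name",
    "Department", "Location", "OS Type", "Resource URL", "Notes", "ResourceGroup",
]
URL_OR_IP = re.compile(r"https?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed KeePass export: record 3 has a blank login and a multi-line
# comment, record 4 repeats its password in the comment, record 5 is short.
SAMPLE_EXPORT = (
    "Account,Login Name,Password,Web Site,Comments\n"
    "Intranet wiki,alice,Wiki-Pass-1,https://wiki.example.internal,Shared team login\n"
    "Build server,,Build-Pass-2,,\"Owner knew the account\nsee ticket 42\"\n"
    "Monitoring,bob,Mon-Pass-3,https://mon.example.internal,password is Mon-Pass-3\n"
    "Broken row,carol,Carol-Pass-4\n"
)


def read_keepass_export(text):
    """Parse the export into (record_number, row) pairs. Records whose field
    count differs from the header are dropped and reported, because PMP
    rejects a file whose rows are not all the same width."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    records, issues = [], []
    for n, fields in enumerate(reader, start=2):  # the header is record 1
        if len(fields) != len(header):
            issues.append((n, f"field count {len(fields)} != {len(header)}"))
            continue
        records.append((n, dict(zip(header, fields))))
    return records, issues


def find_problems(records):
    """The post's pre-import checklist: line feeds in a cell, blank user
    account, missing password, password repeated in the comments, and a
    URL or IP address sitting in the comments instead of its own column."""
    issues = []
    for n, row in records:
        for col, val in row.items():
            if "\n" in val or "\r" in val:
                issues.append((n, f"line feed in {col!r}"))
        if not row["Login Name"].strip():
            issues.append((n, "User Account blank"))
        if not row["Password"]:
            issues.append((n, "Password blank"))
        elif row["Password"] in row["Comments"]:
            issues.append((n, "password repeated in Comments"))
        if URL_OR_IP.search(row["Comments"]):
            issues.append((n, "URL/IP in Comments; move it to DNS Name or Resource URL"))
    return issues


def to_pmp_rows(records, resource_name, resource_group, os_type="", dns_name=""):
    """Map records onto PMP's columns. Account becomes Description and
    Comments become Notes (line feeds flattened); ResourceGroup is filled on
    every row so every row has the same number of populated cells."""
    rows = []
    for _, row in records:
        rows.append({
            "Resource Name": resource_name,
            "User Account": row["Login Name"].strip(),
            "Password": row["Password"],
            "Description": row["Account"],
            "DNS Name": dns_name,
            "Department": "",
            "Location": "",
            "OS Type": os_type,
            "Resource URL": row["Web Site"],
            "Notes": " ".join(row["Comments"].split()),
            "ResourceGroup": resource_group,
        })
    return rows


def write_pmp_csv(rows):
    """Serialise in PMP's column order; the result is the file you upload."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=PMP_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    records, issues = read_keepass_export(SAMPLE_EXPORT)
    issues += find_problems(records)
    for n, msg in issues:
        print(f"record {n}: {msg}")
    # Fix the flagged records in the source first, then build the import file.
    print(write_pmp_csv(to_pmp_rows(records, "WebApps", "KeePassImport")))
```

Run it against the real export, fix every record it lists, and only then write the PMP file; `len(rows)` is also the number to compare against the account count PMP shows for the resource group after import.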

On the Resources Menu select the resources tab if not already selected.

Click the “More Actions” button and select “import Resources”

Click “Choose file” and select the file to import and click “Next”

Select the column mapping and click “Finish”

(screenshot: CSVImport)

Watch out, this could take a long time.  Once finished you will need to check the audit log for each creation.  PMP is not going to make this easy for you, sadly.

If a resource already exists then PMP will not update that resource unless you select the “Overwrite the existing resources” check box at the bottom of the import form.

Password Manager Pro RDP gateway doesn’t work

Having successfully configured the web portal to use SSL and a certificate issued by my internal CA infrastructure I thought I was home and dry with this product.

The very next issue was getting the RDP gateway working.  PMP uses a web portal sitting on port 7273 to provide an RDP and SSH client to the PMP user.  It’s a great idea, but when I tried to use it the tab was closed immediately.  I say immediately; what actually happens is you get a popup message box asking if it’s OK to shut the tab.  It doesn’t matter what you click, it won’t work.

On the password tab there is a hyperlink “Trouble Shoot Auto Logon Issues”.  Click this and another browser window (with no URL bar) opens and displays a certificate error.  Unfortunately you can’t view the cert and the error doesn’t really tell you what the problem is.  THAT’S USEFUL MICROSOFT!

I used Chrome and that allowed me to see the certificate.  BOOM!  It’s self-signed and that’s why it’s not working.

So why oh why doesn’t ManageEngine tell you how to configure the RDP gateway to use the same certificate as the web portal?

The fix (provided by ManageEngine, by the way) is to edit the wrapper.conf file in the <PMP Install Directory>\conf folder.

(Make a copy first in case you mess this up, of course.)  You need to locate the following elements and change them to reflect the certificate.

wrapper.java.additional.21=-Djavax.net.ssl.keyStore=../conf/server.keystore
Change server.keystore to the .pfx file created in my other post.

wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=passtrix
Change passtrix to the password you used to secure the private key in the .pfx file.

wrapper.java.additional.23=-Djavax.net.ssl.keyStoreType=<keyType>
Change <keyType> to PKCS12.

Restart PMP and it should all start working.  MAGIC!

Configuring SSL for PasswordManagerPro

The PasswordManagerPro web site lists the following FAQ on how to setup an SSL certificate that is signed by a trusted Certificate Authority.

https://www.manageengine.com/products/passwordmanagerpro/faq.html#ssl

However, this discusses the use of either keytool or OpenSSL, neither of which is installed on a Windows server, and the article does not discuss the use of a Microsoft CA, which surely is a very common deployment scenario?

I worked on this for quite a while, getting quite frustrated with the poor instructions provided in the FAQ.  Once solved, the solution is amazingly easy, and I thought it worth blogging about.

Step 1: Create a certificate template that allows you to export the private key. 

Log on to the CA and launch the Certificate Authority MMC
(screenshot: launchCA)

Manage the certificate templates

(screenshot: ManageTemplates)

Duplicate the Web Server certificate template as a Windows Server 2008 Enterprise template and give the template a new name; I called mine PMP in my test lab.

Edit the template security to allow the PMP server to request a certificate

(screenshot: permissions)

On the Request Handling tab check “Allow private key to be exported” and click OK to save the template

(screenshot: requesthandling)

Close the “Manage Templates” window and then publish the certificate template to the CA by right-clicking in the Certificate Templates pane and selecting New\Certificate Template to Issue

(screenshot: templatetopublish1)

Select the template you just created and click OK

Log off the CA

Step 2: Issue the certificate to the PMP server.

Log on to the PMP server and open a new MMC

Add the Certificates snap-in to the MMC and target the computer account.

(screenshots: AddCertMMC, addMMCsnapin1, addMMCsnapin2, addlocalcomp)

Request a new certificate in the computer’s Personal store

(screenshot: reqNewCert)

Click Next on the welcome screen and Next on the enrolment screen

Select the template you created in step 1

(screenshot: request1)

Add an alternative name of type DNS containing the DNS name of the server
(screenshot: alternatesubname)

Add a friendly name and description to help identify the certificate later when exporting it
(screenshot: certName)

Click Enroll

(screenshot: enroll)

Step 3: Export the certificate and its private key

Click Next on the welcome screen, select the “Yes, export the private key” radio button and click Next.

(screenshot: exportkey)

Accept the defaults and click Next

Check the “Password” box and enter a password – this password will be used when configuring the PMP web service, so make sure you record this securely.  We can even store a copy of this key in the PMP configuration, of course.

(screenshot: export2)

Set the output filename

(screenshot: outfilename)

Click Finish to export the certificate with the associated private key

(screenshot: summary)

Step 4: Configure PMP to use the new certificate.

Stop the PMP service if it’s running

Copy the exported certificate file to the PMP/conf folder

Make a copy of the existing server.xml so you can roll back to the previous version if you need to

Edit server.xml as follows:

Locate the line containing keystoreFile="conf/server.keystore" keystorePass="passtrix"

Change it to use the certificate you exported in step 3.

keystoreFile="conf/test22.pfx" keystorePass="Password8"

Add the keystoreType attribute just after the keystorePass attribute:

keystoreType="PKCS12"

Save the file

Start the PMP server

If you followed the procedure correctly then the server will start and when you connect, using the DNS name of the server, the new trusted certificate will be used and you won’t see the cert error any more.
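The server.xml edit in this post and the wrapper.conf edit from the RDP gateway post are two halves of the same change: the web portal and the gateway each load their own keystore, and the gateway's certificate error came from the two being different. The script below is an added example, not ManageEngine's code, that rewrites both files and then audits the pair for exactly that mismatch, for the stock self-signed server.keystore and its passtrix password still being referenced, and for a .pfx declared without keystoreType PKCS12. It assumes the attribute and property names quoted in the two posts and the relative paths they use (conf/ in server.xml, ../conf/ in wrapper.conf); both sample fragments are constructed, and their port numbers and other attributes are made up.

```python
"""Rewrite and audit the keystore settings in PMP's server.xml (web portal)
and wrapper.conf (RDP/SSH gateway) so both present the same CA-issued PFX.

Added example; not ManageEngine's code. Attribute and property names are the
ones the posts quote. Both sample fragments are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """\
<Server port="7270" shutdown="SHUTDOWN">
  <!-- constructed fragment for the example; ports are made up -->
  <Service name="Catalina">
    <Connector port="7272" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/server.keystore" keystorePass="passtrix"/>
  </Service>
</Server>
"""

SAMPLE_WRAPPER_CONF = """\
wrapper.java.additional.20=-Dfile.encoding=UTF-8
wrapper.java.additional.21=-Djavax.net.ssl.keyStore=../conf/server.keystore
wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=passtrix
wrapper.java.additional.23=-Djavax.net.ssl.keyStoreType=<keyType>
"""

# Match on the -D key rather than on the .21/.22/.23 index (assumed to vary).
WRAPPER_KEY = re.compile(
    r"^(wrapper\.java\.additional\.\d+=-D)"
    r"(javax\.net\.ssl\.(?:keyStore|keyStorePassword|keyStoreType))=(.*)$",
    re.M,
)


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def _ssl_connector(root):
    found = [c for c in root.iter("Connector") if "keystoreFile" in c.attrib]
    if len(found) != 1:
        raise ValueError(f"expected one Connector with keystoreFile, found {len(found)}")
    return found[0]


def update_server_xml(text, pfx_name, pfx_password):
    """Point the SSL Connector at conf/<pfx> and add keystoreType PKCS12.
    Comments are kept so the edited file still reads like the original."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(text, parser=parser)
    connector = _ssl_connector(root)
    connector.set("keystoreFile", f"conf/{pfx_name}")
    connector.set("keystorePass", pfx_password)
    connector.set("keystoreType", "PKCS12")
    return ET.tostring(root, encoding="unicode")


def update_wrapper_conf(text, pfx_name, pfx_password):
    """Rewrite the three -Djavax.net.ssl.* properties (paths are relative to
    bin, hence ../conf/). Refuses to return a file in which any of the three
    was not found, so nothing is left unchanged silently."""
    wanted = {
        "javax.net.ssl.keyStore": f"../conf/{pfx_name}",
        "javax.net.ssl.keyStorePassword": pfx_password,
        "javax.net.ssl.keyStoreType": "PKCS12",
    }
    seen = set()

    def repl(m):
        seen.add(m.group(2))
        return f"{m.group(1)}{m.group(2)}={wanted[m.group(2)]}"

    out = WRAPPER_KEY.sub(repl, text)
    missing = sorted(set(wanted) - seen)
    if missing:
        raise ValueError(f"properties not present in wrapper.conf: {missing}")
    return out


def keystore_settings(server_xml, wrapper_conf):
    """(file, password, type) as seen by the portal and by the gateway."""
    connector = _ssl_connector(ET.fromstring(server_xml))
    portal = (_basename(connector.get("keystoreFile", "")),
              connector.get("keystorePass", ""), connector.get("keystoreType", ""))
    props = {m.group(2): m.group(3) for m in WRAPPER_KEY.finditer(wrapper_conf)}
    gateway = (_basename(props.get("javax.net.ssl.keyStore", "")),
               props.get("javax.net.ssl.keyStorePassword", ""),
               props.get("javax.net.ssl.keyStoreType", ""))
    return portal, gateway


def audit(server_xml, wrapper_conf):
    """Findings to clear before restarting PMP; empty when both files agree."""
    portal, gateway = keystore_settings(server_xml, wrapper_conf)
    findings = []
    for name, (file, password, ktype) in (("server.xml", portal), ("wrapper.conf", gateway)):
        if file == "server.keystore":
            findings.append(f"{name}: still uses the stock self-signed server.keystore")
        if password == "passtrix":
            findings.append(f"{name}: keystore password is still 'passtrix'")
        if file.lower().endswith((".pfx", ".p12")) and ktype != "PKCS12":
            findings.append(f"{name}: {file} needs keystoreType PKCS12, found {ktype!r}")
    if portal[0] != gateway[0]:
        findings.append(f"portal uses {portal[0]} but gateway uses {gateway[0]}")
    return findings
```

Running `audit()` on the two files after editing only server.xml reproduces the situation in the gateway post (portal on the CA certificate, gateway still on server.keystore); it returns an empty list only once both point at the same .pfx. Note that both files now hold the PFX password in clear text, so restrict read access on the conf folder to the PMP service account and the administrators who need it.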

That’s all folks!