PMP User Groups, Great idea BUT!

Who can administer PMP User Groups? The short answer is all PMP Administrators, and this just isn’t right; I’m hoping the vendor will fix it soon.

User groups are great but…

In setting up an area for a support team I created an AD group, imported it into PMP, set one of the new users up as a Password Admin and then provided my documentation on how to use PMP to securely store passwords.  I sat with the guy as he created a CSV file and started to import the passwords.

I showed him how to create a Resource Group using dynamic criteria so all his resources would be automatically added to the Resource Group as they were imported.  Then I showed him how to share it to all his team members using the User Group I’d setup.

Great: now he creates a CSV with all the resources in, imports the CSV, PMP adds the Resources to the Resource Group, and all of his team can access the passwords. It all happens in one step now that it’s all set up.

BUT there was a BUT in my first line!

I am not part of his team.  Currently I cannot see any Resources he added as they are not owned by nor shared to me.  BUT, and here it is, I can add myself to the PMP group and BINGO, I have access to his passwords.  That’s NOT secure.  Yes, I can AUDIT this, but the damage is done already; prevention is definitely better than the cure.

Is there a way of preventing this?

I cannot see a group owner; I’m thinking groups should be the same as Resources.  Password Admins should be able to add user groups.  They own them and can share management in exactly the same way as Resources.  That way I can set up a PMP group and then transfer ownership to the support team for subsequent management.  Leave the AD group security to me; this is out of scope of PMP’s control, and perhaps this leans me towards not using AD groups as a way of automating a Joiners/Leavers/Transfers process.

Right now the only solution I see is for this support team to share resources to Users, not User Groups, which makes the PMP User Groups useless as they present a security hole.  The downside is that for a BIG team this is going to be painfully slow for him to set up.
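Since the membership of the imported AD group is what actually gates access, the change to watch for is a member being added to that group, above all by the same account that made the change. The following PowerShell is an added example, not part of the original post: it reads the domain controller’s Security log for the group-management events and flags self-additions. It assumes the group is called PMP-Support (a hypothetical name), that it runs on or against a domain controller, and that “Audit Security Group Management” is enabled so that events 4728/4732/4756 (member added to a global/local/universal security group) and 4729/4733/4757 (member removed) are written.

```powershell
# Added example (not from the original post): who changed the membership of the AD
# group that PMP imports as a user group, taken from the DC's Security log.
# Assumes: group name 'PMP-Support' (hypothetical), a domain controller as the log
# source, and "Audit Security Group Management" enabled so 4728/4732/4756 (added)
# and 4729/4733/4757 (removed) are logged.
function Get-PmpGroupMembershipChanges {
    param(
        [Parameter(Mandatory)] [string]$GroupName,
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME    # a domain controller
    )

    $added   = 4728, 4732, 4756
    $removed = 4729, 4733, 4757
    $filter  = @{ LogName = 'Security'; Id = $added + $removed; StartTime = $Since }

    # Get-WinEvent throws when nothing matches; treat that as "no changes".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData name/value pairs out of the event XML.
        $x    = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName is the group whose membership changed.
        if ($data['TargetUserName'] -ne $GroupName) { continue }

        $action = if ($added -contains $e.Id) { 'Added' } else { 'Removed' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Action    = $action
            Group     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Member    = $data['MemberName']          # distinguishedName of the account
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            # The actor added or removed their own account: the case the post describes.
            SelfChange = ($data['MemberSid'] -eq $data['SubjectUserSid'])
            EventId   = $e.Id
        }
    }
}

# Usage: list the last week's changes, self-additions first.
Get-PmpGroupMembershipChanges -GroupName 'PMP-Support' |
    Sort-Object SelfChange -Descending |
    Format-Table Time, Action, Actor, Member, SelfChange -AutoSize
```

Group-management events are written on the domain controller that performed the change, so run this against each DC (or a collector that forwards their Security logs). Comparing MemberSid with SubjectUserSid is more reliable than comparing names, because MemberName is a distinguished name while the actor is recorded as a sAMAccountName.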

Thoughts?


Configuring SSL for PasswordManagerPro

The PasswordManagerPro web site lists the following FAQ on how to set up an SSL certificate that is signed by a trusted Certificate Authority.

https://www.manageengine.com/products/passwordmanagerpro/faq.html#ssl

However, this discusses the use of either KeyTool or OpenSSL, neither of which is installed on a Windows server, and the article does not discuss the use of a Microsoft CA, which is surely a very common deployment scenario.

I worked on this for quite a while getting quite frustrated with the poor instructions provided in the FAQ.  Once solved, the solution is amazingly easy and I thought it worth blogging about it.

Step 1: Create a certificate template that allows you to export the private key.

Log on to the CA and launch the certificate authority MMC
[screenshot: launchCA]

Manage the certificate templates

[screenshot: ManageTemplates]

Duplicate the Web Server certificate template as a Windows Server 2008 Enterprise template and give the new template a name; I called mine PMP in my test lab.

Edit the template security to allow the PMP server to request a certificate

[screenshot: permissions]

On the Request Handling tab, check “Allow private key to be exported” and click OK to save the template

[screenshot: requesthandling]

Close the “Manage Templates” window and then publish the certificate template to the CA by right-clicking in the Certificate Templates pane and selecting New\Certificate Template to Issue

[screenshot: templatetopublish1]

Select the template you just created and click OK

Log off the CA

Step 2: Issue the certificate to the PMP server.

Log on to the PMP server and open a new MMC

Add the Certificates snap-in to the MMC and target the computer account.

[screenshot: AddCertMMC]

[screenshot: addMMCsnapin1]

[screenshot: addMMCsnapin2]

[screenshot: addlocalcomp]

Request a new certificate in the computer’s personal store

[screenshot: reqNewCert]

Click Next on the welcome screen and Next on the enrolment policy screen

Select the template you created in step 1

[screenshot: request1]

Add a DNS alternative name matching the DNS name of the server
[screenshot: alternatesubname]

Add a friendly name and description to help identify the certificate later when exporting it
[screenshot: certName]

Click Enroll

[screenshot: enroll]

Step 3: Export the certificate and its private key

Start the Certificate Export Wizard on the certificate you just enrolled, click Next on the welcome screen, select the “Yes, export the private key” radio button and click Next.

[screenshot: exportkey]

Accept the defaults and click Next

Check the “Password” box and enter a password. This password will be needed when configuring the PMP web service, so make sure you record it securely.  We can even store a copy of this password in PMP itself, of course.

[screenshot: export2]

Set the output filename

[screenshot: outfilename]

Click Finish to export the certificate with its associated private key

[screenshot: summary]

Step 4: Configure PMP to use the new certificate.

Stop the PMP service if it’s running

Copy the exported certificate file to the PMP/conf folder

Make a copy of the existing server.xml so you can roll back to the previous version if you need to

Edit server.xml as follows

Locate the line containing the attributes keystoreFile="conf/server.keystore" keystorePass="passtrix"

Change them to point at the certificate file you exported in step 3, using the password you set when exporting it, for example:

keystoreFile="conf/test22.pfx" keystorePass="Password8"

Add the keystoreType attribute just after the keystorePass attribute, because the exported file is a PKCS#12 bundle rather than a Java keystore:

keystoreType="PKCS12"

Save the file

Start the PMP server

If you followed the procedure correctly, the server will start, and when you connect using the DNS name of the server the new trusted certificate will be used and you won’t see the certificate error any more.
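Steps 2 to 4 can also be done from PowerShell on the PMP server, which makes the procedure repeatable when the certificate is renewed. The script below is an added example and not code from the original post or from ManageEngine. It assumes the template published in step 1 is called PMP (the name used above), that the server’s DNS name is pmp.example.com, that PMP is installed under C:\ManageEngine\PMP, that its Windows service name is supplied in $ServiceName (a placeholder here), and that it listens on 7272, the product’s default HTTPS port; all of these are assumptions to adjust for your environment. It needs the PKI module (Windows Server 2012 or later) and an elevated prompt. The final function is the check the post describes in prose: connect by DNS name and confirm that the served certificate is the one you enrolled and that the local trust store accepts its chain.

```powershell
# Added example, not from the original post: automate steps 2-4 and verify the result.
# Assumptions (hypothetical, adjust to taste): template 'PMP', DNS name pmp.example.com,
# PMP installed under C:\ManageEngine\PMP, its service name in $ServiceName (placeholder),
# and HTTPS on 7272 (the product default). Run elevated on the PMP server.
param(
    [string]$TemplateName = 'PMP',
    [string]$DnsName      = 'pmp.example.com',
    [string]$PmpHome      = 'C:\ManageEngine\PMP',
    [string]$ServiceName  = 'PLACEHOLDER-PMP-SERVICE-NAME',
    [string]$PfxName      = 'pmp-server.pfx',
    [int]   $Port         = 7272
)

# Step 2: enrol against the enterprise CA straight into the computer's personal store.
# The template from step 1 must grant the PMP computer account Enroll rights.
$enrol = Get-Certificate -Template $TemplateName -SubjectName "CN=$DnsName" `
                         -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enrol.Status -ne 'Issued') { throw "Enrolment did not complete: $($enrol.Status)" }
$cert = $enrol.Certificate
$cert.FriendlyName = "PMP web service ($DnsName)"   # same purpose as the friendly name in step 2

# Step 3: export certificate plus private key as PKCS#12 under a password you record securely.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Keystore password'
$pfxPath     = Join-Path $PmpHome "conf\$PfxName"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 4: stop PMP, back up server.xml, repoint the HTTPS connector, start PMP.
Stop-Service -Name $ServiceName
$serverXml = Join-Path $PmpHome 'conf\server.xml'
Copy-Item -Path $serverXml -Destination "$serverXml.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$doc  = Get-Content -Path $serverXml -Raw
$connector = $doc.SelectSingleNode('//Connector[@keystoreFile]')
if (-not $connector) { throw "No Connector with a keystoreFile attribute found in $serverXml" }
$plain = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
$connector.SetAttribute('keystoreFile', "conf/$PfxName")
$connector.SetAttribute('keystorePass', $plain)
$connector.SetAttribute('keystoreType', 'PKCS12')   # exported file is PKCS#12, not a JKS keystore
$doc.Save($serverXml)
Start-Service -Name $ServiceName

# Check: connect by DNS name and confirm the served certificate is the one we enrolled
# and that this machine's trust store accepts its chain.
function Test-ServedCertificate {
    param([string]$HostName, [int]$Port, [string]$ExpectedThumbprint)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept anything at the TLS layer so the certificate can be inspected explicitly below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $served.Subject
            Thumbprint   = $served.Thumbprint
            NotAfter     = $served.NotAfter
            IsExpected   = ($served.Thumbprint -eq $ExpectedThumbprint)
            ChainTrusted = $served.Verify()    # builds and validates the chain against the local stores
        }
    } finally { $client.Dispose() }
}

Start-Sleep -Seconds 30   # give the Tomcat-based web service time to come up
Test-ServedCertificate -HostName $DnsName -Port $Port -ExpectedThumbprint $cert.Thumbprint
```

Both the manual procedure and this script leave the keystore password in clear text in conf/server.xml, as the FAQ’s own default does, so restrict NTFS permissions on the PMP conf folder to the service account and administrators. The check function is also useful on its own after a renewal: IsExpected false means the old keystore is still being served, and ChainTrusted false on a domain-joined client usually means the issuing CA is not in that machine’s trusted roots.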

That’s all folks!