7.7. Accounts

This chapter describes the accounts page and how the accounts can be managed. The following topics are included in this chapter:

7.7.1. Manage accounts

The Manage accounts page contains a list of accounts separated into a number of tabs depending on the account type:

  • Device accounts: accounts that exist locally on each of the provisioned devices within PxM.

  • Active Directory accounts: lists the accounts that exist on the Active Directory that is being used by PxM as the user authentication service.

    Note

    The accounts listed may be limited to a number of Groups of interest depending on how your Active Directory settings have been configured. See Adding an Active Directory.

  • Static accounts: accounts that have been stored in the PxM static vault. See Manage static vaults.

  • Service accounts: accounts that have been configured on an Active Directory Authentication service and are being actively used by member servers.

Note

The account marked as the control account will be used by PxM for day-to-day interactions with the device, for which the credentials will be stored in PxM.

When devices are provisioned, PxM audits the accounts that exist on the device and lists them here. After the initial provisioning, device accounts can be audited through the following methods:

  • Scheduling a device audit task through a profile.
  • Executing the device audit task against an individual device.
  • Adding or removing a device from a profile.

During the device audit, each account is given a state. Use the account state to review, assess and tidy up the accounts that exist on the device. Device accounts that are still operational should have their state changed appropriately (see Changing states), and any unused or potentially rogue accounts should be removed.

The list below describes the options available for managing device accounts and the states (Fully managed, Unapproved, Approved, Known, Managed) in which each option applies.

  • State can be changed (only if it is not a control account): Unapproved, Approved, Known, Managed.
  • Account already exists on the device: Unapproved, Approved, Known, Managed.
  • Account created by PxM: Fully managed.
  • PxM knows about the account, as it is either listed in the device template, marked as a control account or created by PxM: Fully managed, Approved, Known, Managed.
  • Credential refresh can be scheduled through a profile using the ‘Device Credentials Regeneration task’: Fully managed, Managed.
  • Individual device credentials can be updated using the ‘Force credentials refresh’ task: Fully managed, Managed.
  • Account can be reprovisioned: Fully managed.
  • Account can be locked (only if it is not a control account)*: Fully managed, Unapproved, Approved, Known, Managed.
  • Account can be unlocked*: Fully managed, Unapproved, Approved, Known, Managed.
  • Delete a local account (only if it is not a control account)*: Fully managed, Unapproved, Approved, Known, Managed.
  • Delete a local account which is using an Authentication service: none of the states.

Note

* Only applies if the device template includes a command that performs the task.


7.7.1.1. Changing states

When updating device account states, the following rules will apply.

  • Unapproved to Approved: The account is marked as Approved.
  • Unapproved/Approved to Known: The account credentials are supplied to PxM. PxM stores the credentials without changing them.
  • Known to Managed: PxM will change the existing credentials of the account on the device and will now manage the credentials. Users will no longer know the credentials.
  • Any to Fully managed: N/A – only accounts created by PxM can be Fully managed.
  • Fully managed to Any: N/A – only accounts created by PxM can be Fully managed.
  • Managed to Known: PxM will prompt the user to enter new account credentials. These credentials are then set on the device and stored in PxM. The credentials will no longer be managed by PxM.
  • Known to Unapproved/Approved: The account is marked as unapproved/approved and will not be used by PxM.
  • Managed to Unapproved/Approved: User resets the credentials, which are set on the device. PxM loses the ability to use the device account.

7.7.2. Creating an account

This functionality allows you to create a PxM control account or breakglass account for devices with local accounts. To create an account for a static vault see Creating an account in the static vault.

A control account should only be created if the device currently has a Known or Managed control account, and no PxM management accounts (osirium1 or osiriumbg) exist on the device.

To create a PxM managed account on the device:

  1. Within the Manage accounts page, click on the Device accounts tab.

    Webui Device accounts tab

  2. Click the Create account button (plus icon).

    WebUI Create account window

  3. Within the Create account window, fill in the following details:

    Heading Description
    Device:

    Select a device from the devices provisioned in PxM.

    Note

    PxM will audit local accounts of member servers if they are not managed by Active Directory. Active Directory managed member servers will not be listed in the device list.

    Create new:

    Select the account type which will be created on the device:

    • control account: creates a Fully managed account on the device called osirium1.

      The account will be marked as the control account, and used by PxM to manage the device.

    • breakglass account: creates a PxM breakglass account on the device called osiriumbg.

      The breakglass account will be listed when you generate a breakglass PDF, along with any other Known and Managed accounts on that device.

    State: Default state is “Fully managed” and cannot be changed.
    Provision using:

    Select the account that will be used by PxM to create the account on the device:

    • current control account: This is the account PxM is currently using to manage the device. It will be marked on the Manage accounts page as a control account.

    • specified account: Selecting this option will prompt you to enter the credentials of an account that exists on the device. PxM will use these credentials to create the new account.

      Note

      This option is NOT available when creating a breakglass account.

  4. Click Create.

    • The account will be queued for creation (Create control account / breakglass). The task will be visible in the System Queue.

    • The created account will appear in the Manage accounts page list.

    • The account’s state will be Fully managed.

      Webui Created device accounts


Reprovisioning

Only Fully managed accounts can be reprovisioned. This option can be used if PxM has lost control of the account.

To reprovision a control account, you will need to provide details of an account on the device which can perform the reprovision. The reprovision account task is then run.

Reprovisioning a Fully managed account that is not a control account does not require you to provide details of an account, as the control account will be used to logon to the device and reprovision the selected accounts.

7.7.3. Active Directory accounts

The Active Directory accounts tab displays all the accounts that exist on the Active Directory you have provisioned in PxM.

Note

If your Active Directory has Groups of interest listed, then only the accounts belonging to the groups of interest will be listed.

If no Groups of interests are listed, then all accounts that exist in the Active Directory Users container will be listed.

PxM communicates with the Active Directory and mirrors the status of the account as it is in Active Directory. PxM cannot modify or delete the account.

If a change is made in the Active Directory, the change will be reflected in PxM during the next synchronise cycle.

Note

Only accounts with a state of Known or higher can be made a control account.

Service control account: If discovered, it is marked with a checked box and used by PxM to:

  • Create and delete PxM accounts/groups on the Active Directory Service.
  • Refresh passwords on the Active Directory.

Device control account: Marked with a checked box and used by PxM to run tasks on the member servers.

State: A State is set for each of the accounts discovered when a DeviceAudit task is run. See Manage accounts.

Active Directory: The name of the Active Directory on which the account exists.
Account: Name of the account that exists on the Active Directory.
Display name: Display name that exists on the Active Directory.
User logon name: The UPN (User Principal Name) of the account, which consists of the UPN prefix (user account name) and the UPN suffix (the FQDN of the Active Directory).
sAMAccountName: Pre-Windows 2000 logon name that exists on the Active Directory.
Locked: Reflects the account status (disabled/enabled) as indicated on the Active Directory. Active Directory accounts cannot be locked/unlocked in PxM.
Credential(s) changed: Timestamp of when the account credential(s) were last changed.
Failed logon: Timestamp of the last failed logon attempt made when the account is used to connect to Active Directory or a device through PxM.
Linked to user: The PxM user to which the account is linked.

7.7.3.1. Trigger audit button

Note

Only available for Active Directory accounts.

When the Trigger audit button is clicked, PxM runs the Audit Authentication Service and Audit Service Accounts tasks.

These tasks allow PxM to contact the Active Directory over LDAPS and update the Active Directory account information and the service accounts displayed in PxM.


7.7.4. Static accounts tab

The static accounts tab lists all the accounts that have been stored in the PxM static vault.

Device control account: Marked with a checked box if the stored account has been used to provision a device.
State: A State is set for each of the accounts discovered when a DeviceAudit task is run. See Manage accounts.
Static vault: The name of the static vault the account belongs to.
Account: The name of the account stored in the static vault.
Locked: Reflects the account status (disabled/enabled).
Credential(s) changed: Timestamp of when the account credential(s) were last changed.
Failed logon: Timestamp of the last failed logon attempt made when the account is used to connect to a device through PxM.
Linked to user: The PxM user to which the account is linked.

7.7.5. Service accounts tab

Service accounts that have been configured on an Active Directory and that are being actively used by member servers can be audited and managed here.

Before the service accounts can be seen, the following needs to happen:

  1. The Authentication service device needs to be provisioned in PxM. See Active Directory.

  2. The member server device(s) needs to be provisioned in PxM. See Adding an Active Directory member device using an Authentication service.

  3. On the Manage accounts page, click on the Active Directory accounts tab.

  4. Click the Trigger audit button. The Choose service window appears.

  5. On the Choose service window, select an Active Directory.

  6. Click Proceed.

    The following tasks will be run:

    • Audit Authentication Service: audits the accounts on the provisioned Active Directory. The accounts discovered will then be listed on the Manage accounts > Active Directory accounts tab.

    • Audit Service Accounts: connects to each provisioned member server and audits every service running under a domain account (not local service or local system accounts). The services and accounts being used are then visible on the Manage accounts > Service accounts tab.

      The following information is presented in the Service accounts table:

      Service: Name of the service the account is managing on the member server.
      Account: Name of the account the service is using.
      State: A State is set for each of the accounts discovered when a DeviceAudit task is run. See Manage accounts.
      Device: The name of the device on which the service was discovered.
      Service last updated: The date when the service was last updated by the Service Accounts Scan and Update Service Password tasks.

7.7.5.1. Managing Service account passwords

Another feature of Service Accounts is auditing and updating service account passwords. Service account passwords for all provisioned member servers can be managed from one central location. Schedules can also be created to manage password refreshes in accordance with your company’s password policy.

Before service account passwords can be managed, the correct tasks are required in the template.

The tasks are:

  • Discover Service accounts: This task finds all the services on each member server and returns a list of service names. Each service is then queried individually by name and its logon account found. If a logon account matches an account audited from the authentication service, that account is added to the Service accounts tab. This task can be scheduled to run within a profile.
  • Service Accounts Scan: This task scans the PxM database to determine which service device account passwords are managed by PxM. This task can be scheduled through a profile or run as a user task.

Service Accounts template manage password tasks

Therefore, to manage service account passwords:

  1. Provision an Authentication service and then provision your member server device(s).
  2. Trigger an Authentication service audit on the Manage accounts > Authentication Service accounts tab.
  3. On Manage accounts > Authentication Service accounts tab, set the State of the account accordingly.
  4. Create a profile and add your member server device(s) for which you want to manage the service account passwords.
  5. Add the tasks Discover Service Accounts, Regenerate passwords for all devices attached to profile and Service Accounts Scan, and select a schedule for each. Ensure that the schedules are at least 15 minutes apart, in the order listed. New schedules can be created on the Creating a schedule page.

Note

In order for PxM to successfully manage service account passwords, every member server device that uses the service account must be provisioned within PxM. Otherwise, when PxM updates the service account password on the Active Directory and on the service configuration on each member server device, any unprovisioned devices using the service account password will have the old password saved and the service will fail to stop/start.


7.7.6. SSH keys in PxM

7.7.6.1. What is SSH key authentication and how does it work in PxM?

SSH key authentication provides cryptographically stronger device protection than using long, complex passwords. It uses a pair of SSH keys: a public key copied to the server and a private key held by the connecting client. For PxM-managed accounts, PxM is the only holder of the private key.

Note

SSH keys on PxM are imported as RSA private keys in PEM format, with bit length <= 8K. PxM exports and manages public keys in the OpenSSH format.

PxM allows devices with templates supporting SSH keys to be provisioned using SSH keys instead of, or alongside, passwords. When provisioning such a device, PxM allows you to authenticate the test connection account using an SSH private key. If the private key is encrypted, a passphrase should also be provided.

WebUI Device access details

After adding a managed user to the device, PxM creates an authorized_keys file in the user’s home directory, where the public key is stored. A private key is also generated and held by PxM. Password authentication is available for these users.
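As an added example (not PxM code), the following stdlib-only Python checks a private key against the import constraints stated above (RSA, PEM format, modulus of at most 8K bits, passphrase required for an encrypted key) and derives the OpenSSH-format public key line, so the entry written to a user's authorized_keys can be compared with the private key held in the vault. The DER/PEM helpers, the function names and the tiny synthetic key used in the test are assumptions for illustration only; real keys have 2048-bit or larger moduli.

```python
import base64
import re
MAX_BITS = 8192                                        # stated upper bound for imported RSA keys
RSA_OID = bytes.fromhex("06092a864886f70d010101")      # DER-encoded OID rsaEncryption (PKCS#8 header)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _seq_members(der):
    """Members of a top-level DER SEQUENCE: INTEGERs as int, other members as raw bytes."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    members, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        members.append(int.from_bytes(val, "big") if tag == 0x02 else val)
    return members

def pem_to_der(pem):
    """Split a PEM block into (label, header lines, DER bytes)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM-encoded key")
    lines = m.group(2).strip().splitlines()
    headers = [ln for ln in lines if ":" in ln]        # Proc-Type / DEK-Info lines of an encrypted key
    return m.group(1), headers, base64.b64decode("".join(ln for ln in lines if ":" not in ln))

def der_to_pem(der, label):                            # wraps DER in PEM; used to build the synthetic test key
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def openssh_public_key(n, e, comment="pxm-managed"):
    """Encode (n, e) as the 'ssh-rsa AAAA...' line that an authorized_keys entry carries."""
    def string(b):                                     # SSH wire string: 4-byte big-endian length + bytes
        return len(b).to_bytes(4, "big") + b
    def mpint(x):                                      # SSH mpint: leading 0x00 when the high bit is set
        return string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    blob = string(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def inspect_private_key(pem):
    """Check a key against the import constraints (RSA, PEM, <= 8192 bits); derive its public key."""
    label, headers, der = pem_to_der(pem)
    result = {"format": label, "encrypted": False, "bits": None, "ok": False, "public_key": None}
    if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
        return {**result, "encrypted": True, "ok": True,   # modulus cannot be read without the passphrase
                "reason": "encrypted key: the passphrase must be supplied at import"}
    if label == "RSA PRIVATE KEY":                     # PKCS#1 RSAPrivateKey
        ints = _seq_members(der)
    elif label == "PRIVATE KEY":                       # PKCS#8 PrivateKeyInfo wrapping a PKCS#1 key
        outer = _seq_members(der)
        if RSA_OID not in outer[1]:
            return {**result, "reason": "PKCS#8 key is not an RSA key"}
        ints = _seq_members(outer[2])
    else:
        return {**result, "reason": f"{label} is not a PEM RSA key; convert it with ssh-keygen -p -m PEM"}
    n, e = ints[1], ints[2]                            # RSAPrivateKey: version, modulus, publicExponent, ...
    bits = n.bit_length()
    return {**result, "bits": bits, "ok": bits <= MAX_BITS, "public_key": openssh_public_key(n, e),
            "reason": "" if bits <= MAX_BITS else f"modulus is {bits} bits, limit is {MAX_BITS}"}
```

The public_key value returned for a real key can be diffed against the line PxM placed in the managed user's authorized_keys to confirm the installed public key matches the stored private key.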

WebUI Device accounts

Where available, SSH key authentication takes precedence over password authentication. Therefore, password authentication can be switched off on the device, if desired, provided that the control account is configured for SSH key authentication.

The Reveal Credentials tool displays account passwords, SSH private keys and SSH key passphrases for encrypted keys through the web UI and the PxM Client.

WebUI Reveal credentials tool

Static accounts exist within static vaults. These accounts can also be provisioned with SSH private keys, as well as passwords.

WebUI Create static account

SSH keys on managed accounts are rotated in the same way as passwords, so the Regenerate Account Credentials task also regenerates the account’s SSH key and SSH key passphrase.

SSH key support works on a per-template basis. To see which devices currently have templates with SSH key support, refer to the Latest Template Package on the Osirium Support portal.

7.7.7. Troubleshooting account passwords

In case of network failure between PxM Virtual Appliance and a device, breakglass can be used to reveal the password of an account stored in PxM. This can then be used to access the device directly.

There are a number of ways a breakglass password can be revealed:

  • Breakglass PDF
  • Breakglass KeePass file
  • Reveal Credentials tool
  • PxM Virtual Appliance Web Management Interface window

Note

When logging password reveals, PxM highlights if a password was revealed outside of the PxM Client on the Web Management Interface.

7.7.7.1. Generate breakglass PDF or KeePass file

The breakglass PDF can be generated by a SuperAdmin, encrypted and stored periodically for cases when the virtual appliance console may not be accessible.

You can breakglass the passwords of any account which is:

  • A control account
  • In the Known state
  • In the Managed state

The PDF generated will include all the account passwords for all the devices managed by the PxM Virtual Appliance and which exist in the keystore database. The information will be grouped by device and will only be valid at the time of generation.

Alternatively, you can generate an encrypted KeePass file, which can be opened using the KeePass application and a password. This file contains SSH private keys and passphrases, as well as account passwords.

To generate a breakglass report:

  1. In the left-hand menu, in the MANAGE section, click Accounts.

  2. On the Manage accounts page, click Generate breakglass (PDF icon). The Generate breakglass PDF window appears.

    WebUI Generate breakglass PDF window

  3. Within the Generate breakglass PDF window, enter the following:

    Format: Select one of the following breakglass file formats:

    • PDF
    • KeePass

    My password: Your PxM logon password.

    File password: The password that will be used to encrypt the breakglass file.

    Note

    If a password policy has been configured then this password must conform to the policy settings. See PxM Platform Password Policy.

    File password again: Confirm the above.
  4. Click Generate. Wait while your credentials are verified and the file is downloaded.

  5. If you are generating a PDF:

    • A browser window will open and you will be asked to enter your PDF password to open the document.

      PDF Viewer password required

    • Click SUBMIT. The breakglass PDF appears.

    If you are generating a KeePass file:

    • The KeePass file will download.
    • Open the KeePass file and follow the on-screen steps.

    Note

    All SuperAdmins can use the Reveal Credentials functionality to reveal individual account credentials. See Reveal Credentials.

    WebUI Action unsupported screenshot

  6. If the template does support locking of device accounts then the task will be queued. Click Acknowledge in the Action notification window.

    WebUI Lock task queued screenshot


7.7.7.2. Reveal Credentials

Allows you to reveal the account credentials (passwords and SSH keys).

  1. On the Manage accounts page, right-click an account on the table and click Reveal credentials.

    Note

    Credentials can be revealed for Fully managed, Known and Managed accounts only.

  2. Within the Reveal credentials note window, click Yes to decrypt the account credentials.

  3. Account credentials can now be revealed by moving the mouse over the relevant credential field or pressing CTRL+C to copy the credential. The credential is visible for 30 seconds.

    WebUI Reveal Credential

  4. Once you have retrieved the account credentials, click Close.

7.7.7.3. Virtual Appliance console window

Using the console window:

  1. Logon to your environment and open PxM.

  2. Within the PxM Virtual Appliance Console window, use the arrow keys to navigate to the Retrieve Passwords option and hit ENTER.

    Console retrieve passwords screenshot

  3. Enter the Master Encryption Key.

    Console master encryption key screenshot

  4. Use the arrows to navigate and select OK.

  5. Use the arrow keys to scroll through the list of devices. Select the one you want and then hit ENTER.

  6. Use the arrow keys to select the account you wish to breakglass, and hit ENTER.

  7. The credentials are revealed.

7.7.7.4. Update stored credentials

If the stored credentials for a control account, either Managed or Known, have changed on the device, and no other account on the device has the same administrator rights, PxM will no longer be able to communicate with the device.

In this situation, the Update stored credentials task can be used to replace the credentials currently stored in PxM with the new credentials of the account.

To update account credentials stored in PxM:

  1. Right-click an account and select Update stored credentials from the context menu. The Enter account credentials window appears.

    Update stored password

  2. Provide the new credentials.

    To provide a new password:

    • In the Existing password field, type the new password.
    • In the Password again field, type the new password again to confirm.

    To provide a new SSH private key:

    • Click the SSH private key field. The Edit value window appears.
    • In the Edit value window, click Choose file.
    • Locate the SSH private key and click Open.
    • In the Edit value window, click Upload.
    • If necessary, type a new SSH key passphrase in the SSH key passphrase field.
  3. Click Proceed. The Action queue window appears.

  4. When the task completes, click Done.

Note

To remove account credentials, select the checkbox to the left of the credential field and click Proceed.

7.7.7.5. Account history

The account history starts from when the account was first audited. All PxM-generated historical credentials and account states are viewable here.

To view the account credentials history:

  1. On the Manage accounts page, right-click an Account and click Account history.

    Note

    Credentials can be revealed for Fully managed, Known and Managed accounts only.

    Manage account history

  2. Within the Account history for window, you will see the following information.

    Active from: The date/time the credentials were active from.
    State: The account state at the time the credentials were used.
    Password: The password used.
    SSH private key: The SSH private key used. Hover over it to view or press CTRL+C to copy.
    SSH key passphrase: The SSH key passphrase used, if any. Hover over it to view or press CTRL+C to copy.
    Used for: The duration the credentials were used.
  3. Once you have finished, click Close.