Skip to content

Managing accounts

This section describes the accounts page and how the accounts can be managed. The following topics are included in this section:

Manage accounts

The Manage accounts page contains a list of accounts separated into a number of tabs depending on the account type:

  • Device accounts: accounts that exist locally on each of the provisioned devices.

  • Active Directory accounts: lists the accounts that exist on the Active Directory that is being used as the user account source.

Note

The accounts listed may be limited to a number of Groups of interest depending on how your Active Directory settings have been configured. See Adding an Active Directory.

  • Static accounts: are the accounts that have been stored in the Osirium PAM static vault.
    See Manage Static Vaults.

  • Service accounts: are accounts that have been configured on an Active Directory Account source and are being actively used by member servers.

Note

The account marked as the control account will be used by Osirium PAM for day-to-day interactions with the device, for which the credentials will be stored in Osirium PAM.

Manage accounts table

When devices are provisioned, Osirium PAM audits the accounts that exist on the device and lists them here. After the initial provisioning, device accounts can be audited through the following methods:

  • Scheduling a device audit task through a profile.
  • Executing the device audit task against an individual device.
  • Adding or removing a device from a profile.

During the device audit, the account is given a state. Use the account state to review, assess and tidy up the accounts that exist on the device. Device accounts that are still operational should have their state changed appropriately (see Changing States) and any unused or potential rogue accounts should be removed.

The table below provides a description of what the individual device states mean and the options available for managing them.

Fully managed Unapproved Approved Known Managed
State can be changed (only if it is not a control account) X X X X
Account already exists on the device X X X X
Account created by Osirium PAM X
Osirium PAM knows about the account as it is either listed in the device template, marked as a control account or created by Osirium PAM X X X X
Credential refresh can be scheduled through a profile using the Device Credentials Regeneration task X X
Individual device credentials can be updated using the Force credentials refresh task X X
Account can be reprovisioned X
Account can be locked (only if it is not a control account) X X X X X
Account can be unlocked X X X X X
Delete a local account (only if it is not a control account) X X X X X
Delete a local account which is using an Account source

Note

Only applies if the device includes a command in the device template that performs the task.

Changing states

When updating device account states, the following rules will apply.

From To What happens
Unapproved Approved The account is marked as Approved.
Unapproved/Approved Known The account credentials are supplied to Osirium PAM. Osirium PAM stores the credentials without changing them.
Known Managed Osirium PAM will change the existing credentials of the account on the device and will now manage the credentials. Users will no longer know the credentials.
Any Fully managed N/A – only accounts created by Osirium PAM can be Fully managed.
Fully managed Any N/A – only accounts created by Osirium PAM can be Fully managed.
Managed Known Osirium PAM will prompt the user to enter new account credentials. These credentials are then set on the device and stored in Osirium PAM. The credentials will no longer be managed by Osirium PAM.
Known Unapproved/Approved The account is marked as unapproved/approved and will not be used by Osirium PAM.
Managed Unapproved/Approved User resets the credentials, which are set on the device. Osirium PAM loses the ability to use the device account.

Reprovisioning

Only Fully managed accounts can be reprovisioned. This option can be used if Osirium PAM has lost control of the account.

To reprovision a control account, you will need to provide details of an account on the device which can perform the reprovision. The reprovision account task is then run.

Reprovisioning a Fully managed account that is not a control account does not require you to provide details of an account, as the control account will be used to logon to the device and reprovision the selected accounts.

Active Directory accounts

The Active Directory accounts tab displays all the accounts that exist on the Active Directory you have provisioned in Osirium PAM.

Note

If your Active Directory has Groups of interest listed, then only the accounts belonging to the groups of interest will be listed.

If no Groups of interests are listed, then all accounts that exist in the Active Directory Users container will be listed.

Osirium PAM communicates with the Active Directory and mirrors the status of the account as it is in Active Directory. Osirium PAM cannot modify or delete the account.

If a change is made in the Active Directory then the changes will be reflected in Osirium PAM during the next sychronise cycle. Synchronisation of accounts is done with diacritic (accents added to words) insensitivity and case insensitivity to ensure duplicate accounts are not created in Osirium PAM and mapped to the same Active Directory account.

Note

Only accounts with a state of Known or higher can be made a control account.

Heading Description
Service control account If discovered, will be marked with a Checked box icon and used by Osirium PAM to:
- Create and delete Osirium PAM accounts/groups on the Active Directory Service.
- Refresh passwords on the Active Directory.
Device control account Will be marked with a Checked box icon and used by Osirium PAM to run tasks on the member servers.
State A State is set for each of the accounts discovered when a DeviceAudit task is run.
Active Directory The name of the Active Directory on which the account exists.
Account Name of the account that exists on the Active Directory.
Display name Display name that exists on the Active Directory.
User logon name Is the UPN (User principle name) format which consists of the UPN prefix (user account name) and the UPN suffix (the FQDN) of the Active Directory.
sAMAccountName Pre-Windows 2000 logon name that exists on the Active Directory.
Locked Reflects the account status (disabled/enabled) as indicated on the Active Directory. Active Directory accounts cannot be locked/unlocked in Osirium PAM.
Credential(s) changed Timestamp of when the account credential(s) were last changed.
Failed logon Timestamp of the last failed logon attempt made when the account is used to connect to Active Directory or device through Osirium PAM.
Linked to user Osirium PAM user to which the account is linked.

Trigger audit button

Note

Only available for Active Directory accounts.

When the Trigger audit button is clicked, Osirium PAM runs the Audit Account Source and Audit Service Accounts tasks.

These tasks allow Osirium PAM to contact the Active Directory over LDAPS and update the Active Directory account information and the service accounts displayed.

Static accounts tab

The static accounts tab lists all the accounts that have been stored in the static vault.

Heading Description
Device control account Will be marked with a Checked box icon if the account stored has been used to provision a device.
State A State is set for each of the accounts discovered when a DeviceAudit task is run.
Static vault The name of the static vault the account belongs to.
Account Lists the name of the accounts stored in the static vault.
Locked Reflects the account status (disabled/enabled).
Credential(s) changed Timestamp of when the account credential(s) were last changed.
Failed logon Timestamp of the last failed logon attempt made when the account is used to connect to a device through *Osirium PAM.
Linked to user Osirium PAM user to which the account is linked.

Service accounts tab

Service accounts that have been configured on an Active Directory and that are being actively used by member servers can be audited and managed here.

Before the service accounts can be seen, the following needs to happen:

  1. The Account source device needs to be provisioned in *Osirium PAM. See Active Directory Integration in Osirium PAM.

  2. The member server device(s) needs to be provisioned in *Osirium PAM. See Adding an Active Directory.

  3. On the Manage accounts page, click on the Active Directory accounts tab.

  4. Click the Trigger audit button. The Choose service window appears.

  5. On the Choose service window, select an Active Directory.

  6. Click Proceed.

    The following tasks will be run:

    • Audit Account Source: audits the accounts on the provisioned Active Directory. The accounts discovered will then be listed on the Manage accounts > Active Directory accounts tab.

    • Audit Service Accounts: connects to each provisioned member server and audits every service running under a domain account (not local service or local system accounts). The services and accounts being used are then visible on the Manage accounts > Service accounts tab.

    The following information is presented in the Service accounts table:

    Heading Description
    Service Name of the service the account is managing on the member server.
    Account Name of the account the service is using.
    State A State is set for each of the accounts discovered when a DeviceAudit task is run.
    See Manage Accounts.
    Device The name of the device that the service was discovered.
    Service last updated Reflects the date when the service was last updated by the Service Accounts Scan and Update Service Password tasks.

Managing service account passwords

Another feature of Service Accounts is auditing and updating service account passwords. Service account passwords for all provisioned member servers can be managed from one central location. Schedules can also be created to manage password refreshes in accordance with your company's password policy.

Before service account passwords can be managed, the correct tasks are required in the template.

The tasks are:

  • Discover Service accounts: This task will find all the services on each member server and return a list of service names. Each service is then individually queried by name and logon account found. If a logon account matches an account we have audited from the authentication service, that account will be added to the Service accounts tab. This task can be scheduled to run within a profile.

  • Service Accounts Scan: This task scans the database to determine which service device account passwords are managed by Osirium PAM. This task can be scheduled through a profile or run as a user task.

Service Accounts template manage password tasks

Therefore, to manage service account passwords:

  1. Provision an Account source and then provision your member server device(s).

  2. Within the Manage Account window click the Service accounts tab.

  3. The Service accounts tab is displayed. Trigger an Account source audit.

  4. On the Service accounts tab, set the State of the account accordingly.

  5. Create a profile and add your member server device(s) for which you want to manage the service account passwords.

  6. Add the tasks Discover Service Accounts and Regenerate passwords for all devices attached to the profile and Service Accounts Scan, and select a schedule for each.

    Ensure that schedules are at least 15 mins apart in the order listed. New schedules can be created on the Manage Schedules page.

    Note

    In order for Osirium PAM to successfully manage service account passwords, every member server device that uses the service account must be provisioned within Osirium PAM.

    Otherwise, when Osirium PAM updates the service account password on the Active Directory and on the service configuration on each member server device, any unprovisioned devices using the service account password will have the old password saved and the service will fail to stop/start.

SSH keys in Osirium PAM

What is SSH key authentication and how does it work in the Osirium PAM?

SSH key authentication provides cryptographically stronger device protection than using long, complex passwords. SSH key authentication involves using of a pair of SSH keys, a public key copied to the server and a private key held by the connecting client. For Osirium PAM managed accounts, Osirium PAM is the only holder of the private key.

Note

SSH keys on Osirium PAM are imported as RSA private keys in PEM format, with bit length <= 8K. Osirium PAM exports and manages public keys in the OpenSSH format.

Osirium PAM allows devices with templates supporting SSH keys to be provisioned using SSH keys instead of, or alongside, passwords. When provisioning such a device, Osirium PAM allows you to authenticate the test connection account using an SSH private key. If the private key is encrypted, a passphrase should also be provided.

Device access details

After adding a managed user to the device, Osirium PAM creates an authorized_keys file in the user’s home directory, where the public key is stored. A private key is also generated and held by Osirium PAM. Password authentication is available for these users.

Device account management tab

Where available, SSH key authentication takes precedence over password authentication. Therefore, password authentication can be switched off on the device, if desired, provided that the control account is configured for SSH key authentication.

The Reveal Credentials tool displays account passwords, SSH private keys and SSH key passphrases for encrypted keys through the UI.

Reveal credentials tool

Static accounts exist within static vaults. These accounts can also be provisioned with SSH private keys, as well as passwords.

Create static account

SSH keys on managed accounts are rotated in the same way as passwords, so the Regenerate Account Credentials task also regenerates the account’s SSH key and SSH key passphrase.

SSH key support works on a per-template basis. To see which devices currently have templates with SSH key support, refer to the Latest Template Package on the Osirium Support portal.

Troubleshooting account passwords

In case of network failure between the server and a device, breakglass can be used to reveal the password of an account stored in Osirium PAM. This can then be used to access the device directly.

There are a number of ways a breakglass password can be revealed:

Note

When logging password reveals, Osirium PAM highlights if a password was revealed outside of the UI on the Admin Interface.

Generate Breakglass PDF or KeePass file

The breakglass PDF can be generated by a superadmin, encrypted and stored periodically for cases when the server console may not be accessible.

You can breakglass the passwords of any account which is:

  • A control account
  • In the Known state
  • In the Managed state

The PDF generated will include all the account passwords for all the devices managed and which exist in the keystore database. The information will be grouped by device and will only be valid at the time of generation.

Alternatively, you can generate an encrypted KeePass file, which can be opened using the KeePass application and a password. This file contains SSH private keys and passphrases, as well as account passwords.

To generate a breakglass report:

  1. In the left-hand menu, in the Manage section, click Accounts.

  2. On the Manage accounts page, click PDF icon Generate breakglass. The Generate breakglass PDF window appears.

    Generate breakglass PDF

  3. Within the Generate breakglass PDF window, enter the following:

    Heading Description
    Format Select one of the following breakglass file formats:
    - PDF
    - KeePass
    My password Your Osirium PAM logon password.
    File password The password that will be used to encrypt the breakglass file.

    NOTE If a password policy has been configured then this password must conform to the policy settings.

    See PAM Server Local Password Policy.

    File password again Confirm the above.
  4. Click Generate. Wait while your credentials are verified and the file is downloaded.

  5. If you are generating a PDF:

    • A browser window will open and you will be asked to enter your PDF password to open the document.

      PDF Viewer password required

    • Click SUBMIT. The breakglass PDF appears.

    If you are generating a KeePass file:

    • The KeePass file will download.

    • Open the KeePass file and follow the on-screen steps.

    Note

    All SuperAdmins can use the Reveal Credentials functionality to reveal individual account credentials.
    See Reveal Credentials.

    If the task is not supported by the device then you will see an Action notification window with the following message.

    Action unsupported.

  6. If the template does support locking of device accounts then the task will be queued. Click Acknowledge in the Action notification window.

    Lock task queue

Reveal credentials

Allows you to reveal the account credentials (passwords and SSH keys).

  1. On the Manage accounts page, right-click an account on the table and click Reveal credentials.

    Note

    Credentials can be revealed for Fully managed, Known and Managed accounts only.

  2. Within the Reveal credentials note window, click Yes to decrypt the account credentials.

  3. Account credentials can now be revealed by moving the mouse over the relevant credential field or pressing CTRL+C to copy the credential. The credential is visible for 30 seconds.

    Reveal Password

  4. Once you have retrieved the account credentials, click Close.

PAM Server console window

Using the server console window:

  1. Logon to your environment and open console.

  2. Within the PAM Server Console window, use the arrow keys to navigate to Retrieve Passwords option and press ENTER.

    Console retrieve passwords

  3. Enter the Master Encryption Key.

    Console master encryption key

  4. Use the arrows to navigate and select OK.

  5. Use the arrow keys to scroll through the list of devices. Select the one you want and then press ENTER.

  6. Use the arrow keys to select the account you wish to breakglass, and press ENTER.

  7. The credentials are revealed.

Update stored credentials

If the stored credentials for a control account, either Managed or Known, have changed on the device, and there are no other accounts on the device that have the same administrator rights, Osirium PAM would no longer be able to communicate with the device.

The Update stored credentials task in this circumstance could be used to update the account which is currently stored in Osirium PAM to the new account credentials.

To update account credentials stored in Osirium PAM:

  1. Right-click an account and select Update stored credentials from the context menu. The Enter account credentials window appears and will differ depending on the account type you are looking at.

    Update stored password

    Update AD stored password

  2. Provide the new credentials.

    To provide a new password:

    • In the Existing password field, type the new password.
    • Ensure the checkbox to the left of Existing password is selected.
    • In the Password again field, type the new password again to confirm.

    To provide a new SSH private key:

    • Click the SSH private key field. The Edit value window appears.
    • In the Edit value window, click Choose file.
    • Locate the SSH private key and click Open.
    • In the Edit value window, click Upload.
    • Ensure the checkbox to the left of SSH private key is selected.
    • If necessary, type a new SSH key passphrase in the SSH key passphrase field.
  3. Click Proceed. The Action queue window appears.

  4. When the task completes, click Done.

    Note

    To remove credentials, select the checkbox to the left of one or both empty credential fields and click Proceed.

Account history

The account history starts from when the account was first audited. All Osirium PAM generated historical credentials and account states are viewable here.

To view the account credentials history:

  1. On the Manage accounts page, right-click an Account and click Account history.

    Note

    Credentials can be revealed for Fully managed, Known and Managed accounts only.

    Account history

  2. Within the Account history for window, you will see the following information.

    Heading Description
    Active from The date/time the credentials were active from.
    State The account state at the time the credentials were used.
    Password The password used.
    SSH private key The SSH private key used. Hover over to view or press CTRL+C to copy.
    SSH key passphrase The SSH key passphrase used, if any. Hover over to view or press CTRL+C to copy.
    Used for The duration the credentials were used.
  3. Once you have finished, click Close.