System Configuration

The System configuration page provides information relating to the PxM Platform and allows you to configure a number of different settings.

The following tabs are available:

System Config tabs

Licencing Tab

The licencing page provides an overview of the licence you have bought and the features that have been activated as part of your licence.

It helps you track your current configuration against your licence limits and see when you need to upgrade those limits.

Licencing tab

The following information is presented in the page:

Heading Description
Product usage PxM Platform version: The version that has been installed and is currently running.

Users: Displays the total number of created PxM Platform user accounts against the total number of allowed user accounts.

The PxM Platform support account and the first superadmin account are not included in this count.

Devices: Displays the total number of provisioned devices managed by the PxM Platform against the total number of allowed devices. The Osirium Server device will not be included in this count.

MAP servers: Displays the total number of provisioned MAP servers used with the PxM Platform against the total number of allowed MAP servers.

Enabled features Any additional features purchased will be listed here.
Active licence(s) Licensee: Name of the organisation or individual to which the licence has been assigned.

Expiry: The date/time the licence is due to expire.

Note

When a licence is within 30 days of expiry a countdown warning message will appear in the PxM Platform banner on the Web Management Interface.

When a licence has expired, the PxM Platform will only be fully functional until midday on the following day.

After this period the only access will be to the Web Management Interface and the product licencing upload page.

Uploading a Licence

To load a licence:

  1. Click the Load new licence button. A Question window opens.

  2. Click Yes to proceed.

  3. Within the Upload licence window, click Choose File.

    Upload Licence

  4. Within the File upload page navigate to and select a valid PxM Platform licence file.

  5. Within the Upload licence window, click Upload. The new licence file will be loaded. The licence information is updated to reflect any changes.

Certificates Tab

By default, the PxM Platform provides a generic certificate to allow secure web connections to the Web Management Interface. On this page you will see information about the current certificate that is being used by the PxM Platform.

However, if you are using the Web Management Interface web login window, we recommend that you upload a trusted certificate that is valid within your organisation.

Click here for information on how to enable the web login feature.

Certificates tab

Upload a Certificate

To upload a new certificate:

  1. On the Certificates tab, click Load new certificate. The Upload TLS Certificate window appears.

    Upload Certificate

  2. In the Upload TLS Certificate window, upload your trusted certificate and an RSA Private key.

  3. Click Upload. The certificate is uploaded.

Enable Web Login

The web login feature allows you to log directly into the Web Management Interface through a browser session. This is useful for users who may not have permission to download and install the PxM Client on their workstation.

Note

An installed PxM Client is still required to single sign-on to devices and to run device tasks.

To enable web login:

  1. On the System settings tab, click the Edit pencil icon for Enable web login. The Edit entry window appears.

  2. On the Edit entry window, select Enabled.

  3. Click Save. Web login is now enabled.

    Note

    For more information, see Upload a Certificate.

To use web login:

  1. In a browser, type the PxM Virtual Appliance HTTPS IP address and press ENTER. The PxM Client Download page opens.

  2. In PxM Platform Login window, enter the login information:

    Field name Description
    Username/Password Depending on the configuration of your PxM Platform, either enter your PxM Platform local account details or your existing external authentication details (Active Directory or RADIUS).
    Token code: If multi-factor authentication has been configured within your PxM Platform environment then your PxM Platform Superadmin will provide you with a token code to enter.

    Only after successful verification of both the password and token code will you be logged into the PxM Platform.

  3. Click Login. The Web Management Interface appears.

Fingerprints Tab

Fingerprints help guard against man-in-the-middle attacks on devices, in which attackers can secretly redirect network traffic between the PxM Platform and the device to monitor and manipulate the flow of information.

Fingerprints tab

When a device is deployed on the PxM Platform, a fingerprint is generated which the PxM Platform associates with the device. When connecting, the PxM Platform checks that the fingerprint presented by the device matches the fingerprint the PxM Platform associated with that device. By default, if the device fingerprint is not approved, the PxM Platform notes the discrepancy in the Logs page but does not block the connection.

Connection Fingerprint Enforcement Behaviour

If you want the PxM Platform to block connections to devices with unapproved fingerprints, you can configure the Connection fingerprint enforcement behaviour.

To configure the Connection fingerprint enforcement behaviour:

  1. On the table, click the Edit pencil icon for Connection fingerprint enforcement behaviour. The Edit entry window appears.

    Edit entry value

  2. From the Value drop-down, select one of the following options.

    Value Details
    Log only - The PxM Platform allows connections to devices with unapproved fingerprints.
    - Connection details are logged in the Logs page on the Key Verifier tab.
    Block - The PxM Platform blocks connections to devices with unapproved fingerprints.
    - Users attempting the connection receive an error message.
    - Connection details are logged in the Logs page on the Key Verifier tab.
  3. Click Save. The Connection fingerprint enforcement behaviour value is applied.

Fingerprints table

The Fingerprints table allows you to select fingerprints to associate with designated devices. The following details are available:

Column Details
Device Provisioned device on your PxM Virtual Appliance.
Tool Tool the fingerprint is attached to.
Approved If selected (checked box), the fingerprint is associated with the corresponding device.
If deselected (unchecked box), the fingerprint is not associated with the corresponding device.

You can configure the PxM Virtual Appliance to block connections to devices with unapproved fingerprints using the Connection fingerprint enforcement behaviour above.

Fingerprint The fingerprint generated for the device. The PxM Virtual Appliance generates fingerprints from the device SSH key or certificate.
Last seen at The last time the PxM Virtual Appliance connected to, or ran a task on, the device.
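The check described above (compare the fingerprint a device presents against the approved one, then either log or block on a mismatch) as an added example in Python. This is not Osirium's code; it assumes the approved-fingerprint store is a dictionary keyed by device name, that the fingerprint is the OpenSSH-style SHA256 digest of the raw public key, and that the Key Verifier log is a plain list. The sample keys are constructed, not taken from any device.

```python
"""Added example (not Osirium's code): host-key fingerprint pinning with the
two enforcement behaviours described above, "Log only" and "Block"."""
import base64
import hashlib
from dataclasses import dataclass, field

LOG_ONLY = "Log only"
BLOCK = "Block"


def fingerprint(raw_key: bytes) -> str:
    """SHA256 fingerprint in the OpenSSH presentation (base64, padding stripped)."""
    digest = hashlib.sha256(raw_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class FingerprintMismatch(Exception):
    """Raised in Block mode when a device presents an unapproved fingerprint."""


@dataclass
class KeyVerifier:
    enforcement: str = LOG_ONLY
    # device name -> approved fingerprint; a device with no entry is unapproved
    approved: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # stands in for the Key Verifier log tab

    def check(self, device: str, presented_key: bytes) -> bool:
        """Return True if the connection may proceed; raise in Block mode on mismatch."""
        seen = fingerprint(presented_key)
        expected = self.approved.get(device)
        if expected == seen:
            self.log.append(f"{device}: fingerprint {seen} approved")
            return True
        reason = "no approved fingerprint" if expected is None else f"expected {expected}"
        if self.enforcement == BLOCK:
            self.log.append(f"{device}: BLOCKED unapproved fingerprint {seen} ({reason})")
            raise FingerprintMismatch(f"connection to {device} refused: {reason}")
        # Log only: the discrepancy is recorded but the connection is allowed
        self.log.append(f"{device}: ALLOWED unapproved fingerprint {seen} ({reason})")
        return True


def _try(verifier: KeyVerifier, device: str, key: bytes) -> bool:
    try:
        return verifier.check(device, key)
    except FingerprintMismatch:
        return False


def demo() -> dict:
    """Run the same three connections under both behaviours and return the outcomes."""
    # Constructed sample key material (not real device keys)
    good_key = b"ssh-ed25519 constructed-key-for-device-A"
    rogue_key = b"ssh-ed25519 constructed-key-from-elsewhere"
    store = {"Device A": fingerprint(good_key)}
    results = {}
    for mode in (LOG_ONLY, BLOCK):
        v = KeyVerifier(enforcement=mode, approved=dict(store))
        results[mode] = {
            "approved": v.check("Device A", good_key),   # matching key
            "mismatch": _try(v, "Device A", rogue_key),   # key changed since approval
            "unknown": _try(v, "Device B", good_key),     # device with no approved fingerprint
            "log": v.log,
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In Log only mode all three connections return True and the log shows two ALLOWED entries; in Block mode the same two connections raise and are recorded as BLOCKED, which is the difference an operator should expect to see on the Key Verifier tab after changing the setting.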

System Settings Tab

The following can be configured on the System settings tab:

System settings tab

Support Account

The PxM Platform support (osirium_support) account is a PxM Virtual Appliance Ubuntu server administrative account. It is created during the installation of the PxM Virtual Appliance. This account is useful if you are unable to access the Web Management interface and want to troubleshoot issues through the command line.

The default setting is disabled, with no password set.

Note

It should always be enabled and a password set when upgrading or carrying out a system restore.

To enable:

  1. Click on the Edit pencil next to Support account (User name: osirium_support).

    Support Acc

  2. Check the Enabled box and type in a password.

    Support Acc enable window

  3. Click Save.

    Support Acc Set

PxM Platform Local Password Policy

If you are creating users that will be authenticated by the PxM Platform, this setting allows you to define a password policy that enforces greater complexity and stronger authentication for user account passwords. Only passwords that meet the policy are accepted, ensuring all passwords satisfy the required criteria.

Note

This will not apply to externally authenticated Active Directory or RADIUS users.

To configure:

  1. To the right of PxM Platform password policy, click the Edit pencil icon.

    Local Password policy

  2. Set the appropriate policy using the fields described below.

    Password policy window

    Field name Description
    Invalid Characters Enter any characters you don't want used in a password.
    Any password containing these characters will be disallowed.
    Minimum Length The password must be equal to or greater than the minimum length set.
    Maximum Length The password must be less than or equal to the maximum length set.
    If set to 0, the password will not expire.
    Require Letters and Numbers If true (tickbox checked), the password must contain both letters and numbers.
    Password Retries The user will be locked if an incorrect password is entered this many times.
    If set to 0, the user will be allowed infinite retries to enter their password.
    Unlock time
    (In Seconds)
    Time the user will have to wait before the account is automatically unlocked.
    Maximum Password Age
    (In Days)
    From the moment a password is changed, it starts aging. When the maximum age is exceeded, the user will be forced to change their password at next logon.
    Password Must Differ From The Last N When the user sets a new password, it must be different from the last N passwords they have used.

    If left as the default 0, the password does not have to differ from any passwords used before.

  3. Click Save.
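A worked example of the policy fields in the table above, added here as illustration and not Osirium's implementation. It assumes password history is kept as salted SHA-256 digests, that retry and lockout state is tracked per account in memory, and, as the table states, that 0 means "no limit" for retries and history and "never expires" for password age.

```python
"""Added example (not Osirium's code): a local password-policy checker covering
invalid characters, length bounds, letters-and-numbers, history (last N),
retry lockout with unlock time, and maximum password age."""
import hashlib
import os
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    invalid_characters: str = ""
    minimum_length: int = 8
    maximum_length: int = 64
    require_letters_and_numbers: bool = True
    password_retries: int = 5            # 0 = unlimited retries
    unlock_time_seconds: int = 300
    maximum_password_age_days: int = 90  # 0 = password never expires
    differ_from_last_n: int = 0          # 0 = no history check

    def violations(self, candidate: str, history: list) -> list:
        """Return every rule the candidate breaks (empty list = acceptable)."""
        problems = []
        bad = sorted({c for c in candidate if c in self.invalid_characters})
        if bad:
            problems.append(f"contains invalid characters: {''.join(bad)}")
        if len(candidate) < self.minimum_length:
            problems.append(f"shorter than {self.minimum_length}")
        if len(candidate) > self.maximum_length:
            problems.append(f"longer than {self.maximum_length}")
        if self.require_letters_and_numbers and not (
            re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)
        ):
            problems.append("must contain both letters and numbers")
        if self.differ_from_last_n:
            for salt, digest in history[-self.differ_from_last_n:]:
                if _hash(candidate, salt) == digest:
                    problems.append(f"matches one of the last {self.differ_from_last_n} passwords")
                    break
        return problems


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # (salt, digest), oldest first
    changed_at: float = 0.0                      # epoch seconds of last change
    failures: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def set_password(policy: PasswordPolicy, account: Account, new_password: str, now: float) -> list:
    """Apply the policy; on success store a new salted digest and return []."""
    problems = policy.violations(new_password, account.history)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt)))
    account.changed_at = now
    return []


def must_change(policy: PasswordPolicy, account: Account, now: float) -> bool:
    if policy.maximum_password_age_days == 0:
        return False
    return now - account.changed_at > policy.maximum_password_age_days * 86400


def login(policy: PasswordPolicy, account: Account, attempt: str, now: float) -> str:
    """Return 'locked', 'bad', 'expired' or 'ok'."""
    if now < account.locked_until or not account.history:
        return "locked" if now < account.locked_until else "bad"
    salt, digest = account.history[-1]
    if _hash(attempt, salt) != digest:
        account.failures += 1
        if policy.password_retries and account.failures >= policy.password_retries:
            account.locked_until = now + policy.unlock_time_seconds
            account.failures = 0
            return "locked"
        return "bad"
    account.failures = 0
    return "expired" if must_change(policy, account, now) else "ok"
```

Time is passed in explicitly (`now`) so that lockout expiry and password ageing can be exercised deterministically; a real implementation would take it from the clock.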

Enable Pass-Through

The pass-through feature allows PxM Platform users to single sign-on to devices using personalised accounts that already exist on the device. When a user logs onto the PxM Client, their credentials (username/password) are cached, encrypted, in an instance on the PxM Virtual Appliance.

Then, when the PxM Client user connects to a device which has been configured to use an access level of pass-through (see Creating a New Profile), the cached credentials are used to single sign-on to the device.

Note

Cached pass-through credentials are saved as case sensitive. To ensure successful pass-through, the PxM Platform username/password must match the user's preexisting device account (username/password).

When a user logs out or disconnects from the PxM Client, their credentials are removed from the PxM Virtual Appliance cache instance. Also, if the PxM Virtual Appliance is restarted (specifically the userauth service) all cached pass-through credentials are removed.

The pass-through feature is Enabled as default which means all user credentials will be cached when logged onto the PxM Client.

If this feature is Disabled at any time, profiles that have devices with pass-through access levels will show as greyed out in the PxM Client for all users in the profile.

To change the setting:

  1. Click on the Edit pencil icon.

    Enable pass-through

  2. Check or uncheck the Enabled box as per the setting required.

    Edit entry window

  3. Click Save.

Debug Task Logging

If you want more detailed debug messages from your PxM Virtual Appliance you can turn on the debug logging level. It can be helpful and provide more clues if you come across issues.

When enabled, the debug logging messages will be available on the System configuration > Logs page on the Web Management Interface.

To enable:

  1. Click on the Edit pencil icon.

    Debug Task Logging

  2. Check the Enabled box.

    Edit entry window

  3. Click Save.

Debug API Logging

If you require more detailed messaging and logging of the API function then you can turn on the debug level for the API. It can be helpful and provide more clues if you come across issues.

To enable:

  1. Click on the Edit pencil icon.

    Debug API Logging

  2. Check the Enabled box.

    Edit entry window

  3. Click Save.

External Filestore

We recommend that you attach an external filestore to avoid disk space issues and to hold some of the larger files. This will ensure that the internal disk does not fill up too quickly allowing for a smoother running of system services and tasks.

Enabling and attaching a filestore will allow your PxM Virtual Appliance to save the following files directly onto the attached filestore:

  • Backups.
  • Techouts.
  • Session recordings.
  • Session archives if configured.

To add an external filestore:

  1. Firstly, you will need to add a virtual hard drive to your PxM Virtual Appliance which should be done in accordance with your company policy.

  2. Click on the Edit pencil icon.

    Use external filestore

  3. Check the Enabled box.

    Edit entry window

  4. Click Save. The PxM Platform will now partition, format and map to the external drive. Once successfully mapped, the disk usage bar on the Manage files page will be updated and display both the internal and external disks.

    From here you can monitor your disk status to manage your storage levels and take precautions if your disk space is getting full.

    Note

    The external filestore may take a little time to appear on Web Management Interface, depending on the size of the disk that is being configured.

    External disk on Manage files page

Scheduled Session Archive

If you are session recording all your users on a daily basis then you will be creating a lot of recorded files on your system. This setting will allow you to manage the recordings being saved and help you with archiving the older session recordings for storage and backup.

Implementing a scheduled archive of session recordings will also allow you to manage disk space on your system or external disk. The schedule is based on the age of the recording and will automatically be archived when they reach the age limit set.

When a scheduled session archive setting has been configured it will:

  • Run the Archive Session task every day at midnight and archive any PxM Client sessions that are older than the age (days) set.

    When a session has been archived it will be marked as archived on the Device access report page on the PxM Client sessions section.

  • Store the archived file in the filestore. Will default to the external filestore if one has been configured.

  • List the archived session file on the Manage files page from where it can be downloaded.

  • Copy the archived file to a remote backup server if one has been configured. See Remote Backup Server Configuration.

  • Delete the session recordings from the PxM Platform filestore and database once successfully archived.

To configure:

  1. Click on the Edit pencil icon.

    Scheduled session archive

  2. Check the Enabled box.

    Session archive edit Window

  3. In the Maximum session age (days) field, type in the number of days before a session is to be archived.

  4. Click Save.

    Session archive configured

Scheduled File Removal

The number of device files created can grow rapidly so to help easily manage older files you may want to configure a schedule that will automatically delete files when they reach a certain age. This will also help you manage your disk space, ensuring stored files don't fill up your disk space which could slow your system down.

The deletion of files will be based on their age. But before you enable this schedule make sure you have any backup requirements in place, especially if you need to archive the files before they are deleted from the PxM Platform.

To configure:

  1. Click on the Edit pencil icon.

    Scheduled file removal

  2. Check the Enabled box.

    File removal edit Window

  3. In the Maximum file age (days) field, type in the number of days before a file is deleted.

  4. Click Save.

    Scheduled file removal

    The File removal task is run every day at midnight and will now remove any files that are older than the age (days) set.

User Group Synchronisation Interval

This setting creates an automated synchronisation between the user groups in PxM and the Active Directory user groups they are linked to. This helps ensure that the Active Directory users within each group are kept up to date and that any changes (removed/added users, password changes etc.) are reflected in the PxM Platform.

Define in minutes how often you want the PxM Platform to synchronise user groups with your Active Directory.

To configure:

  1. Click on the Edit pencil icon.

    User Group Sync Interval

  2. The default value is set to 15 minutes. The value must be greater than or equal to 5.

    Generic value window

  3. Click Save. The PxM Platform will run the User Group Synchronisation task against each Active Directory user group listed on the Manage user groups page and make any necessary updates.

    User group sync log

Backup Breakglass Passphrase

This setting allows you to configure a passphrase to protect the KeePass file containing your device credentials. The KeePass file is stored in the archived backup file created when you run a backup task on the PxM Platform.

To set a backup breakglass passphrase:

  1. Click on the Edit pencil icon.

    Backup breakglass passphrase

  2. Click the Edit pencil icon for Backup breakglass passphrase. The Edit entry window appears.

    Edit entry passphrase

  3. In the Passphrase field, type a passphrase.

  4. Click Save. The backup breakglass passphrase is applied.

Client Settings Tab

The following can be configured on the Client settings tab:

Client Settings tab

PxM Client Colour

The colour option allows you to specify a colour for the PxM Client. This is useful when you want to distinguish the PxM Client connections made to different PxM Virtual Appliances.

To change the colour of the PxM Client:

  1. Click on the Edit pencil icon.

    Client colour

  2. Enter a HEX colour code; or

    Client colour window

    click the icon to use the Select a Color window:

    Client picker window

  3. Click Save. Now when a user logs onto the PxM Client, the PxM Client window will contain a coloured border. The user will only see the changes the next time they logon.

Connection Settings Tab

The following can be configured on the Connection settings tab:

Connection Settings tab

Device Group Separation Identifier

Device group separation allows you to restrict access to device tools from multiple customers, to ensure that workstations don’t become a bridge point for data.

Before creating a group separation identifier, you need to create a meta-column entry of type Device. See Configure meta-info.

The meta-column values define the groups that are available. When a user connects to device tools through the PxM Client, the group separation identifier controls which sets of device tools they can use at the same time.

To configure the group separation identifier:

  1. Click on the Edit pencil icon.

    DGS Identifier

  2. Choose the appropriate option from the drop-down box.

    DGS Identifier edit window

  3. Click Save. Now the values in the device type meta-column will determine which device tools can be accessed after the first device tool connection has been made.

    For example:

    Device Meta-column value
    Device A Group 1
    Device B Group 1
    Device C Group 2
    Device D Group 2

    From the PxM Client, if a user opens a tool from Device A which belongs to Group 1, the tool opens successfully. Then, whilst Device A is open, if the user opens a tool from Device B, then this will be allowed.

    In the default block mode, if the user has a device tool from Group 1 open and then tries to open a tool on Device C which belongs to Group 2, then the user will be unable to access the tool and the PxM Platform will show an error message:

    Osirium proxy separation error

    Only when all Group 1 connections have been closed can the user open device connections from Group 2.

    Note

    This only applies to device tools, NOT to device tasks. Tasks can still be run at any time for any device.

Device Group Separation Behaviour

Device group separation behaviour can be changed from the default Block setting (meaning devices from multiple groups can't be accessed at the same time) to a Warn setting. Selecting Warn means that a warning message appears when a user tries to connect to two devices from different groups, but the user can still continue to access both devices.

To configure the separation:

  1. Click on the Edit pencil icon.

    DGS behaviour

  2. Select the Warn value from the drop-down box.

    DGS behaviour edit window

  3. Click Save.

    Now when a user opens up two connections to a device in different device separation groups, they won't be blocked but will be presented with a warning:

    DGS behaviour warning message
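The device group separation decision described in the two sections above (the default Block behaviour and the Warn alternative), as an added example in Python using the Device A to Device D table. This is not Osirium's code; it assumes the Device meta-column is represented as a dictionary from device to group value, that a user's open tool sessions are tracked in a set, and that a device with no meta-column value is treated as its own group.

```python
"""Added example (not Osirium's code): device group separation for tool
connections, with Block and Warn behaviours; device tasks are never affected."""
from dataclasses import dataclass, field

BLOCK = "Block"
WARN = "Warn"

# The example meta-column from the page: device -> separation group
META_COLUMN = {
    "Device A": "Group 1",
    "Device B": "Group 1",
    "Device C": "Group 2",
    "Device D": "Group 2",
}


@dataclass
class ToolSessionTracker:
    groups: dict                       # device -> meta-column value
    behaviour: str = BLOCK
    open_tools: set = field(default_factory=set)  # devices with a tool currently open

    def open_tool(self, device: str) -> str:
        """Return 'allowed', 'warned' (Warn mode only) or 'blocked' (Block mode only)."""
        group = self.groups.get(device)  # None = no meta-column value (assumption: own group)
        active_groups = {self.groups.get(d) for d in self.open_tools}
        crossing = bool(active_groups) and group not in active_groups
        if crossing and self.behaviour == BLOCK:
            return "blocked"            # the user sees the proxy separation error
        self.open_tools.add(device)
        return "warned" if crossing else "allowed"

    def close_tool(self, device: str) -> None:
        """Closing every tool in a group lets the user move on to another group."""
        self.open_tools.discard(device)

    def run_task(self, device: str) -> str:
        """Tasks are not subject to separation (see the Note above)."""
        return "allowed"


def walkthrough(behaviour: str) -> list:
    """Replay the page's scenario: open A, then B (same group), then C (other group)."""
    t = ToolSessionTracker(META_COLUMN, behaviour=behaviour)
    steps = [t.open_tool("Device A"), t.open_tool("Device B"), t.open_tool("Device C")]
    t.close_tool("Device A")
    t.close_tool("Device B")
    steps.append(t.open_tool("Device C"))  # all Group 1 tools closed
    return steps


if __name__ == "__main__":
    print("Block:", walkthrough(BLOCK))
    print("Warn:", walkthrough(WARN))
```

In Block mode the walkthrough returns `['allowed', 'allowed', 'blocked', 'allowed']`: Device C is refused while any Group 1 tool is open and accepted once both are closed. In Warn mode the third step is `'warned'` and the connection proceeds.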

Network Settings Tab

The Network settings tab allows you to configure the following settings on the PxM Platform:

Network Settings tab

DNS Servers

To set DNS servers:

  1. Click on the Edit pencil icon.

    DNS servers

  2. Set the primary, secondary and tertiary servers as required.

    DNS Edit entry

  3. Click Save.

DNS Search Suffix

Adding DNS search suffix entries will help resolve IP addresses when adding new devices.

To add a DNS search suffix:

  1. Click on the plus icon next to DNS Suffixes. DNS search suffix 1 will be added.

    DNS search suffix add

  2. Fill in the suffix:

    Edit entry

  3. Click Save.

NTP Server

To set an NTP server:

  1. Click on the plus icon next to NTP server. NTP server 1 will be added.

    NTP server add

  2. Click the Edit pencil icon for NTP server 1.

  3. Enter the IP Address or pool of the NTP servers.

    NTP server entry example

  4. Click Save.

    Tip

    You can add multiple NTP servers by clicking the plus icon several times.

Syslog Server

The PxM Platform will send copies of its syslog messages to as many external syslog servers as you wish.

To add an external Syslog server:

  1. Click on the plus icon next to Syslog server. Syslog server 1 will be added.

    Syslog server add

  2. Click the Edit pencil icon for Syslog server 1.

  3. Enter the IP Address of the Syslog server the PxM Platform will be communicating with.

    Syslog edit entry

  4. Click Save.

Use CEF Formatted Syslog Messages

Enabling this setting allows the PxM Platform to use the CEF formatting standard when displaying syslog messages.

To enable:

  1. Click on the Edit pencil icon.

    CEF syslog messages

  2. Check the Enabled box.

    Edit entry

  3. Click Save.
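To show what a receiving SIEM or collector has to do with CEF-formatted syslog output, here is an added Python parser for CEF lines. It is not Osirium's code and the two sample lines are constructed for this example (the vendor/product strings, signature IDs and extension keys are illustrative, not a statement of what the PxM Platform emits); it assumes the standard CEF layout of seven pipe-separated header fields followed by a space-separated key=value extension.

```python
"""Added example (not Osirium's code): parse CEF syslog lines and filter by severity."""
import re

CEF_HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Constructed sample lines (syslog PRI/timestamp/host prefix before "CEF:")
SAMPLE_LOGIN = (
    "<134>Jan 12 10:15:03 pxm-appliance CEF:0|Osirium|PxM Platform|1.0|100|"
    "User login|3|suser=alice src=192.0.2.10 msg=Web login succeeded"
)
SAMPLE_ESCAPED = (
    "<132>Jan 12 10:16:44 pxm-appliance CEF:0|Osirium|PxM Platform|1.0|200|"
    "Tool \\| opened|5|suser=bob dhost=Device C msg=key\\=value pair"
)


def _split_pipes(s: str) -> list:
    """Split on unescaped '|' ; in the CEF header a backslash escapes the next character."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cef(line: str) -> dict:
    """Return the header fields plus an 'extension' dict of key=value pairs."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    parts = _split_pipes(line[idx + 4:])
    if len(parts) < 8:
        raise ValueError("CEF header incomplete")
    event = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    event["version"] = int(event["version"])
    # Anything after the 7th pipe is the extension; values may contain spaces,
    # so a value runs until the next " key=" token or end of line.
    extension = "|".join(parts[7:])
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", extension):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    event["extension"] = ext
    return event


def events_at_or_above(lines: list, threshold: int) -> list:
    """Simple detection filter: keep events whose numeric severity >= threshold."""
    kept = []
    for line in lines:
        ev = parse_cef(line)
        if ev["severity"].isdigit() and int(ev["severity"]) >= threshold:
            kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in events_at_or_above([SAMPLE_LOGIN, SAMPLE_ESCAPED], 5):
        print(ev["name"], ev["extension"])
```

The parser strips the syslog prefix before `CEF:`, honours backslash escapes in the header (`\|`) and in extension values (`\=`), and leaves severity as a string because CEF permits textual levels as well as 0 to 10.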

Logstash Server

Enter your logstash server details to allow the PxM Platform to push events to your logstash server.

To add a logstash server:

  1. Click on the Edit pencil icon.

    Logstash server

  2. Fill in the details.

    Logstash edit entry

    Field name Description
    Host: Enter the host name or IP address of the logstash server.
    Port Enter the port number assigned to the logstash server.
    Enabled (checkbox) Enabling will allow the PxM Platform to connect to the logstash server.
  3. Click Save.

SMTP Configuration

Configure the SMTP to allow emails to be sent from the PxM Virtual Appliance. SMTP is required if you want to setup Email subscriptions, see Managing Email Subscriptions.

Note

The SMTP server should support TLS (Transport Layer Security) otherwise there is a risk that a password will be sent in plain text.

To configure SMTP:

  1. Click on the Edit pencil icon.

    SMTP config

  2. Fill in the details.

    SMTP config edit entry

    Field name Description
    SMTP Server IP address of the SMTP server.
    Port Enter the port number assigned to the SMTP server.
    Username Enter the username that will be used to authenticate onto the SMTP server.
    Password Enter the password that will be used to authenticate onto the SMTP server.
    From Email Address Sets the user@domain part of the Reply-To and Sender headers of the outbound email.
    From name Sets the text description in the Reply-To and Sender headers of the outbound email.
    SMTP Server Debug Directs email server transaction messages to the mail.log file.
    Force STARTTLS If checked, forces the PxM Platform to use STARTTLS. If the remote server does not support STARTTLS, an error will be logged in the mail.log file.
  3. Click Save. All superadmins will receive an email to confirm that email has been successfully configured.

SNMP Configuration

Configure SNMP to allow the PxM Platform to be monitored on your network.

To configure SNMP:

  1. Click on the Edit pencil icon.

    SNMP Config

  2. Fill in the details.

    SNMP config edit entry

    Field name Description
    Read only community string Enter a valid read-only community string to allow SNMP requests to be sent.
    System location Enter the location of the PxM Platform.
    System contact Enter a valid contact name for the PxM Platform.
  3. Click Save.

RADIUS Configuration

For the PxM Platform users to be authenticated through RADIUS, configure the RADIUS settings.

To configure Radius:

  1. Click on the plus icon next to RADIUS configuration. RADIUS configuration 1 will be added.

    Radius config

  2. Click the Edit pencil icon for RADIUS configuration 1. Fill in the following details:

    RADIUS config edit entry

    Field name Description
    Address Enter the IP Address of the RADIUS server.
    Port Enter the port number assigned to the RADIUS server service.
    Secret Enter the RADIUS Secret that will be used to authenticate onto the RADIUS server.
    Retries Enter the number of times you want a user to retry the connection before it fails.
    Timeout Enter the minutes allowed before the connection is timed out.
  3. Click Save.

Remote Backup and Archive Server

If the remote backup and archive server is configured, the PxM Platform will automatically push PxM Platform backups to the specified server at the end of the backup task. If session recording is enabled, session recording archives will also be pushed automatically at the end of the archive task.

Supported protocols are SCP, SFTP and SMB.

To setup remote backup:

  1. Click on the Edit pencil icon.

    Remote Backup and archive server

  2. Within the Edit entry window, fill in the following details:

    Remote Backup and archive server edit entry

    Field name Description
    Server type Select the method to be used to copy the backup file.
    Options available from the drop-down listbox are:
    SMB, SCP and SFTP.

    NOTE If None is selected from the drop-down list then the settings will be saved but the backup file will not be copied to the remote server.

    Server IP address Enter the IP address of the remote backup server.
    Port (SMB=445, SCP=22, SFTP=22) Enter the port number for the Server type selected.
    Path or share name Enter the path where the file will be saved to on the remote backup server.
    Username Enter a valid username with access to the remote backup server. The user must have the correct permission to write to the path specified.
    Password Enter a valid password.
  3. Click Save.

RDP Credential Check

The PxM Platform can attempt NTLM authentication before initiating RDP SSO connections. This provides better user feedback if the connection credentials are invalid.

Credential check is disabled by default. When enabled, the PxM Platform will do the credential check when any user opens an RDP SSO connection.

The credential check requires connectivity over ports 445 and 139.

To enable:

  1. Click on the Edit pencil icon.

    RDP credential check

  2. Check the enabled box.

    Edit entry value

  3. Click Save.

Routing Table

Allows you to add static routes into Osirium’s local routing table.

To add entries:

  1. Click the Edit pencil icon.

    Routing table

  2. Within the Edit value window, click New and select Plus icon Add entry.

    Routing table add entry

  3. Enter the values you want to add to the routing table.

    Routing table values

  4. Click Save icon to save the new entry.

  5. Click Save changes.

    The PxM Virtual Appliance must be rebooted before the routing table is applied to the PxM Platform. This can be done through the Osirium server device detail page > Tasks tab or the PxM Virtual Appliance console window.

SailPoint IdentityIQ Integration Configuration

The PxM Platform can be integrated with SailPoint IdentityIQ to provide a governance based identity access management solution.

Integrating the PxM Platform with SailPoint IdentityIQ enables PxM Platform users and user groups to be synchronised into the SailPoint IdentityIQ server. SailPoint IdentityIQ can then manage and instruct PxM on provisioning requests for user creation, modification, deletion, enable, disable and password changes.

Before the PxM Virtual Appliance can be configured to integrate with your SailPoint IdentityIQ, the following prerequisites must be configured on your SailPoint IdentityIQ server:

  • The Simple Table Integration (STI) module must be installed and configured.

  • The PxM Platform STI schema, which has been created and is available through SailPoint, must be applied. The schema provides the default integration configuration requirements as well as creating the database tables that will contain the PxM Platform user and PxM Platform user group fields.

    Note

    For more information, refer to the SailPoint IdentityIQ documentation.

Then, when the PxM Virtual Appliance has been configured to connect with your SailPoint IdentityIQ implementation, the following will be enabled:

  • SailPoint will be able to create users and user groups on the PxM Platform, which will be disabled by default.
  • When new PxM Platform users are created on the PxM Platform they will be automatically synchronised onto the SailPoint IdentityIQ server.
  • Multiple PxM Platforms can be added to the SailPoint IdentityIQ server as long as they have unique hostnames.
  • Policies defined within SailPoint IdentityIQ will be applied directly into the PxM Platform.

To synchronise your PxM Virtual Appliance with SailPoint IdentityIQ:

  1. On the left-hand menu, under System, click System configuration. The System configuration page appears.

  2. Click the Network settings tab.

  3. On the table, click the Edit pencil icon to the right of Sailpoint IdentityIQ integration configuration.

    SailPoint config

    The Edit entry window appears.

    SailPoint edit entry

  4. Within the Edit entry window, provide the following details to allow SailPoint IdentityIQ to synchronise with PxM Platform:

    Field name Description
    Host The unique hostname of the SailPoint IdentityIQ server.
    Port The port number assigned to the SailPoint IdentityIQ STI database.
    Database Name Name of the STI database created in SailPoint IdentityIQ.
    Username The SailPoint username used to access the STI database.
    Password The password of the SailPoint username used to access the STI database.
    Enabled (checkbox) By default, SailPoint IdentityIQ integration in the PxM Platform is disabled. Select the checkbox to enable SailPoint IdentityIQ integration.
  5. Click Save. The SailPoint IdentityIQ integration details are added to the table.

    Note

    When SailPoint IdentityIQ integration is complete, the PxM Platform automatically begins communicating with SailPoint. Desired integration behaviours, such as policies, must be configured within SailPoint IdentityIQ.

ServiceNow Ticket Integration Configuration

ServiceNow ticket integration in the PxM Platform allows tickets entered in the PxM Platform Change Management Tool to be validated against an existing ServiceNow configuration management database (CMDB), providing the following benefits:

  • Accountability: ability to see when, why and how tickets are allocated.
  • Security: an attacker who has obtained privileged credentials still needs a valid change ticket before the PxM Platform will let them be used.

Prerequisites

  • The PxM Platform must be registered on the ServiceNow instance as an OAuth application (the page calls this configuring the PxM Platform as an OAuth provider on the ServiceNow CMDB). When registered, a Client ID and Client Secret are created. Make a note of these credentials, as they identify the PxM Platform to ServiceNow.

  • Obtain a ServiceNow refresh token by running the relevant command on your workstation, as detailed in the ServiceNow documentation. The client ID and client secret created above, the ServiceNow CMDB URL, and a ServiceNow user account are required, as in the example below (the client ID, client secret and admin/admin credentials are placeholders; use your own values).

    Example command:

    $ curl -d "grant_type=password&client_id=be3aeb583ace210011c15b24a43e25d8&client_secret=client_password&username=admin&password=admin" \
        https://instancename.service-now.com/oauth_token.do

    The parameter string must contain no spaces: a space breaks the form body and ServiceNow rejects the request. The response is JSON containing both an access_token and a refresh_token; make a note of the refresh token. Because the secret and password appear on the command line, they are recorded in the shell history; clear or disable history for this command.

    Note

    The refresh token has a lifespan set in ServiceNow on the OAuth application registration (the access token lifespan is set separately and is much shorter). When the refresh token expires, the PxM Platform automatically generates a new token.

To integrate ServiceNow with the PxM Platform:

  1. On the left-hand menu, under System, click System configuration. The System configuration page appears.

  2. Click the Network settings tab.

  3. On the table, click the Edit pencil icon to the right of ServiceNow Ticket integration configuration.

    ServiceNow config

    The Edit entry window appears.

    ServiceNow edit entry

  4. Within the Edit entry window, provide the following details to allow ServiceNow to integrate with the PxM Platform:

    Field name Description
    Host URL of the ServiceNow CMDB.
    Client ID Client ID generated when the PxM Platform was registered as an OAuth application on ServiceNow.
    Client Secret Client secret generated when the PxM Platform was registered as an OAuth application on ServiceNow.
    ServiceNow Instance Refresh Token Refresh token obtained with the token request described in the prerequisites.
    Emergency Ticket (blank to disable) In the event that an incident or change ticket number does not exist on the ServiceNow CMDB, or if you are unable to access the ServiceNow CMDB, you can provide an emergency ticket. The PxM Platform does not check the emergency ticket against ServiceNow.

    NOTE The emergency ticket is a static value that bypasses the ServiceNow check: anyone who knows it can satisfy the change-ticket control without a real ticket, and its use is not recorded in ServiceNow. Only set it during an emergency, change it afterwards, and otherwise leave it blank.

    Enabled Checkbox. By default, ServiceNow integration in the PxM Platform is disabled. Select the checkbox to enable ServiceNow integration.
  5. Click Save. The ServiceNow integration details are added to the table.
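The following is an added example and is not PxM Platform or ServiceNow code. It shows the two OAuth exchanges the prerequisites and the integration rely on (the one-off password grant that yields the refresh token, and the refresh grant that renews the short-lived access token), and a change-ticket lookup that behaves the way the Emergency Ticket field is described: the emergency value is matched locally and never sent to ServiceNow. ServiceNow's standard /oauth_token.do endpoint and Table API path are assumed rather than taken from the page, and the token and ticket responses are constructed so the script runs offline.

```python
"""Added example, not PxM Platform or ServiceNow code. Assumed (not on the
page): ServiceNow's /oauth_token.do and Table API endpoints. The JSON
responses below are constructed so the script runs without a ServiceNow
instance."""
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth_token.do"
TICKET_PATH = "/api/now/table/change_request"


def password_grant_body(client_id, client_secret, username, password):
    """One-off request body that yields the refresh token. urlencode does the
    escaping, so a secret containing '&' or a space cannot corrupt the body."""
    return urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username, "password": password})


def refresh_grant_body(client_id, client_secret, refresh_token):
    """Body the integration repeats whenever its short-lived access token has
    expired; the refresh token is the only credential stored long term."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": refresh_token})


def parse_token_response(raw):
    """Return (access_token, refresh_token); reject an error body."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError("token request failed: %s" % data.get("error", raw))
    return data["access_token"], data.get("refresh_token")


def ticket_lookup_url(instance, number):
    """Table API query for one change request, with the number URL-encoded."""
    query = urllib.parse.urlencode({
        "sysparm_query": "number=%s" % number,
        "sysparm_fields": "sys_id,number,state", "sysparm_limit": "1"})
    return "%s%s?%s" % (instance.rstrip("/"), TICKET_PATH, query)


def http_send(url, body=None, bearer=None):
    """Real transport (urllib); the offline demo injects fake_send instead."""
    req = urllib.request.Request(url, data=body.encode() if body else None)
    req.add_header("Accept", "application/json")
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def validate_ticket(instance, number, access_token, emergency_ticket="", send=http_send):
    """Return (ok, reason). The emergency ticket is matched locally and never
    sent to ServiceNow: anyone who learns its value satisfies the control
    without a real ticket, which is why it should normally be left blank."""
    if emergency_ticket and number == emergency_ticket:
        return True, "emergency ticket used; not checked against ServiceNow"
    try:
        raw = send(ticket_lookup_url(instance, number), bearer=access_token)
    except OSError as exc:
        return False, "ServiceNow lookup failed: %s" % exc
    rows = json.loads(raw).get("result", [])
    if not rows:
        return False, "no change request numbered %s" % number
    return True, "change request %s found (state %s)" % (number, rows[0].get("state"))


# Constructed sample data so the example runs without a ServiceNow instance.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "ACCESS-EXAMPLE", "refresh_token": "REFRESH-EXAMPLE",
    "token_type": "Bearer", "expires_in": 1799})
SAMPLE_TICKETS = {"CHG0030001": {"sys_id": "abc123", "number": "CHG0030001", "state": "-2"}}


def fake_send(url, body=None, bearer=None):
    """Answers from the constructed data above instead of the network."""
    if url.endswith(TOKEN_PATH):
        return SAMPLE_TOKEN_RESPONSE
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    number = params["sysparm_query"][0].split("=", 1)[1]
    rows = [SAMPLE_TICKETS[number]] if number in SAMPLE_TICKETS else []
    return json.dumps({"result": rows})


def unreachable_send(url, body=None, bearer=None):
    """Simulates the CMDB being down, the case the emergency ticket exists for."""
    raise OSError("connection timed out")


if __name__ == "__main__":
    inst = "https://instancename.service-now.com"
    cid, secret = "be3aeb583ace210011c15b24a43e25d8", "client_password"  # placeholders
    _, refresh = parse_token_response(fake_send(inst + TOKEN_PATH,
                                                password_grant_body(cid, secret, "admin", "admin")))
    print("refresh token to enter in the PxM Platform:", refresh)
    access, _ = parse_token_response(fake_send(inst + TOKEN_PATH, refresh_grant_body(cid, secret, refresh)))
    for number in ("CHG0030001", "CHG9999999", "EMERG-1"):
        print(number, validate_ticket(inst, number, access, emergency_ticket="EMERG-1", send=fake_send))
    print("outage:", validate_ticket(inst, "CHG0030001", access, send=unreachable_send))
```

Replace fake_send with http_send (the default) to run the lookup against a real instance; the emergency-ticket branch deliberately short-circuits before any network call, which is both why it still works during an outage and why the value must be treated as a credential.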

Mesh Tab

The Mesh mechanism allows an Active PxM Virtual Appliance primary to push a copy of its backup file to a Mesh secondary virtual appliance. The Mesh secondary virtual appliance does not contain any live configuration. A public key is exchanged between the Active primary virtual appliance and the Mesh secondary virtual appliance to validate the mesh connection.

The backup file stored on the Mesh secondary virtual appliance can then be used to restore an Active primary virtual appliance in a disaster recovery situation.

See PxM Virtual Appliance Restore Instructions Using a Mesh backup.

Note

When you build a mesh or upgrade a mesh server, ensure you don't delete or move the install files that are in /data/kits/latest/ as these are required for the restore process to work.

Mesh tab

To set up:

  1. Within the Active primary virtual appliance, click on the Mesh tab within System Configuration.

  2. Click the Edit pencil icon for Outbound Mesh Connection 1.

    Mesh outbound edit entry

    Fill in the following details:

    Field name Description
    IP Address IP address of the Mesh secondary virtual appliance where the backup will be stored.
    Push Backups Check to enable. This will allow the backup to be copied to the Mesh secondary virtual appliance.
  3. Click Save.

  4. Click on the Public key field and copy its contents.

  5. Log onto the Mesh secondary virtual appliance and open up the Web Management Interface.

  6. Click System Configuration in the left-hand menu.

  7. Within the System configuration window, click on the Mesh tab.

  8. Click the Edit pencil icon for Inbound Mesh Connection 1.

    Mesh inbound

  9. In the API Key field, paste the public key copied from the Active primary virtual appliance.

    Mesh inbound edit entry

  10. Click Save.

    Now, an outbound connection can be made from the Active primary virtual appliance to the Mesh secondary virtual appliance. The Mesh secondary virtual appliance will now accept file transfers from the Active primary virtual appliance.

  11. Now you need to create a profile to run the backup task against the Active primary virtual appliance. See Creating a New Profile.

    For a scheduled time see Creating a Schedule or use an existing schedule.

    Once the scheduled backup has been created, it is automatically transferred to the Mesh secondary virtual appliance using SCP file transfer.

    Note

    Any PxM Platform backup files created through manual execution will also be pushed to the Mesh secondary virtual appliance.