
Onboarding accounts in vault

Accounts can authenticate using passwords, SSH keys or secrets-based authentication. Keys and secrets are collectively referred to as secrets in this documentation. Sectona can securely store key-based credentials and rotate secrets automatically according to the password rotation policies.

Normally, SSH keys consist of a pair of keys: a public key and a private key. SSH keys authenticate to the remote machine without entering a password. They are more secure than traditional passwords because the generated private key is never shared, and the private key itself can be encrypted with a passphrase to protect its contents. The system can store the private key along with its passphrase, and can rotate both the private key and the passphrase. SSH key management is supported on the following platforms that support OpenSSH: Red Hat, Solaris, HP-UX and IBM AIX.

This section describes the following in detail:

Add an account via application interface

To add a local account from the account management interface, follow the steps below:

  • Log in to the system and select PAM from the product navigator.

  • Click on Manage → Accounts to open the accounts inventory page.

  • Click on the + Add Account button.

  • Select an Asset Category and Asset Type → Click on the Host-name of the asset on which you want to add a new account.

  • You will be redirected to the Accounts page of the selected asset host-name.

  • Click on the + Add New Account button and fill in the credentials.

  • Click on the Save button and select the Save option → the account is now on-boarded in the system.

To add an Active Directory-based account from the account management interface, follow the steps below:

  • Log in to the system and select PAM from the product navigator.

  • Click on Manage → Accounts to open the accounts inventory page.

  • Click on the + Add Account button.

  • To link this account to target servers, select the Assets from the displayed list.

  • A form will open in which you can select the Host-name/Domain name on which you will be adding the AD-based account. Select Type = AD Account.

  • Add the Directory Server name from the options shown. Note: make sure the AD and Directory Store account details have been added by the administrator through PC; until then you will not be able to add these details in PAM.

  • Add the Domain Account name from the options shown. Note: make sure the relevant AD services are running, as the synced Domain Accounts are displayed in the drop-down menu only when they are.

  • Click on the Save button and select the Save option → the account will be on-boarded on the Active Directory server.

To add a local account from the asset management interface, follow the steps below:

  • Log in to the system and select PAM from the product navigator.

  • Navigate to Manage → Select Asset Management to open the assets inventory page.

  • Click on the Account icon of the asset on which you want to add the account.

  • You will be redirected to the accounts page of the selected asset host-name.

  • You can either add a new account and fill in the credentials, or edit existing accounts linked to the selected asset.

  • Click on the Save button and select the Save option → the account is now on-boarded in the system.

To add an Active Directory-based account from the asset management interface, follow the steps below:

  • Follow the first two steps above.

  • Search for the Directory Server in the asset list.

  • Click on the Account icon of the asset on which you want to add the account.

  • You will be redirected to the accounts page.

  • Fill in the details of the New Account form, including the credentials.

  • Click on the Save button and select the Save option → the account is now on-boarded in the system.

  • To link this account to target servers, click on Linked Assets.

  • A list of all the assets in the system will be populated on the right side.

  • Select the assets on which you want to add this account and click on the Save button.

General Parameters for on-boarding an account

The following attributes are available on the account form, each followed by its description.

Account Type

Select an account type such as "AD Account", "Local" or "Just-In-Time". The remaining attributes change depending on the Account Type.

Authentication Type

Select the method of authentication used for the account: "Key Based", "Password" or "Key Based + Secret Key".

  • Password: Provide the password of the account.

  • SSH Key: Upload the SSH key.

  • Key Based + Secret Key: Provide the keys as issued by the other application.

Account Name

Enter the privileged account name.

Password

Enter the password for the account.

Owner (optional)

Enter the account owner's name.

Account Category

Select an account category such as "Interactive account" or "Service account".

Only Console Access (optional)

Applicable for console-based access such as SQL*Plus over SSH. The user will need to select a Console Account from the drop-down list for Console Access.

Enforce Password Change (optional)

Enabling this option includes this account by default in the scheduled password rotation job. Uncheck the Active checkbox to exclude the account from the scheduled password rotation job.

Tags (optional)

You can associate an account with one or more tags, such as Infosec, Banking Core Server or ATM Switches. Refer to the section Tags for more information about adding context with tags.

Status

By default an account's status is active; you can deactivate an account if it is no longer going to be used.

For example, if an application team user is leaving the organization, you can disable their account in the system to ensure it is not used by any other user, while all previous trails and logs associated with that account remain in the system.

Adding accounts in bulk

The Sectona PAM platform provides an option to on-board multiple accounts in the system manually using the bulk import option. Follow the steps below to bulk on-board accounts in the system:

  • Log in to the system and select PAM from the product navigator.

  • Navigate to Manage → from Asset Management in the sidebar select Accounts.

  • Click on Bulk Account and select the Import option.

  • On the new page, select the desired Account Category: Interactive Account or Service Account.

  • Select an Authentication type for your accounts: Password, Key Based or Key Based + Secret Key.

  • Tags (optional): Add relevant tags to these accounts. Refer to the section Tags for more information about adding context with tags.

  • Select the static account group to which you want to add the on-boarded accounts from the Linked Account Group drop-down list.

  • Enforce Password Change: enable this option to include the accounts in the schedule-based password change job.

  • Toggle the active status option to keep the accounts active in the system.

  • Download the Import format by clicking on the Download format button.

Follow the steps below to fill in the Import format sheet and upload the data to the system:

  • Open the downloaded Import format.

  • Enter the Asset Type, such as Windows server or Unix Based.

  • Enter the Host-name/IP; specify either one of them.

  • Enter the DB Instance (optional); this is required only if the account is being on-boarded for a Database asset.

  • Enter the Account Name followed by the Password.

  • Enter the Access Key and Secret Access Key (only applicable if the account authentication type selected is Key Based + Secret Key).

  • Select all the columns and copy them from the sheet.

  • On the PAM web console click on the Next button → paste the copied text → click on the Next button → review the list of accounts and click Finish to on-board the listed accounts in the system.

Using the bulk method, you can upload up to 1000 accounts at a time.

For Key Based authenticated accounts only the asset details and account names need to be filled in the Import format sheet; the key can be uploaded from the web portal directly.
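Because the pasted sheet is accepted as plain text, it is worth checking it before the upload rather than discovering a half-imported batch afterwards. The script below is an added example, not a Sectona tool: it parses a tab-separated copy of the sheet, enforces the required columns for each authentication type described above (Password needs a password, Key Based + Secret Key needs both keys, Key Based needs only the asset details and account name), checks that Host-name/IP is either a host-name or an IP address, flags duplicate account rows, and applies the 1000-account limit. The column names in COLUMNS and the tab-separated layout are assumptions based on the fields listed in this section; the actual layout is defined by the downloaded Import format. The sample sheet is constructed for the demonstration.

```python
"""Check a bulk account import sheet before pasting it into the PAM console.

Added example, not Sectona's own tool. The tab-separated column layout and
the names in COLUMNS are assumptions taken from the fields the documentation
lists; the real layout comes from the 'Download format' button.
"""
import ipaddress
import re

# Assumed column order of the downloaded Import format (header row first).
COLUMNS = ["Asset Type", "Host-name/IP", "DB Instance", "Account Name",
           "Password", "Access Key", "Secret Access Key"]
AUTH_TYPES = ("Password", "Key Based", "Key Based + Secret Key")
MAX_ROWS = 1000  # documented per-upload limit

# RFC 1123 style host-name: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def parse_sheet(text: str) -> list:
    """Split text copied from the sheet into one dict per account row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or [c.strip() for c in lines[0].split("\t")] != COLUMNS:
        raise ValueError("first line must be the header row: " + " | ".join(COLUMNS))
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("\t")]
        cells += [""] * (len(COLUMNS) - len(cells))  # pad short rows
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def is_host_or_ip(value: str) -> bool:
    """Accept either an IPv4/IPv6 address or a syntactically valid host-name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def validate_rows(rows: list, auth_type: str) -> list:
    """Return human-readable problems; an empty list means the sheet is ready.

    Messages name rows and columns only, never the password or secret values,
    so the output is safe to keep in a ticket or a log.
    """
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"unknown authentication type: {auth_type!r}")
    errors = []
    if len(rows) > MAX_ROWS:
        errors.append(f"{len(rows)} rows exceed the {MAX_ROWS}-account limit; split the upload")
    seen = set()
    for n, row in enumerate(rows, start=2):  # row 1 is the header
        for col in ("Asset Type", "Host-name/IP", "Account Name"):
            if not row[col]:
                errors.append(f"row {n}: {col} is required")
        host = row["Host-name/IP"]
        if host and not is_host_or_ip(host):
            errors.append(f"row {n}: {host!r} is neither a host-name nor an IP address")
        if auth_type == "Password" and not row["Password"]:
            errors.append(f"row {n}: Password is required for Password authentication")
        if auth_type == "Key Based + Secret Key":
            for col in ("Access Key", "Secret Access Key"):
                if not row[col]:
                    errors.append(f"row {n}: {col} is required for Key Based + Secret Key")
        # The same account on the same asset (and DB instance) twice is a duplicate.
        ident = (host.lower(), row["DB Instance"].lower(), row["Account Name"].lower())
        if ident in seen:
            errors.append(f"row {n}: duplicate entry for {row['Account Name']!r} on {host!r}")
        seen.add(ident)
    return errors


# Constructed sample: one good row, one missing its password, one duplicate.
SAMPLE_SHEET = "\t".join(COLUMNS) + "\n" + "\n".join([
    "Unix Based\t10.0.0.5\t\tappsvc\tS3cr3t!\t\t",
    "Database\tdb01.corp.example\tORCL\tdbadmin\t\t\t",
    "Unix Based\t10.0.0.5\t\tappsvc\tOther!\t\t",
])

if __name__ == "__main__":
    for problem in validate_rows(parse_sheet(SAMPLE_SHEET), "Password"):
        print(problem)
```

Run it against the text you are about to paste, with the authentication type you selected on the Bulk Account page; an empty result means every row carries what that type requires. The messages deliberately never echo the Password, Access Key or Secret Access Key cells, so they can be shared with whoever owns the sheet without leaking credentials.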

Account on-boarding via account discovery

There are two scenarios of on-boarding accounts via account discovery:

  • Configuring a new discovery job and on-boarding newly discovered accounts

  • On-boarding existing discovered accounts from discovery view

Configuring a new account discovery job and on-boarding discovered accounts

  • Log in to the system and select PAM from the product navigator.

  • Navigate to Manage → Select Discovery from the left sidebar.

  • Click on Account and then click on + Add Account Discovery.

  • Job Title: enter a desired job title.

  • Asset Category: select the desired asset category from the drop-down.

  • Asset Type: select an asset type associated with the selected asset category.

  • Schedule Type: select Once to run the job one time. Select Recurring, followed by a Recur Every value, to run the job on a schedule.

  • Task Start: select the date from which the discovery job should be enabled (only applicable for a scheduled discovery job).

  • Schedule Time: select the time at which the discovery job should trigger (only applicable for a scheduled discovery job).

  • Select Onboard Accounts as the Yes (Reset Password) option to automatically on-board the discovered accounts in the system. Select No to only discover the accounts.

  • Exclude Account(s): enter one or more account names, comma separated (for example admin, administrator), that you want to exclude from the discovery job.

  • Tags (optional): Add relevant tags to these accounts. Refer to the section Tags for more information about adding context with tags.

  • Account Category: select an account category such as "Interactive account" or "Service account".

  • Enforce Password Change: enable this option to include the accounts in the schedule-based password change job.

  • Owner: enter the name of the account owner (only applicable if Onboard Accounts is selected as Yes).

  • Toggle the active status option to keep the accounts active in the system.

  • Click on the Save button and select the Save + Run Now option to trigger the discovery job immediately.

  • To on-board the discovered accounts, follow the steps below:

If you chose Yes in the Onboard Accounts field, the system will reset the current password of the discovered accounts.

Manually on-boarding existing discovered accounts from the discovery view

  • Log in to the system and select PAM from the product navigator.

  • Navigate to Manage → Click on Discovery View in the Discovery section.

  • A list of discovered Assets and Accounts will be displayed.

  • Click on the Accounts tab to open the list of discovered accounts.

  • Select the Onboard option.

  • A pop-up will open; enter the account password → Click on Save and select the Save option to on-board the account in the system.

Account on-boarding via management APIs

Refer to the section Develop to work with management APIs to allow onboarding of accounts via management APIs.
