PAM Implementation guide

General instructions

Introduction

The purpose of this document is to provide the instructions to implement PAM using the Soffid console. It is a step-by-step implementation guide.

Soffid is an information security product that provides a web console to manage privileged accounts, in addition to identity provisioning, identity governance (including risk management) and Single Sign-On.

Before starting

Before you start the PAM implementation, the following steps are mandatory:

1. Install Soffid IAM Console

The first step will be to install Soffid. You can install the Soffid console on-premise or in the cloud, on your own servers or using Docker or Kubernetes.

For more information visit the Soffid installation book.

2. Install Soffid PAM

The purpose of PAM is to manage accounts and to determine which users will have access to critical resources. Soffid allows you to install and configure PAM.

For more information visit the PAM Install & config book.

3. Login into Soffid Console

Your user needs to be an administrator user or a user with the proper permissions to perform the actions of the implementation procedure.

Process definition



Step 1. Create network


The first step of the PAM implementation will be to create the network you want to scan to discover the hosts.

Step-by-step

1. First of all, you must access the networks page; the path to access it is the following:

Main Menu > Administration > Resources > Networks

2. Once you are on the networks page, you must click the button with the add symbol (+) to add a new network. Then Soffid will display a new empty page to fill in the network data.

You must fill in at least the required fields (fields with an asterisk) to create a network.

Other fields you could configure

Auto calculated fields

3. Once you have filled in all those fields, you must apply the changes by clicking on the "Apply changes" button to create the new network.

4. When you apply changes:

4.1. If all the required information is correct, Soffid will save the new network, close the page and show the networks list with all the networks created on the system, including the last one created.

4.2. If the information filled in is not correct, Soffid will show an alert on the fields that have errors. You must correct the errors and save the network data again.

Screen overview


Step 2. Configure network discovery


The second step will be to configure the network with the proper parameters to allow you to run the discovery process.

Step-by-step

1. First of all, you must access the network discovery page in the following path:

Main Menu > Administration > Resources > Network discovery

2. Once you have accessed the network discovery page, Soffid will display all the networks created on Soffid in a list.

3. You must select the network you want to scan to discover all its hosts.

4. Then, Soffid will display detailed information about the network. All that information is read-only.

5. You must click the "Enabled discovery" button to display the new configuration fields: server, accounts to probe, schedule, and current execution.

6. The first one, Server (from now on, the discovery proxy server): the selected server will be used to try to connect to the detected hosts using the accounts defined in the accounts to probe list. If no server is selected, the server selected in the task definition will be used.

7. The second, Accounts to probe, allows you to add the accounts that will be used to try to connect to the discovered network hosts.

7.1. You must click the add button (+) to add a new account.

7.2. You must select to create a new account or add an existing account.

7.2.1. To register a new account you must select the "Register a new account" option and fill in the login name and the password.

7.2.2. To use an existing account, you must select the "Use an existing account" option and select the chosen account. You have two options:

7.2.2.1. Writing the account name in the text field; Soffid helps you with predictive search. Then you must click "Apply changes" to save the data and Soffid will add the account to the accounts to probe list.

7.2.2.2. Clicking the user icon; Soffid will show you the search account window. Once you search and find the proper account, you need to click on the account row. Then Soffid will add the account to the accounts to probe list.

8. The third, Schedule: you can enable this option to schedule the execution of the task. If you enable it, a task will be created and configured to run on the defined schedule.

8.1. You can update the schedule; the available fields are the following:

All those fields are mandatory to schedule the task.

For each value of month, day, hour, minute or day of the week:

8.2. If you update the schedule data, you will need to click "Apply changes" to save the update. If there is any error, it will be displayed and the data will not be saved; you must correct the data and apply the changes again.

9. The fourth, the Current execution option, allows you to fire the task execution at the current moment.

10. The Last execution section displays information about the last execution of the network discovery process: the start and end date and time, and the execution log.

11. The last one, Previous executions, displays a list with information about the previous executions. This option is shown once the task has run and finished at least once.

Soffid will display a list with information about the previous executions: the date and time when the task started, the status, and a link to download the log file. To download the log file you must click on the proper "Execution log" cell; a txt file will then be downloaded to your computer and you can check it.

Screen overview




Step 3. Launch network discovery


Then, the third step will be to launch the network discovery process. That is the process in charge of scanning the network, getting the host information and connecting to the hosts as well.

Step-by-step

1. The discovery network task can be executed manually or automatically:

1.1. By clicking the "Start now" button, the process will be launched manually at the current moment.

1.2. If the schedule option is enabled, the task will be launched at the defined schedule. You can also configure it on the Scheduled task page.

2. Soffid will display information about the result of the process when it has finished.

3. Also, Soffid will display in a tree structure the information recovered about each detected host, indicating whether it was possible to connect and, if so, the information about the agent and the entry point created, and the recovered accounts.

The discovery process is multithreaded. To discover the hosts of the network, Soffid launches from 1 to 20 threads; with that configuration Soffid optimizes the discovery process.

Network discovery process

On the Network discovery page there are two different servers to configure: the first one, the discovery proxy server (located next to the network attributes), and the second one, the discovery manager (located in the schedule section).

Communication between these servers is always encrypted with certificates on both sides.


The server to discover

That server is in charge of scanning the network to discover its hosts. For each host discovered, the Nmap utility gets the information about the ports and the protocols used. That process also gets the IP address and the operating system. All the recovered information will be saved in the Soffid database.

If no discovery manager is selected, to execute that process Soffid will use one of the principal sync servers installed and configured.
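The host records that the discovery manager stores, as an added example written for this guide (not Soffid code): it parses Nmap's XML report (the -oX output) into per-host inventory entries with IP address, best OS match and open ports, the same facts the paragraph above says are saved, and then lists which login services each host exposes for the accounts-to-probe step. The scan report embedded below is constructed; the DiscoveredHost type, the function names and the LOGIN_SERVICES mapping are this example's own assumptions.

```python
"""Parse an Nmap XML report into the per-host records the discovery step stores:
IP address, best OS guess and open ports with their protocol. Example written
for this guide, not Soffid code; the report below is a constructed sample."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX - 192.0.2.0/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="db01.example.test" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/></port></ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="95"/>
<osmatch name="Microsoft Windows 10" accuracy="88"/></os></host>
<host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host>
</nmaprun>"""


@dataclass
class DiscoveredHost:
    ip: str
    hostname: Optional[str]
    os_name: Optional[str]      # best osmatch, None when Nmap made no guess
    os_accuracy: int            # Nmap's confidence in that guess (0..100)
    open_ports: List[Tuple[str, int, str]] = field(default_factory=list)  # (proto, port, svc)


def parse_nmap_xml(xml_text: str) -> List[DiscoveredHost]:
    """One record per host that answered; hosts reported down are skipped."""
    hosts: List[DiscoveredHost] = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Element objects are falsy when childless, so test "is None", not "or".
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = h.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        hn = h.find("hostnames/hostname")
        best_name, best_acc = None, 0          # keep the highest-accuracy OS match
        for m in h.findall("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if acc > best_acc:
                best_name, best_acc = m.get("name"), acc
        rec = DiscoveredHost(addr.get("addr"), None if hn is None else hn.get("name"),
                             best_name, best_acc)
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue                       # closed/filtered ports are unreachable
            svc = p.find("service")
            rec.open_ports.append((p.get("protocol"), int(p.get("portid")),
                                   "" if svc is None else svc.get("name", "")))
        hosts.append(rec)
    return hosts


# Services the discovery proxy can try the "accounts to probe" against.
# This mapping is the example's own assumption, not a Soffid setting.
LOGIN_SERVICES = {"ssh": "SSH", "ms-sql-s": "SQL Server", "oracle": "Oracle"}


def login_services_by_host(hosts: List[DiscoveredHost]) -> Dict[str, List[str]]:
    """Map each IP to the login services it exposes, in port order."""
    return {h.ip: [LOGIN_SERVICES[s] for _, _, s in h.open_ports if s in LOGIN_SERVICES]
            for h in hosts}
```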

The server to connect

The discovery proxy server works as a proxy to connect to the target systems. 

When the discovery manager discovers a host, it gets the host information and then, through the discovery proxy server, it attempts to connect to the host using the accounts defined in the accounts to probe list.

Then, the reconciliation process of the created agent will be launched, and it will try to recover the information about the accounts defined on the host. It will also try to recover the information about the account-protected services. The recovered information will be saved in the Soffid database.

The next step will be to create, where possible, a new entry point to the host with the basic attributes and the proper executions to run it. That entry point will be displayed on the Application access tree page.

If no discovery proxy server is selected, Soffid will use the same sync server used for the discovery process.



https://en.wikipedia.org/wiki/Nmap


Step 4. Register additional resources (Optional)

Step 4.1. Add database (Optional)


The fourth step, adding a database, is optional. You only need to configure it when there is a database (SQL Server or Oracle) on one of the discovered hosts and you want to manage its accounts as privileged or shared accounts.

Step-by-step

The network discovery process can discover and connect to the hosts. Then Soffid allows you to add databases as account repositories in the proper host.

1. First of all, the agent must be created on Soffid. That agent can be a SQL Server agent or an Oracle agent. To create an agent, see the page Step 4.2. Create an agent (Optional).

2. Then, you must access the network discovery page in the following path:

Main Menu > Administration > Resources > Network discovery

3. Once you have accessed the network discovery page, Soffid will display all the networks. 

3.1. First, you must identify the network and click on the plus icon (+) to display all the hosts discovered.


3.2. Then, you must identify the host and click the plus icon (+) to display the options.

3.3. Finally, in the "Account repositories" section you must click the "Add new" button.


4. When you click "Add new" Soffid will display a wizard to add the database. 

5. You must select the option "Other" on the "Select system type", and click "Next" button.

5.1. When you click the "Next" button, the wizard will allow you to search for the system using Quick, Basic, or Advanced search. When you run the search, Soffid will display all the systems that match the search criteria. Bear in mind that the agent must have been created previously.

5.2. You must select the proper system from the result list and click the "Next" button. Then Soffid will add the agent to the "Account repositories" list and close the wizard.


* When you are in the wizard and click the "Undo" button, the wizard will go back to its previous page, or close without executing any operation if it is on the first page.

6. Once the database is added to the host, the next step will be to run the reconcile process to get all the accounts and permissions from the database to load into Soffid.

6.1. To access the agent definition, you must click the "Agent definition" button. The button is located close to the name of the agent, inside the "Account repositories" of a specific host, on the network discovery tree.


6.2. Once you click the button, Soffid will browse to the agent definition.

6.3. Then you must click the "Massive actions" tab.

6.4. On the "Massive actions" tab you must click the "Reconcile (load target system objects)" button. That process is in charge of loading into Soffid the accounts and permissions defined in the database.

6.4.1. If the process completes successfully, you can continue with the next step of the PAM implementation.

6.4.2. Otherwise, you must check the agent configuration and run the process again.

Screen overview



Step 4.2. Create an agent (Optional)


This step is optional; it is only required when the SQL Server agent or the Oracle agent has not been created previously on the Soffid Console and you need to add a database to manage its accounts.

Step-by-step

1. First of all, to create an agent you must access the agent page in the following path:

Main Menu > Administration > Configure Soffid > Integration engine > Agents

2. Once you have accessed the agent page, Soffid will display all the active agents created on Soffid. You must click the button with the add symbol (+) to add a new agent. Then Soffid will display a new empty page to fill in the agent data.

2.1. You must fill, at least the required fields (fields with an asterisk) to create an agent.

You can visit the Plugins page for more information about how to load a connector on Soffid Console.

2.2. You must fill in the optional parameters that you need to configure the agent.

2.3. You must fill in the "Connector parameters". Those parameters depend on the agent.

2.3.1. SQL Server connector:

Below there are the specific parameters for this agent implementation:

User name: Database user name to authenticate.

Password: The password of the database user.

Driver: Identifies the driver of the relational database to use. Currently, these are the supported databases: MySQL (& MariaDB), PostgreSQL, Oracle, MS SQL Server, Informix, DB2/400, DB2 Universal, Sybase, ODBC.

DB URL: URL that identifies the connection properties. Please refer to the specific database vendor documentation to build this URL. For example:

jdbc:mariadb://<HOST>/<DATA_BASE>
jdbc:mysql://<HOST>/<DATA_BASE>
jdbc:postgresql://<HOST>/<DATA_BASE>
jdbc:oracle:<drivertype>:@<database>
jdbc:sqlserver://<HOST>;databaseName=<DATA_BASE>

(*) More documentation about the DB URL

SQL Sentence to execute at startup: Each time the connection to the agent is established, this SQL statement will be executed.

Password hash algorithm: The algorithm used to hash the password, for instance SHA1, SHA256, MD5, etc.

Password hash prefix: Prefix added to the password hash, for example:

{SHA1}BzE/DjIPIsv6Nc/CIFCOs/9FfH4=
{SHA256}AIEM+LlNb8ucXeSE077EGHYgs+KHblmquQ2FL+Dxj7Y=

Enable debug: Two options, Yes and No. It enables or disables additional log traces in the Synchronization Server log.

Synchronization method:

  • Full synchronization: persists the changes made in Soffid, regardless of the possible changes made in the final system.
  • Incremental synchronization: this type of synchronization is used to avoid losing changes that have been made to the target system. First, Soffid's changes will be propagated to the target system, and then the changes on the target system will be made in the Soffid system. If the changes are in the same attribute, the Soffid value is the one that will persist.
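The "{ALG}base64(digest)" form shown for the Password hash prefix parameter, as an added example written for this guide (not the connector's own implementation): it produces a prefixed hash for a chosen algorithm, parses a stored value back, verifies a password against it in constant time, and checks that a stored prefix's digest length matches the algorithm it names, which catches a mismatched Password hash algorithm / Password hash prefix configuration. The function names are this example's own.

```python
"""Produce and check password hashes in the "{ALG}base64(digest)" form that the
Password hash algorithm and Password hash prefix parameters describe.
Example written for this guide, not the connector's own implementation."""
import base64
import hashlib
import hmac
from typing import Tuple


def hash_password(password: str, algorithm: str = "SHA256") -> str:
    """Return the prefixed, base64-encoded digest, e.g. '{SHA256}AIEM+...'.

    This is the plain, unsalted digest the parameter table shows, so equal
    passwords yield equal stored values; prefer SHA256 over SHA1 or MD5."""
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    return "{%s}%s" % (algorithm.upper(), base64.b64encode(digest).decode("ascii"))


def split_prefixed_hash(stored: str) -> Tuple[str, bytes]:
    """Split '{ALG}b64' into ('ALG', raw digest); malformed input raises ValueError."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {ALGORITHM} prefix")
    algorithm, encoded = stored[1:].split("}", 1)
    # validate=True rejects characters outside the base64 alphabet
    return algorithm.upper(), base64.b64decode(encoded, validate=True)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the algorithm named in the prefix and compare
    in constant time, so timing does not leak how many bytes matched."""
    algorithm, digest = split_prefixed_hash(stored)
    candidate = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


def prefix_matches_algorithm(stored: str) -> bool:
    """True when the decoded digest length fits the algorithm in the prefix.
    A False result points at a mismatched algorithm/prefix configuration."""
    algorithm, digest = split_prefixed_hash(stored)
    try:
        return len(digest) == hashlib.new(algorithm.lower()).digest_size
    except ValueError:      # hashlib does not know that algorithm name
        return False
```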

2.3.2. Oracle connector:

Below there are the specific parameters for this agent implementation:

User: Sysdba user name to authenticate.

Oracle password: Password of the user to authenticate.

Connection string to database: Database URL. Use something like jdbc:oracle:thin:@host:port:sid

Password to protect roles: Optional password to use on password protected roles.

Default user profile: Optional profile to set limits on the database resources and the user password.

Default tablespace: Optional tablespace for user creation.

Temporary tablespace: Optional temporary tablespace for user creation.

Enable debug: Two options: [ Yes / No ]. When it is enabled, more log traces are printed in the Synchronization Server log.

3. Then, you should click the "Apply changes" button to save the new agent. Then Soffid will close the form, and display the agent list including the new agent created.

If you click the "Undo" button, the form will be closed and updates will not be saved.

Once the agent is configured, it can be assigned to the host to continue with the PAM implementation process: Step 4.1. Add database.

Screen overview

SQL Server agent

Oracle agent


Step 4.3. Reconcile (Optional)


To request the accounts you must launch the reconcile process. The main purpose of the reconciliation process is to provide a mechanism to ensure that all users are aligned with their specific roles and responsibilities.

Step-by-step

1. First of all, to edit the agent you must access the agent page in the following path:

Main Menu > Administration > Configure Soffid > Integration engine > Agents

2. Once you have accessed the agent page, Soffid will display all the active agents created on Soffid. You must click on the record of the agent you want to reconcile. Then Soffid will display a new window with the agent data.

3. Then, you must click on the "Massive actions" tab.

4. At "Massive actions" tab, you must click on the "Reconcile (load target system objects)" button to launch the reconcile process.

5. Once the reconciliation process has completed, Soffid will show the result of the process execution. You can click on the alert to view the process result.

5.1. Green alert: the process finished ok.

5.2. Red alert: the process finished with an error.

Screen overview



Step 5. Account management

The account management step shows you how to manage the accounts: how to change their type, how to locate them in the password vault and how to assign a password. To complete this step the discovery process must be finished.

Step 5.1. Account management

Step-by-step

1. To access the accounts of a specific host or database (SQL Server or Oracle), you must click the "Accounts" button. The button is located close to the name of the host or the agent, inside the "Account repositories" of a specific host, on the network discovery tree.



2. Once you click the button, Soffid will display the list of accounts that belong to the host or agent.

3. You must click on the account record to edit the detailed account info.

4. Then, you will be able to change the account type, place the account on the password vault, and assign a password for each account, one by one.

a. Step 5.2. Change account type

b. Step 5.3. Publish on Password vault

c. Step 5.4. Assign the password

5. And finally, to save the updates you must click on the "Apply changes" button.


Step 5.2. Change account type


The Change account type step shows how to change the type from unmanaged to shared or privileged depending on the case. 

Step-by-step

1. Once Soffid displays the account detail, you can change the Type (located in the Common attributes) to the proper type. You must click on the "Type" drop-down list and select the proper value for the account.


2. Then, you can save the update by clicking on the disk icon (located at the top right), and continue with the next step.


Step 5.3. Publish on Password vault


When critical accounts are detected, the best way to keep them safe is to place them in the Password vault. The password vault allows you to manage the access control list of these accounts; here you can define who the owners, the managers and the SSO users are.

Step-by-step

1. Once Soffid displays the account detail, you can select the "Vault folder" on the "Password vault" section.


2. There are two ways to assign the vault folder:

2.1. Writing in the predictive text field. In that case, Soffid will show the folder names that match, and you can select the proper folder.

2.2. Clicking on the folder icon. Then you can search for the proper folder and select it.

Bear in mind that the vault folders have to be created previously on the Password vault page.

3. Finally, you can save the update by clicking on the disk icon (located at the top right), and continue with the next step.


Step 5.4. Assign the password


To be able to use an account, it is necessary to assign a password; this can be the current password or a new one. If a new password is assigned, it will be synchronized with the target system.

Step-by-step

1. Once Soffid displays the account detail, you can change the password. You need to click on the hamburger icon and then on the "Set password" option.

2. Then, Soffid will show a new form to set the password.

3. You must select one of the available options:

3.1. Generated password: if you select this option, Soffid will generate a random password and display it on the form.

3.2. Set password: if you select this option, you must create a password and write it in the text field. That password must comply with the password policies defined in Soffid.

4. Finally, Soffid will send the new password to the target system.


Step 6. Passwords rotation

Password rotation reduces the vulnerability to password-based attacks. Soffid allows you to limit the password lifespan and forces you to change it.

Soffid defines a procedure for password rotation to keep the critical accounts safe. It allows you to create password policies with the proper configuration to generate strong passwords; the password type should be "Automatically generated". Those policies must be assigned to the critical accounts. It also allows you to configure an automatic task, Expire untrusted passwords, to check when a password has to be changed.

Scheduled task


You can find more information about how to configure a scheduled task on the Scheduled task page.

Step 6.1. Create User type


How to create a new User type. This is mandatory in order to create a new Password policy.

Step-by-step

1. First of all, you must access the User types page, the path to access is the following:

Main Menu > Administration > Configure Soffid > Global Settings > User types

2. Once you are on the User types page, you must click the button with the add symbol (+) to add a new User type. Then Soffid will display a new empty page to fill in the data.

You must fill in at least the required fields (fields with an asterisk) to create a user type.

Other fields you could configure

3. Once you have filled in all those fields, you must apply the changes by clicking on the "Apply changes" button to create the new user type.

4. When you apply changes:

4.1. If all the required information is correct, Soffid will save the new user type, close the page and show the user types list with all the user types created on the system, including the last one created.

4.2. If the information filled in is not correct, Soffid will show an alert on the fields which have errors. You must correct the errors and save the user type again.

Screen overview




Step 6.2. Create Password policy


How to define a new password policy for the user type created in the previous step.

Step-by-step

1. First of all, you must access the Password policies page, the path to access is the following:

Main Menu > Administration > Configure Soffid > Security settings > Password policies

2. Once you are on the Password policies page, you must click "Add password policy", at the proper domain, to add a new Password policy. Then Soffid will display a new empty page to fill in the data.

You must fill in at least the required fields (fields with an asterisk) to create a password policy.

Other fields you could configure

3. Once you have filled in all those fields, you must apply the changes by clicking on the "Apply changes" button to create the new password policy.

4. When you apply changes:

4.1. If all the required information is correct, Soffid will save the new password policy, close the page and show the password policies list with all the password policies created on the system, including the last one created.

4.2. If the information filled in is not correct, Soffid will show an alert on the fields that have errors. You must correct the errors and save the password policy again.

Screen overview