Enterprise Random Password Manager

Academic year: 2021

Installation Guide

Enterprise Random Password Manager

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, SharePoint, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067 310.550.8575 Internet E-Mail: support@liebsoft.com Website: http://www.liebsoft.com

CONTENTS

INTRODUCTION
Overview
Performance Notes
License Agreement
Limited Warranty
Background and Goals

PREREQUISITES
Recommended Knowledge
Solution Host System Requirements
Solution Web Services Requirements
Solution Database Requirements
MS SQL Requirements for Solution
Oracle Requirements for Solution
Solution Service Accounts
Managed Database Pre-requisites
Managed Computers and Devices Pre-requisites
Port Requirements

INSTALLATION OF PREREQUISITES
Installing and Configuring IIS
Installing IIS
Required Web Components on a Non-Web Server
Enable ASP Support
Enable ASP.NET Support
Enable IIS6 Compatibility Support
How to Configure SSL
SSL with IIS - With an Existing Cert
SSL with IIS - No Existing Cert
MS SQL and Oracle
SQL 2008 Installation
Oracle 11g Installation
Database Connectors
Microsoft SQL
Oracle
Sybase ASE
MySQL
DB2
Windows 2008 & Later Remote COM+ Access
Configure the COM Object and Deferred Processor Account
Granting Rights to the Database

INSTALLATION
Management Console Installation
Component Overview
Quick Installation
Mini-Setup
Configuring ERPM Datastore for HA Configurations with MS SQL Server
Configuring ERPM Datastore for HA with Oracle Database Servers
Configuring SSL Encryption to the Database
Encryption Settings
HSM Troubleshooting
Controlling Access to the Admin Console
Web Application Installation
Web Application Overview
Web Application Authentication and Delegation
Web Application Security
Web Application Installation Dialog
Web Application Settings
App Options
Password Access
File Store Settings
Account Elevation
Security
User/Session Management
Remote Sessions
Console Display
User Dashboards
Web Application - Post Installation
Integrated Authentication
Web Application - Updating Settings
Manual Web Application Installation
1. Manually Configure the Web Files
2. IIS 7 and ASP Pages
3. Configure IIS Directories
4. File Store Manual Setup
5. COM+ Identity Wrapper
6. COM Components
7. Website Configuration Options and Settings
Two Factor Authentication Configuration
OATH 2-Factor
OATH Tokens
Additional OATH Resources
OATH Without Existing Tokens
Configuring OATH Requirements for Management Console Access
Configuring OATH Requirements for Web Interface Access
PhoneFactor
RADIUS 2-Factor
RADIUS 2-Factor for Explicit Accounts
RSA SecurID
Configuring RSA SecurID
RSA SecurID Configuration Verifier
Configuring RSA SecurID Requirements for Management Console Access
Configuring RSA SecurID Requirements for Web Interface Access
Troubleshooting RSA SecurID Configuration

UPGRADE INSTRUCTIONS
Upgrade Notes

INDEX

INTRODUCTION

This chapter includes an overview of Enterprise Random Password Manager (ERPM), what problems it is designed to solve, performance information, expected pre-requisite knowledge, and some background information on Windows.

This chapter also includes the license and warranty information for ERPM.

IN THIS CHAPTER

Overview
Performance Notes
License Agreement
Limited Warranty
Background and Goals

OVERVIEW

Enterprise Random Password Manager is a privileged account management platform. It is designed to find and manage systems and devices with the intent of building a CMDB of the customer network. Once the systems and devices are discovered, ERPM begins to manage the identities (accounts and passwords) on a regular schedule and provides access to these credentials as needed in a controlled and audited fashion. ERPM will function as a standalone solution, capable of managing platforms on its own. ERPM will also function as a platform, with the ability to integrate and operate or be operated by external programs, provisioning and work flow systems and much more.

ERPM has the ability to not only change passwords for simple accounts like root or Administrator, but also for service accounts that are used to run services, tasks, COM and DCOM objects, scripts, configuration files, and more. Once a password change for a service account is performed, ERPM will propagate the new password to all those referenced locations without an admin needing to define every location the account is used.

ERPM provides more functionality beyond password management, password vaulting, and session management. ERPM also provides for:

Account escalation - the ability to add a user to a pre-defined group with higher privileges than the user would normally have on a target system and then automatically remove that access.

Secure file storage - the ability to upload any file, such as password spreadsheets, digital certificates, instructions, and more, and store it as an encrypted data blob in the program's secure data store. After the files are uploaded, an ACL system identifies which users will be able to retrieve the files while auditing access to the files.

Orchestration - ERPM can run headless, being controlled programmatically. This permits tight integration in other systems such as work-flow engines, run book orchestration for user and system provisioning and de-provisioning, programmatic access to almost all functions, and much more. This control is provided via SOAP-based web services and PowerShell. Users may tie into ERPM using any program or language which can call the web service or PowerShell.

Privileged Account Management - providing session based control to privileged accounts to run specific programs against specific hosts. Via the optional bastion server model, any program, website, script, etc., may be run in a controlled and secured environment to allow users from network access to specific systems or other trusted or untrusted networks using specific tools with specific feature sets. This allows access to the tool set needed to get a job done without providing direct physical access or access to the credential.

Session Recording - building on the concept of privileged account management, when using the optional bastion host, these sessions can be recorded for later playback and auditing of the user actions that took place during a user's session. This further helps to comply with auditing mandates as well as training procedures.

PERFORMANCE NOTES

Enterprise Random Password Manager is a multi-threaded product designed with scalability and speed in mind for every operation. At the default settings of 100 threads (100 simultaneous connections) on a well connected network (100Mbps) where all systems are accessible, password change performance is typically 400 machines per minute for a simple password change (not including propagation steps). This is not a guarantee of service, as off-line systems, high-latency, low-bandwidth, and unhealthy systems will affect performance. When running on Windows Server 2008 R2, the maximum thread count can be set as high as 200-250 simultaneous threads. In Windows Server 2012 and later, the thread count may go even higher and do so with much greater reliability.

Threading options may be tuned up or tuned down by changing the maximum number of threads that will be dispatched from the Program Options dialog under Settings | Program Options. Variances in customer environments and provided hardware may permit more simultaneous threads or may require threading options be turned down.

All scheduled operations and job retries are handled in the background by a deferred processor service. Most clients using the default settings note traffic equivalent to NetBIOS type traffic at about 2% of available bandwidth during an operation, if they note any effect at all on network traffic. Typically, target machine impact is unfelt (CPU, Memory, Hard Disk, Network) but will vary based on the type of operation performed (e.g. changing an account password or restarting a service).

LICENSE AGREEMENT

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation as well as all accompanying items promptly for a refund.

1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of Enterprise Random Password Manager to control the licensed number of systems and/or devices.

2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software.

3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software Corporation of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software Corporation under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for the use of any or all of the information by Lieberman Software Corporation or any third party.

When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067 310.550.8575 Internet E-Mail: support@liebsoft.com Website: http://www.liebsoft.com

LIMITED WARRANTY

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media.

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation or for consequences of any such errors. This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write:

Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067

You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or e-mail us at: sales@liebsoft.com.

BACKGROUND AND GOALS

The Need for Strong Local Credentials

Organizations with a need for the most basic access security should use unique local logon credentials customized for each workstation and server in their environment. Unfortunately, most organizations use common credentials (same user name and password for the built-in administrator account) for each system for the ease of creating and managing those systems by the IT Department, without any concern as to the consequences to the organization should these common credentials be compromised. With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the implementation of reasonably hard to compromise local logon credentials is mandatory for most organizations as a means for protecting not only the confidentiality of their data, but also to protect against tampering.

Creating Strong Local Credentials

Lieberman Software's program, Enterprise Random Password Manager, can change any common account on all workstations and servers in just a few minutes without the need for scripts or any other type of program. The new credentials can be stored in a local or remote SQL Server database and can be recovered on demand using the password recovery website. Enterprise Random Password Manager can be configured to regularly change the passwords of common accounts on all target systems (i.e. workstation built-in administrator account) according to a schedule so that each account receives a fresh cryptographically strong password regularly. This product feature protects the overall security of an organization so that the compromise of a single machine's local administrator password does not lead to the total compromise of the entire organization's security. Enterprise Random Password Manager also provides the ability to automatically discover all references to the specified account, such as services, tasks, COM and DCOM objects, and more, and, following a password change for a user's account, whether domain or local, to propagate the new password to all those references.

Delegated Password Recovery

ERPM also contains a web interface to allow the remote recovery of passwords. The web interface is a web application composed of ASP and ASP.NET web pages that allows any user with the appropriate group memberships the right to use the application as well as the right to recover passwords for accounts managed by the program. All access to the web application as well as all password recoveries are logged, and the history is also available via the same web interface to authorized users.

Because this application protects and provides extremely sensitive information, it is essential that particular attention be paid to the security settings of the application and that appropriate encryption such as SSL be used based on the scope of access provided.

For more information on security hardening, please refer to the proposed options for server hardening: http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/546-server-hardening-guide.html.

PREREQUISITES

If you are looking to migrate from Random Password Manager (as opposed to Enterprise Random Password Manager) to ERPM, please contact your account representative for assistance on this matter. If you are under current support, Lieberman Software will assist you in a one-time migration free of charge.

This section will provide basic instructions to get Enterprise Random Password Manager installed and managing passwords in the shortest amount of time. Components listed such as website, management console, and potentially the database may be on separate systems or shared.

In order to perform a successful installation, a few items will be required:

Windows Server 2008 R2 or later; Windows Server 2012 R2 is recommended

Internet Information Services (IIS) 7.5 or later with support for Active Server Pages enabled

MS SQL 2005 or later or Oracle 11g database - SQL Express is fine for testing

.NET Framework v3.5 SP1

.NET Framework v4.x

A privileged account for the COM application(s) and deferred processor; this can be the same account

Specific communication ports

Additional supporting files

The following sections will outline the requirements and rights required to perform a successful installation of Enterprise Random Password Manager. The sections are broken down by ERPM component. If multiple components will be installed on a single system, then the requirements for both components should be met on the same host.

The solution is an N-tier product where individual components can and should (resources permitting) be distributed across multiple systems. The product is supported in a physical, virtual, or physical-virtual mixed environment. The virtual host platform is irrelevant to the support of the product; however, virtual host configurations can severely impact or impede the ability of the product to work, as virtual host and guest configurations do affect every component of the virtual guest that is running the product.

IN THIS CHAPTER

Recommended Knowledge
Solution Host System Requirements
Solution Web Services Requirements
Solution Database Requirements
Solution Service Accounts
Managed Database Pre-requisites
Managed Computers and Devices Pre-requisites
Port Requirements

RECOMMENDED KNOWLEDGE

ERPM uses a management console application in conjunction with a local service to set up the recurring password change jobs. Setting up the web application to allow access to the password store through the web interface includes the deployment of an IIS Web application. The web application includes COM objects and a collection of ASP and ASP.NET files that will be set up in a virtual directory on the web server. The web server must be Microsoft Internet Information Services. A Microsoft SQL Server or Oracle database is required to store program data.

While Lieberman Software provides documentation and support on how to set up and configure ERPM in conjunction with the various technologies that it uses, it is also required to have knowledge of the program datastore and target databases, IIS web server technologies, network administration, and networking in general, as these components will be used by the solution. These elements should be patched, secured, and properly configured to ensure that the password store system will not be compromised.

SOLUTION HOST SYSTEM REQUIREMENTS

This section covers requirements for the console/deferred processing tier of ERPM. Requirements for the password retrieval website are covered in the next section.

A Windows Server operating system will be required for a production installation of Enterprise Random Password Manager. The solution will work fine on a physical server or a virtual machine. For lab/testing environments, a workstation class operating system, such as Windows Vista Business, or Windows 7 Professional will suffice. All Service Pack levels and editions are supported except where specifically noted. Supported versions of Windows are:

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows 8.1 Professional or higher, 64bit version*,**

Windows 8 Professional or higher, 64bit version*,**

Windows 7 Professional or higher, 64bit version*,**

Windows Server 2012 R2 is the recommended host platform.

*These versions are not recommended or supported for a production implementation; these versions should only be used in a testing scenario.

**This application is a 32bit application and will run in a WOW64 environment on a 64bit system. They are certified by Microsoft to run on these versions.

Keeping in mind best practices regarding Windows and MS SQL hardware requirements, in addition to what the host and other services will require, ERPM will also require:

512MB of RAM

Approx. 500MB of Hard Drive Space to install*

Intel or AMD multi-core processor or multi-CPU system

.NET Framework version 3.5 with service pack 1

.NET Framework version 4.x

It is recommended to exceed these requirements. The recommended minimum configuration is:

Windows Server 2012 R2

2GB of RAM for the ERPM application

4GB+ of hard drive space for local log files

Intel or AMD multi-core or multi-proc/multi-core processors

4GB+ RAM for the program database

.NET Framework version 3.5 with service pack 1

.NET Framework version 4.5

32bit Java v1.5

This manual does not cover installation of Windows.

If using a Windows Server 2008 R2 or later host operating system for ERPM, there will be inconsistencies with remote COM+ management interfaces when managing COM+ on Windows 2000 target machines. For further information on this matter including how to address the issues, please read the following article:

http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/491-stub-received-bad-data-when-propagating-windows-2000-a.html

If attempting to manage databases other than Microsoft SQL, the most recent 32bit OLEDB providers, typically available from the DB vendor or installation media, will be required to be installed.

Before ERPM can be installed successfully, the .Net Framework must also be installed; specifically version 3.5 SP1 AND version 4.x. Version 3.5 SP1 is included in Windows Server 2008 R2. Version 4.x must be installed on operating systems prior to Windows Server 2012. Windows Server 2012 will require additional steps to install version 3.5 SP1. The .Net Framework is leveraged for some of the propagation types such as Microsoft SCOM and some of the Cross-Platform support features. It is highly recommended to obtain the latest version and service packs of the .Net Framework.

ERPM also ships with a Java based SDK for application to application and application to database secure password management. This is available for both Windows and non-Windows operating systems. Java 1.5 or higher, 32bit edition, will be required to make use of this. If Java 1.5+ is not installed, the program's Java based SDK will not be available to ERPM. If there are no plans to make use of the program's Java based SDK, then there is no need to install Java on the host system or target systems. If attempting to integrate System Center Service Manager (SCSM) - the SCSM SDK binaries will need to be obtained from the installation directory of SCOM and placed into the installation directory of ERPM if using SCSM 2010.

Virtual environments are fully supported for all components of the solution. However, there may be severe performance limitations depending on the virtual environment versus the environment being managed. Typically, the application(s) and website(s) are virtualized while the database is a physical system. Please refer to the following knowledge base article for more information on HA, DR, and basic comments on security:

http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/59-disaster-recovery-security-high-availability.html

* This does not include space required by logging files. Log files are enabled by default and can consume enormous amounts of space over time.

Note: As of version 4.83.8, Enterprise Random Password Manager is no longer supported on Windows Server 2008 (non-R2 versions). Version 4.83.7 and earlier would run on Server 2008 (non-R2) 64bit editions only.

SOLUTION WEB SERVICES REQUIREMENTS

This section covers requirements for the password retrieval website tier of ERPM. Requirements for the management console/deferred processor are covered in the previous section.

On the machine or machines functioning as the web host(s), change the following security policy (gpedit.msc): Computer Configuration | Administrative Templates | System | User Profiles: Do not forcefully unload the user registry at logoff = Enabled.

If the above change is not made on the web host(s), the web site COM+ application may stop working (in time) and a DCOM error (10006) may be logged in the web server(s) application event log and the website will not function, displaying an inability to retrieve a list of authenticators from the database.

IIS 7.5 or later - see below for detailed requirements

.NET Framework version 3.5 with service pack 1

.NET Framework version 4.x

Internet Information Services (IIS) with support for Active Server Pages must be installed on the system that will host Enterprise Random Password Manager. Supported versions of IIS include:

IIS 7.5

IIS 8.0

IIS 8.5

IIS 7.5 and 8.x require the following role services be included when configuring IIS:

Static Content

Default Document

HTTP Errors - required for file vault

ASP.NET (v4.5)

ASP – active server pages

Static Content

Static compression - optional

IIS Management console (not the IIS6 version)

IIS6 Metabase compatibility

Windows authentication - optional, required if using Windows integrated authentication

Installation and configuration of IIS will be covered in the next section.

Note: As of version 4.83.8, Enterprise Random Password Manager is no longer supported on Windows Server 2008 (non-R2 versions). Version 4.83.7 and earlier would run on Server 2008 (non-R2) 64bit editions only.

The management console can push out the website to a remote web server. If the website will be hosted on a remote system, relative to the management console, it will be necessary to enable remote COM+ access on the web server to support an automated installation of the website. For information on how to enable this access, see the Remote COM+ and IIS (see "Remote COM+ and IIS Access" on page 138) section of this guide.

SOLUTION DATABASE REQUIREMENTS

A Microsoft SQL database or Oracle database will be required at the time of installation and is used for Enterprise Random Password Manager's storage and configuration database; all systems lists, system information, account information, stored passwords, etc. are stored in the database. During the installation, the options to use an existing installation of a database or implement a new instance on the same server or a different server (different server recommended) will be offered.

With respect to what Lieberman Software recommends, both are excellent choices depending on available resources, licensing, and your available in-house support staff. We do, however, have notes about the use of these databases...

It is essential when using an Oracle back-end that the Oracle DBA tune the database to achieve the level of performance that is being sought after. Oracle provides some extra tools to support this tuning, but it must still be performed by your Oracle DBA; there is nothing Lieberman Software can program in to ERPM to achieve the desired performance. Comparatively, SQL Server uses an automated tuning system that does not generally require a DBA. Oracle achieves scalability by allowing almost everything in it to be manually configured. Oracle also starves many applications by default and this absolutely requires a DBA to parcel out resources to different applications.

There are no rules of thumb for Oracle nor any general purpose guidance other than, if you are not getting sufficient performance from our application, to engage the Oracle DB and manually optimize our environment. Oracle works well with our application; however, it will require an Oracle DBA to manage our database.

MS SQL REQUIREMENTS FOR SOLUTION

Supported versions of MS SQL include:

MS SQL 2014

MS SQL 2014 Express*

MS SQL 2012

MS SQL 2012 Express*

MS SQL 2008 R2

MS SQL 2008 R2 Express*

MS SQL 2008

MS SQL 2008 Express*

MS SQL 2005

MS SQL 2005 Express*

*SQL Express versions are not recommended or supported for production implementations and should be used for testing scenarios only. SQL Express also configures itself to a random port number during installation. This port number will be required to complete the installation of ERPM.

Standard and Enterprise editions are supported. SQL 2012 or later is strongly recommended. Installation and configuration of MS SQL will be covered in the next section.

Use Integrated Authentication or explicit SQL authentication; integrated authentication is the preferred method of connection as it does not require storage of any connection credentials by the host system. If using a dedicated instance of SQL to provide to ERPM or RPM, simply grant:

• SYSADMIN = user role

or

• Control Server = database server right

This allows the granted users the rights to perform all actions within that instance of SQL including creating the required databases, stored procedures, all other features in the main application, as well as backup and restoration.

If it is not desired or permitted to grant SYSADMIN or Control Server to the SQL instance, then the database that ERPM will use must be pre-created within SQL by the DBA. The SQL account, or Windows users/groups will need to be granted the following roles/rights over the ERPM database:

• DBO = user role

• View Server State = server permission

or

• db_datareader = user role

• db_datawriter = user role

• db_ddladmin = user role

• View Server State = server permission

• Execute = database permission

• Create tables = database permission

• Create views = database permission
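The second (granular) option above, written out as a T-SQL script a DBA could run in place of granting SYSADMIN. This is an added example, not part of the Lieberman Software guide; the database name ERPM_Store and the Windows service account CONTOSO\svc-erpm are placeholders, and integrated authentication is assumed as the guide prefers.

```sql
-- Added example (not from the ERPM guide). Run as a DBA in SSMS or sqlcmd.
-- Placeholders (assumptions): database ERPM_Store, Windows account CONTOSO\svc-erpm.

USE master;
GO

-- 1. The DBA pre-creates the database so the service account needs no
--    instance-wide rights such as SYSADMIN or CONTROL SERVER.
CREATE DATABASE ERPM_Store;
GO

-- 2. Windows login for integrated authentication: no connection password
--    has to be stored on the ERPM host.
CREATE LOGIN [CONTOSO\svc-erpm] FROM WINDOWS;
GO

-- 3. The only server-level permission on the list.
GRANT VIEW SERVER STATE TO [CONTOSO\svc-erpm];
GO

USE ERPM_Store;
GO

-- 4. Map the login into the database and add the three fixed database roles.
--    sp_addrolemember is used because it exists on every SQL Server version
--    the guide lists (2005 through 2014).
CREATE USER [CONTOSO\svc-erpm] FOR LOGIN [CONTOSO\svc-erpm];
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\svc-erpm';
EXEC sp_addrolemember N'db_datawriter', N'CONTOSO\svc-erpm';
EXEC sp_addrolemember N'db_ddladmin',   N'CONTOSO\svc-erpm';

-- 5. Database-level permissions from the list.
GRANT EXECUTE      TO [CONTOSO\svc-erpm];
GRANT CREATE TABLE TO [CONTOSO\svc-erpm];
GRANT CREATE VIEW  TO [CONTOSO\svc-erpm];
GO

-- 6. Review what the account actually holds.
-- Role memberships in this database:
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CONTOSO\svc-erpm';

-- Explicit database-level permissions:
SELECT pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS u ON u.principal_id = pe.grantee_principal_id
WHERE u.name = N'CONTOSO\svc-erpm';

-- Explicit server-level permissions:
SELECT pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS l ON l.principal_id = pe.grantee_principal_id
WHERE l.name = N'CONTOSO\svc-erpm';

-- 7. IS_SRVROLEMEMBER returns 1 when the login is a member of the role, 0 when not.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'CONTOSO\svc-erpm') AS is_sysadmin;
GO
```

Keeping the review queries with the grant script lets the same output be attached to the change record and re-run later to spot permission drift on the password store.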

ORACLE REQUIREMENTS FOR SOLUTION

Supported versions of Oracle include:

Oracle Database 11g R1, 32bit

Oracle Database 11g R1, 64bit

Oracle Database 11g R2, 32bit

Oracle Database 11g R2, 64bit

Standard Edition One, Standard Edition, Enterprise Edition are supported. The Oracle database may be hosted on a Windows or non-Windows platform.

Enterprise Random Password Manager will require its own table space and must be granted an unlimited quota on this table space.

The following rights will be required by the account used to connect to the Oracle database:

CONNECT

CREATE TRIGGER

CREATE SEQUENCE

CREATE TABLE

CREATE VIEW

Oracle uses overly conservative initial configurations for a heavily threaded product such as ERPM. In a default configuration where ERPM is spawning at least 100 threads to the database, this can cause the database to run out of resources, resulting in failed jobs (incomplete password changes). This behavior is easily seen and replicated by trying to do things such as changing passwords across a largish number of systems. One way to combat this is to drop the thread count down to 40 (Settings | Program Options) for ERPM. This has the effect of slowing down the job processing while increasing the likelihood of a successful job (as far as the DB is concerned). Another [highly recommended] option is to change the memory and thread allocation of the Oracle database. Start with:

show parameter memory

show parameter process

This will give you your baseline settings. To change the allocations use:

alter system set memory_target=xxxxM scope=spfile;

alter system set processes=yyyy scope=spfile;

Where xxxx is the amount of memory allocated to the database and yyyy is the number of threads. We recommend a value of 2000 or much higher for the memory and a minimum value of 1000 threads.

Note: The Oracle 11g R2 OLEDB provider (version 11.2.0.3) does not properly register on Windows servers. If using this version of the OLEDB provider, please also run the following command after installation of the Oracle OLEDB provider on your Windows server: regsvr32
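The Oracle account requirements and the resource baseline from this section, scripted as an added example (not from the vendor's guide). The tablespace name, datafile path, sizes, user name ERPM_APP and the password placeholder are assumptions; run it as a DBA, for example in SQL*Plus.

```sql
-- Added example for Oracle 11g. All object names, the datafile path and the
-- sizes are hypothetical placeholders.

-- Dedicated tablespace for the application schema.
CREATE TABLESPACE erpm_data
  DATAFILE '/u01/app/oracle/oradata/ORCL/erpm_data01.dbf' SIZE 1G
  AUTOEXTEND ON NEXT 256M MAXSIZE UNLIMITED;

-- Connection account with an unlimited quota on that tablespace only.
CREATE USER erpm_app IDENTIFIED BY "ChangeMe_Placeholder1"
  DEFAULT TABLESPACE erpm_data
  QUOTA UNLIMITED ON erpm_data;

-- Only the rights listed in this section. CONNECT is a role; the others are
-- system privileges.
GRANT CONNECT TO erpm_app;
GRANT CREATE TRIGGER, CREATE SEQUENCE, CREATE TABLE, CREATE VIEW TO erpm_app;

-- Review what the account holds. Anything beyond the rights granted above
-- (for example UNLIMITED TABLESPACE or the DBA role) is excess privilege.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'ERPM_APP'
ORDER  BY privilege;

SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'ERPM_APP';

-- In DBA_TS_QUOTAS, MAX_BYTES = -1 denotes an unlimited quota.
SELECT tablespace_name, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'ERPM_APP';

-- Current use, high-water mark and configured limit for processes and sessions.
-- A MAX_UTILIZATION at or near LIMIT_VALUE during a large password change job
-- indicates the resource exhaustion described in this section.
-- Changes made with SCOPE=SPFILE take effect at the next instance startup.
SELECT resource_name, current_utilization, max_utilization, limit_value
FROM   v$resource_limit
WHERE  resource_name IN ('processes', 'sessions');
```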

SOLUTION SERVICE ACCOUNTS

Enterprise Random Password Manager is comprised of an N-tier architecture: database, management console, web server, and zone processors. All tiers may be on a single system or spread across multiple systems. The web site, management console, and zone processors are mutually exclusive in their operation. The web site and zone processors may use the same service account or use separate service accounts with different permissions.

ERPM uses a COM+ object for its interactions from the web server to the application database. This object requires the use of a privileged account. This account should be a domain member (as applicable) and have the following rights and memberships:

• Administrator of the web server host system

• Domain User*

• Log on as a batch job

• DBO rights for the application database if using integrated authentication

*If multiple trusting domains will be managed by a single implementation of ERPM, the COM account must be a trusted user for the target domain(s) as well, or manual configuration of an authentication bridge will be required. If using a directory other than Active Directory for user authentication, this requirement may be skipped.

Pre-configuration of this account will be covered in the next section.

ERPM performs all scheduled jobs such as password change jobs or password verification reports by using a service on the management console host system or a standalone service called a zone processor. The account should be a domain member (as applicable) and have the following rights and memberships:

• Administrator of the management console host system

• Log on as a service*

• DBO rights for the application database (system admin of the DB not required) if using integrated authentication

• Administrative rights over target managed systems**

The account used to run the deferred processing service cannot be managed automatically by ERPM! Managing this account by ERPM will cause the job being run to be stopped mid-process, which will leave the job in a locked and incomplete state. This will likely cause all scheduled jobs to stop running until manual intervention is taken. An alternative to using a service account for the scheduling service is to configure the service to run as LocalSystem. This will negate password management requirements for the service. However, to be successful in using this method, you must also grant permissions to the database for the computer account (ComputerAccountName$) as well as ensuring the computer account is seen as an administrator of all managed systems.

NOTE: If the computer account is added to a new group in Active Directory in order to provide these administrative rights, the computer must be restarted.

The website COM object must be configured to run as a user account, but this account can be automatically managed by ERPM.

* If the service account/interactive user account cannot be administrators of the target systems, then alternate administrative accounts will need to be configured for use by the tool. Please see the administrator's guide for steps on configuring alternate administrator accounts. If possible, avoid the use of alternate administrator accounts within Enterprise Random Password Manager when managing COM+ and DCOM objects, including scheduled tasks, as these interfaces do not allow for impersonation.

**The COM account, if using a separate account than the deferred processing account, may need administrative rights over target Windows systems. This right becomes a requirement IF the website option to Block password Check-in if account is in use is turned on. Enabling this option allows the COM object to enumerate all active sessions and determine if the specified account is still "logged in".

All accounts running components of ERPM, including users of the administrative console, must be allowed to "Create Global Objects". This security permission is granted to Administrators by default via local system policy, but it is also sometimes removed by group policy. ERPM creates and shares information between its components. If this policy is not allowed for the service accounts and users of the administrative console on the machine(s) hosting our components, the console or the components will not be able to function. This policy is found in the local policy under: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignments >> Create Global Objects.

MANAGED DATABASE PRE-REQUISITES

Various databases can be managed within Enterprise Random Password Manager. In order to connect to and manage these databases, the appropriate database provider will need to be installed on the ERPM host system. The providers may be downloaded from the database manufacturer. A provider for Microsoft SQL is already provided with Windows.

The following databases require additional database specific providers to allow for management of their privileged identities from the Enterprise Random Password Manager host system.

Oracle

MySQL

Sybase - Sybase ASE OleDB provider

DB2

Changing DB2 account passwords is supported but does not require a specialized provider for password management as DB2 utilizes the database host system's local account store rather than providing its own internal accounts store as does Microsoft SQL, Oracle, or MySQL. However, Enterprise Random Password Manager can enumerate the local accounts associated with the DB2 Instance. For this process to work, the DB2 database OLEDB provider must be installed.

The rights required to change a target account's password will vary from database to database. The rights required will also vary depending on the target account being changed. Certain information, such as the instance or service name, will also need to be known prior to a successful password change within a database. For the most up to date description of rights required to change various identities within a target database, see the database vendor for information. Following is a non-exhaustive list of possible rights required for various databases:

Microsoft SQL = Microsoft SQL can leverage explicit SQL accounts or "integrated authentication" accounts. Accounts using "integrated authentication" will be local computer accounts or accounts from a trusted domain. In order for either of these account types to manage account passwords within MS SQL, the following rights must be granted to the desired account or group:

GRANT VIEW ANY DEFINITION

GRANT CONTROL SERVER

Interactive login account and/or deferred processing account will require these rights in order to change passwords and enumerate accounts within the SQL database. Rights must be granted to a Windows user or group for Integrated Windows authentication. Database instance name and port (if different than default) will be required.

If the sysadmin right is given, no other rights will be required on the MS SQL server.

Oracle = An Oracle login account will be required when configuring an Oracle password change job. This login account must have sufficient rights to change the desired target account's password. Presuming the login account can connect to the specified Oracle service (and instance if applicable) the following rights must be granted to the desired login account:

ALTER USER

To enumerate the user accounts in an Oracle instance (accounts store view in Enterprise Random Password Manager), the following rights must be granted to the desired login account:

SELECT ANY DICTIONARY

MySQL = A MySQL login account will be required when configuring a MySQL password change job. This login account must have sufficient rights to change the desired target account's password. Presuming the login account can connect to the specified MySQL service and target database, the following global privilege must be granted to the desired login account:

UPDATE

To enumerate the user accounts in a MySQL instance (accounts store view in Enterprise Random Password Manager), the following global privilege must be granted to the desired login account for the appropriate database:

SELECT

Sybase = A login account will be required when configuring a Sybase password change job. This login account must have sufficient rights to change the desired target account's password. Presuming the login account can connect to the specified Sybase service (and instance if applicable), the login account must belong to either of the following roles:

SSO_ROLE

SA_ROLE

To enumerate the user accounts in a Sybase instance (accounts store view in Enterprise Random Password Manager), the following access must be granted to the desired login account:

SELECT access to the password column of the SYSLOGINS table in the MASTER database

DB2 = The rights required to change rights for accounts associated with a DB2 instance depend on whether the database is hosted on Windows or Linux/UNIX. If hosted on Windows, the ERPM interactive login account and/or deferred processing account will require Account Operators unless the target account (account being managed) is also a local administrator. If the target account is a local administrator, then the ERPM interactive login account and/or deferred processing account will require local Administrators membership as well. If the target account is hosted on Linux/UNIX, ERPM will be configured to connect to the target system as the target user for this password change job. Any user should be able to change their own password. See the administrator's guide for configuring password changes on Linux/UNIX systems. Follow the steps for changing accounts on Windows or Linux/UNIX.

To enumerate accounts in a DB2 database instance (accounts store view), the login account will require:

CONNECT TO DB

MANAGED COMPUTERS AND DEVICES PRE-REQUISITES

The following lists the requisite services and expected configurations for target managed computers and devices.

Windows, see port requirements for further information -

File and Print Services for Microsoft Networks

Server Service

Remote Registry is optional and allows for further system information gathering such as MAC address retrieval

If using Enterprise Random Password Manager and propagating/managing the following items, remote management support to:

COM+/MTS - requires application server role with network COM+ access

DCOM

IIS - If intent is to manage on a target system, IIS must also be installed on the host system - requires application server role with network COM+ access

WMI - for System Center Operations Manager run as account management. Also required is placement of the SCOM SDK binaries (from the SCOM server) in the Enterprise RPM installation directory.

Enabling remote access to COM+ and IIS requires additional configuration steps on the target systems. These steps are outlined in the Remote COM+ and IIS Access (on page 138) section.

Linux/UNIX/OSX -

Determine current SSH port - required for password change and account enumeration

Login password for a root level account, or the root account being managed

Low powered login account - optional, used if root accounts are not permitted to SSH to target system

Some distributions of Solaris, AIX, or other Linux/UNIX distributions may require password authentication be enabled in the /etc/ssh/sshd_config file. This will be obvious as there will be errors to reflect this during a password change job in the E/RPM log. To enable password authentication, open /etc/ssh/sshd_config and set the PasswordAuthentication directive to yes. Then, restart the SSH daemon. How to restart the daemon will be distro specific. Following are examples of various restart commands:

• FreeBSD: /etc/rc.d/sshd restart

• Suse: rcsshd restart

• Ubuntu: sudo /etc/init.d/ssh restart

• Red Hat/Fedora/CentOS: /etc/init.d/sshd restart OR service sshd restart

Cisco -

Login account password

Current password for enable

SSH or Telnet port if changed from default

IPMI -

Login account password; Root or Admin level password

SSH/Telnet devices, actual requirements will vary based on target type and embedded operating system -

Login account password; Root or Admin level password

SSH or Telnet port if changed from default

Special consideration may need to be given these devices for the process used to update stored passwords. Please review the admin guide for information on modifying the XML files used for SSH/Telnet targets.

PORT REQUIREMENTS

The following ports can be used by Enterprise Random Password Manager. Actual port usage will vary based on the options used and systems managed.

The following ports are the standard well known ports for the various protocols. These ports may have been changed on the target systems. It is the solution Administrator's responsibility to determine if any of the target ports have been changed and reflect that changed port when password change jobs or account discovery jobs are performed.

Port 22 - SSH, TCP, outbound - used for managing non-Windows devices that support SSH. Non-Windows devices only.

Port 23 - Telnet, TCP, outbound - used for managing non-Windows devices that support Telnet. Non-Windows devices only.

Port 25 - SMTP, TCP, outbound - port for e-mail support. Only required if email notifications will be allowed from the solution.

Port 80/443 - HTTP/S, inbound - password recovery from ERPM password recovery website.

Port 135 - Remote DCOM management port and secondary ports typically provided by granting access to DLLHOST.EXE in the %systemroot%\system32 directory, TCP/UDP, outbound. This port is also required to support automated installation of the password recovery website. The website can be manually installed on the target web server so this port does not need to be open on the web server unless also managing DCOM objects on the web server or IIS web sites and virtual directories. For Enterprise Random Password Manager, this port is required to be able to set credentials for COM+, and DCOM applications, IIS web sites and virtual directories, as well as Scheduled Tasks (iTask interface). Remote COM/DCOM may require the use of additional ports (1024+) - check your system configuration.

Port 137 - NetBIOS name service, UDP, outbound. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for management of Windows systems.

Port 138 - NetBIOS datagram distribution service, UDP, outbound. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for management of Windows systems.

Port 139 - NetBIOS Name Service Ports, TCP, outbound. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for management of Windows systems.

Port 389/636 - LDAP/LDAPS, TCP, outbound. LDAP compliant directories such as Active Directory or Oracle Internet Directory

Port 445 - Alternate NetBIOS Name Service port, TCP, outbound. This port is not required unless the normal NetBIOS Name Service ports are closed (137, 138, 139). Be aware that this alternate port for the NetBIOS Name Service will not work on Windows NT 4 or earlier.

Port 514 - ArcSight / QRadar / Syslog, UDP, outbound.

Port 623 - IPMI, UDP, outbound.

Port 80/443/Other - HTTP/HTTPS, TCP, inbound. When configuring the password recovery website, it will default to using HTTP (port 80) without the use of SSL. SSL is highly recommended for use with the password recovery website but is the responsibility of the administrator to configure. If the HTTP + SSL is configured (HTTPS) then the default ports requirement for the web server is port 443. Whether HTTP or HTTPS is used, the administrator of the website can also choose to redirect web traffic to any port other than 80 or 443.

Port 1433 - SQL Server, TCP, outbound. Ports used for connecting to SQL Server must be accessible from the machine running Enterprise Random Password Manager as well as any instances of the web interface. This port is typically a custom TCP/IP port and can be configured through the SQL Server database provider. If MS SQL is using a different port, then specify this on the database connection configuration dialog.

Port 2002 - Java SDK remote connection, TCP, outbound.

Port 3306 - MySQL, TCP, outbound.

Port 3389 - Remote Desktop Protocol (RDP), TCP, outbound.

Port 5000 - Sybase, TCP, outbound.

Port 50000 - DB2, TCP, outbound.

Port - Other, depending on the application being managed, such as SharePoint or if additional external items/processes are leveraged, additional ports will be required. Please refer to the following requirements for known port connection requirements:

BMC Remedy - TCP/UDP, outbound, BMC_AR_Port

HP Service Manager - TCP, outbound, HPSM Port

Microsoft SharePoint Server - TCP outbound, the SharePoint administrative port

Microsoft System Center Configuration Manager - TCP, outbound - typically Microsoft File and Printer Sharing or Remote management ports

Oracle WebLogic - TCP outbound

Enterprise Random Password Manager includes multiple components some of which are optional and separate. This installation guide contains

This section outlines installation of the pre-requisites. Actual installation experience may vary. Covered is:

Installation of IIS 7.x

Installation of MS SQL 2008 (r2)

Installation of Oracle 11g

COM and Deferred Processor Account

Not covered is:

Installation of .NET Framework

Installation of Java SDK

Whether or not the password retrieval website will be installed locally on the ERPM host system, certain components of IIS must be installed in order to perform an automatic installation of the web site to a remote server. Local IIS components will also be required to manage remote IIS installations; however, only a couple of elements will be required and those are outlined in the following sections.

IN THIS CHAPTER

Installing and Configuring IIS

MS SQL and Oracle

Database Connectors

Remote COM+ and IIS Access

Configure the COM Object and Deferred Processor Account

INSTALLING AND CONFIGURING IIS

The following sections detail how to install and configure IIS on their respective host operating systems.

IN THIS CHAPTER

Installing IIS

How to Configure SSL

INSTALLING IIS

Important! The Enterprise Random Password Manager web interface does not work properly on 32bit editions of Windows 2008 and is not supported on 32bit editions of Windows 2008.

The installation experience for IIS 7.5 and 8.0 on Server 2008 R2 and Server 2012 is identical and the same procedures can be followed.

IIS requires the following role services be included when installing IIS:

• Static Content

• Default Document

• HTTP Errors

• ASP.NET

• ASP

• Static compression - optional

• IIS6 metabase compatibility

Any items that these components want to add will also need to be included.

To install Internet Information Services, open Server Manager and select the Roles node. In the details pane (right side), click the Add Roles link to start the Server Roles Wizard.

Click Next on the description page.

On the Select Role Services page, under the Application Development header, select ASP and ASP.NET. By default, Windows 2008 or later does not enable support for Active Server Pages; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where support for Active Server Pages has not been enabled, please see Enable ASP Support for IIS (see "Enable ASP Support" on page 47) to enable support for it.

By default, Windows 2008 or later does not enable support for ASP.NET; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where support for Active Server Pages has not been enabled, please see Enable ASP.NET Support for IIS (see "Enable ASP.NET Support" on page 50) to enable support for it.

If prompted to Add role services required for ASP? and/or Add roles services required for ASP.NET, click Add required role services.

On the Select Role Services page, under the Management Tools header, select IIS 6 Metabase Compatibility. Click Next to continue.

By default, Windows 2008 and later does not enable support for IIS 6 Metabase Compatibility; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where support for IIS 6 has not been enabled, please see Enable IIS6 Compatibility Support for IIS (see "Enable IIS6 Compatibility Support" on page 54) to enable support for it.

Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard.

The IIS administrators console may be launched by selecting Internet Information Services (IIS) Manager from the Administrative Tools menu, by selecting Web Server under the Roles node in Server Manager, or by typing inetmgr at the command prompt or run menu.

REQUIRED WEB COMPONENTS ON A NON-WEB SERVER

[Enterprise] Random Password Manager is an N-tier product consisting of web services, a management console, a database, and scheduling services (zone processor or default deferred processor). It is a recommended practice to separate out the product into at least three tiers consisting of:

1) Web Services

2) Management console & scheduling service

3) Database

When the machine hosting the management console will NOT also function as a web server, certain portions of IIS may still be required. In the modular paradigm of Windows, if IIS is not installed, neither are the binaries to be able to manage and talk to remote instances of IIS. Therefore to perform a remote installation of the web services (push) or to manage IIS 6 and IIS 7.x, it will be required to install these binaries.

The installation experience for IIS 7.5 on Server 2008 R2 is identical and the same procedures can be followed.

IIS 7 requires the following additional role services be included when installing IIS 7 for remote web service installations and remote IIS management:

• IIS6 management compatibility - if also managing web servers that run IIS 6

If IIS 6 web servers will not also be managed, then simply add IIS with no options.

To install Internet Information Services in Windows 2008, open Server Manager and select the Roles node. In the details pane (right side), click the Add Roles link to start the Server Roles Wizard.

Click Next on the description page.

On the Select Role Services page, under the Management Tools header, select IIS Management Console (required for IIS 7), IIS 6 Metabase Compatibility, and IIS 6 Management Console. All other items may be deselected. Click Next to continue.

By default, Windows 2008 does not enable support for IIS 6 Management Compatibility; it is added during the installation of IIS by following these steps. If using an existing installation of IIS where support for IIS 6 has not been enabled, please see Enable IIS6 Compatibility Support for IIS 7 (see "Enable IIS6 Compatibility Support" on page 54) to enable support for it.

Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard.

The IIS administrators console may be launched by selecting Internet Information Services (IIS) Manager from the Administrative Tools menu, by selecting Web Server under the Roles node in Server Manager, or by typing inetmgr at the command prompt or run menu.

ENABLE ASP SUPPORT

If installing this application onto an existing web server and Active Server Pages was not previously enabled, turn it on by using the following procedure.

In Server Manager select the Roles node, expand the Web Server (IIS) heading and click on the Add Role Services link.

On the Select Role Services page, under the Application Development header, select ASP.

If prompted to Add role services required for ASP?, click Add required role services. This will automatically add ISAPI Extensions.

On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard.

There are no further actions to perform once the wizard completes.

ENABLE ASP.NET SUPPORT

If installing this application onto an existing web server and ASP.NET was not previously enabled, turn it on by using the following procedure.

In Server Manager select the Roles node, expand the Web Server (IIS) heading and click on the Add Role Services link.

If prompted to Add role services required for ASP.NET?, click Add required role services. This will automatically add ISAPI Extensions.

On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard.

There are no further actions to perform once the wizard completes.

ENABLE IIS6 COMPATIBILITY SUPPORT

If installing this application onto an existing web server and IIS 6 Compatibility was not previously enabled, turn it on by using the following procedure.

In Server Manager select the Roles node, expand the Web Server (IIS) heading and click on the Add Role Services link.

On the Select Role Services page, under the Management Tools header, select IIS 6 Metabase Compatibility. Click Next to continue.

On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. Windows will begin the setup and configuration of IIS. When the file operations are complete, click Close to close the wizard.

HOW TO CONFIGURE SSL

This product does not ship with an SSL certificate for encryption between the password retrieval website and the client browser. This means it is up to the web server admin to configure SSL and determine which certificate to use.

See the following pages for configuring SSL on IIS 7+.

SSL WITH IIS - WITH AN EXISTING CERT

In order to encrypt transmissions from the web server (IIS) to the client browser, to protect the privileged passwords while they are in transit, it is necessary to configure SSL. This product does not ship with a pre-configured SSL certificate. Certificates can be obtained through a public certification authority or through an internal private certificate authority or numerous free utilities, or in IIS 7.x and later, with a self-signed certificate. The following steps presume that a certificate is already installed on the host web server and must be requested.

Open Internet Information Services (IIS) Manager from the Administrative Tools. Go to the server's node and open Server Certificates.

Go to the website that hosts the product's web pages or hosts the virtual directory for the web pages. In the Actions pane, click Bindings.

Select the protocol Type to be HTTPS and assign the preferred SSL Port. If an alternate port is selected, this must be reflected in the URL as HTTPS://address:port_number/.... Select the appropriate certificate from the SSL certificate drop down list. Click OK.

To require that the website use SSL, go to the website that hosts the product's web pages or the virtual directory that hosts the web pages and, from the IIS area, open SSL Settings.

Set the option to Require SSL. Click Apply. No other configuration options are required.

SSL WITH IIS - NO EXISTING CERT

In order to encrypt transmissions from the web server (IIS) to the client browser, to protect the privileged passwords while they are in transit, it is necessary to configure SSL. This product does not ship with a pre-configured SSL certificate. Certificates can be obtained through a public certification authority or through an internal private certificate authority or numerous free utilities, or in IIS 7.x and later, with a self-signed certificate. The following steps presume that a certificate is NOT already installed on the host web server and must be requested.

Open Internet Information Services (IIS) Manager from the Administrative Tools. Go to the server's node and open Server Certificates.

Type in a friendly name for easy identification and click OK. The certificate will be created and added to the list of certificates installed on the server.

To create a certificate request to an on-line Enterprise CA, click Create Domain Certificate.

On the Distinguished Name Properties dialog, specify the Common name (for easy identification), and all other properties, then click Next.

If this is going to an off-line CA, select the appropriate Cryptographic Service Provider Properties. If this is going to an on-line CA, this page will not be presented. Click Next.

If this is going to an off-line CA, a prompt for the name of the certificate request will be presented. This text file will be sent to the CA for processing. Once the certificate is approved, simply follow the wizard to Complete Certificate Request, then examine the next section to configure SSL with an existing certificate. Click Finish.

If this is going to an on-line CA, select the name of the CA by clicking the Select button. Then supply the friendly name of the website. The friendly name is the name of the server specified in the URL. Click Finish.

Go to the website that hosts the product's web pages or hosts the virtual directory for the web pages. In the Actions pane, click Bindings.

Select the protocol Type to be HTTPS and assign the preferred SSL Port. If an alternate port is selected, this must be reflected in the URL as HTTPS://address:port_number/.... Select the appropriate certificate from the SSL certificate drop down list. Click OK.

To require that the website use SSL, go to the website that hosts the product's web pages or the virtual directory that hosts the web pages and, from the IIS area, open SSL Settings.
