ManageEngine Password Manager Pro (PMP)

Describes how to setup remote password security with ManageEngine Password Manager Pro (PMP).

Leave Feedback

Introduction

ManageEngine Password Manager Pro (PMP) is a web-based application that provides privileged account security and remote access management. This privileged password management solution securely stores and manages sensitive information such as passwords, documents, and digital identities.

Prerequisites

The following OpsRamp gateways are required must be setup:

  • Active Gateway server: Install on all the resources/resource environment on which ManageEngine Password Manager application is hosted.
  • Stand-by Gateway server: Serves as a backup of primary Gateway server (Active Gateway).
OpsRamp Gateway System Requirements
Gateway Installation PurposeVirtual Instance Requirements
Gateway for Password Vault IntegrationVirtual CPUs, 4 GB RAM / 50 GB HDD / 1 NIC

Supported hypervisors are VMware ESXi, Citrix XenServer, Microsoft Hyper-V and KVM

Custom attributes

Custom attributes allow you to extend the set of properties that define a resource to include your information. For example, you can create a custom attribute, Asset Tag, and specify a value for each resource. These custom attributes and values control how a resource is managed in OpsRamp.

In this integration, custom attributes help you to fetch the privileged resources information, such as account and password from PMP. You can then map OpsRamp resources with PMP resources using custom attributes.

OpsRamp configuration

Configuration involves:

  1. Creating and assigning custom attributes.
  2. Installing and configuring the integration.

Step 1: Create and assign custom attributes

This steps involves creating the custom attribute, assigning a value to the custom attribute, and assign the custom attribute to resources.

To create a custom attribute:

  1. From All Clients, select a client.
  2. Go to Setup > Custom Attributes > Custom Attributes and click +.
  3. From Create Custom Attributes, provide the following:
    • Scope: Specifies for whom the custom attribute is applicable. Partner: Refers only to a Partner. However, clients under the partners can also inherit the attribute. Client: Refers to a specific Client. Selecting this option, lets you also select the required client from the  Client drop-down option.
    • Client if the scope is for a client.
    • Custom Attribute Type: Provide unique name for the custom attribute. For example: Resource Account Number
    • Description: Provide a description for the custom attribute.
  4. Click Submit.
    Create Custom Attribute

    Create Custom Attribute

To assign a custom attribute value:

  1. From Custom Attributes, click + and provide the following to assign a custom attribute value:
    • Custom Attribute Type: Displays the name established previously.
    • Custom Attribute Value: Provide a unique value.
    • Description: Provide a description for the custom attribute value.
  2. Click Submit.
Create Custom Attribute Value

Create Custom Attribute Value

To assign resources to the custom attributes:

  1. From Custom Attributes, select the custom attribute (search is available) and click on the Assign icon
    Assign Icon

    Assign Icon

  2. From Assign Entity Objects to Custom Attributes, provide the following:
    • Custom Attribute Type: Auto-generated
    • Custom Attribute Value: Auto-generated
    • Assign On: Default is Resources & Services.
    • Entity type: Select either Resources or Services.
  3. From All Resources and Services, select or search for a specific resource or service and click the right arrow icon. The selected resources appear in the other box.
  4. Click Submit.
Assign Custom Attribute Value to a Resource

Assign Custom Attribute Value to a Resource

The created custom attribute appears with the details on the Custom Attributes page.

Custom Attribute with Resource

Custom Attribute with Resource

Step 2: Install and configure the integration

To install and configur the integration:

  1. From All Clients, select a client. Note: Installing ManageEngine at the client-level is mandatory.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select Password Management > ManageEngine Password Manager and click Install.
  4. Click Add to create the credential mapping and provide the following:
    • Name: Specify the password vault.
    • Properties: Provide the following:
      • accessToken: Provide authToken copied from PMP API user creation step.
      • endPointURL: Provide the API endpoint URL to get password from PMP.
      • IS_ACCOUNT_NOTES_REQD: TRUE if account notes are required while retrieving a password, otherwise, false. The account note values are configured with the Account details and Resource details. See FAQs for more information.
      • IS_TICKETID_REQD_MANDATORY: TRUE if the ticket ID is required while retrieving a password, otherwise, false. See FAQs for more information.
      • resourceId: Select the previously created custom attribute from the drop-down list. The resource ID is stored in client level custom attributes.
  5. Click Save.
Create Configuration

Create Configuration

ManageEngine PMP configuration

When configuring ManageEngine PMP, create a user account for every user who will use the PMP API. Attach a single endpoint URL for each user to uniquely identify each user account. For example, user@hostname.

To configure:

  1. Log into ManageEngine Password Manager Pro.
  2. From the left pane, click Users.
  3. From the Add User drop-down list, click Add API User.
    Add User

    Add User

  4. Provide a unique login name.
  5. Provide name of Gateway from where the API user will access PMP for password management operations.
  6. Provide a unique Full Name of user. The user is identified with this name externally where the user activities such as reports, audit trails are traced.
  7. Select the appropriate access level for the user. Supported access levels: Administrator, Password Administrator, Privileged Administrator, Password User, Custom Roles
  8. Select one of the following options for Access Scope.
    • Select All Passwords in the system to change an Administrator, Password Administrator, or Privileged Administrator to a Super Administrator. With this scope, the user can access all passwords in PMP without any restriction.
    • Select Passwords Owned and Shared to revert the role of Super Administrator to Administrator or Password Administrator or Privileged Administrator. With this scope, user can access only self-created and shared passwords. Note: Do NOT configure the Public key for SSH CLI access and SSL Certificate for XML-RPC API access fields.
  9. Select Enable Now for REST API.
  10. Click Generate for an API key. The API key is the authentication token for your access.
    • Copy and store the key in a secure location for your future reference. This key is required as an accessToken in OpsRamp configuration.
    • Important: The API key in the user interface appears only once. If you lose the key, you need to regenerate a new one.
  11. Set a validity period for the API key. Select Never Expires if you want the key to be valid forever or select Expires On and set a date to provide a certain validity period for the key.
  12. Provide Department and Location names and then click Save.

The API user account is created in ManageEngine Password Manager Pro. When you launch a remote console, OpsRamp retrieves the password through Gateway. Once the password is received, regular process of launching remote console is achieved.

FAQs

  1. What is the IS_ACCOUNT_NOTES_REQD field in the configuration Properties section?

    • In PMP, a few attributes are associated with Account and afew attributes are associated with Resource. Account Notes is an account attribute that can be used to specify additional information for Account Type or Resource Type while fetching password from PMP. This information is used to identify the resource or account in OpsRamp.
    • If IS_ACCOUNT_NOTES_REQD is set as true, then the notes information appears along with the account name. For example, after installing PMP and setting IS_ACCOUNT_NOTES_REQD as true, the resource name  (Windows_Jump_Box) appears along with user name admin in accounts list.
      Account Details

      Account Details

  2. What is IS_TICKETID_REQD_MANDATORY field in configuration Parameters section? If IS_TICKETID_REQD_MANDATORY is set as true, then the Ticket Id field appears in the launch console pop-up window. This Ticket Id provided in the launch console pop-up window can be used as a reference to know the purpose for fetching an account or password.

OpsRamp process flow for ManageEngine usage

The following is the process flow for how ManageEngine is used.

  1. User launches remote console in OpsRamp.
  2. OpsRamp integration sends command to OpsRamp Gateway to retrieve all accounts of resources.
  3. User account appears on the console.
  4. Based on the selected account, OpsRamp sends command to OpsRamp Gateway to retrieve the password.
  5. Once password is received, regular process of launching remote console is achieved.