Multiple application credentials for checkout

We have PAM 3.2 installed and are currently configuring it. How does one manage multiple credentials for a single application? For example, the Microfocus Filr application has an admin account accessed via http://<host>:8443 and a vaadmin account accessed via http://<host>:9443. Should I create separate account domains for each in the Credential Vault or one account domain with multiple credentials?

If the latter (one account domain with multiple credentials), how do I do this? Consider the following account domain with two credentials:

If I connect to https://<fmconsole>/myaccess and click on the Applications Tab and checkout Application_Filr, I see the following:

Notice that even though there are two credentials in the first image, only the second is shown when the credential is checked out. If I add more credentials, only the last is displayed, not all the credentials added for the particular applications domain. Is this how things are supposed to work? Page 210 of the admin guide has a section titled "Adding Shared Account Credentials in the Account Domain" which seems to indicate that all credentials should be made available when checked out, not just the last entered. Is this a bug?
  • achinayoung,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    These forums are peer-to-peer, best effort, volunteer run and that if your issue
    is urgent or not getting a response, you might try one of the following options:

    - Visit and search the knowledgebase and/or check
    all the other self support options and support programs available.
    - Open a service request:
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (
    - You might consider hiring a local partner to assist you.

    Be sure to read the forum FAQ about what to expect in the way of responses:

    Sometimes this automatic posting will alert someone that can respond.

    If this is a reply to a duplicate posting or otherwise posted in error, please
    ignore and accept our apologies and rest assured we will issue a stern reprimand
    to our posting bot.

    Good luck!

    Your Micro Focus Forums Team

  • 1. At a time a user can checkout one account only from an AccountDomain.
    2. Please note that the admin account needs to be set as the default credential on your accountDomain 'Application_filr'. This admin account would be used to reset the password of the checkout user, in your case vaadmin, once you checkin the account.
    3. You can add multiple credentials to the domain. The ones that are not checked-out will be available for other users to checkout and use.
  • Ok. The Microfocus Filr application has a separate "admin" password for the Filr server on port 8443 and a separate "vaadmin" password for the Filr server on port 9443. What is the best way to store this and make available to admins in PAM?

    And what about UNIX root passwords or local Windows Administrator passwords? How should these be added to PAM?
  • Since an admin will need specific access to each credential and the types of these admin accounts are used for different purposes (:8443 vs :9443), then I think it would make sense to create separate Account Domains, one for each service. Do you plan to do any Password Reset script for this? I am not sure if a Credential is required to be set or not, but if one is selected, then that credential will never be allowed for checkout, as it is reserved for checkin purposes and password reset. So if you did configure some Password Reset script, you would need at least two credentials for each account domain, one that is checked out and another that is reserved by PAM as a "proxy" user to checkin and reset the password. If you do happen to create a password reset script for Filr, please do share! ;)