fartyalvikram

Protecting Privileged Account Manager using Access Manager

I want to protect the Privileged Account Manager URLs below:
https://xxx.xxx.x.xxx/
https://xxx.xxx.x.xxx/myaccess

For this I followed the URL below:
https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/b19nyji5.html

I created a policy for injecting headers as per the screen below.

But when I try to log in, I am redirected to the Privileged Account Manager login page, and the username and password are the same ones I use to log into Privileged Account Manager at both URLs.

I am using Privileged Account Manager v3.2 and Access Manager v4.4 Appliance.
Knowledge Partner

Re: Protecting Privileged Account Manager using Access Manager

Try setting the second header name to be all upper-case, just like the
username header. Case matters, and I see that the documentation is
inconsistent in that regard, so I have already reported that to Micro
Focus. In the meantime, see if correcting yours will let the system work
as it should.

Otherwise, we probably need to get logs from PAM/PUM on what it is seeing
as you try to authenticate.

As a final note, once this is set up I believe it will allow anybody with
access to the protected resource to be able to SSO into PAM/PUM as the
admin user; be sure you set an appropriate authorization policy for this
protected resource so that not just anybody who can reach an Access
Gateway (AG) can get into PUM by happening to know the right URI.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
fartyalvikram

Re: Protecting Privileged Account Manager using Access Manager

The logs below are generated when I try to log into PAM using the NAM reverse proxy DNS name for PAM.
The log file is /opt/netiq/npum/logs/unifid.log, and these logs are generated when I hit the https://xxx.xxx.x.xxx/ URL.
192.168.1.197 is the IP of Access Manager.
Wed Dec 20 12:33:14 2017, 205, 515340032, 2287, Info, https GET / client:192.168.1.197 rc:0 status:304(Not Modified) (5ms)
Wed Dec 20 12:33:15 2017, 215, 531130112, 2287, Info, registry getLicense client:localhost rc:0 status:0 (2ms)
Wed Dec 20 12:33:15 2017, 552, 515340032, 2287, Info, https GET / client:192.168.1.197 rc:0 status:200(OK) (566ms)
Wed Dec 20 12:33:15 2017, 555, 531130112, 2287, Info, admin checkEULA client:localhost rc:0 status:0 (1ms)
Wed Dec 20 12:33:15 2017, 677, 531130112, 2287, Info, https GET / client:192.168.1.197 rc:0 status:200(OK) (83ms)
Wed Dec 20 12:33:15 2017, 879, 515340032, 2287, Info, registry getLicense client:localhost rc:0 status:0 (2ms)
Wed Dec 20 12:33:15 2017, 998, 531130112, 2287, Info, registry getLicense client:localhost rc:0 status:0 (4ms)
Wed Dec 20 12:33:16 2017, 364, 4160747264, 2287, Info, admin checkEULA client:localhost rc:0 status:0 (1ms)
Wed Dec 20 12:33:16 2017, 455, 4160747264, 2287, Info, admin checkEULA client:localhost rc:0 status:0 (1ms)


And when I hit the https://xxx.xxx.x.xxx/myaccess URL, the logs below are generated in the /opt/netiq/npum/logs/unifid.log file:
Wed Dec 20 12:50:01 2017, 495, 4159694592, 2287, Info, https GET /myaccess client:192.168.1.197 rc:0 status:301(Moved Permanently) (5ms)
Wed Dec 20 12:50:01 2017, 557, 4159694592, 2287, Info, https GET /myaccess/ client:192.168.1.197 rc:0 status:304(Not Modified) (4ms)
Wed Dec 20 12:50:02 2017, 671, 513234688, 2287, Error, Invalid authentication token signature
Wed Dec 20 12:50:02 2017, 673, 513234688, 2287, Info, cmdctrl viewAlerts client:localhost rc:0 status:0 (2ms)
Wed Dec 20 12:50:02 2017, 844, 4159694592, 2287, Info, https GET /myaccess/ client:192.168.1.197 rc:0 status:200(OK) (390ms)
Wed Dec 20 12:50:03 2017, 91, 4159694592, 2287, Error, Invalid authentication token signature
Wed Dec 20 12:50:03 2017, 93, 4159694592, 2287, Info, cmdctrl viewAlerts client:localhost rc:0 status:0 (2ms)


And my reverse proxy settings for PAM are given below. I also changed the headers to uppercase, X_PAM_ADMIN and X_PAM_PASSWD, but it is still not working.
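A small added check for the log excerpt above (example code written for this thread, not NetIQ's or the poster's own): it parses unifid.log lines in the field layout seen in the posted lines (that layout is an assumption), counts requests from the Access Manager IP, counts the "Invalid authentication token signature" errors, and lists proxied requests that arrived without the sso=1 query string that the thread later finds to be required. The sample lines are constructed from the posted format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the unifid.log format quoted in the thread (not real logs)
SAMPLE_LOG = """\
Wed Dec 20 12:50:01 2017, 495, 4159694592, 2287, Info, https GET /myaccess client:192.168.1.197 rc:0 status:301(Moved Permanently) (5ms)
Wed Dec 20 12:50:02 2017, 671, 513234688, 2287, Error, Invalid authentication token signature
Wed Dec 20 12:50:02 2017, 673, 513234688, 2287, Info, cmdctrl viewAlerts client:localhost rc:0 status:0 (2ms)
Wed Dec 20 12:50:02 2017, 844, 4159694592, 2287, Info, https GET /myaccess/ client:192.168.1.197 rc:0 status:200(OK) (390ms)
Wed Dec 20 12:50:03 2017, 91, 4159694592, 2287, Error, Invalid authentication token signature
Wed Dec 20 12:55:10 2017, 12, 4159694592, 2287, Info, https GET /myaccess/index.htm?sso=1 client:192.168.1.197 rc:0 status:200(OK) (40ms)
"""

# Field layout assumed from the posted lines: timestamp, ms, thread id, pid, level, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}), (?P<ms>\d+), (?P<thread>\d+), "
    r"(?P<pid>\d+), (?P<level>\w+), (?P<msg>.*)$"
)
# HTTP request messages: "https GET /path client:IP rc:N status:NNN(...)"
REQ_RE = re.compile(
    r"^https (?P<method>[A-Z]+) (?P<url>\S+) client:(?P<client>\S+) "
    r"rc:(?P<rc>\d+) status:(?P<status>\d+)"
)


def parse_line(line):
    """Split one unifid.log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text, proxy_ip):
    """Count proxied requests, token-signature errors, and proxied requests lacking sso=1."""
    out = {"proxy_requests": 0, "token_errors": 0, "missing_sso": [], "status": Counter()}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "Error" and "authentication token" in rec["msg"]:
            out["token_errors"] += 1
            continue
        req = REQ_RE.match(rec["msg"])
        if not req or req["client"] != proxy_ip:
            continue  # only requests arriving through the Access Gateway matter here
        out["proxy_requests"] += 1
        out["status"][req["status"]] += 1
        parts = urlsplit(req["url"])
        if parse_qs(parts.query).get("sso") != ["1"]:
            out["missing_sso"].append(parts.path)
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.168.1.197"))
```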
fartyalvikram

Re: Protecting Privileged Account Manager using Access Manager

It's working when I hit the URLs below:
For Admin Console: https://pam.demo.local/?sso=1
For My Access: https://pam.demo.local/myaccess/index.htm?sso=1

But can you please explain to me why it works like this, i.e. why we need to add /?sso=1 and /index.htm?sso=1 to my actual URL?
And what do I have to do if I want to access the Admin Console and My Access of PAM using the actual URLs like below?
For Admin Console: https://pam.demo.local/
For My Access: https://pam.demo.local/myaccess/
Knowledge Partner

Re: Protecting Privileged Account Manager using Access Manager

On 12/20/2017 06:24 AM, fartyalvikram wrote:
>
> Its working when I hit the below URL
> For Admin Console : https://pam.demo.local/?sso=1
> For My Access : https://pam.demo.local/myaccess/index.htm?sso=1


Yes, the documentation states that you need to add that query string on
the end, presumably to tell PUM/PAM that you are using SSO and therefore
to accept the HTTP headers as credentials.

> But can you please explain me why its working like this, why we need to
> add */?sso=1* and */index.htm?sso=1* with my actual URL.


I do not know why PAM/PUM wants that, but you could probably ask an
account representative that type of question. This may be to get past
something like cross-site hacking attempts, by ignoring a nonce set on the
regular login form (if it has one), or to just read the HTTP headers
rather than an alternate method of getting credentials from a user (which, if
injected without the user meaning to, could be an attack on their account).

> And what should I have to do if I want to access these Admin Console and
> My Access of PAM using actual URL like below
> For Admin Console : https://pam.demo.local/
> For My Access : https://pam.demo.local/myaccess/


Is there a particular reason you would want to do that despite the
documentation saying not to? If you check with Micro Focus they may have
a way of having PAM/PUM always treat queries as if the sso setting is
present, or you may be able to use NAM to rewrite requests to add that if
it is ever missing. The easiest thing is probably just to bookmark the
correct URI and go to it from the start.

fartyalvikram

Re: Protecting Privileged Account Manager using Access Manager

We are protecting these PAM URLs for the client, and they don't want to use any query string in the URL. That's why I have to do something so they can access the PAM protected URLs without adding any query string.
Can you please guide me on how to overcome this situation using a NAM rewrite policy, as you suggested, or any other solution?