Configuration
This section contains parameters for configuring PAM.
System Settings
In this section global system settings are specified. Fine-tuning is performed in the Policies section.
Scheduled jobs
| Option | Description |
|---|---|
| Account checking start time | At this time Axidian Privilege will start checking all active accounts in the Managed state. |
| Resources and accounts syncing start time | At this time Axidian Privilege will start resource information syncing and accounts syncing for resources and domains. |
| Account password reset start time | At this time Axidian Privilege will generate new passwords for accounts. |
| Service connection checking start time | At this time Axidian Privilege will start checking service connection to resources and domains. |
| Session log rotation start time | At this time Axidian Privilege will start session log rotation. |
| Synchronization interval for user groups from the directory | The PAM system updates the list of members of user groups from the directory at a specified interval. |
Video
| Option | Description |
|---|---|
| Video recording codec options | The libx264 codec is used by default with the following settings: libx264 -preset medium -tune zerolatency. |
| Video streaming codec options | The libx264 codec is used by default with the following settings: libx264 -g 10 -tune zerolatency. |
| The duration of the recorded video segment, sec. | You can set the duration at which the video will be saved as an independent segment, the default is 3600 seconds (1 hour). |
Sessions
| Option | Description |
|---|---|
| Gateway connection timeout, sec. | Time after which connection will be closed if gateway isn't responding. Set the value to 0 if you do not want the connection to be interrupted. |
| Time to connect, min. | Time after which the session on the Gateway is closed if the user has not connected to the resource. |
| Legal notice | This text is shown to the user before the session starts. Leave it empty if you do not need it. |
| Maximum amount of sessions per user | Limits the number of concurrent open sessions per user; 0 (the default) means no limit. |
| Notify user about session termination | The user will be notified before the session ends. |
| Notifications threshold | Notification will be shown for the specified time before the session expires. |
| Notification interval | Interval between notifications about expiring session. |
Gateway connections
| Option | Description |
|---|---|
| RDCB address | IP address or DNS name of Remote Desktop Connection Broker |
| RDCB collection name | Remote Desktop Connection Broker collection name for Axidian Privilege Gateway |
| Use RDGW | Check it for connecting to Axidian Privilege Gateway with Remote Desktop Gateway |
| RDGW address | Remote Desktop Gateway address for Axidian Privilege Gateway |
| Gateway RDP file parameters | These parameters are added to the RDP connection settings for Axidian Privilege Gateway and replace the existing ones. |
RDP Proxy
In the RDP Proxy Address field, enter the IP address or DNS name of the server with the RDP Proxy. Specify the port or PAM will use the default port.
Web Proxy
In the Web Proxy Address field, enter the IP address or DNS name of the server with the Web Proxy. Specify the port or PAM will use the default port.
PostgreSQL Proxy
In the PostgreSQL Proxy Address field, enter the IP address or DNS name of the server with the PostgreSQL Proxy. Specify the port or PAM will use the default port.
MSSQL Proxy
In the MSSQL Proxy Address field, enter the IP address or DNS name of the server with the MSSQL Proxy. Specify the port or PAM will use the default port.
SSH connection settings
| Option | Description |
|---|---|
| SSH Proxy address | IP address or DNS name and port (required). Default port: 2222. |
| Authentication of resources using SSH server keys | Selected SSH server key fingerprint adding type. For more information, see the Types of Adding Fingerprints section. |
Web terminal
Activate the Web Terminal using the Enable Web Terminal option.
The Web Terminal allows you to open SSH and RDP sessions in a browser without installing third-party clients. You can open a session via the user's console.
Syslog
The Syslog server is used for integration with a SIEM system and serves as a unified data storage for PAM event records and/or text session logs. Data is updated in real time: during an active remote connection, not after its completion.
To send text logs of sessions, fill in the Syslog server data.
Sending Event log records to the Syslog server is configured via configuration files.
| Option | Description |
|---|---|
| Syslog server | IP address or DNS name of Syslog server |
| Port | Syslog server port |
| Protocol | Network protocol for connection to Syslog server: TCP, UDP |
| Format | Event format used by syslog server: CEF, LEEF |
| | IETF standard of the Syslog protocol: RFC3164, RFC5424 |
User Authentication
This section specifies the global authentication settings. Fine-tuning authentication is configured in the Policies section.
User Blocking
If the user enters the wrong password or OTP several times in a row, their account will be blocked for the specified time.
| Option | Description |
|---|---|
| Number of Attempts | If this value is exceeded, the user will be temporarily blocked. If the value is 0, the blocking does not apply. |
| Blocking Time | Defines the period of time after which the user will be unlocked and will be able to enter the password or OTP again. |
Automatic logout on inactivity
The Inactivity period in MC/UC interface parameter sets the time after which the user and administrator consoles are automatically logged out. The setting does not affect user access to resources.
Automatic logout occurs if the user:
- authenticated in the user and/or administrator console via IDP;
- did not perform any actions in any browser tab during the specified period of inactivity.
Set the inactivity period from 0 to 480 minutes; 0 means automatic logout is disabled.
Background browser operations, such as updating data or checking system status, are not considered user actions.
SSH Key Authentication
If the Allow users to connect to SSH Proxy using SSH keys option is enabled, users can connect to SSH Proxy without passwords using SSH keys added to Axidian PAM. The requirement to enter OTP remains. If this option is disabled, users can only authenticate using a password.
Session opening without re-authentication
This setting allows you to disable re-authentication when running RDP, SSH, and SQL sessions. A code is added to the connection string or RDP file, which is used to authenticate the user without requesting a password or a second authentication factor. The code is valid only once and for a limited time.
For Web Proxy, this setting does not apply: a code is always used.
How to set the number of authentication codes?
The number of codes is set in the configuration file of the Axidian Privilege IdP component:
- Windows OS: C:\inetpub\wwwroot\idp\appsettings.json
- Linux OS: /etc/axidian/axidian-privilege/idp/appsettings.json
Set the MaxAuthCodesPerUser parameter to a value from 1 to 100 (fragment of the file; other keys are omitted):

```json
{
  "DirectoryMechanism": "Ldap",
  "Authentication": "Local",
  "UseDeveloperSigningCredential": false,
  "MaxAuthCodesPerUser": 100,
  "QaToolClientSecret": "secret"
}
```
| Option | Description |
|---|---|
| Allow session opening without re-authentication | If this option is enabled, a one-time authentication code is added to the connection string or RDP file. |
| Authentication code lifetime | Determines the validity period of the authentication code. If you start a session with an expired code, the user will need to enter a password and a second authentication factor. Default value: 60 seconds. Minimum value: 5 seconds. Maximum value: 300 seconds. |
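The following is an added example, not code from Axidian Privilege or its documentation. It applies the MaxAuthCodesPerUser value to the text of appsettings.json while enforcing the documented range of 1 to 100 and leaving every other key untouched, and it reviews the fragment for two things a practitioner would check before the IdP goes live: an out-of-range code count and a developer signing credential left enabled (the second rule is this example's own, inferred from the key name; the key names themselves come from the fragment above). The sample file content is constructed to mirror that fragment.

```javascript
// Added example, not part of the Axidian Privilege product or its documentation.
// Applies MaxAuthCodesPerUser to the text of the IdP appsettings.json, enforcing
// the documented 1..100 range and keeping every other key as it was, so that a
// mistyped value never reaches the IdP.

const MIN_AUTH_CODES = 1;
const MAX_AUTH_CODES = 100;

// Returns the updated file text; throws if the value or the file is unusable.
function setMaxAuthCodes(jsonText, count) {
  if (!Number.isInteger(count) || count < MIN_AUTH_CODES || count > MAX_AUTH_CODES) {
    throw new RangeError(
      `MaxAuthCodesPerUser must be an integer from ${MIN_AUTH_CODES} to ${MAX_AUTH_CODES}, got ${count}`
    );
  }
  const settings = JSON.parse(jsonText);
  if (settings === null || typeof settings !== "object" || Array.isArray(settings)) {
    throw new TypeError("appsettings.json must contain a single JSON object");
  }
  settings.MaxAuthCodesPerUser = count;
  return JSON.stringify(settings, null, 2) + "\n";
}

// Review helper: lists settings that deserve a second look. The key names come
// from the fragment shown on this page; treating an enabled developer signing
// credential as a finding is this example's own rule, not a documented one.
function reviewAppSettings(jsonText) {
  const settings = JSON.parse(jsonText);
  const findings = [];
  const codes = settings.MaxAuthCodesPerUser;
  if (!Number.isInteger(codes) || codes < MIN_AUTH_CODES || codes > MAX_AUTH_CODES) {
    findings.push(`MaxAuthCodesPerUser is ${codes}; allowed range is ${MIN_AUTH_CODES}..${MAX_AUTH_CODES}`);
  }
  if (settings.UseDeveloperSigningCredential === true) {
    findings.push("UseDeveloperSigningCredential is true; use a production signing credential");
  }
  return findings;
}

// Constructed sample mirroring the fragment shown in the documentation.
const SAMPLE_APPSETTINGS = JSON.stringify({
  DirectoryMechanism: "Ldap",
  Authentication: "Local",
  UseDeveloperSigningCredential: false,
  MaxAuthCodesPerUser: 100,
  QaToolClientSecret: "secret",
}, null, 2);

// Stand-alone run: lower the per-user code count to 5 and print the result.
console.log(setMaxAuthCodes(SAMPLE_APPSETTINGS, 5));
console.log("findings:", reviewAppSettings(SAMPLE_APPSETTINGS));
```

To apply it to a real installation, read the file for your OS (the Windows and Linux paths listed above) with fs.readFileSync, pass the text through setMaxAuthCodes, and write the result back with fs.writeFileSync after keeping a backup copy; the IdP only sees the new value after the file has been rewritten and the service reloaded.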
Password Requirements for Internal Users
| Option | Description |
|---|---|
| Password Validity Period | Minimum value: 0—no restrictions. Default value: 45 days. Maximum value: 999 days. |
| Minimum password length | Minimum value: 4 characters. Default value: 8 characters. Maximum value: 255 characters. |
| Lowercase letters | If the option is enabled, the password must contain at least one lowercase Latin letter. |
| Uppercase letters | If the option is enabled, the password must contain at least one Latin capital letter. |
| Digits | If the option is enabled, the password must contain at least one digit 0–9. |
| Special characters | If the option is enabled, the password must contain at least one special character from the list: `~!@#$%^&*()_-+={}\|[] \:;"'<>,.?/` |
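As an added illustration of what the settings in this table enforce (example code, not part of Axidian Privilege), the function below checks a candidate password against a policy object whose fields mirror the table: the minimum length and the four character-class toggles. The special-character set is the one listed in the table; the policy defaults are assumptions that follow the documented default of 8 characters with all classes enabled.

```javascript
// Added example, not part of the Axidian Privilege product: evaluates a
// candidate internal-user password against the requirement set in the table.

// The special-character set exactly as listed in the documentation
// (it includes a space and a backslash).
const SPECIAL_CHARACTERS = "~!@#$%^&*()_-+={}|[] \\:;\"'<>,.?/";

// Policy fields mirror the settings page; these defaults are an assumption
// based on the documented default length of 8 with every class enabled.
const DEFAULT_POLICY = {
  minLength: 8,     // documented default; the setting itself accepts 4..255
  lowercase: true,  // at least one a-z
  uppercase: true,  // at least one A-Z
  digits: true,     // at least one 0-9
  special: true,    // at least one character from SPECIAL_CHARACTERS
};

// Rejects a policy whose minimum length is outside the range the setting accepts.
function validatePolicy(policy) {
  if (!Number.isInteger(policy.minLength) || policy.minLength < 4 || policy.minLength > 255) {
    throw new RangeError(`minLength must be an integer from 4 to 255, got ${policy.minLength}`);
  }
  return policy;
}

// Returns { ok, failures } so the caller can report every unmet rule at once
// instead of stopping at the first one.
function checkPassword(password, policy = DEFAULT_POLICY) {
  validatePolicy(policy);
  const failures = [];
  if (password.length < policy.minLength) {
    failures.push(`shorter than ${policy.minLength} characters`);
  }
  if (policy.lowercase && !/[a-z]/.test(password)) failures.push("no lowercase Latin letter");
  if (policy.uppercase && !/[A-Z]/.test(password)) failures.push("no uppercase Latin letter");
  if (policy.digits && !/[0-9]/.test(password)) failures.push("no digit 0-9");
  if (policy.special && ![...password].some((c) => SPECIAL_CHARACTERS.includes(c))) {
    failures.push("no special character from the allowed list");
  }
  return { ok: failures.length === 0, failures };
}

// Stand-alone run with two constructed candidates.
console.log(checkPassword("Tr0ub4dor&x"));
console.log(checkPassword("password"));
```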
User Connection
Manage User Connections privileges are required to work with user connections (UserConnectionType.Create, UserConnectionType.Read, UserConnectionType.Update, UserConnectionType.Delete).
Axidian Privilege has the following built-in user connection types:
- RDP
- SSH
- Telnet
- PostgreSQL
- MSSQL
- Web
Built-in types cannot be changed or deleted.
It is also possible to add custom user connection types.
Adding Custom User Connection Types
Add your custom type of user connection and open sessions in the browser without using third-party applications.
The steps differ for the two custom types, Web application and Windows application.
Web application
- Go to the Configuration → User Connection section.
- Click Add.
- Enter a name of the user connection.
- Set the login format or leave the default value.
- Select the Web Application type and click Next.
- Select Session opening method:
  - In browser — the session will open in a new browser tab. Access is provided via Web Access Server.
  - Via RDP — the session will open via a downloaded RDP file. Select a browser and enable the Run browser in kiosk mode option. Access is provided via RDS Access Server by publishing the selected browser.
- Click Next.
- Configure the Auto-fill user credentials (SSO) option. This option allows automatic filling of the login and password on the target resource using privileged account data. After enabling the option, download the SSO template in JSON format for connecting via the browser, and in XML format for the RDP file.
- Click Create.
Windows application
To add a new connection type, you need to research the client application and develop a template for Axidian Privilege ESSO Agent. The new connection type is unique for each application; for development, please contact Technical Support.
- Go to the Configuration → User Connection section.
- Click Add.
- Enter a name of the user connection.
- Set the login format or leave the default value.
- Select the Windows Application type and click Next.
- In the Path to executable file field, specify the path to the Windows application.
- In the Command line arguments field, enter the required arguments and click Next.
- Configure the Auto-fill user credentials (SSO) option. This option allows automatic filling of the login and password on the target resource using privileged account data. After enabling the option, download the SSO template in XML format.
- Click Create.
Auto-fill user credentials (SSO)
SSO (Single Sign-On) is a method that allows users to authenticate to multiple web resources with a single set of credentials. To fill in the credentials automatically, create an SSO template file with the login form data.
To connect to a user using the browser session opening method, download the SSO template in JSON format, and to connect via RDP, download it in XML format. To configure the SSO template in XML format, contact technical support.
An example of an SSO template is located in the PAM distribution package \axidian-pam-tools\sso-templates folder.
The credentials for authentication on the web resource must match the data of the privileged account.
```json
{
  "username-field": "input[id='login']",
  "password-field": "input[id='password']",
  "submit": "button[type='submit']",
  "cannot-submit": "div[class='v-messages__message']"
}
```
To automatically authenticate to a web resource, replace the CSS selector values with those of the target login form:
- username-field — account login, for example: "input[data-marker='login-form/login/input']"
- password-field — account password, for example: "input[type='password']"
- submit — login button, for example: "button[data-marker='login-form/login-button']"
- cannot-submit — authentication error, for example: "div[data-marker='login-form/error']"
Launch the web resource in a browser and navigate to the authentication page. Open DevTools and switch to the Elements panel. Find the desired CSS selector and insert the value into the SSO template.
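The check a practitioner wants at this step is that every selector copied from DevTools resolves to exactly one element on the login page; a selector that matches nothing, or matches several elements, means the SSO agent will fill the wrong field or none. The snippet below is an added example, not part of the Axidian Privilege distribution or its sso-templates folder. It takes a template object and any object exposing querySelectorAll (the page's document in a browser; a constructed stub here so it also runs outside one) and lists the problems found. The required and optional key sets, and the stub, are this example's assumptions; the template is the one shown above.

```javascript
// Added example, not part of Axidian Privilege: verify that each selector in an
// SSO template resolves to exactly one element before saving the template.
// In a browser, paste this into the DevTools console of the target login page
// and call checkSsoTemplate(template, document).

// Assumed key sets. "cannot-submit" is optional because it only matters for
// detecting a failed login and is not expected to match before one happens.
const REQUIRED_KEYS = ["username-field", "password-field", "submit"];
const OPTIONAL_KEYS = ["cannot-submit"];

// Returns an array of problem strings; an empty array means the template is
// usable on the page represented by `root`.
function checkSsoTemplate(template, root) {
  const problems = [];
  for (const key of REQUIRED_KEYS) {
    if (typeof template[key] !== "string" || template[key].trim() === "") {
      problems.push(`${key}: missing selector`);
    }
  }
  for (const key of [...REQUIRED_KEYS, ...OPTIONAL_KEYS]) {
    const selector = template[key];
    if (typeof selector !== "string" || selector.trim() === "") continue;
    let matches;
    try {
      // A real DOM throws a SyntaxError on a malformed selector.
      matches = root.querySelectorAll(selector);
    } catch (err) {
      problems.push(`${key}: invalid selector "${selector}"`);
      continue;
    }
    if (key === "cannot-submit") continue; // error box is absent until login fails
    if (matches.length === 0) {
      problems.push(`${key}: "${selector}" matches no element`);
    } else if (matches.length > 1) {
      problems.push(`${key}: "${selector}" matches ${matches.length} elements, expected exactly one`);
    }
  }
  return problems;
}

// Constructed stand-in for `document`: maps a selector to the number of
// elements it would match on a made-up login page.
function stubRoot(counts) {
  return {
    querySelectorAll(selector) {
      return { length: counts[selector] ?? 0 };
    },
  };
}

// The template shown on this page.
const PAGE_TEMPLATE = {
  "username-field": "input[id='login']",
  "password-field": "input[id='password']",
  "submit": "button[type='submit']",
  "cannot-submit": "div[class='v-messages__message']",
};

// Constructed page with one login field, one password field and two submit buttons,
// so the submit selector is ambiguous and gets reported.
const SAMPLE_ROOT = stubRoot({
  "input[id='login']": 1,
  "input[id='password']": 1,
  "button[type='submit']": 2,
});

// Stand-alone run: uses the real document in a browser, the stub elsewhere.
const rootToCheck = typeof document !== "undefined" ? document : SAMPLE_ROOT;
console.log(checkSsoTemplate(PAGE_TEMPLATE, rootToCheck));
```

Selectors built on stable attributes (a field's name, type, or a data-marker attribute as in the examples above) survive page redesigns better than ones built on generated class names, so prefer them when several candidates match exactly one element.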
Service Connection
Manage Service Connection Types privileges are required to work with service connections (ServiceConnectionType.Create, ServiceConnectionType.Read, ServiceConnectionType.Update, ServiceConnectionType.Delete).
Axidian Privilege has the following built-in service connection types:
- Windows
- SSH
- Microsoft SQL Server
- MySQL
- PostgreSQL
- Oracle Database
- Cisco IOS
- Inspur BMC
Built-in types cannot be changed or deleted.
It is also possible to add custom service connection types.
Adding Custom Service Connection Types
If the management server of your PAM installation runs on a Windows host, you can only add connectors with a PowerShell template.
If the management server of your PAM installation runs on a Linux host, you can only add connectors with a bash template.
- Open the Configuration → Service Connection section.
- Click Add Service Connection Type.
- In the window that opens, upload the ZIP archive with the connector file.
- Specify the Name of the service connection or use the value loaded from the metadata.
- Enter the Description of the service connection. Optional.
- Finish operation by clicking Add.
Connectors preparation
To prepare a ZIP archive with the connector file, use the Connector Creation Tool.
Editing Custom Service Connection Types
You can either upload a new connector or edit the name or description.
Upload new connector
- Open the Configuration → Service Connection section.
- Click Edit next to the desired service connection type.
- Click Download archive and select a folder on your computer to save the current ZIP archive with the connector file. This archive will be needed to restore the previous state of the service connection if an error occurs when loading a new archive.
- Upload a new ZIP archive with the connector file.
- If necessary, edit Name and/or Description.
- Finish editing by clicking Save.
Edit name or description
- Open the Configuration → Service Connection section.
- Click Edit next to the desired service connection type.
- Edit Name and/or Description.
- Finish editing by clicking Save.
Connector Script Code Viewing
- Open the Configuration → Service Connection section.
- Click Show script code next to the desired service connection type.
Custom Connection Types Deleting
- Open the Configuration → Service Connection section.
- Click Delete next to the desired service connection type.
A service connection type cannot be deleted if a resource with that type exists.
Uploading the SSH Connector Template
The service operations template is unique for each \*nix distribution. The PAM distribution includes templates for the \*nix distributions listed below. Path to the templates in the PAM distribution: AxidianPAM_3.3\axidian-pam-tools\ssh-templates\.
SSH connector templates included in Axidian Privilege distribution
- CentOS
- Debian
- FreeBSD
- Gentoo
- Oracle
- RHEL
- Rocky
- SLES
- Ubuntu
To add a template to Axidian Privilege:
- Open the Configuration → Service Connection section.
- Inside the SSH block, click Add.
- Select the file with the SSH connector template you need from the distribution by path AxidianPAM_3.3\axidian-pam-tools\ssh-templates\.
If you need help with development of the new template, please contact Technical Support.
Network Location
This section describes how to add network locations, which restrict the use of issued resource permissions to specific network addresses.
To add a network location:
- Click Add.
- Enter a Name.
- Add the Network addresses of the resources to which you want to issue a limited connection.
Tags
This section displays all the tags that have been created. By default, tags are sorted alphabetically in ascending order. To sort them in reverse order, click the Tags column header.
To create a tag:
- Click Create.
- Enter tag Name. It can contain from 2 to 50 characters and can consist only of Latin and Cyrillic letters, numbers and special characters. The tag name must be unique regardless of case. For example, if you already have an "important" tag, you won't be able to create an "IMPORTANT" tag.
- Select a color.
- Leave the Display tag in user console (UC) option enabled. If you disable this option, only PAM administrators will be able to use the tag in management console.
- Finish adding by clicking Save.
To find the tag:
- Specify the tag name in the search bar in whole or in part. In PAM installations with a PostgreSQL database, the search is case-sensitive. For example, if you have an "important" tag, it won't appear when you type "IMPORTANT". In PAM installations with a Microsoft SQL database, the search is case-insensitive, that is, the tag will be displayed whether you enter its name in uppercase or lowercase letters.
- Press ENTER or click the search (magnifying glass) icon.
To edit the tag:
- Select the tag from the list.
- Click Edit.
- Make the changes. It is possible to change the tag name, color and visibility of the tag in the user console.
- Finish editing by clicking Save.
To remove one or more tags:
- Select one or more tags from the list.
- Click Remove.
- In the pop-up window, click Remove.
When a tag is removed from PAM, it is also removed from all resources to which it was applied.
Monitoring
Axidian Privilege automatically detects unused permissions. An administrator can revoke such permissions to minimize redundant privileges.
The Consider permission unused if it has not been used for more than parameter sets the number of days of inactivity after which a permission is considered unused.
The following actions are considered to be the use of the permission:
- successful start of the session;
- viewing or changing credentials;
- checking the permission to use pamsu.
Licenses
This section displays data on registered, available, and used licenses. For more information about licenses, see the section Licensing.
Getting
- Open the Configuration → Licenses section.
- Copy the value from the Installation ID field.
- Send this value to technical support and ask them to generate a license file.
- Wait for a response from technical support with a license file in the PAM_yyyy.mm.dd.lic format.
Adding
- Open the Configuration → Licenses section.
- Click Add and select a license file.
Removing
- Open the Configuration → Licenses section.
- Select one or more licenses and click Remove.