Registering Credentials
The credential can be registered via the shortcut in the quick actions menu, or through the Credentials ➔ All report.
Credential Information
To register a credential it is mandatory to fill in the fields Username , Password type and Device .
At the information tab we have the following fields:
Username: It is the credential username, that also will be used for the sessions authentication, must match the credential on the remote system;
Password type: Enable admin to categorize credentials type, which is used to segregate users to permissions using Access Group.
You can register a new Password type through the Settings ➔ Credentials ➔ Credential types menu; The Domain user type enables proxy use of the credential on other devices. But it is necessary to inform the domain in the field Domain ;
Domain: Select which domain this credential belongs to, it can be used to start sessions in other devices from the same domain, that is not the one attached in the Device field;
Device: The device that holds the credential, allowing to start sessions in this device;
Additional information: Can be used to complements the use of the credential on the target device, in the case of database connections, the name of the database must be populated in this field; This field is available also for use in automated password exchange, RemoteApp macros, and database connections;
Status: Flag whether the credential is active for use or not;
Password: Credential password up to 256 characters; If automated password change is configured, this limit will be reduced to 70 characters to prevent character repetition;
Set current password: Indicative that the user wants to change the value of the password that is already registered in senhasegura. For new registrations, allows the editing of the password;
Show password: Display the password plaintext during editing;
Generate password: Will generate a random password respecting the password strength described in the Password policy;
Tags: Identifiers for credential segregation;
An informational box for password policies should be considered when creating the password for your credential, thus ensuring that you make a more secure password.
Password policy will ensure:
- will NOT contain the username
- will NOT be present in the password dictionary
- It will be UNIQUE for each credential
Note that there is a section named Password policy from this setting senhasegura determines how the password will be generated and used in automated exchanges.
Execution settings
The Execution settings tab contains the configuration to the credential automated password change procedure.
Parent credential: When selecting a credential to be Parent this credential will always change it is own password to match the Parent password. It works as a password change chain, where the change of a parent credential initiates the process of all its child credentials passwords.
The existence of a parent credential does not prevent the child credential from being changed manually or automatically;
Credential automatic password change settings
Enable automatic change: Flag to enable automatic credential change using Password policy rules;
Change plugin: The plugin will be used by senhasegura to connect and run the commands into the device to perform the password change.
Change template: Here is an Execution Template that will be executed by the executor plugin.
senhasegura is installed with many templates out-of-the-box. Inside senhasegura PAM Solution our clients and partners also can be updated with more templates developed by the senhasegura team and partners community.
Authentication settings
Use own credential to connect: Flag whether the credential itself should be used to connect to the device to perform the password change;
Authentication credential: If the credential itself is not used to perform the automated change, you must indicate which credential will be used to connect to the device; Being possible to use a credential to start sessions to the device and still use a target credential to perform the password change.
Reconciling Credentials
On this screen, on the Execution Settings tab, the user will be able to configure the settings for changing the credential password, both for the authentication credential and to define the plugin, template and the credential that they want to use to perform the reconciliation .
The Credential password change settings and the Reconciliation credential settings are independent of each other, so even if the checkbox that activates automatic change is not selected, the user can activate the functionality or not of the reconciliation credential.
Status: Mandatory parameter, inactive by default.
- **Inactive:** the option to select the reconciliation credential is blocked.
- **Active:** the user is allowed to select the desired credential.
The credential indicates which password the system will use to authenticate itself and the template determines which commands will be executed at the time of reconciliation Therefore the user always needs to select a template and authentication credential combination.
If the credential password change took place outside the vault, you can perform reconciliation for credentials that have the configured reconciliation credential.
The Reconcile credential action is available in Executions -> List operations this credential reconciliation action can be performed for credentials there was an authentication error and you have a reconciliation credential registered.
Session settings
At this tab you can configure the usage of this credential at proxy sessions.
Connectivity
You can select which protocols this credential can be used. Only the selected connectivities will be available for the user to start a session with this credential.
Remote application settings
Use Remote application settings when credential might need to be used in applications installed in devices.
Restrict access to remote application only: If active, the credential can only be used for RemoteApp proxy sessions. You cannot use a proxy session that delivers the desktop or terminal of the device. This does not prevent password withdrawal;
Automation macro RemoteApp (grid): You can relate which RemoteApp macros are linked to the credential and available to proxy users;
Use own credential to connect: Flag the same credential will be used to authenticate to the target device and RemoteApp;
Authentication credential: If the authentication credential on the device is different from the RemoteApp credential, indicate which credential will be used in the authentication step;
Authentication device: The device where the credential will be authenticated and the macro will run. If filled, the original credential device we are registering will be ignored;
Now senhasegura will process the access groups that allow the viewing of the credential and make available to users. Every stage of registration is reported by SIEM. If a manual password change occurs, the child credentials won't be notified.
Additional settings
In the Additional settings you can set the following:
Identifiers (for web services): Alias to identify the credential when triggered via A2A web services;
User credential owner -: You can define a senhasegura user owner of the credential. When determined, only the owner user will always have access to the credential and can make changes to it;
Use Notifications to alert the user owner if some administrator change the credential owner, it also possible to check any change in Reports ➔ Traceability ➔ Credential.
Server path: Path that is used in password exchange templates when the credential is registered into a physical file;
Additional authentication fields (grid): Additional fields for authentication on websites. Some sites require a lot of additional information to complete the login steps. You can give an alias to the values to complement the web authentication script;
Notes: General credential Notes;
Criticality: Set the criticality of the credential by choosing one of the following options: High, Medium, or Low, this will affect the Behavior functionality.
Other Information
The limit of Credentials to be registered in senhasegura depends on the licensing contracted. Contact the senhasegura Support for more information.