Securden Unified PAM

Unified PAM FAQs

This page outlines product troubleshooting tips and frequently asked questions on Securden Unified PAM. Should you need further technical assistance, feel free to write to support@securden.com.

Frequently Asked Questions

Does Securden provide release notes for each released version, and if so, are these release notes made available through your website?

Yes. Securden provides comprehensive release notes for each new version upgrade on product releases. We follow this practice diligently to keep customers well-informed at every stage, aligning with NERC CIP compliance. The release notes are labeled category-wise as product enhancement, new features, security fixes, and bug fixes for easy reference. Customers can access these release notes from the website. Also, the release notes are sent to customers via email.

How to configure time delays during remote sessions over custom application launcher?

Securden facilitates launching connections with remote IT assets and applications. If the launched application needs time before the data can be filled in, navigate to Admin >> Remote Connections >> Custom Application Launcher and add a time delay (measured in milliseconds) for Securden to wait before filling the data.

How to add SSL certificate to the Securden server?

You can upload your SSL certificate to the Securden server by following the instructions below.

  • Step 1: Download OpenSSL (if you don't already have it installed) from http://www.slproweb.com/products/Win32OpenSSL.html. Ensure the 'bin' folder under the OpenSSL installation is included in the 'PATH' environment variable.
  • Step 2: Copy your certificate (e.g. certificate.pfx) to the system on which you can run the OpenSSL executable. The *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  • Step 3: Run the following commands to export the private key:
        openssl pkcs12 -in certificate.pfx -nocerts -out securden-key.pem -nodes
        openssl rsa -in securden-key.pem -out securden-key.pem
  • Step 4: Run the following command to export the certificate:
        openssl pkcs12 -in certificate.pfx -nokeys -out securden-cert.pem
    Once you execute the above steps, you will have an SSL certificate and a private key.
  • Step 5: Copy the certificate and private key created above, navigate to the /conf directory, and paste them there.
  • Step 6: In services.msc, restart Securden Vault Service. This replaces the self-signed certificate with your certificate.
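A check to run between Step 5 and Step 6, as an added example that is not part of Securden's documentation: it confirms the exported key matches the certificate, flags a certificate close to expiry, and lists who can read the unencrypted key file. The function name, the 30-day window and the SYSTEM/Administrators allow-list are assumptions; pass the folder the files were copied to in Step 5.

```powershell
# Added example: check the PEM pair from Steps 3-4 before restarting the service.
# Needs openssl on PATH (Step 1). Test-SecurdenTlsPair is a hypothetical name.
function Test-SecurdenTlsPair {
    param(
        [Parameter(Mandatory)] [string] $Folder,  # folder holding the two PEM files
        [int] $MinDaysLeft = 30                   # assumed expiry warning window
    )
    $cert = Join-Path $Folder 'securden-cert.pem'
    $key  = Join-Path $Folder 'securden-key.pem'
    foreach ($f in $cert, $key) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
    }

    # 1. Key and certificate must carry the same RSA modulus. openssl x509 reads
    #    the first certificate in the file, so the server certificate has to
    #    come before any chain certificates exported from the .pfx.
    $certMod = (& openssl x509 -in $cert -noout -modulus) -join ''
    $keyMod  = (& openssl rsa -in $key -noout -modulus) -join ''
    $match   = ($certMod -like 'Modulus=*') -and ($certMod -eq $keyMod)

    # 2. -checkend exits non-zero if the certificate expires within N seconds.
    & openssl x509 -in $cert -noout -checkend ($MinDaysLeft * 86400) | Out-Null
    $valid = ($LASTEXITCODE -eq 0)

    # 3. -nodes left the key unencrypted, so the file ACL is what protects it at
    #    rest. List allow entries other than SYSTEM (S-1-5-18) and the local
    #    Administrators group (S-1-5-32-544); that allow-list is an assumption.
    $expected = 'S-1-5-18', 'S-1-5-32-544'
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $extra = (Get-Acl -LiteralPath $key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { $expected -notcontains $_.IdentityReference.Translate($sidType).Value } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        KeyMatchesCert  = $match
        ValidBeyondDays = $valid
        ExtraKeyReaders = @($extra)
    }
}

# Usage: Test-SecurdenTlsPair -Folder '<folder used in Step 5>'
```

The same review applies to the working copies of securden-key.pem and certificate.pfx left on the machine where the export was run.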
How to configure access to the Securden Password Vault mobile application?

You can download the Securden Password Vault mobile application from the App Store or Google Play Store. After installing it, enter the server URL in the mobile application to access the interface.

Is it possible to configure the Securden server to run on port 443?

Yes, it is possible to customize the server port to 443. To do this,

  • Navigate to the Securden installation folder\Conf and open the server.properties file with WordPad or Notepad++.
  • Restart the Securden PAM service (restarting the Securden Web service is not required, as it is dependent on the PAM service).
  • Try to access just the URL https://securden_server
Can passwords be automatically rotated upon expiration?

Yes, password rotation can be achieved by enabling the 'Expired Password Rotation' option available under Admin >> Notifications >> Expired Password Rotation. Passwords will then be rotated automatically for accounts that support remote password reset when they expire or are about to expire. The expiration days can be enforced by specifying the Password Age in the password policy. The new password gets updated in both the end machine and the Securden database, so you don't have to manually change the passwords anywhere.

Is there a way to convert a work account to a personal account?

Yes, there is a way to convert a personal account to a work account but vice versa is not possible. To store personal information, try recreating the accounts being added by selecting the category as 'Personal'.

When two or more servers have been configured for high availability purposes, will updating the primary server alone update the software on the secondary (application) server as well?

No, the application server has to be updated separately. However, the upgrade process will be completed in a few minutes, and the operation will be seamless.

Will this update cause any downtime in the application?

Yes, both servers will be stopped during the upgrade process. Hence, we recommend scheduling a maintenance window to upgrade the servers.

Does the update need a server reboot or service restart after updating the application?

Yes. The services should be stopped during the upgrade. Once the upgrade is completed, the services can be started.

What are the precautions to be taken before updating?

You need to take a backup of the Securden installation folder after stopping the service.

Here’s a quick summary of the upgrade steps:

  • Before initiating the upgrade, while the server is running, navigate to Admin >> Maintenance & Upgrades >> Product Upgrades section and check the steps to upgrade.
  • Now, stop the Securden service on the secondary server first. We are doing this to avoid failover.
  • Then, you can stop the service on the primary server. Take a backup of the Securden installation folder.
  • Initiate the upgrade on the primary server. You can follow the upgrade steps in the section mentioned above.
  • Once the upgrade is completed, start the service and log in to the primary server to check its version.
  • Now, you can initiate the upgrade on the secondary server. Once it is completed, log in to check its server version.

Note: You should start or stop the Securden PAM Service alone. Web Service - Securden PAM is dependent on the main service. Hence, it will be started automatically once the main service is started.

On finishing the installation of the new Securden system, the encryption key has been relocated to a different directory on the server. Is that good enough? What are the security implications if someone could copy that key and the database to another location?

As a security best practice, we recommend having the encryption key and database backup file in different locations.

Secure the encryption key in a safe drive or a remote location with strict access control that allows the key to be accessed only by the Securden application or the account used to run Securden services. Also, enforce MFA to secure user access to the Securden application.

However, even if someone gets access to the database and the encryption key, they cannot decrypt the information because application-layer encryption is in place. They need to install the exact version of the Securden application and restore the database. Even after restoring the database, they would have to log in as an admin/user to view passwords, which might not be possible if you enforce MFA for user authentication.

What should be done if the login to the PAM solution works but results in a white page? The login screen reappears when the white page is refreshed.

Instances like this are rarely encountered after a product upgrade. To resolve the issue, clear the browser cache and attempt logging in again.

What should be done on receiving the error message ‘Domain controller is not reachable’?
  • Navigate to Admin >> Configurations.
  • Under the General section, locate 'Do you want to check the Active Directory port before initializing the connection with the AD? If yes, specify the time duration in seconds after which the check times out.' Increase the default value to 4 seconds; if that doesn't work, change the value to 5.
How will Securden software recognize the same password in two different accounts?

In Securden, when a password is added/modified by a user, it is compared with the passwords that are owned by that user. However, when an account with the same password is shared, we do not check if the password is reused.

If an account is created by "admin", that account's password is compared with the accounts that are owned by "admin". Hence, it is possible to have two accounts (1 owned and 1 shared) with the same password that are still not flagged as 'Password is reused' for that user.

Will there be any data flow outside our environment for PAM? If so, what would be the confidentiality and security assurance?

Absolutely not. In the on-prem model, there is no cloud component involved. There is absolutely no data flow outside of your environment. Internet connectivity is not required for the functioning of the product. There is only one reporting feature that requires internet connectivity – dark web monitoring. Even in the case of this optional dark web monitoring feature, only partial hashes of the passwords are taken and compared against the dark web. You may disable this reporting feature if you don’t need it.
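How a partial-hash lookup keeps the password itself inside your environment, as an added illustration that is not Securden's code. The hash function (SHA-1), the 5-character prefix and the in-memory breach corpus are all assumptions, since the page does not state which scheme the product uses.

```powershell
# Added example (constructed data): partial-hash lookup against a breach corpus.
function Get-Sha1Hex([string] $Text) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        -join ($hash | ForEach-Object { $_.ToString('X2') })
    } finally { $sha.Dispose() }
}

# "Remote" side: breached hashes indexed by their first 5 hex characters.
# The two leaked passwords are constructed sample values.
$PrefixLength = 5
$BreachIndex  = @{}
foreach ($leaked in 'Summer2020!', 'letmein') {
    $h = Get-Sha1Hex $leaked
    $prefix = $h.Substring(0, $PrefixLength)
    if (-not $BreachIndex.ContainsKey($prefix)) { $BreachIndex[$prefix] = @() }
    $BreachIndex[$prefix] += $h.Substring($PrefixLength)
}

# The prefix is the only value that crosses the network boundary.
function Get-BreachRange([string] $Prefix) {
    if ($BreachIndex.ContainsKey($Prefix)) { $BreachIndex[$Prefix] }
}

# Local side: hash the password, send the prefix, compare the suffixes locally.
function Test-PasswordBreached([string] $Password) {
    $h = Get-Sha1Hex $Password
    $prefix   = $h.Substring(0, $PrefixLength)
    $suffixes = @(Get-BreachRange $prefix)
    [pscustomobject]@{
        SentToService = $prefix
        Breached      = $suffixes -contains $h.Substring($PrefixLength)
    }
}

Test-PasswordBreached 'letmein'
Test-PasswordBreached 'c0rrect-h0rse-staple'
```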

Would there be any updates for the on-prem installation of the PAM software?

Yes. We release major and minor upgrades periodically. The upgrades are released as upgrade packs. You may download the upgrade pack and apply it through the upgrade manager tool that comes with the product. The upgrade process typically takes only a minute or two. The upgrade process is NOT sequential. That means you may move to the latest version from ANY version you might be on in a single hop. So, you may plan upgrades at your convenience.

How to expand the scope of usage for PAM in the future, and how will additional user access be unlocked if required? Could you please outline the process for this expansion?

Very simple. It just requires a revised license key. Whenever you need to increase the license count, you may write to sales@securden.com. You will receive the revised license key immediately. We will co-term the additional licenses with the existing subscription and pro-rate the pricing for the remaining subscription period alone.

How to manage passwords of the local accounts present in non-domain systems? It is stated that the endpoint does not need an agent. If so, are native tools required to manage it?

Yes, you are correct. Agents are not required for managing local account passwords, as it is carried out using WMI. As a prerequisite, Securden needs device connectivity, admin credentials (for remote operations), and WMI for all local users. By default, WMI remains disabled for all local users except for the built-in administrator accounts. Below are the links that would help you enable WMI on specific computers and in bulk using GPO:

Enabling WMI access on a specific Windows machine:
https://www.securden.com/documents/WMI-Access-for-All-Users.pdf

Enabling WMI on multiple machines:
https://www.securden.com/documents/WMI-Access-For-All-Users-GPO.pdf

How to manage local admin accounts on a Windows server that are not listed in Active Directory but exist locally on the target system? Additionally, what specific ports need to be opened from Securden to the target system?

You can manage the local admin accounts on non-domain joined computers by adding the accounts to Securden first. Then, open TCP port 135 and make sure the Windows Management Instrumentation (WMI) service is running. Once you ensure these, you will be able to manage local admin accounts.

Complete information about the ports used by Securden PAM is available in this document. Please refer to that:

PAM - Ports.pdf
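A pre-flight check for one target before its local accounts are added to Securden, covering the prerequisites in the two answers above (connectivity on TCP 135, admin credentials, and WMI access). This is an added example, not Securden's code; the function name and the host name in the usage line are placeholders.

```powershell
# Added example: confirm a non-domain Windows target meets the WMI prerequisites.
# Test-WmiPrereq is a hypothetical helper name; run it from the Securden server.
function Test-WmiPrereq {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [pscredential] $Credential  # admin account on the target
    )
    $result = [ordered]@{
        Target = $Target; Port135Open = $false; WmiSession = $false
        LocalAccounts = @(); Error = $null
    }

    # 1. TCP 135 must be reachable from this machine.
    $tcp = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
    $result.Port135Open = [bool]$tcp.TcpTestSucceeded
    if (-not $result.Port135Open) { return [pscustomobject]$result }

    # 2. Open a CIM session over DCOM (classic WMI) rather than WinRM. It only
    #    succeeds if the WMI service is running and the account has remote WMI
    #    access. DCOM continues on a dynamically assigned RPC port, so this
    #    step can fail at a firewall even though 135 is open.
    $session = $null
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Target -Credential $Credential `
            -SessionOption $opt -ErrorAction Stop
        $result.WmiSession = $true

        # 3. List the local accounts visible over WMI with this credential.
        $result.LocalAccounts = @(
            Get-CimInstance -CimSession $session -ClassName Win32_UserAccount `
                -Filter 'LocalAccount=True' -ErrorAction Stop |
                Select-Object -ExpandProperty Name)
    }
    catch { $result.Error = $_.Exception.Message }
    finally { if ($session) { Remove-CimSession -CimSession $session } }

    [pscustomobject]$result
}

# Usage (placeholder host name):
# Test-WmiPrereq -Target 'SRV-EXAMPLE01' -Credential (Get-Credential)
```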
Should an agent be installed on the target system for RDP, or is Securden using the standard MS Windows RDP feature?

No, you need not install any agent on the target system. Securden simply uses the Windows RDP.

There are two ways in which you can launch connections – Web-based RDP and using native apps. While web-based RDP works out-of-the-box, for launching connections using native apps, a lightweight Securden launcher utility needs to be installed on client machines. Nothing needs to be installed on target systems.

Any data written to the secondary server does not get synchronised back to the primary server when the primary server fails. Following the database crash, a new "data" folder is also being created. How to determine the cause of the data not syncing back?

Once the primary server is up and running again, the data stored on your secondary server gets automatically synced with the primary. However, you need to ensure there are no network disruptions between the servers.

Also, once the primary is back online, it remains in 'Standby' mode. You are requested to visit the HA page on your primary server to make it the 'Master' again. If the primary server goes down, by default, administrators or super administrators will receive the failover email.