Securden Unified PAM

Unified PAM FAQs

This page outlines product troubleshooting tips and frequently asked questions on Securden Unified PAM. Should you need further technical assistance, feel free to write to support@securden.com.

Frequently Asked Questions

Does Securden provide release notes for each released version, and if so, are these release notes made available through your website?

Yes. Securden provides comprehensive release notes for each new version upgrade on product releases. We follow this practice diligently to keep customers well-informed at every stage, aligning with NERC CIP compliance. The release notes are labeled category-wise as product enhancement, new features, security fixes, and bug fixes for easy reference. Customers can access these release notes from the website. Also, the release notes are sent to customers via email.

How to configure time delays during remote sessions over custom application launcher?

Securden facilitates launching connections with remote IT assets and applications. If Securden needs to wait before filling the data in the launched application, navigate to Admin >> Remote Connections >> Custom Application Launcher and add a time delay (measured in milliseconds).

How to add SSL certificate to the Securden server?

You can upload your SSL certificate to the Securden server by following the instructions below.

  • Step 1: Download OpenSSL (if you don't already have it installed) from http://www.slproweb.com/products/Win32OpenSSL.html. Ensure the 'bin' folder under the OpenSSL installation is included in the 'PATH' environment variable.
  • Step 2: Copy your certificate (e.g. certificate.pfx) and paste it in the system from where you can execute OpenSSL exe. The *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  • Step 3: Run the following commands to export the private key:
      openssl pkcs12 -in certificate.pfx -nocerts -out securden-key.pem -nodes
      openssl rsa -in securden-key.pem -out securden-key.pem
  • Step 4: Run the following command to export the certificate:
      openssl pkcs12 -in certificate.pfx -nokeys -out securden-cert.pem
    Once you execute the above steps, you will get an SSL certificate and a private key.
  • Step 5: Copy the certificate and private key created above, navigate to the /conf directory, and paste them there.
  • Step 6: In services.msc, restart Securden Vault Service. This replaces the self-signed certificate with your certificate.
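
The export in Steps 3 and 4, followed by a check that the key and certificate belong together before they go into the conf directory, as an added example (not Securden's own tooling). It is written for a POSIX shell on whichever machine runs OpenSSL; the PFX_PASS variable, the sample file names and the throwaway self-signed certificate are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Securden code. The PFX password is read from the
# PFX_PASS environment variable (an assumption) instead of a prompt.

# Steps 3 and 4: $1 = PFX file, $2 = output directory.
export_pfx() {
    old_umask=$(umask)
    umask 077   # -nodes writes the key unencrypted, so create it owner-only
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS \
        -out "$2/securden-key.pem" &&
    openssl rsa -in "$2/securden-key.pem" -out "$2/securden-key.pem" &&
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS \
        -out "$2/securden-cert.pem"
    rc=$?
    umask "$old_umask"
    return $rc
}

# Succeeds only if the private key ($1) and the first certificate in the
# PEM file ($2) carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds if the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed sample input: a throwaway self-signed certificate valid for
# 30 days, packed into certificate.pfx inside directory $1.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=securden.example.test" \
        -keyout "$1/sample-key.pem" -out "$1/sample-cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/sample-key.pem" \
        -in "$1/sample-cert.pem" -passout env:PFX_PASS \
        -out "$1/certificate.pfx"
}

# Runs the whole flow on the constructed sample and cleans up afterwards.
demo() {
    work=$(mktemp -d) || return 1
    PFX_PASS=constructed-example; export PFX_PASS
    make_sample_pfx "$work" &&
    export_pfx "$work/certificate.pfx" "$work" &&
    key_matches_cert "$work/securden-key.pem" "$work/securden-cert.pem" &&
    cert_valid_for_days "$work/securden-cert.pem" 7
    rc=$?
    rm -rf "$work"
    return $rc
}

demo && echo "securden-key.pem matches securden-cert.pem"
```

With a real PFX, run export_pfx and key_matches_cert before Step 5, and remove any extra copies of the unencrypted securden-key.pem once it is in place.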
How to configure access to the Securden Password Vault mobile application?

You can download the Securden Password Vault mobile application from the App Store or Google Play Store. After installing it, enter the server URL in the mobile application to access the interface.

Is it possible to configure the Securden server to run on port 443?

Yes, it is possible to customize the server port to 443. To do this,

  • Navigate to the Securden installation folder\Conf and open the server.properties file with WordPad or Notepad++.
  • Restart the Securden PAM service (it is not required to restart the Securden Web service, as it is dependent on the PAM service).
  • Try to access just the URL https://securden_server
Can passwords be automatically rotated upon expiration?

Yes, password rotation can be achieved by enabling the 'Expired Password Rotation' Option available in the Admin >> Notifications >> Expired Password Rotation. Consequently, passwords will be rotated automatically for accounts that support remote password reset when they expire or are about to expire. The expiration days can be enforced by specifying the Password Age in the password policy. The new password gets updated in both the end machine and Securden database, so you don't have to manually change the passwords anywhere.

Is there a way to convert a work account to a personal account?

Yes, there is a way to convert a personal account to a work account, but the reverse is not possible. To store personal information, try recreating the accounts being added by selecting the category as 'Personal'.

When two or more servers have been configured for high availability purposes, will updating the primary server alone update the software on the secondary (application) server as well?

No, the application server has to be updated separately. However, the upgrade process will be completed in a few minutes, and the operation will be seamless.

Will this update cause any downtime in the application?

Yes, both servers will be stopped during the upgrade process. Hence, we recommend scheduling a maintenance window to upgrade the servers.

Does the update need a server reboot or service restart after updating the application?

Yes. The services should be stopped during the upgrade. Once the upgrade is completed, the services can be started.

What are the precautions to be taken before updating?

You need to take a backup of the Securden installation folder after stopping the service.

Here’s a quick summary of the upgrade steps:

  • Before initiating the upgrade, while the server is running, navigate to Admin >> Maintenance & Upgrades >> Product Upgrades section and check the steps to upgrade.
  • Now, stop the Securden service on the secondary server first. We are doing this to avoid failover.
  • Then, you can stop the service on the primary server. Take a backup of the Securden installation folder.
  • Initiate the upgrade on the primary server. You can follow the upgrade steps in the section mentioned above.
  • Once the upgrade is completed, start the service and log in to the primary server to check its version.
  • Now, you can initiate the upgrade on the secondary server. Once it is completed, log in to check its server version.

Note: You should start or stop the Securden PAM Service alone. Web Service - Securden PAM is dependent on the main service. Hence, it will be started automatically once the main service is started.

On finishing the installation of the new Securden system, the encryption key has been relocated to a different directory on the server. Is that good enough? What are the security implications if someone could copy that key and the database to another location?

As a security best practice, we recommend having the encryption key and database backup file in different locations.

Secure the encryption key in a safe drive or a remote location with strict access control that allows the key to be accessed only by the Securden application or the account used to run Securden services. Also, enforce MFA to secure user access to the Securden application.

However, even if someone gets access to the database and the encryption key, they cannot decrypt the information because application-layer encryption is in place. They would need to install the exact version of the Securden application and restore the database. Even after restoring the database, they would have to log in as an admin/user to view passwords, which might not be possible if you enforce MFA for user authentication.

What should be done if the login to the PAM solution works but results in a white page? The login screen reappears when the white page is refreshed.

Instances like this are rarely encountered after a product upgrade. To prevent such occurrences, it is advisable to clear the browser cache and attempt logging in again.

What should be done on receiving the error message ‘Domain controller is not reachable’?
  • Navigate to Admin >> Configurations.
  • Under the General section, locate 'Do you want to check the Active Directory port before initializing the connection with the AD? If yes, specify the time duration in seconds after which the check times out.' Increase the default value (in seconds) to 4; if that doesn't work, change the value to 5.
How will Securden software recognize the same password in two different accounts?

In Securden, when a password is added/modified by a user, it is compared with the passwords that are owned by that user. However, when an account with the same password is shared, we do not check if the password is reused.

If an account is created by "admin", that account's password is compared with the accounts that are owned by "admin". Hence, it is possible to have two accounts (1 owned and 1 shared) with the same password that are still not shown as 'Password is reused' for that user.

Will there be any data flow outside our environment for PAM? If so, what would be the confidentiality and security assurance?

Absolutely not. In the on-prem model, there is no cloud component involved. There is absolutely no data flow outside of your environment. Internet connectivity is not required for the functioning of the product. There is only one reporting feature that requires internet connectivity – dark web monitoring. Even in the case of this optional dark web monitoring feature, only partial hashes of the passwords are taken and are compared against the dark web. You may disable this reporting feature if you don’t need that.

Would there be any updates for the on-prem installation of the PAM software?

Yes. We release major and minor upgrades periodically. The upgrades are released as upgrade packs. You may download the upgrade pack and apply it through the upgrade manager tool that comes with the product. The upgrade process typically takes only a minute or two. The upgrade process is NOT sequential. That means you may move to the latest version from ANY version you might be on, in a single hop. So, you may plan upgrades at your convenience.

How to expand the scope of usage for PAM in the future, and how will additional user access be unlocked if required? Could you please outline the process for this expansion?

Very simple. It just requires a revised license key. Whenever you need to increase the license count, you may write to sales@securden.com. You will receive the revised license key immediately. We will co-term the additional licenses with the existing subscription and pro-rate the pricing for the remaining subscription period alone.

How to manage passwords of the local accounts present in non-domain systems? It is stated that the endpoint does not need an agent. If so, are native tools required to manage it?

Yes, you are correct. Agents are not required for managing local account passwords, as it is carried out using WMI. As a prerequisite, Securden needs device connectivity, admin credentials (for remote operations), and WMI for all local users. By default, WMI remains disabled for all local users except for the built-in administrator accounts. Below are the links that would help you enable WMI on specific computers and in bulk using GPO:

Enabling WMI access on a specific Windows machine:
https://www.securden.com/documents/WMI-Access-for-All-Users.pdf

Enabling WMI on multiple machines:
https://www.securden.com/documents/WMI-Access-For-All-Users-GPO.pdf

How to manage local admin accounts on a Windows server that are not listed in Active Directory but exist locally on the target system? Additionally, what specific ports need to be opened from Securden to the target system?

You can manage the local admin accounts on non-domain joined computers by adding the accounts to Securden first. Then, TCP port 135 needs to be open and the Windows Management Instrumentation (WMI) service should be running. Once you ensure these, you will be able to manage local admin accounts.

Complete information about the ports used by Securden PAM is available in this document. Please refer to that:

PAM - Ports.pdf
Should an agent be installed on the target system for RDP, or is Securden using the standard MS Windows RDP feature?

No, you need not install any agent on the target system. Securden simply uses the Windows RDP.

There are two ways in which you can launch connections – Web-based RDP and using native apps. While web-based RDP works out-of-the-box, for launching connections using native apps, a lightweight Securden launcher utility needs to be installed on client machines. Nothing needs to be installed on target systems.

Any data written to the secondary server does not get synchronised back to the primary server when the primary server fails. Following the database crash, a new "data" folder is also being created. How to determine the cause of the data not syncing back?

Once the primary server is up and running again, the data stored on your secondary server gets automatically synced with the primary. However, you need to ensure there are no network disruptions between the servers.

Also, once the primary is back online, it remains in 'Standby' mode. You are requested to visit the HA page on your primary server to make it the 'Master' again. If the primary server goes down, by default, administrators or super administrators will receive the failover email.

How do we ensure users can manage their personal accounts in Securden without manually assigning personal folders to each user?

Yes, users can manage personal accounts using Securden without a separate folder assigned by the administrator. When users add accounts to the PAM interface, they can choose if the accounts are Work or Personal accounts.

Note: The personal accounts added to Securden cannot be accessed by anyone other than the user who added them.

The users can filter and view their personal accounts by navigating to Accounts, clicking on the drop-down symbol against All Accounts and clicking Personal Accounts.

Can a Remote Gateway Server (jump server) be used for SSH, like how it can be used for RDP?

Jump hosts (called remote gateway in the UI) can be configured for all types of remote connections. When a remote gateway is configured in Securden, all remote connections (SSH and RDP) will be routed through the designated gateway.

Is there a way to manually trigger the expiration notification for testing purposes?

As of now, we don't have a specific option to manually trigger email notifications for testing purposes. However, you can simulate this by creating an account, setting its expiration for tomorrow, and configuring the account expiration notification to be sent one day in advance. This way, you'll receive an email notification for expiration.

What are the steps to be followed to apply the license key?
  • Download the license file (Securden-PAM-License.txt)
  • Log in to Securden web interface and navigate to Admin tab
  • Find License under General section
  • Apply the downloaded license file
What are the ways to add Active Directory accounts to Securden?

You can add an Active Directory account into Securden Unified PAM in one of the following two ways:

  1. By discovering the account from Active Directory
  2. By adding the account manually

(i) Discovering the account from the Active Directory:
This method leverages Active Directory to automatically discover and import accounts.

  • Launch AD Discovery: Access the account discovery feature in Securden, from Accounts >> Add >> Discover Accounts.
  • Configure AD Parameters: Provide the necessary details such as the AD domain, credentials, and specific organizational units (OUs) or groups to target for the discovery.
  • Import: Once the discovery process is complete, the accounts get imported into the Securden vault/PAM

For detailed steps, please refer to the Securden Unified PAM Administrator Guide.

(ii) Adding an AD account manually to the Securden server:
When you manually add an AD account to Securden, ensure that it is added as a Windows domain account type. Additionally, ensure the following:

  • The domain controller’s IP address is provided
  • The username matches the account name
  • The password is updated
  • There is connectivity from the Securden server to the Active Directory

Once these fields are filled in correctly, the account will be added to Securden and synchronized with the Active Directory. Once synchronized, any changes made to the account in the AD will automatically be reflected in Unified PAM.

Is it possible to restrict the visibility of user’s work passwords to the administrator role in a web interface?

Only super administrators have the implicit permission to view passwords of work accounts stored in the database. By default, administrators cannot view passwords of users unless they are explicitly shared by the owner to the administrator. Even when sharing these accounts, the owners can select the level of access to the account the administrator can have.

There are four permission levels with which you can share an account:

  • Open Connection allows launching RDP, SSH sessions with target machines, and auto-filling credentials for web applications without showing the underlying password in plain text in the GUI.
  • View lets the user view the details and password.
  • Modify allows editing of the password.
  • Manage grants all privileges and is considered concurrent ownership.
When a user leaves, is there a method to transfer their accounts to someone else who can then access the passwords?

Yes, absolutely. When a user leaves the organization, it's possible to transfer their accounts to someone else who is allowed to access their credentials. This can be executed in three simple steps:

  • First, select the user about to leave the organization and click on the Transfer Ownership button present against each user in the left side pane of the Users section.
  • Select what items you want to share from the list.
  • Once the preferences are set, select the user to which the accounts are to be transferred from the drop-down and click Transfer.

Where do I access the cloud storage backups?

You will have to just point the backup location in the product to the cloud storage (drive location) and the backup gets pushed to the destination drive in an encrypted state. In case the server crashes or goes down, you can download the latest DB backup from the cloud storage and get the product back online by performing disaster recovery.

Will users be able to view and launch web applications through the 'Custom Application Launcher' when connecting from an Android device?

Securden only facilitates launching connections through custom application launchers on the Windows operating system (OS). Hence, when users log in from Android devices, they won't see the options for connecting via custom application launchers.

When uploading documents containing Swedish characters, the letters appear distorted. Is there a way to change the encoding of the documents to UTF-8, or is there another solution available?

This patch accountmanagement_views.pye would help you overcome the issue faced with the uploaded documents. You can also try using the steps mentioned below:

  1. Navigate to \Privileged_Account_Manager\pam\accountmanagement
  2. Rename accountmanagement_views.pye to accountmanagement_views.pye.old
  3. Download accountmanagement_views.pye and paste it on the above-mentioned location
  4. Restart Securden PAM Service
  5. Now, you can check the issue by uploading the document.
In Securden EPM, can the installed agents identify local accounts on endpoints located in offices or remote areas?

As of now, the local accounts cannot be discovered by deploying agents on the endpoints. The agent-based (account) discovery feature is currently unavailable. For domain members, you can use the Windows Account Discovery for discovering the local accounts. However, for workgroup computers, we recommend you get the accounts added manually or imported via CSV in bulk.

When migrating Securden database to a new SQL server, where to find the configuration within the product to determine which product the database is tied to? How to go about the configuration update?

By default, Securden comes with PostgreSQL as the backend database. You can find the details of the database in the 'server.properties' file under the \PAM\conf folder. With regard to migrating the backend database, we have a detailed guide. You may refer to the guide and try migrating the database.

What are the steps to refresh passwords for IIS/Scheduled tasks?

These are the steps to refresh passwords for IIS App Pools, Scheduled Tasks, and other Windows dependencies in Securden.

  1. To refresh the passwords for dependencies, start by ensuring the particular machine is discovered in Securden. If not, navigate to Accounts >> Add >> Discover Accounts to import into Securden.
  2. Once the machine is imported into Securden, it will automatically retrieve all dependencies. Now, select the account from Securden and attempt to change the password. The changes made will automatically propagate to dependencies as well. This method allows you to refresh the accounts of IIS/Scheduled Tasks.
  3. If you wish to automate the process, go to the Folders tab and choose the specific folder containing the account you're looking for. On the right side of the Securden GUI, select 'Remote Password Reset.' Now, you can define the periodicity for rotating the passwords.
Is it possible to migrate from an external MS-SQL DB to PostgreSQL on the Securden EPM server, and if yes, is there documentation on that process?

No, it is not possible to migrate from MS-SQL server to PostgreSQL. The only option would be for us to perform a fresh installation using PostgreSQL.

How to identify the accounts that are used in the task scheduler?

In order to identify the accounts used in the task scheduler, you should ensure that the account and the computer on which the service account runs are imported into the Securden server. Once they are imported, Securden can fetch its dependencies, including the task scheduler.

What to do if local accounts (from the Administrators group) are deleted from a machine, but cannot be removed from the list of accounts?

Securden discovers the local accounts on the computers through Windows discovery. Once the local admin accounts are discovered, we do not have an option to synchronize those accounts based on the changes made. Hence, when a local account is deleted from a server, Securden Unified PAM will not remove it from the UI automatically.

If users are removed from AD groups, will their logins still appear in the product's user list?

In Securden, when a user is deleted or disabled in the Active Directory, we disable the user, and they will be restricted from logging in to the Securden UI. However, when a user is removed from an AD group and the user is still present in the AD, we pull the changes into Securden, and the user will not be part of the particular AD group anymore. The user will still be active within Securden and will be able to log in to the Securden UI with their AD credentials.

 
