Channel: Support Portal

Logjam (Diffie-Hellman) error reporting in newly updated browser

An error occurred during a connection to password.xxxx.xxxx.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)


Even after updating the schannel.dll not to use DH, still cannot connect.

Hardening of PMP SSL/TLS configuration

My site is in the process of hardening all of our services that require authentication. I upgraded our PMP install to version 8.1 (8101) and I configured it with a globally trusted certificate.

I then ran an nmap scan against the install for the script ssl-enum-ciphers on the port 7272.  Much to my surprise, it reported back that SSLv3 ciphers are turned on.

The results were:
PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

I changed the server.xml file according to another PMP post recommendation:

To turn off SSL 3.0 on PMP

https://forums.manageengine.com/topic/how-to-configure-passwordmanager-pro-7-0-to-not-use-ssl3-poodle-attack

I did this and once nmap is run again the only protocol that shows is TLSv1.0, which is better than having it respond to SSL.

PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Reading through the other product forums I found that by adding TLSv1, TLSv1.1, TLSv1.2 to the SSLprotocols= line we get the other flavors of TLS turned on.

  • Stop the PMP service and take a backup of the server.xml file present in PMP/conf directory.
  • Edit this file with wordpad and look for the value   sslProtocol="TLS" .
  • Change it to  SSLProtocols="TLSv1,TLSv1.1,TLSv1.2"  and save the file.
    • NOTE THE SSLProtocol is now Plural (s) added to it. (This will disable SSLv3 in tomcat server)
  • Change it in both the lines you find in the file.
  • Then start the PMP service and you should be able to connect to the webpage.

I did this and get these results back.

PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

So by making these changes it fixes the default build of having SSL 3.0 ciphers (old demoted ciphers) available and just leaving the more secure TLS running. I will be turning the older TLS versions off shortly.

Hope this helps others in your quest for a better security posture for your organizations.

Regards,

--Forrest
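
Added example, not part of the original post: a small parser for ssl-enum-ciphers output in the format shown above, so a re-scan after each server.xml change can be checked automatically. The DEPRECATED list and the static-RSA check are assumptions of this example; nmap's "strong" label rates the cipher only, not the protocol version or the key exchange.

```python
import re

# Assumption of this example: versions the thread treats as ones to switch off.
DEPRECATED = ("SSLv3", "TLSv1.0", "TLSv1.1")
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
# Matches "NAME - strong" as on this page and the newer "NAME (rsa 2048) - A".
CIPHER_RE = re.compile(r"^\|\s+((?:TLS|SSL)_\w+)(?:\s+\([^)]*\))?\s+-\s+(\w+)")

# Constructed sample modelled on the first scan in the post (shortened).
SAMPLE = """\
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|_  least strength: strong
"""

def parse_ssl_enum(text):
    """Return {protocol: [(cipher, nmap_rating), ...]} in scan order."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current and (m := CIPHER_RE.match(line)):
            result[current].append((m.group(1), m.group(2)))
    return result

def findings(parsed):
    """Flag what nmap's per-cipher 'strong' rating does not tell you."""
    out = []
    for proto, ciphers in parsed.items():
        if proto in DEPRECATED:
            out.append(f"{proto}: protocol version should be disabled")
        out += [f"{proto}: {c} (static RSA, no forward secrecy)"
                for c, _ in ciphers if c.startswith("TLS_RSA_")]
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_ssl_enum(SAMPLE))))
```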





Re : Password reset by resource

Hi, to my knowledge this is not possible. Then again, I am not a PMP engineer. 

I am also not sure why you would like that, as the idea behind PMP is to not know the password until you need it. PMP can do this for you. If you change the password in AD yourself and it is synced to PMP the security would be compromised? 

Greets,
Wilfred

Re : Changing password on Cisco Devices

For anyone who is experiencing the same problem...

I was still running version 6.9.0. This problem was solved in version 7.1 and higher. 

After upgrading to the current version (8.1) I can now change the password of the admin account.

Re : Password reset by resource

Hi Alexander,

Thanks for the post.
As Wilfred mentioned, PMP does not perform a two-way sync. So you can trigger a password reset from PMP and set it in the target device. But it cannot pull the passwords out of the target device. Even when you Discover resources from AD, it will only pull the Windows machines along with the local accounts. But it will not pull the current passwords. You can do a bulk password reset or you can reset the password for the first time in due of the product usage. Once this is done, all users will be forced to log in to PMP to check out/use the respective password.

Hope this helps you.
Do contact us if you have any other questions.


Thanks & Regards,
Ganesh
[Technical Consultant |  Password Manager Pro ]



   


Password reset failed

Hi.

We are having a problem resetting a password. We've performed a check-in/check-out of the password on one of our resources, but per checking the audit logs, it shows an error.


Re : Hardening of PMP SSL/TLS configuration

To make PMP work with Firefox 39.0, you'll need to modify the ciphers= strings from:
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
to
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

A smaller list may be all that's needed, but this works.
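
Added example, not part of the original reply: one way to audit a ciphers= value before and after the change, classifying each suite by key exchange and spotting duplicate entries. The server.xml fragment is constructed (only the port and the two cipher lists come from the posts on this page), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# The two ciphers= values quoted in the reply above.
BEFORE = ("TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,"
          "TLS_RSA_WITH_AES_256_CBC_SHA")
AFTER = ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,"
         "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,"
         "TLS_RSA_WITH_AES_256_CBC_SHA")

# Constructed fragment; a real Connector carries many more attributes.
SERVER_XML = f'<Server><Service><Connector port="7272" ciphers="{BEFORE}"/></Service></Server>'

def key_exchange(suite):
    """Classify a TLS_<kx>_WITH_<cipher> suite name by its key exchange."""
    kx = suite.split("_WITH_")[0]
    if "ECDHE" in kx:          # test ECDHE first: the string also contains "DHE"
        return "ECDHE"
    if "DHE" in kx:
        return "DHE"
    return "RSA" if kx == "TLS_RSA" else "other"

def audit_ciphers(value):
    """Summarise one ciphers= attribute value."""
    counts = Counter(s.strip() for s in value.split(",") if s.strip())
    kx = Counter(key_exchange(s) for s in counts)      # unique suites only
    return {
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
        "kx": dict(kx),
        # ECDHE and DHE give forward secrecy; static RSA does not.
        "forward_secret": kx["ECDHE"] + kx["DHE"],
        # DHE suites depend on the server's DH group size, the subject of the
        # ssl_error_weak_server_ephemeral_dh_key error quoted on this page.
        "dhe": sorted(s for s in counts if key_exchange(s) == "DHE"),
    }

def audit_server_xml(xml_text):
    """Return {port: audit} for every Connector that sets ciphers=."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_ciphers(c.get("ciphers"))
            for c in root.iter("Connector") if c.get("ciphers")}

if __name__ == "__main__":
    print(audit_server_xml(SERVER_XML))
    print(audit_ciphers(AFTER))
```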

Automatic Password Reset - HP ProCurve


Hello,

We are currently experiencing an issue when trying to set up automated password resets on our HP Procurve 2610 switches.

I have PMP set up to connect to the switches and log in using SSH, putty and the Web Browser. The automatic logins all work successfully.

As we reset the passwords on our switches on a regular basis I am attempting to set up the automatic password reset using SSH (current setting below):

I am able to run the 'Password Verify' command for each account successfully. However when I attempt to complete a remote password reset this fails with the following:

Given that I know the credentials stored in PMP for the switch are correct, what would be stopping the password reset?

When we first log into the switches using SSH/putty we get the following message, could this be causing problems and is there any way around this?

Regards

Mark


Define password policy with REST API

Hi,

Is it possible to set password policy when creating a resource with the REST API ?

Regards,

Romain Joachim

Improve upgrade process for High Availability installs


We have experienced a number of recurring issues during installs and upgrades of PMP on Linux.  The main one is that the files and directories are being installed with "root" as the owner instead of the PMP user, even when the install script is being run as PMP.  This results in the PMP service not starting up.  The first time we encountered this, we were informed to chown the directories to the correct user.  We have since had to do this for nearly every install and some upgrades.  It would be preferable that this were done by the install script so we don't have to continually troubleshoot startup problems with the PMP service.

Next, as a High Availability installation, the upgrade process is cumbersome and error prone, again causing problems with the secondary server starting up and with replication.  If the secondary server is currently working, why must we (basically) delete it and rebuild the secondary server from scratch?  If this process was an upgrade and not an outright replacement, the issues of missing files, certs, incorrect ownership of directories, etc. could be avoided.

Has anyone else encountered these problems, and have you found a way to resolve them?

Webinar: Join us for a Walk-through of Password Manager Pro Enterprise Edition


Hi,

Our businesses keep growing, and so do cyber risks. To stay in control, we need to put tighter locks on privileged accounts. This calls for managing the entire life cycle of administrative passwords and closely monitoring privileged access.

You already know about Password Manager Pro that helps control privileged access. Its newly released enterprise edition helps reinforce your security defences with the provision to automatically enumerate privileged accounts, closely monitor privileged sessions with dual controls, and integrate with enterprise IT infrastructure. It is a complete Privileged Access Management solution built to bolster your IT security.

Please join us for a free webinar on July 22 to learn more about the enterprise edition.

Webinar Password Manager Pro Enterprise Edition - A Walk-through

Wednesday, July 22, 2015

10:00 AM PST|PDT | 1:00 PM EST | 10:30 PM IST

Register now

In this webinar you will learn how to:

  • Automatically discover privileged accounts and streamline your everyday password management operations

  • Closely monitor privileged access with session recording and shadowing (dual controls)

  • Leverage integrations with ticketing systems and SIEM solutions for improved security

Register now


Re : Password Reset Schedule Failure

Any movement on this yet.

We are experiencing the same issue as the others. Please share what we can do to fix this.

Thanks

Manny

Upgrade from 7101 to 7500 failed with Error Occured... Uninstalling

Hi,

Upgrade from 0701 to 7500 failed with Error Occured: Uninstalling.

In the updatemgrlog.txt I can see there are a few Severe 
[com.adventnet.persistence.UpdateManagerUtil]  [INFO] : Data directory change permission steps skipped
[com.zoho.framework.utils.crypto.EnDecrypt]  [SEVERE] : Encryption failed
[com.adventnet.persistence.PersistenceInitializer]  [INFO] : Reading .\conf\database_params.conf 
[com.zoho.framework.utils.crypto.EnDecrypt]  [SEVERE] : Encryption failed


Might be worth mentioning that we just moved PMP from an old to a new server. However, I have upgraded from version 6.6 to 7.1 without problems on the new server.
Anyone got any ideas or can point me in the right direction?


Problem with Upgrade PMP from 7101 to 7500 I'm getting an error saying Error Occured... Uninstalling


Hi,

When I'm trying to upgrade PMP from 7101 to 7500 I'm getting an error saying Error Occured... Uninstalling.

Looking in updatemgrlog i see:

[com.adventnet.persistence.UpdateManagerUtil]  [INFO] : Data directory change permission steps skipped
[com.zoho.framework.utils.crypto.EnDecrypt]  [SEVERE] : Encryption failed
[com.adventnet.persistence.PersistenceInitializer]  [INFO] : Reading .\conf\database_params.conf
[com.zoho.framework.utils.crypto.EnDecrypt]  [SEVERE] : Encryption failed
[com.adventnet.ds.DefaultDataSourcePlugIn]  [INFO] : ConnectionPoolParams :: minSize :: [20], maxSize :: [1], idleTimeout :: [1 800 seconds], blockingTimeout :: [30 seconds]
[com.adventnet.persistence.PersistenceInitializer]  [INFO] : Archive Adapter class ::: com.adventnet.db.archive.DefaultArchiveAdapter
[com.adventnet.persistence.PersistenceInitializer]  [INFO] : Storage Adapter class ::: null
[com.adventnet.db.api.RelationalAPI]  [SEVERE] : haltjvm.on.dbcrash is set to [false]
[SYSOUT]  [INFO] : shutDownStrings :: []

It might be worth mentioning that we just moved from an old to a new server and this problem is on the new server. Can anyone point me in the right direction?

Re : Extend landing server feature to tunneling connection with other resources

Hello, All!!!
Need this feature too.

Example: we have a MySQL Server with a DB, and it accepts incoming connections only from localhost.
May I create this scheme?
PMP -> LandingServer:22 -> MYSQLDBHOST -> DB MYSQL (127.0.0.1:3306)

Annoying interface.


 

Hi, we have been your customer for over 5 years and I myself have been using your software for about 10.

We’ve been using your password manager as core password software – but now – with lots of resources it gets annoying – mainly we use the search option but normal users get angry every day trying to find something.

At the beginning we started to use groups…yes tree view etc…but suddenly it occurred that in fact browsing them is even more annoying.

Guys – time to move with the software – we are looking at your competitors and they get better and better every day – your interface stays the same for years !

On one hand it’s good but on other hand... why we cannot browse resources like folders – just have nice tree view with folders created globally or locally or workable tree view to browse and explore ?

Just please try to work with a few hundred of them :) on such a flat interface.

 

Regards

Bogdan


Re : Annoying interface.

Hi Bogdan,

Thank you for raising your concerns. We know how important & valuable you are to ManageEngine & we do not want to lose you under any circumstances.

We would like to schedule a call & work with you to understand your pain points. This will help us to propose an appropriate solution.

Please raise a support ticket at passwordmanagerpro-support@manageengine.com along with your availability & contact details. We look forward to working with you.

Assuring our best support at all times.

Thanks & Regards
Vignesh.K
Technical Consultant
ManageEngine IT-Security Team

Remove input keys buffering

Hi,

I am new to PMP and noticed that whenever I open an ssh connection to a server my inputs are buffered then dumped on the screen. Is there a way to remove this feature? The delay is really annoying especially when you have a good amount of commands to run.

Thank you,
Elie

Re : Modify Search Result Fields

Hi Dan,

Thanks for the forum post.
Administrator / Password Administrator in PMP can very well edit the resource and account information using the search operation. We request you to upgrade to the latest version to make use of this option if it is not visible during search.

The fields to be displayed during the search cannot be customized currently. We will add this request to our road-map and provide this option in one of our future releases.

Feel free to write to us if you have any other questions.

Thanks & Regards,
Chris
[Technical Consultant | Password Manager Pro]

Re : Annoying interface.



Hi Bogdan,

Thank you for raising a support request. We tried calling you at different intervals, couldn't reach you. Please post your availability & we will be glad to work with you.

Thanks for your understanding. Assuring our best support at all times.

Thanks & Regards
Vignesh.K
Technical Consultant
ManageEngine IT-Security Team