18.4.5. Procedure – Using Lieberman ERPM to authenticate on the target hosts

Purpose: 

To configure PSM to retrieve the credentials used to log in to the target host from a Lieberman Enterprise Random Password Manager (ERPM) device, complete the following steps.

Note

The current implementation of the integration between PSM and ERPM does not support SSH server-side private key authentication.

Prerequisites: 

Note

Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on PSM using gateway authentication or an AA plugin. Therefore, gateway authentication or an AA plugin must be configured for these connections. For details, see Section 18.2, Configuring gateway authentication and Section 18.5, Integrating external authentication and authorization systems.

Steps: 

  1. Navigate to Policies > Credential Stores.

  2. Click and enter a name for the Credential Store.

  3. Select Lieberman.

    Figure 18.17. Policies > Credential Stores > Lieberman — Authenticate with Lieberman ERPM on the target hosts

  4. Enter the hostname or IP address of your Lieberman Enterprise Random Password Manager (ERPM) server into the ERPM address field.

    Use an IPv4 address.

    If your ERPM setup is configured to use an external authentication method, then in the Authenticator field, enter the name of the Authentication Server (Authenticator Source) set on your ERPM server (under Delegation > Authentication Servers).

    For example, if you wanted PSM to authenticate to ERPM using the domain account "LSC\Shell", then you would set the Authenticator field in PSM to the value "LSC". This would indicate to ERPM that the identity being used to connect ("Shell") is associated with an authenticator (in this example, an AD domain) called "LSC". With that information, ERPM knows who to talk to in order to get an authentication response.

    If no domain account authenticator is set under Delegation > Authentication Servers in ERPM, PSM will use the [Explicit] authenticator.

  5. Specify the account PSM should use to log in to the ERPM server.

    • To always use the same account, select Fixed username and enter the username and the password.

    • For SSH connections, PSM can use the username and password that the user provided during the gateway authentication process. To use this account, select Use credentials provided at gateway authentication.

    Note

    Authentication with the same user as the one used during gateway authentication is only available for SSH connections and is not available in the case of RDP connections.

    Note

    PSM accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

  6. To verify the certificate of the ERPM server, select Verify server certificate and select the CA list that contains the CA certificate that signed the certificate of the ERPM server from the Trusted CA list field. For details on creating trusted CA lists, see Procedure 7.11, Verifying certificates with Certificate Authorities.

  7. Enter the default namespace of the accounts into the Default namespace field, for example, [Linux], [LDAP], [IPMI], W2003DOMAIN.

    If Lieberman is used in a domainless environment, you can use the following macros:

    • To use the hostname (system name) of the target as the namespace, enter {HOST}.

      This macro does not perform domain name resolution.

    • To use the IP address of the target, enter {IP}.

      This macro does not perform reverse lookup.

    Note

    You cannot use both {HOST} and {IP} in the default namespace.

  8. Enter the IP addresses of the DNS servers to use for resolving hostnames when using Domain mapping into the Primary DNS server and Secondary DNS server fields.

    Use an IPv4 address.

  9. Perform this step if you want to configure RDP autologin to a computer with a domain user.

    To retrieve the password of a domain user from Lieberman ERPM, PSM queries the domain controller directly. In a domainless environment, Default namespace is used instead.

    Note

    Domain/Host mapping is used for authenticating RDP connections only.

    Map the domain name to the hostname of the domain controller:

    1. In Domain/Host mapping, click .

    2. Enter the domain name in the Domain field.

    3. Enter the hostname of the domain controller in the Host field.

    You can map multiple domains to domain controllers.

    Figure 18.18. Policies > Credential Stores > Lieberman > Domain/Host mapping

  10. Click .

  11. Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store to use in the Credential Store field, then click .