Osirium

This sections explains the Osirium PAM Template library, the role they play and how they are managed. The following topics are covered:What are templates?Template structureWorking with templatesTemplate versioningTemplate release notesManaging templatesUploading the templatesUploading an individual templateShow templateEdit a templateUploading a web driverDownloading a templateDownload bulk import templateDelete a templateWhat are templatesTemplates are an interface between Osirium PAM and a device. Templates provide Osirium PAM with the necessary access control and account provisioning information to communicate with the device.Templates are:XML or AutoIt files.External to the Osirium PAM system so can be easily edited, changed and new ones created and uploaded.Required per device but can be used by multiple compatible versions of the device.Easily uploaded through the Admin Interface individually or using a template library.Provisioning a device means adding a device into Osirium PAM so it can be managed. To provision a device a template must be available.Templates allow Osirium PAM to:Interact with and manage the device using it's native management interfaces.Define single sign-on access to the device.Delegate tasks to users.Currently, Osirium PAM supports the following protocols:SSHTELNETHTTPHTTPSRDPvSphereMSSQL Management Studio (using sql authentication)Template structureTemplates can be broken down into three main areas:ConfigurationAction TasksData Collection TasksConfigurationThe device configuration information includes:Connection critical configuration: required in order for Osirium PAM to connect and communicate with the device: hostname, IP address, port etc.Device access: details how the device can be accessed by Osirium PAM and through single sign-on for users.Access tokens: defines the access levels supported by the device and which can be used for user single sign-on.User tools: lists the access protocols that are supported by the device and can be used to access the device.Action tasksDevice tasks configured within a template include:User add/delete/set password.Set device parameters.Data Collection tasksData collection tasks with a template include:User show.Device version.Read-only parameters.Working with templatesBefore adding tasks to an existing template, we recommend a number of best practices be implemented when editing and updating Osirium PAM templates.There are two ways that templates can be edited:Using the Admin Interface inline editor.Downloading the template and editing locally on your workstation.Inline editorYou can create a template file or edit a template or template library containing several files from the Template Editor page in the Admin Interface.To create a template file:Go to the Template library page.Click the NEW TEMPLATE button. The Template Editor opens in a new browser window.To edit a template:Go to the Template library page.On the table, click a template. The Template detail

The data when it reaches its destination.The certificate types supported by Osirium PAM are:Trusted Certificate (.crt/.pem) with an accompanying RSA Private key (.key). Both are required for a successful upload.Single PKCS #12 archive file (.pfx) which contains both the certificate and key. These are commonly used in Microsoft environments.We recommend that you upload a trusted certificate valid within your organisation. For further details on the types of signed certificates that can be used in Osirium PAM click here.Upload a certificateThe steps to upload a certificate differ depending upon the certificate type.Certificate with RSA private keyPKCS12 archive fileUpload a certificate with RSA private keyTo upload a trusted certificate with RSA private key:On the Certificates tab, click LOAD NEW CERTIFICATE.In the Upload TLS Certificate window, upload your trusted certificate and RSA private key. Both are required for a successful upload.If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.TLS Certificate: Uploaded certificates will be verified to ensure they are an X.509 certificate with a .crt/.pem file format.RSA Private Key: Uploaded keys are verified to ensure they are an rsa key with a .key/.pem file format.If the private key you are uploading has been encrypted, enter the password in the Key password (optional) input box.Click UPLOAD. The certificate is uploaded.Upload a PKCS12 fileTo upload a PKCS #12 archive file:On the Certificates tab, click LOAD NEW CERTIFICATE.In the Upload TLS Certificate window, upload your PKCS #12 file.If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.The certificate contained within the PKCS #12 file will be verified to ensure it is a X.509 certificate.The private key contained within the PKCS #12 file will be verified to ensure it is an rsa key.If the private key you are uploading has been encrypted, enter the password in the Key password (optional) input box.Click UPLOAD. The certificate is uploaded.Fingerprints tabFingerprints help guard against man-in-the-middle attacks on devices, in which attackers can secretly redirect network traffic between Osirium PAM and the device to monitor and manipulate the flow of information.When a device is deployed on Osirium PAM, a fingerprint is generated which Osirium PAM associates with the device. When connecting, Osirium PAM checks that the fingerprint of the device matches the fingerprint Osirium PAM associated with that device. By default, if the device fingerprint is not approved, Osirium PAM notes the discrepancy in the Logs page, but does not block the connection.Connection fingerprint enforcement behaviourIf you want Osirium PAM to block connections to devices with unapproved fingerprints, you can configure the Connection fingerprint enforcement behaviour.To configure the Connection fingerprint enforcement behaviour:On the table, click the icon for Connection fingerprint enforcement behaviour. The Edit entry window appears.From the Value drop-down, select one of the following options.ValueDetailsLog only- Osirium PAM allows connections to

(IdP).When a user logs on, Osirium PAM will request authentication from the identity provider. The identity provider is then responsible for authenticating the user credentials andnotifying Osirium PAM. If the authentication has been successful, Osirium PAM will authorise the user and permit access.The service provider configuration is used to construct the SAML2 metadata which will allow the Osirium PAM service to communicate and interact with the IdP.Configuring SAML2To configure:Click on the next to Service provider configuration.Witin the Edit entry window enter the details as followsNoteThe details entered will depend upon the Identity Provider that you will be delegating authentication to. Click here for instructions for configuring Osirium PAM SAML2 Authentication with Azure.Also click here for details on the limitations and troubleshooting when using Microsoft Azure.HeadingDescriptionEntity IdEnter a name or url to identify the service provider. This id will be used when configuring the IdP.Public AddressThe Public Address is the FQDN or IP address where the SAML Assertion is HTTP POSTed by the users browser. This could be the PAM Server or a PAM UI instance but it must be accessible by the user’s browser.Default value is set to the IP address of the PAM Server or HA floating IP address if configured.Username attribute/claimDefault is samlNameId. This name needs to match the name of the attribute/claim once configured on your IdP.This is required for Osirium PAM to authorise the user once the IdP has authenticated the user. The username extracted from the SAML Assertion will be used to match an existing local user with the same username within Osiruim PAM user list.NOTE: As Osirium PAM does not permit the ‘@’ character in usernames if the value is an e-mail address the portion before the ‘@’ is extracted and used.Require assertion encryptionRequires the Identity Provider to encrypt the whole SAML Assertion.Require signed messagesRequires the Identity Provider to sign SAML messages.Require NameId encryptionRequires the Identity Provider to encrypt the NameId element of the SAML Assertion.Organisation nameEnter your organisation details that will be used by the IdP to identify you.Organisation siteEnter your organisation details that will be used by the IdP to identify you.Support NameEnter the name of the support person/group that will manage IdP related issues.Support e-mailE-mail address of the support person/group that will manage IdP related issues.Click SAVE.Click DOWNLOAD SERVICE METADATA. This file is required by the IdP to construct the SAML2 metadata. If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.Once you have configured your IdP, you will need to upload the signing certificate to complete the configuration in Osirium PAM. This will then allow the Osirium PAM service to communicate and interact with the IdP to authenticate users with an Auth type set to SAML2.If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file

A password as the existing RADIUS user password will be used to authenticate them into Osirium PAM.SAML2: this authentication type setting means that the user will use their Active Directory username/password to logon . Osirium PAM will then request authentication from the identity provider. The identity provider is then responsible for authenticating the user credentials and notifying Osirium PAM. If the authentication has been successful, Osirium PAM will authorise the user and permit access.Active Directory: this authentication type setting means that the user will use their Active Directory username/password to log on. Osirium PAM will consult with the Active Directory to verify the user logon before logging the user on.Active Directory then TOTP: this authentication type requires a multi-factor login meaning a user will have to enter their Active Directory username/password as well as generate and enter a TOTP (Time-based One Time Password) to log on.Active Directory then RADIUS: this authentication type requires a multi-factor login meaning a user will have to enter their Active Directory username/password as well as a RADIUS token to log on.Click SAVE.Backup scheduleThis setting allows you to configure scheduled backups of the PAM Server.To configure scheduled backups:Click on the icon. The Edit entry window opens.In the Value field, select an option. You add additional options by creating a new schedule. See Manage Schedules for details.Click SAVE. The backup schedule is applied.Backup breakglass passphraseThis setting allows you to configure a passphrase to protect the KeePass file containing your device credentials. A passphrase must be configured in order for the KeePass file to be stored in the archived backup file that is created when you run a backup task on Osirium PAM.To set a backup breakglass passphrase:Click on the icon. The Edit entry window opens.In the Passphrase field, type a passphrase.Click SAVE. The backup breakglass passphrase is applied.Client settings tabThe following can be configured on the Client settings tab:Hide session recording overlaySession recording terms of useClient colourClient colourThe colour option allows you to specify a colour for the UI. This is useful when you want to distinguish the connections made to different Osirium PAM.To change the colour:Click on the icon.Enter a HEX colour code; orClick the icon to use the Select a Color window:Click SAVE. Now when a user logs onto the UI, the browser tab icon will contain the colour configured.Connection settings tabThe following can be configured on the Connection settings tab:Device group separation identifierDevice group separation behaviourDevice group separation identifierDevice group separation allows you to restrict access to device tools from multiple customers, to ensure that workstations don’t become a bridge point for data.Before creating a group separation identifier, you need to create a meta-column entry of type Device. See Configure meta-info.The meta-column values define the groups that are available. When a user connects to device tools through the UI, the group separation identifier controls which sets of device tools they can use at the same time.To configure the group separation identifier:Click on the icon.Choose the appropriate option from the drop-down box.Click SAVE. Now the

The System configuration page provides information relating to Osirium PAMand allows you to configure a number of different settings.The following tabs are available:Licencing tabCertificates tabFingerprints tabHigh Availability tabSAML2 tabSystem settings tabClient settings tabConnection settings tabNetwork Settings tabLicencing tabThe licencing page provides an overview of the licence you have bought and the features that have been activated as part of your licence.It can help you manage your allowance limits against your current configurations and when you are in need of an upgrade to your licence limits.The following information is presented on the page:HeadingDescriptionProduct usageOsirium PAM version: The version that has been installed and is currently running.Users: Displays the total number of created user accounts against the total number of allowed user accounts. The support account and the SuperAdmin account will not be included in this count.Devices: Displays the total number of provisioned devices managed by against the total number of allowed devices. The PAM Server device will not be included in this count.MAP servers: Displays the total number of provisioned MAP Servers used with Osirium PAM against the total number of allowed MAP Servers.Enabled featuresFeatures available under this licence are displayed here, which may include:MAP serversSession recordingService accountsChange ticketsDevice group separationActive licence(s)Licencee: Name of the organisation or individual which the licencing has been assigned to.Expiry: The date/time the license is due to expire and the number of days remaining.Licence limitsWhen a licence total for Users, Devices or MAP Servers has been reached, if you attempt to add more, a message will be displayed stating that the licence limit has been met.Licence expirationWhen a licence is within 30 days of expiry a countdown warning message will appear in the banner on the Admin Interface.A licence will expire at midday UTC of the expiry date. Once expired:The only access available to Osirium PAM will be to the product licencing upload page on the Admin Interface.Only the PAM Server will be displayed in the Device list. All other device tasks will be hidden.If a new licence is uploaded before the current licence has expired, the existing licence will be superceded by the new licence.Uploading a licenseTo load a licencing:Click the LOAD NEW LICENCE button. A Question window opens.Click YES to proceed.Within the Upload licence window, click Choose File.Within the File upload page navigate to and select a valid Osirium PAM licence file.If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.Within the Upload licence window, click UPLOAD. The new licencing file will be loaded. The licencing information is updated to reflect any changes.Certificates tabBy default, Osirium PAM provides a generic certificate to allow secure web connections to the PAM UI and Admin Interface. On this page you will see information about the current certificate that is being used.Certificates are used to protect the data being sent between Osirium PAM by encrypting the data before it is sent and then decrypting