ManageEngine Password Manager Pro (PMP) is a web-based application that provides privileged account security and remote access management. This privileged password management solution securely stores and manages sensitive information such as passwords, documents, and digital identities.

Prerequisites

The following gateway types are required and must be set up:

  • Active gateway server: Install on all the resources/resource environment on which ManageEngine Password Manager application is hosted.
  • Standby gateway server: Serves as a backup of primary gateway server, the active gateway.
Gateway Installation PurposeVirtual Instance Requirements
Gateway for Password Vault IntegrationVirtual CPUs, 4 GB RAM / 50 GB HDD / 1 NIC

Supported hypervisors are VMware ESXi, Citrix XenServer, Microsoft Hyper-V and KVM

Ensure that the resource associated with this integration is onboarded.

Custom attributes

Custom attributes allow you to extend the set of properties that define a resource to include your information. For example, you can create a custom attribute, Asset Tag, and specify a value for each resource. These custom attributes and values control how a resource is managed.

In this integration, custom attributes help you to fetch the privileged resources information, such as account and password from PMP. You can then map resources with PMP resources using custom attributes.

Step 1: Create custom attributes

This steps involves creating the custom attribute, assigning a value to the custom attribute, and assign the custom attribute to resources.

  1. From All Clients, select a client.
  2. Go to Setup > Custom Attributes > Custom Attributes and click +.
  3. From Create Custom Attributes, enter:
    • Scope: Specifies for whom the custom attribute is applicable. Partner refers only to a Partner. However, clients under the partners can also inherit the attribute. Client refers to a specific Client. Selecting this option, you can also select the required client from the Client drop-down option.
    • Client if the scope is for a client.
    • Custom Attribute Type: Enter unique name for the custom attribute. For example: Resource Account Number
    • Description: Enter a description for the custom attribute.
  4. Click Submit.
    Create Custom Attribute

Step 2: Assign a custom attribute value

  1. From Custom Attributes, click + and enter the following to assign a custom attribute value:
    • Custom Attribute Type: Displays the name established previously.
    • Custom Attribute Value: Enter a unique value.
    • Description: Enter a description for the custom attribute value.
  2. Click Submit.
Create Custom Attribute Value

Step 3: Assign resources to the custom attributes

  1. From Custom Attributes, select the custom attribute (search is available) and click the Assign icon.
    Assign Icon
  2. From Assign Entity Objects to Custom Attributes, enter:
    • Custom Attribute Type: Auto-generated
    • Custom Attribute Value: Auto-generated
    • Assign On: Default is Resources & Services.
    • Entity type: Select either Resources or Services.
  3. From All Resources and Services, select or search for a specific resource or service and click the right arrow icon. The selected resources appear in the other box.
  4. Click Submit.
Assign Custom Attribute Value to a Resource

The created custom attribute is displayed with the details on the Custom Attributes page.

Custom Attribute with Resource

Step 4: Install and configure the integration

  1. From All Clients, select a client.
  2. Go to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page, where all the installed applications are displayed. Note: If there are no installed applications, it will navigate to the Available Integrations and Apps page.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.
  6. Search for ManageEngine Password Manager using the search option available.
    Note: Alternatively, you can use the All Categories option to search.
  7. Click ADD in the ManageEngine Password Manager application and click Install.
  8. Click Add to create the credential mapping and enter:
    • Name: Specify the password vault.
    • Properties: Enter:
      • accessToken: Enter authToken copied from PMP API user creation step.
      • endPointURL: Enter the API endpoint URL to get password from PMP.
      • IS_ACCOUNT_NOTES_REQD: TRUE if account notes are required while retrieving a password, otherwise, false. The account note values are configured with the Account details and Resource details. See FAQs for more information.
      • IS_TICKETID_REQD_MANDATORY: TRUE if the ticket ID is required while retrieving a password, otherwise, false. See FAQs for more information.
      • resourceId: Select the previously created custom attribute from the drop-down list. The resource ID is stored in client level custom attributes.
  9. Click Save.
Create Configuration

Step 5: ManageEngine PMP configuration

When configuring ManageEngine PMP, create a user account for every user who will use the PMP API. Attach a single endpoint URL for each user to uniquely identify each user account. For example, user@hostname.

  1. Log into ManageEngine Password Manager Pro.

  2. From the left pane, click Users.

  3. From the Add User drop-down list, click Add API User.

    Add User
  4. Enter a unique login name.

  5. Enter the name of the gateway from which the API user accesses PMP for password management operations.

  6. Enter a unique Full Name of user. The user is identified with this name externally where the user activities such as reports, audit trails are traced.

  7. Select the appropriate access level for the user. Supported access levels: Administrator, Password Administrator, Privileged Administrator, Password User, Custom Roles

  8. Select one of the following options for Access Scope.

    • Select All Passwords in the system to change an Administrator, Password Administrator, or Privileged Administrator to a Super Administrator. With this scope, the user can access all passwords in PMP without any restriction.
    • Select Passwords Owned and Shared to revert the role of Super Administrator to Administrator or Password Administrator or Privileged Administrator. With this scope, user can access only self-created and shared passwords. Do NOT configure the Public key for SSH CLI access and SSL Certificate for XML-RPC API access fields.
  9. Select Enable Now for REST API.

  10. Click Generate for an API key. The API key is the authentication token for your access.

    • Copy and store the key in a secure location for your future reference. This key is required as an accessToken for configuration.
    • Note that the API key in the user interface is displayed only once. If you lose the key, you need to regenerate a new key.
  11. Set a validity period for the API key. Select Never Expires if you want the key to be valid forever or select Expires On and set a date to provide a certain validity period for the key.

  12. Enter Department and Location names and click Save.

The API user account is created in ManageEngine Password Manager Pro. When you launch a remote console, the password is retrieved through the gateway.

After the password is received, regular process of launching remote console is achieved.

Workflow for ManageEngine usage

The following is the process flow for how ManageEngine is used.

  1. Launch the remote console.
  2. A command is sent to the gateway to get all accounts of resources.
  3. The user account is displayed on the console.
  4. Based on the selected account, a command is sent to the gateway to get the password.
  5. After the password is received, the remote console launch is completed.

FAQs

What is the IS_ACCOUNT_NOTES_REQD field in the configuration Properties section?

  • In PMP, a few attributes are associated with Account and afew attributes are associated with Resource. Account Notes is an account attribute that can be used to specify more information for Account Type or Resource Type while fetching password from PMP. This information is used to identify the resource or account.
  • If IS_ACCOUNT_NOTES_REQD is set as true, the notes information is displayed including the account name. For example, after installing PMP and setting IS_ACCOUNT_NOTES_REQD as true, the resource name (Windows_Jump_Box) is displayed including user name admin in accounts list.
Account Details

What is IS_TICKETID_REQD_MANDATORY field in configuration Parameters section?

If IS_TICKETID_REQD_MANDATORY is set as true, the Ticket Id field is displayed in the launch console pop-up window. This Ticket Id provided in the launch console pop-up window can be used as a reference to know the purpose for fetching an account or password.