Configure Password Safe Agents

Configure the Password Change Agent

Password Safe automatic password changes are controlled by the change agent that runs as a service on the U-Series Appliance. When the change agent runs, it checks the configuration to determine operational parameters of the U-Series Appliance. Logs provide a record of the change agent activities and messages, and indicate success or failure.

The following overview explains how the change agent runs:

  1. The change agent retrieves a process batch from the database. A process batch consists of one or more managed accounts that have been flagged for a password change.
  2. The passwords are changed on the managed accounts, and the change is recorded.
  3. The change agent waits a set period of time for a response from the change job, and then moves to the next process batch in the database.

Recommendations

To maximize efficiency, we recommend a small batch size (such as 5) and a short cycle time (such as 60 seconds). If a password change fails, the change agent reprocesses it according to the retry value in the change agent settings.

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management Agents > Password Change Agent.

Password Change Agent Configuration Page

  2. Set the following:
    • Enable Password Change Agent: Leave enabled to activate the agent when Password Safe starts.
    • Active Change Tasks: The number of accounts to change.
    • Check the change queue every (seconds): The frequency at which Password Safe cycles the password change queue.
    • Retry failed changes after (minutes): The amount of time before a failed password change is tried again.
    • Maximum retries: The maximum number of times an attempt is made to change the password after a failed password change attempt occurs.
    • Unlimited Retries: Enable to allow retries when a password change attempt fails.
  3. Click Save Configuration.
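To estimate how long flagged accounts wait for rotation under a given combination of these settings, the following is an added example, not BeyondTrust code: a simplified model of the change cycle described in the overview above. It assumes that each queue check picks up at most Active Change Tasks accounts that are due and that a failed change becomes due again after the retry interval; the function name, parameter names, and sample accounts are constructed for illustration.

```python
# Simplified model of the password change cycle (added example, not product code).
# Assumption: each queue check processes up to `active_change_tasks` due accounts.

def simulate_change_queue(failures_before_success, active_change_tasks=5,
                          check_every_seconds=60, retry_after_minutes=5,
                          maximum_retries=3, unlimited_retries=False):
    """Return ({account: seconds until changed}, [accounts given up on]).

    failures_before_success maps each flagged account to the finite number
    of failed attempts it goes through before a change succeeds.
    """
    # Each pending entry is (due time in seconds, account, failures so far).
    pending = [(0, name, 0) for name in failures_before_success]
    changed, abandoned = {}, []
    now = 0
    while pending:
        # One process batch: the first due entries, capped at the batch size.
        due = [p for p in pending if p[0] <= now][:active_change_tasks]
        for entry in due:
            pending.remove(entry)
            _, name, failed = entry
            if failed >= failures_before_success[name]:
                changed[name] = now                      # change succeeded
            elif unlimited_retries or failed < maximum_retries:
                retry_at = now + retry_after_minutes * 60
                pending.append((retry_at, name, failed + 1))
            else:
                abandoned.append(name)                   # retries exhausted
        now += check_every_seconds                       # wait for next cycle
    return changed, abandoned

# Constructed sample: 12 flagged accounts, one transient failure (acct03)
# and one account that keeps failing (acct07).
SAMPLE = {f"acct{i:02d}": 0 for i in range(12)}
SAMPLE["acct03"] = 1
SAMPLE["acct07"] = 9

def run_sample():
    return simulate_change_queue(SAMPLE)

if __name__ == "__main__":
    changed, abandoned = run_sample()
    print("last successful change after", max(changed.values()), "seconds")
    print("abandoned after maximum retries:", abandoned)
```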

 

Configure the Mail Agent

Password Safe uses email to provide notification between approvers and requesters, error alerting, and general information delivery.

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management Agents > Mail Agent.

Password Safe Mail Agent Configuration Page

  2. Set the following:
    • Enable Mail Agent (Running): Enable to activate the mail agent when Password Safe starts.
    • Send mail every x minutes: The number of minutes that pass before emails are sent.
    • Delete messages after x failed attempts: The number of times the mail agent attempts to send an email before deleting the message.
  3. Click Save Configuration.

 

Configure the Password Test Agent

The password test agent allows you to manually test all managed accounts and functional accounts. The test ensures that there is an open connection between the assets and Password Safe. BeyondInsight sends a notification email.

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management Agents > Password Test Agent.

Password Test Agent Configuration Page

  2. Check the Enable Password Test Agent box.
  3. Set the schedule, and then click Save Configuration.

 

Configure Session Agents for Remote Proxy Sessions

In a distributed environment where there is more than one BeyondInsight instance installed, a Password Safe user can request a session to a remote instance. In this scenario, the user can request passwords and sessions for a remote instance by selecting a node on the Requests page in the Password Safe web portal.

BeyondInsight uses session agents to provide automatic heartbeat statuses to the primary BeyondInsight server. On startup the agent is set to Active, and on shutdown the agent is set to Inactive. The agent provides a status every five minutes. The Password Safe web portal displays only the active agents as nodes.

Configure a Display Name for a Session Agent

The display name is what appears as the name of the node in the Password Safe web portal. Configure the display name as follows:

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management Agents > Session Agents.

Session Agents Configuration Page

  2. The Session Agents pane lists the active and inactive agents. Select an agent, and then enter the Display Name in the Details pane for that agent.
  3. If the DNS name for the remote server is different from the primary BeyondInsight server, you can define a custom host name in the Host Name Override box. This ensures your connection to the host is valid and secure if using a custom certificate.
  4. In the Display Name box, enter the node name that you want to display in the Password Safe web portal.
  5. Click Save Configuration.

 

Enable the Node Selector in Password Safe

If you want users to access specific BeyondInsight instances in the Password Safe web portal, then you must turn on the applicable Sessions setting in Global Settings configuration.

Global setting for Sessions to allow users to select a remote proxy

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management > Global Settings.
  2. Under Sessions settings, click the toggle to enable the Allow users to select a remote proxy when creating sessions option.
  3. Click Update Sessions Settings.