Configure Password Safe Agents

Configure the Password Change Agent

Password Safe automatic password changes are controlled by the change agent that runs as a service on the U-Series Appliance. When the change agent runs, it checks the configuration to determine operational parameters of the U-Series Appliance. Logs provide a record of the change agent activities and messages, and indicate success or failure.

The following overview explains how the change agent runs:

  1. The change agent retrieves a process batch from the database. A process batch consists of one or more managed accounts that have been flagged for a password change.
  2. The passwords are changed on the managed accounts, and the change is recorded.
  3. The change agent waits a set period of time for a response from the change job, and then moves on to the next process batch in the database.

Recommendations

To maximize efficiency, we recommend a small batch size (such as 5) and a short cycle time (such as 60 seconds). If a password change fails, the change agent retries it according to the retry settings described below.

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management Agents > Password Change Agent.

Password Change Agent Configuration Page

  2. Set the following:
    • Enable Password Change Agent: Leave enabled to activate the agent when Password Safe starts.
    • Retry failed changes after (minutes): The amount of time to wait before a failed password change is tried again.
    • Maximum retries: The maximum number of times a password change is attempted again after a failed attempt.
    • Unlimited Retries: Enable to keep retrying a failed password change with no upper limit, instead of stopping once Maximum retries is reached.
  3. Click Save Configuration.


Configure the Password Test Agent

The password test agent lets you manually test all managed accounts and functional accounts. The test verifies that Password Safe can open a connection to each asset. BeyondInsight sends a notification email.

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management Agents > Password Test Agent.

Password Test Agent Configuration Page

  2. Check the Enable Password Test Agent box.
  3. Set the schedule, and then click Save Configuration.


Configure Resource Zones

A resource zone is a group of resources on your network. You can create up to 51 resource zones to match how your network is segmented; however, one zone for your entire network is often sufficient. At least one resource zone is required. Password Safe Cloud creates a default resource zone called Default, which is a catch-all for all domains and workgroups in your network and cannot be edited.

Password Safe Cloud uses resource brokers to communicate with the systems in your resource zones. A resource broker is a bundle of software that contains all of the services and components Password Safe Cloud needs to interact with your on-premises servers. The broker communicates with Password Safe Cloud over TCP 443.

You must download the Resource Broker Installer from the Password Safe Cloud portal and install the broker on a Windows Server 2019 x64 or later system in your network. Windows Server 2016 x64 is also supported, but Windows Server 2019 x64 is recommended. Each resource zone must have at least one resource broker installed, but we recommend you install two or more for load distribution and redundancy. You may install up to 200 resource brokers across all of your zones; all 200 may be in one zone or spread across your zones. Once this threshold is reached, you can no longer generate an install key or run the installer.
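As an added example (not part of this guide and not BeyondTrust's own tooling), the following PowerShell script checks a candidate broker host against the prerequisites above before you run the installer: a 64-bit Windows Server build of 14393 (Server 2016) or later, with 17763 (Server 2019) flagged as the recommended baseline, and outbound TCP 443 to an endpoint you supply. The build numbers are Microsoft's published values rather than figures from this guide, and the -CloudHost parameter is a placeholder: pass the hostname your own Password Safe Cloud portal gives you.

```powershell
# Added example, not BeyondTrust code: pre-install checks for a Resource Broker host.
# Assumption: the Password Safe Cloud endpoint is supplied as -CloudHost (placeholder;
# use the hostname shown in your own portal). Port 443 is the one the guide names.
param(
    [Parameter(Mandatory = $true)]
    [string]$CloudHost,
    [int]$Port = 443
)

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [version]$os.Version

# Build numbers published by Microsoft: Server 2016 = 10.0.14393, Server 2019 = 10.0.17763.
$supportedBuild   = ($ver.Major -eq 10 -and $ver.Build -ge 14393)
$recommendedBuild = ($ver.Major -eq 10 -and $ver.Build -ge 17763)
$isServer         = ($os.ProductType -ne 1)        # ProductType: 1 = workstation, 2 = DC, 3 = server
$is64bit          = ($os.OSArchitecture -like '64*')

# Outbound TCP reachability to the cloud endpoint on the port the broker uses.
$tcp = Test-NetConnection -ComputerName $CloudHost -Port $Port -WarningAction SilentlyContinue
$reachable = [bool]$tcp.TcpTestSucceeded

$results = [ordered]@{
    'Operating system'                     = $os.Caption
    'Server edition'                       = $isServer
    'Supported build (2016 / 14393+)'      = $supportedBuild
    'Recommended build (2019 / 17763+)'    = $recommendedBuild
    '64-bit'                               = $is64bit
    "Outbound TCP $Port to $CloudHost"     = $reachable
}
$results.GetEnumerator() | ForEach-Object { '{0,-38} {1}' -f $_.Key, $_.Value }

if (-not ($isServer -and $supportedBuild -and $is64bit -and $reachable)) {
    Write-Warning 'Host does not meet the Resource Broker prerequisites; fix the items marked False before installing.'
    exit 1
}
if (-not $recommendedBuild) {
    Write-Warning 'Windows Server 2016 is supported, but Windows Server 2019 or later is recommended.'
}
exit 0
```

Run it once per intended broker host (for example `.\Check-BrokerHost.ps1 -CloudHost <your-portal-hostname>`) before generating an install key; a non-zero exit code means at least one hard prerequisite failed, while the 2016 warning is advisory only.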

A resource zone uses its collection of resource brokers to handle the following four core Password Safe functions. Password Safe Cloud (hosted in Azure) distributes requests across the brokers within a zone in round-robin fashion.

  • Authentication against LDAP/Active Directory: Allows authentication into Password Safe against your local LDAP/Active Directory domains.
  • Asset and Account Discovery: Uses a discovery scanning agent to discover assets and accounts in your network.
  • Credential Management: Changes passwords or SSH keys on a scheduled or on-demand basis.
  • Session Proxy: Acts as a proxy that lets a standard user open SSH or RDP sessions to systems in your network.

For more information on configuring resource zones and installing resource brokers, please see the Password Safe Cloud Resource Broker Installation and Configuration Guide.