0% found this document useful (0 votes)

332 views

TPAM ClientSetup Guide

TPAM Config

Uploaded by

Lakshmi Narayanan Amarnath

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

332 views

TPAM ClientSetup Guide

TPAM Config

Uploaded by

Lakshmi Narayanan Amarnath

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 102

The Privileged Appliance and Modules

(TPAM) 2.5
Client Setup Guide
Copyright 2016 Dell Inc. All rights reserved.
This product is protected by U.S. and international copyright and intellectual property laws. Dell, SonicWALL and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc.,
registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or
its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the
Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation.
H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with
permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and AIX
are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Juniper,
JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Linux is
a registered trademark Linus Torvalds in the United States, other countries, or both. MariaDB is a registered trademark of
MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are registered trademarks
of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and other countries. Nokia
is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the United States and/or
other countries. Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS is a registered
trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc. PROXYSG is a
trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered trademark of
Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in the United
States or other countries. UNIX and UNIXWARE is a registered trademark of The Open Group in the United States and other
countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names
or their products. Dell disclaims any proprietary interest in the marks and names of others.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

TPAM Client Setup Guide

Updated - July 2016
Software Version - 2.5
Contents

AS/400 (iSeries) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Testing System/Checking Password: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Changing Password: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Cisco Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Cisco Router (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Cisco Router (TEL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Cisco PIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Dell Remote Access Client (DRAC) Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Configure the DRAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Log on to the Dell Remote Access Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Create the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Using sudo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
SSH Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Create and Modify DSS Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Allow Domain Account PSM Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

HP iLO2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Create and Modify DSS Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

HP-UX Trusted and Untrusted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Unlock Locked Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Allow Domain Account PSM Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

IBM Hardware Management Console (HMC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Allow Domain Account PSM Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

TPAM 2.5
3
Client Setup Guide
Juniper Junos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Management Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

LDAP and LDAPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

Mac OS X(10.4-10.8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Enable SSH Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Using sudo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Create and Modify the DSS Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Allow Domain Account PSM Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Mainframe (RACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... .... ... .... ... . .38
Create the Functional Account . . . . . . . . . . . . . . . . . .... .... ... .... ... . .38
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . .... .... ... .... ... . .38
Password Check . . . . . . . . . . . . . . . . . . . . . . . . . . . .... .... ... .... ... . .38
Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . .... .... ... .... ... . .38
Mainframe LDAP (RACF/TopSecret) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Account Name Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Mainframe (ACF2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Add the System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Password Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

MS SQL Server (2000 & 2005) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Authentication and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
TPAM Commands for Managing MS SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Encryption Recommendation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
SQL Server Named Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Nokia IPSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Allow Domain Account PSM Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

Novell NDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

TPAM 2.5
4
Client Setup Guide
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

OpenVMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Oracle (9i,10g,11g) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Authentication and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
TPAM Commands for Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Encryption Recommendation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

Oracle 12G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
A note on managed accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
System settings for CDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
System settings for PCB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

POS 4690 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Add Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Add a Password Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Add Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Add Functional Account via the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

PSM Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Web access proxy profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Set the default web access proxy profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Add a web access proxy profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Assign a web access proxy profile to a DPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Delete a web access proxy profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Add web access system to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Add Permissions to Functional Account in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71

SonicWALL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

Sybase Adaptive Server Enterprise (ASE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

TPAM 2.5
5
Client Setup Guide
Authentication and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
TPAM Commands for Sybase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Encryption Recommendation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

HP NonStop Tandem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Server Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
TPAM Client Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Test Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

Teradata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Define a Data Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83

Tru64 Enhanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Using sudo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
SSH2 Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Create and Modify DSS Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Allow Domain Account PSM Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87

Linux and UNIX Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Create and Modify the Public Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Allow Domain Account PSM Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90

VMware vSphere 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92

Windows Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

Windows Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Add the Functional Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Add System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
TPAM 2.5
6
Client Setup Guide
Test System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Troubleshoot System Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Add Windows Domain Member System to TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

Test and Troubleshoot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

Test System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Troubleshoot System Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

About Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

Contacting Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Technical Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

TPAM 2.5
7
Client Setup Guide
1
AS/400 (iSeries)

Add the Functional Account

Add System to TPAM

Add the Functional Account

Create a new functional account on the AS/400 and assign it a password. Grant the functional account the
privileges required to use the chgusrprf command on other profiles.

Add System to TPAM

From the TPAM menu, Systems, Accounts, & Collections | Systems | Add System. Provide the name for the
system and Network Address (this can be either IP address or DNS name) of the AS/400. If automatic password
management is desired, check the option box to do so, and configure the change settings according to your
deployment plan.
Select AS400 as the platform.

Click the Connection tab to configure the details for the functional account, and other communication options.

TPAM 2.5
8
Client Setup Guide
Specify the functional account used on the AS400, and enter the password for the account.
Note the option to specify an Alternate Port. If the default Telnet port of 23 is not used (check with the AS400
administrator), enter the port in this field on which the device will be listening for connections.

Testing System/Checking Password:

Telnet access to the AS/400 with a 3270 or 5250 emulator.
No special characters needed to be pressed other than carriage return on login. Pressing enter after
initial login is acceptable.
SYSTEM: is present on the screen following a successful login. (This is usually in the upper right hand
corner, see illustration below)

Changing Password:
The functional account has the required privileges to use chgusrprf from the command prompt.
The result message for a successful change displays at the very least the following on screen:
USER PROFILE <managed_account> CHANGE

TPAM 2.5
9
Client Setup Guide
2
Cisco Devices

Cisco Router (SSH)

Cisco Router (TEL)
Cisco PIX

Cisco Router (SSH)

SSH v2 protocol is used to connect to the Cisco device.
Username and password authentication is used for connections, managed locally on the Cisco Device.
Cisco Switches use the same platform type in TPAM.
From the TPAM menu, Systems, Accounts, & Collections | Systems | Add System. Provide the name for the
system and network Address (this can be either IP address or DNS name) of the Cisco appliance. If automatic
password management is desired, check the option box to do so, and configure the change settings according to
your deployment plan.
Select Cisco Router (SSH) as the platform.

Click the Connection tab to configure the details for the functional account, and other communication options.

TPAM 2.5
10
Client Setup Guide
Specify the functional account used on the Cisco appliance, and enter the password for the account. Windows
Domain functional accounts may also be used as the functional accounts for Cisco platforms. The connection
will use the designated domain account to manage the platform.
Note the option to specify an Alternate Port. If the default SSH port of 22 is not used (check with the network
administrator), enter the port in this field on which the device will be listening for connections.

Cisco Router (TEL)

The telnet protocol is used for the connection to the Cisco device.
This method uses the line password authentication method and enable authentication method for management.
From the TPAM menu, Systems, Accounts, & Collections | Systems | Add System. Provide the name for the
system and network Address (this can be either IP address or DNS name) of the Cisco appliance. If automatic
password management is desired, check the option box to do so, and configure the change settings according to
your deployment plan.
Select Cisco Router (TEL) as the platform.

Click the Connection tab to configure the details for the functional account, and other communication options.

Specify the functional account used on the Cisco appliance, and enter the password for the account or the line
definition whichever method is used for authentication to the appliance. Windows Domain functional accounts
may also be used as the functional accounts for Cisco platforms. The connection will use the designated domain
account to manage the platform.
Note the option to specify an Alternate Port. If the default Telnet port of 23 is not used (check with the network
administrator), enter the port in this field on which the device will be listening for connections.

TPAM 2.5
11
Client Setup Guide
Cisco PIX
From the TPAM menu, Systems, Accounts, & Collections | Systems | Add System. Provide the name for the
system and network Address (this can be either IP address or DNS name) of the Cisco appliance. If automatic
password management is desired, check the option box to do so, and configure the change settings according to
your deployment plan.
Select Cisco PIX as the platform.

Click the Connection tab to configure the details for the functional account, and other communication options.

Specify the functional account used on the Cisco appliance, and enter the password for the account. Windows
Domain functional accounts may also be used as the functional accounts for Cisco platforms. The connection
will use the designated domain account to manage the platform.
Note the option to specify an Alternate Port. If the default port of 22 is not used (check with the network
administrator), enter the port in this field on which the device will be listening for connections.

TPAM 2.5
12
Client Setup Guide
3
Dell Remote Access Client (DRAC)
Systems

Introduction
Configure the DRAC
Log on to the Dell Remote Access Web Interface
Create the Functional Account
Add System to TPAM

Introduction
This chapter provides step by step instructions for configuring Dell Remote Access Client systems to be
managed by TPAM. The steps involved are functional account creation and modification, as well as SSH key
installation and configuration if necessary. Administrative knowledge of Dell Remote Access is assumed.

Configure the DRAC

To set the network configuration options:
1 Connect a monitor and USB keyboard to the front of the server.

2 Connect an ethernet cable to the Dell remote access NIC on the back of the server.

TPAM 2.5
13
Client Setup Guide
3 Start the server and wait for the BOOT screen to display the option for Remote Access Setup. Access the
interface by pressing Ctrl+E keys within 5 seconds of the option appearing on the screen.
4 On the main screen scroll down to select Lan Parameters and press the ENTER key.

5 Scroll down the list to locate the IPv4 settings and set the required information (IP address, Subnet
mask, and Gateway). Once the required information is entered press the ESC key to exit the screen.

6 Scroll down the main menu to select Lan User Configuration and press the ENTER key.

7 Enter the Account User Name and enter and confirm a password.

TPAM 2.5
14
Client Setup Guide
8 Press the ESC key.
9 Select Save Changes and Exit and press the ENTER key.

10 From the main screen press the ESC key to exit and the system will continue to start.

Log on to the Dell Remote Access Web

Interface
To log on to the Dell Remote Access Web interface:
1 Launch a DRAC supported web browser and browse to https://<DRACipaddress>.
2 Log on to the DRAC using the username and password configured during the initial set up.

3 Select Remote Access | Network Security from the menu.

4 Click on the Services tab. Make sure the Enabled check box is selected for the SSH service.

5 Click the Apply button.

TPAM 2.5
15
Client Setup Guide
Create the Functional Account
In this example the functional account will be named root.

To create the functional account:

1 Click on iDRAC Settings on the left hand menu.

2 Click on the Network/Security tab.

3 Click on Users tab.

4 Click on the User ID number for the root account.

5 Select Configure User.

6 Click the Next button.

7 Under the General section:
Select the Enable User check box
Enter root for the User Name
Select the Change Password check box.
Enter and confirm a password

TPAM 2.5
16
Client Setup Guide
8 In the IPMI User Privileges section:
Select Operator for the Maximum LAN User Privilege Granted
Select None for Maximum Serial Port User Privilege Granted
Leave the Enable Serial Over LAN check box clear

9 In the iDRAC User Privileges section:

Select Operator from the Roles list
Select the Login to iDRAC check box
Select the Configure Users check box.
The rest of the check boxes in this section should be clear.

10 Click the Apply button.

11 Log out

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and Network Address (this can be either IP address or DNS name). Select Dell Remote Access as the
platform. If automatic password management is desired, check the option box to do so, and configure the
change settings according to your deployment plan.

TPAM 2.5
17
Client Setup Guide
.
Click the Connection tab to configure the functional account properties for the system. Enter root for the
Account Name.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
For more detailed information regarding these and other options for configuring the managed systems, please
consult the TPAM Administrator Guide.
Select an authentication method from one of the following:
Select the Password option button and enter the same password used in the iDRAC functional account
set up.
-- OR --
Select the DSS option button. Select the Avail System Std. Keys or Use System Specific Key option. In
this example we will choose the default system standard key id_dsa.pub. Click the Get Open SSH button
to download the key to your local system.

Select the Allow Functional Account to be Requested for password release check box.

TPAM 2.5
18
Client Setup Guide
Click the Save Changes button.
If authenticating using a DSS key, from the iDRAC browser, select Remote Access | Network/Security | Users.
Locate the SSH Key Configurations menu, select Upload SSH Key(s) and then Next.

Upload the key that was downloaded from TPAM.

TPAM 2.5
19
Client Setup Guide
4
FreeBSD

Introduction
Add the Functional Account
Using sudo
SSH Daemon
Add System to TPAM
Create and Modify DSS Key
Allow Domain Account PSM Access

Introduction
This section provides step by step instructions for configuring OpenSSH for FreeBSD systems to be managed by
TPAM. The steps involved are verification that the ssh daemon is enabled and configured, creation and
modification of the functional account, and if necessary SSH key installation and configuration. Administrative
knowledge of FreeBSD and familiarity with the vi editor are assumed.

Add the Functional Account

Log on to the FreeBSD system as root (or root equivalent account) and create the functional account on the
FreeBSD. In our examples, the functional account is named funcacct.

Using sudo
Instead of using a root equivalent account to manage the account on the FreeBSD system the functional account
can leverage sudo. Log into the FreeBSD system as root (or root equivalent account) and use visudo to edit
/usr/local/etc/sudoers and add the following lines under the User privilege specifications section of the file:
funcacct ALL=(root) NOPASSWD: /bin/grep funcacct ALL=(root) NOPASSWD:
/usr/bin/passwd

You will also need to add the following line so that sudo does not require a tty for the functional account.
Defaults:funcacct!requiretty

TPAM 2.5
20
Client Setup Guide
SSH Daemon
Account management of FreeBSD systems is performed using the SSH protocol. In order for our appliance to
properly communication with a FreeBSD system its ssh daemon must be enabled and properly configured.
Log on to the FreeBSD system as a root account and navigate to the /etc/ssh directory. Make a backup of the
sshd_config file using the cp command and then open sshd_config using vi.

Verify that the following settings are not commented out and set to yes.
PermitUserEnvironment yes
PasswordAuthentication yes
UsePAM no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
If any of these settings would conflict with other ssh dependent applications you can override settings on a per
user basis using Match User
Match User funcacct
PermitUserEnvironment yes
PasswordAuthentication yes
UsePAM no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh /authorized_keys

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and Network Address (this can be either IP address or DNS name). If automatic password
management is desired, check the option box to do so, and configure the change settings according to your
deployment plan.

In order to manage the accounts the functional account can leverage sudo. Enter sudo as the Delegation Prefix.
Click the Connection tab to configure the functional account properties for the system.

TPAM 2.5
21
Client Setup Guide
Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
If password authentication will be used for the functional account, select the Password option and provide the
current valid password for the account. To use the key that has been imported from the preceding steps, select
the DSS option and follow the steps outlined in Create and Modify DSS Key.

Create and Modify DSS Key

Under Account Credentials select DSS and then under DSS Key Details select either one of the Avail. System
Std. Keys or Use System Specific key. In this example we will choose the default system standard key id_dsa.
Click the Get Open SSH button to download the key to your local system.Using an ssh/scp client you will then
upload the key to the FreeBSD using the functional account to authenticate.
Once the file has been uploaded, log into the FreeBSD system. Create the .ssh directory for the functional
account & then change directory to the newly create directory:
mkdir .ssh
cd .ssh
Copy the id_dsa.pub file that you downloaded into the .ssh directory as the file authorized_keys:
cp /Users/funcacct/id_dsa.pub authorized_keys
Edit the sshd_config file on the managed FreeBSD system (/etc/ssh/sshd_config) to include the following in the
Authentication section:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Allow Domain Account PSM Access

A placeholder account can be created on a FreeBSD system to allow a domain account PSM access. Add the
account with None selected for password management. On the PSM Session Details tab select SSH- Automatic
Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain
account from the Use Windows Domain Account list.

TPAM 2.5
22
Client Setup Guide
5
HP iLO2

Introduction
Add the Functional Account
Add System to TPAM
Create and Modify DSS Key

Introduction
This section provides step by step instructions for configuring HP iLO2 systems to be managed by TPAM. The
steps involved are functional account creation and modification, and SSH key installation and configuration.
Administrative knowledge of HP iLO2 is assumed.

Add the Functional Account

Following the steps below, create the functional account on the HP iLO2 system and modify its properties (the
account funcacct is used in this example). Log on to the web interface of the HP iLO2 with an administrator
account, select the Administration tab, then User Administration and then click the New button.

Provide the user name and login name of the functional account (in this instance funcacct).
IMPORTANT: In order for TPAM to function properly, the User Name and Login Name fields must be
identical for the functional account as well as any managed accounts.

TPAM 2.5
23
Client Setup Guide
In order for the functional account to manage other accounts on the HP iLO2 it ONLY needs Allowed selected
for Administer User Accounts. The option Remote Console Access is referring to access of the server the HP iLO2
is paired to, not SSH access to the HP iLO2 itself.

Add System to TPAM

Click the Connection tab to configure the functional account properties for the system.

TPAM 2.5
24
Client Setup Guide
Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
If password authentication will be used for the functional account, select the Password option and provide the
current valid password for the account. To use the key that has been imported from the preceding steps, select
the DSS option and follow the steps outlined in Create and Modify DSS Key.

Create and Modify DSS Key

Under Account Credentials select DSS and then under DSS Key Details select either one of the Avail. System
Std. Keys or Use System Specific key. In this example we will choose the default system standard key id_dsa.
Click the Get Open SSH button to download the key to your local system.
In order for this file to be properly imported into the HP iLO2 the name of the functional account will need to
be appended at the end of the DSS key line. Using a text editor, open id_dsa.pub and go to the end of the line
the DSS key is on, add a space and then type the HP iLO2 user name of the functional account, in this case
funcacct. Once that has been added close the file and save your changes.
Log on to the web interface of the HP iLO2 with an administrator account and go to Settings | Security.

Browse to the location of the modified id_dsa.pub file and then click the Authorize Key button.

Upon successful authorization, the key file will be listed as the functional accounts user name.

TPAM 2.5
25
Client Setup Guide
6
HP-UX Trusted and Untrusted

Add System to TPAM

Unlock Locked Accounts
Unlock Locked Accounts

Add System to TPAM

From the TPAM menu, Systems, Accounts, & Collections | Systems | Add System. Provide the name for the
system and Network Address (this can be either IP address or DNS name). If automatic password management is
desired, check the option box to do so, and configure the change settings according to your deployment plan.
There is a Delegation Prefix field available so that you can preface the commands that TPAM uses to manage
passwords. The delegation prefix can also be used to specify an absolute path to the command that TPAM uses
to manage password for the system.

Click the Connection tab to configure the details for the functional account, and other communication options.

Specify the functional account used on the HP-UX system, and enter the password for the account.

TPAM 2.5
26
Client Setup Guide
IMPORTANT: Make sure you assign a password rule for the system/account that has a maximum of 8
characters long. Passwords longer than 8 characters will not work.

Note the option to specify an Alternate Port. If the default port of 22 is not used (check with the HP-UX
administrator), enter the port in this field on which the device will be listening for connections.

Unlock Locked Accounts

For the HP-UX (trusted) platform, locked accounts will be unlocked by TPAM when making a password change.
To unlock an HP-UX account (during a password reset) TPAM has the functional account issue the command
/usr/lbin/modprpw. If using delegation prefix the functional account must have permissions to execute the
command, otherwise the password reset will fail.

Allow Domain Account PSM Access

A placeholder account can be created on a HP-UX system to allow a domain account PSM access. Add the
account with None selected for password management. On the PSM Session Details tab select SSH- Automatic
Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain
account from the Use Windows Domain Account list.

TPAM 2.5
27
Client Setup Guide
7
IBM Hardware Management Console
(HMC)

Introduction
Add the Functional Account
Add System to TPAM
Allow Domain Account PSM Access

Introduction
This document will guide you through configuring your IBM Hardware Management Console (HMC) for TPAM
password management. This guide is intended for an IBM HMC administrator or a SME (Subject-Matter Expert)
who is familiar with your IBM HMC configuration and custom configurations. Your HMC administrator or SME may
wish to assign permissions more granularity

Add the Functional Account

TPAM connects to the IBM HMC appliance using SSH. The functional account is used to issue commands for
changing account passwords, including itself (if applicable). The functional account requires hmcsuperadmin
or similar permissions to reset users passwords.

Add System to TPAM

TPAM 2.5
28
Client Setup Guide
Click the Connection tab to configure the functional account properties for the system.

If password authentication will be used for the functional account, select the Password option and provide the
current valid password for the account.
NOTE: The option exists to specify a TCP port other than port 22 (the default SSH port). If the system to
be managed is configured to communicate on a port other than 22 for SSH, specify the port in the
Alternate Port field.

Click the Save Changes button. Click the Accounts button to configure the managed account(s) as required for
the system. Select the account on the Listing tab and click the Details tab.

Allow Domain Account PSM Access

A placeholder account can be created on a HMC system to allow a domain account PSM access. Add the account
with None selected for password management. On the PSM Session Details tab select SSH- Automatic Login
Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain account
from the Use Windows Domain Account list.

TPAM 2.5
29
Client Setup Guide
8
Juniper Junos

Introduction
Add the Functional Account
Management Access Configuration
Add System to TPAM

Introduction
This section provides instructions for configuring Junos devices to be managed by TPAM. The steps involved are
verification that the SSH service for management access is enabled and configured, verification of the
functional account, and if necessary SSH key installation and configuration. Administrative knowledge of Junos
and familiarity with its CLI configuration are assumed.

NOTE: The TPAM Junos platform does not support the Jupiter high availability cluster environment. To
support this the customer must utilize TPAM custom platform functionality found in TPAM v2.5.911+

Add the Functional Account

For Junos the functional account must be the devices root account. TPAM can be configured to authenticate to
the Junos device using plain-text password or DSS key authentication.

Management Access Configuration

TPAM manages the device over SSH using the Junos CLI, please consult the Junos documentation of your device
for the appropriate configuration steps to allow secure access to the SSH service.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and Network Address (this can be either IP address or DNS name). Select Juniper(JunOS) as the
platform. Select the appropriate password rule that matches your Junos devices configuration. Junos supports
the following five character classes for plain text passwords:
Lowercase letters
Uppercase letters
Numbers
Punctuation
Special Characters: !@#$%^&*,+<>:;

TPAM 2.5
30
Client Setup Guide
Control characters are not recommended.
If automatic password management is desired, check the option box to do so, and configure the change settings
according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
If password authentication will be used for the functional account, select the Password option and provide the
current valid password for the account.
If DSS key authentication will be used select the DSS option and select either one of the Avail. System Std. Keys
or Use System Specific Key. In this example we will choose the default system standard key id_dsa. Click the
Get Open SHH button to download the key to your downloads folder. Please consult the Junos documentation of
your device on how to configure DSS authentication and install the key to your device.

TPAM 2.5
31
Client Setup Guide
9
LDAP and LDAPS

Add System to TPAM

Click the Connection tab to configure the details for the functional account, distinguished name and other
communication options.

TPAM 2.5
32
Client Setup Guide
10

Mac OS X(10.4-10.8)

Introduction
Enable SSH Daemon
Add the Functional Account
Using sudo
Using sudo
Create and Modify the DSS Key
Allow Domain Account PSM Access

Introduction
This section provides step by step instructions for configuring OpenSSH for Mac OS X systems to be managed by
TPAM. The steps involved are verification that the ssh daemon is enabled and configured, creation and
modification of the functional account, and if necessary SSH key installation and configuration. Administrative
knowledge of Mac OS X and familiarity with the vi editor are assumed.

Enable SSH Daemon

Account management of Mac OS X systems is performed using the SSH protocol. In order for the TPAM
appliance to properly communication with a Mac OS X system its ssh daemon must be enabled and configured.
Log on to the Mac OS X system with an administrator account and open System Preferences.

Click on Sharing.

TPAM 2.5
33
Client Setup Guide
Please verify that the Remote Login check box is selected and that Allow access will be granted for the
functional account. If the functional account is not a member of the Administrators group, remote login access
for that account will need to be specifically allowed here.
Once you have verified that Remote Login access via ssh has been enabled and properly configured within
System Preferences you will need to verify that sshd_config file is properly configured as well.
Using terminal navigate to the /private/etc folder, make a backup of the sshd_config file using the cp command
and then open sshd_config using vi.cp.

Verify that the following settings are not commented out and set to yes.
PermitUserEnvironment yes
PasswordAuthentication yes
UsePAM no
If any of these settings would conflict with other ssh dependent applications you can override settings on a per
user basis using Match User
Match User funcacct
PermitUserEnvironment yes
PasswordAuthentication yes
UsePAM no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Add the Functional Account

Following the steps below, create the functional account on a Mac OS X system and modify its properties (the
account funcacct is used in this example). Log into the Mac OS X system with an administrator account and
open System Preferences.

TPAM 2.5
34
Client Setup Guide
Click on Accounts.

You may have to click the lock icon to make changes. Youll be prompted to provide the administrator accounts
password. Click the + button to add the functional account.

Select Administrator from the New Account list, then provide a full name, account name, password and retype
the password to verify it. Then click the Create Account button.

TPAM 2.5
35
Client Setup Guide
Using sudo
Instead of using a root equivalent account to manage the account on the MAC system the functional account can
leverage sudo.
For MAC OSX 10.4
Under the # User privilege specification section of the sudoers file the following lines need to be added AFTER
any lines for groups.
funcacct ALL=(ALL) NOPASSWD:/usr/bin/passwd
funcacct ALL=(ALL) NOPASSWD:/usr/bin/niutil

For MAC OSCX 10.5,10.6 and 10.7

funcacct ALL=(ALL) NOPASSWD:/usr/bin/passwd
funcacct ALL=(ALL) NOPASSWD:/usr/bin/dscl

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and Network Address (this can be either IP address or DNS name). If adding a MAC OS X 10.8 system
select MacOSX 10.7 as the platform. If automatic password management is desired, check the option box to do
so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.

TPAM 2.5
36
Client Setup Guide
Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
If password authentication will be used for the functional account, select the Password option and provide the
current valid password for the account. To use the key that has been imported from the preceding steps, select
the DSS option and follow the steps outlined in Create and Modify the DSS Key.

Create and Modify the DSS Key

Log on to the Mac OS X system as functional account. From the TPAM menu, select Systems, Accounts, &
Collections | Systems | Add System. From there locate and select the system you have defined for this Mac
and then click the Connection tab.

Under Account Credentials select DSS and then under DSS Key Details select either one of the Avail. System Std.
Keys or Use System Specific Key. In this example we will choose the default system standard key id_dsa. Click
the Get Open SHH button to download the key to your downloads folder.
Next you will need to open the Terminal application to perform the following steps.

Create the .ssh directory for the functional account and then change directory to the newly create directory:
mkdir .ssh
cd .ssh
Copy the id_dsa.pub file that you downloaded into the.ssh directory as the file authorized_keys:
cp /Users/funcacct/Downloads/id_dsa.pub authorized_keys

Edit the sshd_config file on the managed Mac system (/private/etc/ssh/sshd_config) to include the following
in the Authentication section:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Allow Domain Account PSM Access

A placeholder account can be created on a MAC OS system to allow a domain account PSM access. Add the
account with None selected for password management. On the PSM Session Details tab select SSH- Automatic
Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain
account from the Use Windows Domain Account list.

TPAM 2.5
37
Client Setup Guide
11
Mainframe

Mainframe (RACF)
Mainframe LDAP (RACF/TopSecret)
Mainframe (ACF2)

Mainframe (RACF)

Create the Functional Account

The functional account is the used to issue the alu command for changing account passwords, including itself.
The functional account requires system special permission.

Add System to TPAM

Configure the new system in TPAM as would be done for any system, selecting Mainframe as the platform.
Specify the functional account used and the password assigned.

Password Check
TPAM connects via 3270 and waits for an input prompt. TPAM enters the username and waits for the password
prompt. The password is entered and TPAM waits for an input prompt. Logoff is entered and the session is
evaluated to determine success.

Password Change
The above procedure is followed except the alu password command is entered before the Logoff command is
sent.

Mainframe LDAP (RACF/TopSecret)

Add System to TPAM

TPAM 2.5
38
Client Setup Guide
Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 389 (the default LDAP port) or 636 for LDAPS.
If the system to be managed is configured to communicate on a port other than 389 for LDAP, specify the port in
the Alternate Port field. Select the Use SSL check box if LDAPS is to be used.
Enter the name of the functional account that has been created on the mainframe and its password. Follow the
procedure for adding accounts to modify the Functional account to include the DN of this account in the
description field.

The Custom Command field is where you place the LDAP attributes in a space delimited format. For RACF,
there are two attributes that need to be present. The following string represents a valid Custom Command field
for RACF:
racfPassword racfattributes:noexpired
TopSecret requires 3 attributes, an example is below:
userPassword userPassword-Interval:0XX userPassword-Expire:
In all cases, the first attribute must be the password attribute.

Account Name Setup

When setting up accounts for Mainframe LDAP managed systems the Account Name field is not where the actual
account name will be listed.
For example the name you enter in the Functional Account field on the Connection tab is just a place holder.

TPAM 2.5
39
Client Setup Guide
The Description field on the Account Details Information tab is where you must enter the account name for all
accounts on a LDAP/LDAPS managed systems.

All communication between TPAM and the managed LDAP/LDAPS system on the back end will use the account
name in the Description field.

Mainframe (ACF2)

Add the Functional Account

The functional account is used to issue the acf command for changing account passwords, including itself. The
functional account requires operator security permissions. The TPAM functional account requires the following
permissions:
Ability to connect to the Mainframe ACF2 using 3270.
Appropriate permissions to change/modify the password for all TPAM managed accounts.
Appropriate permissions to modify the ACF2 pswd-exp flag.
Access to log on to TSO.

Add the System to TPAM

TPAM 2.5
40
Client Setup Guide
Click the Connection tab to configure the functional account properties for the system. If applicable in your
custom patch, TPAM will use the configured Custom Command.

Password Check
To check passwords TPAM connects via 3270 and waits for an input prompt. TPAM enters the username and waits
for the password prompt. The password is entered and TPAM waits for an input prompt. Logoff is entered and
the session is evaluated to determine success.

Password Change
To change a password the above procedure is followed except the acf password command is entered before the
Logoff command is sent.

TPAM 2.5
41
Client Setup Guide
12
MS SQL Server (2000 & 2005)

Authentication and Encryption

TPAM Commands for Managing MS SQL Server
Encryption Recommendation
Add the Functional Account
Add System to TPAM
SQL Server Named Instances

Authentication and Encryption

The authentication to Microsoft SQL Server never sends the password in clear text. Once connected, however,
all SQL commands issued and the results are sent in clear text unless either the client or the server request
protocol encryption. TPAM, as the client, does not attempt to force the encryption because 1) it would fail to
connect to any server that does not meet the requirements for SSL encryption, and 2) it would require that the
certificate installed at the server is in the certificate trust list on TPAM. TPAM only includes the default Trusted
Root Certificates supplied with the operating system and occasionally updated through OS patches. If the
database server mandates encryption via the Force Protocol Encryption setting in the Server Network
Configuration, TPAM can and will adhere to that mandate.

TPAM Commands for Managing MS SQL

Server
Test System - TPAM opens a connection to the database server using the username/password of the
functional account. If the connection can be established, the test is successful; otherwise, it is
considered a failure.
Check Password - TPAM opens a connection to the database server using the username/password of the
account being checked. If the connection can be established, the test is successful. If not, TPAM then
connects to the database using the functional account and queries master..syslogins for the existence of
the account. If the account exists, it is reported that there is a password mismatch, if it does not, the
error indicates that the account does not exist, and if this connection cannot be established, then an
unable to connect message is returned.
Change Password TPAM connects to the database using the username/password of the functional
account and executes the sp_password system stored procedure for the account. The authentication is
encrypted, but the text of the SQL to execute the stored procedure is sent in clear text, by default. This
means that the password that is being set for the account can be sniffed from the wire. If protocol
encryption is mandated from the database server, nothing is sent in clear text.

TPAM 2.5
42
Client Setup Guide
Encryption Recommendation
It is recommended to use protocol encryption with Microsoft SQL Server databases. It is included with the
product (free), easy to set up, and has only a slight performance impact. It is likely that passwords are not the
only sensitive information being stored in or retrieved from the database. The following links provide
information on setting up the protocol encryption on SQL Server 2000 database servers.
http://support.microsoft.com/kb/276553
http://support.microsoft.com/kb/316898
For SQL Server 2005, the following link provides detailed instructions.
http://technet.microsoft.com/en-us/library/ms189067.aspx
There is no additional setup required at TPAM to utilize secure connections to Microsoft SQL Server. If it is
specified at the DBMS, it will be used by TPAM.

Add the Functional Account

Create a new account on the SQL Server to be the TPAM functional account (the name questtpam is used in
these examples). Give the account a password. Configure this account to use SQL Server Authentication, not
integrated authentication.
Example: exec sp_addlogin questtpam,password
Add the questtpam functional account to the System Administrators server role.
Example: sp_addsrvrolemember @loginame = questtpam , @rolename = sysadmin

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and Network Address (this can be either IP address or DNS name) of the server on which the
database resides. If automatic password management is desired, check the option box to do so, and configure
the change settings according to your deployment plan.
Select MS SQL Server as the platform.

The general format of the extra database connection strings is parm=value;parm=value;...

The commands allowed in the Extra DB Connection string are:
encrypt=yes|true|no|false
initial catalog=databaseName (same as database=databaseName)
database=databaseName

TPAM 2.5
43
Client Setup Guide
trustservercertificate=yes|true|no|false
encryptpassword=yes|true|no|false
min pool size=#
max pool size=#
NOTE: When using a "domain or local computer account as the functional account the extra DB connection
string is ignored for purposes of Check System, Check Password, and Change Password.

Click the Connection tab to specify the details for the functional account.
Specify the functional accountused on the SQL Server (i.e. questtpam), and enter the password for the
account.

If MS SQL server supports Windows Authentication in addition to SQL authentication, you can leverage the
Domain Account or Local Computer Account as a functional account. Account discovery will be disabled if one of
these is used for the functional account. The corresponding Windows Active Directory or Windows
system/account should be created beforehand, so that you can choose this account on the Connection tab of
the MS SQL Server system.

Notice the Tunnel DB Connection through SSH check box. Database tunneling through SSH provides the ability
to securely connect to a remote database.
For DBMS accounts, SSH tunneling only uses public key and not manual passwords for establishing the SSH
connections.
TIP: Make sure that the default of AllowTCP Forwarding is set to Yes in the SSH Configuration file of the
managed system.

TPAM 2.5
44
Client Setup Guide
SQL Server Named Instances
TPAM supports dynamic ports by using the network address\namedinstance value in the network address field on
the Systems Detail tab in TPAM. If TPAM detects a named instance value in this field it will not use the Port
listed on the Connection tab or the default port of 1433 to connect to the MS SQL Server system. Instead TPAM
will query for the dynamic port.

If using named instances with static ports, the instance name should not be included in the network address
field, and indicate the static port number on the connection tab.

TPAM 2.5
45
Client Setup Guide
13
Nokia IPSO

Introduction
Add the Functional Account
Add System to TPAM
Allow Domain Account PSM Access

Introduction
This section provides step by step instructions for configuring Nokia IPSO systems to be managed by TPAM. The
steps involved are creation and modification of the functional account, and adding the system to TPAM.

Add the Functional Account

Log on to the Nokia IPSO system URL (Nokia Network Voyager) - http://IPADDRESS/ as admin and create the
functional account. In our examples, the functional account is named funcacct.
From the Top Menu, click Config. From the Configuration Menu, under Security and Access Configuration, click
Users. Locate Add new user:. Enter funcacct (User names must be 1-8 characters long) for Username. Enter 0
(Zero) for Uid. Enter /var/funcacct for Home Directory.

Click the Apply button. Click the Save button. Set the funcacct account password.
Enter New Password:
Enter New Password (verify):
Click the Apply button.

TPAM 2.5
46
Client Setup Guide
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and Network Address (this can be either IP address or DNS name). If automatic password
management is desired, check the option box to do so, and configure the change settings according to your
deployment plan.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
Nokia IPSO uses password authentication for the functional account, select the Password option and provide the
current valid password for the account.
Enter Alternate port: (if applicable)
Enter Connection Timeout: Default [20] Seconds.
Enter Functional Account to be used: [funcacct]
Select Password. Enter password. Must match password supplied in Add the Functional Account section.
Click the Save Changes button.
Click the Test System button.

Allow Domain Account PSM Access

A placeholder account can be created on a Nokia IPSO system to allow a domain account PSM access. Add the
account with None selected for password management. On the PSM Session Details tab select SSH- Automatic
Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain
account from the Use Windows Domain Account list.

TPAM 2.5
47
Client Setup Guide
14
Novell NDS

Add System to TPAM\

Add System to TPAM

Click the Connection tab to configure the details for the functional account, distinguished name and other
communication options.

Note that the option exists to specify a port other than port 636 (the default Novell port). If the system to be
managed is configured to communicate on a port other than 636 for Novell, specify the port in the Alternate
Port field.

TPAM 2.5
48
Client Setup Guide
15
OpenVMS

Add System to TPAM

Select the Connection tab to configure the details for the functional account, and other communication
options.

Note the option to specify an Alternate Port. If the default port of 22 is not used, enter the port in this field.
Enter the name of the functional account that has been created on the database and its password or DSS Key
option. The functional account must have SECURITY as an authorized privilege, must have RW access to
SYSUAF.DAT, and SYSUAF.DAT must be in the functional account's default directory (i.e., default of SYS$SYSTEM).

TPAM 2.5
49
Client Setup Guide
16
Oracle (9i,10g,11g)

Authentication and Encryption

TPAM Commands for Oracle
Encryption Recommendation
Add the Functional Account
Add System to TPAM

Authentication and Encryption

By default, the connection that TPAM establishes to the Oracle database server utilizes a secure authentication
protocol. Like all of the other DBMS, however, all data sent between the client and the database server after
authentication is then unencrypted. This means that when changing the password for an account, the new
password being set for the account is sent in clear text. Oracle has an optional feature that can be installed
called Oracle Advanced Security Option. This is available for both 9i and 10g, and can be used to provide
encryption of data in transit between the client and the server (in addition to many other security
enhancements it provides.) This option allows the DBA to configure a listener for an instance to require a secure
channel via SSL. Like Sybase, it is possible to set up both secure and unsecured listeners for the same instance.

TPAM Commands for Oracle

Test System - TPAM opens a connection to the database server using the username/password of the
functional account. If the connection can be established, the test is successful; otherwise, it is
considered a failure.
Check Password - TPAM opens a connection to the database server using the username/password of the
account being checked. If the connection can be established, the test is successful. If not, TPAM then
connects to the database using the functional account. If the connection is successful, then TPAM
assumes a password mismatch for the account. Otherwise, an Unable to connect result is returned.
Change Password TPAM connects to the database using the username/password of the functional
account and executes alter user xxx identified by yyy to change the accounts password. The
authentication is encrypted, but the text of the SQL is sent in clear text.

Encryption Recommendation
It is recommended to configure a secure listener on all Oracle instances for use with TPAM. Consult your Oracle
documentation or DBA to set up the secure listener for the data server.

Add the Functional Account

Create a UserID that uses password authentication.

TPAM 2.5
50
Client Setup Guide
Example: create user questtpam identified by password default tablespace USERS;
Grant create session and alter user privileges to the account.
Example: grant create session to questtpam;
grant alter user to questtpam;
For autodiscovery to work if the functional account does not have the DBA role, then
grant select on DBA_USERS to <functional account>
must be used.

Add System to TPAM

The general format of the extra database connection strings is parm=value;parm=value;...

The commands allowed in the Extra DB Connection string are:
dba privilege=SYSDBA|SYSOPER
pooling=true|false
min pool size=#
max pool size=#
incr pool size=#
decr pool size=#
connection lifetime=#
connection timeout=#
Click on the Connection tab.
Specify the functional account used on the Oracle database (i.e. questtpam), and enter the password for the
account.

TPAM 2.5
51
Client Setup Guide
NOTE: If the functional account is sys, this account needs to have the sysdba role in order for TPAM to
successfully connect.

TPAM 2.5
52
Client Setup Guide
17
Oracle 12G

Add the Functional Account

System settings for CDB
System settings for PCB

Add the Functional Account

In Oracle 12c, there are two types of users: common users and local users.

To create a functional account to manage both common and local users:

1 A common user must be created. In this example c## is a special prefix for common users, c##tpamfunc
is the account name and Q1w2e3r4t5 is the account password.
a These commands are executed under the predefined Oracle system account with the default
role:
create user c##tpamfunc identified by Q1w2e3r4t5 container=ALL;
grant create session to c##tpamfunc container=ALL;
grant alter user to c##tpamfunc container=ALL;
b This command is executed under the predefined Oracle sys account with the SYSDBA role if you
want to run Account Discovery for common users in CDB:

grant select on DBA_USERS to c##tpamfunc;

c These commands are executed under the predefined Oracle sys account with the SYSDBA role if
you want to run Account Discovery for local users in a given PDB (say, pdborcl):
alter session set container=pdborcl;
grant select on DBA_USERS to c##tpamfunc;
2 For a functional account to manage local users in a given PDB we need to create a local user in this PDB.
Below are the commands to create such a user where:
tpamfunclocal is account name

Q1w2e3r4t5 is account password

These commands are executed under the predefined Oracle system account with the default role:
alter session set container=pdborcl;
create user tpamfunclocal identified by Q1w2e3r4t5;
grant create session to tpamfunclocal;
grant alter user to tpamfunclocal;
This command is executed under the predefined Oracle sys account with the SYSDBA role if you want to
run Account Discovery for local users in this PDB:
grant select on DBA_USERS to tpamfunclocal;

TPAM 2.5
53
Client Setup Guide
A note on managed accounts
For managed accounts to be applicable for password reset/check, the corresponding user should
have the create session privilege. For example (yklocal is account name):
grant create session to yklocal;

System settings for CDB

CDB stands for multi tenant container database. CDB is an Oracle Database installation that contains
at least one PDB.
Here are the settings for a managed system:

Where c##tpamfunc is an oracle user created as a functional account for TPAM (please see the commands for
creating such an account above)
orcl is global system identifier (SID) and global database name. This name was proposed by default during
Oracle installation. Specifying orcl in the Service Name field also works (According to the Oracle, the service
name for an Oracle database is normally its global database name).

TPAM 2.5
54
Client Setup Guide
System settings for PCB
If you want to work with PDB (pluggable database), you should specify a PDB name in the Service name field.
You may need it to manage local users in a given PDB (please see the links to the Oracle documentation earlier).
In the screen shots below, pdborcl is the default PDB name.

NOTE: To manage local users in a given PDB, for a functional account, you can use either a common user
(c##tpamfunc in the examples above), or a local user in a given PDB (tpamfunclocal in the examples
above).

Using a common user as a functional account (c##tpamfunc):

Using a local account as a functional account:

TPAM 2.5
55
Client Setup Guide
TPAM 2.5
56
Client Setup Guide
18
POS 4690

Add Functional Account

Add a Password Rule
Add System to TPAM

Add Functional Account

To create the functional account:
1 Log on to the POS 4690 system.

2 Enter 1 and press the ENTER key.

3 Enter 5 and press the ENTER key.

TPAM 2.5
57
Client Setup Guide
4 Enter 3 and press the ENTER key.

5 Enter 2 and press the ENTER key.

6 Enter your Operator ID and press the ENTER key.

TPAM 2.5
58
Client Setup Guide
7 Enter the ID for the Manager model.

8 Enter a Password for the ID.

9 Enter Y and press the ENTER key.

TPAM 2.5
59
Client Setup Guide
10 Enter Y and press the ENTER key.

11 Enter Y and press the ENTER key.

12 Enter N and press the ENTER key.

13 Enter Y and press the ENTER key.

TPAM 2.5
60
Client Setup Guide
14 Enter Y and press the ENTER key.

Add a Password Rule

The System Administrator will need to configure a password rule for the 4690 systems in the admin interface as
shown below. POS 4690 systems only allow numeric characters for the password.

TPAM 2.5
61
Client Setup Guide
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and Network Address (this can be either IP address or DNS name). If automatic password
management is desired, check the option box to do so, and configure the change settings according to your
deployment plan.

Select the password rule that was created for the POS 4690 systems from the Password Rule list.
Click the Connection tab to configure the functional account properties for the system.

Make sure that the Functional Account name matches the Operator ID that you configured on the POS 4690
system.

TPAM 2.5
62
Client Setup Guide
19
ProxySG

Introduction
Add Functional Account
Add Functional Account via the CLI
Add System to TPAM

Introduction
TPAM has the ability to manage two accounts on Blue Coats ProxySG systems, the Enable and the Funcacct
(console account).

Add Functional Account

The functional account for the ProxySG is the console access account. This account is also used for CLI access to
ProxySG. The name of the account is determined by the Administrator. This account can be altered through the
Blue Coat Web Console or through the CLI console. If these are not configured please refer to
ProxySg_InstallGuide document.

To create the functional account:

1 Access the Blue Coat console at https://Blue Coatss IP or DNS:8082

2 Click on Authentication | Console Access.

3 Enter a new user name in the User Name field.

TPAM 2.5
63
Client Setup Guide
4 After entering the new user name you will be prompted to re-authenticate. Enter the user name and
password and click the OK button.

5 Click the Change Password button.

6 Enter and confirm the new password. Click the OK button.

7 After entering the new password you will be prompted to re-authenticate. Enter the user name and
password and click the OK button.

This account information will be used to configure the Connection tab for the system in the TPAM web interface.

TPAM 2.5
64
Client Setup Guide
Add Functional Account via the CLI
The functional account can also be configured via CLI. Please refer to your Blue Coat documentation to obtain
the correct commands.
Example:
user create Funacct
user edit "funcacct
hashed-password $1$vCk8O4tH$N9aII2A8duj4l41NDGZmS/

Add System to TPAM

Click the Connection tab to configure the functional account properties for the system.

If a port other then 22 is being used, enter the Alternate Port.Enter the Functional Account name and password.
Enter the Enable Password for the ProxySG system.Click the Save Changes button.This will create the two
managed accounts that can be managed by the system. The enable and funcacct accounts. To view these
accounts click the Accounts button.

TPAM 2.5
65
Client Setup Guide
Attempts to create any other accounts will result in an error message.

The SSH protocol used is determined by how the ProxySG system is configured. It is assumed that only v1 or v2
may be enabled at any given time on the ProxySG.

TPAM 2.5
66
Client Setup Guide
20
PSM Web Access

Introduction
Web access proxy profiles
Set the default web access proxy profile
Add a web access proxy profile
Assign a web access proxy profile to a DPA
Delete a web access proxy profile
Add web access system to TPAM

Introduction
If your company has a web based application and you want to manage access to this application you can set up
a system with a platform of PSM Web Access.
NOTE: A DPA is required to use the PSM Web Access platform.

Web access proxy profiles

A web access proxy profile allows you to set the proxy configuration that is used for PSM Web Access systems.
Once added, the default web access proxy profile will automatically be assigned to any DPAs in the cluster and
be used by the WebAccessAccount when starting a PSM session. If another web access proxy is added in addition
to the default, it must be manually assigned to the DPA on the DPA Management page.

Set the default web access proxy profile

To set the default web access proxy profile:
1 Select Management | Profile Management from the menu.
2 Select Web Access Proxy from the Profile Type list.

3 Make sure the Default profile is highlighted in the list box on the left.

TPAM 2.5
67
Client Setup Guide
4 Enter the HTTP Proxy and/or HTTPS Proxy and Port to be used.
5 Click the Save Changes button.
Now all DPAs will be assigned this proxy profile unless it is manually changed on the DPA Management page.

Add a web access proxy profile

To add a web access proxy profile:
1 Select Management | Profile Management from the menu.
2 Select Web Access Proxy from the Profile Type list.
3 Click the New Profile button.
4 Enter a unique name for the profile.
5 Enter the HTTP Proxy and/or HTTPS Proxy and Port to be used.
6 Click the Save Changes button.

Assign a web access proxy profile to a DPA

To assign a web access proxy profile to a DPA:
1 Select Management | DPAs from the menu.
2 Select the DPA from the server list. Click the Details tab.

3 Select the web access proxy profile from the list.

4 Click the Save Changes button.

Delete a web access proxy profile

To delete a connection profile:
1 Select Management | Profile Management from the menu.
2 Select Web Access Proxy as the profile type.
3 Select the profile to be deleted from the list.

TPAM 2.5
68
Client Setup Guide
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A connection profile can only be deleted if it is not assigned to any DPAs

Add web access system to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system.

Enter the URL that you want the sessions to be limited to in the Restricted URL field. Click the Save Changes
button. If you want the ability to navigate away from the restricted URL that is entered, preface the restricted
URL with ALLOWNAV;. This is not case-sensitive. For example to start at www.dell.com and allow navigation
away from there, ALLOWNAV;www.dell.com would be typed in the restricted URL box.
Click on the Affinity tab.

Select the PSM DPA Server that you want to use to manage these sessions.
Use the Ticket System tab to set any ticket validation requirements for session requests.
Assign permissions to this system using the Collections and Permissions tabs. Click the Save Changes button.
Saving the system will create a default WebAccessAccount which can then be requested by authorized users.

TPAM 2.5
69
Client Setup Guide
21
SAP

Add System to TPAM

Add Permissions to Functional Account in SAP

Add System to TPAM

To add SAP system to TPAM:
1 From the TPAM menu select Systems, Accounts, & Collections | Systems | Add System.
2 Enter the system name.
3 In the network address box the SAP host name and system number are entered in this format:
hostname:sysnr. For example a host name of n4shost.corp.company-software.lab with a instance
number of 42 would be entered as follows: n4shost.corp.company-software.lab:42. If the target is a
cluster, the network address entered should be the network address of the message server and should
NOT include :sysnr.
4 If automatic password management is desired, check the option box to do so, and configure the change
settings according to your deployment plan.
5 Enter the als client in the client ID box. When the target is a cluster enter the
r3Name:GroupName:MSPort in this box.

6
7 Click the Connection tab to configure the details for the functional account, and other communication
options.

TPAM 2.5
70
Client Setup Guide
8 Enter the name of the functional account that has been created in SAP and its password.
9 Click on the remaining tabs to complete configuration of the system. See the TPAM Administrator Guide
for more details on adding a system.
10 Click the Save Changes button.

Add Permissions to Functional Account in

SAP
Within SAP the functional account used to communicate with TPAM must have an S_USER_GRP authorization
granted (or any authorization set that contains this authorization, e.g. SAP_ALL) for the functional account to
manage other users accounts.

To configure the functional account to work with TPAM:

1 Enter the functional account name in the User field.

2 Click the create icon.

TPAM 2.5
71
Client Setup Guide
3 Enter information on the Address tab.
4 Click the Save icon.
5 Click the Roles tab.

6 Enter the administrative role name.

TPAM 2.5
72
Client Setup Guide
7 Click the Save icon.
SAP passwords will remain in a productive state for all user types and TPAM will not reset passwords that have
been deactivated.

TPAM 2.5
73
Client Setup Guide
22
SonicWALL

Introduction
Add the Functional Account
Add System to TPAM

Introduction
This section provides step by step instructions for configuring Dell SonicWALL Network Security Appliances
(NSA) and SonicWALL TZ series to be managed by TPAM. The steps involved are creation and modification of the
functional account, and adding the system to TPAM.
NOTE: The Dell SonicWALL device must be running a SonicOS firmware revision of 5.9 or later.

Also, TPAM can change passwords for both the Admin account and all Local Users, it can only check passwords
for the Admin account and Local Users who are members of the SonicWALL Administrators group.

Add the Functional Account

Log onto the Dell SonicWALL Web management interface using the admin account, or a local account with full
administrative privileges.
Create a new local user, in this case we are using funcacct. Enter a password that conforms to any policy you
have configured on the firewall.

From the Group tab, add the account to the SonicWALL Administrators group.

TPAM 2.5
74
Client Setup Guide
Click the OK button to save the changes.

Add System to TPAM

Click the Connection tab to configure the functional account properties for the system.

TPAM 2.5
75
Client Setup Guide
Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
Dell SonicWALL Network Security Appliances use password authentication for the functional account. Select the
Password option and provide the current valid password for the account.
Click the Save Changes button. Click the Test button.

TPAM 2.5
76
Client Setup Guide
23
Sybase Adaptive Server Enterprise (ASE)

Authentication and Encryption

TPAM Commands for Sybase
Encryption Recommendation
Add the Functional Account
Add System to TPAM

Authentication and Encryption

By default, an ODBC connection to ASE does not secure the login packet, meaning the clear text password is
sent across the network. TPAM specifies password encryption for the connection, so the password is never sent
in clear text during authentication. After authentication, however, all information sent between the client and
server is unencrypted. s a result, the change password issued from TPAM (or any other application) sends not
only the password of the account being changed in clear text, but also the password of the TPAM functional
account. The parameters for the sp_password system stored procedure in ASE requires the callers (with
sso_role) password to execute. Sybase does provide a mechanism to enable SSL Encryption of the data stream,
and this can be set up to listen on a selected port only, allowing some connections to be encrypted and others
using the default that is not encrypted. TPAM can now be configured to communicate with this encrypted port,
ensuring that no clear text passes between TPAM and the Sybase data server.

TPAM Commands for Sybase

Test System - TPAM opens a connection to the database server using the username/password of the
functional account. If the connection can be established, the test is successful; otherwise, it is
considered a failure.
Check Password -TPAM opens a connection to the database server using the username/password of the
account being checked. If the connection can be established, the test is successful. If not, TPAM then
connects to the database using the functional account and queries master..syslogins for the existence of
the account. If the account exists, it is reported that there is a password mismatch, if it does not, the
error indicates that the account does not exist, and if this connection cannot be established, then an
unable to connect message is returned.
Change Password TPAM connects to the database using the username/password of the functional
account and executes the sp_password system stored procedure for the account. The authentication is
encrypted, but the text of the SQL to execute the stored procedure is sent in clear text, by default. This
means that the password that is being set for the account and the TPAM functional account can be
sniffed from the wire

Encryption Recommendation
It is recommended to configure a secure port on all Sybase instances for use with TPAM. Consult your Sybase
documentation or DBA to set up the secure listening port at the data server. The instructions can be found in

TPAM 2.5
77
Client Setup Guide
Secure Sockets Layer (SSL) in Adaptive Server, under Security Administration in the System Administrators
Guide of the Sybase documentation.

Add the Functional Account

Create a login ID on Sybase that uses database authentication (not integrated).
Assign the ID a password.
Example: exec sp_addlogin questtpam,password
Grant Security Officer privileges to the account.
Example: grant role sso_role to questtpam

Add System to TPAM

The general format of the extra database connection strings is parm=value;parm=value;...

The commands NOT allowed in the Extra DB Connection string are:
password
pwd
uid
host
port
sslcafile
data source
encryption
trustedfile
dsurl
Select the Connection tab to configure the details for the functional account, and other communication
options.

TPAM 2.5
78
Client Setup Guide
Specify the functional account used on the SQL Server (i.e. questtpam), and enter the password for the
account.

If you plan on checking the Use SSL option, you must get your System Administrator to install the Trusted Root
Certificate first through the config interface.
The Tunnel DB Connection through SSH option provides the ability to securely connect to a remote database.
Enter the Account Name that you will use to connect to the remote system. If SSH is not listening on port 22
please provide the correct port you want the connection forwarded to.
For DBMS accounts, SSH tunneling only uses public key and not manual passwords for establishing the SSH
connections.
TIP: Make sure that the default of AllowTCP Forwarding is set to Yes in the SSH Configuration file of the
managed system.

TPAM 2.5
79
Client Setup Guide
24
HP NonStop Tandem

Introduction
Server Setup
Add the Functional AccountAdd the Functional Account
TPAM Client Setup
Test Connectivity

Introduction
TPAM uses a functional account created on the managed host with administrative privileges to manage
privileged accounts. There is no agent to be configured on the managed server.

Server Setup
To make sure the TPAM server can communicate with the HP NonStop Tandem server please do the following:
Obtain the Telnet package from HP, install, and configure it to run on the default port of 23, or any other
desired port.
Make sure any interim firewalls will allow Telnet traffic between the TPAM appliance and the HP NonStop
Tandem server.
Set up the functional account. See Add the Functional Account.

Add the Functional Account

Create a new account on the HP NonStop Tandem server (the name funcacct is used in this example).
The Tandem elevated account, super, which has group ID 255 and userID 255 or (255,255) or a group manager id
with group id 255, can use the TACL ADDUSER command as in the example below:
ADDUSER SUPER.FUNCACCT,255,n
n is an integer from 0 - 255 that uniquely identifies the user funcacct within the group.
If using the Safeguard command interpreter Safecom, then the super ID can use the ADD USER command as in
the example below:
ADD USER super.funcacct,255,n
n is an integer from 0 - 255 that uniquely identifies the user funcacct within the super user group.

TPAM 2.5
80
Client Setup Guide
TPAM Client Setup
To add a HP NonStop Tandem system to TPAM:
1 Select Systems, Accounts, & Collections | Systems | Add System.
2 Enter the System Name and Network Address. (this can be either IP or DNS Name).
3 Select HP Non-Stop from the platform list.
4 Leave the Enable Automatic Password check box selected to manage password for this system.
5 Enter tacl in the initial command field. TPAM will use this to access the logon command.
6 Click the Connection tab.
7 If the default port of 23 is not used enter an alternate port number.
8 Enter the name and password of the functional account that has been created on the database. This
account must have administrative privileges required to manage other database accounts.
9 Click the Save Changes button.

Test Connectivity
Telnet access may be checked from a machine with Telnet client software installed, provided any intervening
firewalls allow the traffic through.
A test from a windows command prompt can check this by running the following command, replacing <NonStop
IP> with the HP NonStop server IP address:
telnet < NonStop IP > 23
A test can also be run from the TPAM client /parconfig interface:
/parconfig> Net Tools> TelnetTest>
Network Address to test: <NonStop IP>
Port: 23 (default) or designated alternative port
Timeout:20s (default)

TPAM 2.5
81
Client Setup Guide
25
Teradata

Introduction
Define a Data Source
Add the Functional Account
Add System to TPAM

Introduction
This section highlights instructions for configuring Teradata systems to be managed by TPAM. The steps
involved are:
Create/Define Datastore Connection(s)
Create Teradata User Account(s)
Configure functional account and testing
Create managed system on TPAM
Create managed account(s) and testing

Define a Data Source

To define a data source via the Teradata Administrator Utility program:
1 From the main window, click File | Define Data Source.The ODBC Data Source Administrator dialog box
appears and displays the User DSN tab by default.
2 Click the Drivers tab, and ensure the required ODBC driver is installed on your system.
3 Click the System DSN tab or User DSN tab.
4 Click the Add button.The Create New Data Source dialog box appears.
5 Select the Teradata ODBC driver, and then click Finish.
6 The ODBC Driver Setup for Teradata Database dialog box appears. Enter the following fields:
NOTE: For in depth information refer to the ODBS Driver for Teradata User Guide.

Name - Name for the data source.

Type a unique description such as Payroll or Accounts Payable.
[Optional] Description - Descriptive text about this data source.
Name(s) and IP address(es) - Name or IP address of the server of your Teradata Database to
connect to.
Do not resolve alias name to IP address - Select to not resolve alias names during set up. Clear
this check box to allow aliases to be resolved whenever connecting to a database.

TPAM 2.5
82
Client Setup Guide
Use Integrated Security - Select to connect to the database through Single Sign On (SSO). The
Mechanism, Parameter, Username and Password boxes are unavailable and your logon
information is authenticated by network security when logging on to your computer.
[Optional] Mechanism - If a security mechanism is in place, select the authentication mechanism.
[Optional] Parameter - If a mechanism is selected, enter the applicable authentication string.
[Optional] Username - User name to use to log on to the Teradata Database.
[Optional] Password - Password for the user name.
[Optional] Default Database - Database to work in by default. Use unqualified object names only
in this database; qualify all other objects using the database name. If this field is left blank, the
default database is your username.
[Optional] Account String - Account string associated with the user name.
Session Character Set - Specify the default character set for the session. To use a different
character set, select from the pull-down menu. The default is ASCII.
7 Click OK twice.
IMPORTANT: When connecting to Teradata Database V2R6.2.x or earlier, do not use UTF8 or UTF16 session
character sets if the system contains Kanji object names. If any Kanji Database or User names exist on the
system, the initial loading of the database tree fails.

IMPORTANT: When connecting to Teradata Database 12.0 or later, do not choose ASCII if any Kanji
Database or User names exist on the system. Choose UTF8 or UTF16 session character sets so the
information displays correctly on the page.

Add the Functional Account

To create or modify a user account:
1 Choose one of the following options:
To create a new user with no shared specifications from an existing one, click Tools | Create |
User.
To create a new user either identical or closely related to an existing one, highlight the user to be
cloned in the main window, and then click Tools | Clone User.
To modify an existing user, first highlight the user to be modified in the main window, and then
click Tools | Modify User.
2 Define the attributes and options as indicated in Create User and Modify User Dialog Box Description
section of the Teradata Administrator Manual.
3 Click Create or Modify.

Add System to TPAM

TPAM 2.5
83
Client Setup Guide
Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 1025 (Default port for Teradata is 1025). If the
system to be managed is configured to communicate on a port other than 1025, specify the port in the Alternate
Port field.
Teradata uses password authentication for the functional account, select the Password option and provide the
current valid password for the account.
Enter the following fields.
Alternate Port: (if applicable)
Connection Timeout: Default [20] Seconds.
Functional Account to be used: [administrator level account required]
Password: (Must match password supplied in Add the Functional Account section)
Click the Save Changes button.

TPAM 2.5
84
Client Setup Guide
26
Tru64 Enhanced Security

Introduction
Add the Functional Account
Using sudo
SSH2 Daemon
Add System to TPAM
Create and Modify DSS Key
Allow Domain Account PSM Access

Introduction
This section provides step by step instructions for configuring the Secure Shell Daemon (sshd2) for Tru64 systems
to be managed by TPAM. The steps involved are verification that the sshd2 daemon is enabled and configured,
creation and modification of the functional account, and if necessary Secure Shell key installation and
configuration. Administrative knowledge of Tru64 and familiarity with the vi editor are assumed.

Add the Functional Account

Log on to the Tru64 system as root (or root equivalent account) and create the functional account. In our
examples, the functional account is named funcacct.

Using sudo
Instead of using a root equivalent account to manage the account on the Tru64 system, the functional account
can leverage sudo. Log into the Tru64 system as root (or root equivalent account) and use visudo to edit the
sudoers file and add the following lines under the User privilege specifications section of the file:
funcacct ALL=(root) NOPASSWD: /bin/grep
funcacct ALL=(root) NOPASSWD: /bin/passwd
You will also need to add the following line so that sudo does not require a tty for the functional account.
Defaults:funcacct!requiretty

SSH2 Daemon
Verify that the Tru64 system is configured to run the Secure Shell daemon (sshd2) and if necessary edit the sshd2
configuration file (/etc/ssh2/sshd2_config) to ensure that both password and public key authentication are
permitted:
AllowedAuthentications publickey,password

TPAM 2.5
85
Client Setup Guide
If changes are made to the sshd2_config file, restart sshd to re-read the configuration:
/etc/init.d/sshd restart

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for
the system and network address (this can be either IP address or DNS name). Run the rcmgr get SECURITY
command on the Tru64 system to determine the security configuration and set the Platform type accordingly --
Tru64 Untrusted for BASE security, or Tru64 Enhanced Sec. for ENHANCED security. If automatic password
management is desired, check the option box to do so, and configure the change settings according to your
deployment plan.

In order to manage the accounts the functional account can leverage sudo. This can be done by entering sudo as
the Delegation Prefix.
Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be
managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port
field.
If password authentication will be used for the functional account, select the Password option and provide the
current valid password for the account. To use public key authentication, select the DSS option and click the
Get Sec SSH button to download the TPAM Sec SSH Key. Follow the steps outlined in the next section to
complete the public key authentication configuration on the Tru64 System.

Create and Modify DSS Key

Log into the Tru64 system as the funcacct user, and create a .ssh2 directory under the user's home directory:
TPAM 2.5
86
Client Setup Guide
mkdir .ssh2
Copy the TPAM Sec SSH Key (e.g. id_dsa.export) to the .ssh2 directory created above (see instructions in the
previous section to download the TPAM Sec SSH key). Once the key is on the Tru64 system, convert it to from a
UNIX compatible text file:
cd .ssh2
/usr/bin/mtools/dos2unix id_dsa.export
Authorize the TPAM SSH key, by creating a Key entry in the .ssh2/authorization file:
echo Key id_dsa.export >> authorization

Allow Domain Account PSM Access

A placeholder account can be created on a Tru64 system to allow a domain account PSM access. Add the account
with None selected for password management. On the PSM Session Details tab select SSH- Automatic Login
Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain account
from the Use Windows Domain Account list.

TPAM 2.5
87
Client Setup Guide
27

Linux and UNIX Systems

Introduction
Add the Functional Account
Create and Modify the Public Key
Add System to TPAM
Allow Domain Account PSM Access

Introduction
This section provides step by step instructions for configuring OpenSSH for Linux/Unix systems to be managed
by TPAM. The steps involved are functional account creation and modification and SSH key installation and
configuration. Administrative knowledge of Linux/Unix and familiarity with the vi editor are assumed.
CAUTION: Modification to the /etc/passwd file can result in irreparable damage to the system. Only
experienced system administrators should perform this function, after taking proper backup
precautions.

Add the Functional Account

Create a new account on the Linux server and modify its properties. (the account name funcacct is used in this
example).

To create the functional account:

1 useradd -c "Functional Account" -m funcacct
2 Use visudo to edit sudoers file and add the following lines:

*Linux and most UNIX systems

funcacct ALL=(root) NOPASSWD: /bin/grep
funcacct ALL=(root) NOPASSWD: /usr/bin/passwd

*AIX systems
funcacct ALL=(root) NOPASSWD: /bin/sed
funcacct ALL=(root) NOPASSWD: /usr/bin/passwd
funcacct ALL=(root) NOPASSWD: /usr/bin/pwdadm
TIP: Different versions of Linux and UNIX may have these commands placed in different
locations, so the paths may vary. Please consult a Linux/UNIX system administrator for
assistance.

3 Press the Esc key, type :wq! to save the file and exit visudo.

TPAM 2.5
88
Client Setup Guide
Create and Modify the Public Key
Create the .ssh directory for the funcacct account:
cd ~funcacct
mkdir .ssh
Copy the public key (id_dsa.pub) from TPAM to the .ssh directory created above, as the file authorized_keys.
Log on to the admin interface via HTTPS and select Keys | Manage SSH Keys from the menu. One method of
accomplishing this is to download the key to a workstation and then transfer it to the remote host via secure
FTP or similar method.
Change ownership of the .ssh directory to the functional account:
chown -R funcacct~funcacct
Edit the sshd configuration file on the client system (/etc/ssh/sshd_config) to include the following in the
Authentication section:
PasswordAuthentication yes
PermitRootLogin yes
PermitUserEnvironment yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
NOTE: Different versions of Linux and UNIX may require slightly different parameters for SSH
configuration. Consult a Linux/UNIX system administrator for assistance.

Restart the sshd daemon:

Linux: service sshd restart

-OR-
UNIX: kill HUP [pid]

Add System to TPAM

To add system to TPAM:
1 Log onto the admin interface of TPAM.
2 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
3 Enter the system name, network address (can either be IP address or DNS name).
4 Select the Enable Automatic Password Management? check box if desired.
5 On the Management tab, set the change settings according to your deployment plan.
6 There is a Delegation Prefix field available on the Information tab so that you can preface the commands
that TPAM uses to manage passwords. In order to manage the accounts the functional account can
leverage sudo. Enter sudo as the Delegation Prefix.

TPAM 2.5
89
Client Setup Guide
7 Click on the Connection tab.

8 Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system
to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the
Alternate Port field.
9 To use the key that has been imported from the preceding steps, select the DSS option. If password
authentication will be used for the functional account, select the Password option and provide the
current valid password for the account.
For more detailed information regarding these and other options for configuring the managed systems, please
consult the Administrator Guide.

Allow Domain Account PSM Access

A placeholder account can be created on a *nix system to allow a domain account PSM access. Add the account
with None selected for password management. On the PSM Session Details tab select SSH- Automatic Login
Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain account
from the Use Windows Domain Account list.

TPAM 2.5
90
Client Setup Guide
28
VMware vSphere 4

Introduction
Add the Functional Account
Add System to TPAM

Introduction
This section provides step by step instructions for configuring a VMware vSphere 4 server to be managed by
TPAM. The steps involved are creation and modification of the functional account. Administrative knowledge of
VMware vSphere 4 is assumed.

Add the Functional Account

Following the steps below, create the functional account on the vSphere 4 server and modify its properties (the
account funcacct is used in this example). Log on to the vSphere server using the vSphere Client.
Once authenticated to the server from the vSphere Client menu select View | Administration | Roles.

Click Add Role.

TPAM 2.5
91
Client Setup Guide
You will then need to provide a name for the new role, in this example well use FuncRole. The ONLY privilege
the functional account will need is Manage user groups, which is found under Host | Local operations.
In order to create the functional account on the vSphere you will need to switch to the Inventory View. From the
vSphere Client menu select View | Inventory. From there click on the Users & Groups tab.
Right-click in the area listing the users and select Add.

Provide the Login funcacct, the User Name Functional Account, type the password, retype to confirm, and
make the user a member of the users group. Click the OK button.
Next click on the Permissions tab. Right-click in the area listing the users, and select Add Permission.

Under Users and Groups, add funcacct and under Assigned Role, select the FuncRole that you created
earlier from the list. Click the OK button.
Youve successfully created the functional account on the vSphere server and assigned it a role which will allow
it to manage the passwords of other users on the server.

Add System to TPAM

TPAM 2.5
92
Client Setup Guide
Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 443 (the default SSL port). If the system to be
managed is configured to communicate on a port other than 443 for SSL, specify the port in the Alternate Port
field.

TPAM 2.5
93
Client Setup Guide
29
Windows Active Directory

Introduction
Add System to TPAM

Introduction
The concepts for managing domain level accounts or local system accounts with a domain account are
essentially the same as for standalone systems. The difference is the scope of authority for the functional
account used by TPAM, and some of the underlying mechanisms.

Add System to TPAM

The first step is to add a system in TPAM to represent the domain. The first step is to create a system in TPAM to
represent the domain. This is done in the same manner as any managed system, by selecting Systems,
Accounts, & Collections | Systems | Add System from the menu.

TPAM will query DNS for the SRV records of the domain controllers associated with the DNS name of the Active
Directory domain populated in the network address box.
Click the Connection tab to configure the details for the domain, functional account, and other communication
options:
Enter the fully qualified domain name (i.e. saturn.planets.network.net). This cannot be a substitute
name, but must be the real DNS name for the domain. (Required) This is not the Domain Controller,
but the only the Domain Name.
Enter the NetBIOS name for the domain. (Required)
Specify the functional account created in the domain that TPAM will use to manage system accounts.
This account must belong to the Domain Administrators group. Provide the initial password for the
functional account.
If the Non-Privileged Functional Account check box is selected then any password changes for accounts
on this system will use the accounts current password to log in and make the password change instead of
using the functional account password.

TPAM 2.5
94
Client Setup Guide
If you do not select the Allow Functional Account to be Requested for password release check box then the
password will only be accessible to an ISA.

The special permissions on the functional account can be either:

Read all properties
Write all properties
Read permissions
Reset password
OR
Reset password
Account restrictions (read/write)
LockoutTime (read/write)

NOTE: If the Windows Net Logon service is not running a password check will be reported as host
unreachable. A password checked through the DPA with invalid functional account credentials can be
successful, but if checked through TPAM will result in host unreachable.

TPAM 2.5
95
Client Setup Guide
30
Windows Systems

Introduction
Add the Functional Account
Add System to TPAM
Test System
Troubleshoot System Connectivity
Add Windows Domain Member System to TPAM

Introduction
This section provides step by step instructions for configuring Windows 2000/2003 or domain systems. The steps
involved are functional account creation and modification and system creation on TPAM. .

Add the Functional Account

On the Windows system, create a new user account to be the functional account for TPAM. This account must be
added into the Administrators group. It is highly recommended that this account be given a strong password,
and immediately placed under TPAM management. If the account being created is in an Active Directory, the
same steps apply with the additional scope of Domain Administrator privilege.
TIP: The account name does not have to called questtpam, as long as the managed system and TPAM
both use the same account name for the system being managed. Using a standard account name is simply
a way to reduce management complexity.

TPAM 2.5
96
Client Setup Guide
It is recommended that the Password Never Expires check box is selected. Once configured in TPAM, this
account can be auto-managed to keep the password secure.

Add System to TPAM

5 On the Management tab, set the change settings according to your deployment plan.

TPAM 2.5
97
Client Setup Guide
6 The Computer Name box on the Information tab is required for password management and also uses
TPAMs auto logon feature. If this field is not populated, TPAM will attempt to determine the systems
computer name when the system is tested and update the field.
TIP: PSM customers have the option to have TPAM log the user into the remote system using the
Computer Name\USERID format. This will prevent any incorrect logon if the default domain is
saved as the DOMAIN name versus the Local Workstation. If Use Windows Domain Account is
selected on the Session Authentication sub-tab of the PSM Details tab, the user credentials will be
passed as DOMAIN\USERID. You will notice with both options that the DOMAIN field is grayed out at
login.
TIP: PSM sessions to Windows machines using an RDP proxy connection type can be configured on
the Windows machine to use SSL/TLS security for RDP connections. Note that the computer name
set in TPAM for the system may need to be uppercase for the connections to succeed.

7 Click on the Connection tab to set the properties of the functional account that was created on the
Windows system in the steps above.

8 Enter the name of the functional account and its initial password. For Windows systems, the use of DSS
authentication is not available, as it is not natively supported by the OS.
IMPORTANT: Managed accounts on Windows systems need to be given the user right of Access this
computer from the network which can be defined via a Windows policy.

When the appliance checks a managed accounts password it connects to the managed Windows system as the
managed account to verify the validity of the stored password. If an authentication error is reported the
appliance views it as a password mismatch. In most cases this error is caused by the managed accounts not
having the right to access this computer from the network.

Test System
To test the system connectivity to TPAM:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter the system name on the Filter tab.
3 Click on the Listing tab.
4 Select the system in the listing.
5 Click the Test System button.
A successful test result indicates that the remote system is now ready to be managed by TPAM.

TPAM 2.5
98
Client Setup Guide
Troubleshoot System Connectivity
The most common causes of failure are connectivity with the system, or a problem with the functional account.
It is recommended that any errors at this level be fixed before proceeding to add managed accounts, etc.
Connectivity:
Are there security rules on the network (firewalls, routers, etc.) that might be preventing this
traffic?
Is traffic from TPAM routable to the network address of the system to be managed?
Are there any problems with cables, hubs or switches, etc.?
Functional Account:
Is the functional account properly authorized to access the system? In a common setup, sudo is
used to elevate the functional accounts privileges on the system.
Has the functional account been locked out or disabled?
Is the functional account configured to allow remote logon?
A good troubleshooting method to use for failed test situations is to try to access the system to be managed
from another system (not TPAM) remotely, using the same functional account. Problems with the configuration
of the functional account on the remote system should exhibit the same problems from alternate access points.

Add Windows Domain Member System to

TPAM
Creating Windows systems that are members of an Active Directory domain is only slightly different than a
standalone system. The difference is in selecting the functional account used to manage the system.

Enter the system name, address, etc. as with any new system.
Select Windows as the platform.
Enter the Computer Name.
Click on the Connection tab to configure the functional account and other communication options.

TPAM 2.5
99
Client Setup Guide
To use an existing domain level functional account (rather than a local functional account), select the
Use Domain Account check box.
Select the domain/account from the list of available choices. All configured domain accounts will appear
in the list, so there may be several.
The Domain Account field will be populated with the selected information. No further configuration of the
functional account is required.
IMPORTANT: The functional account is a member of the Administrators group, but there are some
privileges that only belong to the single Administrator account. If the password policy on the Windows
system has specific length and character requirements, then the password rule in TPAM must meet those
requirements. If this is not done, there can be a password change failures. The reason is because accounts
in the Administrators group (such as the TPAM functional account) cannot override password policy. Only
the Administrator account can override this password policy when setting a password.

TPAM 2.5
100
Client Setup Guide
31
Test and Troubleshoot

Test System
Troubleshoot System Connectivity

Troubleshoot System Connectivity

The most common causes of failure are connectivity with the system, or a problem with the functional account.
It is recommended that any errors at this level be fixed before proceeding to add managed accounts, etc.
Connectivity:
Are there security rules on the network (firewalls, routers, etc.) that might be preventing this
traffic?
Is traffic from TPAM routable to the network address of the system to be managed?
Are there any problems with cables, hubs or switches, etc.?
Functional Account:
Is the functional account properly authorized to access the system? In a common setup, sudo is
used to elevate the functional accounts privileges on the system.
Has the functional account been locked out or disabled?
Is the functional account configured to allow remote logon?
A good troubleshooting method to use for failed test situations is to try to access the system to be managed
from another system (not TPAM) remotely, using the same functional account. Problems with the configuration
of the functional account on the remote system should exhibit the same problems from alternate access points.

TPAM 2.5
101
Client Setup Guide
About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.

Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
[email protected]

Technical Support Resources

Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
https://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the portal provides direct access to product support engineers through an
online Service Request system.
The site enables you to:
Create, update, and manage Service Requests (cases)
View Knowledge Base articles
Engage in community discussions
Chat with a support engineer

TPAM 2.5
102
Client Setup Guide

Product Management Final Exam
No ratings yet
Product Management Final Exam
24 pages
JUDGE DALE-COURT SYSTEM - Odt
95% (20)
JUDGE DALE-COURT SYSTEM - Odt
25 pages
Pija Company Analysis Wisynco Vs Lasco
No ratings yet
Pija Company Analysis Wisynco Vs Lasco
5 pages
Delta V System Administration
100% (3)
Delta V System Administration
294 pages
VFSM Ag 7 8
No ratings yet
VFSM Ag 7 8
541 pages
9720107-006 Enhanced Diagnostic Monitor v2.4.0 Users Guide
100% (1)
9720107-006 Enhanced Diagnostic Monitor v2.4.0 Users Guide
210 pages
Programming FPGAs: Getting Started with Verilog
From Everand
Programming FPGAs: Getting Started with Verilog
Simon Monk
3.5/5 (2)
Tesis Magister Manajemen Pemasaran
83% (6)
Tesis Magister Manajemen Pemasaran
16 pages
Administration Guide NMC2 R161 Ed03
No ratings yet
Administration Guide NMC2 R161 Ed03
197 pages
Guardian Edge Client Administrator Guide
No ratings yet
Guardian Edge Client Administrator Guide
49 pages
FTOS Configuration Guide For The S55 System FTOS 8.3.5.5
No ratings yet
FTOS Configuration Guide For The S55 System FTOS 8.3.5.5
780 pages
PAN OS 6.0 Admin Guide PDF
No ratings yet
PAN OS 6.0 Admin Guide PDF
348 pages
All-Products Esuprt Ser Stor Net Esuprt Force10 Force10-S4820 Reference Guide2 En-Us
No ratings yet
All-Products Esuprt Ser Stor Net Esuprt Force10 Force10-S4820 Reference Guide2 En-Us
1,114 pages
QRadar 71MR2 AdminGuide
No ratings yet
QRadar 71MR2 AdminGuide
316 pages
Tib Admin Server
No ratings yet
Tib Admin Server
287 pages
PAN OS 6.1 Admin Guide
No ratings yet
PAN OS 6.1 Admin Guide
666 pages
Force10-S25p - Reference Guide - En-Us PDF
No ratings yet
Force10-S25p - Reference Guide - En-Us PDF
1,262 pages
G8264 Ag 8-3
No ratings yet
G8264 Ag 8-3
670 pages
QNAD 71MR1 AdminGuide
No ratings yet
QNAD 71MR1 AdminGuide
296 pages
DataPower SOA Appliance Administration Deployment and Best Practices
No ratings yet
DataPower SOA Appliance Administration Deployment and Best Practices
300 pages
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
From Everand
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
Matthew C. Smith
No ratings yet
Config PaloAlto
100% (1)
Config PaloAlto
684 pages
Getting Started Guide PAN-OSv5.0
No ratings yet
Getting Started Guide PAN-OSv5.0
126 pages
Pan Os 6.1
No ratings yet
Pan Os 6.1
680 pages
FTOS Configuration Guide
No ratings yet
FTOS Configuration Guide
1,220 pages
Pan Os 6.0 GSG
No ratings yet
Pan Os 6.0 GSG
108 pages
PAN-OS® 8.0 CLI Quick Start
No ratings yet
PAN-OS® 8.0 CLI Quick Start
48 pages
Palo Alto Networks Administrators Guide
No ratings yet
Palo Alto Networks Administrators Guide
274 pages
Pan Os
No ratings yet
Pan Os
928 pages
Force10-S60 Reference Guide3 En-Us
No ratings yet
Force10-S60 Reference Guide3 En-Us
830 pages
Npam Admin
No ratings yet
Npam Admin
354 pages
Ubee DDW365 MSO Operations Guide Cox 091515
No ratings yet
Ubee DDW365 MSO Operations Guide Cox 091515
256 pages
Powerconnect-8024 Reference Guide En-Us
No ratings yet
Powerconnect-8024 Reference Guide En-Us
1,818 pages
Pan Os
0% (1)
Pan Os
952 pages
00d2331 Application Guide EN4093
No ratings yet
00d2331 Application Guide EN4093
488 pages
G8124-E Ag 8-3 PDF
No ratings yet
G8124-E Ag 8-3 PDF
526 pages
Pan Os
No ratings yet
Pan Os
932 pages
Cloud Web Help
No ratings yet
Cloud Web Help
306 pages
Cloud Web Help
No ratings yet
Cloud Web Help
306 pages
Manual - Netgear ReadyNAS Pro 6 RNDP6000
No ratings yet
Manual - Netgear ReadyNAS Pro 6 RNDP6000
132 pages
Bitdefender GravityZone AdministratorsGuide 1 EnUS
No ratings yet
Bitdefender GravityZone AdministratorsGuide 1 EnUS
261 pages
ChatGPT for Business: Strategies for Success
From Everand
ChatGPT for Business: Strategies for Success
Matthew C. Smith
No ratings yet
Pan Os 61 AdminGuide
No ratings yet
Pan Os 61 AdminGuide
698 pages
Gray Hat Hacking the Ethical Hacker's
From Everand
Gray Hat Hacking the Ethical Hacker's
Çağatay Şanlı
5/5 (1)
Fortigate System Admin 40 Mr3
No ratings yet
Fortigate System Admin 40 Mr3
311 pages
Av Security
No ratings yet
Av Security
86 pages
Pelco SM5200 Config
No ratings yet
Pelco SM5200 Config
24 pages
Endura System Manager nsm5200 PDF
No ratings yet
Endura System Manager nsm5200 PDF
24 pages
Quick Reference Guide: Microsoft Windows Xpe-Based Thin Clients - T5710 & T5720
No ratings yet
Quick Reference Guide: Microsoft Windows Xpe-Based Thin Clients - T5710 & T5720
72 pages
Fortiauthenticator Admin 12
No ratings yet
Fortiauthenticator Admin 12
46 pages
Dell OpenManage Network Manager User Guide 6.2 SP2
No ratings yet
Dell OpenManage Network Manager User Guide 6.2 SP2
722 pages
Zos User Guide
No ratings yet
Zos User Guide
452 pages
System Administration Manua v5.0.2
No ratings yet
System Administration Manua v5.0.2
76 pages
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
From Everand
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
Christopher Rush
5/5 (1)
Npam Install
No ratings yet
Npam Install
46 pages
Teamcenter 10.0 Security Services Installation
No ratings yet
Teamcenter 10.0 Security Services Installation
150 pages
Webroot SecureAnywhere User Guide - 101411
No ratings yet
Webroot SecureAnywhere User Guide - 101411
186 pages
PAN OS 6.0 Admin Guide
No ratings yet
PAN OS 6.0 Admin Guide
478 pages
Dell SonicWALL E-Class SRA 10.6.2 Admin Guide
No ratings yet
Dell SonicWALL E-Class SRA 10.6.2 Admin Guide
585 pages
Lenovo CNOS AG 10-7 PDF
No ratings yet
Lenovo CNOS AG 10-7 PDF
746 pages
TIBCO Administrator™: Server Configuration Guide
No ratings yet
TIBCO Administrator™: Server Configuration Guide
297 pages
875 3766 10 Acsls
No ratings yet
875 3766 10 Acsls
576 pages
Programming the Photon: Getting Started with the Internet of Things
From Everand
Programming the Photon: Getting Started with the Internet of Things
Christopher Rush
5/5 (1)
The IT Factory
From Everand
The IT Factory
H.J.C. van Aken
No ratings yet
System Map Plan Du Réseau: Simcoe Peterborough
No ratings yet
System Map Plan Du Réseau: Simcoe Peterborough
1 page
TPAM 2.5.916 ReleaseNotes
No ratings yet
TPAM 2.5.916 ReleaseNotes
13 pages
Matsya Opengurukul Brochure
No ratings yet
Matsya Opengurukul Brochure
19 pages
SYNFlood Attack Solaris
No ratings yet
SYNFlood Attack Solaris
30 pages
Makemytrip Booking Id Nh210282852611: Hotel Details
No ratings yet
Makemytrip Booking Id Nh210282852611: Hotel Details
2 pages
Normaltestreport
No ratings yet
Normaltestreport
3 pages
Ebooks File A Photographic Atlas For The Anatomy and Physiology Laboratory 7th Edition Kent Marshall Van de Graaff All Chapters
100% (5)
Ebooks File A Photographic Atlas For The Anatomy and Physiology Laboratory 7th Edition Kent Marshall Van de Graaff All Chapters
84 pages
Grade 4 Pacing Chart 2nd Semester
No ratings yet
Grade 4 Pacing Chart 2nd Semester
6 pages
Spacemacs Cheatsheet
No ratings yet
Spacemacs Cheatsheet
2 pages
Read On.: Excavator Operating Weight Class 70 Tonnes
No ratings yet
Read On.: Excavator Operating Weight Class 70 Tonnes
4 pages
High School Basketball Preview
No ratings yet
High School Basketball Preview
14 pages
Get How It Works Book of Incredible History: Everything You Need to Know about the World We Lived In 12th Edition Philippa Grafton free all chapters
100% (4)
Get How It Works Book of Incredible History: Everything You Need to Know about the World We Lived In 12th Edition Philippa Grafton free all chapters
55 pages
User Manual: 4CH/8CH Super HD 4.0MP Network Video Recorder 4.0MP Network Camera
No ratings yet
User Manual: 4CH/8CH Super HD 4.0MP Network Video Recorder 4.0MP Network Camera
45 pages
CV Resume
No ratings yet
CV Resume
2 pages
thuvienhoclieu.com-Bo-de-kiem-tra-giua-HK2-Tieng-Anh-6-global-24-25
No ratings yet
thuvienhoclieu.com-Bo-de-kiem-tra-giua-HK2-Tieng-Anh-6-global-24-25
16 pages
288SRO dimention
No ratings yet
288SRO dimention
4 pages
Tutorial On How To Create An Op-Amp in Cadence
No ratings yet
Tutorial On How To Create An Op-Amp in Cadence
9 pages
Praharsh PPT (Modelling of Unified Power Flow Controller) GG
No ratings yet
Praharsh PPT (Modelling of Unified Power Flow Controller) GG
16 pages
3_GGI 3203_Classification of Mixed Pixels_updated
No ratings yet
3_GGI 3203_Classification of Mixed Pixels_updated
15 pages
A Final Project Report ON: Study of Risk Management On Banking Sector
No ratings yet
A Final Project Report ON: Study of Risk Management On Banking Sector
4 pages
Cronica Del Pajaro Que Da Cuerd - Haruki Murakami
No ratings yet
Cronica Del Pajaro Que Da Cuerd - Haruki Murakami
1,116 pages
Op New Blood Super Secret Security Handbook
100% (2)
Op New Blood Super Secret Security Handbook
20 pages
68 105 115 - TR V PR GB 0020 03 - SLG - Web
No ratings yet
68 105 115 - TR V PR GB 0020 03 - SLG - Web
48 pages
Causes of Landslides
No ratings yet
Causes of Landslides
9 pages
Manual Extension
No ratings yet
Manual Extension
6 pages
Astigmatism
No ratings yet
Astigmatism
21 pages
Hillcrest Property, LLC v. Pasco County, No. 13-12383 (11th Cir. June 18, 2014)
No ratings yet
Hillcrest Property, LLC v. Pasco County, No. 13-12383 (11th Cir. June 18, 2014)
11 pages
Bank
No ratings yet
Bank
5 pages
SchenckProcess Frozen Electronics GB
No ratings yet
SchenckProcess Frozen Electronics GB
3 pages
Pressure Vessel Dimension Inspection
No ratings yet
Pressure Vessel Dimension Inspection
17 pages
Business Notes
100% (5)
Business Notes
162 pages