Eliminate Embedded Passwords - Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager includes an API through which applications retrieve passwords
as needed, at runtime. This is intended to replace application storage
of static, plaintext passwords in configuration files, source code,
registry entries, etc. Privileged Access Manager periodically randomizes passwords used
to connect to network services (DB, FTP, web, etc.), while applications
use the API to retrieve passwords as required.
The Privileged Access Manager API is accessed as a SOAP web service over HTTPS.
For example, Privileged Access Manager may randomize an Oracle DBMS login
password every 24 hours. Web applications which use the password
to establish database connections can periodically sign into
Privileged Access Manager with their own credentials (see below) and retrieve
the current value of this password.
An important design consideration when implementing a privileged
password retrieval API is how the client which requests password
disclosure (the web application in the above example) authenticates
itself to the web service. Privileged Access Manager secures this process with a
combination of access controls, one-time passwords and network
- API clients each have their own ID, used to sign into Privileged Access Manager.
- These IDs are attached to console user groups and assigned access rights
to privileged accounts managed by Privileged Access Manager. This allows Privileged Access Manager to
determine which passwords a given ID is allowed to retrieve.
- API client login IDs are assigned one-time passwords (OTPs).
In effect, the password used by the client software to sign into the
Privileged Access Manager API changes to a new, random string after each successful
login by the client application into the Privileged Access Manager web service.
- API client login IDs are linked to IP subnets.
An API client can only sign into the Privileged Access Manager web service from an
IP address in the correct range.
An "API wrapper" library is provided to simplify use of the Privileged Access Manager
web service. Different versions of the library are provided for a
variety of runtime platforms and programming languages, such as .NET,
Java, Linux/C, etc. This wrapper code performs several functions:
- Storing the one-time password (OTP) used to authenticate to the API.
- Serializing access to the API, so that the OTP is always valid
(avoiding race conditions where two threads receive two OTP values at
almost the same time).
- Keeping cached copies of passwords previously retrieved from the API,
along with cache expiry time. This improves system performance as
calls to the wrapper library do not always trigger web services calls
to Privileged Access Manager. This also ensures service resilience, in the event that
Privileged Access Manager becomes temporarily unavailable.
- Encrypting both the OTP and locally cached passwords.
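As an added illustration (not the product's own wrapper library or its SOAP API), the following Python models the wrapper behaviour listed above: a constructed stand-in service rotates the client's OTP after every successful login, and the wrapper serializes logins behind a lock, caches retrieved passwords with an expiry time, and falls back to an expired cache entry when the service is unreachable. Class and method names, and the `now` parameter used in place of a clock, are assumptions.

```python
import secrets
import threading

class FakePamService:
    """Constructed stand-in for the PAM web service (not the real SOAP API)."""
    def __init__(self, client_id, first_otp, passwords):
        self.otps = {client_id: first_otp}  # one OTP per API client ID
        self.passwords = passwords          # managed account -> current value
        self.available = True

    def login_and_fetch(self, client_id, otp, account):
        if not self.available:
            raise ConnectionError("PAM service unreachable")
        if not secrets.compare_digest(self.otps.get(client_id, ""), otp):
            raise PermissionError("OTP rejected")      # stale or replayed OTP
        self.otps[client_id] = secrets.token_hex(16)   # rotate after success
        return self.passwords[account], self.otps[client_id]

class PamWrapper:
    """Models the wrapper: serialized OTP use, cache with expiry, outage fallback."""
    def __init__(self, service, client_id, otp, ttl_seconds=3600):
        self.service, self.client_id, self.otp = service, client_id, otp
        self.ttl, self.calls = ttl_seconds, 0      # calls = round trips made
        self.cache = {}                           # account -> (password, expiry)
        self.lock = threading.Lock()              # never two logins racing for an OTP

    def get_password(self, account, now):
        # `now` is passed in for determinism; real code would use time.time()
        with self.lock:
            hit = self.cache.get(account)
            if hit and hit[1] > now:
                return hit[0]                     # fresh entry, no round trip
            try:
                pw, self.otp = self.service.login_and_fetch(
                    self.client_id, self.otp, account)
                self.calls += 1
            except ConnectionError:
                if hit:                           # expired, but usable in an outage
                    return hit[0]
                raise
            self.cache[account] = (pw, now + self.ttl)
            return pw

def fetch_concurrently(wrapper, account, now, threads=5):
    # Several threads share one wrapper; the lock keeps the OTP chain intact.
    results = []
    workers = [threading.Thread(target=lambda: results.append(
        wrapper.get_password(account, now))) for _ in range(threads)]
    for t in workers: t.start()
    for t in workers: t.join()
    return results
```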
Encrypting the OTP and cached passwords requires an
encryption key. The API wrapper libraries support a variety of methods
to produce this key, all of which are intended to fingerprint the
authorized application and its runtime environment. These include:
- A static key (e.g., embedded into the application or configuration
file) -- useful during development or debugging.
- A key generated from characteristics of the machine on which
the application runs, such as its MAC addresses, IP addresses,
- A key generated from characteristics of the program which is
calling the API (i.e., a cryptographic hash of the program itself).
- Hashes of configuration files and command-line arguments.
The objective of these key generation mechanisms is to lock down the
application and its runtime, so that only the approved application
running on an approved system will be able to retrieve a password
from Privileged Access Manager or from the local cache. An attacker who compromises
the system running an application should be prevented from adding
logging statements that display the retrieved password, from moving
the application to another server and retrieving passwords there,
and from running the program with different command-line arguments or
configuration files so that it prints the password to a log file, and so on.
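An added example (not code from Hitachi ID) of the fingerprint-derived key from the list above and the lock-down objective just described: the key is derived from hashes of the program and its configuration file, its command line and the host's MAC addresses, so a cache copied to another host, or opened by the program with extra arguments or an edited binary, fails the key check. Function names, the purpose label and the sample runtime values are constructed.

```python
import hashlib
import hmac
import struct

def encode_components(components):
    """Length-prefix each (name, value) pair so field boundaries are unambiguous:
    ("a", b"bc") can never encode the same way as ("ab", b"c")."""
    out = b""
    for name, value in components:
        for part in (name.encode(), value):
            out += struct.pack(">I", len(part)) + part
    return out

def fingerprint_key(program_bytes, config_bytes, argv, mac_addresses,
                    purpose=b"pam-wrapper-cache-key-v1"):
    """Derive the cache/OTP encryption key from the approved program, its
    configuration, its command line and the host's MAC addresses. Any change
    in those inputs yields a different key, so a copied cache is unreadable."""
    components = [
        ("program", hashlib.sha256(program_bytes).digest()),
        ("config", hashlib.sha256(config_bytes).digest()),
        ("argv", b"\0".join(a.encode() for a in argv)),
        ("macs", ",".join(sorted(mac_addresses)).encode()),  # order-independent
    ]
    return hmac.new(purpose, encode_components(components), hashlib.sha256).digest()

def key_tag(key):
    """Tag stored beside the encrypted cache; reveals nothing useful about the key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def cache_unlocks(stored_tag, candidate_key):
    """Constant-time check that a stored key tag matches the freshly derived key."""
    return hmac.compare_digest(stored_tag, key_tag(candidate_key))

# Constructed sample runtime; real code would read the program file,
# the config file, sys.argv and the NIC addresses of the host.
APPROVED = dict(program_bytes=b"#!/usr/bin/env python3\nprint('app')\n",
                config_bytes=b"db=oracle1\n", argv=["app.py", "--prod"],
                mac_addresses=["00:11:22:33:44:55", "66:77:88:99:aa:bb"])
```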
Hitachi ID Systems is happy to provide new versions of this wrapper library
for different run-times or programming languages based on customer
The wrapper library is also provided in command-line form, suitable for
use in scripts and for troubleshooting.
- Randomize Privileged Passwords:
Privileged Access Manager periodically randomizes passwords on privileged accounts.
- Launch Privileged Login Sessions:
Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
- Limit Concurrent Administrator Logins:
Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
- Record Administrator Logins:
Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
- Password History:
Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
- Audit Logs and Reports:
Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
- Eliminate Embedded Passwords:
Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to securely acquire credentials to other applications on demand.
- Change Service Account Passwords:
Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.