Set Up Credential Manager Operation Settings

Before you configure credential management features, configure Credential Manager preferences for operation:
Beginning with release 3.0, the Credential Manager UI was integrated in the main product UI.
Specify General Operation Settings
The General Settings are preferences for Credential Manager operations.
To access these settings:
  1. In the UI, navigate to Settings, Credential Manager, General Settings.
  2. Configure the following preferences:
  • Disable CLI Host Name Check
    If a server is executing Credential Manager commands from the CLI, the server must provide a certificate to execute CLI commands. Select this option to override the verification of the appliance host name in the certificate.
  • Allow Self Approval of Password View Request
    Allows users who are authorized approvers to approve their own password view requests.
  • Maximum Number of Report Entries
    Sets the number of Credential Manager entries in a report. The default is 5000. We recommend that you limit entries to less than 5000 records. The maximum size ultimately depends on the type of report, its output format, and the available memory in Credential Manager. If an HTML report runs out of memory, try generating a CSV or a PDF file instead. Alternatively, use the setReportRowLimit CLI command.
  • Password View Request Delete Interval Days
    This field specifies the number of days after which a password view request expires.
    Example: If you set this field to 12, the password view requests are deleted automatically from the My Approvals list when they become 12 days old. For information about the My Approvals list, see Credentials, Workflow, My Approvals.
  • Automatically Update Expired Passwords
    This checkbox enables automatic updates to the passwords for synchronized accounts when the password age exceeds the specification in its Password Composition Policy.
  • Enable External CLI
    This option enables the Credential Manager CLI. The CLI provides administrative access to password management functions, such as adding and modifying target and request data. The CLI also provides access to a limited set of maintenance operations. The Remote CLI is supported on UNIX, Linux, and Windows platforms. For more information, see Use the Credential Manager CLI.
  • Password View Request Banner
    Optional. Enter the text for a banner that is displayed on Password View Requests. This banner can contain information about what users need to enter in the Reason Description and Reference Code fields when they attempt to view a password for an account. You can also set this banner on the Create a Basic Password View Policy page. If set as part of a Password View Policy, it takes priority over this General Setting.
Archive and Purge Metrics and Audit Logs
Credential Manager produces many log messages in the form of metrics and audit logs. These logs are saved on your appliance and they can fill up your hard drive, which can be disastrous. These logs are not purged by the Automatic Log Purge feature, which only removes session logs. Use Auto-Archive to archive and purge these logs automatically. You configure archive settings for Metrics and Audit Logs separately. For more information about Metrics and Audit Logs, see Credential Management Log Formats.
Prerequisite
Archived logs are saved to a session recording mount, which must be set up first. See Set Up Session Recording for instructions.
If you are using a Syslog server to save these messages, you can opt to purge and not archive them. 
Follow these steps:
  1. Select Settings, Credential Manager and select the Auto-Archive tab.
    Metrics and Audit Log archive settings are configured separately. Each section has the same fields.
  2. Select an archive Option:
    • PURGE only. Do not archive.
    • Archive to PRIMARY Mount, then purge.
    • Archive to FAILOVER Mount, then purge.
    The Primary and Failover Mounts behave independently of their session recording purposes. Either mount can be used for either or both log types. The "Failover Mount" does not act as a failover for the Primary when archiving.
  3. Select the log Age (Days) after which the purge or archive is performed. For example, to keep the most recent week of logs locally, select 7. The archive happens at midnight GMT and is not configurable.
  4. To store the logs in a specific folder or folder path, enter it in the Folder field. If the folder does not exist, it is created by the process. The process appends a server-id folder and a metrics-id or auditlogs-id folder beneath your specified folder. The id is the Hardware ID found on the Configuration, , Hardware Identifiers page. The full path appears as the Storage field value once the archive settings are saved successfully.
  5. Select Save.
Once saved, the Storage, Mount Status, and Mount Availability states appear on the page.
Archive Process
Once an archive process has begun, status and statistics appear in the Archive Process area. Each cluster member has a row in Metrics and Audit Log, with the most recent information for that process.
The Site column lists the configured cluster site name, if any. The IP Address column is for the individual appliance or cluster member.
The options for Status are: Purge OK, Archive OK, Error, No Storage. If the status is "No Storage," the storage mount is not available, and the process deletes only non-essential logs. The Status Date denotes when the status shown was recorded.
The Action Date column is when the purge or archive was taken. This column can be empty if there was nothing to purge or archive during the most recent process.
Select the Reset Process Statistics button to clear the data.
Error messages and warnings are posted on the top of the Dashboard. To get rid of warnings on the Dashboard, select the Reset Dashboard Warnings button. This button is only active when there are warnings on the Dashboard.
Configure A2A Request Servers
A2A credential management permits customer applications and scripts to obtain credentials for target applications. To use this feature, first configure global default settings for A2A and request servers. For more information about A2A Request Servers, see Configure A2A Credential Management.
Follow these steps:
  1. Select Settings, Credential Manager and select the Request Server Settings tab.
  2. Review the A2A Global Settings:
    • Check Execution User sets default credential request checking to validate the execution user ID.
    • Check Execution Path sets default credential request checking to validate the execution path.
    • Check File Path sets default credential request checking to validate the file path.
    • Perform Script Integrity Validation sets default credential request checking to perform script integrity validation.
  3. Review the Request Server Global Settings:
    • FIPS 140-2 Mode
    • Preserve Client/Proxy Host Names
    • Enable Hardware Fingerprinting for request servers (hosting A2A Clients).
  4. Select Save.
Request Server Subnets
The Request Server Subnets tab displays a list of auto-registered request server settings by subnet.
To add a Request Server Subnet, follow these steps:
  1. Select Add.
  2. In the Add Request Server Subnet window, complete the fields:
  3. Select OK to save your subnet.
Set Up Email Notification for Password View Policies
When a user views a password, an administrator or other user can receive an email notification. Email notifications are available only for password view policies. They are sent only for successful initial password view requests. Configure the email server and email templates in the Credential Manager settings. After you specify these settings, enable the notification in the password view policy. Notifications are configured on a per-policy basis.
To set up the email preferences, see Email Preferences for Password View Policies.
To enable notifications, see Enable Email Notification.
Monitor Default Credential Manager Activities
To help monitor Credential Manager activity, such as passwords not verified, create an activities list from a set of predefined metrics. You can add, remove, and reposition list items. You can set a threshold for the number of occurrences for a given activity to display a warning indicator in the list.
Follow these steps:
  1. Select Settings, Credential Manager, Default Activities List.
  2. To add an item to the list:
    1. Select the + (plus) symbol. The Item Name window appears.
    2. Select one or more items from the activity list.
    3. Select OK.
    To reposition a list item, select the item and use the Up or the Down arrow.
    To remove an entry from the Activities list, select the X icon.
  3. To set a threshold limit that displays a warning icon in the list, enter an integer in the Threshold column. For example, enter 5 for the Passwords Not Verified setting. When the number of unverified passwords reaches five, a warning icon appears in the Activities List page.
  4. Select Save.
To display the activity report, select Credentials, Reports, Activities.