Set Up Credential Manager Operation Settings

Before you configure credential management features, configure Credential Manager preferences for operation:
Beginning with release 3.0, the Credential Manager UI was integrated in the main product UI.
Specify General Operation Settings
The General Settings are preferences for Credential Manager operations.
To access these settings:
  1. In the UI, navigate to Settings, Credential Manager, General Settings.
  2. Configure the following preferences:
  • Disable CLI Host Name Check
    If a server is executing Credential Manager commands from the CLI, the server must provide a certificate to execute CLI commands. Select this option to override the verification of the appliance host name in the certificate.
  • Allow Self Approval of Password View Request
    Allows users who are authorized approvers to approve their own password view requests.
  • Maximum Number of Report Entries
    Sets the number of Credential Manager entries in a report. The default is 5000. We recommend that you limit entries to less than 5000 records. The maximum size ultimately depends on the type of report, its output format, and the available memory in Credential Manager. If an HTML report runs out of memory, try generating a CSV or a PDF file instead. Alternatively, use the setReportRowLimit CLI command.
  • Password View Request Delete Interval Days
    This field specifies the number of days after which a password view request expires.
    Example: If you set this field to 12, the password view requests are deleted automatically from the My Approvals list when they become 12 days old. For information about the My Approvals list, see Credentials, Workflow, My Approvals.
  • Automatically Update Expired Passwords
    This checkbox enables automatic updates to the passwords for synchronized accounts when the password age exceeds the specification in its Password Composition Policy. 
  • Enable External CLI
    This option enables the Credential Manager CLI. The CLI provides administrative access to password management functions, such as adding and modifying target and request data. The CLI also provides access to a limited set of maintenance operations. The Remote CLI is supported on UNIX, Linux, and Windows platforms. For more information, see Use the Credential Manager CLI.
Archive and Purge Metrics and Audit Logs 
Credential Manager produces many log messages in the form of metrics and audit logs. These logs are saved on your appliance and they can fill up your hard drive, which can be disastrous. These logs are not purged by the Automatic Log Purge feature, which only removes session logs. Use Auto-Archive to archive and purge these logs automatically. You configure archive settings for Metrics and Audit Logs separately. For more information about Metrics and Audit Logs, see Credential Management Log Formats.
Prerequisite
Archived logs are saved to a session recording mount, which must be set up first. See Set Up Session Recording for instructions. 
 If you are using a Syslog server to save these messages, you can opt to purge and not archive them.  
Follow these steps:
  1. Select Settings, Credential Manager and select the Auto-Archive tab.
    Metrics and Audit Log archive settings are configured separately. Each section has the same fields.
  2. Select an archive Option:
    • PURGE only. Do not archive. 
    • Archive to PRIMARY Mount, then purge. 
    • Archive to FAILOVER Mount, then purge. 
    The Primary and Failover Mounts behave independently of their session recording purposes. Either mount can be used for either or both log types. The "Failover Mount" does not act as a failover for the Primary when archiving.
  3. Select the log Age (Days) after which the purge or archive is performed. For example, to keep the most recent week of logs locally, select 7. The archive happens at midnight GMT and is not configurable.
  4. To store the logs in a specific folder or folder path, enter it in the Folder field. If the folder does not exist, it is created by the process. The process appends a server-id folder and a metrics-id or auditlogs-id folder beneath your specified folder. The id is the Hardware ID found on the Configuration, Hardware Identifiers page. The full path appears as the Storage field value once the archive settings are saved successfully.
  5. Select Save.
Once saved, the Storage, Mount Status, and Mount Availability states appear on the page.
Archive Process
Once an archive process has begun, status and statistics appear in the Archive Process area. Each cluster member has a row in Metrics and Audit Log, with the most recent information for that process.
The Site column lists the configured cluster site name, if any. The IP Address column is for the individual appliance or cluster member.
The options for Status are: Purge OK, Archive OK, Error, No Storage. If the status is "No Storage," the storage mount is not available, and the process deletes only non-essential logs. The Status Date denotes when the status shown was recorded.
The Action Date column is when the purge or archive was taken. This column can be empty if there was nothing to purge or archive during the most recent process.
Select the Reset Process Statistics button to clear the data.
Error messages and warnings are posted on the top of the Dashboard. To get rid of warnings on the Dashboard, select the Reset Dashboard Warnings button. This button is only active when there are warnings on the Dashboard.
Configure A2A Request Servers
A2A credential management permits customer applications and scripts to obtain credentials for target applications. To use this feature, first configure global default settings for A2A and request servers. For more information about A2A Request Servers, see Configure A2A Credential Management.
Follow these steps:
  1. Select Settings, Credential Manager and select the Request Server Settings tab.
  2. Review the A2A Global Settings:
    • Check Execution User sets default credential request checking to validate the execution user ID.
    • Check Execution Path sets default credential request checking to validate the execution path.
    • Check File Path sets default credential request checking to validate the file path.
    • Perform Script Integrity Validation sets default credential request checking to perform script integrity validation.
  3. Review the Request Server Global Settings:
    • FIPS 140-2 Mode
    • Preserve Client/Proxy Host Names
    • Enable Hardware Fingerprinting for request servers (hosting A2A Clients).
  4. Select Save.
Request Server Subnets
The Request Server Subnets tab displays a list of auto-registered request server settings by subnet.
To add a Request Server Subnet, follow these steps:
  1. Select Add.
  2. In the Add Request Server Subnet window, complete the fields:
  3. Select OK to save your subnet.
Set Up Email Notification for Password View Policies
When a user views a password, an administrator or other user can receive an email notification. Email notifications are available only for password view policies. They are sent only for successful initial password view requests. Configure the email server and email templates in the Credential Manager settings. After you specify these settings, then enable the notification in the password view policy. Notifications are configured on a per-policy basis.
To set up the email preferences, see Email Preferences for Password View Policies.
To enable notifications, see Enable Email Notification.
Monitor Default Credential Manager Activities
To help monitor Credential Manager activity, such as passwords not verified, create an activities list from a set of predefined metrics. You can add, remove, and reposition list items. You can set a threshold for the number of occurrences for a given activity to display a warning indicator in the list.
Follow these steps:
 
  1. Select Settings, Credential Manager, Default Activities List.
  2. To add an item to the list:
    1. Select the + (plus) symbol. The Item Name window appears.
    2. Select one or more items from the activity list.
    3. Select OK.
    To reposition a list item, select the item and use the Up or the Down arrow.
    To remove an entry from the Activities list, select the X icon.
  3. To set a threshold limit that displays a warning icon in the list, enter an integer in the Threshold column. For example, enter a five for the Passwords Not Verified setting. When the number of unverified passwords reaches five, a warning icon appears in the Activities List page.
  4. Select Save.
To display the activity report, select Credentials, Reports, Activities.