
IBM Security Privileged Identity ManagerVersion 1.0.1Administrator Guide SC27-5619-01


Note
Before using this information and the product it supports, read the information in Notices.

Edition notice
Note: This edition applies to version 1.0.1 of IBM Security Privileged Identity Manager (product number 5725-H30) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures  v
Tables  vii
About this publication  ix
  Access to publications and terminology  ix
  Accessibility  x
  Technical training  x
  Support information  x
  Statement of Good Security Practices  x
Chapter 1. Shared access administration  1
  Administering shared access  1
  Privileged Administrator view  2
  Privileged user view  3
  Manual checkout and check-in of shared credentials  3
  Administrative console host names, ports and URLs  4
Chapter 2. Session recording administration  7
  Session recording overview  7
  Session recorder configuration  8
    Recording policies  8
    AccessProfiles  8
  Adding security auditors  9
  Accessing recordings  9
    Logging on to the IBM Privileged Session Recorder console  9
    Searching for recordings  10
    Customizing the columns displayed  11
    Playing back recordings  11
  Search index  12
    Backing up the full-text search index  12
    Restoring the full-text search index  12
    Online search index backup properties  13
Chapter 3. Modifying AccessProfiles  17
  Modifying AccessProfiles for the IBM Personal Communications application  17
  Modifying AccessProfiles for the PuTTY application  19
  Privileged Session Recorder widgets  21
    Initializing a session recording  23
    Starting a session recording  23
    Stopping a session recording  24
    Pausing a session recording  25
    Resuming a recording session  25
Chapter 4. Reports and audit logs  27
  Types of available reports  27
  Viewing reports with Tivoli Common Reporting  29
  Shared access objects for custom reports  30
  Viewing audit logs for privileged identities  30
  Customizing Cognos-based reports for IBM Privileged Session Recorder  30
  Report examples  31
    Example: User information  31
    Example: Application usage  32
    Example: Shared access history  33
    Example: Shared access entitlements by owner  34
    Example: Shared access entitlements by role  35
    Example: IBM Privileged Session Recorder  36
  IBM Privileged Session Recorder Server Event ID descriptions  36
  Privileged identity management messages  37
  Syslog forwarding properties  39
Notices  41
Glossary  45
Index  47


Figures

1. Session recording components  7
2. How the Privileged Session Recorder widgets work  21
3. Example of a basic recording AccessProfile without check-in and check-out  22
4. User information audit report  31
5. Application usage audit report  32
6. Shared access history report  33
7. Shared access entitlements by owner report  34
8. Shared access entitlements by role report  35
9. IBM Privileged Session Recorder report  36


Tables

1. Shared access administration tasks  1
2. Data reference for shared access  1
3. Description of variables for host names and port numbers  4
4. Common administrative consoles for IBM Security Privileged Identity Manager  4
5. Examples of how to search with the Start time range and End time range in Advanced Search  11
6. Playback controls  11
7. Details of the properties for online index backup configuration in the psr.properties file  13
8. Audit logs and reports for the IBM Security Privileged Identity Manager solution  27
9. Related reports for privileged identity management  30
10. Privileged Session Recorder Server audit events  36
11. List of message identifiers  37
12. Details of the properties for Syslog forwarding configuration  39


About this publication

IBM Security Privileged Identity Manager Administrator Guide describes the administration tasks for managing privileged identities.

Access to publications and terminology

This section provides:
- A list of publications in the "IBM Security Privileged Identity Manager library."
- Links to "Online publications."
- A link to the "IBM Terminology website" on page x.

IBM Security Privileged Identity Manager library
The following documents are available online in the IBM Security Privileged Identity Manager library:
- IBM Security Privileged Identity Manager Deployment Overview Guide, SC27-4382-02
- IBM Security Privileged Identity Manager Administrator Guide, SC27-5619-01
- IBM Security Privileged Identity Manager Virtual Appliance Deployment Guide, SC27-5625-00

Online publications
IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Privileged Identity Manager library
    The product documentation site (opic/com.ibm.ispim.doc 1.0.1/kc-homepage.html) displays the welcome page and navigation for the library.
IBM Security Identity Manager library
    The product documentation site (opic/com.ibm.isim.doc 6.0.0.2/kc-homepage.htm) displays the welcome page and navigation for the IBM Security Identity Manager product.
IBM Security Access Manager for Enterprise Single Sign-On library
    The product documentation site (opic/com.ibm.itamesso.doc 8.2.1/kc-homepage.html) displays the welcome page and navigation for the IBM Security Access Manager for Enterprise Single Sign-On product.
IBM Security Systems Documentation Central
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.
IBM Publications Center
    The IBM Publications Center site (/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website
The IBM Terminology website consolidates terminology for product libraries in one location.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see the IBM Security Privileged Identity Manager Deployment Overview Guide.

Technical training

For technical training information, see the IBM Education website.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site.

The IBM Security Identity Manager Troubleshooting Guide and the IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting Guide provide details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

See the IBM Security Privileged Identity Manager Deployment Overview Guide for instructions and problem-determination resources for IBM Security Privileged Identity Manager.

Note: The Community and Support tab on the product documentation can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Shared access administration

When your IBM Security Privileged Identity Manager deployment is configured, you can administer shared access features.

Administering shared access

The IBM Security Identity Manager shared access module provides centralized management of shared and privileged accounts.

Table 1 describes administration tasks that you might want to complete, depending on the requirements of your deployment.

Table 1. Shared access administration tasks

Setting the service unique identifier
    In the managed resource service definition, set the unique identifier for connecting to the managed resource. For example, the unique identifier might be an IP address or the host name of the server.

Managing the credential vault
    As an Administrator, you can manage the credentials for shared accounts through the credential vault.

Managing the credential pool
    As an Administrator, you can use IBM Security Identity Manager to manage credential pools. A credential pool provides a way to group credentials that have similar access privileges. This grouping can be defined as a service group or a set of service groups.

Managing shared access policies
    Shared access policies authorize role members to share credentials or credential pools.

Shared access bulk load
    As an Administrator, you can use the shared access comma-separated value (CSV) file to add accounts to the credential vault. You also use the CSV file to add and update the credential pools in bulk. You can also modify credential settings for the accounts that are in the credential vault.

Shared access objects for custom reports
    You can generate custom reports by using the Shared Access objects. Use the shared access entities, such as Credential, Credential Pool, Credential Lease, and Shared Access Policy, to generate the custom reports.

Table 2 describes data references that you can use during administration tasks.

Table 2. Data reference for shared access

Default access control items
    Use the default access control items for shared access to manage access security.

Shared access tables
    Database tables that IBM Security Identity Manager creates and uses to store information that is related to the Shared Access Module.

Table 2. Data reference for shared access (continued)

Shared access classes
    For the Directory Server schema, the shared access module has several object classes, such as credential component, credential, credential pool, credential lease, and shared access policy.

Auditing schema
    You can use the auditing schema to track shared access policy management, credential lease management, credential pool management, and credential management.

For more information:
- See "Roadmap for configuring shared access for a managed resource" in the IBM Security Privileged Identity Manager Deployment Overview Guide.
- Shared access documentation
  In the IBM Security Identity Manager product documentation, see the "Administration" section to find links to the documentation for administering shared access.
- IBM Security Identity Manager product documentation
  To find information about a task in either Table 1 on page 1 or Table 2 on page 1, go to this product documentation. On the home page, locate the product documentation search window, and enter the administration task name or data reference name, as listed in the table. For example, to administer shared access policies, enter Managing shared access policies.

Privileged Administrator view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged Administrators. The default view shows the administrative tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged Administrator group includes the following activities:
- Manage a service, including the user accounts and requests for that service
- Manage and load privileged accounts from the managed service into the credential vault

A privileged Administrator can manage and delegate the activities that are shown in the administration console view for the Privileged Administrator group. The Privileged Administrator group can also view nearly all tasks on the self-service console. Because members of this group can load privileged accounts into the credential vault, treat membership in the group itself as a privileged entitlement.

For more information:
- Shared access documentation
  In the IBM Security Identity Manager documentation, see the section "Features" for links to topics on privileged Administrators.
- IBM Security Identity Manager product documentation
  To find more information about privileged Administrators, search for Scope of the Privileged Administrator group.

Privileged user view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged users. The default view shows the tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged User group includes the following activities:
- Manage their own profile
- Change their password
- Check in and check out shared accounts from the credential vault

The Privileged User group has no default view on the administration console, and no default access control items.

For more information:
- Shared access documentation
  In the IBM Security Identity Manager documentation, see the section "Features" for links to topics on privileged users.
- IBM Security Identity Manager product documentation
  To find more information about privileged users, go to this product documentation. On the home page, locate the product documentation search window, and enter Scope of the Privileged User group.

Manual checkout and check-in of shared credentials

Use the IBM Security Identity Manager self-service user interface console to access shared credentials.

Some IBM Security Privileged Identity Manager deployments do not require automated access to shared credentials. These deployments use only the IBM Security Identity Manager component. In these deployments, users who have sufficient privileges, such as membership in the Privileged User group, can manually access shared credentials.
- For initial access to the self-service user interface console, see the topic "Initial login and password information" in the IBM Security Identity Manager Product Overview Guide in the IBM Security Identity Manager documentation.
- When you log in to the self-service interface, go to the My Shared Access section of the entry panel. You can select wizards to assist you with the following tasks:
  - Checking out a credential
    Check out the credential of your authorized shared accesses.
  - Checking in a credential
    Check in the credential that you checked out previously.
  - Viewing a password
    View the password for the credentials.
- From anywhere in the self-service user interface, you can start the Help system to view help topics. In the Shared access section of the Help system, see:
  - "Checking out a credential or credential pool"
  - "Viewing the password for a shared credential"
  - "Checking in credentials"

For more information:
- Shared access documentation
  In the IBM Security Identity Manager documentation, see the section "User scenarios for shared access" to view links to topics on user access.
- IBM Security Identity Manager product documentation
  To find more information about manual access to shared credentials, go to this product documentation. On the home page, locate the product documentation search window, and enter Checking out a credential or credential pool.

Administrative console host names, ports and URLs

Configuration and administration tasks for IBM Security Privileged Identity Manager require you to log on to administrative consoles.

Host names and ports

The following table contains the different variable host names and port numbers that are used throughout the guide:

Table 3. Description of variables for host names and port numbers

<was hostname>
    Name of the host where the WebSphere Application Server is installed.
<dmgr hostname>
    Name of the host where the WebSphere Application Server Network Deployment Manager is installed.
<ihs hostname>
    Name of the host where the IBM HTTP Server is installed.
<loadbalancer hostname>
    Name of the host where the load balancer is installed.
<ims hostname>
    Name of the host where the IMS Server is installed.
<ihs ssl port>
    IBM HTTP Server SSL port number.
<admin ssl port>
    Administrative console secure port number.
<isim hostname>
    Name of the host where the IBM Security Identity Manager Server is installed.
<recorder hostname>
    Name of the host where the Privileged Session Recorder Server is installed.

URLs

Table 4. Common administrative consoles for IBM Security Privileged Identity Manager

IBM Security Access Manager for Enterprise Single Sign-On AccessAdmin
    Format:
    - If you are using a load balancer: https://<loadbalancer hostname>:<ihs ssl port>/admin
    - If you are not using a load balancer: https://<ims hostname>:<ihs ssl port>/admin
    - If the web server is configured properly: https://<ims hostname>/admin
    Example URLs:
    - https://imsserver:9443/admin
    - https://imsserver/admin

IBM Security Access Manager for Enterprise Single Sign-On IMS Configuration Utility
    Format:
    - If you are using WebSphere Application Server stand-alone: https://<was hostname>:<admin ssl port>/webconf
    - If you are using WebSphere Application Server Network Deployment: https://<dmgr hostname>:<admin ssl port>/webconf
    Example URL:
    - https://localhost:9043/webconf

IBM Security Identity Manager administrative console
    Format: https://<isim hostname>/itim/console
    Example URL: https://isimserver/itim/console

IBM Security Identity Manager self-service console
    Format: https://<isim hostname>/itim/self
    Example URL: https://isimserver/itim/self

IBM Privileged Session Recorder console
    Format:
    - If you are using a load balancer: https://<loadbalancer hostname>:<ihs ssl port>/recorder/ui
    - If you are not using a load balancer: https://<recorder hostname>:<ihs ssl port>/recorder/ui
    - If the web server is configured properly: https://<recorder hostname>/recorder/ui
    Example URLs:
    - https://recorderserver:9443/recorder/ui
    - https://recorderserver/recorder/ui
    - https://recorderserverihs/recorder/ui
    - https://loadbalancerhost/recorder/ui

IBM Privileged Session Recorder Server (Collector)
    Format:
    - https://<recorder hostname>:<ihs ssl port>/recorder/collector
    - https://<recorder hostname>/recorder/collector
    Example URL:
    - https://recorderserver/recorder/collector


Chapter 2. Session recording administration

As an Administrator, you must have a comprehensive set of procedures and reference information for managing the resources for session recording.

Session recording overview

You can record privileged identity sessions for auditing, security forensics, and compliance.

The IBM Privileged Session Recorder is a virtual surveillance camera that captures user activity during an active session on a workstation. Captured recordings are stored in a centralized database. You can search for recordings and play back recordings from a web-based console.

Figure 1. Session recording components. (Components shown: recorder daemon, collector, database, player, and WebSphere Application Server.)

The IBM Privileged Session Recorder captures user activity on Windows applications. The software includes session recording enabled AccessProfiles. The following applications are supported and have bundled AccessProfiles:
- Terminal consoles or SSH sessions with PuTTY or IBM Personal Communications.
- Remote desktop sessions with Microsoft Remote Desktop Connection, or VMware vSphere.

For other applications, you can add session recording by configuring custom AccessProfiles.

Screen recordings consist of multiple screen captures. Screen captures of the active application window are captured. Depending on the application type, the recording includes metadata for the keys that are pressed, the window controls that are clicked, and the window title.

Each recording is identified by a Recording ID. A recording can include more session metadata. The following items are examples of session metadata:

User ID
    The IBM Security Access Manager for Enterprise Single Sign-On user who signed on to a system.
Local user ID
    The Windows user who logged on to a client computer.

Application User ID
    The privileged account.
Local host
    Host name of the client computer.
Service Host
    The system that is accessed by using the privileged account.
Application name
    The program on the end user computer where the privileged account is used.
Process name
    The executable file name of the application.
Start Time
    The date and time of day when the recording started on the client workstation.
End Time
    The date and time of day when the recording ended on the client workstation.

Session recorder configuration

You can start, stop, pause, or resume recording sessions by adding the Privileged Session Recorder widgets to an AccessProfile. You can also customize additional session recording options by configuring policies.

Recording policies

You can use AccessAdmin to customize recording settings, such as server location, recording quality, and keys to exclude. Use AccessAdmin to configure the privileged identity management policies. For example, you can customize the following options:
- Enable or disable session recording (pid recorder enabled).
- Specify the Privileged Session Recorder Server URL (pid recorder server).
- Capture recordings in full color, or in grayscale for smaller recordings (pid recorder image capture option).
- Enable or disable key logging (pid recorder keyboard capture option).
- Specify the action to take on the client computer when the Privileged Session Recorder Server is not available (pid collector comm fail action). Review this setting against your audit requirements, because it governs what happens to a privileged session that cannot be recorded.

For more information about the policies for session recording, search for Policies for privileged identity management in the IBM Security Access Manager for Enterprise Single Sign-On product documentation.

AccessProfiles

Add the bundled Privileged Session Recorder widgets to custom AccessProfiles to enable session recording. For example, to customize recording for a Microsoft Remote Desktop Connection client application, be sure to add the Recorder widget to the Remote Desktop Connection AccessProfile.

The controls for initializing, starting, stopping, pausing, or resuming a recording depend on how the AccessProfile is designed with the available Privileged Session Recorder widgets. For more information about customizing AccessProfiles, see Chapter 3, "Modifying AccessProfiles," on page 17.

Adding security auditors

You can use the configuration utility to add security auditors to the ISPIMRecorderAuditors group so that they can access the Privileged Session Recorder console.

Before you begin
Install and configure the Privileged Session Recorder Server. For more information, see the IBM Security Privileged Identity Manager Deployment Overview Guide.

About this task
Members of the ISPIMRecorderAuditors group have privileges to view session recordings on the Privileged Session Recorder console. Because recordings can include the keys that were pressed during a privileged session, keep this group limited to the auditors who need it. The configuration tool already creates one auditor. To add more auditors, follow this procedure.

Procedure
1. Start the configuration tool from the following location: <recorder install home>/configtool/IBMCM.exe.
2. When the configuration tool is displayed, click Configure Privileged Session Recorder Server.
3. Click Guided Configuration.
4. Skip the steps in the configuration tool until the Configure Security Settings page is displayed.
5. In the Configure Security Settings page, specify the user information for the user that you want to add to the ISPIMRecorderAuditors group. The credentials that you specify are used to log on to the Privileged Session Recorder console. You can choose to create a user or specify an existing account. If you choose to use an existing account, the account must exist on WebSphere Application Server.
6. Click Finish.

Accessing recordings

You can access session recordings to play back, investigate, or audit the recorded usage of privileged identities.

Logging on to the IBM Privileged Session Recorder console

To log on to the Privileged Session Recorder console, the user must be a member of the ISPIMRecorderAuditors group.

Before you begin
- Deploy and configure the Privileged Session Recorder Server. See the IBM Security Privileged Identity Manager Deployment Overview Guide.

About this task
To grant more users access to the IBM Privileged Session Recorder console, you can add security auditors. For more information, see "Adding security auditors" on page 9.

Procedure
1. Log on to the IBM Privileged Session Recorder console at https://<recorder hostname>/recorder/ui. For example: https://recorderserver/recorder/ui
2. Enter your ISPIMRecorderAuditors member credentials.
The Privileged Session Recorder management console is displayed.

Searching for recordings

You can locate recordings by keywords, by filtering, or by sorting. You can also search recordings for custom metadata, and save frequent searches for faster access the next time you log on.

Procedure
1. Log on to the Privileged Session Recorder console.
2. Use the search and filter controls to locate the recording that you want.
3. Play back the recording.

Global search
Global search searches all the session recordings for specific keywords that are embedded in the metadata. For example, you can use the search function to:
- Find recordings where a specific command was typed.
- Find recordings that include a specific application or process.
- Find recordings for a specific User ID, Application User ID, or Local User ID.

Note: Global search does not support searching by date and time. To filter the search results by date and time, use the filter box that is above the recording list table.

Advanced search
To retrieve recordings over a specific time range, use the Advanced Search.

Filters and search criteria
Use the provided filters to refine your search results. For example, you can filter the search by process name, by time range, or by combining different keywords. To learn about the session recording attributes that you can search for, see "Session recording overview" on page 7.

Searching for recordings within a time span
To retrieve recordings over a time span, use the following search filters:

Start time range (s1-s2)
    Where s1 is the beginning, and s2 is the end of the range for the start time.
End time range (e1-e2)
    Where e1 is the beginning, and e2 is the end of the range for the end time.

Table 5. Examples of how to search with the Start time range and End time range in Advanced Search

To search for: Recordings that start between 1 July 2013 and 10 July 2013.
    Specify: Start time range (1 July 2013 - 10 July 2013)

To search for: Recordings that end between 1 July 2013 and 10 July 2013.
    Specify: End time range (1 July 2013 - 10 July 2013)

To search for: Recordings between 1 July 2013 and 10 July 2013. This combination returns every recording that was active at any point in the period, including recordings that started before 1 July or ended after 10 July.
    Specify: Start time range (none - 10 July 2013) and End time range (1 July 2013 - none). For Search type, select Match all criteria.

Saving search queries
If you repeat searches with specific criteria frequently, you can save your search queries for faster result retrieval.

Procedure
1. In the IBM Privileged Session Recorder console, use the Advanced search fields to refine and combine different search criteria.
2. Click Saved searches.
3. Specif
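The following Python is an added example, not code from this guide or from the product: it models the search semantics described above (global keyword search over the recording metadata fields, the Advanced Search Start time range and End time range filters with open "none" bounds, and the Match all criteria search type) over a small set of constructed recording metadata. The Recording class, its field names, and the sample recordings are assumptions made for the example.

```python
"""Added example: a model of the Privileged Session Recorder console's search
semantics (global keyword search, Advanced Search start/end time ranges, and
the 'Match all criteria' search type) run over constructed recording metadata.
The Recording class, field names, and sample data are assumptions, not the
product's API or data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

# A range is (from, to) as ISO dates; None leaves that side open ("none" in Table 5).
DateRange = Tuple[Optional[str], Optional[str]]
OPEN: DateRange = (None, None)


@dataclass(frozen=True)
class Recording:
    recording_id: str
    user_id: str              # ISAM ESSO user who signed on
    application_user_id: str  # the privileged account that was used
    local_user_id: str        # Windows user logged on to the client
    process_name: str         # executable name of the recorded application
    keys_typed: str           # captured keystroke metadata (constructed)
    start: str                # ISO date the recording started
    end: str                  # ISO date the recording ended


def _in_range(value: str, rng: DateRange) -> bool:
    """True when the ISO date `value` lies within rng; a None bound is unbounded."""
    v = date.fromisoformat(value)
    lo, hi = rng
    return (lo is None or v >= date.fromisoformat(lo)) and \
           (hi is None or v <= date.fromisoformat(hi))


def keyword_hits(rec: Recording, keyword: str) -> bool:
    """Global search: case-insensitive substring match over the string metadata
    fields only. Dates are deliberately excluded, matching the console's note
    that global search does not search by date and time."""
    kw = keyword.lower()
    fields = (rec.user_id, rec.application_user_id, rec.local_user_id,
              rec.process_name, rec.keys_typed)
    return any(kw in f.lower() for f in fields)


def search(recordings: Sequence[Recording], keywords: Sequence[str] = (),
           start_range: DateRange = OPEN, end_range: DateRange = OPEN,
           match_all: bool = True) -> List[str]:
    """Return the IDs of recordings that satisfy the criteria. match_all=True is
    Table 5's 'Match all criteria'; False returns recordings matching any one."""
    results = []
    for rec in recordings:
        checks = [keyword_hits(rec, k) for k in keywords]
        if start_range != OPEN:
            checks.append(_in_range(rec.start, start_range))
        if end_range != OPEN:
            checks.append(_in_range(rec.end, end_range))
        if not checks or (all(checks) if match_all else any(checks)):
            results.append(rec.recording_id)
    return results


def active_between(recordings: Sequence[Recording], first: str, last: str) -> List[str]:
    """Table 5, third row: Start time range (none - last) AND End time range
    (first - none). This returns every recording that was active at any point
    in the period, including ones that started before it or ended after it."""
    return search(recordings, start_range=(None, last), end_range=(first, None),
                  match_all=True)


# Constructed sample metadata (not real recordings).
SAMPLE = [
    Recording("R1", "alice", "root", "ALICE-PC\\alice", "putty.exe",
              "sudo su -; cat /etc/shadow", "2013-06-28", "2013-07-02"),
    Recording("R2", "bob", "Administrator", "BOB-PC\\bob", "mstsc.exe",
              "net user", "2013-07-03", "2013-07-03"),
    Recording("R3", "alice", "oracle", "ALICE-PC\\alice", "pcsws.exe",
              "sqlplus / as sysdba", "2013-07-09", "2013-07-12"),
    Recording("R4", "carol", "root", "CAROL-PC\\carol", "putty.exe",
              "ls -la /root", "2013-07-15", "2013-07-15"),
]

if __name__ == "__main__":
    print("started 1-10 July:", search(SAMPLE, start_range=("2013-07-01", "2013-07-10")))
    print("active 1-10 July: ", active_between(SAMPLE, "2013-07-01", "2013-07-10"))
    print("typed 'shadow':   ", search(SAMPLE, keywords=["shadow"]))
```

The point of active_between is the third row of Table 5: a start-only or end-only range misses recordings that straddle the period (R1 started in June but was still running on 2 July), while the combined open-ended ranges with Match all criteria catch them. The keyword search never consults the start and end fields, which is why a date typed into global search finds nothing and the time filters must be used instead.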
