A Hitachi ID PAM vault is where you provide us with the login credentials needed to access your installation of Hitachi ID Privileged Access Manager (PAM) in Hitachi ID Management Suite version 7.3 or later.
1) You must enable the webservices option in the Hitachi ID PAM user interface for scanner integration to work over the HTTP or HTTPS protocols. Go to Manage System > Maintenance > Services and enable "Hitachi ID (idapi) API Service" and then verify that it works.
2) See Qualys Integration Notes in the Hitachi ID Systems Customer Portal at https://hitachi-id.com/portal/?q=node/343 (login required) for additional settings that must be configured in your Hitachi ID PAM environment. Can't access this Hitachi article? Show meShow me
Qualys Integration Notes (from Hitachi)
Problem:
When integrating with Qualys systems, Hitachi IP Privileged Password Manager must have certain setting configure to ensure correct operation.
Resolution:
(1) Windows NT agents need to be able to return the correct IP and DNS information to allow API lookups by these values. A new option is availabe: WINNT EMIT INFO. If enabled, the registry setting causes the agtnt.exe agent to return IP/DNS information on reset operations. This option can be set in the product, and can be found at PSA > Maintenance > Connector behaviour > Windows NT Server/domain.
(2) The PSLang scripted agent sample for the ssh agent (agtssh.exe) shipped with the product must have the DNS/IP information collection and return enabled. This is configured at the top of the samples/agtssh.psl script, which must have the $emit_info variable set to 1. The default mode has this set to zero.
(3) The OTP or "one time password" (default) mode of the API must be disabled. This is a DWORD entry in the registry for the instance you wish to configure. This is found in the registry location: <instance>\idapi\DisableOTP. This value should be set to "1".
How to Use Vaults |
Click here and we'll walk you thru the steps. Add IP addresses to scan, configure scanner appliances, configure vaults and authentication records, set up option profiles and start scanning! |
Vault Credentials |
These credentials may be defined for your Hitachi ID PAM vault. |
URL Enter the HTTP or HTTPS URL of the Hitachi ID PAM webservices. (The SSL Verify option is only available when the URL entered uses HTTPS.) |
Username / Password The username (ID) for the Hitachi ID PAM user account. To allow Qualys scanners to connect using this account, this user must have the following settings under Administrator information in the Hitachi ID Management Suite: 1) the privilege "OTP IDAPI caller" and 2) the value entered in the "IP address with CIDR bitmask" field must include the Qualys scanner IP addresses. |
How it works |
Retrieving a password from Hitachi ID PAM requires an IP address and FQDN (hostname) for the scan target. For Unix hosts and Windows hosts that do not require domain authentication, you enter the IP address in the authentication record and the service performs a reverse DNS query to obtain the FQDN of the host. For Windows hosts that do require domain authentication, the service performs a forward DNS query to obtain a domain controller IP address and uses that IP and the FQDN of the domain when querying Hitachi PAM for a password. |
User Permissions |
A Manager user has permission to configure a Hitachi ID PAM vault. A Unit Manager can be granted this permission. |
Tell me about SSL certification validationTell me about SSL certification validation
Qualys scanners will verify the SSL certificate of the web server to make sure the certificate is valid and trusted, unless you clear (un-check) the SSL Verify option. You may want to clear this option to skip SSL verification if the certificate was not issued by a well-known certification authority (CA) or if the certificate is self-signed. (Note: The SSL Verify option is only available when the URL entered uses HTTPS.)