ManageEngine®

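Password Manager Pro Password Management FAQ

Privileged password management solution, secure password management

Web Interface, Authentication

  1. Can I change the default port 7272 used by PMP?
  2. Why are my users not notified of their PMP accounts?
  3. What are the authentication schemes available in PMP?
  4. What are the user roles available in PMP? What are their access levels?
  5. What if I forget my PMP login password?
  6. Why does Internet Explorer 7 (and other browsers) complain while accessing the PMP console?

Security

  1. How secure are my passwords in PMP?
  2. How secure are A-to-A and A-to-DB password management done through the Password Management API?
  3. Can we install our own SSL certificate? How?
  4. How to generate a unique SSL certificate for the MySQL server? (steps applicable from PMP 6500 onwards)

Password Synchronization

  1. Can I also change resource passwords from the PMP console?
  2. When to use the agent and agent-less modes for password synchronization?
  3. Can I enable agentless password synchronization if I add my own resource type for other distributions of Linux / other versions of Windows?
  4. Is there a way to do remote password synchronization for resource types other than the ones for which remote reset is supported now?
  5. How to troubleshoot when password synchronization does not happen?
  6. Windows domain password reset fails with the error message: "The authentication mechanism is unknown"
  7. What are the prerequisites for enabling Windows service account reset?

Backup and Disaster Recovery

  1. Can I set up disaster recovery for the PMP database?
  2. Where does the backup data get stored? Is it encrypted?

Troubleshooting and General Tips

  1. Do I need any prerequisite software to be installed before using PMP?
  2. Can others see the resources added by me?
  3. Can I add my own attributes to PMP resources?
  4. What if a user who has not shared sensitive passwords leaves the enterprise?
  5. Importing users/resources from AD fails...
  6. Does PMP provide high availability support?
  7. How to make the PMP application work with a MySQL database server installed on a separate machine (other than the one on which the PMP server is running)?
  8. Can I rebrand PMP with our logo?
  9. Does domain SSO work across firewalls / VPNs?
  10. Does PMP record password viewing attempts and retrievals by users?

Licensing

  1. What is the licensing policy for PMP?
  2. Can I buy a permanent license for PMP? What are the options available?
  3. I want to have a high availability setup with redundant servers. Is one license enough?
  4. Can PMP support more than 100 administrators?
  5. Can I extend my evaluation to include more administrator users or more days?
  6. Do I have to reinstall PMP when moving to the Professional Edition?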

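Web Interface, Authentication

Can I change the default port 7272 used by PMP?

Yes, you can change the default port as explained below:

  • Go to the \conf directory and open the server.xml file
  • Replace the entry "7272" with the port number of your choice. There should be 72 entries of 7272 to be replaced.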

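Why are my users not notified of their PMP accounts?

Users are notified of their PMP accounts only through email. If they do not receive the notification email, check

  • If you have configured the mail server settings properly, with the details of the SMTP server in your environment
  • If you have provided valid credentials in the mail server settings, as some mail servers require them to send mail
  • If the "Sender E-Mail ID" is properly configured, as some mail servers reject emails without a "From" address or mails originating from unknown domains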

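What are the authentication schemes available in PMP?

You can use one of the following three mechanisms:

Active Directory: When enabled, the authentication request is forwarded to the configured domain controller and, based on the result, the user is allowed or denied access to PMP. The user name, password and domain are supplied in the PMP login screen. This scheme works only for users whose details have previously been imported from AD. It is available only when the PMP server is installed on a Windows system.

LDAP Directory: When enabled, the authentication request is forwarded to the configured LDAP directory server and, based on the result, the user is allowed or denied access to PMP. The user name, password and the option to use LDAP authentication are supplied in the PMP login screen. This scheme works only for users whose details have previously been imported from the LDAP directory.

PMP Local Authentication: The authentication is done locally by the PMP server. Irrespective of whether AD or LDAP authentication is enabled, this scheme is always available for users to choose in the login page. This scheme has a separate password for users, and the AD or LDAP passwords are never stored in the PMP database.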


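What are the user roles available in PMP? What are their access levels?

PMP comes with three pre-defined roles:

  • Administrator
  • Password Administrator
  • Password User

Any administrator can be made a "Super Administrator" with the privilege to view and manage all resources. Refer to the help documentation for details on access levels.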


What if I forget my PMP login password?

If you were already given a valid PMP account, you can use the 'Forgot Password?' link available in the login page to reset the password. The user name/e-mail id pair supplied should match the one already configured for the user and in that case, the password will be reset for that user and the new password will be emailed to that email id.


Why do Internet Explorer 7 (and other browsers) have problems while accessing the PMP console?

The PMP web console always uses HTTPS to communicate with the PMP server. The PMP server comes with a default self-signed SSL certificate, which standard web browsers will not recognize, so they issue a warning. IE 7's warning message in particular appears serious. Ignoring this warning still guarantees encrypted communication between the PMP console and the server, but if you want your users to be sure that they are connecting only to the PMP server, you will need to install an SSL certificate bought from a certificate authority that is recognized by all standard web browsers.


Security

How secure are my passwords in PMP?

Ensuring the secure storage of passwords and offering high defence against intrusion are the mandatory requirements of PMP. The following measures ensure the high level security for the passwords:

  • Passwords are encrypted using the Advanced Encryption Standard (AES), which is currently the strongest encryption algorithm, and stored in the database. (AES has been adopted as an encryption standard by the U.S. Government)
  • The database which stores all the passwords accepts connections only from the host that it is running on and is not visible externally
  • Role-based, fine-grained user access control mechanism ensures that the users are allowed to view the passwords based on the authorization provided
  • All transactions between the PMP console and the server take place through HTTPS
  • In-built Password Generator can help you generate strong passwords

For detailed information, refer to the Product Security Specifications document.


How secure are A-to-A and A-to-DB password management done through the Password Management API?

The web API exposed by PMP forms the basis for Application-to-Application/Database Password Management in PMP. The applications connect and interact with PMP through HTTPS. The application's identity is verified by forcing it to issue a valid SSL certificate, matching the details already provided to PMP corresponding to that application.


Can we install our own SSL certificate? How?

The PMP runs as a HTTPS service. It requires a valid CA-signed SSL certificate with the principal name as the name of the host on which it runs. By default, on first time startup, it creates a self signed certificate. This self signed certificate will not be trusted by the user browsers. Thus, while connecting to PMP, you need to manually verify the certificate information and the hostname of PMP server carefully and should force the browser to accept the certificate.

To make the PMP server identify itself correctly to the web browser and the user:

  • you need to obtain a new signed certificate from a CA for the PMP host or
  • you can configure an existing certificate obtained from a CA with wild-card principal support for the PMP host

You can use OpenSSL or keytool (bundled with Java) to create your certificates, get them signed by a CA and use them with PMP. The choice of which tool to use is yours, based on what your security administrators say. Detailed instructions on using both the tools are provided here. If you already have a certificate signed by a CA, then we recommend using OpenSSL to create the keystore and configure it in PMP (steps 4 and 5 in the instructions below).

Using OpenSSL

OpenSSL is available bundled with most of the Linux distributions. If you have Windows and do not have OpenSSL installed, download it from http://www.slproweb.com/products/Win32OpenSSL.html. Make sure the 'bin' folder under the OpenSSL installation is included in the 'PATH' environment variable.

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake

  • Open the command prompt
  • Execute 'openssl genrsa -des3 -out <privatekey_filename>.key 1024'
    • <privatekey_filename> is the filename you specify to store the private key
  • This will prompt you to enter a pass-phrase for the private key. Enter 'passtrix' or a pass-phrase of your choice. (Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alpha characters)
  • This will create a file named <privatekey_filename>.key in the same folder

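Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority, to create a signed certificate with the public key generated in the previous step.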

  • Execute 'openssl req -new -key <privatekey_filename>.key -out <certreq_filename>.csr'
    • <privatekey_filename>.key is the one used in the previous step
    • <certreq_filename>.csr is the filename you specify to carry the certificate creation request to the CA (certificate authority)
  • This will prompt you to enter a series of values that are part of the distinguished name (DN) of the server that will host PMP
  • Enter values as applicable to you and importantly for the 'Common Name' supply the fully qualified name of the server hosting PMP (with which it will be accessed through the browsers)
  • This will create a file named <certreq_filename>.csr in the same folder

Step 3: Submit the CSR to a Certificate Authority (CA) to obtain a CA-signed certificate

  • Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
  • This process usually takes a few days time and you will be returned your signed SSL certificate and the CA's root certificate as .cer files
  • Save them both in the same working folder where files from steps 1 and 2 are stored

Step 4: Import the CA-signed certificate into a keystore

  • On a command prompt navigate to the same working folder
  • Execute 'openssl pkcs12 -export -in <cert_file>.cer -inkey <privatekey_filename>.key -out <keystore_filename>.p12 -name pmp -CAfile <root_cert_file>.cer -caname pmp -chain'
    • where
      • cert_file.cer is the signed SSL certificate with the .cer extension
      • privatekey_filename.key is the private key file with a .key extension
      • keystore_filename.p12 name is the keystore that will be generated with a .p12 extension
      • root_cert_file.cer is the CA's root certificate with a .cer extension
    • When prompted for password, enter the same password which you used in step 1 for the private key. Note that this requirement is due to an inherent limitation in tomcat, where these two passwords have to be the same
  • This will generate the keystore file <keystore_filename>.p12 on the same folder

Step 5: Finally, configure the PMP server to use the keystore with your SSL certificate

  • Copy this <keystore_filename>.p12 generated in the previous step to <PMP_Install_Folder>\conf folder
  • In a command prompt, navigate to <PMP_Install_Folder>\conf folder
  • Open the file server.xml and do the following changes
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>.p12"
  • Make sure the entry  for 'keystorePass' is set to "passtrix" or the password you specified in the previous step while creating the keystore
  • Add a new entry keystoreType="PKCS12" next to the keystorePass entry
  • Save the server.xml file
  • Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!

Using Keytool

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake

  • Go to <PMP_Home>/jre/bin folder
  • Execute the command "./keytool -genkey -alias pmp -keyalg RSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of_days> -keystore <keystore_filename>"
    • <keystore_password> is the password to access the keystore, <privatekey_password> is the password to protect your private key. Note that due to an inherent limitation in tomcat, these two passwords have to be the same. (Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alpha characters)
    • <no_of_days> is the validity of the key pair in number of days, from the day it was created
  • The command will prompt you to enter details about you and your organization
    • For the 'first and the last name' enter the FQDN of the server running PMP
    • For other fields enter the relevant information
    • <keystore_password> is the password to access the keystore, <privatekey_password> is the password to protect your private key and <no_of_days> is the validity of the key pair in number of days, from the day it was created
  • This will create a keystore file named <keystore_filename> in the same folder, with the generated key pair

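Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority, to create a signed certificate with the public key generated in the previous step.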

  • Go to <PMP_Home>/jre/bin folder
  • Execute the command "keytool -certreq -keyalg RSA -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore <keystore_filename>"
    • Note that the <csr_filename> that you choose should have .csr extension. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the last step
  • This will create a CSR file named <csr_filename> in the same folder

Step 3: Submit the CSR to a Certificate Authority (CA) to obtain a CA-signed certificate

  • Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
  • This process usually takes a few days time and you will be returned your signed SSL certificate and the CA's certificate as .cer files
  • Save them both in the <PMP_Home>/jre/bin folder

Step 4: Import the CA-signed certificate into the PMP server

  • Import your SSL certificate into your keystore
  • Go to <PMP_Home>/jre/bin folder
  • Execute the command "keytool -import -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_certificate>"
  • <your_ssl_certificate> is the certificate you obtained from the CA, a .cer file saved in the previous step. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the previous steps
  • Now copy the <keystore_filename> to the <PMP_Home>/conf folder

Step 5: Finally, configure the PMP server to use the keystore with your SSL certificate

  • Go to <PMP_Home>/conf folder
  • Open the file server.xml
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one used in the previous steps
  • Also search for the entry 'keystorePass' (which will in fact be next to keystoreFile), which will have the default value set to "passtrix". Change the value to "<keystore_password>" where <keystore_password> is the one used in the previous steps
  • Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!

Note: Tomcat by default accepts only the JKS (Java Key Store) and PKCS #12 format keystores. If the keystore is in PKCS #12 format, include the following option in the server.xml file along with the keystore name: keystoreType="PKCS12". This tells Tomcat that the format is PKCS12. Restart the server after this change.

Installing an existing SSL certificate with wild-card support

  • Go to <PMP_Home>/conf folder
  • Open the file server.xml
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one belonging to the existing wild-card certificate.
  • Also search for the entry 'keystorePass' (which will in fact be next to keystoreFile), which will have the default value set to "passtrix". Change the value to "<keystore_password>" where <keystore_password> is the one used to protect the existing wild-card certificate keystore.
  • Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!

Note: Please refer to your CA's documentation for more details and troubleshooting.
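The Step 5 edits of both routes, together with the keystoreType note, can be checked mechanically before the server is restarted. The script below is an added example, not part of PMP or of this FAQ; the finding labels and the sample Connector element are constructed for illustration, and <PMP_Home> is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of PMP: review the keystore attributes that Step 5
# edits in <PMP_Home>/conf/server.xml. Finding labels are invented here.

# Constructed sample (not PMP's shipped file): an HTTPS connector where the
# .p12 from the OpenSSL route was configured but Step 5 was left unfinished.
sample_server_xml() {
    cat <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="7272" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/pmp.p12" keystorePass="passtrix" />
  </Service>
</Server>
EOF
}

# Print the value of the first attribute named $2 in file $1 (empty if absent).
# Line-oriented on purpose: it does not skip XML comments.
xml_attr() {
    grep -oE "(^|[[:space:]])$2=\"[^\"]*\"" "$1" | head -n 1 |
        sed 's/^[^"]*"//; s/"$//'
}

# Print one finding per line for the installation rooted at $1 (<PMP_Home>).
# Prints nothing when the configuration passes every check.
audit_server_xml() {
    xml="$1/conf/server.xml"
    [ -r "$xml" ] || { echo "NO_SERVER_XML"; return 0; }
    ksfile=$(xml_attr "$xml" keystoreFile)
    kspass=$(xml_attr "$xml" keystorePass)
    kstype=$(xml_attr "$xml" keystoreType)

    if [ "$ksfile" = "conf/server.keystore" ]; then
        echo "DEFAULT_KEYSTORE"      # still the self-signed first-start keystore
    elif [ ! -f "$1/$ksfile" ]; then
        echo "KEYSTORE_NOT_FOUND"    # keystore was never copied into conf
    fi
    if [ "$kspass" = "passtrix" ]; then
        echo "DEFAULT_PASSWORD"      # the documented default protects nothing
    fi
    case "$kspass" in
        *[!A-Za-z]*) echo "PASSWORD_NONALPHA" ;;   # Tomcat caveat from Step 1
    esac
    case "$ksfile" in
        *.p12|*.pfx)                 # PKCS #12 needs keystoreType="PKCS12"
            [ "$kstype" = "PKCS12" ] || echo "TYPE_MISSING" ;;
    esac
    return 0
}

# Usage: sh audit_pmp_tls.sh <PMP_Home>
if [ -n "${1:-}" ]; then
    audit_server_xml "$1"
fi
```

An empty result means the keystore entries are consistent; it does not prove that the certificate itself is trusted by browsers.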


How to generate a unique SSL certificate for the MySQL server? (applicable from PMP 6500 onwards)

Follow the steps below to generate an SSL certificate for the MySQL server. (If you want to have a self-signed key, follow all the steps. If you are using a CA signed certificate, skip steps 1, 2 and 5.)

Step 1  Create certificate authority key

  • Open a command prompt
  • Execute the command openssl genrsa -out ca.key 1024
  • This will create a key named ca.key

Step 2 Create a self-signed certificate authority certificate

  • Execute the command openssl req -new -x509 -days 365 -key ca.key -out CAcert.pem 
  • Here ca.key is the file you created in step 1
  • This will create a file named CAcert.pem

Step 3 Generate private key

  • Open a command prompt
  • Execute the command openssl genrsa -out ServerKey.key 1024
  • This will create a file named ServerKey.key

Step 4 Generate a certificate request

  • Execute the command openssl req -new -key ServerKey.key -out server.csr
  • Here, ServerKey.key is the file you created in step 3
  • This will create a file named server.csr

Step 5 Create a Certificate Signing Request (CSR) for submission to a certificate authority (perform this step only if you are using a self-signed certificate. Otherwise, proceed to step 6)

  • Execute the command openssl x509 -req -days 365 -in server.csr -CA CAcert.pem -CAkey ca.key -set_serial 01 -out ServerCer.cer
  • Here, server.csr is the file you created in Step 4; CAcert.pem is the file created in Step 2; ca.key is the file created in Step 1
  • This will create a file named ServerCer.cer

Step 6 Generate .p12 file

  • Execute the command openssl pkcs12 -export -in ServerCer.cer -inkey ServerKey.key -out PMPKeyStore.p12 -name pmp -CAfile CAcert.pem -caname pmp -chain
  • Here, ServerCer.cer is the file you created in Step 5. If you are using a CA signed certificate, enter the signed SSL certificate with .cer extension; ServerKey.key is the one you created in Step 3; CAcert.pem is the file created in Step 2
  • This will create a file named PMPKeyStore.p12
  • Here, you will be prompted to enter 'Export Password'. The password specified here has to be entered in PMP configuration file in wrapper.conf (in Windows installation) and wrapper_lin.conf (in Linux installation) as explained below.

    Open wrapper.conf (in Windows installation) and wrapper_lin.conf (in Linux installation) and search for the following line:

    wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=passtrix

    In the above, replace passtrix with the password you have entered above.

Step 7  Configure the PMP server to use the keystore with your SSL certificate

  • By executing the above steps, you would have got four files namely CAcert.pem, ServerKey.key, ServerCer.cer and PMPKeyStore.p12. You need to copy and paste  these files into <PMP-Installation-Folder>/conf directory

Step 8  Import CAcert.pem into PMP

  • Navigate to <PMP-Installation-Folder>/bin directory and execute the following command:

In Windows: importcert.bat <absolute path of the CAcert.pem file created in step 2>
In Linux: sh importcert.sh <absolute path of the CAcert.pem file created in step 2>


Step 9 Put these files into MySQL

  • You need to copy the following three files created after Step 6 and rename them as below:

CAcert.pem to be renamed as ca-cert.pem
ServerKey.key to be renamed as server-key.pem
ServerCer.cer to be renamed as server-cert.pem

  • Then, put the renamed files into <PMP-Installation-Folder>/mysql/data directory

Important Note: If you are having High Availability setup, execute the steps 7, 8 and 9 in PMP secondary installation also.
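Steps 1 to 6 above (and the equivalent OpenSSL steps for the web console keystore earlier in this FAQ) can be run non-interactively and verified before any file is copied into the PMP installation. This script is an added example, not ManageEngine tooling: the 2048-bit key size (the steps show 1024, which publicly trusted CAs no longer sign), the subject names and the PMP_EXPORT_PASS variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not ManageEngine tooling. File names follow Steps 1-6 above;
# key size, subject names and PMP_EXPORT_PASS are assumptions of this example.
KEY_BITS=2048
CA_SUBJ="/CN=Example Test CA"          # constructed
SERVER_SUBJ="/CN=pmp.example.test"     # constructed; use the server's FQDN

# Steps 1-6, non-interactive, inside the scratch directory $1.
build_keystore() {
    [ -n "${PMP_EXPORT_PASS:-}" ] || { echo "PMP_EXPORT_PASS is not set" >&2; return 2; }
    export PMP_EXPORT_PASS
    (
        cd "$1" || exit 1
        umask 077    # keys and keystore readable by the owner only
        openssl genrsa -out ca.key "$KEY_BITS" 2>/dev/null || exit 1          # Step 1
        openssl req -new -x509 -days 365 -key ca.key -subj "$CA_SUBJ" \
            -out CAcert.pem || exit 1                                           # Step 2
        openssl genrsa -out ServerKey.key "$KEY_BITS" 2>/dev/null || exit 1   # Step 3
        openssl req -new -key ServerKey.key -subj "$SERVER_SUBJ" \
            -out server.csr || exit 1                                           # Step 4
        openssl x509 -req -days 365 -in server.csr -CA CAcert.pem -CAkey ca.key \
            -set_serial 01 -out ServerCer.cer 2>/dev/null || exit 1             # Step 5
        # Step 6: "env:" keeps the export password out of the process list.
        openssl pkcs12 -export -in ServerCer.cer -inkey ServerKey.key \
            -out PMPKeyStore.p12 -name pmp -CAfile CAcert.pem -caname pmp -chain \
            -passout env:PMP_EXPORT_PASS || exit 1
    )
}

# Pre-deployment checks on directory $1. Prints OK and returns 0 only if
# every check passes; otherwise prints the first failure and returns 1.
check_keystore() {
    d=$1
    export PMP_EXPORT_PASS
    # The server certificate must chain to the CA that gets imported in Step 8.
    openssl verify -CAfile "$d/CAcert.pem" "$d/ServerCer.cer" >/dev/null 2>&1 ||
        { echo "FAIL: ServerCer.cer is not signed by CAcert.pem"; return 1; }
    # Certificate and private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$d/ServerCer.cer" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$d/ServerKey.key" -pubout 2>/dev/null) || key_pub=""
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: ServerKey.key does not match ServerCer.cer"; return 1; }
    # The keystore must open with the export password and hold server + CA cert.
    certs=$(openssl pkcs12 -in "$d/PMPKeyStore.p12" -nokeys \
        -passin env:PMP_EXPORT_PASS 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$certs" -eq 2 ] ||
        { echo "FAIL: keystore unreadable with this password or chain incomplete"; return 1; }
    echo "OK"
}

# Step 6 also requires the export password in wrapper.conf / wrapper_lin.conf.
# Returns 0 if the keyStorePassword found in file $2 opens the keystore in $1.
wrapper_password_matches() {
    pw=$(tr -d '\r' < "$2" |
        sed -n 's/^wrapper\.java\.additional\.[0-9]*=-Djavax\.net\.ssl\.keyStorePassword=//p' |
        head -n 1)
    [ -n "$pw" ] || return 1
    PMP_WRAPPER_PASS=$pw openssl pkcs12 -in "$1/PMPKeyStore.p12" -noout \
        -passin env:PMP_WRAPPER_PASS >/dev/null 2>&1
}

# Usage: PMP_EXPORT_PASS=... sh pmp_mysql_certs.sh <empty scratch directory>
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    build_keystore "$1" && check_keystore "$1"
fi
```

With a CA-signed certificate, skip build_keystore, place the CA's files under the same names and run check_keystore and wrapper_password_matches on them.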


Password Synchronization

Can I also change resource passwords from the PMP console?

Yes, of course. PMP can change the passwords currently for Windows, Windows domain and Linux systems. Capability to change passwords of other types of resources like databases, routers, switches etc will be gradually added. PMP supports both agent-based and agent-less modes of changing passwords.


When to use the agent and agent-less modes for password synchronization?

Let us first look at the requisites for both the modes:

The agent mode requires the agent to be installed as a service and run with administrative privileges to perform password changes. The communication between the PMP server and agent takes place through TCP for normal information and HTTPS for password transfer and hence communication paths must exist (ports to be kept open) between the server and agent.

For the agentless mode, you must supply administrative credentials to perform the password changes. For Linux you must specify two accounts, one with root privileges and one with normal user privileges that can be used to login from remote. Telnet or SSH service must be running on the resources. For Windows domain, you must supply the domain administrator credentials. For Windows and Windows domain, PMP uses remote calls and relevant ports must be open on the resource.

Based on this you can choose which mode you want for your environment, indicated by the following tips:

Choose agent mode when,

  • you do not have administrative credentials stored for a particular resource in PMP
  • you do not have the required services running on the resource (Telnet / SSH for Linux, RPC for Windows)
  • you run PMP in Linux and want to make password changes to a Windows resource

Choose agentless mode in all other cases as it is a more convenient and reliable way of doing password changes.


Can I enable agentless password synchronization if I add my own resource type for other distributions of Linux / other versions of Windows?

Yes, you can. As long as your resource type label contains the string 'Linux' or 'Windows', you can still configure agentless password synchronization for those resources.

Example of valid resource type labels to enable password synchronization:

Debian Linux, Linux - Cent OS, SuSE Linux, Windows XP Workstation, Windows 2003 Server


Is there a way to do remote password synchronization for resource types other than the ones for which remote reset is supported now?

Yes, you can make use of Password Reset Listeners, which enable invoking a custom script or executable as a follow-up action to Password Reset action in PMP. Refer to Help Documentation for more details.


How to troubleshoot when password synchronization does not happen?

In the agent mode,

  • Check if the agent is running by looking at the Windows active process list for the entry 'PMPAgent.exe' or the presence of a process named PMPAgent in Linux
  • Check if the account in which the agent is installed has sufficient privileges to make password changes

In the agentless mode,

  • Check if the right set of administrative credentials have been provided and the remote synchronization option is enabled
  • Check if the necessary services are running on the resource (Telnet / SSH for Linux, RPC for Windows)
  • Check if the resource is reachable from the PMP server using the DNS name provided

Windows domain password reset fails with the error message: "The authentication mechanism is unknown"

This happens when PMP is run as a Windows service and the 'Log on as' property of the service is set to the local system account. Change it to any domain user account to be able to reset domain passwords. Follow the instructions below to effect that setting:

  • Go to the Windows Services applet (from Control Panel --> Administrative Tools --> Services)
  • Select the 'ManageEngine PMP' service, right-click --> choose Properties
  • Click the Log On tab and choose the 'This Account' radio button and provide the username and password of any domain user - in the format <domainname>\<username>
  • Save the configuration and restart the server

What are the prerequisites for enabling Windows Service Account Reset?

Before enabling Windows service account reset, ensure that the following services are enabled on the servers where the dependent services are running:

(1) Windows RPC service should have been enabled
(2) Windows Management Instrumentation (WMI) service should have been enabled


Backup & Disaster Recovery

Can I setup disaster recovery for the PMP database?

Yes, you can. PMP can periodically backup the entire contents of the database, which can be configured through the PMP console. Refer help documentation for more details.


Where does the backup data get stored? Is it encrypted?

All sensitive data in the backup file are stored in encrypted form in a .zip file under <PMP_Install_Directory/backUp> directory. It is recommended that you backup this file in your secure, secondary storage for disaster recovery.


General

Do I need any pre-requisite software to be installed before using PMP?

There is no prerequisite software installation required to use PMP.


Can others see the resources added by me?

Except super administrators (if configured in your PMP setup), no one, including admin users, will be able to see the resources added by you. Apart from this, if you decide to share your resources with other administrators, they will be able to see them.


Can I add my own attributes to PMP resources?

Yes, you can extend the attributes of the PMP resource and user account to include details that are specific to your needs. Refer the help documentation for more details.


What if a user who has not shared his sensitive passwords, leaves the enterprise?

This can very well happen in any enterprise, but with PMP you need not worry about passwords getting orphaned. Administrators can 'transfer' resources owned by users to other administrator users and in the process they have no access to those resources themselves, unless they do the transfer to their name. Refer the help documentation for more details.


Importing users/resources from AD fails...

Ensure the following:

  • Check if the user credentials are correct
  • If you are trying with an admin user and it fails, try entering the credentials of a non-admin user. This is just to verify if connection could be established properly

If it still fails after ensuring the above, contact passwordmanagerpro-support@manageengine.com.


Does PMP provide high availability support?

Yes, refer to Help Documentation for more details


How to make the PMP application work with a MySQL database server installed in a separate machine (other than the one in which PMP server is running)?

It is always recommended to run the PMP application (built over Tomcat web server) and the MySQL database in the same machine for better security. We have configured the bundled MySQL database so as it is not visible outside the machine in which it is installed (it will accept connections requested only from localhost) and you will lose this aspect when you separate them. If there is a pressing need to run MySQL elsewhere, follow the procedure detailed below:

  • Shutdown PMP server if it is already running
  • Install MySQL server in a different machine and create a database named 'PassTrix' (the casing is important, particularly in Linux)
  • Start the MySQL server and make sure you are able to connect to the database from remote (using the MySQL command line client)
  • Make the following configuration changes in PMP
    • Go to <PMP_Install_Dir>\conf\Persistence folder
    • Open the file persistence-configurations.xml and search for the entry 'StartDBServer' and set its value to 'false' (default will be 'true')
    • Save that file
    • Go to <PMP_Install_Dir>\conf folder
    • Open the file database_params.txt and make the following changes
      • In the URL property, change the entries 'localhost' and '5768' to the hostname and port number corresponding to the remote MySQL server
      • If you want to connect as root leave the username property as is. Otherwise make appropriate changes to that property. Note that PMP requires root privileges in MySQL
      • If you have set a password in the remote MySQL server specify it against the password property. Otherwise remove or comment out that line
      • Save that file
  • Now start the PMP server again and it should work with the remote database (which should be already running)

Does domain SSO work across firewalls / VPNs?

The domain Single Sign On (Windows integrated authentication) is achieved in the Windows environment by setting non-standard parameters in the HTTP header, which are usually stripped off by devices like firewalls / VPNs. PMP is designed for use within the network. So, if you have users connecting from outside the network, you cannot have SSO enabled.


Can I rebrand PMP with our logo?

Yes. If you want to replace the PMP logo appearing on the login screen and on the web-interface with that of yours, you can do so from the web-interface itself. It is preferable to have your logo of the size 210 * 50 pixels.

To rebrand the logo,

  • Go to the "Admin" tab
  • Click "Customize >> Rebrand"
  • Browse and choose the required image
  • Click "Save"
  • The PMP will appear with rebranded look

Does PMP record Password viewing attempts and retrievals by users?

Yes, PMP records all operations performed by the user including the password viewing and copying operations. From audit trails, you can get a comprehensive list of all the actions and attempts by the users with password retrieval. The list of operations that are audited (with the timestamp and the IP address) includes:

  • User accounts created, deleted and modified
  • Users logging in and logging off the application
  • Resources and passwords created, accessed, modified and deleted

What's the maximum size of a password that Password Manager Pro can store?

The resource passwords are stored as encrypted text (SQL type TEXT) in the database and hence the size of the content can be up to 64KB. For the PMP application login password, the maximum password length is 100 characters.


Licensing

What is the Licensing Policy for PMP?

Evaluation Edition - Evaluation Edition allows you to have 2 administrators for 30 days. You can manage unlimited resources and evaluate all features of Premium Edition. During evaluation you can get free technical assistance.

Free Edition - Download valid forever, capable of supporting a maximum of 1 administrator. You can manage a maximum of 10 resources and you will have all functionalities of Standard Edition.

Registered Version - need to buy license based on the number of administrators required and the type of edition Standard/Premium:

  • Standard - If your requirement is to have a secure, password repository to store your passwords and selectively share them among enterprise users, Standard Edition would be ideal.
  • Premium - Apart from storing and sharing your passwords, if you wish to have enterprise-class password management features such as  remote password synchronization, password alerts and notifications, application-to-application password management, reports, high-availability and others, Premium edition would be the best choice.

Know the difference:

Feature | Standard Edition | Premium Edition
User / User group Management | Yes | Yes
Password Repository | Yes | Yes
Password Policies | Yes | Yes
Password Sharing and Management | Yes | Yes
Audit / Audit Notifications | Yes | Yes
AD / LDAP integration | Yes | Yes
Auto Logon Helper | Yes | Yes
Password change listener | Yes | Yes
Backup and Disaster Recovery | Yes | Yes
Password Alerts and Notifications | No | Yes
Remote Password Reset (on demand, scheduled and rule based) for Windows, Windows Domain, Windows Service Accounts, Windows Scheduled Accounts, Flavours of UNIX and Linux, Cisco and HP ProCurve Devices and MS SQL, MySQL servers | No | Yes
Reports | No | Yes
Password Management API | No | Yes
High Availability | No | Yes

Can I buy a permanent license for PMP? What are the options available?

Though PMP follows an annual subscription model for pricing, we also provide a perpetual licensing option. The perpetual license will cost approximately three times the annual subscription price, with 20% AMS from the second year onwards. Contact sales@manageengine.com and passwordmanagerpro-support@manageengine.com for more details.


I want to have high availability setup with redundant servers. Is one license enough?

Yes, if you buy a single PREMIUM Edition license, you are entitled to have high availability setup. You can apply the same license on Primary as well as Standby servers.


Can PMP support more than 100 administrators?

Yes, very much. If you want a license with more than 100 administrator users, please contact sales@manageengine.com and passwordmanagerpro-support@manageengine.com for more details.


Can I extend my evaluation to include more administrator users or for more number of days?

Yes. Fill in the required details in the website and we will send you the license keys.


Do I have to reinstall PMP when moving to the Professional Edition?

No. You do not have to reinstall or shut down the server. You just need to enter the new license file in the "License" link present in the top right corner of the PMP web interface.

