Administration Guide

Creating secret templates

To create a secret template:
  1. Go to Secret Settings > Templates.
  2. In the secret templates list, select Create.

    The General tab in the New Secret Template window opens.

  3. Select Permission from the top to switch to the Permission tab.

  4. Enter the following information:

    General

    Name

    Name of the template.

    Description

    Optionally, enter a description.

    Server Information

    The general type of server to which the template is intended to connect:

    • Unix-Like

    • Cisco

    • FortiOS

    • Other

    Fields

    Secrets require fields to enter the secret related information.

    To add new fields, select Create and then enter the following information, and click OK:

    Field Name

    The name of the field.

    Type

    From the dropdown, select a field type:

    • Domain: A domain field.

    • Passphrase: A passphrase field.

    • Password: A password field.

    • Private-Key: A private-key field.

    • Public-Key: A public-key field.

    • Target-Address: A target address field.

    • Text: A text field.

    • URL: A URL field.

    • Username: A username field.

    Mandatory

    Enable to make the field mandatory; disable to make it optional.

    From the list, select a field and then select Edit to edit the field.

    From the list, select fields and then select Delete to delete the fields.

    Launcher

    Launcher helps you access a target server. See Launchers.

    A launcher allows you to log in to a website or device without you needing to know the credentials.

    To add a new launcher, select Create and then enter the following information, and click OK:

    You can add up to a maximum of 20 launchers.

    Launcher Name

    From the dropdown, select a launcher.

    Use the search bar to look up a launcher.

    Use the pen icon to edit a custom launcher.

    To create a new launcher, in the dropdown, select Create.

    Enter the following information and click OK:

    Name

    The name of the launcher.

    Type

    From the dropdown, select a launcher type:

    • Other client: Other client launcher type.

    • Remote desktop: RDP client launcher type.

    • SSH client: SSH client launcher type.

    • VNC: VNC client launcher type.

    Executable

    The program file name, e.g., putty.exe for an SSH client.

    Ensure that the program directory is already added to the PATH environment variable in Windows before launching the secret.

    Note:

    An absolute path is also supported, e.g.:

    C:\Users\user1\Documents\putty.exe

    C:\Users\user1\Documents\New folder\putty.exe

    Parameter

    The command line parameters:

    • $DOMAIN

    • $TARGET

    • $HOST

    • $USER

    • $PASSWORD

    • $VNCPASSWORD

    • $PASSPHRASE

    • $PUB_KEY

    • $PRI_KEY

    • $URL

    • $PORT

    • $TMPFILE

    Example

    For putty.exe as the Executable, -l $USER -pw $PASSWORD $HOST are the parameters.

    For putty.exe as the Executable for SSH execution, -l $USER -pw $PASSWORD $HOST -m C:\Users\user1\Desktop\cmd.txt

    or

    -l $USER -pw $PASSWORD $HOST -m "C:\Program Files\cmd.txt" are the parameters.

    Note:

    When there is no space in the path, double quotes are not necessary:

    -l $USER -pw $PASSWORD $HOST -m C:\Users\user1\Desktop\cmd.txt

    When there is a space in the path, the path must be enclosed in double quotes:

    -l $USER -pw $PASSWORD $HOST -m "C:\Program Files\cmd.txt"
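    The substitution and quoting rules described for the Parameter field, worked through as an added example (not FortiPAM code): the Parameter string is split into arguments with double quotes grouping a path that contains spaces, each documented $VARIABLE token is replaced by the secret's field value, and a log-safe copy masks the secret-bearing variables. The executable name and field values are constructed sample data.

```python
# Launcher variables documented for the Parameter field.
LAUNCHER_VARIABLES = {"$DOMAIN", "$TARGET", "$HOST", "$USER", "$PASSWORD",
                      "$VNCPASSWORD", "$PASSPHRASE", "$PUB_KEY", "$PRI_KEY",
                      "$URL", "$PORT", "$TMPFILE"}
# Variables whose values must never reach a log line.
SECRET_VARIABLES = {"$PASSWORD", "$VNCPASSWORD", "$PASSPHRASE", "$PRI_KEY"}


def split_parameters(parameter):
    """Split the Parameter string into arguments.

    Double quotes group a path containing spaces (the 'C:\\Program Files' case);
    backslashes are ordinary Windows path characters, not escape characters.
    """
    args, current, in_quotes = [], [], False
    for ch in parameter:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in Parameter")
    if current:
        args.append("".join(current))
    return args


def build_argv(executable, parameter, values):
    """Return the argument vector the launcher would run.

    Every whole-token $VARIABLE is replaced from `values` (field name -> value).
    A token that is not a documented launcher variable is rejected, and a
    documented variable with no value (e.g. $PORT without a Launcher Port) is
    reported instead of being passed through literally to the client.
    """
    argv = [executable]
    for arg in split_parameters(parameter):
        if arg.startswith("$"):
            if arg not in LAUNCHER_VARIABLES:
                raise ValueError(f"unknown launcher variable {arg}")
            if arg not in values:
                raise KeyError(f"no value available for {arg}")
            argv.append(values[arg])
        else:
            argv.append(arg)
    return argv


def redacted_argv(executable, parameter, values):
    """Same as build_argv, but with secret-bearing values masked for logging."""
    masked = {k: ("***" if k in SECRET_VARIABLES else v) for k, v in values.items()}
    return build_argv(executable, parameter, masked)


if __name__ == "__main__":
    # Constructed sample values standing in for a secret's fields.
    fields = {"$USER": "alice", "$PASSWORD": "s3cret", "$HOST": "10.0.0.5"}
    print(redacted_argv("putty.exe",
                        '-l $USER -pw $PASSWORD $HOST -m "C:\\Program Files\\cmd.txt"',
                        fields))
```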

    Initial Commands

    Commands that initialize the environment. See Creating a new launcher command.

    Clean Commands

    Commands that clean up the environment. See Creating a new launcher command.

    Launcher Port

    The launcher port number.

    The port number will be mapped to the launcher variable `$PORT`.

    The minimum allowed value is 1.

    Integrity Check

    Enable/disable integrity check. For information on integrity check, see Integrity check.

    The Integrity Check option can only be edited if you choose a launcher in the Launcher Name option with a client software entry enabled and selected.

    Note: The option is disabled by default.

    From the list, select a launcher and then select Edit to edit the launcher.

    From the list, select launchers and then select Delete to delete the launchers.

    Password Changer

    A password changer can be configured for a custom secret template to periodically change the password of a secret and to periodically check the health of a secret.

    Note: The option is enabled by default.

    Password Changer

    From the dropdown, select the password changer that will be used for this template or create a new password changer. See Creating a password changer.

    Use the search bar to look up a password changer.

    Use the pen icon next to a password changer to edit it.

    Port

    The port used for the password changer (default = 22).

    Password Policy

    The password policy to use in the password changer.

    From the dropdown, select a password policy or create a new password policy. See Creating a password policy.

    Use the search bar to look up a password policy.

    Use the pen icon next to a password policy to edit it.

    Max Number of Verification Retries

    The maximum number of retries allowed after which the connection fails (default = 10).

    Verify After Password Change

    When enabled, whenever a secret using the template performs a password change, the newly changed password is verified.

    Note: The option is enabled by default.

    TOTP Setting

    TOTP (Time-based one-time password) settings.

    The TOTP configuration from a secret template can be inherited by all the secrets using this template.

    When configuring the secret, you can override the secret template TOTP configuration. See TOTP Setting in Creating a secret.

    See Limitations of TOTP on FortiPAM.

    Length

    The length of the TOTP (default = 6; range 4 - 9).

    Duration

    The duration for which the TOTP is valid, in seconds (default = 30; range 30 - 90).

    Hash Algorithm

    Select from the following hash algorithms for TOTP:

    • HMAC-SHA-1 (default)

    • HMAC-SHA-256

    • HMAC-SHA-512

    Permission

    Template access control settings.

    Access

    Template accessible to:

    • Everyone: All users have Read/Write permission for templates (default).

    • Customized: A user permission and a group permission table must be configured.

    User Permission

    The level of user access to the template. See User Permission.

    The option is only available when Access is set to Customized.

    For column settings, see Tables.

    Group Permission

    The level of user group access to the template. See Group Permission.

    The option is only available when Access is set to Customized.

    For column settings, see Tables.

  5. Click Submit.

User Permission

  1. In Step 3, when Creating secret templates, select Create in User Permission.

    The New User Permission window opens.

  2. Enter the following information:

    Users

    Select + and from the list, select users in the Select Entries window.

    To add a new user:
    1. From the Select Entries window, select Create and then select +User Definition.

      The New User Definition wizard opens.

    2. Follow the steps in Creating a user, starting step 2 to create a new user.

    Use the search bar to look up a user.

    Use the pen icon next to a user to edit it.

    Permission

    From the dropdown, select an option:

    • Create Secret: Ability to see and use the template to create secrets.

    • Owner: The highest possible permission level with the ability to create, edit, and delete templates.

    Every template must have at least one owner.

  3. Click OK.

    From the list, select a user permission entry and then select Edit to edit it.

    From the list, select user permission entries and then select Delete to delete them.

Group Permission

  1. In Step 3, when Creating secret templates, select Create in Group Permission.

    The New Group Permission window opens.

  2. Enter the following information:

    Groups

    Select + and from the list, select user groups in the Select Entries window.

    To add a new user group:
    1. From the Select Entries window, select Create.

      The Create New User Group window opens.

    2. Follow the steps in Creating user groups, starting step 3.

    Use the search bar to look up a user group.

    Use the pen icon next to a user group to edit it.

    Permission

    From the dropdown, select an option:

    • Create Secret: Ability to see and use the template to create secrets.

    • Owner: The highest possible permission level with the ability to create, edit, and delete templates.

    Every template must have at least one owner.

  3. Click OK.

    From the list, select a user group permission entry and then select Edit to edit it.

    From the list, select user group permission entries and then select Delete to delete them.

Example: configuring TOTP settings via the secret template CLI commands

To configure TOTP settings via the CLI:
  1. In the CLI console, enter the following commands:

    config secret template
    edit Unix\ Account\ (SSH\ Password)
    config totp-setting
    set totp-length 8
    set totp-duration 30
    set hash-type hmac-sha1
    end
    end

Limitations of TOTP on FortiPAM

  1. TOTP auto delivery only supports SSH target authentication.
  2. Password changer does not support public key + TOTP authentication.
  3. With TOTP, WebSSH only supports the keyboard-interactive authentication method.
  4. With a non-proxy or Web launcher, the TOTP code must be copied and entered manually.
  5. Do not enable the password changer for an SSH server with password + FortiToken authentication if the username, password, and FortiToken are from another LDAP server.