Administration Guide

Creating a client software entry for integrity check

To create a client software entry for integrity check:
  1. Go to Secret Settings > Integrity Check and select Create.

    The New Client Software window opens.

  2. Enter the following information:

    Name

    The name of the client software entry.

    Package

    Configure client software packages. See Creating client software packages.

    While creating a client software entry for integrity check, you can either store the software package locally, i.e., on the FortiPAM disk, or provide an external URL from which the package is downloaded.

  3. Click Submit.

Creating client software packages

To create a client software package:
  1. In Step 1, when Creating a client software entry, select Create in the Package pane.

    The New Client Package window opens.

  2. Enter the following information:

    Name

    The name of the client software package.

    Integrity Check Option

    Select from the following integrity check options:

    • Executable hash: Comparing the executable hash with the provided value (default).

    • Certificate: Checking the certificate of a file.

    Hash Algorithm

    Select from the following hash algorithms:

    • MD5 (default)

    • SHA-1

    • SHA-256

    Note: The option is only available when the Integrity Check Option is Executable hash.

    Hash

    The package/folder hexadecimal hash value.

    Note: The option is only available when the Integrity Check Option is Executable hash.

    CA Certificate

    From the dropdown, select a CA certificate.

    Use the search bar to look up a CA certificate.

    Note: The option is only available when Integrity Check Option is Certificate.

    Package Download Option

    Select from the following two options:

    • Internal download URL

    • External download URL (default)

    External Download Url

    The external download URL for the client software package.

    Only installers are supported.

    Note: The option is only available when the Package Download Option is External download URL.

    Package

    Select + Upload File, locate the client software package from your management computer, and click Open.

    Note: The option is only available when the Package Download Option is Internal download URL.

  3. Click OK.

    From the list, select a client software package and then select Edit to edit the packages.

    From the list, select client software packages and then select Delete to delete the packages.
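The Executable hash option compares the hash of the package with the hexadecimal value entered in the Hash field, using the algorithm chosen under Hash Algorithm. The following Python script, added here as an example and not part of the FortiPAM documentation or Fortinet's code, computes that value for a package file under the same three algorithms (MD5, SHA-1, SHA-256) and checks a package against a stored hash the way an operator would before entering it in the Hash field. The function names, the constructed sample file and the chunk size are assumptions of this example. Where the choice is free, prefer SHA-256: MD5 (the dropdown default) and SHA-1 both have practical collision attacks, so two different files can share the same digest.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithm names as they appear in the Hash Algorithm dropdown, mapped to
# the hashlib constructor that implements each one.
HASH_ALGORITHMS = {
    "MD5": hashlib.md5,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
}


def compute_hash(source, algorithm="MD5", chunk_size=1 << 20):
    """Return the lowercase hex digest of `source` under `algorithm`.

    `source` is either a file path or a bytes object. Files are hashed in
    chunks so that a large installer is never loaded into memory at once.
    """
    try:
        constructor = HASH_ALGORITHMS[algorithm]
    except KeyError:
        raise ValueError(f"unsupported hash algorithm: {algorithm!r}")
    digest = constructor()
    if isinstance(source, (bytes, bytearray)):
        digest.update(source)
    else:
        with open(source, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def all_hashes(source):
    """Hash `source` under every supported algorithm; handy when deciding
    which value to paste into the Hash field."""
    return {name: compute_hash(source, name) for name in HASH_ALGORITHMS}


def verify_package(source, algorithm, expected_hex):
    """True when `source` hashes to `expected_hex` under `algorithm`.

    The stored value is normalised (surrounding whitespace, letter case)
    the way an operator would paste it, and compared in constant time so
    the comparison itself leaks nothing about the expected value.
    """
    expected = expected_hex.strip().lower()
    actual = compute_hash(source, algorithm)
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(actual, expected)


def demo():
    """Write a constructed sample 'package' to a temp file, hash it, and
    confirm that the path-based and bytes-based checks agree. Returns a
    dict with the computed hashes and the verification results."""
    sample = b"constructed sample installer bytes, not a real package\n"
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(sample)
        hashes = all_hashes(path)
        ok = verify_package(path, "SHA-256", hashes["SHA-256"].upper())
        # Flip one byte to simulate a tampered or swapped package.
        tampered = sample[:-2] + b"X\n"
        tampered_ok = verify_package(tampered, "SHA-256", hashes["SHA-256"])
        return {"hashes": hashes, "verified": ok, "tampered_verified": tampered_ok}
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = demo()
    for name, value in result["hashes"].items():
        print(f"{name:8} {value}")
    print("original verifies:", result["verified"])
    print("tampered verifies:", result["tampered_verified"])
```

Run the script against the installer you intend to upload (replace the constructed sample with a real path) and paste the digest for the algorithm you selected into the Hash field; if the verification ever fails for a package you previously registered, treat the package as changed until its provenance is re-established.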

Creating a client software entry for integrity check via the CLI (example)
  1. In the CLI console, enter the following commands to configure the client software table. In this example, the PuTTY launcher has two client software packages: x64 checks the file certificate and downloads the package from an external URL, while x86 checks the package against an MD5 checksum and stores the package locally.

    config secret client-software
        edit "putty"
            config pkg
                edit "x64"
                    set integrity-check cert
                    set download-option external
                    set external-url "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe"
                    set ca "Fortinet_SSL"
                    set client-name "putty"
                next
                edit "x86"
                    set hash-algo MD5
                    set hash "aeb47b393079d8c92169f1ef88dd5696"
                    set package-name "putty.exe"
                    set client-name "putty"
                next
            end
        next
    end

  2. Enter the following commands to go to the secret launcher table and bind the client software entry with the launcher.

    config secret launcher
        edit "PuTTY"
            set type ssh
            set client-software "putty"
        next
    end

  3. Enter the following commands to enable the integrity check option in the launcher settings of the template.

    config secret template
        edit "Unix Account (SSH Password)"
            config launcher
                edit 2
                    set launcher-name "PuTTY"
                    set port 22
                    set integrity-check enable
                next
            end
        next
    end

    With the configuration above, a secret that uses the Unix Account (SSH Password) template with PuTTY as its launcher runs an integrity check each time it is launched.
