Creating secret templates
To create a secret template:
- Go to Secret Settings > Templates.
- In the secret templates list, select Create.
The General tab in the New Secret Template window opens.
- Select Permission from the top to switch to the Permission tab.
- Enter the following information:
General
Name
Name of the template.
Description
Optionally, enter a description.
Server Information
The general type of server to which the template is intended to connect:
Unix-Like
Cisco
FortiOS
Other
Fields
Fields hold the information a secret stores, such as the target address, username, and password. A secret created from the template gets one value per field.
To add a new field, select + and enter the following information:
Name
The name of the field.
Field Type
From the dropdown, select a field type:
Target-Address: A target address field.
Domain: A domain field.
URL: A URL field.
Username: A username field.
Password: A password field.
Public-Key: A public-key field.
Private-Key: A private-key field.
Passphrase: A passphrase field.
Text: A text field.
Required
Enable to make the field required, or disable it to make the field optional.
Note: By default, all fields are marked as required.
From the list, click x next to a field entry to delete it.
Launcher
A launcher helps you access a target server. See Launchers.
A launcher lets you log in to a website or device without needing to know the credentials yourself.
You can add up to a maximum of 20 launchers per template.
To add a new launcher, select + and enter the following information.
When you select Web Launcher as the secret launcher, a new Web Filler tab allows you to configure advanced web filler settings, so that the extension can locate the correct web elements to patch the credential information into. See Auto web filler.
Launcher
From the dropdown, select a launcher.
Use the search bar to look up a launcher.
Use the pen icon to edit a custom launcher.
To create a new launcher, in the dropdown, select +.
Enter the following information and click Submit:
Name
The name of the launcher.
Type
From the dropdown, select a launcher type:
Other client: Other client launcher type.
Remote desktop: RDP client launcher type.
SSH client: SSH client launcher type.
VNC: VNC client launcher type.
Executable
The program file name, e.g., putty.exe for an SSH client.
Ensure that the program's directory is already in the Windows PATH environment variable before launching the secret.
Note: An absolute path is also supported, e.g.:
C:\Users\user1\Documents\putty.exe
C:\Users\user1\Documents\New folder\putty.exe
Parameter
The command line parameters. The following variables are replaced with values from the secret when the launcher runs:
$DOMAIN
$TARGET
$HOST
$USER
$PASSWORD
$VNCPASSWORD
$PASSPHRASE
$PUB_KEY
$PRI_KEY
$URL
$PORT
$TMPFILE
Example
For putty.exe as the Executable, the parameters are:
-l $USER -pw $PASSWORD $HOST
For putty.exe as the Executable with an SSH command file, the parameters are:
-l $USER -pw $PASSWORD $HOST -m C:\Users\user1\Desktop\cmd.txt
or
-l $USER -pw $PASSWORD $HOST -m "C:\Program Files\cmd.txt"
Note:
When there is no space in the path, double quotes are not necessary:
-l $USER -pw $PASSWORD $HOST -m C:\Users\user1\Desktop\cmd.txt
When there is a space in the path, the path must be enclosed in double quotes:
-l $USER -pw $PASSWORD $HOST -m "C:\Program Files\cmd.txt"
Note: PuTTY's -pw option places the password on the command line, where it is visible to other local processes (PuTTY's own documentation describes -pw as not secure). Where the target allows it, prefer key-based authentication or a proxy launcher that does not hand the password to a local client.
Client Software
Enable to select a client software entry from the dropdown. See Integrity check.
Use the search bar to look up a client software entry.
Note: The option is disabled by default.
Initial Commands
Configure initializing the environment. See Creating a new launcher command.
Clean Commands
Configure cleaning the environment. See Creating a new launcher command.
Launcher Port
The launcher port number. The port number is mapped to the launcher variable $PORT. The minimum allowed value is 1.
Integrity Check
Enable/disable the integrity check. For information on the integrity check, see Integrity check.
The Integrity Check option can only be edited if the launcher selected in Launcher Name has Client Software enabled and a client software entry selected.
Note: The option is disabled by default.
From the list, click x next to a launcher to delete it.
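The $VARIABLE substitution described under Parameter is easy to get wrong when a path contains spaces or a password contains characters the client's shell would interpret. The following is an added example, not FortiPAM code: it tokenizes a Parameter string the way the quoting rules above describe (double quotes group a path, backslashes are literal), substitutes the documented variables from a secret, and builds an argument list rather than a shell string, so you can check a launcher's parameters offline. The secret values are constructed samples; the per-token substitution and the error on unknown variables are this example's own design, not documented FortiPAM behaviour.

```python
"""Expand a FortiPAM-style launcher Parameter string into an argv list.

Added example, not FortiPAM code. It checks a Parameter string against the
quoting rules documented for the Parameter field and shows the credential
being passed as a discrete argument, never through a shell.
"""
from __future__ import annotations

import re
import subprocess

# The launcher variables the Parameter field documents.
LAUNCHER_VARS = {
    "DOMAIN", "TARGET", "HOST", "USER", "PASSWORD", "VNCPASSWORD",
    "PASSPHRASE", "PUB_KEY", "PRI_KEY", "URL", "PORT", "TMPFILE",
}
_VAR_RE = re.compile(r"\$([A-Z_]+)")


def tokenize(param_string: str) -> list[str]:
    """Split on whitespace, keeping double-quoted runs together.
    Backslashes are literal (Windows paths survive) and the quotes are
    stripped, so "C:\\Program Files\\cmd.txt" becomes one argument."""
    tokens, cur, in_quote, have_token = [], [], False, False
    for ch in param_string:
        if ch == '"':
            in_quote = not in_quote
            have_token = True          # "" is a valid empty argument
        elif ch.isspace() and not in_quote:
            if have_token:
                tokens.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if in_quote:
        raise ValueError("unbalanced double quote in parameter string")
    if have_token:
        tokens.append("".join(cur))
    return tokens


def expand_params(param_string: str, secret: dict) -> list[str]:
    """Replace every $VAR in each token with the secret's value.
    Unknown variables and missing fields are errors rather than being
    passed to the client as the literal text '$VAR'. Substitution is a
    single pass, so a password containing '$USER' is not expanded again."""
    def sub(match):
        name = match.group(1)
        if name not in LAUNCHER_VARS:
            raise ValueError(f"unknown launcher variable ${name}")
        if name not in secret:
            raise KeyError(f"secret has no value for ${name}")
        return secret[name]
    return [_VAR_RE.sub(sub, tok) for tok in tokenize(param_string)]


def build_command(executable: str, param_string: str, secret: dict) -> list[str]:
    """argv for the client: executable first, then the expanded parameters."""
    return [executable] + expand_params(param_string, secret)


def launch(executable: str, param_string: str, secret: dict):
    # An argv list with no shell: spaces or metacharacters in a password
    # cannot break the command apart. The values are still visible in the
    # local process list, which is the -pw caveat noted above.
    return subprocess.Popen(build_command(executable, param_string, secret))


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    sample = {"USER": "admin", "PASSWORD": "p@ss word", "HOST": "10.0.0.5"}
    print(build_command("putty.exe",
                        '-l $USER -pw $PASSWORD $HOST -m "C:\\Program Files\\cmd.txt"',
                        sample))
```

Run it with a candidate Parameter string and the field names of your template to see exactly what argv the client would receive; a `$` that survives in the output means a typo in a variable name.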
Password Changer
A password changer can be configured for a custom secret template to change the password of each secret periodically and to check the health of each secret periodically.
Note: The option is enabled by default.
Password Changer
From the dropdown, select the password changer that will be used for this template or create a new password changer. See Creating a password changer.
Use the search bar to look up a password changer.
Use the pen icon next to a password changer to edit it.
Port
The port used for the password changer (default = 22).
Password Policy
The password policy to use in the password changer.
From the dropdown, select a password policy or create a new password policy. See Creating a password policy.
Use the search bar to look up a password policy.
Use the pen icon next to a password policy to edit it.
Max Number of Verification Retries
The maximum number of verification retries; once it is exceeded, the connection is reported as failed (default = 10).
Max Record of Credential History
The maximum number of credential history entries kept in the database (default = 5).
Verify After Password Change
When enabled, whenever a secret using this template changes its password, the newly changed password is verified.
Note: The option is enabled by default.
TOTP Setting
TOTP (Time-based one-time password) settings.
The TOTP configuration from a secret template can be inherited by all the secrets using this template.
When configuring the secret, you can override the secret template TOTP configuration. See TOTP Setting in Creating a secret.
Length
The length of the TOTP (default = 6, 4 - 9).
Duration
The duration for which the TOTP is valid, in seconds (default = 30, 30 - 90).
Hash Algorithm
Select from the following hash algorithms for TOTP:
HMAC-SHA-1 (default)
HMAC-SHA-256
HMAC-SHA-512
Permission
Template access control settings.
Accessibility
Template accessible to:
Everyone: All users have Read/Write permission for templates (default).
Customized: A user permission and a group permission table must be configured.
Create Secret
From the list, select the users/user groups able to see the template and use it to create secrets.
The option is only available when Accessibility is set to Customized.
Owner
From the list, select the users/user groups with the highest permission level, that is, the ability to create, edit, and delete the template.
Every template must have at least one owner.
The option is only available when Accessibility is set to Customized.
- Click Submit.
User Permission
- In Step 3, when Creating secret templates, select Customized in Accessibility.
- In the Create Secret dropdown, select users with the ability to see and use the template to create secrets.
- In the Owner dropdown, select users with the highest possible permission level and with the ability to create, edit, and delete templates.
- Click Submit.
From the list, click x next to an entry to delete it.
Group Permission
- In Step 3, when Creating secret templates, select Customized in Accessibility.
- In the Create Secret dropdown, select user groups with the ability to see and use the template to create secrets.
- In the Owner dropdown, select user groups with the highest possible permission level and with the ability to create, edit, and delete templates.
- Click Submit.
From the list, click x next to an entry to delete it.
Example: configuring TOTP settings via the secret template CLI commands
To configure TOTP settings via the CLI:
- In the CLI console, enter the following commands:
config secret template
    edit Unix\ Account\ (SSH\ Password)
        config totp-setting
            set totp-length 8
            set totp-duration 30
            set hash-type hmac-sha1
        end
    end
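The three TOTP settings (length, duration, hash algorithm) map directly onto the RFC 6238 parameters, and a mismatch between the template and the target's enrolment produces codes that are always rejected. The following is an added example, not FortiPAM code: a minimal RFC 6238 implementation that accepts the same three settings with the same ranges the template allows (4-9 digits, 30-90 seconds, HMAC-SHA-1/256/512), plus a verifier that tolerates one step of clock skew. The seeds used are the RFC 6238 Appendix B test vectors, not real secrets, so the expected codes can be checked against the RFC.

```python
"""RFC 6238 TOTP with the parameters a FortiPAM secret template exposes:
digit length (4-9), time step (30-90 s) and HMAC hash (SHA-1/256/512).

Added example, not FortiPAM code. Use it to confirm that a seed combined
with the template's settings produces the codes the target expects.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# CLI hash-type names mapped to hashlib constructors.
HASHES = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def hotp(secret: bytes, counter: int, digits: int, hash_type: str) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation,
    then modulo 10^digits, zero-padded to the configured length."""
    if not 4 <= digits <= 9:
        raise ValueError("totp-length must be 4..9")
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[hash_type]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, duration: int = 30,
         hash_type: str = "hmac-sha1", at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if not 30 <= duration <= 90:
        raise ValueError("totp-duration must be 30..90 seconds")
    now = time.time() if at is None else at
    return hotp(secret, int(now // duration), digits, hash_type)


def verify_totp(secret: bytes, code: str, digits: int = 6, duration: int = 30,
                hash_type: str = "hmac-sha1", at: Optional[float] = None,
                window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps, using a
    constant-time comparison so a verifier does not leak matching digits."""
    now = time.time() if at is None else at
    step = int(now // duration)
    return any(
        hmac.compare_digest(hotp(secret, step + d, digits, hash_type), code)
        for d in range(-window, window + 1)
    )


# The settings from the CLI example above: 8 digits, 30 s, HMAC-SHA-1.
TEMPLATE = dict(digits=8, duration=30, hash_type="hmac-sha1")

if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 seed, not a real secret
    print(totp(seed, at=59, **TEMPLATE))          # 94287082 per RFC 6238
    print(verify_totp(seed, "94287082", at=89, **TEMPLATE))  # True: one step of skew
```

If a target rejects every code, compare `hash_type` and `digits` first: a SHA-256 enrolment verified with HMAC-SHA-1 fails on every step, whereas a clock problem typically fails only intermittently and is covered by the skew window.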
Limitations of TOTP on FortiPAM
- TOTP auto delivery only supports SSH target authentication.
- Password changer does not support public key + TOTP authentication.
- With TOTP, WebSSH only supports the keyboard-interactive authentication method.
- With a non-proxy or Web launcher, the TOTP code must be copied and entered manually.
- Do not enable the password changer for an SSH server with password + FortiToken authentication if the username, password, and FortiToken are from another LDAP server.
Auto web filler
When you launch a secret with the web launcher, the extension automatically enters the user name and password to log in to the target website.
However, the basic web launching feature has the following three limitations:
- On some websites, the extension cannot find the user name or password field correctly using its predefined key.
- After logging in to a website, the extension tries to fill the user name or password into an unrelated field.
- The extension can only fill in the user name and password; a 2FA token is not supported.
The auto web filler fixes these issues with web launching.
The feature requires the Microsoft Edge or Google Chrome extension V3.
To configure auto web filler for the web launcher:
- When configuring a secret template as shown in Creating a secret template, select Web Launcher as the Launcher.
A new Web Filler tab is available.
- Go to the Web Filler tab.
- Enter the following information:
Authentication path
The URL suffix of the authentication path, that is, the login page of the website.
The extension checks each URL it visits against the authentication path and applies the configured settings if it matches.
The authentication path can be just part of the desired URL. For example, /#login can be added instead of https://fortipam.ca/#login to allow matching on various sites.
Field
The field from the secret whose value is patched into the element located by the selector.
The field can be the user name or the password, and refers to the user name/password value in the secret's configuration.
Web Element Selector: The selector for the element in the HTML. This can be found with the browser's inspect mode.
The selector defines how to locate the user name/password fields on the login page.
Override Path: The path to search for the selector instead of the authentication path.
By default, this is empty, which means the user name/password fields are located on the page given in Authentication path.
If the page for entering the user name/password is different from the one given in Authentication path, fill in the path of that page.
Mask: Whether a mask is applied to the value to be filled in.
If enabled, enter the value in the mask format.
Additional secret fields can also be sent to the extension and auto-filled during the login process, for example a token used for 2FA.
Token
The token from the secret is patched into the element located by the selector.
Attribute: The token value.
Web Element Selector: The selector for the element in the HTML. This can be found with the browser's inspect mode.
The selector defines how to locate the token field on the page.
Override Path: The path to search for the selector instead of the authentication path.
By default, this is empty, which means the token field is located on the page given in Authentication path.
If the page for entering the token is different from the one given in Authentication path, fill in the path of that page.
Mask: Whether a mask is applied to the value to be filled in.
If enabled, enter the value in the mask format.
- The General and Permission tabs can be configured as shown in Creating a secret template.
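The interaction between Authentication path and Override Path is what prevents the second limitation above (credentials typed into an unrelated field after login): each entry is filled only on the page it is configured for. The following is an added example, not the FortiPAM extension's code, that models those rules for a constructed two-page login (user name on /#login, password on /#password, token on /#mfa) and returns the (selector, value) pairs that would be patched on a given URL. It assumes the path is matched as a plain substring of the visited URL, which is how the page describes matching /#login across sites; whether the real extension anchors the match to the end of the URL is not stated, and the Mask option is not modelled.

```python
"""Model of the auto web filler's page-matching rules.

Added example, not the FortiPAM extension's code. Given a Web Filler
configuration and a visited URL, return which secret values would be
patched into which elements on that page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FillerEntry:
    secret_field: str        # "username", "password" or "token"
    selector: str            # Web Element Selector from inspect mode
    override_path: str = ""  # empty: fill on the Authentication path page


@dataclass
class WebFillerConfig:
    authentication_path: str               # e.g. "/#login"
    entries: List[FillerEntry] = field(default_factory=list)


def page_for(cfg: WebFillerConfig, entry: FillerEntry) -> str:
    """An entry is filled on its Override Path if set, else on the login page."""
    return entry.override_path or cfg.authentication_path


def url_matches(path: str, url: str) -> bool:
    """Assumption: the configured path only has to be part of the URL, so
    "/#login" matches https://fortipam.ca/#login and any other host."""
    return bool(path) and path in url


def fills_for_url(cfg: WebFillerConfig, url: str,
                  secret: Dict[str, str]) -> List[Tuple[str, str]]:
    """(selector, value) pairs to patch on this URL, in configuration order.
    Entries bound to another page are skipped, which keeps the password
    out of unrelated inputs on a post-login page."""
    return [
        (e.selector, secret[e.secret_field])
        for e in cfg.entries
        if url_matches(page_for(cfg, e), url) and e.secret_field in secret
    ]


# Constructed two-page login flow; selectors and paths are illustrative.
SAMPLE_CONFIG = WebFillerConfig(
    authentication_path="/#login",
    entries=[
        FillerEntry("username", "input[name=user]"),
        FillerEntry("password", "input[type=password]", override_path="/#password"),
        FillerEntry("token", "#otp", override_path="/#mfa"),
    ],
)

if __name__ == "__main__":
    # Constructed sample secret; not real credentials.
    sample_secret = {"username": "alice", "password": "hunter2", "token": "123456"}
    for url in ("https://app.example.test/#login",
                "https://app.example.test/#password",
                "https://app.example.test/dashboard"):
        print(url, "->", fills_for_url(SAMPLE_CONFIG, url, sample_secret))
```

When tuning a template, walk the real login flow in the browser and feed each URL to `fills_for_url`: a page that returns more entries than it has inputs for is where the extension would patch a value into the wrong element.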