Settings
The System Admin Settings menu provides in-depth configuration of your CPAM server. From this menu, located in the System Admin tab, you can manage your entire server's behavior. This document describes the different configurations available for your CPAM System Admin.
To view all the settings, navigate to the System Admin tab and hover over the Settings menu.
The available settings are:
- System Settings
- Plugin Settings
- AD/LDAP Settings
- SAML Settings
- Passwords & Accounts
- API Keys
- Report Distribution Lists
- System Messages
- Mail Settings
- User Fields
- Gatekeeper Fields
- Host Fields
- Field Patterns
- Connection Forms
- Global Host Groups
- Tunneled Services
- Best Practices Checklist
- Archiving and Pruning
System Settings
The System Settings page enables you to view and add authorized domains, establish a custom form, manage customer credentials, set your server to maintenance mode, set expiration time for a session in your CPAM server, set Best Practices, share audit logs with a syslog server, and change your Connection Manager encryption preference.
The following sections provide details on each section in the System Settings page.

As its name suggests, the Authorized Domains section contains a list of all the domains (@domain.com) that a user's or customer's email can have to access your CPAM server. The system displays these authorized domains in the New Customer and New User forms. Only System Admins can add, remove, and set domains as primary.
To create an authorized domain:
- Click Add Domain.
- Type the domain after the @ symbol. Instead of "@company.com", type "company.com".
- Click Save.
To remove an authorized domain, click Remove in the domain list. The system must have at least one authorized domain at all times, so you can only remove domains when you have created a new domain, and have set it to Primary Domain.
To set a domain as the Primary Domain, click Set in the domain list. The domain moves to the top of the list. The Primary Domain is the default domain used when adding new users.

The Custom Form Settings enable you to set a default Connection Form. Read the Connection Forms section in this document.
To set a Default Connection Form, click the drop-down menu and select the custom form you want to establish as the default.

Use the Customer Credential Settings to set a notification message for users that want to view a customer credential’s password. Type the notification message in the View Credential Password Notification Message field.
If the Send Credential Notifications to Gatekeeper Notification List option is checked, the system sends an email to the customer linked to the credential and the emails set in the Notification List for Customer Credential Actions.

Maintenance Mode disables access to the CPAM server for non-administrator users. When you set your CPAM server in Maintenance Mode, the system displays a customizable message that your non-admin users see when they try to log in to the CPAM server.
Check the Schedule end of maintenance mode at: option to provide access to your users at a specific date and time. If you do not set an end date, a System Admin must Disable the maintenance mode manually in this same page.
The system effectively disables access 10 minutes after you click Save.

The Web Session Expiration enables you to set how long an idle session remains active.

The Best Practices Settings enable you to select the compliance Best Practices for the system to continuously evaluate. For more information on the available best practices, use the following resources:

Syslog Server enables you to export audit and system events via UDP to an external server running the Syslog service. If no port number is specified, UDP port 514 is assumed.
You can specify a port by putting it after the IP Address, separated by a colon. In many cases, DNS resolution may not be configured on the CPAM server, so it's often best to avoid using host names when specifying a syslog server.
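The following Python script is an added example, not part of the CPAM documentation or product code. It shows how the Syslog Server value is interpreted (a bare IP uses UDP port 514, an IP followed by a colon and a number uses that port, and a host name is flagged because it depends on DNS resolution on the CPAM server) and what one exported event looks like on the wire as a BSD-syslog datagram. The facility (local0), tag and sample event text are constructed assumptions, not values taken from CPAM.

```python
import ipaddress
import socket
from datetime import datetime, timezone

DEFAULT_SYSLOG_PORT = 514   # assumed when the setting carries no ":port" suffix
FACILITY_LOCAL0 = 16        # constructed choice; PRI = facility * 8 + severity (RFC 3164)
SEVERITY_INFO = 6
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone.utc)  # fixed clock for the demo


def parse_syslog_target(setting):
    """Parse the Syslog Server setting ('IP' or 'IP:port').

    Returns (host, port, is_ip_literal). is_ip_literal is False for host names,
    which only work if DNS resolution is configured on the CPAM server."""
    setting = setting.strip()
    try:                                    # bare IP literal (v4 or v6): default port
        ipaddress.ip_address(setting)
        return setting, DEFAULT_SYSLOG_PORT, True
    except ValueError:
        pass
    host, sep, port_text = setting.rpartition(":")
    if not sep or not port_text.isdigit():
        host, port = setting, DEFAULT_SYSLOG_PORT
    else:
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    host = host.strip("[]")                 # accept [2001:db8::1]:514 for IPv6
    try:
        ipaddress.ip_address(host)
        return host, port, True
    except ValueError:
        return host, port, False


def format_syslog_message(event, hostname="cpam", when=None,
                          facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Build a BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOST TAG: MSG."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    # RFC 3164 timestamps pad the day with a space, e.g. "Mar  5 14:07:09"
    timestamp = when.strftime("%b") + f" {when.day:2d} " + when.strftime("%H:%M:%S")
    return f"<{pri}>{timestamp} {hostname} cpam-audit: {event}"


def export_event(setting, event, sock=None):
    """Send one event as a UDP datagram to the configured server; returns the bytes sent."""
    host, port, is_ip = parse_syslog_target(setting)
    if not is_ip:
        print(f"warning: {host!r} is a host name; DNS may not be configured on the CPAM server")
    datagram = format_syslog_message(event).encode("utf-8")
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    own_socket = sock is None
    if own_socket:
        sock = socket.socket(family, socket.SOCK_DGRAM)
    try:
        sock.sendto(datagram, (host, port))   # UDP: no delivery confirmation
    finally:
        if own_socket:
            sock.close()
    return datagram


if __name__ == "__main__":
    # Loopback demo: a throwaway receiver plays the role of the syslog server.
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))
    port = receiver.getsockname()[1]
    export_event(f"127.0.0.1:{port}", "user=alice action=view_credential_password")
    print(receiver.recv(2048).decode())
    receiver.close()
```

Because the export is UDP, nothing tells the CPAM server whether the datagram arrived; confirm delivery on the syslog server side (and keep the receiver on a network path where the audit events cannot be observed by untrusted hosts).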

The Connection Manager Cipher Preference setting enables you to express a preference for the encryption cipher used in the Connection Manager when users connect to CPAM sessions. Since export control may limit the available ciphers for some users, a small number of users may fall back to a cipher with a shorter key length than the expressed preference. CPAM recommends 128-bit AES as a compromise between connection efficiency and security appropriate for most systems.
Plugin Settings
The Plugin Settings provide options for System Admins to configure Privileged Access Management (PAM) provider plugins. In this page, you can start and stop PAM providers plugins, or create a new PAM Server Configuration.

The Privileged Access Management (PAM) Server Configurations are used by PAM provider plugins to connect to remote, third party PAM servers and vaults.
An Administrator can only create Global PAM configurations, which assume that the remote PAM vault is directly accessible by the CPAM Server.
Customer users, particularly Gatekeeper or Application administrators, can create PAM Configurations that use one of their managed Sites as a tunnel for the PAM provider plugin to reach the vault, allowing the CPAM server to use vaults that reside within that Customer's networks and would otherwise be unreachable.
When creating PAM Configurations, administrators need to provide a Name, a Description, and a URL that the plugin uses to make its requests. This endpoint must be accessible from the CPAM server. Along with those configurations, administrators must select a PAM provider plugin that is currently loaded into the server, and configure its required Connection Parameters as specified.
Placeholders can be used in these settings so that the plugin connects to the remote vault with values specific to each request. To see the list of placeholders, hover your mouse over Help.
Placeholders are resolved, each time a credential is requested, according to the service, host, and user that is trying to access the service. PAM plugins use these values as part of their workflow when connecting to the remote provider.
AD or LDAP Settings
The Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) Settings enable you to set AD or LDAP Credentials from an AD or LDAP provider. This feature facilitates the authentication of your CPAM server users by pulling their identity and credentials from an AD or LDAP provider. Additionally, this page enables you to set a default user role and user group for users that sign in to your CPAM server using the linked AD or LDAP provider.

The Global Properties section enables you to set a default user role and user group for new users that receive access to your CPAM server. Your CPAM server sets the default to Standard User for the user role and defaultUserGroup for their user group. Click Edit to modify these settings.
Read the User Groups and Roles sections of the System Admin Guide to create new user roles and user groups.

The Credentials section enables you to configure the query that the CPAM server should run in your AD or LDAP provider to obtain the users' IDs and credentials.
The AD/LDAP Providers section enables you to link your provider to your CPAM server.
You can add more than one query in more than one provider.
To add an AD/LDAP Provider, you must create a Credential first. This enables the system to link the Credential to your Service Provider.
SAML Settings
The SAML Settings page contains the configuration of SAML in your CPAM server. You can upload your Identity Provider Metadata to configure SAML.
Passwords & Accounts
The Passwords & Accounts page enables you to configure settings for user accounts, passwords, physical devices, Remote Desktop Protocol (RDP), authentication requirements, authorized networks, and API Keys.

User Account Settings allows you to:
- Disable Inactive and Not Registered accounts after a custom number of days.
- Notify users about their account disablement.
- Set a number of failed login attempts in a given time before being locked out.
- Set the unlocking of an account to a time limit or a manual override.
- Set the minimum length for a User ID.
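The lockout rule above (a number of failed attempts within a time window, then unlock after a time limit or by manual override) is easy to get wrong, so here is an added Python example of the logic. It is not CPAM's implementation; the threshold, window and lockout values, the user IDs and the fixed clock are all constructed for the demo, and `lockout_minutes=None` is this example's way of expressing "manual override only".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASE_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def at(minutes):
    """Clock helper for the demo: BASE_TIME plus the given number of minutes."""
    return BASE_TIME + timedelta(minutes=minutes)


class LoginLockoutPolicy:
    """Lock an account after max_attempts failed logins within window_minutes.

    lockout_minutes=None means the lock stays until an administrator calls unlock()."""

    def __init__(self, max_attempts=5, window_minutes=15, lockout_minutes=30):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes) if lockout_minutes is not None else None
        self._failures = defaultdict(deque)   # user_id -> timestamps of recent failures
        self._locked_until = {}               # user_id -> expiry datetime, or None for manual unlock

    def is_locked(self, user_id, now):
        if user_id not in self._locked_until:
            return False
        until = self._locked_until[user_id]
        if until is None:
            return True                       # manual override required
        if now >= until:
            self.unlock(user_id)              # time limit elapsed
            return False
        return True

    def record_failure(self, user_id, now):
        """Register a failed login attempt; returns True if the account is (now) locked."""
        if self.is_locked(user_id, now):
            return True
        recent = self._failures[user_id]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop attempts outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[user_id] = (now + self.lockout) if self.lockout is not None else None
            recent.clear()
            return True
        return False

    def record_success(self, user_id, now):
        """True if the login may proceed. Valid credentials do not bypass an active lock."""
        if self.is_locked(user_id, now):
            return False
        self._failures.pop(user_id, None)     # a successful login resets the failure count
        return True

    def unlock(self, user_id):
        """Manual override by an administrator (also used when the time limit elapses)."""
        self._locked_until.pop(user_id, None)
        self._failures.pop(user_id, None)


if __name__ == "__main__":
    policy = LoginLockoutPolicy(max_attempts=3, window_minutes=10, lockout_minutes=30)
    for minute in range(3):
        print("alice locked:", policy.record_failure("alice", at(minute)))
    print("alice may log in at +5 min:", policy.record_success("alice", at(5)))
    print("alice may log in at +35 min:", policy.record_success("alice", at(35)))
```

Two details matter for detection and incident handling: a correct password presented during a lock must still be refused (otherwise the lock only slows a guessing attack), and failures outside the window must expire so that a legitimate user is not locked out by stale attempts.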

Password Settings allows you to set password rules for all user types.
Changes to the system password policy apply to new User accounts, or to Users who reset their password.

Physical Devices Authentication enables you to set a physical device as an authentication factor, instead of or in addition to a password. Physical devices can be keycards or fingerprint readers.

RDP Settings enable you to set the access you have to your customer's assets (specifically drives and printers) during a session. You can also allow your users to override your policy.

Authentication Requirements enable you to enforce authentication through:
- Authorized Networks
- Email Verification
- Mobile Authenticator
- Multi-Factor Authentication (MFA) for Nexus Users
To set MFA for the Nexus Application, your users must have access to one of the following MFA methods: mobile authentication via SMS or authentication application, SAML with MFA, or authorized IP network configuration.
Additionally, your CPAM server must be version 19.4 for mobile authentication and authorized IP network configuration or 23.1.12 for SAML with MFA configuration.
Finally, you and your Nexus users must configure MFA authentication at the same time. Otherwise, the connection between the Nexus application, your CPAM, and your Users will break.

Authorized Networks displays all available networks. A user can add a new network or delete an existing network.

The API Keys Settings enable you to set rules for API Keys in your CPAM server. From this page, you can disable API Keys and set expiration dates for API keys and tokens.
API Keys
The API Keys page enables you to create, edit, reset, and expire API Keys. To create an API Key, click New API Key. After you complete the New API Key form, the system displays a pop-up with the newly created API Key.
Copy and safe-keep the API Key, as it cannot be seen again.
After you close the pop-up, you can Edit, Reset, and Expire the API Key.
Report Distribution Lists
Your CPAM server enables you to create distribution lists to share specific reports with key people in your organization.
To create a distribution list, click New Report Distribution List. Type the emails of the people who receive the report. When you finish, click Save.
These users will receive reports set in your Reports tab.
System Messages
System Messages enables you to configure messages for your CPAM users and your customers.

The Administrator Notification List is an email address that is used to deliver internal notifications about system events to your system administrators. A distribution list is recommended if you would prefer to notify more than one recipient.

The System Message opens as a banner across the top of the Login page, or optionally on every page. This is useful to notify Users of upcoming system downtime or system policy changes. If you enter a number in Expire message in ____ hours, the System Message automatically disappears after the specified time has elapsed. Click the colored boxes to set the text and background colors of the message. To delete a message, clear the Message area and click Save.

The Login Page Note appears as a notice on the Login page. This is useful to provide information to everyone prior to login. You can use HTML in the note, which is sanitized before display to prevent dangerous tags.

Login Help Contact Information appears as help contact information on the Authorization page (when an authorization key is requested right after authenticating at Login) and on the Forgot Password page. This is useful to provide information about who to contact in case the authorization key is not received or the password is forgotten. You can use HTML in the contact information, which is sanitized before display to prevent dangerous tags.

The Report A Problem Email feature allows vendor reps to submit any issues they encounter while using CPAM. You can designate a contact email address to receive notifications on problems encountered during sessions directly from the CPAM server.

Support Contact Information allows you to customize the contact information on the footer of the emails sent by the application. The default values are a general CPAM contact email and phone number. You can update one or both values to reflect specific internal support routes, such as a help desk or administrator.

The Quick Connect Terms and Conditions message appears when a user receives your Quick Connect invitation. See Sessions for more information on Quick Connect.
Mail Settings
Mail Settings has the connection information for sending an email. Only two protocols are supported: SMTP and TLS. Typically SMTP is port 25, and TLS is port 587. SSL (port 465) is not supported since it has been replaced by TLS.
Up to three different mail servers can be configured. The Primary Mail Server is the preferred one. This provides some resilience in the mail delivery service. In case CPAM is not able to connect to the primary server, it uses the First Backup Mail Server to send emails. In case the First Backup Mail Server is not usable, CPAM tries the Second Backup Mail Server instead.
Test emails can be sent from the Mail Settings section. This makes it easy to verify that the mail settings for each server are correct before saving the configuration.
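To make the failover order concrete, here is an added Python example (not CPAM's own mail code) that tries the Primary, First Backup and Second Backup servers in sequence, using plain SMTP on port 25 or SMTP upgraded with STARTTLS on port 587, and rejects an SSL/465 entry as unsupported. The host names are hypothetical, and `FakeSMTP` is a constructed offline stand-in for `smtplib.SMTP` so the script runs without a real mail server; pass the real `smtplib.SMTP` (the default) to deliver for real.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Ports the Mail Settings page documents for each supported protocol
DEFAULT_PORTS = {"SMTP": 25, "TLS": 587}

# Constructed server records in the order CPAM tries them (hypothetical host names)
MAIL_SERVERS = [
    {"role": "Primary Mail Server", "host": "mail1.example.com", "protocol": "TLS"},
    {"role": "First Backup Mail Server", "host": "mail2.example.com", "protocol": "SMTP"},
    {"role": "Second Backup Mail Server", "host": "mail3.example.com", "protocol": "TLS"},
]


def server_port(server):
    """Resolve the port for a server entry; anything but SMTP/TLS (e.g. SSL on 465) is rejected."""
    protocol = server["protocol"]
    if protocol not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {protocol!r}: only SMTP (25) and TLS (587) are supported")
    return server.get("port", DEFAULT_PORTS[protocol])


def deliver_once(server, message, smtp_factory=smtplib.SMTP):
    """Deliver through one server: plain SMTP, or SMTP upgraded with STARTTLS for 'TLS'."""
    with smtp_factory(server["host"], server_port(server), timeout=10) as smtp:
        if server["protocol"] == "TLS":
            # create_default_context() verifies the server certificate and host name
            smtp.starttls(context=ssl.create_default_context())
        smtp.send_message(message)


def send_with_failover(servers, message, smtp_factory=smtplib.SMTP):
    """Try Primary, then First Backup, then Second Backup.

    Returns (role that delivered the message or None, list of failure descriptions)."""
    failures = []
    for server in servers:
        try:
            deliver_once(server, message, smtp_factory)
            return server["role"], failures
        except (OSError, smtplib.SMTPException) as exc:   # unreachable or refused: try the next one
            failures.append(f"{server['role']} ({server['host']}): {exc}")
    return None, failures


def build_test_message(recipient, subject="CPAM mail settings test"):
    msg = EmailMessage()
    msg["From"] = "cpam@example.com"
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Test email sent from the Mail Settings page.")
    return msg


class FakeSMTP:
    """Constructed offline stand-in for smtplib.SMTP: only hosts in `reachable` accept a connection."""
    reachable = set()
    sent = []

    def __init__(self, host, port, timeout=None):
        if host not in FakeSMTP.reachable:
            raise ConnectionRefusedError(f"{host}:{port} unreachable")
        self.host = host

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def starttls(self, context=None):
        pass

    def send_message(self, message):
        FakeSMTP.sent.append((self.host, message["Subject"]))


if __name__ == "__main__":
    FakeSMTP.reachable = {"mail3.example.com"}      # primary and first backup are down
    print(send_with_failover(MAIL_SERVERS, build_test_message("admin@example.com"), FakeSMTP))
```

Configuration mistakes (an unsupported protocol) raise immediately instead of being swallowed by the failover loop, because silently skipping a misconfigured primary server would hide the problem until the backups also fail.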
Custom Fields
Custom Fields are created and edited by System Admins to allow additional data to be kept about Users, Gatekeepers, and Hosts.

To create a new Custom Field, click New in the User Fields, Gatekeeper Fields, or Host Fields settings. Complete the form and Save your custom field.

The New Custom Field form has the following configurations:
- Label: The value that is displayed to the user who is editing or viewing the Gatekeeper information.
- Type: The field type to render:
  - Drop-down: A list of pre-defined options.
  - Radio: A list of options from which the user must select one.
  - Text: A field where the user inputs text.
  - Multi-Select: A list of options from which the user may select more than one.
  - Check Box: A boolean option.
- Required: Whether the field must be filled in.
Additionally, the New Custom Field form has advanced configuration options:
- Sort Priority: This numeric value is required (default: 10) and is used to order the values on the View and Edit pages. Items are sorted first by this value (smallest to highest) and then in alphabetic order by the Label value.
- Minimum Length: The user input must have at least this many characters. Spaces count as characters.
- Maximum Length: The user input must not be longer than this many characters. Spaces count as characters.
- Regex Pattern: The system administrator may select a Regular Expression Field Pattern from the defined values. See Field Patterns for more information.

Click Edit from the list of Custom Fields to edit an existing Custom Field.

If you click Test this Regex, a separate page opens where you can enter some test text and validate that your Regular Expression works. From this page, click Save new Field Pattern to return to the Add New Field Pattern page.
Field Patterns
Field Patterns are used in multiple areas of the system including Custom Fields and Connection Forms. Field patterns consist of four pieces of information.

The name is used to distinguish a Field Pattern from the others. This human-readable name appears in drop-down selections.

Regular expressions are the most important piece of information. Regular Expressions are a very powerful way of matching (or not matching) strings of text based on defined patterns.
| Example Pattern | Example Error Message |
|---|---|
| ^\d+$ | This field can only contain numbers. |
| ^[€\$]\d+\.*\d{0,2}$ | Please enter a price in either USD or EUR, like €3 or $5.02. |
| ^\d{4}$ | This field must be a four-digit code. |
| (?=.{7})(?:.*?[a-zA-Z]){3}.* | At least 7 characters, 3 of which must be letters A-Z. |
| ^\d{3}-[A-Z]+$ | Customer IDs are 3 numbers, a dash, then some uppercase letters. |

The error message is the text displayed to the user when the pattern does not match.

Pattern Flags are not commonly used.
For more information, see the official Oracle Java documentation site.
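The Python script below is an added example, not part of CPAM, that applies the Field Patterns from the table above together with the Custom Field rules described earlier (Required, Minimum Length and Maximum Length, with spaces counted as characters). The validation function, its messages for the length checks, and the rule that an empty optional field skips the length and pattern checks are this example's own assumptions. Python's `re.search` is used in place of the server's Java engine; for these five patterns the two engines agree, and the `check_pattern_samples` helper plays the role of the "Test this Regex" page for quickly trying candidate inputs.

```python
import re

# Field Patterns from the documentation table: name -> (regular expression, error message)
FIELD_PATTERNS = {
    "numbers_only": (r"^\d+$", "This field can only contain numbers."),
    "price": (r"^[€\$]\d+\.*\d{0,2}$",
              "Please enter a price in either USD or EUR, like €3 or $5.02."),
    "four_digit_code": (r"^\d{4}$", "This field must be a four-digit code."),
    "seven_with_letters": (r"(?=.{7})(?:.*?[a-zA-Z]){3}.*",
                           "At least 7 characters, 3 of which must be letters A-Z."),
    "customer_id": (r"^\d{3}-[A-Z]+$",
                    "Customer IDs are 3 numbers, a dash, then some uppercase letters."),
}


def validate_custom_field(value, required=False, min_length=None, max_length=None,
                          pattern_name=None):
    """Return None when the value is accepted, otherwise the message to show the user.

    Checks run in the order Required, Minimum Length, Maximum Length, Regex Pattern
    (assumed order for this example). len() counts spaces, as the documentation states."""
    if value == "":
        return "This field is required." if required else None   # optional and empty: accepted
    if min_length is not None and len(value) < min_length:
        return f"Must be at least {min_length} characters."
    if max_length is not None and len(value) > max_length:
        return f"Must be at most {max_length} characters."
    if pattern_name is not None:
        regex, message = FIELD_PATTERNS[pattern_name]
        if re.search(regex, value) is None:
            return message
    return None


def check_pattern_samples(regex, samples):
    """Like the 'Test this Regex' page: report which sample strings the pattern accepts."""
    return {sample: re.search(regex, sample) is not None for sample in samples}


if __name__ == "__main__":
    for name, (regex, _) in FIELD_PATTERNS.items():
        print(name, check_pattern_samples(regex, ["12345", "€3", "$5.02", "abc1234", "123-ABC"]))
    print(validate_custom_field("ab c", min_length=5))
    print(validate_custom_field("123-abc", pattern_name="customer_id"))
```

One caveat worth knowing when writing patterns: in both Java and Python, `$` without the MULTILINE flag also matches just before a trailing newline, so a value ending in a line break can pass a `^...$` pattern; trim the input before validating if that matters for your field.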
Connection Forms
Connection Forms are customizable formats that you create to obtain information from the CPAM user that initiates a connection to a Gatekeeper and starts a session with a customer through the Connection Manager. The format helps you and your customer to track all the connections and sessions between your CPAM server, your CPAM users, and your customers.
To create a connection form, click New and provide a unique name and description for your connection form. After your connection form is created, you can click View to add fields that may or may not have a Field Pattern.
After you finish editing your connection form, navigate to the System Settings to set it as the default.
Global Host Groups
The Global Host Groups feature provides the capability to create Global Host Groups that can be applied to Gatekeeper hosts by CPAM System Admins.
When editing a Gatekeeper host, the CPAM Administrator can assign a Global Host Group to the host from the list of Global Host Groups.
When a User connects to a Gatekeeper, the User is able to group the hosts together by their Global Host Group, to help organize Gatekeepers with many hosts, as opposed to simply sorting all hosts alphabetically when grouping is not used.
Users are also able to show/hide groups to display only the groups they are interested in.
Best Practices Checklist
This feature checks and reports the status of several system settings. Each option displays whether or not the recommended setting has been met. An overall score is assigned based on the number of passing checks.
The administrator is allowed to accept the current score, or fix the settings with a click on the individual checks.
Once the minimum score has been accepted, when any setting is modified that lowers the accepted score, the administrator is notified of this with a message that remains at the top right of each page. To remove this message, the administrator may click on it and accept the new score.
Administrators can also select the individual compliance levels they want their server to comply with, from among different compliance regulations. We try to keep these recommendations up to date with the latest legislation.
Archiving and Pruning Audit Files
Archiving and Pruning enables System Admins to:

The Audit Configuration box shows information about the audit directories:
- Usage: Amount of disk space used by the audit directory.
- Available: Maximum amount of disk space that can be used by the audit directory.
- % Used: Percentage of disk space used by the audit directory.
- Days to Keep: Maximum number of days that an audit file is kept in the directory; after that it is considered old and eligible for pruning.
- Pruning Enabled: Indicates if pruning is enabled.

In Audit Configuration, click Configure for the corresponding audit:
- Terminal audit for Telnet and SSH protocols.
- Video audit for VNC, Desktop Sharing, and RDP protocols.
- Database audit for the Oracle protocol.
A settings pop-up opens. Click on the toggles next to each protocol to enable or disable audit. It’s important to note that disabling audit does not disable pruning for that directory.

In Audit Configuration, click Configure for the corresponding audit. A settings pop-up opens:
- Prune Files Older Than: Deletes any files that are older than the specified number of days. If you set this value to 0, it prunes any audit file, regardless of its age.
- Prune Older Audit Files Over: Deletes the oldest files after the directory reaches the specified size in megabytes. It is crucial to make sure that this value does not exceed the capacity of the file system. This value does not take into account the values from other directories, so the sum of all megabytes for all directories should not exceed the capacity of the file system.
- Prune older archived files over: Same as Prune Older Audit Files Over, but for audit archive directories.
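The two pruning rules interact (age first, then size, oldest files first), and the size limits are per directory, so here is an added Python example, not CPAM's pruning code, that works out which files a prune run would remove for a constructed directory listing and checks that the per-directory limits add up to less than the file system. The `AuditFile` records, the ages and sizes, and the directory names in the capacity check are all constructed for the demo; the "0 means every file" rule and the strict "older than" comparison follow the settings described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditFile:
    """Constructed stand-in for a file in an audit directory."""
    path: str
    age_days: int
    size_mb: float


def select_files_to_prune(files, prune_older_than_days=None, prune_over_mb=None):
    """Return the files a prune run would delete, oldest first.

    prune_older_than_days: files strictly older than this many days are deleted;
                           0 deletes every file regardless of age (as documented).
    prune_over_mb: once the remaining files exceed this size, the oldest go until it fits."""
    remaining = sorted(files, key=lambda f: f.age_days, reverse=True)   # oldest first
    to_prune = []

    if prune_older_than_days is not None:
        if prune_older_than_days == 0:
            to_prune, remaining = remaining, []
        else:
            kept = []
            for f in remaining:
                (to_prune if f.age_days > prune_older_than_days else kept).append(f)
            remaining = kept

    if prune_over_mb is not None:
        total = sum(f.size_mb for f in remaining)
        while remaining and total > prune_over_mb:
            oldest = remaining.pop(0)
            to_prune.append(oldest)
            total -= oldest.size_mb

    return to_prune


def check_prune_limits(limits_mb, filesystem_capacity_mb):
    """The per-directory size limits are independent, so their sum must fit the file system.

    Returns (fits, total_of_limits_mb)."""
    total = sum(limits_mb.values())
    return total <= filesystem_capacity_mb, total


# Constructed directory listing used by the demo and the checks below
SAMPLE_DIR = [
    AuditFile("terminal/session-0001.log", age_days=40, size_mb=100),
    AuditFile("terminal/session-0002.log", age_days=20, size_mb=300),
    AuditFile("terminal/session-0003.log", age_days=5, size_mb=200),
    AuditFile("terminal/session-0004.log", age_days=1, size_mb=250),
]

if __name__ == "__main__":
    for f in select_files_to_prune(SAMPLE_DIR, prune_older_than_days=30, prune_over_mb=400):
        print("would prune", f.path, f"({f.age_days} days, {f.size_mb} MB)")
    # Constructed per-directory limits against a 25 000 MB file system
    print(check_prune_limits({"terminal": 5000, "video": 20000, "database": 3000}, 25000))
```

Before turning pruning on, compare the summed limits with the real file system capacity; a video audit directory alone can exceed the others combined, and an overfull file system stops new audit recordings, which is a worse outcome than losing the oldest ones.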

In Prune Quick Connect Configuration:
- Prune QC Sessions and History after: Define the number of days after which sessions and history are pruned.
- Prune pending QC Sessions if still pending after: Define the number of days after which pending sessions are pruned.