Installation & Getting Started
This document allows you to learn the step-by-step procedure to install Password Manager Pro (PMP) in your system. This document also deals with other related topics such as the system requirements for PMP, steps to start and shut down the PMP server, steps to connect to the web interface after successfully starting the server, and many more.
You will learn the following topics with respect to PMP installation and configuration here:
- System Requirements
- Components of PMP
- Ports used by PMP
- Installing the PMP Agent
- Installing PMP
- Silent Install
- Starting and Shutting Down PMP
- Launching the PMP Web Client
- Using MS SQL Server as the Backend Database
- Using MS SQL Cluster as the Backend Database
- Running the PMP service using a group Managed Service Account
- Workflow in PMP
- Managing PMP Encryption Key (From PMP 6402 onwards)
- Rotating the Encryption Key
- Managing the PMP Database Password
- Migrating PMP Installations
- Updating Web Server Certificates using Password Manager Pro Web Console
- MSP Edition
Apart from the standard system requirements (both hardware and software), the following elements are essential for the proper functioning of the PMP server:
Note: The following are required, if you're planning to make use of Password Manager Pro's account discovery and password reset provisions.
- An external mail server (SMTP server) for the functioning of PMP server and to send various notifications to users.
- A service account [OR] a gMSA that has either domain admin rights or local admin rights in the PMP server and in the target systems that you would like to manage.
- Microsoft .NET framework.
- Visual C++ Redistributable for Visual Studio 2015 and above (for Password Manager Pro's Account Discovery and Password Reset features).
1. Download the .zip folder from this link and extract the remcom.exe file from the .zip folder.
2. Copy and paste the remcom.exe file into the <PMP Installation Folder>/bin directory.
2. System Requirements
The below table provides an overview of the hardware and software configurations required by Password Manager Pro:
|Hardware||Operating systems||Web interface|
Note: For Session Recordings, the disk space requirement may vary based on the usage levels.
Note: In general, PMP works well with any flavor of Linux and can also be run on VMs of the above operating systems.
HTML client requires one of the following browsers** to be installed in the system:
** Password Manager Pro is optimized for 1280 x 800 resolution and above.
See this document for more details on the software and hardware requirements for Password Manager Pro, based on your organization's size.
3. Components of PMP
PMP comprises of the following components:
- The PMP server
- The PMP Agent:
- for extablishing connections with the remote resources.
- The database PostgreSQL 9.5.3:
- bundled with PMP that runs as a separate process.
- accepts connections only from the host where it is running.
- runs in an invisible mode.
4. Ports Used by PMP
The below table lists the set of all ports used by PMP for remote access:
|Port Name||Port Number|
Web client port
LDAP without SSL port
LDAP with SSL port
MS SQL port
My SQL port
Sybase ASE port
PMP API port
Password Verification port
135, 139, 445
SSH CLI port
Auto Logon Sparview Gateway port
5. Installing the PMP Agent
To know more about the installing the agent, click here.
6. Installing PMP
You can install PMP in both Windows and Linux operating systems.
6.1 Steps to Install PMP in Windows
- Download and execute the file ManageEngine_PMP.exe. The PMP installation wizard shows up.
- Follow the step-by-step instructions in the installation wizard.
- Choose an installation directory. By default, PMP will be installed in the path C:\Program Files\ManageEngine\PMP. Henceforth, this installation directory shall be referred to as PMP_Home.
- In the final wizard, you will have the following options:
- Option to view the ReadMe file.
- Option to choose to start the server immediately.
- Option to start the server later after installation. Use the Windows tray icon to start the server manually later. Using the tray icon, you can also perform other actions such as stopping the server and uninstalling the product.
6.2 Steps to Install PMP in Linux(non-root)
- Download the file ManageEngine_PMP.bin for linux.
- Execute the command chmod a+x <file-name> to assign the executable permission.
- Execute the command: ./<file_name>.
- Execute the command ./<file_name> -i console, if you are installing on a headless server.
- Follow the step-by-step instructions as they appear on the screen. Now, PMP will be installed in your machine in the location chosen. Henceforth, this installation directory shall be referred to as PMP_Home.
7. Silent Install
To know about silent install in Password Manager Pro, click here.
8. Starting and Shutting Down PMP
8.1 In Windows
|Using the Start Menu||Using the Tray Icon|
8.2 In Linux
9. Launching the PMP Web Client
There are different ways of connecting to the PMP web client:
9.1 Automatic Browser Launch
Once the server has started after the successful installation of PMP, the PMP Login screen shows up in a browser window. As PMP uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.
9.2 Launching the Web Client Manually
Right-click the PMP tray icon and click PMP Web Console to launch the web client manually. The PMP Login screen shows up in a browser window. As PMP uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the User name and Password in the login screen and press Enter. For an unconfigured setup, the default User name/Password is admin/admin. Every time you start the server, the browser will be automatically launched.
Open a browser and connect to the URL specified in the below box:
<hostname> - the host where the PMP server is running.
<portnumber> - the default port is 7272.
9.3 Connecting the Web Client in Remote Hosts
As PMP uses the secured HTTPS connection, you will be prompted to accept the Security Certificate. Hit Yes, type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password is admin and admin, respectively. Every time you start the server, the browser will be automatically launched.
10. Using MS SQL Server as the Backend Database
(Feature available only in Enterprise Edition)
Though PMP supports both PostgreSQL and MSSQL databases as the backend (MySQL is no more supported), PMP is configured to run with PostgreSQL, by default, and it comes bundled with the product. If you want to run PMP using the MSSQL database, follow the steps below:
10.1 Steps to Run PMP with MS SQL Server as the Backend Database
- To ensure high level of security, PMP has been configured to connect to the SQL server only through SSL.
- PMP supports MS SQL server as the backend database, only from the version 6400 and above.
- If you are using an earlier version of PMP with MySQL as the backend database, here are the steps to migrate the data to MS SQL.
10.1.1 Create SSL certificate and install it in the Windows Certificate Store (in the machine where the SQL server is running)
Prior to connecting PMP with the SQL server, you need to enable SSL encryption in the SQL Server. For this, you need to create an SSL Certificate and get it signed by either a Certificate Authority (CA) or self-sign it (See more).
A) Generating the certificate and getting it signed by a third-party CA:
Create the certificate using openssl. This involves two steps - generating private key and generating certificate request. Use the following commands to create the certificate.
- Generating Private Key: Execute the following command:
openssl genrsa -des3 -out server.key 2048
- Generating Certificate Request: Follow the below steps:
- Use the server's Private Key to create a certificate request. Enter the Passphrase for the key, Common Name, Hostname or IP Address, when prompted. For the Common Name, specify the FQDN of the SQL Server.
openssl req -new -key server.key -out server.csr
- Once the certificate is generated, get it signed by a third-party CA such as VeriSign, Thawte, RapidSSL, etc, or self-sign it, based on your environment's requirement. For more details on submitting the CSRs, refer the corresponding CA's documentation/website. Remember, this is a paid service. In a few days, you will receive your signed SSL certificate and the CA's root certificate as .cer files.
- Install the server certificate in the machine where the SQL server is running.
- Install the CA root certificate in the PMP server.
- Use the server's Private Key to create a certificate request. Enter the Passphrase for the key, Common Name, Hostname or IP Address, when prompted. For the Common Name, specify the FQDN of the SQL Server.
- Installing the server certificate in the machine where the SQL server is running: Use MMC
- Click Start >> Run in the machine where the SQL server is running. In the Run dialog box type: MMC. The MMC console is displayed.
- From the Console menu, click Add/Remove Snap-in. Click Add and then click Certificates. Click Add again. You will be prompted to open the snap-in for the current user account, the service account, or for the computer account. Select the Computer Account.
- Select Certificates (Local Computer) >> Personal >> Certificates.
- Right-click Certificates and click All Tasks >> Import.
- Browse and select the certificate to be installed.
- Installing the CA's root certificate in PMP:
- Copy the CA's root certificate and paste it under <Password Manager Pro Installation Folder >/bin directory.
- From <Password Manager Pro Installation Folder>/bin directory, execute the following command:
importCert.bat <name of the root certificate pasted as explained above>
- This adds the certificate to the PMP certificate store.
B) Creating a self-signed certificate using Powershell:
To create a self-signed certificate and use it, carry out the following steps in the machine where SQL server is installed:
- Navigate to the SQL Server and open Powershell(run as Administrator).
- Execute the following command:
New-SelfSignedCertificate -DnsName FQDN of the SQL server -CertStoreLocation cert:\LocalMachine\My
- The above command will install and store a self-signed certificate in your local store.
10.1.2 Import the SSL certificate to PMP
To import SSL certificates to PMP,
- Copy the server certificate and paste it under the <Password Manager Pro Installation Folder>/bin directory.
- Execute the following command:
importCert.bat <name of the server certificate>
This adds the certificate to the PMP certificate store.
10.1.3 Enable SSL Encryption in SQL Server
- Click Start in the machine where trhe SQL server is running. From the Microsoft SQL Server program menu, click Configuration Tools, and then click SQL Server Configuration Manager.
- Expand the SQL Server Network Configuration, right-click the Protocols for the server you want, and then click Properties. (Remember to click the Protocols for
section in the left pane of the tool and not the specific Protocols in the right pane.)
- On the Certificate tab, configure the Database Engine to use the certificate.
- Set the ForceEncryption option for the Database Engine to Yes, so that all the client/server communication is encrypted and the clients that cannot support encryption are denied access (recommended). Set the ForceEncryption option for the Database Engine to No, if you want the encryption to be requested by the client application (not recommended).
- Restart the SQL Server.
For more details, refer to the section Configuring SSL for SQL Server in the Microsoft's knowledge base article.
10.1.4 Execute ChangeDB.bat in PMP
Note: Skip this step, if you are already using PMP with MySQL as the backend database and migrating your data to the MS SQL server.
Provide the details about the SQL server to PMP by editing the file ChangeDB.bat (Windows) or ChangeDB.sh (Linux). Follow the below steps:
- Navigate to the <Password Manager Pro Installation Folder>/bin folder and execute the file ChangeDB.bat (Windows) or sh ChangeDB.sh (Linux).
- In the window displayed, enter the below details:
- Select the Server Type as SQL Server.
- Host Name: The name or the IP address of the machine, where the MS SQL server is installed.
- Instance Name: Specify the named instance of the SQL server, to be used for PMP. If the instance name is not specified, PMP will try establishing connection with the default instance on port 1433.
Since PMP connects to MS SQL only in SSL mode, it is recommended that you create a dedicated database instance running in a specific port for PMP. If you want to specify a port number other than 1433, you can specify it in the Host Name parameter above as <hostname>:<port>.
- Database Name: Name of the PMP database. Default is "PassTrix". If you want to have a different database name, specify it here. PMP will take care of creating the Master Key, Symmetric Key, etc.
- Authentication: The way by which you wish to connect to the SQL server. Choose Windows, if you are connecting to the SQL server from Windows. Make use of the Windows Single Sign On facility, provided the PMP service is running with a service account, which has the privilege to connect to the SQL server. Otherwise, select the option SQL.
It is recommended to choose the option Windows, as the Username and Password used for authentication are not stored anywhere.
- User Name and Password: If you have selected the option SQL in step v, specify the user name and password with which PMP can connect to the database.
The User Name and Password entered here will be stored in the database_params.conf file in PMP. So, take care of hardening the host.
You can use even your Windows login credentials, if you are connecting to the database from Windows. In this case, you need to enter the User Name as <domain-name>\<username>.
- Encryption Key: The key to encrypt your data and store it in the SQL server. You may either leave it "Default" allowing PMP to generate a key. If you want to have your custom key, select the option Custom.
If you have selected the option Custom, do the following:
Create Database >> For details, refer to http://msdn.microsoft.com/en-us/library/aa258257(v=sql.80).aspx
Create Master Key >> For details, refer to http://technet.microsoft.com/en-us/library/ms174382.aspx
Create Certificate >> For details, refer to http://msdn.microsoft.com/en-us/library/ms187798.aspx
Create Symmetric Key >> For details, refer to http://msdn.microsoft.com/en-us/library/ms188357.aspx
- Provide the certificate name and symmetric key name in the GUI.
- Finally, click Test to ensure that the connection settings are proper and then click Save.
After performing the above steps, navigate to the <Password Manager Pro Installation Folder>/conf directory and move the masterkey.key file to a secure location. The SQL Server encrypts the data with a hierarchical encryption and key management infrastructure. Each layer encrypts the layer below it by using a combination of certificates, asymmetric keys, and symmetric keys. One among them is the Database Master Key, which in turn is created by the Service Master Key and a Password. This password is stored in PMP under the <Password Manager Pro Installation Folder>/conf directory in a file named masterkey.key. It is highly recommended that you move the masterkey.key file to a secure location. This is to ensure data security. Take care to keep this key safe. You will require it while performing High Availability and Disaster Recovery. If you lose this key, you will have to configure MS SQL server setup all over again.
For more details on encryption and key management in MS SQL, refer to this MSDN document http://msdn.microsoft.com/en-us/library/ms189586.aspx.
11. Using MS SQL Cluster as the Backend Database
To know more about using MS SQL Cluster as the backend database, click here.
12. Running the PMP service using a group Managed Service Account
Password Manager Pro allows you to run/manage services using group Managed Service Account (gMSA). To learn about gMSA in detail, refer to Microsoft's documentation.
To create a group Managed Service Account,
- Open Powershell ISE as administrator.
- Execute the following commands:
- Import-Module ActiveDirectory
- Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
- New-ADServiceAccount -Name <MSA_AccountName> -DNSHostName <DNSNAme> -PrincipalsAllowedToRetrieveManagedPassword <Machine_Name>$
- Add-ADComputerServiceAccount -Identity <Machine_Name> -ServiceAccount <MSA_AccountName>
- Install -ADServiceAccount -Identity <MSA_AccountName>
- Provide Full Control Permission to the installation folder.
To configure LogOn Services,
- Navigate to Services >> Properties >> LogOn.
- Browse for MSA Account.
- Now, clear the Password field and click Apply.
- Click Ok.
Now you have successfully configured the LogOn Services.
If you are unable to Install the Service Account, execute the below command before executing Install statement:
- Set-ADServiceAccount -Identity <MSA_AccountName> -KerberosEncryptionType AES128,AES256
13. Workflow in Password Manager Pro
To know about the workflow of Password Manager Pro, click here.
14. Managing PMP Encryption Key (from PMP 6402 onwards)
PMP uses AES-256 encryption to secure the passwords and other sensitive information in the password database. The key used for encryption is auto-generated and is unique for every installation. By default, this encryption key is stored in a file named pmp_key.key under the <PMP_HOME>/conf folder. For production instances, PMP does not allow the encryption key to be stored within its installation folder. This is done to ensure that the encryption key and the encrypted data, in both live and backed-up database, do not reside together.
We strongly recommend that you move and store this encryption key outside of the machine, where PMP is installed, in another machine or an external drive. You can supply the full path of the folder, where you want to move the pmp_key.key file, manually move the file to that location and delete any reference within PMP server installation folder. The path can be a mapped network drive or an external USB (hard drive / thumb drive) device.
PMP will store the location of the pmp_key.key in a configuration file named manage_key.conf, present under the <PMP_HOME>/conf folder. You can also edit that file directly to change the key file location. After configuring the folder location, move the pmp_key.key file to that location and ensure the file or the key value is not stored anywhere within the PMP installation folder.
PMP requires the pmp_key.key folder to be accessible with necessary permissions, to read the pmp_key.key file, when it starts up every time. After a successful start-up, it does not need access to the file anymore and the device with the file can go offline.
- Always ensure sufficient protection to the key with multiple layers of encryption (such as by using Windows File Encryption) and access control.
- Since only the PMP application needs access to this key, make sure no other software, script or person has access to this key under any circumstances.
- Take care of securely backing up the pmp_key.key file by yourself. You can recover the PMP backups only if you supply this key. If you misplace the key or lose it, PMP will not start.
- If you store the database_params.conf file at a different location, you will have to copy the file back to the original location (i.e. to <PMP Installation Folder>/conf/ ), whenever you perform an application upgrade.
15. Rotating the Encryption Key
(Feature available only in Enterprise Edition)
Even if you are sure of managing the encryption key securely outside of PMP, one of the best practices is to periodically change the encryption key. PMP provides an easy option to automatically rotate the encryption key.
15.1 How does the key rotation process work?
PMP will look for the current encryption key present in the file pmp_key.key, available in the path specified in the manage_key.conf file, present under the <PMP_HOME>/conf folder. Only if it is present in the specified path, the rotation process will continue. Before rotating the encryption key, PMP will take a copy of the entire database. This is to avoid data loss, if anything goes wrong with the rotation process.
During the key rotation process, all passwords and sensitive data will be decrypted first using the current encryption key and subsequently encrypted with the new key. Later, the new key will be written in the pmp_key.key file present in the location as specified in the manage_key.conf file. At the end of successful key rotation, PMP will write the new encryption key in the same file that contains the old key. If any error occurs while writing the key, the rotation process will be aborted.
15.2 Steps to rotate the encryption key (if you are NOT using High Availability)
- Ensure that the current encryption key (pmp_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that PMP gets the read/write permission while accessing the pmp_key.key file.
- Stop the PMP server.
- Open the command prompt and navigate to <PMP-Installation-Folder>/bin directory. Execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete.
- Start mthe PMP server once you see the confirmation message.
15.3 Steps to rotate the encryption key (if you are USING High Availability)
- Navigate to Admin >> General >> High Availability in the PMP web interface. Make sure High Availability and Replication Status are alive.
- Check if the current encryption key (pmp_key.key file) is present in the location as specified in the manage_key.conf file. Also, ensure that PMP gets the read/write permission when accessing the pmp_key.key file.
- Stop the PMP Primary server and make sure PMP Secondary server is running.
- Open the command prompt in the PMP Primary installation, navigate to the
/bin directory and execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete. You will see confirmation message ons successful completion of the rotation process
- Copy the new encryption key from the Primary installation and paste it in the location, as specified in the manage_key.conf file. This is the location from where the Standby will fetch the pmp_key.key file.
- Now, start the Primary and the Standby servers.
16. Managing the PMP Database Password
Apart from AES encryption, the PMP database is secured using a separate password, which is auto-generated and unique for every installation. The password for the database can be stored securely in PMP itself. There is also an option to store the password at some other secure location, accessible by the PMP server.
By default, the database password is stored under <PMP Installation Folder>/conf/database_params.conf. If you choose to manage the database password by yourself, store the configuration file somewhere securely and instruct the location of the file to PMP. Follow the below steps:
- If you are starting PMP as service, go to <<PMP Installation Folder>/conf/wrapper.conf (in Windows) / <PMP Installation Folder>/conf/wrapper_lin.conf (in Linux) and edit the following entry under Java Additional Parameters.
wrapper.java.additional.9=-Ddatabaseparams.file=<full path of the database_params.conf file location>
- If you are starting PMP from command line or through the tray icon, you need to edit the file system_properties.conf present in <PMP Installation Folder>/conf directory. In this file, edit the following entry under Splash Screen default Properties.
databaseparams.file=<full path of database_params.conf file>
- If you misplace the conf file or lose it, PMP will not start. So, take care to save it in a secure location.
- Enclose the full path of database_params.conf file in double-quotes. Eg. databaseparams.file="C:\Program Files\Manage Engine\PMP\conf\database_params.conf"
17.1 License Types
There are three license types:
- Evaluation download: Valid for 30 days, capable of supporting a maximum of 2 administrators. You can test the Enterprise edition features.
- Free Edition: Licensed software that allows you to have 1 administrator and manage up to 10 resources. Valid forever.
- Registered Version - Licensing is based on two factors:
- Number of Administrators
- Types of Edition - Standard, Premium or Enterprise
17.2 User Roles and Licensing
Password Manager Pro comes with five user roles:
The term 'administrator' denotes Administrators, Password Administrators and Privileged Administrators. So, licensing restricts the number of administrators as a whole, which includes Administrators, Password Administrators and Privileged Administrators. There is no restriction on the number of Password Users and Password Auditors. To get more details on the five user roles, see here.
- Standard - If your requirement is to have a secure, password repository to store your passwords and selectively share them among the enterprise users, Standard Edition would be ideal.
- Premium - Apart from storing and sharing your passwords, if you wish to have enterprise-class password management features such as remote password reset, password alerts and notifications, application-to-application password management, reports, high-availability and others, Premium edition would be the best choice.
- Enterprise Edition - If you require more enterprise-class features like auto discovery of privileged accounts, integration with ticketing systems and SIEM solutions, jump server configuration, application-to-application password management, out-of-the-box compliance reports, SQL server / cluster as backend database, Enterprise edition will be ideal.
- Key Manager Plus Add-on - If you require life cycle management functions for SSH keys and SSL certificates in your environment, the Key Manager Plus add-on will perfectly meet your needs. Key Manager Plus is ManageEngine’s key and certificate management solution. Features offered with this add-on in Password Manager Pro include automated SSH/SSL discovery, SSH key pair lifecycle management, CSR process management, certificate deployment and tracking, SSL vulnerability scanning, and certificate expiration alerts. The add-on licensing is based on the number of SSH keys and SSL certificates you want to manage.
17.4 Features Matrix
17.5 Add-on Features
|Standard Edition||Premium and Enterprise Editions|
SSL/TLS Certificate Discovery:
Public CA Integration:
For more information on licensing or to procure a license, get in touch with our sales team @firstname.lastname@example.org.
18. Migrating PMP Installations
If you want to move the PMP installation from one machine to another, or to a different location within the same machine, follow the procedure detailed below:
Do not remove the existing installation of PMP until the new installation works fine. This is to ensure a backup and to overcome any disaster/data corruption during the movement.
18.2 Steps Required
If you are using the PostgreSQL database bundled with PMP:
- Take a backup of the current database and install the same version of PMP (as the one you are currently running) in the new machine.
- Restore the backup data in the new installation.
If you are using MySQL as the backend database:
- Stop the PMP server / service, if running.
- If you have installed PMP to run as a startup service, remove it as a service before proceeding further. (See the table below for the procedure to remove it as a service)
- Take a zip of the entire PMP installation folder and move the zip to a different machine or to a different location in the same machine as required.
- Now, install it to run as a service.
|Installing as a Startup Service in Windows||Installing as a Startup Service in Linux|
To install as a service using batch file:
To remove as service using batch file:
To remove as service:
- When you use this procedure, you cannot uninstall the program using the Windows Add/Remove programs fuctionality. Simply delete the entire installation folder and you are done.
- There is no need to reapply the license after moving the installation.
19. Updating Web Server Certificates using Password Manager Pro Web Console
If you want to use PMP web console to update the web server certificates, follow the below steps:
- Navigate to Admin >> Configuration >> Password Manager Pro Server.
- In the Password Manager Pro Server page that opens, install your keystore file belonging to the SSL certificate and/or change the default PMP server port.
- To update your SSL certificate, select the type of the keystore file (JKS, PKCS12 or PKCS11) from the Keystore type drop down menu.
- Browse the keystore file from your system and upload it in the Keystore Filename field.
- Enter the password of your keystore file beside the Keystore Password field.
- If you want to change the default PMP server port, enter the port number against the Server Port field.
- Click Save.
Restart Password Manger Pro after saving the changes.
20. MSP Edition
If you want to use the MSP edition of PMP, refer here.
For any assistance, please contact email@example.com / Toll Free: + 1 888 720 9500