AAPM (Application to Application Password Manager)

Overview

The AAPM module enables secure passwords exchange between applications.

An essential part of the AAPM module is the fudopv script. It is installed on the application server and it communicates with the Wheel Fudo PAM Secret Manager module to retrieve passwords.

fudopv

Execution parameters

fudopv [<options>] <command> [<parameters>]

Command/option/parameter Description
Commands  
getcert Fetch Wheel Fudo PAM SSL certificate.
getpass <type> <account>

Fetch password to selected account.

type:

  • direct - direct, unmonitored connection;
  • fudo - connection monitored by the PSM module
Options  
-c <path> Use configuration file from provided path.
--cfg <path>  
-h, --help Show options and parameters list.
  1. Upload fudopv script to the server and change its access rights to allow execution.
../../_images/chmod.png
  1. Log in to the Wheel Fudo PAM administration panel.
  2. Create a user object with user role, static or one-time password authentication and server’s IP address defined in the API section.

Note

  • Select Management > Users.
  • Click Add.
  • Enter user’s name.
  • Define account’s validity period.
  • Select user from the Role drop-down list.
  • Assign safe and click the object to open its properties.
../../_images/user_edit_safe.png
  • Select the Reveal password option.
../../_images/reveal_password.png
  • In the Authentication section, select Password or One time password from the Type drop-down list.
  • In case of static password authentication, type in the password in Password and Repeat password fields.
  • In the API section, click the i icon and enter the IP address of the server, which will be requesting passwords using fudopv script.
  • Click Save
  1. Run fudopv getcert command to initiate the configuration.
../../_images/getcert_first_run.png

Note

fudopv configuration files are stored in the .fudopv folder in user’s home folder.

  1. Open fudopv.cfg file in a text editor of your choice.
../../_images/fudopv_cfg.png
Section Description
[FUDO]  
address Wheel Fudo PAM’s IP address.
cert_path Path to the Wheel Fudo PAM’s SSL certificate files.
   
[CONN]  
bind_ip IP address of the server, running the fudopv script. The IP address must be the same as the IP address defined in the API section in user configuration.
   
[AUTH]  
username User login as defined in step 3.
otp Path to the otp.txt file containing the one time password.
secret Path to the secret.txt file containing user’s static password.

Note

  • In the [FUDO] section, in the address line, enter the Wheel Fudo PAM IP address.
  • Leave the cert_path line as is, it will be updated automatically after successfully running the fudopv getcert command.
  • In the [CONN] section, uncomment the bind_ip line and provide the IP address of the server running the fudopv script.
  • In the [AUTH] section, in the username line, provide the login of the user object defined in step 3.
  • Depending on the users authentication method, comment the corresponding line defining the authentication secret information.

For example:

[FUDO]
address=10.0.0.8.61
cert_path=<CERT_PATH>

#[CONN]
bind_ip=10.0.0.8.11

[AUTH]
username=fudopv
#otp=/Users/zmroczkowski/.fudopv/otp.txt
secret=/Users/zmroczkowski/.fudopv/secret.txt
  1. Run fudopv getcert command to fetch Wheel Fudo PAM’s SSL certificate.
../../_images/sha.png

Note

After running the script successfully, the path to the certificate in the configuration file will be automatically updated.

../../_images/fudopv_cfg_cert.png
  1. Edit the secret.txt file and provide user’s static password; or edit the otp.txt file and store the one time password.

Note

  • The one time password can be found in user’s properties, in the Authentication section.
../../_images/user_edit_otp.png
  • The otp.txt file will be automatically updated each time the fudopv getpass command is run.
  1. Run command:
  • fudopv getpass direct <account_name>, to fetch password to connect directly to the server.
../../_images/getpass_direct.png
  • fudopv getpass fudo <account_name>, to fetch password to establish monitored connection with the target host.
../../_images/getpass_fudo.png

Warning

Correct operation of the fudopv script requires disabling the login reason prompt option in the safe’s properties.

../../_images/safe_login_reason.png

API interface

AAPM’s API interface is described in detail in the Wheel Fudo PAM 3.1 - API documentation manual.

Related topics: