Enterprise Random Password Manager (ERPM) integrates with Sybase in two ways:
1. ERPM manages the accounts used by Afaria services.
Afaria is Sybase's powerful and flexible mobile device management and security solution for the enterprise. Afaria offers a single administrative console to centrally manage, secure and deploy mobile data, applications and devices.
Companies that are required to change the accounts used by Afaria services are now able to automate and audit the changing of those account credentials with ERPM. How do we do it?
The Afaria service must run as a user account on a Windows system, with all of the requirements that entails (rights, permissions, etc.). When the service is updated, it requires a binary patch and must be reinstalled. Here is the process that ERPM automates:
- Update the process account in Active Directory
- Automatically discover all services and processes that use the process account
- Propagate the process account to the Windows service
- Via ERPM's custom propagation, run the Afaria binary patcher
- Again, via custom propagation, run an arbitrary process to reinstall the service
Many of the actions that occur while managing Afaria can also trigger messages, which ERPM's Event Sink system can forward to a number of other systems. ERPM uses an Event Sink integration wizard to trigger actions and display operational data in any third-party application. Actions such as password check out, password randomizations, successful or failed propagations, and many more can fire an event sink. The event server is built into the solution.
2. ERPM manages privileged accounts within the Sybase Adaptive Server Enterprise (ASE) database.
ERPM provides full database privileged account management as well as Application-to-Database (A-to-DB) credential management.
Sybase ASE Credential Management: ERPM automatically discovers, changes, and grants secure audited access to all privileged (i.e. administrative) Sybase ASE account passwords. In the absence of automated processes, IT staff often set privileged credentials to the same common, unchanging password or may update the credentials through ad-hoc scripts and group policy changes. Manual processes to change these privileged account passwords pose risks, since improperly implemented and incomplete password updates can result in account lockouts, cascading system failures, and extended IT service disruptions.
ERPM automates the entire process. It will change Sybase ASE privileged account passwords on a regular basis determined by your organization. It will then propagate these secure, frequently changed passwords to each location and grant fast, audited access to authorized IT staff whenever they need to perform routine maintenance and emergency fire-call repairs.
Each time authorized IT staff request privileged access to Sybase ASE databases for routine maintenance or emergency fire-call repairs, ERPM creates an authoritative audit trail showing the requester, target database and account, date and time, location, and purpose of the request.
Whenever you are required to prove compliance, ERPM gives you detailed reports that eliminate the manual effort it otherwise takes to document that all of your Sybase ASE privileged accounts are secure.
A-to-DB Credential Management: When applications use the Sybase database credentials, ERPM can propagate the newly changed credentials to the application that requires them. Unique for its ability to control embedded privileged account credentials throughout the application tiers, ERPM helps you replace hard-coded privileged account passwords found in applications with cryptographically secure, frequently changed password credentials. Whether the password is in a configuration file, compiled into a program, or needs to be programmatically called from the application, ERPM can propagate the new credentials to all embedded locations. This ensures your applications stay running when these process accounts are updated, and guarantees you will no longer have unchanged passwords that are years old.
ERPM makes use of a Software Development Kit (SDK) for A-to-DB credential management. Applications run the SDK client code when needed to retrieve current credential information programmatically, over an encrypted connection, from ERPM’s secure data store. The SDK also enables newly-deployed systems running your applications to register programmatically with ERPM. This enables you to enforce password security policies immediately upon first deployment of your new systems.
The SDK is provided in multiple formats, including a Java applet, executable (CLI), COM object, and direct URL reference, and runs only when needed to enable client access. It supports PKI, integrated authentication, and other methods to operate with virtually any authentication environment.