Token Authentication

Using Authentication Tokens for PAM REST APIs.

PAM has always exposed APIs for every function it has, but historically the only way to access the API was with a username and password.

This meant that an application calling PAM had to have that username and password hard coded in order to log in to PAM and ultimately call the API function, for example to create a new record.

This is generally considered undesirable because exposing a username and password in this way also exposes every other area of the network that this user can access, which may be completely unrelated to the System’s operations.

For this and other reasons, we implemented the recommended practice of letting other applications log in to the System using tokens.


PAM can generate tokens for a specific user; such a token can then be used to authenticate to PAM on behalf of the user for which it was generated.

An external application that wants to communicate with PAM is then granted access by means of this PAM-generated token, which is saved in or hard coded into the application or function.


The advantage of using an authentication token rather than a username and password is that the token is specific to PAM, as opposed to being an actual user’s credentials.

This allows the application to communicate with PAM without hard coding a user’s password anywhere, thus protecting any other areas of the network that this user can access (consider using their AD credentials, which could expose any number of security issues).


PAM provides the facilities to generate tokens for specified users, to maintain a current list of tokens, and to enable and disable tokens (a disabled token is invalid for subsequent use).

PAM also provides an option to create tokens with an expiration, making them invalid after a defined period of time.


Generate API Authentication Tokens

To Generate API Authentication Tokens:

PAM requires the use of the Federated Sign-In Module in order to generate tokens. If you do not have this module deployed, the option to Generate Tokens will not be available.

  1. Login to PAM as a System Administrator. Only a System Administrator can manage Authentication Tokens.
  2. Navigate to Administration > Tokens.
  3. Click the Generate Token button.
  4. Populate the Generate Token dialog as described below:
    1. In the Principal field, enter the username that the token will be generated for.

      Note that only a single user (not multiple users or groups) can have a token generated at a time. Simply repeat this process to generate tokens for additional users or to generate another token for the same user.

    2. In the Expiration (mins) field, enter an expiration time for the token in minutes. To generate a token that will not expire, leave this field empty.

      Note that the expiration countdown begins when the token is generated, not when it is first used.

    3. In the IP Filter field, enter the allowed source locations as a comma-separated list of IPv4 or IPv6 addresses or masks, each optionally preceded by a dash to indicate that the valid IP space is outside of the specified mask.
    4. In the Comment field, enter an optional comment related to this token.

    5. The Token field is read-only and will display the token after it is generated.


  5. When the Generate Token dialog is populated as needed, click the Generate button to generate the token for this user.

  6. This token and its corresponding values will be displayed for reference in the Authentication Tokens list.

    Only part of the Authentication Token is displayed in the Authentication Tokens list, so you will need to click the Copy to Clipboard button to access the full token.

    Read further about how to use these tokens to call the PAM APIs to retrieve secrets, create new records and more.

Perform the actions

After a token is generated, you may perform the following actions:

  • Sort the ordering of tokens by clicking on the desired column header.
  • Use the Search box to locate specific tokens.
  • Export the displayed list of tokens to a CSV, PDF, XLSX, CSV Protected or XLSX Protected file.
  • Click the Copy to Clipboard button to easily share the full token with your user(s) or to paste it into external applications or functions.
  • Immediately Enable or Disable use of the tokens by clicking the appropriate option.

Provided Information

The following information is provided as columns in the Authentication Tokens report:

  • ID: Displays the internal PAM ID that is associated with this token.
  • Time: Displays the timestamp (MM/DD/YYYY HH:MM:SS) of when the token was generated.
  • User: Displays the user that is associated to this token.
  • Folder: Displays the Folder.
  • Expiration: Displays the expiration time associated to this token. An empty field means that the token does not have an expiration time, and a time with a strikethrough indicates that the token has expired.
  • IP Filter: Displays the comma-separated list of IPv4 or IPv6 addresses or masks, each optionally preceded by a dash to indicate that the valid IP space is outside of the specified mask. Examples of IP Filter values: 10.0.0.0/24, -10.0.0.0/24, 10.0.0.0/24,10.1.1.0/24,10.2.2.122
  • Token: Displays part of the token. Use the Copy to Clipboard button to access the full token. Disabled tokens will be shown with a strikethrough.
  • Comment: Displays the optional comment that was associated to this token.
  • Actions Menu: Provides the following options:
    • Enable/Disable: Click Disable to disable an enabled token or click Enable to enable a disabled token.

    • Delete: Click Delete to delete a token.
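The following is an added example, not code from PAM or its vendor, showing how the checks described above (the enabled/disabled state, an expiration counted from the generation time rather than first use, and the IP Filter syntax from the Generate Token dialog and the IP Filter column) can be modelled and verified. The token records, times and addresses are constructed sample values, and the rule for combining positive and dash-prefixed entries in one filter (the address must fall inside some positive entry when any exist, and outside every negated entry) is an assumption, since the page does not state how mixed lists are evaluated; the function names are likewise the author's own.

```python
import ipaddress
from datetime import datetime, timedelta

# Time column format shown in the Authentication Tokens list (MM/DD/YYYY HH:MM:SS)
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample records mirroring the list columns: generation time,
# Expiration (mins), IP Filter and the Enable/Disable state. Not real tokens.
SAMPLE_TOKENS = {
    "tok-no-expiry": {"generated": "03/01/2024 09:00:00", "expiration_mins": None,
                      "ip_filter": "10.0.0.0/24,10.1.1.0/24,10.2.2.122", "enabled": True},
    "tok-30min":     {"generated": "03/01/2024 09:00:00", "expiration_mins": 30,
                      "ip_filter": "", "enabled": True},
    "tok-outside":   {"generated": "03/01/2024 09:00:00", "expiration_mins": None,
                      "ip_filter": "-10.0.0.0/24", "enabled": True},
    "tok-disabled":  {"generated": "03/01/2024 09:00:00", "expiration_mins": None,
                      "ip_filter": "", "enabled": False},
}


def parse_time(text):
    """Parse a timestamp in the list's MM/DD/YYYY HH:MM:SS format."""
    return datetime.strptime(text, TIME_FORMAT)


def parse_ip_filter(filter_text):
    """Parse an IP Filter string into (network, negated) pairs.
    A bare address such as 10.2.2.122 becomes a single-host network;
    a leading dash marks the entry as 'valid space is outside this mask'."""
    entries = []
    for raw in filter_text.split(","):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("-")
        if negated:
            item = item[1:].strip()
        # strict=False tolerates host bits set in a mask, e.g. 10.0.0.5/24
        entries.append((ipaddress.ip_network(item, strict=False), negated))
    return entries


def ip_allowed(filter_text, source_ip):
    """Assumed combination rule (hypothetical, not stated on the page):
    the source address must be outside every negated entry and, if any
    positive entries exist, inside at least one of them.
    An empty filter allows any address."""
    addr = ipaddress.ip_address(source_ip)
    entries = parse_ip_filter(filter_text)
    if not entries:
        return True
    positives = [net for net, neg in entries if not neg]
    negatives = [net for net, neg in entries if neg]
    # 'addr in net' is False for mismatched IPv4/IPv6 versions, which is what we want
    if any(addr in net for net in negatives):
        return False
    if positives and not any(addr in net for net in positives):
        return False
    return True


def token_expired(record, now):
    """Expiration counts from the generation time, not from first use."""
    if record["expiration_mins"] is None:
        return False
    deadline = parse_time(record["generated"]) + timedelta(minutes=record["expiration_mins"])
    return now >= deadline


def check_token(token_id, source_ip, now, tokens=SAMPLE_TOKENS):
    """Return (accepted, reason) for a token presented from source_ip at time now."""
    record = tokens.get(token_id)
    if record is None:
        return False, "unknown token"
    if not record["enabled"]:
        return False, "token disabled"
    if token_expired(record, now):
        return False, "token expired"
    if not ip_allowed(record["ip_filter"], source_ip):
        return False, "source address rejected by IP filter"
    return True, "ok"


if __name__ == "__main__":
    now = parse_time("03/01/2024 09:45:00")
    for tok, ip in [("tok-no-expiry", "10.2.2.122"), ("tok-no-expiry", "10.2.2.123"),
                    ("tok-30min", "192.0.2.10"), ("tok-outside", "10.0.0.7"),
                    ("tok-outside", "192.0.2.10"), ("tok-disabled", "192.0.2.10")]:
        print(tok, ip, check_token(tok, ip, now))
```

Running the block walks through the three example filter values from the IP Filter column: the 30-minute token generated at 09:00 is already rejected at 09:45 even though it was never used, and the dash-prefixed filter admits any address except those inside 10.0.0.0/24.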
