Break Glass Procedure

A break glass procedure is a quick method for a user who would ordinarily not have access to gain access to a managed system when needed, usually during an emergency.

The term “break glass” is a reference to someone breaking the glass door or stopper to pull a fire alarm in the event of an emergency.


Although the concept is the same, the term "break glass procedure" is used for a couple of different scenarios.

In this article, we will discuss these scenarios and how PAM provides support in the case of an emergency.

Scenario #1

User needs immediate access to a Privileged System.

In this scenario, the PAM is online and accessible; however, there is an emergency with a privileged system that is managed within the PAM.

John, our IT worker, needs immediate access to the Domain Controller because it is offline.

In this example, John would log into the PAM and, as usual, request access to the Domain Controller.

The Approval Workflow bound to John and this record would be configured with an Emergency approval cycle or be auto-approved.

This type of configuration would allow John to access this privileged system during this specific time frame without having to complete the typical multi-stage approval process.

As a result, John is granted access to perform his emergency task while still maintaining the integrity of the PAM workflow process.


To learn more about Approval Workflows, including Emergency and Auto-approval, please read System Request and Approval Workflows.

Scenario #2

User needs immediate access to a Privileged System, but the PAM is inaccessible.

In this scenario, the PAM itself is offline and there is an emergency with a privileged system that is managed within the PAM.

Again, John, our IT worker, needs immediate access to the Domain Controller, but the login credentials are stored in the PAM.

In this example, John (assuming he is not a System Administrator) would need to contact a System Administrator in order to extract the credentials from a previously created System export.

Once the credentials have been extracted, John can use them to access the system using a native client like RDP or PuTTY.

For this Break Glass procedure, which involves extracting data, including secrets, from an exported PAM database, the PAM Administrator would perform these steps:

  1. Login to the server that is hosting the PAM as an Administrator.
  2. Open a command line session.
  3. Navigate to $PAM_HOME. This is the installation folder for the PAM.
  4. Execute the following command to extract secured information from a record. The following variables will need to be replaced as necessary.
    • {EXPORT}: The full path to the exported database .ZIP file or the beginning of the .ZIP file for multi-part exports.

    • {RECORD_NAME}: The full record name.

    • {RECORD_ID}: The record ID.

    • {QUERY}: The query search for records. This query will return a list of all records (record name, ID, host and description only).

    • {MASTER_PASSWORD}: The PAM Master Password. If a – (dash) is used instead of the master password, then the command will prompt the user for the master password during execution.

      1. For Windows, substitute your {EXPORT}, {RECORD_NAME} or {RECORD_ID} and {MASTER_PASSWORD} values and issue this command.

        bin\PamDirectory.cmd Extract {EXPORT} {RECORD_NAME} {MASTER_PASSWORD}
        bin\PamDirectory.cmd Extract {EXPORT} {RECORD_ID} {MASTER_PASSWORD}
        bin\PamDirectory.cmd Extract {EXPORT} {QUERY} {MASTER_PASSWORD}

        Examples:

        bin\PamDirectory.cmd Extract c:\xtam\export\xtamexp-20180103113616-119836-0001.zip "Domain Controller" 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
        bin\PamDirectory.cmd Extract c:\xtam\export\xtamexp-20180103113616-119836-0001.zip 168473 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
        bin\PamDirectory.cmd Extract c:\xtam\export\xtamexp-20180103113616 168473 -
        bin\PamDirectory.cmd Extract c:\xtam\export\xtamexp-20180103113616-119836 "Domain" -
      2. For Unix, substitute your {EXPORT}, {RECORD_NAME} or {RECORD_ID} and {MASTER_PASSWORD} values and issue this command.

        bin/PamDirectory.sh Extract {EXPORT} {RECORD_NAME} {MASTER_PASSWORD}
        bin/PamDirectory.sh Extract {EXPORT} {RECORD_ID} {MASTER_PASSWORD}
        bin/PamDirectory.sh Extract {EXPORT} {QUERY} {MASTER_PASSWORD}

        Examples:

        bin/PamDirectory.sh Extract ~/Documents/xton/apps/export/xtamexp-20180103113616-119836-0001.zip "Domain Controller" 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
        bin/PamDirectory.sh Extract ~/Documents/xton/apps/export/xtamexp-20180103113616-119836-0001.zip 168473 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
        bin/PamDirectory.sh Extract ~/Documents/xton/apps/export/xtamexp-20180103113616 168473 -
        bin/PamDirectory.sh Extract ~/Documents/xton/apps/export/xtamexp-20180103113616 "Domain" -
  5. The command output will display this record's information, including the secret parameters. An Ok will be printed at the end of the output results.

    Output:

    -------------------------------
    id=168473
    name=Domain Controller
    host=10.0.0.2
    description=Primary Domain Controller
    type=Windows Host
    Host=10.0.0.2
    Port=3389
    User=domain\\administrator
    Password=ZH3zFVzJ8KcZPTTE
    Ok

Extract a list of records

If you are unsure of the Record Name or ID, or would simply like to extract a list of records from the exported database, the PAM Administrator would perform these steps:

  1. Login to the server that is hosting the PAM as an Administrator.
  2. Open a command line session.
  3. Navigate to $PAM_HOME. This is the installation folder for the PAM.
  4. Execute the following command to extract a list of records. The following variables will need to be replaced as necessary.
    • {EXPORT}: The full path to the exported database .ZIP file or the beginning of the .ZIP file for multi-part exports.

    • {QUERY}: The query search for records. This query will return a list of all records (record name, ID, host and description only):

      1. For Windows, substitute your {EXPORT} and {QUERY} values and issue this command.

        bin\PamDirectory.cmd ListExport {EXPORT} {QUERY}

        Examples:

        bin\PamDirectory.cmd ListExport c:\xtam\export\xtamexp-20180103113616-119836-0001.zip "Domain Controller"
        bin\PamDirectory.cmd ListExport c:\xtam\export\xtamexp-20180103113616 "Domain"
      2. For Unix, substitute your {EXPORT} and {QUERY} values and issue this command.

        bin/PamDirectory.sh ListExport {EXPORT} {QUERY}

        Examples:

        bin/PamDirectory.sh ListExport ~/Documents/xton/apps/export/xtamexp-20180103113616-119836-0001.zip "Domain Controller"
        bin/PamDirectory.sh ListExport ~/Documents/xton/apps/export/xtamexp-20180103113616 "Domain"
  5. The command output will display the record(s) returned by the query search, but will only include each record's name, ID, host, description and type. An Ok will be printed at the end of the output results.

    Single Result Output:

    -------------------------------
    id=168473
    name=Domain Controller
    description=Primary Domain Controller
    host=10.0.0.2
    type=Windows Host
    Ok

    Multiple Result Output:

    -------------------------------
    id=168473
    name=Domain Controller
    description=Primary Domain Controller
    host=10.0.0.2
    type=Windows Host
    -------------------------------
    id=178125
    name=Domain Controller Backup
    description=Backup Domain Controller
    host=10.0.0.3
    type=Windows Host
    -------------------------------
    id=274586
    name=Domain Administrator
    description=Shared domain Admin account
    type=Active Directory
    Ok
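Both the Extract output (Scenario #2) and the ListExport output above use the same dashed-separator, key=value layout terminated by Ok. The following is an added example, not part of the PAM product or its PamDirectory tooling: a small Python parser that refuses output missing the trailing Ok, splits it into records, and produces a redacted copy of a record that can be written to the break-glass audit trail without the secret. The sample output is constructed to mirror the layout shown, and the list of secret field names is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the layout PamDirectory Extract prints (values are made up).
SAMPLE_EXTRACT = r"""-------------------------------
id=168473
name=Domain Controller
host=10.0.0.2
description=Primary Domain Controller
type=Windows Host
Host=10.0.0.2
Port=3389
User=domain\administrator
Password=ZH3zFVzJ8KcZPTTE
Ok
"""

SEPARATOR = re.compile(r"^-{5,}$")
# Assumption: field names that carry secrets; Password is the one shown on the page.
SECRET_KEYS = {"password", "secret", "privatekey", "passphrase"}


def parse_pam_directory_output(text: str) -> List[Dict[str, str]]:
    """Split Extract/ListExport output into records. Each record starts at a
    dashed separator line; the run is only trusted if it ends with 'Ok'."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if not lines or lines[-1].strip() != "Ok":
        raise ValueError("output did not end with 'Ok'; treat the extract as failed")
    records: List[Dict[str, str]] = []
    for line in lines[:-1]:
        if SEPARATOR.match(line.strip()):
            records.append({})
            continue
        if not records:
            raise ValueError(f"field before first separator: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed field line: {line!r}")
        records[-1][key] = value  # 'host' and 'Host' are distinct keys, as in the output
    return records


def audit_view(record: Dict[str, str]) -> Dict[str, str]:
    """Copy of a record with secret values masked, safe to write to the
    break-glass audit log alongside who requested it, when, and why."""
    return {k: "<redacted>" if k.lower() in SECRET_KEYS else v for k, v in record.items()}


def secrets_only(record: Dict[str, str]) -> Dict[str, str]:
    """Just the secret fields, to hand to the requester and then discard."""
    return {k: v for k, v in record.items() if k.lower() in SECRET_KEYS}
```

Run the parser over the saved console output of the Extract step, log audit_view() with the requester and ticket, and pass only secrets_only() to the person doing the emergency work.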