Imprivata Privileged Access Management Product Update 2.3.202004262312

April 26, 2020

PAM Update: Added support for long-term PAM Shell sessions, updated SSL protocols and cipher suites, and added content organization to record types and script libraries

This update adds support for long-term PAM SSH Shell sessions, updates the out-of-the-box SSL protocols and cipher suites, and improves the user experience of navigating record types and script libraries.

Added support for long-term PAM Shell sessions

PAM Shell is a command-line interface to the PAM server, accessible using native SSH clients. It allows a user to browse available assets, connect to remote servers, request access, unlock sensitive information and confirm user identity from the command line, without needing to open a browser.

The new update adds support for keeping the user in the PAM Shell after disconnecting from remote servers, preserving command history between remote sessions.

The option enables continuous long-term use of PAM Shell, jumping between multiple servers restricted by access rules, without the need to re-authenticate to PAM Shell after each connection.

Added content organization to record types and script libraries

The new update adds an organizational structure to record types and script libraries, allowing users to find the right record type or script faster and to get a quick overview of the available configurations.

The record types library groups objects by session manager, so that all record types related to Unix are grouped together, separate from the record types related to Windows. In a similar way, the script library organizes scripts by Strategy Manager, grouping scripts developed in the same language or for the same purpose (PowerShell, Shell, Groovy, Active Directory, Cisco, etc.) in separate sections.

Updated SSL protocols and cipher suites

The new update locks default deployments to the TLS v1.2 and TLS v1.3 protocols with their related strong-only cipher suites. The update also improves the strength of the default self-signed SSL certificate generated during initial deployment.

This restriction can be removed or updated after deployment to support legacy clients by editing the sslProtocol, sslEnabledProtocols and ciphers attributes of the server.xml file to include or exclude certain options.
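As an added example (not Imprivata's code), the following check can be run after editing these attributes for legacy clients; it lists anything enabled outside TLS v1.2 and TLS v1.3 or matching common weak-cipher markers. It assumes server.xml uses Tomcat-style Connector elements with comma-separated JSSE cipher names; the sample XML, the marker list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protocols the update leaves enabled by default (from the release note).
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Assumed marker list for weak suites; extend to match local policy.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "_DES_", "MD5", "anon")
TLS_ATTRS = ("sslProtocol", "sslEnabledProtocols", "ciphers")

# Constructed sample: a connector loosened for legacy clients.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.2,TLSv1.3"
               ciphers="TLS_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
  </Service>
</Server>"""

def _items(value):
    """Split a comma-separated attribute value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_server_xml(xml_text):
    """Return (port, attribute, value) for each setting outside the baseline."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not any(conn.get(a) for a in TLS_ATTRS):
            continue  # plain HTTP connector, nothing to audit
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # Without an explicit list the runtime defaults apply.
            findings.append((port, "sslEnabledProtocols", "<unset>"))
        else:
            for proto in _items(enabled):
                if proto not in ALLOWED_PROTOCOLS:
                    findings.append((port, "sslEnabledProtocols", proto))
        for suite in _items(conn.get("ciphers", "")):
            if any(m.lower() in suite.lower() for m in WEAK_CIPHER_MARKERS):
                findings.append((port, "ciphers", suite))
    return findings

if __name__ == "__main__":
    for port, attr, value in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {attr} allows {value}")
```

An empty result means every TLS connector in the file stays within the default TLS v1.2 and TLS v1.3 baseline.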

We also recommend replacing the default generated self-signed certificate with one trusted by the intended browsers.

This update improves the security of the default out-of-the-box deployment on both Linux and Windows platforms.

The update also adds support for SHA2-256+ cipher suites for in-browser SSH sessions on Linux-based deployments, allowing users to connect to Unix servers in environments that lock SSH protocols to certain security levels.