Imprivata Privileged Access Management Product Update 2.3.202105022207

May 2, 2021

PAM Update: Added multiple Duo Security MFA providers support for Proxy Sessions, added support to exclude archived records from the search result

This update adds support for multiple Duo Security MFA providers in Proxy Sessions, adds support for excluding archived records from search results, and adds support for an alternative SSH job execution provider that uses the extended cryptography framework.

Added multiple Duo Security MFA providers support for Proxy Sessions

The update extended the option to support multiple Duo Security providers to SSH and RDP Proxy connections made using native clients.

The option allows Managed Service Providers to define different MFA options for their clients while still allowing them to use native clients (ssh, scp, PuTTY, mstsc, etc.) to connect to destination endpoints.

The option respects cas.authn.mfa.duo[X].xxxx configuration with X being an index (0, 1, 2, …) defining multiple Duo Security tenants as described in the guide below.

System administrators assign Duo configuration to groups of users using the Administration / MFA screen.

Added support to exclude archived records from the search result

Starting with this update, archived records are excluded from search results and from the Favorites and Shared with Me areas.

Archived records are still included in the record list during folder browsing in main or personal vaults.

Users can search archived records using a combination of Query with Archived Records search criteria.

Added support for an alternative SSH job execution

The update adds support for an alternative SSH job execution provider using the extended cryptography framework.

The alternative SSH job execution option allows executing jobs on a broader range of devices that restrict access using extended cryptography algorithms. It supplements the recently introduced SSH Proxy support for establishing sessions to such devices.

Use the global parameter SSH Connector Type to switch between the default (Jsch Connector) and the extended (SSHD Connector) provider for executing all SSH and Interactive SSH jobs in the system.

Alternatively, use the record-level field SSHConnectorType (Display name: SSH Connector Type, Choice values: Jsch Connector, SSHD Connector) to select the default or the extended provider for each individual record.

Added configuration parameters for SSH Proxy keep alive interval and count

The update adds global parameters to control the SSH Proxy keep-alive function for client-side communication.

The SSH Proxy server uses a keep-alive mechanism to detect disconnected client applications in time to close their SSH Proxy sessions.

In some cases of network transport failure, such as VPN disconnects, the SSH Proxy server does not receive a regular TCP disconnect signal.

To process session completion in such situations, the SSH Proxy server sends periodic keep-alive packets to the client application.

When the client does not respond to several consecutive keep-alive messages, the SSH Proxy server marks the session as completed and disconnects the client.

The update adds the option to control the frequency and the count of keep-alive packets used to declare a particular session disconnected. The update also adds the option to disable the client-side keep-alive mechanism for networks that benefit from disabling this feature.

Use the global parameter SSH Proxy Keep Alive Count to define the number of keep-alive messages allowed without a response from the client.

SSH Proxy will disconnect the stale session after the specified number of unconfirmed keep-alive packets.

The value 0 in this parameter disables the client-side keep-alive mechanism.

Use the global parameter SSH Proxy Keep Alive Interval to specify the frequency of the keep-alive messages in seconds.

The value 0 in this parameter disables the client-side keep-alive mechanism.
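
The following model of the keep-alive behavior described above is an added example, not code from the product. It shows how the two parameters trade off the time a stale privileged session stays open against the risk of dropping a live session on a short network blip. The function names, the outage timeline and the parameter values are constructed for illustration, and the model assumes a probe sent during an outage counts as unconfirmed immediately.

```python
"""Model of the SSH Proxy client-side keep-alive (constructed example)."""


def session_close_time(interval_s, count, outages, horizon_s):
    """Return the second at which the proxy would close the session, or None.

    interval_s and count stand in for the global parameters
    SSH Proxy Keep Alive Interval and SSH Proxy Keep Alive Count.
    outages is a list of (start, end) seconds during which the client
    cannot answer. Assumption: a probe sent during an outage is counted
    as unconfirmed at the moment it is sent.
    """
    if interval_s == 0 or count == 0:
        return None  # a value of 0 disables the keep-alive mechanism
    missed = 0
    for t in range(interval_s, horizon_s + 1, interval_s):
        if not any(start <= t < end for start, end in outages):
            missed = 0  # a reply resets the run of unconfirmed probes
            continue
        missed += 1
        if missed >= count:  # `count` consecutive unconfirmed probes
            return t
    return None


def assess(interval_s, count, outages, horizon_s):
    """Describe the outcome relative to the final (permanent) outage."""
    closed = session_close_time(interval_s, count, outages, horizon_s)
    final_drop = outages[-1][0]
    if closed is None:
        return "stale session never closed"
    if closed < final_drop:
        return f"live session dropped at {closed}s by a transient blip"
    return f"stale session closed {closed - final_drop}s after the drop"


# Constructed timeline: a 20 s network blip, then the VPN drops for good at t=100.
HORIZON = 600
OUTAGES = [(20, 40), (100, HORIZON + 1)]

if __name__ == "__main__":
    # Constructed parameter pairs (interval in seconds, count); not product defaults.
    for interval, count in [(15, 3), (15, 1), (60, 5), (15, 0)]:
        print(f"interval={interval:>2}s count={count}: "
              f"{assess(interval, count, OUTAGES, HORIZON)}")
```

In this model the stale window after a silent disconnect is bounded by roughly interval × count, so that product is the figure to compare against how long an orphaned proxy session to a privileged endpoint may be tolerated.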