Creating a secret
To create a secret:
- Go to Secrets > Secret List.
Alternatively, go to Personal Folder/Public Folder in Secrets, select Open Tree, locate the folder where you intend to add the secret, and click Open Folder.
From the Create dropdown, select Secret, and skip to step 6.
- In Secret List, select Create.
The Create New Secret in: dialog appears.
- Select the folder where you intend to add the secret.
The folder is already selected if you are creating a secret from inside a folder.
- Select Create Secret.
The General tab opens.
- To switch to the Service Setting or Secret Permission tab, select the tab.
- Enter the following information:
Name
Name of the secret.
Folder
The folder where the secret is added. See Personal/public folder.
The folder is already selected in step 2. Use the dropdown if you want to change the folder.
Template
From the dropdown, select a template.
Select Create to create a new template. See Creating secret templates.
To change the template after selecting one:
- Select the pen icon.
- In the Convert Secret Template pane, select a template to transfer old field values to new fields where applicable.
- Click OK.
Associated Secret
Enable and then from the dropdown, select an associated secret for the new secret being created.
When enabled, changing password or verifying password requires credentials from the associated secret.
Note: The option is disabled by default.
Description
Optionally, enter a description.
Fields
Enter a value in a field.
The options in the fields depend on the selected template.
For fields where a host is required when using the FortiPAM browser extension, enter the URL instead.
Secret Setting
Some settings may not be configurable as they are protected by the policy that applies to the folder where the secret is added.
The owner of the secret must configure password verification and change settings before the secret utilizes the password changer and password verification. However, a user can manually trigger these actions if they have sufficient permissions.
Automatic Password Changing
Enable/disable automatic password changing.
When enabled, password changer for secrets is activated to periodically change the password.
Recursive
Displays the password changing schedule based on your selections for the related settings.
Start Time
The date and time when the recurring schedule begins.
Enter date (MM/DD/YYYY) and time or select the Calendar icon and then select a date and time.
Recurrence
From the dropdown, select from the following three frequencies of recurrence:
Daily
Weekly
Monthly
Repeat every
The number of days/weeks/months after which the password is changed (1 - 400).
Occurs on
Select from the following days of the month when the password is automatically changed:
First
Second
Third
Last
Last Day
Day
When you select Day, select + to add days of the month when the password is automatically changed.
Select days of the week when the password is automatically changed.
Note: The option is only available when Recurrence is set as Weekly or Monthly.
Automatic Password Verification
Enable/disable automatic password verification.
When enabled, password changer for secrets is activated to periodically verify the password, and check if the target server is still available.
Interval (min)
The time interval at which the secret passwords are tested for accuracy, in minutes (default = 60, 5 - 44640).
Start Time
The date and time when the Interval(min) begins.
Enter date (MM/DD/YYYY) and time or select the Calendar icon and then select a date and time.
Session Recording
Enable/disable session recording.
When enabled, user actions performed on the secret are recorded.
The video file is available in the log for users with appropriate permission.
Proxy Mode
Enable/disable the proxy mode.
When enabled, FortiPAM proxies the connection from the user to the secret.
In the proxy mode:
Web launcher is available to users who have the permission to view the secret password.
Web launcher is disabled for users who do not have the permission to view the secret password.
When disabled, the non-proxy (direct) mode is used. See Modes of operation.
In the non-proxy mode:
Web launcher is available to users who have the permission to view the secret password.
Web launcher is disabled for users who do not have the permission to view the secret password.
When launchers are disabled, the Launch option is unavailable and a tooltip is displayed instead.
Tunnel Encryption
Enable/disable tunnel encryption.
When launching a native launcher, FortiClient creates a tunnel between the endpoint and FortiPAM. The protocol stack is HTTP/TLS/TCP.
The HTTP request carries the target server information, and FortiPAM then connects to the target server. After that, two protocol options exist for the tunnel between FortiClient and FortiPAM: one clears the TLS layer for better throughput and performance, the other keeps the TLS layer so that the launcher's protocol traffic stays inside the TLS secure tunnel.
If the launcher's protocol is not secure, like VNC, it is strongly recommended to enable this option so that the traffic is in a secure tunnel.
When there is an HTTPS Man In The Middle device, e.g., FortiGate or FortiWeb between FortiClient and FortiPAM, you must enable the Tunnel Encryption option. Otherwise, the connection will be disconnected, and the launching will fail.
DLP Status
Enable/disable DLP. See Data loss prevention (DLP) protection for secrets.
DLP Profile
From the dropdown, select a DLP profile.
Antivirus Scan
Enable/disable antivirus scan.
When enabled, it enforces an antivirus profile on the secret. See AntiVirus.
Antivirus Profile
From the dropdown, select an antivirus profile.
Requires Checkout
Enable/disable requiring checkout.
When enabled, a user has exclusive access to a secret for a limited time.
At a given time, only one user can check out a secret. Other approved users must wait for the secret to be checked in or wait for the checkout duration to lapse before accessing the secret.
Checkout Duration
The checkout duration, in minutes (default = 30, 3 - 120).
Checkin Password Change
Enable/disable automatically changing the password when the user checks in.
Renew Checkout
Enable/disable renewing checkouts.
Max Renew Count
When Renew Checkout is enabled, enter the maximum number of renewals allowed for the user with exclusive access to the secret (default = 1, 1 - 5).
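The checkout rules above (one holder at a time, a bounded duration that lapses on its own, an optional renewal cap, and an optional password change at check-in) are easiest to reason about as a small state machine. The following Python is an added example and not FortiPAM code; the class names, the assumption that a lapsed checkout is released silently without a password change, and the sample users and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CheckoutPolicy:
    """The Requires Checkout settings described on the page (ranges as documented)."""
    requires_checkout: bool = True
    checkout_duration_min: int = 30      # default = 30, allowed 3 - 120
    checkin_password_change: bool = False
    renew_checkout: bool = False
    max_renew_count: int = 1             # default = 1, allowed 1 - 5

    def __post_init__(self) -> None:
        if not 3 <= self.checkout_duration_min <= 120:
            raise ValueError("Checkout Duration must be 3 - 120 minutes")
        if not 1 <= self.max_renew_count <= 5:
            raise ValueError("Max Renew Count must be 1 - 5")


@dataclass
class SecretCheckout:
    """Tracks who currently holds exclusive access to one secret (hypothetical model)."""
    policy: CheckoutPolicy
    holder: Optional[str] = None
    expires_at: float = 0.0          # unix time when the current checkout lapses
    renewals: int = 0
    password_changes: int = 0        # stand-in counter for password changer runs at check-in

    def _release_if_lapsed(self, now: float) -> None:
        # Assumption: a lapsed checkout is released without a password change.
        if self.holder is not None and now >= self.expires_at:
            self.holder = None
            self.renewals = 0

    def checkout(self, user: str, now: float) -> bool:
        """Grant exclusive access, or refuse while another user holds the secret."""
        if not self.policy.requires_checkout:
            return True  # no exclusivity enforced for this secret
        self._release_if_lapsed(now)
        if self.holder is None:
            self.holder = user
            self.expires_at = now + self.policy.checkout_duration_min * 60
            self.renewals = 0
            return True
        return self.holder == user  # current holder keeps access; others must wait

    def renew(self, user: str, now: float) -> bool:
        """Extend the holder's checkout, at most Max Renew Count times."""
        self._release_if_lapsed(now)
        if self.holder != user or not self.policy.renew_checkout:
            return False
        if self.renewals >= self.policy.max_renew_count:
            return False
        self.renewals += 1
        self.expires_at = now + self.policy.checkout_duration_min * 60
        return True

    def checkin(self, user: str, now: float) -> bool:
        """Release the secret; rotate the password if Checkin Password Change is on."""
        self._release_if_lapsed(now)
        if self.holder != user:
            return False
        self.holder = None
        self.renewals = 0
        if self.policy.checkin_password_change:
            self.password_changes += 1
        return True


if __name__ == "__main__":
    # Constructed scenario: alice checks out, bob is refused until the checkout lapses.
    policy = CheckoutPolicy(checkout_duration_min=30, checkin_password_change=True,
                            renew_checkout=True, max_renew_count=2)
    secret = SecretCheckout(policy)
    print("alice checkout:", secret.checkout("alice", 0))
    print("bob checkout while held:", secret.checkout("bob", 60))
    print("alice renew x3:", [secret.renew("alice", 60 + i * 60) for i in range(3)])
    print("bob checkout after lapse:", secret.checkout("bob", secret.expires_at))
    print("bob checkin:", secret.checkin("bob", secret.expires_at + 10),
          "password changes:", secret.password_changes)
```

The model shows why Checkin Password Change matters: a credential viewed during a checkout is only invalidated if a check-in actually happens, so the duration and renewal cap bound how long a viewed password stays valid when the user never checks in.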
Requires Approval to Launch Secret
Enable/disable requiring approval to launch a secret.
When enabled, users must request permission from the approvers defined in the approval profile before gaining access. From the dropdown, select an approval profile.
Use the search bar to look up an approval profile.
Use the pen icon next to the approval profile to edit it.
See Make a request and Approval flow.
Requires Approval to Launch Job
When enabled, users must request permission from the approvers defined in the approval profile before executing a job on a secret.
From the dropdown, select an approval profile.
Use the search bar to look up an approval profile.
Use the pen icon next to the approval profile to edit it.
See Make a request and Approval flow.
Bypass Approval
Enable/disable letting secret owners bypass the secret request/approval process, i.e., when Bypass Approval is enabled, secret owners do not require approval to launch secrets they own.
Note: The option is disabled by default and only available when Requires Approval to Launch Job is enabled.
TOTP Setting
Enable/disable TOTP (Time-based one-time password) for the secret.
TOTP is used when the target server requires TOTP as the 2FA.
To configure TOTP settings via the CLI, see Configuring TOTP settings via the secret CLI commands Example.
See Limitations of TOTP on FortiPAM.
Note: The option is disabled by default.
Verification Code with
The verification code issued by:
3rd Party (default)
FortiToken
Note: The option is only available when TOTP status is enabled.
Shared Key
The TOTP key from the target server or any other 3rd party authenticator.
The TOTP key is usually a binary string delivered in base64 or base32 encoding format. Use the eye icon to hide/unhide the shared key.
Note: The option is only available when the Verification Code with is set as 3rd Party.
Activation Code
The FortiToken activation code.
When using FortiToken as a TOTP, an activation code from the FortiToken issuer is required to activate the token. In that case, you must provide the activation code, and FortiPAM then acts as the mobile app.
FortiToken TOTP can only be configured via the GUI.
Note: The option is only available when Verification Code with is set as FortiToken.
Service Setting
Turn on/off the service settings.
You can individually toggle on or off each service, controlling whether or not FortiPAM is allowed to use the specific service to connect to the secret.
The port used by each service specified in the template can also be overridden to use a custom port specific to the secret.
SSH Service
Enable/disable SSH service.
The SSH Service toggle controls Web SSH, Web SFTP, PuTTY, and the WinSCP launchers.
Note: The SSH Filter, RSA Sign Algorithm, Connect over SSH with, and SSH Auto-Password options are only available when Template is already selected.
Use Template Default Port
Use the template default port or disable and enter a port number.
SSH Filter
Enable/disable using an SSH filter profile. See SSH filter profiles.
SSH Filter Profile
From the dropdown, select an SSH filter profile.
Note: The option is only available when SSH Filter is enabled.
Use the search bar to look up an SSH filter profile.
RSA Sign Algorithm
To improve compatibility with different SSH servers, select a signing algorithm for RSA-based public key authentication:
RSA SHA-256 signing algorithm
RSA SHA-512 signing algorithm
RSA SHA-1 signing algorithm (default)
Connect over SSH with
If the setting is set to Self (default), the secret launches SSH with its own username and password.
If the setting is set to Associated Secret, the secret launches SSH with the associated secret's username and password.
SSH Auto-Password
Enable or disable automatically delivering passwords to the server when the user enters privileged commands (e.g., sudo in Unix systems and enable in Cisco devices) in the SSH shell terminal. For secrets using the Cisco server info template, an associated secret must be set to enable this feature.
Note: The option only works when Proxy Mode is enabled.
RDP Service
Enable/disable RDP service.
The RDP Service toggle controls Web RDP and the Remote Desktop-Windows launchers.
Note: Block RDP Clipboard, RDP Security Level, RDP Restricted Admin Mode, and Keyboard Layout options are available only when Template is already selected.
Use Template Default Port
Use the template default port or disable and enter a port number.
Block RDP Clipboard
Enable/disable allowing users to copy/paste from the secret launcher.
RDP Security Level
Select a security level when establishing an RDP connection to the secret:
Best Effort (default): If the server supports NLA, FortiPAM uses NLA to authenticate. Otherwise, FortiPAM conducts standard RDP authentication with the server through RDP over TLS.
NLA: Network Level Authentication (CredSSP).
When an RDP launcher is launched, FortiPAM is forced to use CredSSP (NLA) to authenticate with the target server.
RDP: FortiPAM uses the standard RDP encryption provided by the RDP protocol without using TLS (Web-RDP only).
TLS: RDP over TLS.
FortiPAM uses a TLS-encrypted connection to the target server.
RDP Restricted Admin Mode
Enable/disable RDP restricted admin mode.
Restricted admin mode prevents the transmission of reusable credentials to the remote system to which you connect using remote desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
Note: The option is only available when RDP Security Level is set as Best Effort or NLA.
Keyboard Layout
From the dropdown, select a keyboard layout (default = English, United States)
VNC Service
Enable/disable VNC service.
The VNC Service toggle controls the Web VNC, VNC Viewer, and TightVNC launchers.
Use Template Default Port
Use the template default port or disable and enter a port number.
Note: The port number you enter is used to connect to the VNC launcher.
Display Number
Enter the display number to be added to the VNC port defined in the template (default = 0).
Notes:
The display number can only be set if the custom port on the template is the VNC default port, i.e., port 5900, and the secret uses the default template for VNC. Otherwise, the display number option is replaced by the custom port option. The display number cannot be set with a custom port.
The option is only available when Use Template Default Port is enabled.
SAMBA Service
Enable/disable SAMBA service.
The SAMBA Service toggle controls the Web SMB launcher.
Use Template Default Port
Use the template default port or disable and enter a port number.
SFTP Service
Enable/disable SFTP service.
The SFTP Service toggle controls the Web SFTP launcher.
Use Template Default Port
Use the template default port or disable and enter a port number.
Secret Permission
By default, secret permissions are the same as those of the folder where the secret is located.
When customizing secret permission, ensure that you log in with an account with Owner or Edit permission to the secret or the folder where the secret is located.
Inherit ZTNA Control
Enable to inherit ZTNA control access permission from the parent folder.
By default, secrets in a folder follow the ZTNA control set up in the parent folder. However, when creating or editing a secret you can customize the ZTNA control in the Secret Permission tab.
ZTNA Control
Enable to limit the permission of launching by ztna-ems-tag. You can choose whether to match all the tags or only one of them.
The option is only available when Inherit ZTNA Control is disabled.
Device Tags
Select + to add ZTNA tags or groups.
Use the search bar to look up a ZTNA tag or ZTNA tag group.
Only permitted devices with the selected tags are allowed to launch.
Device Match Logic
Define the match logic for the device tags:
OR: Devices with any of the selected tags are allowed to launch.
AND: Devices must acquire all the selected tags to launch.
Inherit Permission
Enable to inherit permissions that apply to the folder where the secret is located.
The option is enabled by default.
User Permission
The level of user access to the secret. See User Permission.
This option is only available when Inherit Permission is disabled.
For column settings, see Tables.
Group Permission
The level of user group access to the secrets. See Group Permission.
This option is only available when Inherit Permission is disabled.
For column settings, see Tables.
Address Filter
Enable/disable filtering addresses.
When enabled, allow or deny addresses, i.e., create a list of allowed or blocked addresses.
Creating allowlist/blocklist helps you improve security by allowing/blocking IP addresses.
Select +, from the Select Entries list, select addresses, and click Close.
Use the search bar to look up an address.
Click the delete icon to delete all the addresses and reset the list.
Note:
The option is disabled by default and only available when editing a secret that has one of its fields set as Domain.
For information on setting up allowlist/blocklist using the CLI, see Launching a secret.
- Click Submit.
See Launching a secret and Example secret configurations.
User Permission
- In step 5 when Creating a secret, select Create in User Permission.
The New User Permission window opens.
- Enter the following information:
Users
Select + and from the list, select users in the Select Entries window.
To add a new user:
- From the Select Entries window, select Create and then select +User Definition.
The New User Definition wizard opens.
- Follow the steps in Creating a user, starting step 2 to create a new user.
Use the search bar to look up a user.
Use the pen icon next to a user to edit it.
Permission
From the dropdown, select an option:
None: No access.
List: Ability to list secrets. You cannot see detailed information on secrets.
View: Ability to view secret details and launch a secret.
Edit: Ability to create/edit secrets and launch the secrets.
Owner: The highest possible permission level with the ability to create, edit, delete, and launch secrets.
- From the Select Entries window, select Create and then select +User Definition.
- Click OK.
From the list, select a user permission entry and then select Edit to edit it. From the list, select user permission entries and then select Delete to delete them.
Group Permission
- In step 5 when Creating a secret, select Create in Group Permission.
The New Group Permission window opens.
- Enter the following information:
Groups
Select + and from the list, select user groups in the Select Entries window.
To add a new user group:
- From the Select Entries window, select Create.
The Create New User Group window opens.
- Follow the steps in Creating user groups, starting step 3.
Use the search bar to look up a user group.
Use the pen icon next to a user group to edit it.
Permission
From the dropdown, select an option:
None: No access.
List: Ability to list secrets. You cannot see detailed information on secrets.
View: Ability to view secret details and launch a secret.
Edit: Ability to create/edit secrets and launch the secrets.
Owner: The highest possible permission level with the ability to create, edit, delete, and launch secrets.
- From the Select Entries window, select Create.
- Click OK.
From the list, select a user group permission entry and then select Edit to edit it. From the list, select user group permission entries and then select Delete to delete them.
Configuring TOTP settings via the secret CLI commands Example
To configure TOTP settings via the CLI:
- In the CLI console, enter the following commands to use the secret template TOTP settings for the secret:
config secret database
    edit 1
        config totp-setting
            set status enable
            set use-template-setting enable
            set shared-key xxxxxxxxxxxx
        end
    next
end
To configure TOTP settings via the CLI:
- In the CLI console, enter the following commands to disable the secret template TOTP settings and instead configure a custom TOTP setting for the secret:
config secret database
    edit 1
        config totp-setting
            set status enable
            set use-template-setting disable
            set totp-length 6
            set totp-duration 30
            set hash-type hmac-sha1
            set shared-key xxxxxxxxxxxx
        end
    next
end