Configure the Lieberman ERPM Plugin for Integration with Bomgar Privileged Access

Install the Endpoint Credential Manager

The Endpoint Credential Manager (ECM) must be installed on a system with the following requirements:

  • Windows Vista or newer, 64-bit only
  • .NET 4.5 or newer

  1. To begin, download the Bomgar Endpoint Credential Manager (ECM) from Bomgar Support. Start the Bomgar Endpoint Credential Manager Setup Wizard.

    Bomgar ECM EULA

  2. Agree to the EULA terms and conditions. Mark the checkbox if you agree, and click Install.

    Note: You are not allowed to proceed with the installation unless you agree to the EULA.

    If you need to modify the ECM installation path, click the Options button to customize the installation location.

  3. Click Install.

    Bomgar ECM Destination Folder

  4. Choose a location for the credential manager and click Next.
  5. On the next screen, you can begin the installation or review any previous step.

    ECM Installation

  6. Click Install when you are ready to begin.

    ECM Installation Complete

  7. The installation takes a few moments. On the screen, click Finish.

    Note: To ensure optimal up-time, administrators can install up to five ECMs on different Windows machines to communicate with the same site on the Bomgar Appliance. A list of the ECMs connected to the appliance site can be found at /login > Status > Information > ECM Clients.

    Note: When multiple ECMs are connected to a Bomgar site, the Bomgar Appliance routes requests to the ECM that has been connected to the appliance the longest.

Install and Configure the Plugin

  1. Once the Bomgar ECM is installed, extract and copy the plugin files to the installation directory (typically C:\Program Files\Bomgar\ECM).
  2. Run the ECM Configurator to install the plugin.
  3. The Configurator should automatically detect the plugin and load it. If so, skip to step 4 below. Otherwise, follow these steps:

    Unblock DLL

    1. First, ensure that the DLL is not blocked. Right-click on the DLL and select Properties.
    2. On the General tab, look at the bottom of the pane. If there is a Security section with an Unblock button, click the button.
    3. Repeat these steps for any other DLLs packaged with the plugin.
    4. In the Configurator, click the Choose Plugin button and browse to the location of the plugin DLL LiebermanERPMPlugin.dll.
  4. After selecting the DLL, click the gear icon in the Configurator window to configure plugin settings.
  5. The following settings are available:

    Endpoint URL (required)
      Description: The full URL to the ERPM SDK Web Services.
      Notes: e.g., https://<lieberman-server-hostname>/ERPMWebService/AuthService.svc

    API User (required)
      Description: Delegation identity created and assigned impersonate permissions for various other ERPM identities and/or roles.

    API Password (required)
      Description: Password of the above delegation identity.

    Authenticator (optional)
      Description: The authenticator associated with the delegation identity.
      Notes: Leave this blank if using an explicit account.

    Default Domain for Local Bomgar Users (optional)
      Description: When a value is supplied, the plugin initially attempts to retrieve credentials for the user with the username from Bomgar and the configured default domain.
      Notes: This setting is necessary if some or all Bomgar users are local users but the corresponding accounts in ERPM are domain accounts with the same username portion.

    Enable fall-back to local account if domain account not found (optional)
      Description: When checked, the plugin first attempts to retrieve credentials for the user as a domain user and then, if no match is found, makes a second attempt without the domain.
      Notes: This setting is necessary if some or all Bomgar users are domain users but the corresponding accounts in ERPM are domain accounts with the same username portion.

    Map Domains (optional)
      Description: Allows for the mapping of fully qualified domain names to their shorter NetBIOS names.
      Notes: This setting is necessary to match domain users in Bomgar to domain users in ERPM. Bomgar reports the logged-in user with the fully qualified domain name (FQDN), while ERPM may expect the NetBIOS name of the domain. These mappings must be done manually and can be entered one per line as FQDN=NetBIOS (e.g., Example.local=EX).

    Enable creation of password spin jobs (optional)
      Description: When checked, the plugin creates password spin jobs for credentials checked out via the integration.
      Notes: Checking out credentials via the ERPM SDK Web Services does NOT result in a spin job for managed passwords that would normally rotate when checked in via the web interface. To compensate for this, the plugin can examine the credential to see if it is set to auto-spin and then create a job to do so. No spin job is created for credentials that do not have random passwords or that are not configured to auto-spin.

    Manually schedule jobs (optional)
      Description: When checked, the spin job is created immediately upon checkout but is scheduled to run at a later time based on the check-out duration setting.
      Notes: If password rotation is desired (i.e., the creation of password spin jobs is enabled), this setting should ALWAYS be used for Bomgar Privileged Access versions 16.1.1 or earlier and NEVER used for versions 16.1.2 or later.

    Check-out duration in minutes (optional)
      Description: The number of minutes for which a check-out is valid if not checked back in manually.
      Notes: This value is used in determining the time the password spin job is scheduled to run.

    Password Change Template Job ID (optional)
      Description: The numeric ID of the template job shown in the Jobs list in ERPM.
      Notes: Lieberman recommends creating a password change job that can be used as a template for future jobs submitted by the integration. The basic settings of this job are used for each subsequent job, with only the password, endpoint-specific information, and scheduling being overridden.

    Job Comment (optional)
      Description: A custom job comment that can be configured to help distinguish jobs that were submitted as part of the integration.
      Notes: The string <username> is replaced with the username of the ERPM identity performing the check-out. It can be placed anywhere in the string or removed if desired.

    Include credentials from Shared Credential Lists (optional)
      Description: When checked, the plugin includes credentials from a Shared Credential List.
      Notes: In addition to retrieval of normal managed credentials, the integration can also retrieve endpoint-specific credentials from a Shared Credential List.
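The domain-mapping, default-domain and fall-back settings above determine the order in which the plugin looks up an ERPM identity for a Bomgar user, and the check-out duration determines when a scheduled spin job runs. The following Python sketch is an added example, not the plugin's code: it assumes Bomgar reports domain users as FQDN\user and bare usernames for local users, and it encodes the lookup order as an administrator would read it from the settings table.

```python
from datetime import datetime, timedelta

# Constructed sample of the "Map Domains" setting: one FQDN=NetBIOS pair per line.
MAP_DOMAINS = """Example.local=EX
corp.example.com=CORP
"""


def parse_domain_map(text):
    """Parse FQDN=NetBIOS lines into a dict keyed by lower-cased FQDN.

    Blank lines and lines without '=' are ignored so a stray newline in the
    setting does not break every lookup.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        fqdn, netbios = line.split("=", 1)
        mapping[fqdn.strip().lower()] = netbios.strip()
    return mapping


def erpm_lookup_order(bomgar_user, domain_map, default_domain="", fallback_to_local=False):
    """Return the ordered (domain, username) pairs the plugin would try in ERPM.

    Assumed format: 'fqdn\\user' for domain users, 'user' for local users.
    An unmapped FQDN is passed through unchanged; '' means a local account.
    """
    if "\\" in bomgar_user:
        fqdn, user = bomgar_user.split("\\", 1)
        domain = domain_map.get(fqdn.lower(), fqdn)
    else:
        user, domain = bomgar_user, default_domain  # local user gets the default domain
    order = []
    if domain:
        order.append((domain, user))                # first attempt: domain account
    if not domain or fallback_to_local:
        order.append(("", user))                    # second attempt: local account
    return order


def spin_job_run_time(checkout_iso, checkout_minutes):
    """Spin job runs when the check-out expires; times are ISO 8601 strings."""
    started = datetime.fromisoformat(checkout_iso)
    return (started + timedelta(minutes=checkout_minutes)).isoformat()
```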

Test Settings

The settings specific to Lieberman ERPM can be tested directly from the plugin configuration screen using the Test Settings button.

    Enter a Secret Server User ID

  1. Enter a user account from which to retrieve credentials.

    Enter an Endpoint

  2. Enter an endpoint for which the user account has one or more credentials.

    Test Results

  3. View the resulting list.

    Note: No actual passwords are retrieved or displayed, only the list of credentials.

    Note: The settings used for the test are the ones currently entered on the screen, not necessarily what is saved.

Clear Token Cache

To avoid excessive authentication calls to Lieberman, the plugin caches (in an encrypted form) authentication tokens for users as they attempt to retrieve secrets through the integration. Subsequent calls use the cached token until it expires. At that point, a new authentication token is retrieved and cached. The Clear Token Cache button allows an admin to clear all cached authentication tokens if such action becomes necessary for maintenance, testing, etc.