Configure the Lieberman ERPM Plugin for Integration with Bomgar Privileged Access
Install the Endpoint Credential Manager
The Endpoint Credential Manager (ECM) must be installed on a system with the following requirements:
- Windows Vista or newer, 64-bit only
- .NET 4.5 or newer
- To begin, download the Bomgar Endpoint Credential Manager (ECM) from Bomgar Support . Start the Bomgar Endpoint Credential Manager Setup Wizard.
- Agree to the EULA terms and conditions. Mark the checkbox if you agree, and click Install.
Note: You are not allowed to proceed with the installation unless you agree to the EULA.
If you need modify the ECM installation path, click the Options button to customize the installation location.
- Click Install.
- Choose a location for the credential manager and click Next.
- On the next screen, you can begin the installation or review any previous step.
- Click Install when you are ready to begin.
- The installation takes a few moments. On the screen, click Finish.
Note: To ensure optimal up-time, administrators can install up to five ECMs on different Windows machines to communicate with the same site on the Bomgar Appliance. A list of the ECMs connected to the appliance site can be found at /login > Status > Information > ECM Clients.
Note: When multiple ECMs are connected to a Bomgar site, the Bomgar Appliance routes requests to the ECM that has been connected to the appliance the longest.
Install and Configure the Plugin
- Once the Bomgar ECM is installed, extract and copy the plugin files to the installation directory (typically C:\Program Files\Bomgar\ECM).
- Run the ECM Configurator to install the plugin.
- The Configurator should automatically detect the plugin and load it. If so, skip to step 4 below. Otherwise, follow these steps:
- First, ensure that the DLL is not blocked. Right-click on the DLL and select Properties.
- On the General tab, look at the bottom of the pane. If there is a Security section with an Unblock button, click the button.
- Repeat these steps for any other DLLs packaged with the plugin.
- In the Configurator, click the Choose Plugin button and browse to the location of the plugin DLL LiebermanERPMPlugin.dll.
- After selecting the DLL, click the gear icon in the Configurator window to configure plugin settings.
- The following settings are available:
Setting Name Description Notes Required Endpoint URL The full URL to the ERPM SDK Web Services e.g., https://<lieberman-server-hostname>/ERPMWebService/AuthService.svc Yes API User Delegation identity created and assigned impersonate permissions for various other ERPM identities and/or roles Yes API Password Password of the above delegation identity Yes Authenticator The authenticator associated with the delegation identity Leave this blank if using an explicit account. No Default Domain for Local Bomgar Users When a value is supplied, the plugin initially attempts to retrieve credentials for the user with the username from Bomgar and the configured default domain This setting is necessary if some or all Bomgar users are local users but the corresponding accounts in ERPM are domain accounts with the same username portion. No Enable fall-back to local account if domain account not found When checked, the plugin first attempts to retrieve credentials for the user as a domain user and then, if no match is found, makes a second attempt without the domain This setting is necessary if some or all Bomgar users are domain users but the corresponding accounts in ERPM are domain accounts with the same username portion. No Map Domains Allows for the mapping of fully qualified domain names to their shorter NetBIOS names This setting is necessary to match domain users in Bomgar to domain users in ERPM. Bomgar reports the logged-in user with the fully qualified domain name (FQDN), while ERPM may expect the NetBIOS name of the domain. These mappings must be done manually and can be entered one per line as FQDN=NetBIOS (e.g., Example.local=EX). No Enable creation of password spin jobs When checked, the plugin creates password spin jobs for credentials checked out via the integration Checking out credentials via the ERPM SDK Web Services does NOT result in a spin job for managed passwords that would normally rotate when checked in via the web interface. To compensate for this, the plugin can examine the credential to see if it is set to auto-spin and then create a job to do so. No spin job is created for credentials that do not have random passwords or that are not configured to auto-spin. No Manually schedule jobs When checked, the spin job is created immediately upon checkout but is scheduled to run at a later time based on the check-out duration setting If password rotation is desired (i.e., the creation of password spin jobs is enabled), this setting should ALWAYS be used for Bomgar Privileged Access versions 16.1.1 or earlier and NEVER used for versions 16.1.2 or later. No Check-out duration in minutes The number of minutes for which a check-out is valid if not checked back in manually This value is used in determining the time the password spin job is scheduled to run. No Password Change Template Job ID The numeric ID of the template job shown in the Jobs list in ERPM Lieberman recommends creating a password change job that can be used as a template for future jobs submitted by the integration. The basic settings of this job are used for each subsequent job with only the password, endpoint-specific information, and scheduling being overridden. No Job Comment A custom job comment that can be configured to help distinguish jobs that were submitted as part of the integration The string
<username>is replaced with the username of the ERPM identity performing the check-out. It can be placed anywhere in the string or removed if desired.
No Include credentials from Shared Credential Lists When checked, the plugin includes credentials from a Shared Credential List In addition to retrieval of normal managed credentials, the integration can also retrieve endpoint-specific credentials from a Shared Credential List. No
The settings specific to Lieberman ERPM can be tested directly from the plugin configuration screen using the Test Settings button.
Enter a user account from which to retrieve credentials.
- Enter an endpoint for which the user account has one or more credentials.
- View the resulting list.
Note: No actual passwords are retrieved or displayed, only the list of credentials.
Note: The settings used for the test are the ones currently entered on the screen, not necessarily what is saved.
Clear Token Cache
To avoid excessive authentication calls to Lieberman, the plugin caches (in an encrypted form) authentication tokens for users as they attempt to retrieve secrets through the integration. Subsequent calls use the cached token until it expires. At that point, a new authentication token is retrieved and cached. The Clear Token Cache button allows an admin to clear all cached authentication tokens if such action becomes necessary for maintenance, testing, etc.