
Enterprise Random Password Manager

Installation Guide

5.5.1
Copyright 2003-2016 Lieberman Software Corporation.
All rights reserved.
The software contains proprietary information of Lieberman Software Corporation; it is provided
under a license agreement containing restrictions on use and disclosure and is also protected by
copyright law. Reverse engineering of the software is prohibited.
Due to continued product development this information may change without notice. The
information and intellectual property contained herein is confidential between Lieberman Software
and the client and remains the exclusive property of Lieberman Software. If there are any
problems in the documentation, please report them to Lieberman Software in writing. Lieberman
Software does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise without the
prior written permission of Lieberman Software.
Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation


1875 Century Park East, Suite 1200
Los Angeles, CA 90067
(310) 550-8575
Internet E-Mail: support@liebsoft.com
Website: http://www.liebsoft.com

Contents
CHAPTER 1 INTRODUCTION ...................................................................................................5
1.1 Overview...................................................................................................................................5
1.2 Performance Notes ..................................................................................................................6
1.3 Background and Goals ..............................................................................................................7
1.4 Limited Warranty .....................................................................................................................9
1.5 License Agreement ...................................................................................................................9
CHAPTER 2 START HERE: ROADMAPS ................................................................................... 11
2.1 Installation Roadmap .............................................................................................................11
2.2 Upgrade Roadmap..................................................................................................................14
CHAPTER 3 INSTALLING ERPM PREREQUISITES ..................................................................... 17
3.1 Understanding Prerequisites ..................................................................................................18
3.1.1 Recommended Knowledge ............................................................................................18
3.1.2 Product Requirements Overview ...................................................................................18
3.1.3 Component Overview.....................................................................................................19
3.1.4 Host System Requirements ............................................................................................19
3.1.5 Web Application Requirements .....................................................................................22
3.1.6 Solution Database Requirements ...................................................................................25
3.1.6.1 SQL Server Requirements for ERPM ........................................................................................ 25
3.1.6.2 Oracle Database Requirements for ERPM ............................................................................... 26
3.1.7 Service Account Requirements ......................................................................................28
3.1.8 Port Requirements .........................................................................................................30
3.1.9 Managed Computers and Devices Prerequisites ...........................................................32
3.1.10 Managed Database Prerequisites ..............................................................................34
3.2 Installing and Configuring IIS ..................................................................................................37
3.2.1 Installing IIS.....................................................................................................................38
3.2.1.1 Required Web Components on a Non-Web Server ................................................................. 45
3.2.1.2 Enable ASP Support ................................................................................................................. 51
3.2.1.3 Enable ASP.NET Support .......................................................................................................... 55
3.2.1.4 Enable IIS6 Compatibility Support ........................................................................................... 59
3.2.2 Configuring SSL on IIS .....................................................................................................63
3.2.2.1 SSL with IIS - With an Existing Cert .......................................................................................... 63
3.2.2.2 SSL with IIS - No Existing Cert .................................................................................................. 66
3.3 Installing SQL Server or Oracle Database ...............................................................................76
3.3.1 SQL Server Installation ...................................................................................................76
3.3.2 Configuring SQL Server for use With ERPM ...................................................................94
3.3.3 Oracle 11g Installation....................................................................................................95
3.4 Installing Database Providers (Connectors) .........................................................................110
3.4.1 Installing the Microsoft SQL Server Provider ...............................................................110


3.4.2 Installing the Oracle Provider .......................................................................................110
3.4.3 Installing the Sybase ASE Provider ...............................................................................118
3.4.4 Installing the MySQL & MariaDB Provider ...................................................................129
3.4.5 Installing the IBM DB2 Provider ...................................................................................135
3.4.6 Installing the PostgreSQL Provider ...............................................................................143
3.4.7 Installing the Teradata Provider ...................................................................................145
3.5 Enabling Remote COM+ and IIS Access ................................................................................158
3.5.1 Windows 2008 & Later Remote COM+ Access.............................................................158
3.6 Configuring the COM Object and Deferred Processor Account ...........................................165
3.6.1 Granting Rights to the Database ..................................................................................180
CHAPTER 4 INSTALLING AND CONFIGURING ERPM ............................................................. 183
4.1 ERPM Management Console Installation Notes ..................................................................183
4.2 Install the Enterprise Random Password Manager 5.5.1 Management Console ................185
4.3 Complete the Mini-Setup Wizard .........................................................................................193
CHAPTER 5 UPGRADING ERPM TO VERSION 5.5.1 .............................................................. 201
5.1 Upgrade Notes......................................................................................................................201
5.2 Upgrade ERPM to Version 5.5.1 ...........................................................................................202
5.3 Upgrade the ERPM Web Client Application .........................................................................220
5.4 Upgrade the Zone Processor(s) ............................................................................................227
5.5 Upgrade the PowerShell Cmdlets.........................................................................................232
5.6 Upgrade the Legacy SDK Files ..............................................................................................233
5.7 Upgrade the Application Launcher.......................................................................................233
CHAPTER 6 INSTALLING THE WEB SERVICE ......................................................................... 235
6.1 Installing Prerequisites for the Web Service on Windows Server 2012 ...............................235
6.2 Installing Prerequisites for the Web Service on Windows Server 2008 R2 ..........................242
6.3 Install / Upgrade the ERPM Web Service .............................................................................247
6.4 Running the Web Service Tester ..........................................................................................257
Chapter 1 Introduction
This chapter includes an overview of Enterprise Random Password Manager (ERPM), what problems
it is designed to solve, performance information, expected prerequisite knowledge, and some
background information on Windows.
This chapter also includes the license and warranty information for ERPM.

IN THIS CHAPTER

Overview ................................................................................................... 5
Performance Notes ................................................................................... 6
Background and Goals ............................................................................... 7
Limited Warranty ...................................................................................... 9
License Agreement .................................................................................... 9

1.1 OVERVIEW
Enterprise Random Password Manager (ERPM) fills the gaps found in other privileged identity
management (PIM) and identity and access governance solutions. ERPM builds a configuration
management database (CMDB) for the networks that it can access. It catalogs systems and devices,
their user accounts, attributes, SSH keys, and certificates, and manages credentials and keys, as well
as user access to them.
Historically, the core functionality of ERPM revolves around its ability to randomize and store
passwords for accounts on target systems on a regular recurring basis. ERPM expanded its
capabilities with True Discovery technology, which determines where service accounts are used,
and when executing password change jobs for these accounts, propagates changed passwords to
every location where an account is used. This provides the mechanism and methods to maintain not
only company up-time during service account changes, but also makes it possible for risk-averse
companies to follow proper security practices and achieve a state of continuous compliance rather
than point-in-time compliance.
Because privileged passwords are stored and managed by ERPM, they can be retrieved using a thick
client, a thin (web) client, an orchestration system, and more. Access to the password store and
other web interface features can be limited to specific groups, users, explicit accounts, and other
identities, with or without two-factor authentication.
ERPM provides more functionality beyond password management, password vaulting, and session
management. ERPM also provides for:

- Account escalation: The ability to add a user to a pre-defined group with higher privileges than
the user would normally have on a target system, and then automatically remove that access.
- Secure file storage: The ability to upload any file (password spreadsheets, digital certificates,
instructions, and more) and store it as an encrypted data blob in the program's secure data store.
After the files are uploaded, an ACL system determines which users can retrieve them, and all
access to the files is audited.
- Orchestration: ERPM can run headless and can be controlled programmatically. This permits
tight integration with other systems, such as work-flow engines and run-book orchestration for
user and system provisioning and de-provisioning, with programmatic access to almost all
functions. This control is provided through a SOAP-based or REST-based web service and/or
PowerShell commands, so users may tie into ERPM from any program or language that can call
a web service or interact with PowerShell.
- Privileged Account Management: ERPM provides session-based control over privileged
accounts to run specific programs against specific hosts. Using the optional Application Launch
Server model, any program, website, or script may be run in a controlled and secured
environment, giving users access to specific systems or networks using specific tools with
specific feature sets. This allows access to the tool set needed to get a job done without
exposing the credential or granting direct access to the system.
- Session Recording: When using the optional Application Launch Server, administrative sessions
can be recorded for later playback. Screen recording audits the user's actions during a session
and can be helpful when developing training procedures. Visually recording an administrator's
actions can help satisfy the requirements of auditing mandates.

1.2 PERFORMANCE NOTES


Enterprise Random Password Manager is multi-threaded and supports automatic retry for failed
systems in an operation. At the default settings of 100 threads (100 simultaneous connections) on a
well-connected network (100Mbps) where all systems are accessible, password change
performance is typically 400 machines per minute for a simple password change (not including
propagation steps). This is not a guarantee of service because off-line systems, high-latency,
low-bandwidth, and unhealthy systems can affect performance. That said, a single ERPM node,
hosted on Windows Server 2012 R2 or later, can easily scale to 1,000 to 2,000 nodes per minute just
by changing one setting in ERPM to boost the maximum thread count.

Note: It is highly recommended to run this product on Windows Server 2012 R2 for best
performance. With the introduction of SMB 3.0, Windows management and
threading performance was significantly enhanced with most customers able to
spawn 250-300 threads or more simultaneously rather than only 100 threads.

Windows 2008 R2 or earlier will likely encounter thread loss and abandonment
past 200 threads when managing other Windows systems due to limitations in the
SMB 2.0 stack.

You can tune threading options up or down by changing the maximum number of threads that will
be dispatched from the Program Options dialog under Settings > Program Options. Variances in
customer environments and provided hardware may permit more simultaneous threads or may
require a reduced number of threads.
All scheduled operations and job retries are handled in the background by a deferred processor
service. The effect on network traffic during an operation using the default settings is about 2% of
available bandwidth. (In Windows environments this is equivalent to WINS type traffic.) Typically,
target machine impact will not be noticed (CPU, Memory, Hard Disk, Network) but will vary based
on the type of operation performed (for example, changing an account password or restarting a
service).

1.3 BACKGROUND AND GOALS


The Need for Strong Local Credentials
Organizations with a need for the most basic access security should use unique local logon
credentials customized for each workstation and server in their environment. Unfortunately, most
organizations use common credentials (same user name and password for the built-in administrator
account) for each system for the ease of creating and managing those systems by the IT Department
without any concern as to the consequences to the organization should these common credentials
be compromised.
With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security
Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the
implementation of reasonably hard to compromise local logon credentials is mandatory for most
organizations as a means for protecting not only the confidentiality of their data, but also to protect
against tampering.

Creating Strong Local Credentials


Enterprise Random Password Manager can change any common account on all workstations and
servers in just a few minutes without the need for scripts or any other type of program. The new
common credentials can be stored in a local or remote SQL Server database and can be recovered
on demand using the web client.
ERPM can be configured to regularly change the passwords of common accounts on all target
systems (for example, the workstation built-in administrator account) according to a schedule, so
that each account receives a fresh cryptographically strong password regularly. This protects the
overall security of an organization: the compromise of a single machine's local administrator
password does not lead to the compromise of the entire organization's security.
ERPM further builds on these concepts by automatically discovering all references to the specified
account, such as services, tasks, COM and DCOM objects, and more, and following a password
change for a user's account, whether domain or local, propagating the new password to all those
references.

Delegated Password Recovery


ERPM also contains a web client to allow the remote recovery of passwords, access to privileged
sessions, and more. The web client is a web application comprised of ASP and ASP.NET web pages
that grants any user with the appropriate group memberships the right to use the application, as
well as the right to recover passwords for accounts managed by the program. All access to the
ERPM web client and all actions taken therein are logged, and the history is also available via the
same web interface to authorized users.
Because this application protects and provides extremely sensitive information, it is essential that
particular attention be paid to the security settings of the application and that appropriate
encryption, such as SSL, be used based on the scope of access provided.
For more information on security hardening, please refer to the proposed options for server
hardening:
http://forum.liebsoft.com/forum/products/enterprise-random-password-manager/enterprise-rand
om-password-manager-knowledgebase/180-server-hardening-guide
1.4 LIMITED WARRANTY


The media (optional) and manual that make up this software are warranted by Lieberman Software
Corporation to be free of defects in materials and workmanship for a period of 30-days from the
date of your purchase. If you notify us within the warranty period of such defects in material and
workmanship, we will replace the defective manual or media (if either were supplied).
The sole remedy for breach of this warranty is limited to replacement of defective materials and/or
refund of purchase price and does not include any other kinds of damages.
Apart from the foregoing limited warranty, the software programs are provided "AS-IS," without
warranty of any kind, either expressed or implied. The entire risk as to the performance of the
programs is with the purchaser. Lieberman Software does not warrant that the operation will be
uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind
for errors in the programs or documentation, or for the consequences of any such errors.
This agreement is governed by the laws of the State of California.
Should you have any questions concerning this Agreement, or if you wish to contact Lieberman
Software, please write:
Lieberman Software Corporation
1875 Century Park East, Suite 1200
Los Angeles, CA 90067
You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or
e-mail us at: sales@liebsoft.com.

1.5 LICENSE AGREEMENT


This is a legal and binding contract between you, the end user, and Lieberman Software
Corporation. By using this software, you agree to be bound by the terms of this agreement. If you
do not agree to the terms of this agreement, you should return the software and documentation, as
well as all accompanying items promptly for a refund.
1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of
Enterprise Random Password Manager to control the licensed number of systems and/or devices.
2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by
United States copyright law and international treaty provisions. Therefore, you must treat the
software like any other copyrighted material (e.g. a book or musical recording) except that you may
either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer
the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival
purposes. The manual is a copyrighted work. Also, you may not make copies of the manual for any
purpose other than the use of the software.
3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,
de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE
files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.
When used lawfully, this software periodically transmits to us the serial number and network
identification information of the machine running the software. No personally identifiable
information or usage details are transmitted to us in this case. The program does not contain any
spyware or remote control functionality that may be activated remotely by us or any other third
party.


Chapter 2
Start Here: Roadmaps
This chapter lists installation and upgrade tasks.

IN THIS CHAPTER

Installation Roadmap .............................................................. 11
Upgrade Roadmap................................................................... 14

2.1 INSTALLATION ROADMAP


The following roadmap outlines the steps to follow to install Enterprise Random Password Manager.
1) Understand the product requirements before installation.
a. Read the Release Notes.

b. Review Understanding Prerequisites (on page 18).

2) Install the ERPM prerequisites.


For details, see Installing ERPM Prerequisites (on page 17).

3) Install the base Enterprise Random Password Manager program.


This step will install the ERPM management console and the core ERPM components. See Install
the Enterprise Random Password Manager 5.5.1 Management Console (on page 185) for
details.

4) Configure and register Enterprise Random Password Manager.


a. Complete the Mini-Setup Wizard.
The first time Enterprise Random Password Manager is run, a mini-setup wizard will run
through a series of pages that handle the configuration of the various components of the
tool. See Complete the Mini-Setup Wizard (on page 193) for details.
b. Register Enterprise Random Password Manager.
Completing the "Registration" dialog activates the commercial version from the demo
version. See Register in the ERPM Admin Guide for details.
c. Configure permissions to launch the ERPM management console.
Following installation, any user who is an administrator of the system where the console is
installed and who also has rights to the SQL database will be able to launch the
application, so restrict both memberships to the intended operators. See Controlling
Access to the Admin Console in the ERPM Admin Guide for details.
d. Further configure database settings. (Optional)
Basic database set-up is completed in the Mini-Setup Wizard. For advanced settings and
information about high-availability configurations see Configuring Database Settings in the
ERPM Admin Guide.
e. Configure encryption settings. (Optional)
Passwords generated during a password change job can be stored encrypted in the
database. ERPM supports software-based encryption and hardware-based (HSM)
encryption. See Configuring Encryption Settings in the ERPM Admin Guide for details.

5) Install the ERPM web client. (Optional)


The web client (also called the web app or, previously, the password retrieval web site) provides
delegated access to all credentials that are stored and managed by ERPM. The web client is
deployed from within the ERPM management console. See ERPM Web Client Installation in the
ERPM Admin Guide for details.

If you install the web client on a remote server, you may also need to install the Integration
Components. The Integration Components provide support for email, event sinks, and help desk
ticketing systems. See Installing the ERPM Web Client / ERPM Web Application in the ERPM
Admin Guide for details.

6) Install one or more zone processors. (Optional)


A zone processor is a remotely deployed scheduling service designed to handle larger
distributed environments and DMZ scenarios where normal communication mechanisms are
not allowed. Zone processing is an ERPM add-on and requires a separate license.
See Installing a Zone Processor in the ERPM Admin Guide for details.

7) Install the ERPM web service. (Optional)


Install the web service if you require any of the following:
- The SOAP-based or REST-based ERPM web service.
- The PowerShell cmdlets for ERPM.
- The Application Launcher and Session Recording components.
- Federated login support using either SAML or Active Directory Federation Services (ADFS).

Install the web service after you install the base ERPM program and management console.
See Installing the Web Service (on page 235) for details.

8) Install the PowerShell cmdlets for ERPM. (Optional)


PowerShell cmdlets extend the management of Enterprise Random Password Manager to a
command line / scripting environment.
Install the PowerShell Cmdlets after you install the ERPM web service.
See Installing the PowerShell Cmdlets for details.

9) Install the application launching and session recording components. (Optional)


Application launching and session recording are ERPM add-ons and require a separate license.
See Installing the Application Launcher and Session Recording Features in the Application
Launching & Session Recording Guide for details.

10) Install the SYSLOG Forwarder service. (Optional)


This service listens for UDP traffic and retransmits it using SSL or TCP/IP for greater security and
reliability when forwarding events to loggers and SIEMs.
See Using the SYSLOG Forwarder to Send Syslog Events via TCP and SSL in the ERPM Admin
Guide for details.
2.2 UPGRADE ROADMAP


The following roadmap outlines the steps that you should follow to upgrade Enterprise Random
Password Manager.

Note: You can directly upgrade from any prior version of Enterprise Random Password
Manager to version 5.5.1.

1) Understand the product requirements before upgrading.


a. Read the Release Notes.

b. Review the Upgrade Notes (on page 201).

c. Review the Understanding Prerequisites (on page 18) topic.

2) Install any missing ERPM prerequisites.


For details, see Installing ERPM Prerequisites (on page 17).

3) Upgrade the base Enterprise Random Password Manager program, back up your database,
install the new ERPM web client, and update the zone processors.
See Upgrading ERPM to Version 5.5.1 (on page 201) for details.

4) Upgrade the ERPM web client.


See Upgrade the ERPM Web Client Application (on page 220) for details.

5) Upgrade the zone processor(s).


See Upgrade the Zone Processor(s) (on page 227) for details.

6) Upgrade the ERPM Web Service. (Optional)


Upgrade the web service if you require any of the following:
- The SOAP-based or REST-based ERPM web service.
- The PowerShell cmdlets for ERPM.
- The Application Launcher and Session Recording components.
- Federated login support using either SAML or Active Directory Federation Services (ADFS).

See Install / Upgrade the ERPM Web Service (on page 247) for details.

7) Upgrade PowerShell. (Optional)


PowerShell cmdlets extend the management of Enterprise Random Password Manager to a
command line / scripting environment.
Upgrade the PowerShell Cmdlets after you upgrade the ERPM web service.
See Upgrade the PowerShell Cmdlets (on page 232) for details.

8) Upgrade the Legacy SDK Files. (Optional)


See Upgrade the Legacy SDK Files (on page 233) for details.

9) Upgrade the application launching and session recording components. (Optional)


Application launching and session recording are ERPM add-ons and require a separate license.
See Upgrade the Application Launcher (on page 233) for details.

10) Install the SYSLOG Forwarder service. (Optional)


This service listens for UDP traffic and retransmits it using SSL or TCP/IP for greater security and
reliability when forwarding events to loggers and SIEMs.
See Using the SYSLOG Forwarder to Send Syslog Events via TCP and SSL in the ERPM Admin
Guide for details.
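Step 10 of this roadmap, like step 10 of the installation roadmap, describes the SYSLOG Forwarder only as a service that listens for UDP and retransmits over TCP or SSL. The following is an added Python example of that mechanism; it is not the ERPM SYSLOG Forwarder's own code. It receives UDP syslog datagrams, drops anything that does not carry a syslog <PRI> header, frames each event with RFC 6587 octet counting (so an embedded newline cannot split or forge a record on the stream), and sends it over one TCP connection, optionally wrapped in TLS with certificate verification. The collector address, CA file name and the sample events are assumptions made for the example; the offline demo uses a local TCP socket in place of the SIEM.

```python
"""UDP syslog to TCP/TLS relay with RFC 6587 octet-counted framing.

Added illustration of the forwarder concept; not the ERPM service's code.
COLLECTOR and CA_FILE are placeholder assumptions for a real deployment.
"""
import socket
import ssl
import threading

COLLECTOR = ("siem.example.internal", 6514)  # assumed SIEM address (placeholder)
CA_FILE = "siem-ca.pem"                      # assumed CA bundle (placeholder)


def has_pri(message: bytes) -> bool:
    """True if the message starts with a syslog <PRI> header (PRI 0..191)."""
    if not message.startswith(b"<"):
        return False
    close = message.find(b">", 1, 5)
    return close > 1 and message[1:close].isdigit() and int(message[1:close]) <= 191


def frame_octet_counted(message: bytes) -> bytes:
    """Prefix the byte length (RFC 6587 octet counting).

    UDP gives one message per datagram; a TCP stream has no boundaries, and a
    collector that splits on newlines can be fooled by an embedded '\\n'
    (a log-injection trick). The explicit length removes that ambiguity.
    """
    if not message:
        raise ValueError("empty syslog message")
    return b"%d %s" % (len(message), message)


def parse_octet_counted(stream: bytes) -> list:
    """Inverse of frame_octet_counted; an incomplete trailing frame is ignored."""
    messages, pos = [], 0
    while pos < len(stream):
        space = stream.find(b" ", pos)
        if space < 0 or not stream[pos:space].isdigit():
            break
        start = space + 1
        end = start + int(stream[pos:space])
        if end > len(stream):
            break
        messages.append(stream[start:end])
        pos = end
    return messages


def forward(udp_sock, collector, cafile=None, max_messages=None):
    """Relay datagrams from a bound UDP socket over one framed TCP connection.

    With cafile set the connection is TLS and the collector certificate is
    verified: unverified TLS hides events from the network but does not prove
    they reach the intended SIEM. Returns the number of events relayed.
    """
    tcp = socket.create_connection(collector, timeout=10)
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
        tcp = ctx.wrap_socket(tcp, server_hostname=collector[0])
    relayed = 0
    try:
        while max_messages is None or relayed < max_messages:
            data, _peer = udp_sock.recvfrom(65535)
            if not has_pri(data):
                continue  # not syslog: drop rather than pollute the SIEM
            tcp.sendall(frame_octet_counted(data))
            relayed += 1
    finally:
        tcp.close()
    return relayed


def loopback_demo() -> list:
    """Offline run: a local TCP socket stands in for the SIEM (no TLS)."""
    # Constructed sample events, not real ERPM output.
    events = [b"<134>Jan  1 00:00:01 erpm01 ERPM: password change ok target=ws17",
              b"<131>Jan  1 00:00:02 erpm01 ERPM: password change failed target=ws18"]
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(10)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(10)
    udp.bind(("127.0.0.1", 0))
    received = bytearray()

    def collect():
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(10)
            while chunk := conn.recv(4096):
                received.extend(chunk)

    collector = threading.Thread(target=collect)
    collector.start()
    relay = threading.Thread(target=forward,
                             args=(udp, listener.getsockname(), None, len(events)))
    relay.start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(b"not syslog at all", udp.getsockname())  # filtered out by has_pri
        for ev in events:
            tx.sendto(ev, udp.getsockname())
    relay.join()
    collector.join()
    listener.close()
    udp.close()
    return parse_octet_counted(bytes(received))


if __name__ == "__main__":
    for event in loopback_demo():
        print(event.decode())
```

For a real deployment, call forward() with a UDP socket bound on the interface the managed hosts can reach, COLLECTOR set to the SIEM's TLS listener and CA_FILE pointing at the CA that issued its certificate; the junk datagram in the demo shows why a forwarder that sits on an unauthenticated UDP port should validate what it relays.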
Chapter 3
Installing ERPM Prerequisites
This chapter documents how to install the required prerequisites. Actual installation experience
may vary. Note that the following topics are not covered:
- Installation of .NET Framework
- Installation of Java SDK
See the Installation Roadmap (on page 11) for a complete list of installation tasks.

IN THIS CHAPTER

Understanding Prerequisites ................................................................... 18


Installing and Configuring IIS ................................................................... 37
Installing SQL Server or Oracle Database ................................................ 76
Installing Database Providers (Connectors) .......................................... 110
Enabling Remote COM+ and IIS Access ................................................. 158
Configuring the COM Object and Deferred Processor Account ............ 165
3.1 UNDERSTANDING PREREQUISITES


This section describes the requirements and prerequisites necessary to install Enterprise Random
Password Manager, and to manage target systems and devices.

3.1.1 Recommended Knowledge


While Lieberman Software provides documentation and support to set up and configure ERPM in
conjunction with the various technologies that it uses, ERPM administrators should have knowledge
in the following areas:

- Knowledge of the program data store (SQL Server or Oracle database) and all target databases
- IIS web server technologies
- Network administration
ERPM uses a management console application in conjunction with a local service to set up recurring
discovery jobs and password change jobs. The ERPM web client (also called the ERPM web
application) provides administrative access using a web browser. The ERPM web client is deployed
as an IIS web application. It includes COM objects and a collection of ASP and ASP.NET files that are
set up in a virtual directory on the web server. The web server must be Microsoft Internet
Information Services. A Microsoft SQL Server or Oracle database is required to store program data.
Required ERPM components should be patched, secured, and properly configured to ensure that
the password store system will not be compromised.

3.1.2 Product Requirements Overview


The solution is an n-tier product where individual components can and should be (resources
permitting) distributed across multiple systems. The primary ERPM components are:

Management Console
Web Services
Database
If any components will be shared on a single host, then simply combine the requirements. The
database in particular should be placed on a separate system to keep the encrypted data
segregated from the encryption key.

The product is supported in a physical, virtual (cloud), or physical-virtual mixed environment. The
virtual host platform is irrelevant to the support of the product. All virtualization platforms are
supported. Virtual host configurations, however, can severely impact or impede the ability of the
product to work because virtual host and guest configurations do affect every component of the
virtual guest that is running the product.

3.1.3 Component Overview


Enterprise Random Password Manager core components include the following:
1) The management console application - Required. Installed with the download package.
2) The deferred processing service - Required to utilize scheduled jobs and automatic retry
options. Comes with the download package.
3) An installation of SQL Server or Oracle Database - Required.
4) Cross Platform Support Library (CrossPlatformSupportLibrary.msi) - Required to manage
passwords on Linux, UNIX, and Cisco IOS devices from zone processors (optional component).
Comes with the download package.
5) An email server - Optional. The configuration of the email server (including enabling SSL and
establishing a certificate trust) is done outside ERPM.
6) A web server (IIS 7.5 or later) with ASP (Active Server Pages) processing and ASP.NET enabled -
Required to utilize the ERPM web client.
7) Web application components for the ERPM web client - Required to use the ERPM web client.
Comes with the download package in the SupplementalInstallers folder.
8) Email templates used to generate reports and alerts - Comes with the download package.

3.1.4 Host System Requirements


This section covers requirements for the management console and deferred processing tier of
ERPM.

Platform Requirements
A Windows Server operating system is required for a production installation of Enterprise Random
Password Manager. The solution will work fine on a physical server or a virtual machine. For
lab/testing environments, a workstation-class operating system, such as Windows Vista Business, or
Windows 7 Professional will suffice. All service pack levels and editions are supported except where
specifically noted. We recommend using Windows Server 2012 R2 as the host platform.
Supported versions of Windows Server are:
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
The following versions are suitable for testing only. These host systems are not supported in
production environments. (Note that ERPM is a 32-bit application and will run in a WOW64
environment on 64-bit systems. Microsoft certifies WOW64 to run on these versions.)
Windows 10 Professional or higher, 64-bit version
Windows 8.1 Professional or higher, 64-bit version
Windows 8 Professional or higher, 64-bit version
Windows 7 Professional or higher, 64-bit version

Note: ERPM v4.83.8 and later is not supported on Windows Server 2008 (non-R2
revisions) and earlier operating systems due to inconsistencies in the OS.
Generally, these are compatibility problems, and in some cases, incomplete APIs.
For Windows Server 2003, it is due to the lack of future compatibility, and
Microsoft's decision to end-of-life the product.

Earlier versions of ERPM were supported on Windows Server 2008 x64 edition
only. The 32-bit versions were not properly supported for installation of ERPM.

Hardware Requirements
In addition to the requirements needed to support the host system and database, ERPM itself
requires at least the following:

512MB of RAM.
Approximately 500MB of hard drive space to install.
Note that this does not include space required by logging files. Log files are enabled by default
and can consume enormous amounts of space over time.
Intel or AMD multi-core processor or multi-CPU system.
.NET Framework version 3.5 with service pack 1 and .NET Framework 4.5.2 or higher.
Windows Management Framework v4.0 or later for Windows 2008 R2 or Windows 2012. This is
part of Windows 2012 R2 (https://www.microsoft.com/en-us/download/details.aspx?id=40855).
The suggested minimum configuration is:
Windows Server 2012 R2.
2GB of RAM for the ERPM application in addition to the host OS and other applications.
4GB+ of hard drive space for local log files.
Intel or AMD multi-core or multi-proc/multi-core processors.
4GB+ RAM for the program database.
.NET Framework version 3.5 with service pack 1 and .NET Framework version 4.6 or later.
At least 32-bit Java v1.5. (Optional.)
Windows Management Framework v4.0 or later for Windows 2008 R2 or Windows 2012. This is
part of Windows 2012 R2 (https://www.microsoft.com/en-us/download/details.aspx?id=40855).

Note: This manual does not cover installing or administering Windows.

Notes
If using a Windows Server 2008 R2 or later host operating system for ERPM, there will be
inconsistencies with remote COM+ management interfaces when managing COM+ on Windows
2000 target machines. This is by Microsoft's security design. For further information on this
matter, including how to address the issues, please read the following article:
http://forum.liebsoft.com/forum/products/enterprise-random-password-manager/enterprise-random-password-manager-knowledgebase/152-stub-received-bad-data-when-propagating-to-windows-2000
If attempting to manage databases other than Microsoft SQL Server, the most recent 32-bit
OLEDB providers, typically available from the database vendor or installation media, will be
required to be installed on any component that will manage the target database. This should
include the management console as well as any remote deferred or zone processors.
Before ERPM can be installed, the Microsoft .NET Framework must also be installed:
specifically, version 3.5 SP1 and version 4.x. .NET version 3.5 SP1 is included in Windows Server
2008 R2. Version 4.x must be installed on operating systems prior to Windows Server 2012. Windows
Server 2012 includes .NET version 4.x and will require additional steps to install version 3.5 SP1.
The .NET Framework is leveraged for some of the propagation types, such as Microsoft SCOM,
and some of the cross-platform support features. We recommend using the latest version and
service pack of the .NET Framework.
ERPM also ships with an optional Java-based SDK for application-to-application and
application-to-database secure password management. This is available for both Windows and
non-Windows operating systems. Java 1.5 or higher, 32-bit edition is required to make use of
this. If Java 1.5+ is not installed, the program's Java-based SDK will not be available to ERPM. If
there are no plans to make use of the program's Java-based SDK, then there is no need to install
Java on the host system or target systems.
If attempting to integrate System Center Service Manager (SCSM), the SCSM SDK binaries will
need to be obtained from the installation directory of SCSM and placed into the installation
directory of ERPM.
If attempting to manage System Center Operations Manager (SCOM), the SCOM SDK binaries
will need to be obtained from the installation directory of SCOM and placed into the installation
directory of ERPM.
Virtual environments are fully supported for all components of the solution. However, there
may be severe performance limitations depending on the virtual environment versus the
environment being managed. Typically, the application(s) and website(s) are virtualized while
the database is a physical system.
Please refer to the following knowledge base article for more information on HA, DR, and basic
comments on security:
http://forum.liebsoft.com/forum/products/enterprise-random-password-manager/enterprise-random-password-manager-knowledgebase/85-disaster-recovery-security-and-high-availability

3.1.5 Web Application Requirements


This section covers requirements for the ERPM web client tier of Enterprise Random Password
Manager. (The ERPM web client is also called the ERPM web application.) Requirements for the
management console/deferred processor are covered in Host System Requirements (on page 19).

Web Application Server Requirements


The system hosting the ERPM web client tier requires the following components:
At least IIS 7.5 (See below for detailed requirements.)
.NET Framework version 3.5 with service pack 1
At least .NET Framework 4
Internet Information Services (IIS) with support for Active Server Pages and ASP.NET must be
installed on the system that will host the Enterprise Random Password Manager web site.
Supported versions of IIS include:

IIS 7.5
IIS 8.0
IIS 8.5
IIS 7.5 and 8.x require the following role services be included when configuring IIS:

Static Content
Default Document
HTTP Errors (Required for file vault.)
At least ASP.NET v 4.5
ASP (Active Server Pages)
Static Content
Static compression (Optional)
IIS Management console (Not the IIS6 version.)
IIS6 Metabase compatibility
Windows authentication (Required if using Windows integrated authentication. Optional,
otherwise.)
For more information, see Installing and Configuring IIS (on page 37).
The management console can push out the ERPM web client website to a remote web server. If the
website will be hosted on a remote system (relative to the management console), enable remote
COM+ access on the web server to support an automated installation of the website. For
information about how to enable this access, see Enabling Remote COM+ and IIS Access (on page
158).

Supported Web Browsers


Version 5.5.1 of the ERPM web client is compatible with the following browsers:
Internet Explorer 9, 10, and 11
Microsoft Edge
Firefox
Google Chrome
Safari
Konqueror
Opera

3.1.6 Solution Database Requirements


A database is required at the time of installation. We recommend not sharing database instances
with other applications. The following databases are supported:

At least Microsoft SQL Server 2008 or Oracle 11g database. SQL Express is fine for testing.
For details, see SQL Server Requirements for ERPM (on page 25) or Oracle Database Requirements
for ERPM (on page 26).

Note: Oracle is no longer offered as a back-end data store for ERPM. Lieberman
Software will continue to support customers who purchased Oracle support prior
to January 1, 2015. For details, contact your Lieberman Software account
representative.

The database serves as the Enterprise Random Password Manager storage and configuration
datastore. Systems lists, system information, account information, stored passwords, event sinks,
answer files, email files, and more are stored in the database. Use an existing installation of a
database server, or implement a new instance on an existing database server or a different
database server. We recommend placing the database on a separate system to keep the encrypted
data segregated from the encryption key.
Connections to the chosen database are treated the same, meaning that after the database is set up
and the connection has been made, there are no configuration differences regarding Lieberman
Software's tools when operating against a SQL Server, SQL Express, or Oracle database.

3.1.6.1 SQL SERVER REQUIREMENTS FOR ERPM

Supported Versions for Production Environments


We strongly recommend using at least SQL Server 2012. The following versions of Microsoft SQL
Server are supported for both test environments and production environments:
Microsoft Azure SQL Database
Note: Microsoft Azure SQL Database requires ERPM to use the latest version of the SQL Native
Client. As of this writing, that is version 11.
Microsoft SQL Server 2016
Microsoft SQL Server 2014
Microsoft SQL Server 2012
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008

Both 32 and 64-bit versions of Microsoft SQL Server database are supported. Standard and
Enterprise editions are supported. Installation and configuration of SQL Server 2008 is covered in
the next section.

Supported Versions for Test Environments Only


SQL Express is a lightweight version of SQL Server that is made available for free download from the
Microsoft website. SQL Express should be used for testing scenarios only. The following versions are
supported:

Microsoft SQL Server 2016 Express
Microsoft SQL Server 2014 Express
Microsoft SQL Server 2012 Express
Microsoft SQL Server 2008 R2 Express
Microsoft SQL Server 2008 Express
SQL Express configures itself to a random port number during installation. The port number is
required to complete the installation of ERPM.

3.1.6.2 ORACLE DATABASE REQUIREMENTS FOR ERPM


The following documentation is provided for customers who have purchased support to use Oracle
database as a back-end ERPM data store.

Note: Oracle is no longer offered as a back-end data store for ERPM. Lieberman
Software will continue to support customers who purchased Oracle support prior
to January 1, 2015. For details, contact your Lieberman Software account
representative.

Supported versions of Oracle database include:
Oracle Database 11g R1, 32-bit
Oracle Database 11g R1, 64-bit
Oracle Database 11g R2, 32-bit
Oracle Database 11g R2, 64-bit
Standard Edition One, Standard Edition, and Enterprise Edition are supported. The Oracle database
may be hosted on a Windows or non-Windows platform.
Enterprise Random Password Manager requires its own table space and must be granted an
unlimited quota on this table space.
The following rights are required by the account used to connect to the Oracle database:

CONNECT
CREATE TRIGGER
CREATE SEQUENCE
CREATE TABLE
CREATE VIEW
Oracle uses overly-conservative initial configurations for a heavily threaded product such as ERPM.
In a default configuration where ERPM is spawning at least 100 threads to the database, this can
cause the database to run out of resources, resulting in failed jobs (specifically, incomplete
password changes). This behavior is easily seen and replicated by trying to do things such as
changing passwords across a largish number of systems. One way to combat this is to drop the
thread count down to 40 (Settings > Program Options) for ERPM. This has the effect of slowing
down job processing while increasing the likelihood of a successful job (as far as the database is
concerned).
Another highly recommended option is to change the memory and thread allocation to the Oracle
database. Start with:

show parameter memory
show parameter process

This will give you your baseline settings. To change the allocations use:

alter system set memory_target=xxxxM scope=spfile;
alter system set processes=yyyy scope=spfile;

Where xxxx is the amount of memory allocated to the database, and yyyy is the number of threads.
We recommend a value of 2000 or much higher for the memory, and a minimum value of 1000
threads.

Note: The Oracle 11g R2 OLEDB provider (version 11.2.0.3) does not properly register on
Windows servers. If using this version of the OLEDB provider, please also run the
following command after installing the Oracle OLEDB provider on your Windows
server:

regsvr32 <OracleHome>\bin\OraOLEDB11.dll

When configuring the Oracle 32-bit OLEDB provider, although not a strict requirement, it may be
helpful to configure the local provider to use a tnsnames file because this will greatly simplify the
server lookup and naming requirements of the ERPM database configuration. If the
Oracle database is on a non-standard port (other than 1521), use of the tnsnames file will prevent
the ERPM admin from having to use a custom connection string in which the Oracle account password
must also be supplied in clear text.

3.1.7 Service Account Requirements


Enterprise Random Password Manager is an n-tier architecture that consists of the following tiers:
database, management console, web server, and zone processors. All tiers may be on a single
system or spread across multiple systems. The web site, management console, and zone processors
are mutually exclusive in their operation. The web site and zone processors may use the same
service account or use separate service accounts with different permissions.
ERPM uses a COM+ object for its interactions from the web server to the application database. This
object requires the use of a privileged account. This account should be a domain member (as
applicable) and have the following rights and memberships:
Administrator of the web server host system
Domain User*
Log on as a batch job
DBO rights for the application database if using integrated authentication

*If multiple trusting domains will be managed by a single implementation of ERPM or RPM,
the COM account must be a trusted user for the target domain(s) as well, or manual configuration of
an authentication bridge will be required. If using a directory other than Active Directory for user
authentication, this requirement may be skipped.
Pre-configuration of this account will be covered in the next section.

ERPM and RPM perform all scheduled jobs such as password change jobs or password verification
reports by using a service on the management console host system or a standalone service called a
zone processor. The account should be a domain member (as applicable) and have the following
rights and memberships:
Administrator of the management console host system
Log on as a service*
DBO rights for the application database (system admin of the DB not required) if using integrated
authentication
Administrative rights over target managed systems**

The account used to run the deferred processing service cannot be managed automatically by
ERPM! Managing this account with ERPM will cause the job being run to be stopped mid-process,
which will leave the job in a locked and incomplete state. This will likely cause all scheduled jobs to
stop running until manual intervention is taken. An alternative to using a service account for the
scheduling service is to configure the service to run as LocalSystem. This will negate password
management requirements for the service. However, to be successful in using this method, you
must also grant permissions to the database for the computer account (ComputerAccountName$) as
well as ensure the computer account is seen as an administrator of all managed systems.

Note: If the computer account is added to a new group in Active Directory in order to
provide these administrative rights, the computer must be restarted.

The website COM object must be configured to run as a user account, but this account can be
automatically managed by ERPM.
* If the service account/interactive user account cannot be an administrator of the target systems,
then alternate administrative accounts will need to be configured for use by the tool. Please see the
administrator's guide for steps on configuring alternate administrator accounts. If possible, avoid
the use of alternate administrator accounts within Enterprise Random Password Manager when
managing COM+ and DCOM objects, including scheduled tasks, as these interfaces do not allow for
impersonation.
**The COM account, if using a separate account from the deferred processing account, may need
administrative rights over target Windows systems. This right becomes a requirement IF the website
option to Block password Check-in if account is in use is turned on. Enabling this option allows the
COM object to enumerate all active sessions and determine if the specified account is still "logged
in."

3.1.8 Port Requirements


The following ports may be used by Enterprise Random Password Manager. Actual port usage will
vary based on the options used and the systems managed. The defined port directions refer to the
direction relative to the ERPM system.

Note: The following ports are the standard well known ports for the various protocols.
These ports may have been changed on the target systems. It is the solution
Administrator's responsibility to determine if any of the target ports have been
changed and reflect that changed port when password change jobs or account
discovery jobs are performed.

Port 22 - SSH, TCP, outbound. Used for managing non-Windows devices that support SSH.
Non-Windows devices only.
Port 23 - Telnet, TCP, outbound. Used for managing non-Windows devices that support Telnet.
Non-Windows devices only.
Port 25 - SMTP, TCP, outbound. Port for e-mail support. Only required if email notifications will be
allowed from the solution.
Port 80/443 - HTTP/S, inbound. Password recovery and ERPM administration tasks performed
using the ERPM web client.
Port 135 - Remote DCOM management port and secondary ports typically provided by granting
access to DLLHOST.EXE in the %systemroot%\system32 directory, TCP/UDP, outbound. This port is
also required to support automated installation of the ERPM web client. The web client can be
manually installed on the target web server, so this port does not need to be open on the web
server unless you are also managing DCOM objects on the web server, or IIS websites and virtual
directories. For Enterprise Random Password Manager, this port is required to be able to set
credentials for COM+ and DCOM applications, IIS websites and virtual directories, as well as
Scheduled Tasks (iTask interface). Remote COM/DCOM may require the use of additional ports
(1024+), so check your system configuration.
Port 137 - NetBIOS name service, UDP, outbound. This port or port 445 (SMB) is required. If
NetBIOS is disabled, port 445 is required for management of Windows systems.
Port 138 - NetBIOS datagram distribution service, UDP, outbound. This port or port 445 (SMB) is
required. If NetBIOS is disabled, port 445 is required for management of Windows systems.
Port 139 - NetBIOS Name Service Ports, TCP, outbound. This port or port 445 (SMB) is required. If
NetBIOS is disabled, port 445 is required for management of Windows systems.
Port 389/636 - LDAP/LDAPS, TCP, outbound. LDAP-compliant directories such as Active Directory or
Oracle Internet Directory.
Port 443 - ESXi native management, TCP, outbound.
Port 445 - Alternate NetBIOS Name Service port, TCP, outbound. This port is not required unless
the normal NetBIOS Name Service ports are closed (137, 138, 139). Be aware that this alternate port
for the NetBIOS Name Service will not work on Windows NT 4 or earlier.
Port 514 - ArcSight / QRadar / Syslog, UDP, outbound.
Port 623 - IPMI, UDP, outbound.
Port 80/443/Other - HTTP/HTTPS, TCP, inbound. When configuring the ERPM web client, it will
default to using HTTP (port 80) without the use of SSL. SSL is highly recommended for use with the
ERPM web client, but it is the responsibility of the administrator to configure. If HTTP + SSL is
configured (HTTPS), then the default port requirement for the web server is port 443. Whether
HTTP or HTTPS is used, the administrator of the website can also choose to redirect web traffic to
any port other than 80 or 443.
Port 1025 - Teradata, TCP, outbound.
Port 1433 - SQL Server, TCP, outbound. Ports used for connecting to SQL Server must be accessible
from the machine running Enterprise Random Password Manager, as well as any instances of the
web interface. This port is typically a custom TCP/IP port and can be configured through the SQL
Server database provider. If MS SQL is using a different port, then specify it on the database
connection configuration dialog.
Port 1521 - Oracle, TCP, outbound.
Port 2002 - Java SDK remote connection, TCP, outbound.
Port 3306 - MySQL, TCP, outbound.
Port 3389 - Remote Desktop Protocol (RDP), TCP, outbound.
Port 5000 - Sybase, TCP, outbound.
Port 5432 - PostgreSQL, TCP, outbound.
Port 50000 - DB2, TCP, outbound.
Port Other - Depending on the application being managed, such as SharePoint. If additional
external items/processes are leveraged, additional ports will be required. Please refer to the
following requirements for known port connection requirements:

BMC Remedy - TCP/UDP, outbound, BMC_AR_Port.
HP Service Manager - TCP, outbound, HPSM Port.
Microsoft SharePoint Server - TCP, outbound, the SharePoint administrative port.
Microsoft System Center Configuration Manager - TCP, outbound. Typically Microsoft File and
Printer Sharing or Remote management ports.
Oracle WebLogic - TCP, outbound.
IBM WebSphere - TCP, outbound.

3.1.9 Managed Computers and Devices Prerequisites


This section lists the services and expected configurations for target managed computers and
devices.

Windows
See port requirements for further information:
File and Print Services for Microsoft Networks
Server Service
Remote Registry is optional and allows for further system information gathering such as MAC
address retrieval
If using Enterprise Random Password Manager and propagating/managing the following items,
remote management support to:
COM+/MTS - Requires application server role with network COM+ access
DCOM
IIS - If you intend to manage IIS on a target system, IIS must also be installed on the host system.
The application server role with network COM+ access is required.
WMI - For System Center Operations Manager Run As account management. Also required is
placement of the SCOM SDK binaries (from the SCOM server) in the Enterprise Random
Password Manager installation directory.
Enabling remote access to COM+ and IIS requires additional configuration steps on the target
systems. These steps are outlined in the Enabling Remote COM+ and IIS Access (on page 158)
section.

Linux / UNIX / OS X
Determine the current SSH port - Required for password change and account enumeration.
Login password for a root level account, or the root account being managed.
Low powered login account - Optional. Used if root accounts are not permitted to SSH to the
target system.
Some distributions of Solaris, AIX, or other Linux/UNIX distributions may require password
authentication be enabled in the /etc/ssh/sshd_config file. This will be obvious as there will be
errors to reflect this during a password change job in the ERPM log. To enable password
authentication, open the /etc/ssh/sshd_config file and set the PasswordAuthentication
directive to yes. Then, restart the SSH daemon. How to restart the daemon is distribution-specific.
Following are examples of various restart commands:
FreeBSD: /etc/rc.d/sshd restart
Solaris: svcadm restart network/ssh
Suse: rcsshd restart
Ubuntu: sudo /etc/init.d/ssh restart
Red Hat/Fedora/CentOS: /etc/init.d/sshd restart OR service sshd restart
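As an added example (not part of ERPM or this guide), the following Python reads an sshd_config, reports the listening port(s) and whether PasswordAuthentication is effectively enabled for the global section, honouring OpenSSH's first-value-wins rule and Match blocks, and rewrites the global directive to yes when it is not; the sample configuration is constructed for the example.

```python
"""Check whether an OpenSSH sshd_config lets an ERPM SSH password-change job
authenticate with a password, and enable it if not. Added example; not part of
the ERPM product or its documentation."""
import re

# OpenSSH's compiled-in default when the directive is absent from the file.
OPENSSH_DEFAULT_PASSWORD_AUTH = "yes"

# Constructed sample (not from any real host): password auth disabled globally
# but re-enabled for one address range by a Match block; non-default port.
SAMPLE_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def _split_directive(line):
    """(keyword_lowercase, value) for a config line; None for blanks/comments.
    Accepts both 'Keyword value' and 'Keyword=value' forms."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = re.split(r"[\s=]+", stripped, maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def parse_sshd_config(text):
    """Parse into {'global': {kw: val}, 'match': [(criteria, {kw: val})], 'ports': []}.
    Keywords are case-insensitive and, as in OpenSSH, the FIRST value of a
    keyword in a section wins. Port may be given several times, so all are kept."""
    config = {"global": {}, "match": [], "ports": []}
    section = config["global"]
    for line in text.splitlines():
        directive = _split_directive(line)
        if directive is None:
            continue
        keyword, value = directive
        if keyword == "match":
            section = {}  # every directive after a Match line belongs to that block
            config["match"].append((value, section))
            continue
        if keyword == "port" and section is config["global"]:
            config["ports"].append(int(value))
        section.setdefault(keyword, value)
    return config


def ssh_ports(config):
    """Ports sshd listens on, 22 if unset (ports in ListenAddress not considered)."""
    return config["ports"] or [22]


def password_auth_status(config):
    """Effective global PasswordAuthentication, where it came from, and any
    Match-block overrides that apply only to matching clients."""
    g = config["global"]
    if "passwordauthentication" in g:
        value, source = g["passwordauthentication"].lower(), "PasswordAuthentication directive"
    else:
        value, source = OPENSSH_DEFAULT_PASSWORD_AUTH, "OpenSSH default (directive absent)"
    overrides = [(criteria, block["passwordauthentication"].lower())
                 for criteria, block in config["match"]
                 if "passwordauthentication" in block]
    return {"global": value, "source": source, "match_overrides": overrides}


def enable_password_authentication(text):
    """Return the config text with PasswordAuthentication enabled globally.
    The first active global directive is rewritten to 'yes'; if there is none, a
    line is inserted BEFORE the first Match block (appending at the end would put
    it inside that block). Comments and Match-block overrides are left alone."""
    out, done, in_match = [], False, False
    for line in text.splitlines():
        directive = _split_directive(line)
        keyword = directive[0] if directive else ""
        if keyword == "match" and not in_match:
            in_match = True
            if not done:
                out.append("PasswordAuthentication yes")
                done = True
        elif keyword == "passwordauthentication" and not in_match and not done:
            line, done = "PasswordAuthentication yes", True
        out.append(line)
    if not done:
        out.append("PasswordAuthentication yes")
    return "\n".join(out) + "\n"
```

Run it against the real /etc/ssh/sshd_config before the first password change job; a "no" from password_auth_status explains the authentication errors the ERPM log will otherwise show.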

Cisco
Login account password
Current password for enable
SSH or Telnet port if changed from the default

IPMI
Login account password; Root or Admin level password

SSH/Telnet Devices
Actual requirements will vary based on target type and embedded operating system.
Login account password; Root or Admin level password
SSH or Telnet port if changed from the default
You may need to give special consideration to these devices with regards to the process used to
update stored passwords. Please review the Admin Guide for information about modifying the XML
files used for SSH/Telnet targets.

3.1.10 Managed Database Prerequisites


Various databases can be managed within Enterprise Random Password Manager. In order to
connect to and manage these databases, the appropriate database provider will need to be
installed on the ERPM host system. The providers may be downloaded from the database
manufacturer. A provider for Microsoft SQL Server is already provided with Windows.

Note: ERPM requires 32-bit database providers. 64-bit providers are not supported.

The following databases require database-specific providers to allow for management of their
privileged identities from the Enterprise Random Password Manager host system.

DB2
MySQL
Oracle
PostgreSQL
Sybase - Sybase ASE OleDB provider
Teradata
The rights required to change a target account's password will vary from database to database. The
rights required will also vary depending on the target account being changed. You will need other
information, such as instance or service name. Refer to your database provider's documentation for
the most up-to-date description of rights required to change various identities. Following is a partial
list of possible rights required for various databases:
DB2 - The rights required to change passwords for accounts associated with a DB2 instance depend on
whether the database is hosted on Windows or Linux/UNIX. If hosted on Windows, the ERPM
interactive login account and/or deferred processing account will require Account Operators
membership unless the target account (account being managed) is also a local administrator. If the
target account is a local administrator, then the ERPM interactive login account and/or deferred
processing account will require local Administrators membership as well. If the target account is
hosted on Linux/UNIX, ERPM will be configured to connect to the target system as the target user for
this password change job. Any user should be able to change their own password. See the Admin
Guide for configuring password changes on Linux/UNIX systems. Follow the steps for changing
accounts on Windows or Linux/UNIX.
To enumerate accounts in a DB2 database instance (accounts store view), the login account will
require:
CONNECT TO DB
GRANT SELECT on SYSIBM.SYSDBAUTH

Note: Enterprise Random Password Manager can enumerate the local accounts
associated with the DB2 Instance. For this process to work, the DB2 database
OLEDB provider must be installed. Changing DB2 account passwords does not
require a specialized provider, however, because DB2 utilizes the database host
system's local account store rather than providing its own internal account store
as does Microsoft SQL, Oracle, or MySQL.

Microsoft SQL - Microsoft SQL can leverage explicit SQL accounts or integrated authentication
accounts. Accounts using integrated authentication will be local computer accounts or accounts
from a trusted domain. In order for either of these account types to manage account passwords
within MS SQL, the following rights must be granted to the desired account or group:
GRANT VIEW ANY DEFINITION
GRANT CONTROL SERVER
The interactive login account and/or the deferred processing account requires these rights to
change passwords and enumerate accounts within the SQL database. Rights must be granted to a
Windows user or group for Integrated Windows authentication. The database instance name and
port (if different than the default) will be required.

Note: If the sysadmin right is given, no other rights will be required on the MS SQL
server.

MySQL / MariaDB - A MySQL login account will be required when configuring a MySQL password
change job. This login account must have sufficient rights to change the desired target account's
password. Assuming the login account can connect to the specified MySQL service and target
database, the following global privilege must be granted to the desired login account:
UPDATE
To enumerate the user accounts in a MySQL instance (Account Store View in Enterprise Random
Password Manager), the following global privilege must be granted to the desired login account for
the appropriate database:
SELECT
36 Installing ERPM Prerequisites

Sybase
A login account will be required when configuring a Sybase password change job. This login account
must have sufficient rights to change the desired target account's password. Presuming the login
account can connect to the specified Sybase service (and instance, if applicable), the login account
must belong to either of the following roles:
- SSO_ROLE
- SA_ROLE
To enumerate the user accounts in a Sybase instance (Account Store View in Enterprise Random
Password Manager), the following access must be granted to the desired login account:
- SELECT access to the password column of the SYSLOGINS table in the MASTER database
Oracle
An Oracle login account is required when configuring an Oracle password change job. This login
account must have sufficient rights to change the desired target account's password. Assuming the
login account can connect to the specified Oracle service (and instance, if applicable), the following
rights must be granted to the desired login account:
- ALTER USER
To enumerate the user accounts in an Oracle instance (Account Store View in Enterprise Random
Password Manager), the following rights must be granted to the desired login account:
- SELECT ANY DICTIONARY

PostgreSQL
A PostgreSQL login account will be required when configuring a PostgreSQL password change job.
The login account must have sufficient rights to change the desired target account's password as
well as connect/login.

3.2 INSTALLING AND CONFIGURING IIS


The following sections detail how to install and configure IIS.
Even if the ERPM web client is not installed locally on the ERPM host system, you must install IIS to
be able to remotely install the web client to a remote server, and also to be able to manage the
remote IIS installations. Only a couple of elements are required, however, as outlined in the
following sections.

3.2.1 Installing IIS


Important! The Enterprise Random Password Manager web interface does not work properly on
32-bit editions of Windows 2008 and is not supported.
The installation experience for IIS 7.5 and 8.0 on Windows Server 2008 R2 and Windows Server
2012 is identical and the same procedures can be followed.
IIS requires the following role services to be included when installing IIS:
- Static Content
- Default Document
- HTTP Errors
- ASP.NET
- ASP
- Static compression (optional)
- IIS6 metabase compatibility
Any items that these components want to add will also need to be included.
To install Internet Information Services, open Server Manager and select the Roles node. In the
details pane (right side), click the Add Roles link to start the Server Roles Wizard.

From the Add Roles Wizard dialog, select Web Server (IIS) and click Next.

Click Next on the description page.

On the Select Role Services page, under the Application Development header, select ASP and
ASP.NET.
By default, Windows 2008 and later do not enable support for Active Server Pages; it is added
during the installation of IIS by following these steps. If using an existing installation of IIS where
support for Active Server Pages has not been enabled, please see Enable ASP Support (on page 51)
to enable support for it.

By default, Windows 2008 and later do not enable support for ASP.NET; it is added during the
installation of IIS by following these steps. If using an existing installation of IIS where support for
ASP.NET has not been enabled, please see Enable ASP.NET Support (on page 55) to enable support
for it.

If prompted to Add role services required for ASP? and/or Add role services required for ASP.NET?,
click Add required role services.

On the Select Role Services page, under the Management Tools header, select IIS 6 Metabase
Compatibility. Click Next to continue.

By default, Windows 2008 and later do not enable support for IIS 6 Metabase Compatibility; it is
added during the installation of IIS by following these steps. If using an existing installation of IIS
where support for IIS 6 has not been enabled, please see Enable IIS6 Compatibility Support (on
page 59) to enable support for it.

On the Confirm Installation Selections page, click Install.


Windows will begin the setup and configuration of IIS. When the file operations are complete, click
Close to close the wizard.

The IIS administration console may be launched by selecting Internet Information Services (IIS)
Manager from the Administrative Tools menu, by selecting Web Server under the Roles node in
Server Manager, or by typing inetmgr at the command prompt or Run menu.

3.2.1.1 REQUIRED WEB COMPONENTS ON A NON-WEB SERVER


Enterprise Random Password Manager is an N-tier product consisting of web services, a
management console, a database, and scheduling services (zone processor or default deferred
processor). It is a recommended practice to separate out the product into at least three tiers
consisting of:
1) Web Services
2) Management console & scheduling service
3) Database
When the machine hosting the management console will NOT also function as a web server, certain
portions of IIS may still be required. In the modular paradigm of Windows, if IIS is not installed,
neither are the binaries to be able to manage and talk to remote instances of IIS. Therefore to
perform a remote installation of the web services (push) or to manage IIS 6 and IIS 7.x, it will be
required to install these binaries.
The installation experience for IIS 7.5 on Server 2008 R2 is identical and the same procedures can be
followed.
IIS 7 requires the following additional role service to be included when installing IIS 7 for remote
web service installations and remote IIS management:
- IIS6 management compatibility (if also managing web servers that run IIS 6)

Note: If IIS 6 web servers will not also be managed, then simply add IIS with no options.

To install Internet Information Services in Windows 2008, open Server Manager and select the
Roles node. In the details pane (right side), click the Add Roles link to start the Server Roles Wizard.

From the Add Roles Wizard dialog, select Web Server (IIS) and click Next.

Click Next on the description page.

On the Select Role Services page, under the Management Tools header, select IIS Management
Console (required for IIS 7), IIS 6 Metabase Compatibility, and IIS 6 Management Console. All other
items may be deselected. Click Next to continue.

By default, Windows 2008 does not enable support for IIS 6 Management Compatibility; it is added
during the installation of IIS by following these steps. If using an existing installation of IIS where
support for IIS 6 has not been enabled, please see Enable IIS6 Compatibility Support (on page 59) to
enable support for it.

On the Confirm Installation Selections page, click Install.


Windows will begin the setup and configuration of IIS. When the file operations are complete, click
Close to close the wizard.

The IIS administration console may be launched by selecting Internet Information Services (IIS)
Manager from the Administrative Tools menu, by selecting Web Server under the Roles node in
Server Manager, or by typing inetmgr at the command prompt or Run menu.

3.2.1.2 ENABLE ASP SUPPORT


If installing this application onto an existing web server and Active Server Pages was not previously
enabled, turn it on by following the procedure below.

In Server Manager select the Roles node, expand the Web Server (IIS) heading and click on the Add
Role Services link.

On the Select Role Services page, under the Application Development header, select ASP.

If prompted to Add role services required for ASP?, click Add required role services. This will
automatically add ISAPI Extensions.

On the Select Role Services page, click Next. On the Confirm Installation Selections page, click
Install. Windows will begin the setup and configuration of IIS. When the file operations are
complete, click Close to close the wizard.

There are no further actions to perform once the wizard completes.

3.2.1.3 ENABLE ASP.NET SUPPORT


If installing this application onto an existing web server and ASP.NET was not previously enabled,
turn it on by following the procedure below.

In Server Manager select the Roles node, expand the Web Server (IIS) heading and click on the Add
Role Services link.

On the Select Role Services page, under the Application Development header, select ASP.NET.


If prompted to Add role services required for ASP.NET?, click Add required role services. This will
automatically add ISAPI Extensions.

On the Select Role Services page, click Next. On the Confirm Installation Selections page, click
Install. Windows will begin the setup and configuration of IIS. When the file operations are
complete, click Close to close the wizard.

There are no further actions to perform once the wizard completes.

3.2.1.4 ENABLE IIS6 COMPATIBILITY SUPPORT


If installing this application onto an existing web server and IIS 6 compatibility was not previously
enabled, turn it on by using the following procedure.

In Server Manager, select the Roles node, expand the Web Server (IIS) heading, and click on the
Add Role Services link.

On the Select Role Services page, under the Management Tools header, select IIS 6 Metabase
Compatibility. Click Next to continue.

On the Select Role Services page, click Next. On the Confirm Installation Selections page, click
Install. Windows will start the setup and configuration of IIS. When the file operations are
complete, click Close to close the wizard.

There are no further actions to perform once the wizard completes.



3.2.2 Configuring SSL on IIS


This product does not ship with an SSL certificate for encryption between the ERPM web client and
the client browser. This means it is up to the web server admin to configure SSL and determine
which certificate to use.
See the following pages for configuring SSL on IIS 7+.

3.2.2.1 SSL WITH IIS - WITH AN EXISTING CERT


In order to encrypt transmissions between the web server (IIS) and the client browser, and to
protect the privileged passwords while they are in transit, you have to configure SSL. This product
does not ship with a pre-configured SSL certificate. You can obtain a certificate from a public
certification authority, an internal private certificate authority, or by using a free utility. You can also
use a self-signed certificate in IIS, versions 7.x and later. The following steps assume that a
certificate is already installed on the host web server.
Open Internet Information Services (IIS) Manager from Administrative Tools. Go to the server's node
and open Server Certificates.

If certificates are installed on the system, they will be listed in the Server Certificates area.

Go to the website that hosts the Enterprise Random Password Manager web pages, or hosts the
virtual directory for the web pages. In the Actions pane, click Bindings.

Click Add.

Specify HTTPS as the protocol Type and assign the preferred SSL Port. If an alternate port number is
specified, this must be reflected in the URL as HTTPS://address:port_number/.

Select the appropriate certificate from the SSL certificate drop-down list. Click OK.

Note that the HTTPS binding is now appended to the website. Click Close.

To require the website to use SSL, go to either the website that hosts the Enterprise Random
Password Manager web pages, or go to the virtual directory that hosts the web pages, and open SSL
Settings (located in the IIS area).

Select Require SSL. Click Apply. No other configuration options are required.

3.2.2.2 SSL WITH IIS - NO EXISTING CERT


In order to encrypt transmissions between the web server (IIS) and the client browser, and to
protect the privileged passwords while they are in transit, you have to configure SSL. This product
does not ship with a pre-configured SSL certificate. You can obtain a certificate from a public
certification authority, an internal private certificate authority, or by using a free utility. You can also
use a self-signed certificate in IIS, versions 7.x and later. The following steps assume that a
certificate is NOT already installed on the host web server and must be requested.

Open Internet Information Services (IIS) Manager from the Administrative Tools. Go to the server's
node and open Server Certificates.

To create a self-signed certificate, on the Actions pane, click Create Self-Signed Certificate.

Type a friendly name for easy identification and click OK. The certificate will be created and added
to the list of certificates installed on the server.

To create a certificate request to a third-party CA or an off-line CA, click Create Certificate Request.

To create a certificate request to an on-line Enterprise CA, click Create Domain Certificate.

On the Distinguished Name Properties dialog, specify the Common name (for easy identification)
and all other properties, then click Next.

If this is going to an off-line CA, select the appropriate Cryptographic Service Provider Properties. If
this is going to an on-line CA, this page will not be presented. Click Next.

If this is going to an off-line CA, a prompt for the name of the certificate request will be presented.
This text file will be sent to the CA for processing. Once the certificate is approved, simply follow the
wizard through the Complete Certificate Request screen, then see the preceding section, SSL With
IIS - With an Existing Cert, to configure SSL with the installed certificate. Click Finish.

If this is going to an on-line CA, select the name of the CA by clicking the Select button. Then supply
the friendly name of the website. The friendly name is the name of the server specified in the URL.
Click Finish.

Once the certificates are installed on the system, they will be listed in the Server Certificates area.

Go to the website that hosts either the Enterprise Random Password Manager web pages or the
virtual directory for the web pages. In the Actions pane, click Bindings.

Click Add.

Select the protocol Type to be HTTPS and assign the preferred SSL Port. If an alternate port is
selected, this must be reflected in the URL as HTTPS://address:port_number/. Select the
appropriate certificate from the SSL certificate drop-down list. Click OK.

Note the HTTPS binding is now appended to the website. Click Close.

To require the website to use SSL, go to either the website that hosts the Enterprise Random
Password Manager web pages, or the virtual directory that hosts the web pages. Open SSL Settings
(in the IIS section).

Select Require SSL. Click Apply. No other configuration options are required.

3.3 INSTALLING SQL SERVER OR ORACLE DATABASE


See Solution Database Requirements (on page 25) for a list of supported database versions.

Note: Oracle is no longer offered as a back-end data store for ERPM. Lieberman
Software will continue to support customers who purchased Oracle support prior
to January 1, 2015. For details, contact your Lieberman Software account
representative.

To complete the installation of Enterprise Random Password Manager, an instance of SQL Server,
SQL Express, or Oracle 11g must already be installed and accessible. We recommend creating an
isolated database (a separate named instance) but it is not a requirement. If a full version of SQL
Server is unavailable to use during evaluation, use SQL Express 2014.

3.3.1 SQL Server Installation


For evaluation purposes, Microsoft's free edition of SQL Server, SQL Express, will work sufficiently
well. Download SQL Express from Microsoft:
http://www.microsoft.com/express/download/. Check the documentation for your chosen
database to determine if all the prerequisites are met.
The common criteria for any version of SQL Server are:
- If SQL Server is hosted on another server, allow network access via TCP or named pipes to the
instance.
- If using Windows Integrated Authentication, ensure that the COM+ and/or service account used
by the application has DBO rights over the database that the tool will use. Read more about
Granting Rights to the Database (on page 180).
- If using SQL Authentication instead of Windows Integrated Authentication, it is a good practice
to create a new account (instead of using the SA account) and grant this account the
appropriate rights.
The following steps show a SQL Server 2008 installation. The steps are identical for a basic SQL
Server 2008 R2 installation and comparable for SQL Server 2012.

Start the installation process and select the Installation link on the top left corner of the dialog.

Click on the New SQL Server stand-alone installation or add features to an existing installation
link.

On the Setup Support Rules page fix any errors that are found, then continue by clicking OK.

Click Next past the Product Key page.


Read and accept the EULA to continue installing SQL Express. Then click Next.

Click Install to start the installation of the required SQL 2008 Express Support Files.

On the Setup Support Rules page, note any warnings or errors presented and fix them as necessary.
Click Next when ready to continue.

On the Feature Selection page, choose Database Engine Services then click Next to continue.

On the Instance Configuration Page, choose to configure a Default Instance or a Named Instance. If
no other instances of SQL Server are installed on this system, choose either option. A default
instance will use the name of the server for all SQL Server connections. A named instance will use
the name of the server appended with a \Instance_Name. For example, if defining a named
instance called LSC and the software is being installed on a machine named UTILS01, then the server
connection to this instance of SQL would be UTILS01\LSC.

Click Next to continue.


On the Disk Space Requirements page, click Next.


On the Server Configuration page, choose the service account that will run the SQL Server services.
If no replication or clustering will be utilized, then set the account name to NT AUTHORITY\SYSTEM
and the startup type to Automatic. Choose the default collation from the Collation tab. Click Next
to continue.

On the Database Engine Configuration page, choose the authentication mode that the database
should allow. Windows authentication mode requires the credentials of the person using the tool,
as well as its various service and COM identities, to have certain rights to the database, and is the
recommended setting. Mixed Mode allows the most flexibility in the scope of applications that can
be used with the database, and allows accounts that exist only in the context of the database (no
Windows or AD) to access the database information. Instances configured with Mixed Mode
authentication must still create user accounts and grant them access to the database. Windows
Authentication requires identifying the Windows users and/or groups that can access the database
services; click Add to supply those users and groups here. No other changes need to be made here.

Click Next to continue.


On the Error Usage and Reporting page, elect to send Microsoft any error or usage information if
desired, then click Next to continue.

On the Installation Rules page, fix any errors or warnings that are presented at this time, then click
Next to continue.

On the Ready to Install page, review the configurations, then click Install to continue.

The installation routine will continue to install SQL Server.


When installation is complete, click Next to continue.


Click Close on the Complete page.

3.3.2 Configuring SQL Server for use With ERPM


Both SQL Server and SQL Express have two different modes of authenticating users. They can be
configured to support integrated authentication, which will use the credentials of the user account
currently accessing the database, or they can use a mixed mode, which allows both Windows user
accounts and explicit SQL accounts to have permissions to a database. It is recommended to use
Windows Integrated Authentication only because it does not require storage of any connection
credentials by the host system.
If using a dedicated instance of SQL Server with ERPM, grant:
- SYSADMIN = user role
or
- Control Server = database server right

This allows the granted users the rights to perform all actions within that instance of SQL Server,
including creating the required databases, stored procedures, all other features in the main
application, as well as backup and restoration.
If you choose not to grant SYSADMIN or Control Server to the SQL Server instance, then the
database that ERPM uses must be pre-created in SQL Server by the DBA. Either the SQL Server
account or a Windows user/group will need to be granted the following roles/rights over the ERPM
database:
- DBO = user role
- View Server State = server permission
or
- db_datareader = user role
- db_datawriter = user role
- db_ddladmin = user role
- View Server State = server permission
- Execute = database permission
- Create tables = database permission
- Create views = database permission
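
As an added example (not from the guide), the T-SQL for the second, least-privilege option above: the DBA pre-creates the ERPM database, then grants the listed roles and permissions to the service identity's login and checks what was granted. The database name ERPM and the Windows group CORP\ERPM-Service are hypothetical placeholders.

```sql
-- Added example, not from the ERPM guide. Run by a sysadmin/DBA. The database
-- name ERPM and the group CORP\ERPM-Service (holding the ERPM COM+/service
-- identities) are hypothetical placeholders.
USE master;
GO

-- The guide requires the DBA to pre-create the database when sysadmin or
-- CONTROL SERVER is not granted.
IF DB_ID(N'ERPM') IS NULL
    CREATE DATABASE ERPM;
GO

-- Integrated-authentication login for the group (no stored SQL credentials).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\ERPM-Service')
    CREATE LOGIN [CORP\ERPM-Service] FROM WINDOWS;
GO

-- The one server-level permission in the guide's list.
GRANT VIEW SERVER STATE TO [CORP\ERPM-Service];
GO

USE ERPM;
GO

-- Map the login to a database user.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\ERPM-Service')
    CREATE USER [CORP\ERPM-Service] FOR LOGIN [CORP\ERPM-Service];
GO

-- Fixed database roles from the guide's least-privilege option. sp_addrolemember
-- works on SQL Server 2008; on 2012+ ALTER ROLE ... ADD MEMBER is the newer form.
EXEC sp_addrolemember N'db_datareader', N'CORP\ERPM-Service';
EXEC sp_addrolemember N'db_datawriter', N'CORP\ERPM-Service';
EXEC sp_addrolemember N'db_ddladmin',   N'CORP\ERPM-Service';

-- Database-level permissions from the guide's list.
GRANT EXECUTE      TO [CORP\ERPM-Service];
GRANT CREATE TABLE TO [CORP\ERPM-Service];
GRANT CREATE VIEW  TO [CORP\ERPM-Service];
GO

-- Verification: role memberships held by the user in this database.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CORP\ERPM-Service'
ORDER BY r.name;

-- Verification: explicit database-scoped permissions held by the user.
SELECT pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'CORP\ERPM-Service'
  AND pe.class_desc = N'DATABASE'
ORDER BY pe.permission_name;
GO
```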

3.3.3 Oracle 11g Installation


While the ERPM console and website must be hosted from the Windows platform, when using an
Oracle database, it is possible to host the database from a Windows or a non-Windows system.
Check the Oracle documentation for the appropriate prerequisites.

Note: Oracle is no longer offered as a back-end data store for ERPM. Lieberman
Software will continue to support customers who purchased Oracle support prior
to January 1, 2015.

Oracle database requirements will vary based on the target platform. Please refer to Oracle
documentation for specific requirements.
The common criteria for any version of Oracle are:
- If hosted on another server, allow network access via TCP.
- Oracle databases require that a connection account be used to connect to the database. Ensure
that the connection account has the rights and limits as defined in these pages.
The following steps show a basic Oracle 11g installation on Windows.
Start by identifying the installation path for the Oracle base files and the home location (default
location) for created databases. Identify the installation type (Oracle Database Edition), global
database name (Oracle Service Name), and database password. This password will be the default
password for the SYS, SYSTEM, SYSMAN, and DBSNMP accounts. These accounts provide initial and
ongoing administrative access to the database.
Click Next to continue.

If desired, specify an email address to receive security update notifications. Click Next to continue.

If an email address was not specified, a prompt will appear informing so. Choose Yes to continue or
No to provide an email address.

The Oracle installer will now perform a prerequisite check. If there are no major problems, click
Next to continue.

Click Install on the summary screen to let the installation proceed.


The installation will continue until it is finished.


When installation is complete a summary screen will appear. Click OK to continue.


Click Exit to close the installation.

The database server is now configured. Following are the additional steps required to allow ERPM
or RPM to work with the Oracle server. The steps can be performed by copying the text between
the five-slash lines into a file with a .SQL extension and running it against the Oracle database, or by
following the steps outlined after.
/////
-- CREATE TABLESPACE
CREATE SMALLFILE TABLESPACE [tablespace_name]
  DATAFILE '[full_path_to_tablespace_name]'
  SIZE 100M AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED
  LOGGING EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;

-- USER SQL
CREATE USER [user_name]
  IDENTIFIED BY [user_name_password]
  DEFAULT TABLESPACE [tablespace_name]
  TEMPORARY TABLESPACE TEMP;

-- ROLES
GRANT CONNECT TO [user_name];

-- SYSTEM PRIVILEGES
GRANT CREATE TRIGGER TO [user_name];
GRANT CREATE SEQUENCE TO [user_name];
GRANT CREATE TABLE TO [user_name];
GRANT CREATE VIEW TO [user_name];

-- QUOTAS
ALTER USER [user_name] QUOTA UNLIMITED ON [tablespace_name];
/////
In the preceding text, replace:
- [tablespace_name] with the name of the tablespace (location where the solution tables go)
- [full_path_to_tablespace_name] with the full path to where the Oracle tablespace datafile will
be kept, such as "c:\app\oracle11g\rpm"
- [user_name] with the name of the user account to be created
- [user_name_password] with the password desired for the user_name being created
Rather than creating a script as referenced above, the web interface can be used to create the
necessary items. First, configure a default table space. Open the Oracle Manager website and go to
Server > Storage > TableSpaces. Click the Create button on the bottom right area to create a new
table space.
Define a name and set the desired options. The default settings of locally managed, permanent, and
read write will be sufficient.

Provide a file name, initial size, and choose to Automatically extend datafile when full
(AUTOEXTEND). Set the auto growth increment and click Continue. The previous page will be
displayed with the data file added.

Click Continue to add the tablespace.

The table space will now be listed in the available table spaces.

Finally, create a user in Oracle for the solution to use and set the default table space for that user.
Select Server > Security > Users. In the top right area, click Create.
Provide a name for the account, set the desired profile and authentication. Set the default
tablespace to the tablespace created in the previous steps. Set the temporary tablespace to TEMP.
Set the status to Unlocked when ready to use the account. Click OK to create the user.

Go to System Privileges and add the following system privileges:
- Create Any Sequence
- Create Any Table
- Create Any Trigger
- Create Any View

Next go to the Quotas area.


Set the default table space (created and assigned in previous steps) to have an Unlimited quota.
Click OK to create the user account.

A summary screen will then appear. The user account is now set up.
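
As an added example (not from the guide), the data-dictionary queries a DBA can run to confirm that the connection account created by either method above holds the intended role, system privileges, tablespaces and quota, and to flag any ANY privileges, which are broader than the script's own-schema CREATE privileges. The user name ERPM_APP and tablespace ERPM_DATA are hypothetical placeholders.

```sql
-- Added example, not from the ERPM guide. Run as a DBA (for example SYSTEM).
-- ERPM_APP (user) and ERPM_DATA (tablespace) are hypothetical placeholders;
-- Oracle stores these identifiers in upper case.

-- Role granted to the account: the script grants only CONNECT.
SELECT granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'ERPM_APP'
ORDER  BY granted_role;

-- System privileges granted directly: the script grants CREATE TRIGGER,
-- CREATE SEQUENCE, CREATE TABLE and CREATE VIEW.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ERPM_APP'
ORDER  BY privilege;

-- Least-privilege check: CREATE ANY TABLE and the other "ANY" privileges allow
-- creating objects in other users' schemas, whereas CREATE TABLE is limited to
-- the account's own schema, which is all the solution tables need. Review any
-- rows this returns.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'ERPM_APP'
  AND  privilege LIKE '% ANY %';

-- Default and temporary tablespace (expected: ERPM_DATA and TEMP) and whether
-- the account has been unlocked for use.
SELECT default_tablespace, temporary_tablespace, account_status
FROM   dba_users
WHERE  username = 'ERPM_APP';

-- Quota on the default tablespace. MAX_BYTES of -1 means UNLIMITED, matching
-- ALTER USER ... QUOTA UNLIMITED ON ERPM_DATA.
SELECT tablespace_name, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'ERPM_APP';
```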

3.4 INSTALLING DATABASE PROVIDERS (CONNECTORS)


For each supported database target, a specific OLEDB connector needs to be installed. These
connectors (or providers) are supplied by the database vendor: for example, Oracle for Oracle, IBM
for DB2, Sybase for Sybase ASE, and MySQL for MySQL. For SQL Server, Microsoft provides the
required connectors with the operating system.
After you install the proper OLEDB connector, it is available to ERPM and is visible in the Add Target
dialog when you add a new database target.
As of version 4.83.6 of ERPM, ERPM supports the SQL Server Native Client for Microsoft SQL Server
only. We recommend using the latest SQL Server Native Client provider available. Version 10 of the
SQL Server Native Client can exhibit undesirable behavior, so we recommend using the SQL Server
2012 Native Client (v11) instead.
The following sections provide guidelines for installing the required providers. Links are provided,
but note that these links can become obsolete at any time. Some vendors may require a login, a
licensing agreement, and other prerequisites. Lieberman Software is not responsible for third-party
installations. All licensing and use restrictions surrounding these providers are the responsibility of
the end-user.

3.4.1 Installing the Microsoft SQL Server Provider


Microsoft provides the required OLEDB provider with the operating system, so there is nothing to
install or configure if you opt to use the OLEDB provider.
Starting with version 4.83.6 of the ERPM product, support for the Microsoft SQL Server Native Client
is also provided. It is recommended to use the latest SQL Server Native Client provider available. It
has been found that version 10 of the SQL Server Native Client can provide undesirable behavior, so
use the SQL Server 2012 Native Client (v11) instead. The version 11 SQL Native Client can be
downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=29065

3.4.2 Installing the Oracle Provider


Managing and discovering Oracle database instances requires the Oracle database provider. This can
be downloaded from the Oracle downloads website:
http://www.oracle.com/technology/software/products/database/index.html
(Registration required for download.)

ERPM only works with the 32-bit provider for Oracle, regardless of the host operating system or
target database. Be sure to use only the 32-bit Oracle provider. This is not to be confused with the
Oracle back-end database, which can be a 32 or 64-bit database. ERPM can manage accounts in an
Oracle database. Supported Oracle database versions start at version 9i and later.
For ERPM to manage Oracle databases, use version 11g or later of the OLEDB provider for Windows.
Version 11g R2 x86 is recommended.
This section details the Oracle 11g R2 installation.
Launch the installer, select Custom, and click Next to continue.

Select any appropriate languages and click Next.


Choose the installation directories and click Next.


The only required item is Oracle Provider for OLE DB. Select Oracle Provider for OLE DB and click
Next.

On the summary page, click Finish to begin the installation.



The installation will proceed to copy new files.



When the installation is complete, click Close.



When the Oracle provider is installed, it will be listed as an available "Database Provider" when
adding an Oracle database to the Account Store View.

3.4.3 Installing the Sybase ASE Provider


Managing and discovering Sybase database instances requires the Sybase database provider. This is
not available for general download. You will need to use your existing Sybase source files to
perform the provider installation.

Launch the installer and click Next to continue.



Choose the installation directory for the Sybase files and click Next to continue.

If the directory does not exist, a prompt requesting to create the directory will appear.

Only the OLEDB providers are required. Choose the Custom option and click Next.

De-select all options except for:

ASE Data Providers > ASE ODBC Driver


ASE Data Providers > ASE OLE DB Driver

Click Next to continue.



Choose the Sybase license use as is appropriate to your company. Click Next to continue.

Select the licensing region and agree to the license agreement to continue installing the software.
Click Next to continue.

On the summary screen, click Next to continue.



Files will be copied to the host system.



When the installation is finished, click Next to continue the wizard.



When the installation wizard is finished, click Finish to close the wizard.

When the Sybase provider is installed, it will be listed as an available "Database Provider" when
adding a Sybase database to the Account Store View.

3.4.4 Installing the MySQL & MariaDB Provider


Managing and discovering MySQL or MariaDB database instances requires the MySQL database
provider. This can be downloaded from the MySQL downloads website (registration required for
download):
http://www.mysql.com/downloads/connector/odbc/
Download the provider appropriate to your version of Windows, such as the "Windows (x86, 32-bit),
MSI Installer". At this time, the product is still a 32-bit product, so 32-bit OLEDB/ODBC drivers
are required.

Launch the installer and click Next to continue.



Select the Complete setup type and click Next to continue.



On the installation summary page, click Install to continue.



The installation will proceed to copy new files.



When the installation is complete, click Finish.

When the MySQL provider is installed, it will be listed as an available "Database Provider" when
adding a MySQL database to the Account Store View.

3.4.5 Installing the IBM DB2 Provider


IBM DB2 does not use an internal/explicit account store as SQL Server, Sybase, MySQL, Oracle,
and other database systems do. Rather, DB2 databases leverage the local account store of the host
system. This means that in order to change a password for an account associated with DB2, you must
determine whether DB2 is hosted on a Windows, Linux, or UNIX platform and choose that platform as
the target platform when managing DB2 accounts.
Additional OLEDB drivers are not required to manage passwords within DB2.
Accounts associated with DB2 can be enumerated from the Account Store View. Determining (for
display purposes only) the accounts associated with DB2 requires the DB2 OLEDB driver to be
installed on the host system. This is not a required step to change passwords.
ERPM support for DB2 is limited to the Microsoft provider for DB2 available from the
Microsoft SQL 2005 or SQL 2008 feature packs. Search http://microsoft.com/downloads for
DB2 OLEDB or, as of this writing, download the file directly from here:
http://download.microsoft.com/download/0/E/6/0E67502A-22B4-4C47-92D3-0D223F117190/DB2
OLEDB.exe
The installation routine has two prerequisites:
1) You have a version of the Enterprise or Developer edition of Microsoft SQL 2005 or 2008, or some
component thereof, which also implies that the version is licensed for use by your corporation.
2) The installer checks for the existence of certain registry keys and/or files to validate the
installation before the provider will install.
The presumption is that installing SQL Server components solely to make use of the Microsoft-supplied
DB2 provider is not permissible. The following steps document a registry manipulation that will
lead the installer to believe the prerequisites it looks for during installation are present.

Caution! Use of the registry editor can lead to system instability or loss of functionality.
Perform these steps at your own risk.

1) Open the registry editor on the ERPM host system.


2) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\Setup
3) Add a new string value called: Version
4) Modify the new "Version" value and make its data: 10.0.1600
5) Add a new string value called: EditionType
6) Modify the new "EditionType" value and make its data: Enterprise Edition
7) Add a new string value called: Edition
8) Modify the new "Edition" value and make its data: Enterprise Edition
Once the registry is configured, the installation of the Microsoft Provider for DB2 can proceed.
Launch the installer and click Microsoft OLE DB Provider for DB2.

Enter the user name and organization name and click Next to continue.

Accept the licensing agreement if its requirements are met and click Next to continue.

Click Next past the installation location page.



Click the Install button to begin the installation.



The installation routine will run.



Click Finish when prompted.



When the DB2 provider is installed, it will be listed as an available "Database Provider" when adding
a DB2 database to the Account Store View.

3.4.6 Installing the PostgreSQL Provider


Download the PostgreSQL provider from here: http://www.postgresql.org/ftp/odbc/versions/msi/
Get the latest 32-bit version (64-bit versions include x64 in their name).
ERPM has been tested with the 9.x PostgreSQL database providers.

Run the installer and read and accept the licensing agreement, then click Install.

Click Close when the setup has completed successfully.



When the PostgreSQL provider is installed, it will be listed as an available "Database Provider" when
adding a PostgreSQL database to the Account Store View.

3.4.7 Installing the Teradata Provider


This section describes how to install the 32-bit Teradata base components, and the Teradata 32-bit
OLEDB provider for Windows, both of which are required. ERPM requires a 32-bit Teradata
connector/provider to manage a Teradata database. ERPM has been tested with the 15.n Teradata
database providers.

To Download the 32-bit Teradata Drivers


Download the Teradata Tools and Utilities for Windows (approx. 500 MB) here:
https://downloads.teradata.com/download/tools/teradata-tools-and-utilities-windows-installation-package
Download the Teradata OLEDB Provider (approx. 17 MB) here:
https://downloads.teradata.com/download/connectivity/ole-db-provider

To Install Teradata Tools and Utilities for Windows


1) Launch the installer and click Next.

2) Click Next on the welcome page.

3) Read and accept the licensing agreement, then click Next.



4) Define the installation location, then click Next.



5) Be sure to select the OLEDB Access Module. Select other modules as required, then click Install.

6) Click Finish.

To Install the OLEDB Provider


1) Launch the installer, select your language (only English was tested), then click OK.

2) Click Next on the welcome page.



3) Read and accept the licensing agreement, then click Next.



4) Confirm the installation location and click Next.



5) Choose the Complete setup option, then click Next.



6) Click Install.

7) When the install is complete, click Finish.

The Teradata provider will now be listed as an available database provider when you add a Teradata
database to the Account Store View.

Related Topics
See Enrolling Teradata Database in the ERPM Admin Guide.
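Every provider in sections 3.4.1 through 3.4.7 must be registered for 32-bit processes, because ERPM itself is 32-bit; a provider installed only in its 64-bit flavour never shows up in the "Database Provider" list. The following PowerShell is an added example, not part of the ERPM guide: it enumerates the OLE DB providers registered in the 32-bit (WOW64) view of the registry on the ERPM host, so you can confirm a provider is visible before adding a database to the Account Store View. The registry layout it reads is standard COM registration (a CLSID with an "OLE DB Provider" subkey); the ProgIDs mentioned in the comments, such as SQLNCLI11 for the SQL Server 2012 Native Client and OraOLEDB.Oracle for the Oracle provider, are the vendors' own.

```powershell
# Added example (not from the ERPM guide): list the OLE DB providers registered for
# 32-bit (WOW64) processes, which is the view a 32-bit product such as ERPM sees.
# Assumes a 64-bit Windows host; on 32-bit Windows the same providers live directly
# under HKLM:\SOFTWARE\Classes\CLSID, which the function falls back to.

function Get-OleDbProvider32 {
    [CmdletBinding()]
    param(
        # Registry branch holding 32-bit COM class registrations on 64-bit Windows.
        [string]$ClsidRoot = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )

    if (-not (Test-Path $ClsidRoot)) {
        # 32-bit Windows: no WOW64 branch, every registration is native 32-bit.
        $ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    }

    # Every OLE DB provider registers a CLSID that carries an "OLE DB Provider" subkey
    # whose default value is the human-readable provider description.
    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $providerKey = Join-Path $_.PSPath 'OLE DB Provider'
        if (Test-Path $providerKey) {
            $progId = (Get-ItemProperty -Path (Join-Path $_.PSPath 'ProgID') -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                ProgId      = $progId          # e.g. SQLNCLI11, OraOLEDB.Oracle, MSDAORA
                Description = (Get-ItemProperty -Path $providerKey).'(default)'
                Clsid       = $_.PSChildName
                Dll         = $dll             # the 32-bit DLL ERPM will actually load
            }
        }
    }
}

# Report the providers visible to ERPM, sorted by ProgID. A provider you installed
# that is missing here was most likely the 64-bit package.
Get-OleDbProvider32 | Sort-Object ProgId | Format-Table -AutoSize
```

Run this after each provider installation and again after patching: vendor updates sometimes re-register only the 64-bit provider, and the symptom in ERPM is a provider that silently disappears from the drop-down rather than an error.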

3.5 ENABLING REMOTE COM+ AND IIS ACCESS


Enabling remote management access to COM+ and IIS is, permissions aside, a matter of installing the
application server role and enabling Network COM+ access. This section details how to do this in
Windows Server 2008 R2 and later. If Network COM+ access is not installed, remote management of
COM+ and IIS will fail, as will account usage discovery on those operating systems for those
particular subsystems.
For the ERPM host servers, and the web server specifically, installing the application server role with
COM+ Network Access is only required on the ERPM web server if the web server is a remote
system. If the web server is on the same machine as the ERPM console, it is not necessary to
install this role simply to deploy the website.
For servers that will be managed by ERPM, it is necessary to install this role if attempting to
discover or manage anything in the COM+/DCOM/MTS subsystem. Failure to install this access on
remote systems will prevent ERPM from discovering and managing these components, which could
lead to a service outage. Many applications, such as web applications and many distributed
applications, use COM+ and DCOM.

3.5.1 Windows 2008 & Later Remote COM+ Access


To manage COM+ and related components remotely, remote COM+ access must be enabled. This
can be accomplished by adding the server role or by editing the registry. If dealing with a Server
Core instance of Windows, the registry is the only option.
To make the change via the registry:
1) Run regedit.exe.
2) In the registry, locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
3) Locate the value: RemoteAccessEnabled
4) Right-click RemoteAccessEnabled, and then click Modify.
5) In the Edit DWORD Value dialog box, type 1, then click OK.
6) No further action is necessary.
These same steps can also be performed via group policy preferences.
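The registry procedure above, as an added PowerShell example that is not part of the ERPM guide: it reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled, sets the DWORD to 1 only when it is not already set, and reads it back, which is the first check to run on a managed server that ERPM reports as failing COM+ discovery. It assumes nothing beyond the key and value the guide cites and must run in an elevated session on the server itself (or through PowerShell remoting).

```powershell
# Added example (not from the ERPM guide): check, enable and verify the COM+ network
# access flag described in steps 1-6 above. Requires an elevated PowerShell session.

$Com3Key   = 'HKLM:\SOFTWARE\Microsoft\COM3'
$ValueName = 'RemoteAccessEnabled'

function Get-ComRemoteAccess {
    # Returns $true when network COM+ access is enabled, $false when disabled or absent.
    $value = (Get-ItemProperty -Path $Com3Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($value -eq 1)
}

function Enable-ComRemoteAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (Get-ComRemoteAccess) {
        Write-Verbose "$ValueName is already 1; nothing to change."
        return
    }
    if ($PSCmdlet.ShouldProcess("$Com3Key\$ValueName", 'Set DWORD value to 1')) {
        # -Type DWord matches the "Edit DWORD Value" dialog in the manual procedure.
        Set-ItemProperty -Path $Com3Key -Name $ValueName -Value 1 -Type DWord
    }
}

# Apply the change (use -WhatIf to preview it) and read the value back.
Enable-ComRemoteAccess -Verbose
if (Get-ComRemoteAccess) {
    "COM+ network access is enabled on $env:COMPUTERNAME"
} else {
    Write-Warning "COM+ network access is still disabled on $env:COMPUTERNAME; check for a group policy preference that resets the value."
}
```

The read-back matters more than the write: if a group policy preference manages the same value, the next policy refresh will put it back, so a server that passes this check today can fail ERPM discovery tomorrow. Keep the setting in the same place (policy or local registry) for every managed server.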
If a GUI is available and it is desired to use the server roles wizard, these steps will help guide the
installation process.

Installing network COM+ access in Windows 2008 requires installing the Application Server role.
Open Server Manager and select the Roles node. In the details pane (right side), click the Add Roles
link to start the Server Roles Wizard.

On the Select Server Roles page, select Application Server. A second dialog will immediately appear
prompting to install additional components. These are mandatory items. Click Add Required
Features to continue.

On the Select Server Roles page, click Next to continue.



On the Application Server page, click Next to continue.



On the Select Role Services page, select COM+ Network Access. Then click Next to continue.

On the Confirm Installation Selections page, click Install to continue.



On the Installation Results page, click Close to finish the installation.



3.6 CONFIGURING THE COM OBJECT AND DEFERRED PROCESSOR ACCOUNT

This section may not apply to you. Review the following conditions before continuing:

Skip this section if you are installing ERPM on Windows Server 2012 or higher. This section only
applies if you are installing Enterprise Random Password Manager on Windows Server 2008 R2.
Skip this section if there is already an account that meets the following requirements:
Administrator on the host system(s)
Account granted Logon as a batch job and Logon as a service on the host system(s)
Domain Admin or Administrators group membership in the domain to be managed, or delegated
control based on the following outline:

If the solution will be managing local systems only and will not manage domain accounts at all, the
account will only need administrative rights on the host system (web server, application server). If
the account will be managing accounts in a domain, add it to the Administrators or Domain Admins
group within the domain, or delegate control of an OU to "reset" passwords. If this account will be
managing services, tasks, COM objects, and so on, on your domain controllers, it must be an
administrator or domain admin within the domain.

To Create the User Account and Complete the Configuration


To create the user in the domain, use Active Directory Users and Computers from the
Administrative Tools of your domain controller or from the local system if the remote server
administration tools (RSAT) have been installed.
To create a user account in Active Directory, right click on the organizational unit or container to
create the account and select New > User.

Note: The following screen shots show the procedure for Lieberman Software's "Account
Reset Console" product. The same procedure also applies to Enterprise Random
Password Manager.

It is helpful to give the account a semi-descriptive first name, as this is what will be visible in
Active Directory. Provide the account with a unique logon name. Click Next to continue.

Provide a password for this account. It is recommended to use a password that is 15 characters
or longer, as this greatly reduces the potential for compromise of this account's password.
Clear the User must change password at next logon flag; otherwise this account will not work, as
any installations using this account will fail because the account will be unable to log on. It is
also recommended to set the Password never expires flag for this account to avoid loss of
functionality should the password expire. This password should still be changed, and can be changed
at any time.

Click Next to continue.



Click Finish to create the account and close the wizard.



Now that the account is created, right-click on the account, select Properties, then select the
Member Of tab and click Add.

Type in the name of the domain group to add this account to. At a minimum this account will need
to be a member of Domain Users. However, if it will also manage users of the domain's Administrators
group, Domain Admins group, or Enterprise Admins group, this account will also need to be a
member of one of those groups.

Click OK to add the user to the group.



Click OK to close the properties dialog.

On the system which will host the management and web consoles, ensure that this account has
certain rights. Specifically, because this user will need to run as a COM object on the host system,
this user account will also need to be an administrator of the host system and have the log
on as a batch job right. If this account was added to the Domain Admins group, there is no need to
also add the account to the host system's local Administrators group; skip to assigning the user the
right to log on as a batch job. If the user was not added to the domain's Domain Admins group, add
this user to the host system's Administrators group.

Open computer management on the host system by typing compmgmt.msc from the RUN menu or
by choosing Computer Management from Administrative Tools. Under System Tools expand Local
Users and Groups then select the Groups node. In the details pane, right click on Administrators
and choose Properties.

Click Add...

From the Select Users, Computers, or Groups dialog, type in the user account's name or use the
Advanced... option to search for the user account. Click OK once to add the user to the local
Administrators group.

Click OK to finalize the change and add the account to the administrators group.

On the host system type gpedit.msc at the RUN menu. This will open the local system's security
configuration. Navigate to Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment and choose Log on as a batch job from the details pane.

Right-click Log on as a batch job and select Properties. Click on Add User or Group....

From the Select Users, Computers, or Groups dialog, type in the user account's name or use the
Advanced... option to search for the user account. Click OK once to add this user to the list.

Click OK to close the properties dialog. Then close the group policy editor.

To ensure that the policy is updated immediately and doesn't conflict with any other domain
policies, from a CMD prompt, type gpupdate /target:computer /force.
Re-check the policy and ensure that the user account is still listed in the list. If it is not listed then
you have a domain level policy that is removing your settings. Work with the group policy
administrator to determine which policy is causing the conflict.
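The account-creation and rights-assignment procedure above, carried through as one added PowerShell example that is not part of the ERPM guide. It creates the account with the settings the guide recommends (a password of 15 or more characters, no forced change at next logon, password never expires), adds it to the host's local Administrators group unless it is a Domain Admin, grants "Log on as a batch job" with secedit (Windows has no built-in cmdlet for user rights), runs gpupdate as the guide instructs, and then re-reads the policy so a conflicting domain GPO shows up immediately. The domain contoso.local, the OU "Service Accounts" and the account name svc-erpm are assumptions for the example; it needs the ActiveDirectory RSAT module and an elevated session on the ERPM host.

```powershell
# Added example (not from the ERPM guide): create the console / deferred processor account,
# grant it local Administrators and "Log on as a batch job" on this host, then verify the
# right survives a policy refresh. Assumed values: domain contoso.local, OU "Service Accounts",
# account svc-erpm. Requires the ActiveDirectory RSAT module and an elevated session.

Import-Module ActiveDirectory

$AccountName = 'svc-erpm'                                   # assumption
$Ou          = 'OU=Service Accounts,DC=contoso,DC=local'    # assumption
$DomainGroup = $null   # set to 'Domain Admins' only if ERPM will manage objects on domain controllers
$Netbios     = (Get-ADDomain).NetBIOSName
$Qualified   = "$Netbios\$AccountName"

# 1) Create the account as the guide recommends: 15+ character password, no forced change at
#    next logon, password never expires (rotate it later, ideally through ERPM itself).
$password = Read-Host -AsSecureString "Password for $AccountName (15 or more characters)"
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $Ou `
    -GivenName 'ERPM Service' -Description 'ERPM console / deferred processor identity' `
    -AccountPassword $password -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true -Enabled $true

# 2) Optional domain group. A new user is already in Domain Users through its primary group.
if ($DomainGroup) { Add-ADGroupMember -Identity $DomainGroup -Members $AccountName }

# 3) Local Administrators on the host (skipped for Domain Admins, as the guide says).
#    net localgroup is used because 2008 R2 has no LocalAccounts module.
if ($DomainGroup -ne 'Domain Admins') { net localgroup Administrators $Qualified /add | Out-Null }

function Get-AccountSid {
    param([string]$Account)
    (New-Object Security.Principal.NTAccount $Account).Translate([Security.Principal.SecurityIdentifier]).Value
}

function Get-BatchLogonRightValue {
    # Exports the local user-rights policy with secedit and returns the raw SeBatchLogonRight
    # entry, e.g. "*S-1-5-32-544,*S-1-5-32-551" (empty string if nobody holds the right).
    $file = Join-Path $env:TEMP 'erpm-rights-export.inf'
    secedit /export /cfg $file /areas USER_RIGHTS | Out-Null
    $line = Get-Content $file | Where-Object { $_ -match '^SeBatchLogonRight\s*=' } | Select-Object -First 1
    if ($line) { return ($line -split '=', 2)[1].Trim() } else { return '' }
}

function Test-BatchLogonRight {
    # True when the account's SID is listed under "Log on as a batch job".
    param([Parameter(Mandatory = $true)][string]$Account)
    $value = Get-BatchLogonRightValue
    return [bool]($value -match [regex]::Escape('*' + (Get-AccountSid $Account)))
}

function Grant-BatchLogonRight {
    # Appends the account's SID to the current holders and applies the result with secedit,
    # so everyone who already had the right keeps it.
    param([Parameter(Mandatory = $true)][string]$Account)
    if (Test-BatchLogonRight $Account) { return $true }
    $current = Get-BatchLogonRightValue
    $sid     = Get-AccountSid $Account
    $value   = if ($current) { "$current,*$sid" } else { "*$sid" }
    $apply   = Join-Path $env:TEMP 'erpm-rights-apply.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = $value
"@ | Set-Content -Path $apply -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'erpm-rights.sdb') /cfg $apply /areas USER_RIGHTS | Out-Null
    return (Test-BatchLogonRight $Account)
}

# 4) Grant the right, refresh policy as the guide instructs, then re-check: if the account
#    has vanished from the list, a domain-level policy is overriding the local setting.
Grant-BatchLogonRight $Qualified | Out-Null
gpupdate /target:computer /force | Out-Null
if (Test-BatchLogonRight $Qualified) {
    "$Qualified holds 'Log on as a batch job' on $env:COMPUTERNAME"
} else {
    Write-Warning "$Qualified lost 'Log on as a batch job' after gpupdate; a domain GPO is overriding it. Work with the group policy administrator."
}
```

The "Log on as a service" right the deferred processor needs is handled the same way with SeServiceLogonRight; the guide notes that ERPM attempts to grant it automatically when the service account is configured in the mini-setup wizard, so only the batch right is scripted here.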

3.6.1 Granting Rights to the Database


There are at least three objects in Enterprise Random Password Manager that access the database:
Website COM object
Deferred Processor / Zone Processors
Main application

If using an Oracle database, please see Oracle 11g Installation (on page 95) within the prerequisites
section for configuring the Oracle account's necessary rights.
There are at least two ways to authenticate to a Microsoft SQL database:
SQL Authentication / Explicit Database Authentication
Integrated Windows Authentication for MS SQL

The solution may use either authentication method, though Integrated Windows Authentication is
recommended. Whichever method is chosen will also be the method used by the website COM
object as well as the Deferred Processor (and zone processors).
Windows Integrated Authentication is recommended because it permits much more granular control
when providing access to the information within ERPM and also allows for additional logging. If
using SQL authentication, all access to the database server happens in the context of the SQL
account rather than the user performing the action. Whatever authentication method is chosen,
access to the solution database will need to be provided to the SQL account, the Windows user
account, or a Windows group containing the Windows users.
If using an instance of SQL dedicated to ERPM, simply grant:
SYSADMIN = user role
or
Control Server = database server right

This allows the granted users the rights to perform all actions within that instance of SQL, including
creating the required databases and stored procedures, all other features in the main application, as
well as backup and restoration.
If it is not desired or permitted to grant SYSADMIN or Control Server on the SQL instance, then the
database that ERPM will use must be pre-created within SQL by the DBA. The SQL account or
Windows users/groups will need to be granted the following roles/rights over the ERPM database:
DBO = user role
or
db_datareader = user role
db_datawriter = user role
db_ddladmin = user role
Execute = database permission
Create Tables = database permission needed during install/upgrade
Create Views = database permission needed during install/upgrade

Additionally, if using SQL 2008 or later, ERPM can take advantage of the performance
recommendations made by SQL (for auto-index creation). To make use of this, the
account or Windows users/groups will need to be granted the View Server State right on the host
SQL server. To do this, open SQL Server Management Studio and the properties of the account/group,
select Securables, add the database server, scroll down the list to View Server State, and select the
Grant option next to that right.
If using the explicit DB permissions rather than granting sysadmin or DBO, once the user account
has been granted the db_datareader, db_datawriter, and db_ddladmin roles, the EXECUTE
permission is granted via a SQL statement such as GRANT EXECUTE TO user_name.
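The explicit-permissions path above (roles plus EXECUTE, CREATE TABLE, CREATE VIEW, and VIEW SERVER STATE, instead of SYSADMIN or db_owner) as one added example that is not part of the ERPM guide. It applies the grants over Integrated Windows Authentication, the guide's recommended method, so the change is audited against the named administrator running it, and then reads back the roles and permissions the principal actually holds. The instance SQLHOST\ERPM, the database ERPM, and the Windows group CONTOSO\ERPM-Admins (holding the console, website COM and deferred processor identities) are assumptions for the example; the database must already exist, as the guide requires.

```powershell
# Added example (not from the ERPM guide): least-privilege SQL grants for a pre-created ERPM
# database, applied with Integrated Windows Authentication and then read back.
# Assumed values: instance SQLHOST\ERPM, database ERPM, Windows group CONTOSO\ERPM-Admins.

$Instance  = 'SQLHOST\ERPM'          # assumption
$Database  = 'ERPM'                  # assumption: pre-created by the DBA
$Principal = 'CONTOSO\ERPM-Admins'   # assumption: group containing the ERPM identities

function Invoke-ErpmSql {
    # Runs a T-SQL batch with the caller's Windows credentials and returns any result rows.
    param([string]$Db, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=$Db;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table) | Out-Null
        return $table
    } finally { $conn.Close() }
}

# Server scope: a Windows login plus VIEW SERVER STATE for the SQL 2008+ index
# recommendations. Deliberately no SYSADMIN and no CONTROL SERVER.
$serverSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    CREATE LOGIN [$Principal] FROM WINDOWS;
GRANT VIEW SERVER STATE TO [$Principal];
"@

# Database scope: the three fixed roles and three permissions the guide lists instead of DBO.
# sp_addrolemember is used rather than ALTER ROLE so the batch also runs on SQL 2005/2008.
$dbSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
EXEC sp_addrolemember N'db_datareader', N'$Principal';
EXEC sp_addrolemember N'db_datawriter', N'$Principal';
EXEC sp_addrolemember N'db_ddladmin',   N'$Principal';
GRANT EXECUTE      TO [$Principal];   -- stored procedures
GRANT CREATE TABLE TO [$Principal];   -- needed during install/upgrade
GRANT CREATE VIEW  TO [$Principal];   -- needed during install/upgrade
"@

# Read-back: role memberships and database-scoped permissions the principal really holds,
# which is what to compare against the list in this section during an access review.
$auditSql = @"
SELECT 'role' AS kind, r.name AS item, 'MEMBER' AS state
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Principal'
UNION ALL
SELECT 'permission', p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.database_principals m ON m.principal_id = p.grantee_principal_id
WHERE m.name = N'$Principal' AND p.class = 0;
"@

Invoke-ErpmSql -Db 'master'  -Query $serverSql | Out-Null
Invoke-ErpmSql -Db $Database -Query $dbSql     | Out-Null
Invoke-ErpmSql -Db $Database -Query $auditSql  | Format-Table -AutoSize
```

If SQL authentication is used instead, only the CREATE LOGIN statement (WITH PASSWORD rather than FROM WINDOWS) and the connection string change; the database-level grants are identical. The principal name is interpolated straight into the T-SQL, so keep it an administrator-supplied constant as here rather than user input.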
Chapter 4 Installing and Configuring ERPM

This chapter documents how to install Enterprise Random Password Manager and perform
post-installation configuration tasks.

Important: See the Installation Roadmap (on page 11) for a complete list of
installation tasks.

IN THIS CHAPTER

ERPM Management Console Installation Notes ................................... 183


Install the Enterprise Random Password Manager 5.5.1 Management
Console .................................................................................................. 185
Complete the Mini-Setup Wizard .......................................................... 193

4.1 ERPM MANAGEMENT CONSOLE INSTALLATION NOTES


Quick Notes
Prior to installation, review Host System Requirements (on page 19) to verify that system
prerequisites have been met.
If the system will host the website, a full installation of IIS with all of its prerequisites is
required. See Web Application Requirements (on page 22) for details.
If the web server will be hosted on a remote system and the website will be pushed out from
the console host to the remote web server, then IIS Management and IIS 6 Metabase
Compatibility are required on the ERPM console host.
If the console host will manage other IIS web servers running IIS 7 (2008) or later (including
2012 R2), then IIS Management is required.
Admin privileges are required on the ERPM host.

4.2 INSTALL THE ENTERPRISE RANDOM PASSWORD MANAGER 5.5.1 MANAGEMENT CONSOLE

Follow these steps to install the Enterprise Random Password Manager management console. To
complete this installation you must be able to log in to the server with an account that has local
administrative rights.

Before you Begin


Carefully review the Release Notes. The Release Notes contain important information regarding
prerequisites for the release, as well as known issues and workarounds.
Check the Understanding Prerequisites (on page 18) section of this manual. Consult Host System
Requirements (on page 19) specifically to verify that your host server meets the current
installation requirements.

Launch the Installer


1) Launch the installer and follow the prompts to choose an installation directory.
2) The Welcome screen displays.

Click Next.

3) The "License Agreement" screen displays.


Read the license agreement and click I accept the license agreement to continue.

Click Next.
4) The "User Information" screen displays.

Enter the registration information and click Next.

5) The "Select Features" screen displays.


Enterprise Random Password Manager: Installs the ERPM application.

Additional options are:

RSA SecurID (64-bit): Installs support for RSA SecurID.

AutoIT Script Application Launch Scripting: Used when the optional application launcher is
installed and it is desired to automate launching of thick client applications for which there are
no command line parameters.

PuTTY Terminal Emulator: Installs the free and open-source terminal emulation program. This
is helpful for connecting to non-Windows targets, such as Linux and UNIX hosts. It may also be
used for application launching to non-Windows systems.

PDF Encoder (wkhtmltopdf): Installs wkhtmltopdf, an open source utility that renders HTML
into PDF. Used to output compliance reports as PDF files.

Choose the installation directory and click Next.



6) The "CLR COM+ Identity Information" screen displays.


Specify a user account to be used by the Liebsoft CLR application. This identity is used to
connect ERPM to cloud services, such as Amazon Web Services (AWS), Microsoft Azure,
RackSpace Public Cloud, and others. This is not the login credential used to connect to the target
cloud service. Rather, this credential is for the intermediary COM+ application that ERPM
requires to make connections to the Internet. This identity may also require file system access
depending on the cloud services to be managed.
We recommend choosing either Network Service or defining a specific user identity to run the
application because these options can be configured with minimal rights.
Choose from the following:
Interactive User: Use the same logon information as the calling identity. This is an
administrator-level account because the calling identity will either be the admin running the
console or the ERPM deferred processor service account. This option requires the least
configuration, but provides significantly more privileges than are required.

Network Service (Recommended; however, do not choose this option if you need proxy server
support for cloud account stores.): Use the Network Service account. For this option you do not
have to manage a password or grant additional rights.

Local Service: Use the Local Service account. For this option you do not have to manage a
password or grant additional rights, although in some cloud management cases you may need
to grant additional permissions on the file system. The Local Service account has many more
rights and privileges than Network Service.

This User (If ERPM will go through a proxy server to manage cloud account stores, choose this
option. See Configuring ERPM to Manage Cloud Account Stores Through a Proxy Server for
more information.): Use the supplied user name and password. This user could be a local
account that is configured to never authenticate to any other machine in the network (unlike
Network Service or Local Service), but it does represent another account to manage a credential
for. In some cloud management cases, you may need to grant it additional permissions on the
file system. This account also needs the Log on as a batch job right granted to it.

Click Next.

7) If you opted to install support for RSA SecurID, the "RSA COM+ Identity Information" screen
displays.

Specify the user account and password to be used by the Liebsoft SecurID COM+ application.

Click Next.

8) The installer is now ready to install Enterprise Random Password Manager.

Click Next to start the installation.


The installer will copy to the destination directory all the required files and components needed
to run the application. It will also install the ERPM web client and the deferred processing
service. Finally, the installer will create shortcuts on the Windows desktop and Start menu.

The following status screen displays.

Click Finish to close the installer.

Note: We recommend not deleting the Roulette.MSI installer until all ERPM
functionality has been exercised and confirmed to work.

Next Steps
Launch the application after installation is complete to start the mini-setup wizard. See
Complete the Mini-Setup Wizard (on page 193) for more information.

4.3 COMPLETE THE MINI-SETUP WIZARD


The first time Enterprise Random Password Manager is run, a mini-setup wizard runs through a
series of pages that handle the configuration of the various components of the tool. Each page of
the wizard configures a different component, and all of the component setup steps are
optional except the first, which configures the database for the program data store. This setup
wizard can be run again after completing it from the Settings > Re-Run Setup Wizard menu item.
The first page is the database setup page. This step is mandatory, but the settings can be changed
later by re-running the setup wizard from the Settings menu, or at any time by going to
Settings > Datastore Configuration...

This page will show the current database settings used by the solution and whether or not the
database can be contacted using those settings. Of the pages in the setup wizard, this is the only
required step, as the solution cannot operate without a connection to the database it will use for its
data store. When ERPM is run for the first time, these settings will not be initialized and must be
provided by clicking the Change Settings button to configure ERPM to use the preferred database.

In the Database Datastore Configuration dialog, the connection to the database must be
configured. Settings and options are described in the Data Store Configuration subsection of this
document.
When finished configuring the database settings, click OK to save the settings and return to the
main console. ERPM will verify that it can connect to the database specified in the settings and that
all the table formats are current and correct. If a connection cannot be made or if the database
format is not correct, an error message indicating the problem will appear.
When this step is complete, the required steps for setup are complete. Click Next to continue.

The deferred processor service handles all background activity performed by the solution, such as
scheduled password change jobs and dynamic group updates. This is an optional component. The
deferred processor manages scheduled and automatic retries for password changes, password spins
performed by the ERPM web client, dynamic group update jobs, alerting, and periodic reporting.
Supply a Windows account for the service to run under. This account must have local administrative
rights and the right to log on as a service, as well as administrative rights on the systems being
managed. Once the account information is provided, click Launch Service to install and start the
deferred processor. After completing this step, the final optional step is e-mail setup.

Note: Configuration of the service account will cause ERPM to attempt to auto-grant the
required rights to the account to run as a service.

Alerts on program behavior or daily activity can be sent out via e-mail detailing activity. This is an
optional feature. In order to take advantage of these features, provide valid e-mail server settings.
For more information about setting up the e-mail settings, see the E-mail Server Settings Overview
section in the Administrators guide (included with the solution). After completing this step, proceed
to the alerting setup. If the step is skipped, a warning dialog will appear.

The only way to test the e-mail settings is to generate a report from ERPM. The easiest way to
generate a report once the console is installed is to go to the SystemsList menu and select the
option to Generate a report from display and email the report.

Enterprise Random Password Manager periodically checks the status of stored passwords and will
send out e-mail alerts detailing when the passwords were last changed, whether they currently are
valid, and when they are next scheduled to be changed again. These alerts can be turned on or off,
and depend on the deferred processing service being installed and running as well as the e-mail
settings being valid.

Once the setup wizard has completed the setup of the mandatory components, the Setup Complete
dialog is presented. From here, the encryption settings and the website can be configured. For more
information on these items, see the Configuring Encryption Settings and ERPM Web Client
Installation sections later in this manual.

Note: It is recommended to not deploy the website until after encryption has been
enabled and the license key has been applied.

Once setup is completed, click Finish and the management console will open with an empty default
group. To manage systems, the list must be populated with machines (see the admin guide for more
information).

Next Steps
Register Enterprise Random Password Manager after the product is installed and the Mini-Setup
is completed. Choose Help > Register and complete the form. See Register in the ERPM Admin
Guide for details.
To configure which users have rights to launch the console application, see Controlling Access to
the Admin Console.

Chapter 5
Upgrading ERPM to
Version 5.5.1
This chapter describes how to upgrade Enterprise Random Password Manager to version 5.5.1.

Important: See the Upgrade Roadmap (on page 13) for a complete list of upgrade
tasks.

IN THIS CHAPTER

Upgrade Notes ...................................................................................... 201


Upgrade ERPM to Version 5.5.1 ............................................................ 202
Upgrade the ERPM Web Client Application .......................................... 220
Upgrade the Zone Processor(s) ............................................................. 227
Upgrade the PowerShell Cmdlets ......................................................... 232
Upgrade the Legacy SDK Files ............................................................... 233
Upgrade the Application Launcher........................................................ 233

5.1 UPGRADE NOTES


You can directly upgrade from any prior version of Enterprise Random Password Manager to version
5.5.1. For example, you can upgrade from version 4.83.0 to version 5.5.1 without first having to
upgrade to an intermediate version of ERPM.
202 Upgrading ERPM to Version 5.5.1

Note: Upgrading ERPM causes your saved preferences to reset to default values. If you
configured ERPM to hide certain account store types, plan on reapplying those
settings following the upgrade.

Prior to upgrading, be sure to back up the program's database. During the upgrade, structures within
the database are updated and may no longer be compatible with older versions of the product.

If the program database is still running on SQL Server 2005 (or older), the database will need to
be re-hosted to SQL Server 2008 or newer prior to upgrade. For tips on how to move the
program database from one Microsoft SQL server to another, please refer to the following
article:

http://forum.liebsoft.com/forum/products/enterprise-random-password-manager/enterprise-random-password-manager-knowledgebase/185-how-to-move-your-program-database-to-a-new-server
If upgrading from version 4.83.4 or older and you are running ERPM on a Windows 2003 Server,
it is necessary to migrate the installation to a Windows Server 2008 R2 or later operating
system. Enterprise Random Password Manager is not supported on Windows Server 2008 (non
R2) and earlier. Contact a Lieberman Software account representative for more information.
Versions of the product prior to version 4.83.4 did not use ASP.NET. The ASP.NET IIS role feature
must be installed/enabled prior to upgrading to this version.
Starting with version 4.83.4, there are now charting and visualization controls available in the
user interface. These controls make use of Ajax, .NET, and jQuery. The product expressly makes
a call to .NET 4. Therefore, .NET 4 is a requirement for the ERPM web server.

5.2 UPGRADE ERPM TO VERSION 5.5.1


Complete these steps in the following order to ensure a proper upgrade to Enterprise Random
Password Manager 5.5.1. We recommend upgrading ERPM during a planned maintenance window
because some components either may not be available during the upgrade or should not be used
during the upgrade.

Before you Begin


Carefully review the Release Notes. The Release Notes contain important information regarding
prerequisites for the release, as well as known issues and workarounds.

Check the Understanding Prerequisites (on page 18) section of this manual to verify that your
host server meets the current installation requirements. Requirements are subject to change
between versions.
In a multi-console environment where not all consoles have configured email settings, upgrade a
console that already has email settings configured first. Otherwise, email settings will be lost until
manual intervention is taken. See the "Known Issues and Workarounds" section in the Release Notes
for details.

Stop the Website(s) in IIS


Disable the parent website that hosts the ERPM website.
1) Make note of all deployed web sites and open Internet Information Services Manager on those
systems:
a. Open the Run dialog using the Win+R keyboard shortcut.
b. Type inetmgr and press OK.
The Internet Information Services (IIS) Manager console opens.

2) In IIS 7, select the parent website and choose Stop from the right-hand actions pane.

The purpose is to stop all new connections and operations to the database and release the locks
on the COM object. If the website is stopped, it will need to be started following the upgrade.

Shutdown the COM Object in Component Services


1) On the web server host system, open the Component Services console:
a. Open the Run dialog using the Win+R keyboard shortcut.
b. Type dcomcnfg and press OK.
The Component Services console opens.

2) Expand the tree to COM+ Applications. (For example, choose Console Root > Component
Services > Computers > My Computer > COM+ Applications).
3) Find the PWCWebComApp COM application.
4) Right-click and choose Shutdown, then close the Component Services console.

This will stop the COM object from running and allow it to be updated. Once re-installed, the
COM object will start automatically following the first access to the password recovery website.

End rouletteproc.exe After it Finishes Running Jobs


An executable named rouletteproc.exe will be running in the task manager if a scheduled job was
running when the process started. It is best to wait for the job to finish before performing an
upgrade. If rouletteproc.exe is terminated, it will leave the job in an inconsistent state.
1) If there is no activity from rouletteproc.exe in the form of CPU or memory usage, and you
have monitored the process for a reasonable amount of time, select End process tree for
rouletteproc.exe.
2) Check the JOBS dialog for any jobs that are listed as running.

Clear the job locks prior to upgrade. Simply viewing the jobs will prompt to remove the lock if
the job is locked.

Stop the Deferred Processor


Stop the deferred processor (also referred to as the scheduling service) using the services snap-in or
the management console:

To use the services snap-in to stop the deferred processor:


a. Open the Run dialog using the Win+R keyboard shortcut.
b. Type services.msc and press OK.
The Services console opens.
c. The service name is Enterprise Random Password Manager Deferred Processing Service.
Right-click the service and choose Stop.

To stop the service from within the management console:


a. Choose Deferred Processing > Jobs Monitor.
The "Stored Jobs" dialog opens.
b. Click Deferred Processor on the left side of the screen.
The "Deferred Processor Status and Configuration" dialog opens.

c. Click Remove.

Stop all Zone Processors


All zone processors need to be updated as part of the upgrade process. For now, stop all of the zone
processors.
1) In the management console, click Jobs in the Action pane.
The "Stored Jobs" dialog opens.
2) Click Zone Processors on the left side of the screen.

The "Processing Services" dialog opens.


If no items are listed in this dialog, then no zone processors are installed.
3) Click to select all the zone processors, then right-click and choose Stop Service.

4) Close the ERPM management console.

Backup Your Database


We strongly recommend backing up your database. Refer to the documentation for your database
for details.
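The shutdown steps described above (stop the parent website in IIS, shut down the PWCWebComApp COM+ application, let rouletteproc.exe finish, stop the deferred processor) can be scripted so they run in the required order. The following PowerShell is an added example and is not Lieberman's own tooling; it assumes the parent IIS site is named "Default Web Site" and that the Windows service display name matches the one given in this guide. Zone processors are still stopped from the management console, and the database backup is done with your database's own tools, as this section states.

```powershell
# Added example (not Lieberman tooling): scripted pre-upgrade shutdown for ERPM.
# Run in an elevated PowerShell session on the ERPM host / web host.
$ErrorActionPreference = 'Stop'

$ParentSite  = 'Default Web Site'   # ASSUMPTION: IIS site that hosts the ERPM web client
$ComPlusApp  = 'PWCWebComApp'       # COM+ application name given in this guide
$ServiceName = 'Enterprise Random Password Manager Deferred Processing Service'

# 1. Stop the parent website so no new web sessions reach the database.
Import-Module WebAdministration
if ((Get-Website -Name $ParentSite).State -ne 'Stopped') {
    Stop-Website -Name $ParentSite
}
Write-Host ("IIS site '{0}' is now {1}" -f $ParentSite, (Get-Website -Name $ParentSite).State)

# 2. Shut down the COM+ application so its DLLs are not locked during the upgrade.
#    COMAdmin.COMAdminCatalog is the same COM+ catalog that dcomcnfg manages.
$catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'
$catalog.ShutdownApplication($ComPlusApp)
Write-Host "COM+ application '$ComPlusApp' shut down"

# 3. Let rouletteproc.exe finish. Ending it mid-job leaves the job inconsistent,
#    so only end it after its CPU time has stopped increasing for several samples.
function Wait-RouletteProc {
    param([int]$IdleSamples = 6, [int]$IntervalSeconds = 30)
    $idle = 0
    $lastCpuMs = -1
    while ($true) {
        $procs = Get-Process -Name 'rouletteproc' -ErrorAction SilentlyContinue
        if (-not $procs) { return 'exited' }
        $cpuMs = ($procs | ForEach-Object { $_.TotalProcessorTime.TotalMilliseconds } |
                  Measure-Object -Sum).Sum
        if ($cpuMs -eq $lastCpuMs) { $idle++ } else { $idle = 0 }
        if ($idle -ge $IdleSamples) {
            # Same effect as "End process tree" in Task Manager.
            foreach ($p in $procs) { taskkill.exe /PID $p.Id /T /F | Out-Null }
            return 'ended-after-idle'
        }
        $lastCpuMs = $cpuMs
        Start-Sleep -Seconds $IntervalSeconds
    }
}
Write-Host ("rouletteproc.exe: {0}" -f (Wait-RouletteProc))

# 4. Stop the deferred processor (scheduling service) and wait until it reports Stopped.
$svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -InputObject $svc
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}
if ($svc) {
    $svc.Refresh()
    Write-Host "Deferred processor service: $($svc.Status)"
} else {
    Write-Host 'Deferred processor service is not installed on this host'
}
```

The idle check in Wait-RouletteProc is deliberately conservative: with the defaults it waits three minutes of unchanged CPU time before ending the process, which matches the guide's advice to monitor rouletteproc.exe for a reasonable amount of time rather than terminate it immediately.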

Run the Setup Installer


1) The Welcome screen displays.
Click Next to continue.

2) The License Agreement screen displays.


Read the licensing agreement (EULA) and click I accept the license agreement to continue.

Click Next.
3) The Upgrade Check screen displays.

This screen prompts you to verify that you have taken the required steps to prevent installation
issues. Click READ ME! and read the instructions. Select each check box to verify that you have
performed each required step.
Click Next.

4) The User Information screen displays.


If the registration information has changed, re-enter it here.

Click Next.

5) The "Select Features" screen displays.


Enterprise Random Password Manager - Installs the ERPM application.

Additional options are:

RSA SecurID (64-bit) - Installs support for RSA SecurID.

AutoIT Script Application Launch Scripting - Used when the optional application launcher is
installed and it is desired to automate launching of thick client applications for which there are
no command line parameters.

PuTTY Terminal Emulator - Installs the free and open-source terminal emulation program. This
is helpful for connecting to non-Windows targets, such as Linux and UNIX hosts. It may also be
used for application launching to non-Windows systems.

PDF Encoder (wkhtmltopdf) - Installs wkhtmltopdf, an open source utility that renders HTML
into PDF. Used to output compliance reports as PDF files.

Click Browse to choose the installation folder. This should be the same folder where ERPM is
currently installed.

Click Next.

6) The "CLR COM+ Identity Information" screen displays.


Specify a user account to be used by the Liebsoft CLR application. This identity is used to
connect ERPM to cloud services, such as Amazon Web Services (AWS), Microsoft Azure,
RackSpace Public Cloud, and others. This is not the login credential used to connect to the target
cloud service. Rather, this credential is for the intermediary COM+ application that ERPM
requires to make connections to the Internet. This identity may also require file system access
depending on the cloud services to be managed.
We recommend choosing either Network Service or defining a specific user identity to run the
application because these options can be configured with minimal rights.
Choose from the following:
Interactive User - Use the same logon information as the calling identity. This is an
administrator-level account because the calling identity will either be the admin running the
console, or the ERPM deferred processor service account. This option requires the least
configuration, but provides significantly more privileges than are required.

Network Service - (Recommended; however, do not choose this option if you need proxy server
support for cloud account stores.) Use the Network Service account. For this option you do not
have to manage a password or grant additional rights.

Local Service - Use the Local Service account. For this option you do not have to manage a
password or grant additional rights, although in some cloud management cases you may need
to grant additional permissions on the file system. The Local Service account has many more
rights and privileges than Network Service.

This User - (If ERPM will go through a proxy server to manage cloud account stores, choose this
option. See Configuring ERPM to Manage Cloud Account Stores Through a Proxy Server for
more information.) Use the supplied user name and password. This user could be a local
account that is configured to never authenticate to any other machine in the network (unlike
Network Service or Local Service), but it does represent another account whose credential must
be managed. In some cloud management cases, you may need to grant it additional permission
on the file system. This account also needs the "Log on as a batch job" right granted to it.

Click Next.

7) If you opted to install support for RSA SecurID, the "RSA COM+ Identity Information" screen
displays.
Specify the user account and password to be used by the Liebsoft SecurID COM+ application.

Click Next.

8) The installer is now ready to install Enterprise Random Password Manager.

Click Next. The new files will be copied to your system.



The following status screen displays.

Click Finish to close the install wizard.

Note: We recommend not deleting the Roulette.MSI installer until all ERPM
functionality has been exercised and confirmed to work.

Open the Management Console and Verify the Installation


After the upgrade is complete, open the console. This step will upgrade the database and may take
some time. Previously scheduled recurring jobs may fail if this step is not taken.

Choose Help > About and validate the new version number and build number.

Go to Settings > Application Components and validate that all components are listed as valid.

Next Steps
See the Upgrade Roadmap (on page 13) for the complete list of upgrade steps.

Upgrade the ERPM Web Client Application (on page 220)


Upgrade the Zone Processor(s) (on page 227)
Install / Upgrade the ERPM Web Service (on page 247)
Upgrade the PowerShell Cmdlets (on page 232)

Upgrade the Legacy SDK Files (on page 233)


Upgrade the Application Launcher (on page 233)

5.3 UPGRADE THE ERPM WEB CLIENT APPLICATION


Start IIS
1) Open Internet Information Services Manager.
a. Open the Run dialog using the Win+R keyboard shortcut.
b. Type inetmgr and press OK.
The Internet Information Services (IIS) Manager console opens.
2) In IIS 7, select the parent website and choose Start from the right-hand actions pane.

Install the ERPM Web Client Application


The web client installation must be re-run to update the COM objects and web pages associated
with the web application. The web application may be installed over existing versions of the web
application, assuming that the COM+ application name and the virtual directory names are the
same. To change the name or path of installed components, remove the existing installation first
and then perform a re-install of the web application.

To Install the ERPM Web Client Application


1) Open the console and choose Delegation > Authentication Servers.
The "Authentication Servers" dialog opens.
Click OK to close the dialog.
This step populates the database with the proper authentication options for the web client.
2) In the management console, click Manage Web App on the Actions pane.
The "Manage Web Application Instances" dialog opens.
3) Click Install to begin the upgrade of the web client.

The "Install Web Application" dialog opens.

4) Locate the COM+ application password field and enter the password for the COM+ application
account.
5) Review the other fields on the form and verify that the settings are correct.
6) Click Install at the bottom of the dialog.
ERPM will replace/update all the files associated with the website, including the COM object.
7) Click Yes when the installer asks if you would like to launch the web application in a browser.
Note: You can close the browser after verifying that the web application opened properly.

INSTALL THE ERPM WEB CLIENT INTEGRATION COMPONENTS (OPTIONAL)


If you installed the web client to a remote system, be aware that several features require additional
components that can only be installed by copying the IntegrationComponents.msi installer to the
target server and then running the installer locally. The Integration Components provide support
for:

Email
Event Sinks
Help desk ticketing systems, such as SCSM, HPSM, BMC Remedy, JIRA, OTRS, ServiceNow, and
CA Service Desk
If you previously installed the integration components, upgrade them to the latest version now.

To Install the Integration Components


1) Copy the IntegrationComponents.msi installer from the SupplementalInstallers folder and
install it on the target web host system.
The SupplementalInstallers folder is typically located here:
\Program Files (x86)\Lieberman\Roulette\SupplementalInstallers
2) Double-click IntegrationComponents.msi to run the installer.
The Welcome screen displays.

Click Next.
3) The "License Agreement" screen displays.

Read the license agreement and click I accept the license agreement to continue.

Click Next.
4) The "Destination Folder" screen displays.

Select a folder where the Integration Components should be installed.

5) Click Next.
6) The "CLR COM+ Identity Information" screen displays.
Specify a user account to be used by the Liebsoft CLR application. This identity is used to
connect ERPM to cloud services, such as Amazon Web Services (AWS), Microsoft Azure,
RackSpace Public Cloud, and others. This is not the login credential used to connect to the target
cloud service. Rather, this credential is for the intermediary COM+ application that ERPM
requires to make connections to the Internet. This identity may also require file system access
depending on the cloud services to be managed.
We recommend choosing either Network Service or defining a specific user identity to run the
application because these options can be configured with minimal rights.
Choose from the following:
Interactive User - Use the same logon information as the calling identity. This is an
administrator-level account because the calling identity will either be the admin running the
console, or the ERPM deferred processor service account. This option requires the least
configuration, but provides significantly more privileges than are required.

Network Service - (Recommended; however, do not choose this option if you need proxy server
support for cloud account stores.) Use the Network Service account. For this option you do not
have to manage a password or grant additional rights.

Local Service - Use the Local Service account. For this option you do not have to manage a
password or grant additional rights, although in some cloud management cases you may need
to grant additional permissions on the file system. The Local Service account has many more
rights and privileges than Network Service.

This User - (If ERPM will go through a proxy server to manage cloud account stores, choose this
option. See Configuring ERPM to Manage Cloud Account Stores Through a Proxy Server for
more information.) Use the supplied user name and password. This user could be a local
account that is configured to never authenticate to any other machine in the network (unlike
Network Service or Local Service), but it does represent another account whose credential must
be managed. In some cloud management cases, you may need to grant it additional permission
on the file system. This account also needs the "Log on as a batch job" right granted to it.

7) Click Next.

8) The installer is now ready to install the Integration Components.

Click Next to start the installation.

5.4 UPGRADE THE ZONE PROCESSOR(S)


Complete the steps in this section to install the Version 5.5.1 zone processor updates.

Note: Before updating a zone processor, see the Release Notes to learn about the .NET
Framework version requirements.

STOP THE DEFAULT DEFERRED PROCESSOR


Before installing a zone processor, stop the default deferred processor from processing password
change jobs. The default deferred processor has no concept of zones and will attempt to handle all
scheduled password change jobs. The default deferred processor will preempt the zone processor,
causing WAN utilization to be higher, and there may be issues with firewalls blocking
communications, which will cause scheduled jobs to fail.

To Stop the Default Deferred Processor


Stop the deferred processor (also referred to as the scheduling service) using the services snap-in or
the management console:

To use the services snap-in to stop the deferred processor:


a. Open the Run dialog using the Win+R keyboard shortcut.
b. Type services.msc and press OK.
The Services console opens.
c. The service name is Enterprise Random Password Manager Deferred Processing Service.
Right-click the service and choose Stop.

To stop the service from within the management console:


a. Choose Deferred Processing > Jobs Monitor.
The "Stored Jobs" dialog opens.
b. Click Deferred Processor on the left side of the screen.
The "Deferred Processor Status and Configuration" dialog opens.

c. Click Remove.

UPDATING VERSION 5.4 ZONE PROCESSOR FILES TO VERSION 5.5.1


If you are upgrading to version 5.5.1 from version 5.4, you can manually copy the following zone
processor executables from the ERPM host system to each zone processor system:
- rouletteProc.exe
- rouletteSked.exe
- ipwork8.dll
- ipworksssh8.dll
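The manual copy of the four files above can be done from the ERPM host in one pass, with a check that each copied file matches the source. The following PowerShell is an added example, not Lieberman's own tooling; the zone processor host names and the remote install path reached through the C$ administrative share are assumptions, and Get-FileHash needs Windows PowerShell 4.0 or later. Run it only after all zone processors have been stopped from the management console (see "Stop all Zone Processors" earlier in this chapter): a file that is still locked by a running zone processor will make the copy fail rather than silently leave an old binary in place.

```powershell
# Added example (not Lieberman tooling): copy the 5.5.1 zone processor files
# listed above from the ERPM host to each zone processor system and verify the copy.
$ErrorActionPreference = 'Stop'

$SourceDir = 'C:\Program Files (x86)\Lieberman\Roulette'   # ERPM install folder from this guide
$Files     = 'rouletteProc.exe', 'rouletteSked.exe', 'ipwork8.dll', 'ipworksssh8.dll'

# ASSUMPTIONS: zone processor host names, and the install path reached via the admin share.
$ZoneHosts  = 'zp-site-a', 'zp-site-b'
$RemoteRoot = 'C$\Program Files (x86)\Lieberman\Roulette'

function Get-FileVersionOrMissing([string]$Path) {
    if (Test-Path -LiteralPath $Path) { (Get-Item -LiteralPath $Path).VersionInfo.FileVersion }
    else { '<missing>' }
}

function Update-ZoneProcessorFiles {
    param([string[]]$Hosts, [string[]]$Names)
    foreach ($zpHost in $Hosts) {
        $destDir = "\\$zpHost\$RemoteRoot"
        if (-not (Test-Path -LiteralPath $destDir)) {
            Write-Warning "${zpHost}: $destDir is not reachable, skipping"
            continue
        }
        foreach ($name in $Names) {
            $src = Join-Path $SourceDir $name
            $dst = Join-Path $destDir $name
            $before = Get-FileVersionOrMissing $dst
            # A locked destination here means the zone processor service is still running.
            Copy-Item -LiteralPath $src -Destination $dst -Force
            [pscustomobject]@{
                Host     = $zpHost
                File     = $name
                Before   = $before
                After    = Get-FileVersionOrMissing $dst
                Verified = ((Get-FileHash -LiteralPath $src).Hash -eq (Get-FileHash -LiteralPath $dst).Hash)
            }
        }
    }
}

$report = Update-ZoneProcessorFiles -Hosts $ZoneHosts -Names $Files
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Verified }) {
    throw 'One or more zone processor files did not copy cleanly; do not restart those zone processors.'
}
```

The Before/After columns give you the file version on each zone processor before and after the copy, which is a quick way to confirm that every zone processor is on the same build as the ERPM host before the services are started again.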

UPDATING ZONE PROCESSOR FILES OLDER THAN VERSION 5.4


If you are upgrading from a version older than version 5.4, use the following steps to upgrade zone
processors.
1) Uninstall the zone processor(s). See Uninstalling a Zone Processor in the ERPM Admin Guide for
details.
2) Read Determining Which Method to use to Install Zone Processors in the ERPM Admin Guide.
3) Install the zone processor on each system. See Installing a Zone Processor in the ERPM Admin
Guide for installation steps.
4) Install the version 5.5.1 Cross-Platform Support Library on each zone processor (if required).
See Configuring Zone Processors in the ERPM Admin Guide for details.
5) Install the version 5.5.1 Integration Components on each zone processor (if required). See
Configuring Zone Processors in the ERPM Admin Guide for details.
6) Configure zone processors to work with response files and system integrations. See Configuring
Zone Processors in the ERPM Admin Guide for details.

Start the Deferred Processor


After updating the zone processor(s), start the deferred processor.

To Start The Default Deferred Processor


Start the deferred processor (also referred to as the scheduling service) using the services snap-in or
the management console:

To use the services snap-in to start the deferred processor:


a. Open the Run dialog using the Win+R keyboard shortcut.
b. Type services.msc and press OK.
The Services console opens.
c. The service name is Enterprise Random Password Manager Deferred Processing Service.
Right-click the service and choose Start.

To start the service from within the management console:


a. Choose Deferred Processing > Jobs Monitor.
The "Stored Jobs" dialog opens.

b. Click Deferred Processor on the left side of the screen.


The "Deferred Processor Status and Configuration" dialog opens.
c. Click Install.
Following installation a prompt asks you to start the service. Click Yes.

Start all Zone Processors


After starting the default deferred processor, start the zone processor(s).

To Start the Zone Processor(s)


1) Open the management console and click Jobs in the Action pane.
The "Stored Jobs" dialog opens.
2) Click Zone Processors on the left side of the screen.
The "Processing Services" dialog opens.
3) Ctrl+click to select one or more zone processors, then right-click and choose Start Service.

5.5 UPGRADE THE POWERSHELL CMDLETS


This task is only required if you are using (or plan to use) the PowerShell cmdlets for ERPM. Perform
this task after you upgrade ERPM to version 5.5.1.

1) Upgrade the ERPM Web Service.


Before you upgrade the PowerShell cmdlets, complete the ERPM web service upgrade task. See
Install / Upgrade the ERPM Web Service (on page 247) for details.
2) Close all PowerShell Sessions.
All PowerShell sessions must be closed before performing the next step.
3) Distribute the DLLs.
The PowerShell cmdlets DLL file is located in the following location:
<ERPM Installation Directory>\SupplementalInstallers\LSCPowerShellCmdlets\LSClientAgentCommandlets\LSClientAgentCommandlets.dll
Simply copy over and replace the file on any systems or user profiles that use the PowerShell
cmdlets, for example:
copy "C:\Program Files (x86)\Lieberman\Roulette\SupplementalInstallers\LSCPowerShellCmdlets\LSClientAgentCommandlets\LSClientAgentCommandlets.dll" "C:\Users\lscadmin\Documents\WindowsPowerShell\Modules\LSClientAgentCommandlets\LSClientAgentCommandlets.dll"
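On a machine where several user profiles carry the cmdlets module, the copy above has to be repeated per profile, and it only succeeds if no PowerShell session still has the old DLL loaded (step 2). The following PowerShell is an added example, not Lieberman's own tooling; it assumes the default per-user module location shown in the copy command above and that user profiles live under C:\Users. Get-FileHash needs Windows PowerShell 4.0 or later.

```powershell
# Added example (not Lieberman tooling): refresh the cmdlets DLL in every user
# profile module folder on this machine, after checking no other session has it loaded.
$ErrorActionPreference = 'Stop'

$Source = 'C:\Program Files (x86)\Lieberman\Roulette\SupplementalInstallers\LSCPowerShellCmdlets\LSClientAgentCommandlets\LSClientAgentCommandlets.dll'
$ModuleRelPath = 'Documents\WindowsPowerShell\Modules\LSClientAgentCommandlets'   # per-user module path from this guide

function Assert-NoOtherPowerShellSessions {
    # Step 2 above: a loaded DLL cannot be overwritten, so refuse to continue
    # while other powershell.exe / powershell_ise.exe processes exist.
    $others = Get-Process -Name 'powershell', 'powershell_ise' -ErrorAction SilentlyContinue |
              Where-Object { $_.Id -ne $PID }
    if ($others) {
        throw "Close these PowerShell sessions first (PIDs: $($others.Id -join ', '))"
    }
}

function Update-CmdletsDll {
    param([string]$SourceDll, [string]$RelativeModulePath)
    $srcHash = (Get-FileHash -LiteralPath $SourceDll).Hash
    $dllName = Split-Path -Leaf $SourceDll
    # Only profiles that already use the cmdlets get the new file.
    foreach ($userDir in Get-ChildItem -LiteralPath 'C:\Users' -Directory) {
        $dst = Join-Path (Join-Path $userDir.FullName $RelativeModulePath) $dllName
        if (-not (Test-Path -LiteralPath $dst)) { continue }
        $beforeHash = (Get-FileHash -LiteralPath $dst).Hash
        if ($beforeHash -ne $srcHash) {
            Copy-Item -LiteralPath $SourceDll -Destination $dst -Force
        }
        [pscustomobject]@{
            Profile  = $userDir.Name
            Updated  = ($beforeHash -ne $srcHash)
            Verified = ((Get-FileHash -LiteralPath $dst).Hash -eq $srcHash)
        }
    }
}

Assert-NoOtherPowerShellSessions
Update-CmdletsDll -SourceDll $Source -RelativeModulePath $ModuleRelPath | Format-Table -AutoSize
```

Comparing hashes rather than timestamps means a profile that was already updated by hand shows Updated = False and Verified = True, so the script can be re-run safely after the upgrade of any remaining systems.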

5.6 UPGRADE THE LEGACY SDK FILES


This task is only required if you are using (or plan to use) the legacy SDK. Perform this task after you
upgrade ERPM to version 5.5.1.
The legacy SDK files are located in the ERPM installation directory. Simply copy over and replace the
following files on any client systems using the ERPM legacy SDK components.

RouletteCilentAgentConsole.exe
RouletteClientAgentDll.dll

5.7 UPGRADE THE APPLICATION LAUNCHER


This task is only required if you are using (or plan to use) the application launcher and session
recording components. Perform this task after you upgrade ERPM to version 5.5.1.
1) Upgrade the ERPM Web Service.
Before you upgrade the application launcher and session recording components, complete the
ERPM web service upgrade task. See Install / Upgrade the ERPM Web Service (on page 247) for
details.

2) Run the ERPM Remote Launcher Installer.


Run ERPMRemoteLauncherInstaller.exe on the application launcher server and video
transcoder servers. All previous settings are maintained. During the installation you will need
the service account password used for the ERPM services.

Chapter 6
Installing the Web Service
The web service portion of the Enterprise Random Password Manager program must be installed
separately (unlike the legacy SDK). Install the web service prerequisites first, then install the web
service with the installation wizard.
See the Installation Roadmap (on page 11) for a complete list of installation tasks.

IN THIS CHAPTER

Installing Prerequisites for the Web Service on Windows Server 2012 235
Installing Prerequisites for the Web Service on Windows Server 2008
R2........................................................................................................... 242
Install / Upgrade the ERPM Web Service .............................................. 247
Running the Web Service Tester ........................................................... 257

6.1 INSTALLING PREREQUISITES FOR THE WEB SERVICE ON WINDOWS SERVER 2012

The web service requires that the Microsoft .NET Framework version 4.x be installed.
The web service must be installed on a system that either has the ERPM web client installed, or that
has the ERPM web client registry installed. If the ERPM web client is already installed, there is no
need to import an additional registry configuration. If the SDK web server will not host the ERPM
web client, export the web client configuration from the ERPM management console and import it
to the system hosting the web service.
236 Installing the Web Service

To update the web client settings, open the management console and go to Settings > Manage Web
Application > Manage Web Application instances. Select the web client instance and choose Export
Web App Registry Config from the Advanced menu. This will save the configuration to a registry file
that can then be manually imported into the desired web server(s).

Important! ERPM is a 32-bit application, as is the web service. The registry paths
that are exported from the management console will point to an
incorrect location if this step is performed. Specifically, on a 64-bit
system, 64-bit applications will point to
HKLM\Software\-ApplicationName-\. Conversely, a 32-bit
application will configure its registry settings at
HKLM\Software\WoW6432Node\-Application-\. To manually import
this registry file onto another 64-bit system, modify the exported file
with a text editor by changing file paths with the string
Software\Lieberman to use the replacement string
Software\WoW6432Node\Lieberman. Then import the file.

Any time you change ERPM encryption settings or change any of the web client options, you must
update the web client settings. See Updating ERPM Web Client Settings in the ERPM Admin Guide
for details.

Configure the ERPM Web Host for Web Services


The SDK web service requires that additional supporting roles/features be available on the
Enterprise Random Password Manager web host.
1) For Windows Server 2012, open Server Manager and choose to Add roles and features.
2) On the "Select installation type" dialog, select Role-based or feature-based installation, and
click Next.
3) On the "Select destination server" dialog, choose the ERPM server and click Next.
4) On the "Select server roles" dialog, expand the Application Server role and select the following
options:
Web Server (IIS) Support

HTTP Activation, which is located under Windows Process Activation Service Support

5) If prompted, click Add Features to add anything missing. Then click Next.

6) Click Next on the Features page.



7) Click Install on the Confirm installation selections page.

8) Click Close when the installation is complete.


Now install the web service. See Installing the Web Service With the Installation Wizard.

6.2 INSTALLING PREREQUISITES FOR THE WEB SERVICE ON WINDOWS SERVER 2008 R2

The web service requires that the Microsoft .NET Framework version 4.x be installed.
The web service must be installed on a system that either has the ERPM web client installed, or that
has the ERPM web client registry installed. If the ERPM web client is already installed, there is no
need to import an additional registry configuration. If the SDK web server will not host the ERPM
web client, export the web client configuration from the ERPM management console and import it
to the system hosting the web service.

To update the web client settings, open the management console and go to Settings > Manage Web
Application > Manage Web Application instances. Select the web client instance and choose Export
Web App Registry Config from the Advanced menu. This will save the configuration to a registry file
that can then be manually imported into the desired web server(s).

Note: ERPM is a 32-bit application, as is the web service. If the exported configuration must
be imported on another system, the registry paths in the exported file will point to the
wrong location. Specifically, on a 64-bit system a 64-bit application stores its settings
under HKLM\Software\-ApplicationName-\, whereas a 32-bit application stores its registry
settings under HKLM\Software\WoW6432Node\-Application-\. To manually import this registry
file onto another 64-bit system, open the exported file in a text editor, replace every path
that reads Software\Lieberman with Software\WoW6432Node\Lieberman, and then import the
file.
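The path rewrite described in the note can be scripted rather than done by hand in a text editor. The following PowerShell function is an added example written for this guide; it is not part of ERPM or a Lieberman tool. The function name and the file paths are assumptions; only the key prefix it rewrites (Software\Lieberman to Software\WoW6432Node\Lieberman) comes from the note above. It refuses to touch a file that is not a regedit export or that already targets WoW6432Node, and it preserves the UTF-16 encoding regedit expects.

```powershell
# Added example (not from the ERPM guide): rewrite an exported web client .reg file so its
# keys land under the 32-bit registry view (WoW6432Node) when imported on another 64-bit host.
# The function name and the sample paths are assumptions; pass your own file names.
function Convert-RegExportToWow6432 {
    param(
        [Parameter(Mandatory = $true)][string]$InputReg,
        [Parameter(Mandatory = $true)][string]$OutputReg
    )

    # .NET file APIs resolve relative paths against the process directory, not the
    # PowerShell location, so make both paths absolute first.
    $inPath = (Resolve-Path -LiteralPath $InputReg).Path
    if (-not [System.IO.Path]::IsPathRooted($OutputReg)) {
        $OutputReg = Join-Path (Get-Location).Path $OutputReg
    }

    # ReadAllText honours the byte-order mark, so a UTF-16LE regedit export reads correctly.
    $text = [System.IO.File]::ReadAllText($inPath)
    if ($text -notmatch '^\s*Windows Registry Editor Version 5\.00') {
        throw "$InputReg does not look like a regedit export."
    }
    if ($text -match 'WoW6432Node\\Lieberman') {
        throw "$InputReg already targets WoW6432Node; refusing to rewrite it twice."
    }

    # Only key headers are rewritten: lines such as [HKEY_LOCAL_MACHINE\SOFTWARE\Lieberman\...]
    # (a leading '-' marks a key deletion and is kept). Matching is case-insensitive because
    # exports may spell the hive path as SOFTWARE or Software.
    $pattern     = '(?im)^(\[-?HKEY_LOCAL_MACHINE\\Software\\)(Lieberman)'
    $replacement = '${1}WoW6432Node\${2}'
    $changed = [regex]::Matches($text, $pattern).Count
    if ($changed -eq 0) {
        throw "No HKEY_LOCAL_MACHINE\Software\Lieberman keys found in $InputReg."
    }
    $rewritten = [regex]::Replace($text, $pattern, $replacement)

    # Write back as UTF-16LE with a BOM, the format regedit produces and accepts.
    [System.IO.File]::WriteAllText($OutputReg, $rewritten, [System.Text.Encoding]::Unicode)
    Write-Host "Rewrote $changed key path(s) into $OutputReg"
    return $changed
}

# Usage (paths are placeholders):
# Convert-RegExportToWow6432 -InputReg 'C:\temp\erpm-webclient-export.reg' -OutputReg 'C:\temp\erpm-webclient-wow64.reg'
```

Import the rewritten file with regedit on the target host, then confirm the keys appear under HKLM\Software\WoW6432Node\Lieberman. The exported file carries the web client's configuration, so keep it where only administrators can read it and remove both copies once the import is verified.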

Any time you change ERPM encryption settings or change any of the web client options, you must
update the web client settings. See Updating ERPM Web Client Settings in the ERPM Admin Guide
for details.
Usage of the SDK web service requires additional supporting roles/features to be available on the
ERPM web host.
For Windows Server 2008 R2, open Server Manager and choose to Add roles and features. Expand
the Application Server role and select HTTP Activation under Windows Process Activation
Service Support.
If prompted, click Add Features to add anything missing. Then click Next.
Click Install on the Confirm installation selections page.
Click Close when the installation is complete.


Now install the web service. See Installing the Web Service With the Installation Wizard.
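The Server Manager steps for Windows Server 2012 (Web Server (IIS) Support plus HTTP Activation) and for Windows Server 2008 R2 (HTTP Activation) can also be checked and applied from an elevated PowerShell prompt. The script below is an added example, not part of the ERPM installer or the guide. It uses the ServerManager module's Get-WindowsFeature and Add-WindowsFeature cmdlets; the feature names AS-Web-Support and AS-HTTP-Activation are my assumption of how those two Application Server options are named, so confirm them with Get-WindowsFeature before relying on the script.

```powershell
# Added example (not from the ERPM guide): verify that the Application Server role components the
# SDK web service needs are present and add only what is missing. Run elevated on the ERPM web host.
# Feature names are assumptions; check them with: Get-WindowsFeature -Name AS-*
Import-Module ServerManager

# Application Server role components the guide asks for:
#   AS-Web-Support     -> Web Server (IIS) Support
#   AS-HTTP-Activation -> HTTP Activation (under Windows Process Activation Service Support)
# On 2008 R2 only HTTP Activation is listed; the extra feature is harmless there but can be dropped.
$required = @('AS-Web-Support', 'AS-HTTP-Activation')

$state   = Get-WindowsFeature -Name $required
$missing = @($state | Where-Object { -not $_.Installed })

if ($missing.Count -eq 0) {
    Write-Host 'All required features are already installed.'
} else {
    $names = @($missing | ForEach-Object { $_.Name })
    Write-Host ('Installing: ' + ($names -join ', '))
    # Add-WindowsFeature resolves required parent features itself, which is what the wizard's
    # "Add Features" prompt does interactively.
    $result = Add-WindowsFeature -Name $names
    if (-not $result.Success) {
        throw 'Feature installation failed; review Server Manager for details.'
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before the web service will work.'
    }
}

# Re-check and print the final state so it can be recorded with the change.
Get-WindowsFeature -Name $required | Format-Table Name, DisplayName, Installed -AutoSize
```

Keep the feature list to what the guide names: adding the whole Application Server role with every sub-feature widens the host's attack surface beyond what the web service needs.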

6.3 INSTALL / UPGRADE THE ERPM WEB SERVICE


The ERPM web service is only required if you are using (or plan to use) any of the following:
o The SOAP-based or REST-based ERPM web service.
o The PowerShell cmdlets for ERPM.
o The application launcher and session recording components.
Install or upgrade the ERPM web service after you install ERPM version 5.5.1.

Shutdown the COM Object in Component Services


If you are upgrading the ERPM web service, you will need the password of the COM identity (if it is
running as a real user account) later in the upgrade process.
1) On the web server host system, open the Component Services console:
a. Open the Run dialog using the Win+R keyboard shortcut.
b. Type dcomcnfg and press OK.
The Component Services console opens.
2) Expand the tree to COM+ Applications. (For example, choose Console Root > Component
Services > Computers > My Computer > COM+ Applications).
3) Find the Lieberman ERPM Web Service COM application.
4) Right-click and choose Shutdown, then close the Component Services console.

This will stop the COM object from running and allow it to be updated. Once re-installed, the
COM object will start automatically on the next call to the application.
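The Component Services steps above can be performed from PowerShell through the COM+ administration catalog, which is useful when the upgrade is scripted or when you want to record which identity the COM+ application runs as before touching it. The function below is an added example, not code from ERPM or the guide. It uses the COMAdmin.COMAdminCatalog COM object (its GetCollection, Populate and ShutdownApplication members) and the Identity property of the Applications collection; the application name defaults to the one given in step 3, and the function name is my own.

```powershell
# Added example (not from the ERPM guide): scripted equivalent of the dcomcnfg steps.
# It finds the ERPM web service COM+ application, reports the identity it runs as (so you
# know whether a real user account's password will be needed later in the upgrade), and
# shuts it down so the installer can replace it. Run elevated on the web server host.
function Stop-ErpmWebServiceComApp {
    param([string]$AppName = 'Lieberman ERPM Web Service')   # name from the guide; adjust if yours differs

    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()

    $app = $null
    foreach ($candidate in $apps) {
        if ($candidate.Name -eq $AppName) { $app = $candidate; break }
    }
    if ($null -eq $app) {
        throw "COM+ application '$AppName' not found; check the name in Component Services."
    }

    # 'Identity' is the account the COM+ application runs as: Network Service, the interactive
    # user, or a specific account. Record the account name, never its password.
    $identity = $app.Value('Identity')
    Write-Host "'$AppName' runs as: $identity"

    # Equivalent of right-click > Shutdown in the Component Services console.
    $catalog.ShutdownApplication($AppName)
    Write-Host "'$AppName' shut down; it starts again automatically on the next call after reinstall."
    return $identity
}

# Usage:
# $identity = Stop-ErpmWebServiceComApp
```

If the returned identity is a specific user account rather than Network Service or the interactive user, retrieve that account's password (from ERPM itself if ERPM manages it) before running the installer, as the upgrade prompts for it.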

Run the ERPM Web Service Installer


1) Open the SupplementalInstallers directory in the product installation directory (typically
\Program Files (x86)\Lieberman\Roulette\SupplementalInstallers).
2) Open ERPMWebService.exe to launch the installation wizard.
If you previously installed the web service, your previous settings are remembered except for the
logon identity.
3) Click Next on the Welcome screen.

4) On the "COM+ object identity" screen, specify the account to use to run the web service COM
object. The account defined here is used to run the COM+ application that accesses the ERPM
database. If the database uses database local authentication (Oracle or SQL Server without
integrated authentication, for example), then use an account that complies with your
organization's security policy and that has the rights to access the database network driver. The
account chosen here has nothing to do with the interactive user of the website.
Network Service (default) should be chosen when authentication to the database is performed
using explicit authentication, such as when using Oracle or SQL Server with explicit
authentication. Network Service may also be used with Windows Integrated Authentication
when the database server (server_name$) has been granted appropriate rights into the ERPM
database. This account is the default option because it has minimal rights and there is no
password to actively manage.

Interactive User should be chosen when authentication to the database should be performed in
the context of the user who is directly accessing the web service using Windows Integrated
Authentication and additional login credentials are not specified.

Specific User should be chosen when the COM+ application will access the ERPM database using
Windows Integrated Authentication. This option may be more desirable than Network Service
when using integrated authentication because compromise of the system (in the case of
Network Service) may grant more access to the database than desired. The downside of using a
specific user is that the password must be managed (which ERPM can do automatically).

Click Next to continue.

5) If you previously installed the ERPM web service, click Next on the "Web Installation Type"
screen to keep your previous setting.
If you are installing the ERPM web service for the first time, choose whether to install the web
service to a virtual directory or the root of a site. This option will ultimately affect the web
service URL and has possible security implications. Virtual directories are often safer to install to
if the web server hosts multiple applications. This is because the virtual directory has no
possibility of overwriting a parent directory's settings and affecting another application. It is also
harder to guess where virtual directories are located because one cannot simply supply the
server name to get to it. The downside is that if security changes or functionality changes are
made to a parent site, those changes will typically automatically filter down to the web service,
which may affect the web service availability. Installing to a parent site offers the easiest way to
access the application because you only need to supply the name of the server. Moreover, you
don't need to worry about property inheritance with the parent site because all property
changes will be made at the parent site. That generally means another application cannot
accidentally update the web service settings.

Make a selection and click Next.

6) Refer to the following bullets if you selected Virtual Directory in the previous step:
o If you previously installed the ERPM web service, click Next on the "Parent Site" screen to keep
your previous setting.
o If you are installing the ERPM web service for the first time, a virtual directory named
ERPMWebService will be created under the parent directory and automatically inherit the
parent directory's security and authentication attributes.
Refer to the following bullets if you selected the Site option in the previous step:
o If you previously installed the ERPM web service, click Next on the "Web Site Configurations"
screen to keep your previous setting.
o If you are installing the ERPM web service for the first time and you selected the Site option,
configure the web service parent bindings. If the web server will host multiple websites on the
same server at the same port, the web server should have multiple IP addresses. Specify that IP
address in the IP field. If this is the only website, or the websites are on different ports, it is fine
to leave the binding as *. Change the default Port number from 80 to an alternate value if the
web service URL should not listen on port 80. If SSL is configured, this port number should be
changed to reflect the SSL port number to be used (the default HTTP/S port number is 443).
Typically, you do not need to change port numbers. Use the Host field to specify a host header
for the website. This option is used when the website should only respond to one name. This
option can be used in lieu of a specific IP or port number when multiple websites are present on
the web server.

7) If you previously installed the ERPM web service, click Next on the "Authentication Type" screen
to keep your previous setting.
If you are installing the ERPM web service for the first time, configure the IIS authentication
type. If the website or virtual directory does not have SSL bindings, only options for
authentication without SSL will appear. If the website or virtual directory is configured to use
SSL, then authentication options that use SSL will appear.

Non-SSL options include:
o Anonymous Auth without SSL: This option requires a user name and password and
authenticator (domain, RADIUS, etc.) be supplied for entry.
o Integrated Auth without SSL: This option uses the Windows login token for
authorization. It is still possible to enter a username and password.
SSL options include:
o Anonymous Auth with SSL: This option requires a user name and password and
authenticator (domain, RADIUS, etc.) be supplied for entry.
o Integrated Auth with SSL: This option uses the Windows login token for
authorization. It is still possible to enter a username and password.
o SSL with User Certificates: This option requires the authenticating user to present a
valid user certificate for authentication. This certificate must have already been
delegated permissions within ERPM.

8) If you previously installed the ERPM web service, click Next on the "Destination Folder" screen
to keep your previous setting.
If you are installing the ERPM web service for the first time, choose which directory to install the
web service to, then click Next. The location will default to the directory the parent website is
configured for.

9) Click Install to begin the installation.


The installer will configure a COM+ application. This application will be named Lieberman ERPM
WebService and configured to run using the system account, Network Service. It is this account
that will provide network access for the web service to access the program database.

10) Click Finish when the installer is complete.


The Web Service Tester opens. See Running the Web Service Tester (on page 257) for more
information.

The ERPM Web Service starts automatically with the next call to the application.

The installation wizard installs a REST-based web service, a SOAP-based web service, and the Web
Launcher Back-end Service. (The Web Launcher Back-end Service is required for application
launching. For details, see Configure ERPM Web Settings in the Application Launching & Session
Recording Guide.)
Following installation, open the following four URLs in a browser to test the web service:
o REST service base URI: http(s)://<ERPM server name>/ERPMWebService/json/v2/AuthService.svc
o REST service help: http(s)://<ERPM server name>/ERPMWebService/json/v2/AuthService.svc/help
o SOAP service base URI: http(s)://<ERPM server name>/ERPMWebService/AuthService.svc
o Web Launcher Back-end Service: http(s)://<ERPM server name>/ERPMWebService/WebLauncherBackendService.svc
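The same four URLs can be checked from PowerShell so the result is repeatable and can be logged, for instance after an upgrade or a certificate change. The function below is an added example written for this guide, not an ERPM tool; it uses Invoke-WebRequest (Windows PowerShell 3.0 or later). The server name and the choice of HTTPS are assumptions you supply. TLS certificate validation is deliberately left enabled: a certificate error against the web service is something to fix, not to bypass.

```powershell
# Added example (not from the ERPM guide): request the four URLs the guide lists and report
# the HTTP status for each. Requires Windows PowerShell 3.0+ (Invoke-WebRequest, [ordered]).
# $Server and the scheme are assumptions; set them for your environment.
function Test-ErpmWebServiceEndpoints {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [switch]$UseHttp   # default is HTTPS; use -UseHttp only for a non-SSL installation
    )
    $scheme = if ($UseHttp) { 'http' } else { 'https' }
    $base   = "$scheme://$Server/ERPMWebService"

    # The four endpoints from the guide, in the same order.
    $endpoints = [ordered]@{
        'REST service base URI'         = "$base/json/v2/AuthService.svc"
        'REST service help'             = "$base/json/v2/AuthService.svc/help"
        'SOAP service base URI'         = "$base/AuthService.svc"
        'Web Launcher Back-end Service' = "$base/WebLauncherBackendService.svc"
    }

    $results = @()
    foreach ($name in $endpoints.Keys) {
        $url    = $endpoints[$name]
        $status = -1
        $detail = ''
        try {
            # -UseDefaultCredentials lets Integrated Auth succeed; it is ignored by anonymous sites.
            # Certificate validation stays on: a TLS failure here is a finding, not noise.
            $response = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
            $status   = [int]$response.StatusCode
        } catch {
            # An HTTP error (401/403/404/500) still proves IIS answered; a connection or
            # certificate failure has no response object and is reported as -1 with the message.
            if ($_.Exception.Response) {
                $status = [int]$_.Exception.Response.StatusCode
            }
            $detail = $_.Exception.Message
        }
        $results += [pscustomobject]@{ Endpoint = $name; Status = $status; Url = $url; Detail = $detail }
    }

    $results | Format-Table Endpoint, Status, Url -AutoSize
    return $results
}

# Usage (server name is a placeholder):
# $r = Test-ErpmWebServiceEndpoints -Server 'erpm.example.internal'
# if ($r | Where-Object { $_.Status -ne 200 }) { Write-Warning 'One or more endpoints did not return 200.' }
```

A 200 from each URL with the WCF service page is the expected result. A 401 against the integrated-auth configuration usually means the calling account is not accepted; a -1 with a certificate message means the SSL binding or the certificate chain needs attention before the service is put into use.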

6.4 RUNNING THE WEB SERVICE TESTER


Use the Web Service Tester to verify that the service is installed properly and responding to
requests.

Complete the form fields and click Test Login.
o MFA token code: If multi-factor authentication is enabled, enter the token code. Otherwise,
leave this field empty.
If successful, the Web Service Tester displays the following information in a dialog box:
o Web service version (and build number)
o Web service DLL version (and build number)
o The authentication token that the Web Service Tester received back from the web service
Running the Web Service Tester Manually


The installer leaves a copy of the Web Service Tester in the web service installation directory, for
example C:\inetpub\wwwroot\ERPMWebService\WebServiceTester.exe.

To run the Tester Manually


1) Launch the WebServiceTester.exe file.
The Web Service Tester dialog opens.
2) Complete the form and click Test Login.

Running the Web Service Tester on a Remote System


If you run WebServiceTester.exe on a system that has all of the registry settings for the web service
present, the tester configuration settings are filled in automatically. If, however, you need to run
the tester manually and the service entries are not present (for example, if you run the tester
from a workstation to test connectivity), you must run the command from a command prompt and
include the option parameter. See the following section for details.

To run the Tester on a Remote System


1) Open a Windows command prompt and enter the command using the following format:
C:\inetpub\wwwroot\ERPMWebService\WebServiceTester option url
where:
option is one of the following integers:
o 1: Anonymous auth with SSL
o 2: Anonymous auth without SSL
o 3: Windows integrated auth with SSL
o 4: Windows integrated auth without SSL
o 5: Certificate-based authentication with SSL
url is the URL to the web service endpoint.
The following is an example:
C:\inetpub\wwwroot\ERPMWebService\WebServiceTester 1 https://localhost/erpmwebservice
2) The Web Service Tester dialog opens.
Complete the form and click Test Login.