

XTAM Break Glass Procedure

A break glass procedure is a quick method for a user who would ordinarily not have access to gain access to a managed system when needed (usually during an emergency). The term “break glass” refers to someone breaking the glass door or stopper to pull a fire alarm in the event of an emergency.

XTAM PAM Break Glass Procedure

Although the concept is the same, the term break glass procedure is used for a couple of different scenarios. In this FAQ, we discuss these scenarios and how XTAM provides support in the case of an emergency.

Scenario #1: User needs immediate access to a Privileged System

In this scenario, XTAM is online and accessible, but there is an emergency with a privileged system that is managed within XTAM. John, our IT worker, needs immediate access to the Domain Controller because it is offline.

In this example, John would log into XTAM and, as usual, request access to the Domain Controller. The Approval Workflow bound to John and this record would be configured with an Emergency approval cycle or set to auto-approve. This configuration allows John to access this privileged system during this specific time frame without completing the typical multi-stage approval process. As a result, John is granted access to perform his emergency task while the integrity of the XTAM workflow process is maintained.

To learn more about Approval Workflows, including Emergency and Auto-approval, please read XTAM Request and Approval Workflows.


Scenario #2: User needs immediate access to a Privileged System but XTAM is inaccessible

In this scenario, XTAM is offline and there is an emergency with a privileged system that is managed within XTAM. Again, John, our IT worker, needs immediate access to the Domain Controller, but the login credentials are stored in XTAM.

In this example, John (assuming he is not an XTAM System Administrator) would need to contact a System Administrator to extract the credentials from a previously created XTAM export. Once the credentials have been extracted, John can use them to access the system with a native client such as RDP or PuTTY.

For this Break Glass procedure, which involves extracting data, including secrets, from an exported XTAM database, the System Administrator would perform these steps:

1. Login to the server that is hosting XTAM as an Administrator.

2. Open a command line session.

3. Navigate to $XTAM_HOME. This is the installation folder for XTAM.

4. Execute the following command to extract secured information from a record. Replace the following variables as necessary.

  • {EXPORT}: The full path to the exported database ZIP file, or the beginning of the ZIP file name for multi-part exports.
  • {RECORD_NAME}: The full record name.
  • {RECORD_ID}: The record ID.
  • {MASTER_PASSWORD}: The XTAM Master Password. If a - (dash) is used instead of the master password, the command will prompt the user for the master password during execution.

4a. For Windows, substitute your {EXPORT}, {RECORD_NAME} or {RECORD_ID} and {MASTER_PASSWORD} values and issue this command:

bin\PamDirectory.cmd Extract {EXPORT} {RECORD_NAME} {MASTER_PASSWORD}
bin\PamDirectory.cmd Extract {EXPORT} {RECORD_ID} {MASTER_PASSWORD}

Examples:

bin\PamDirectory.cmd Extract c:\xtam\export\xtamexp-20180103113616-119836-0001.zip "Domain Controller" 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
bin\PamDirectory.cmd Extract c:\xtam\export\xtamexp-20180103113616-119836-0001.zip 168473 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
bin\PamDirectory.cmd Extract c:\xtam\export\xtamexp-20180103113616 168473 -

4b. For Unix, substitute your {EXPORT}, {RECORD_NAME} or {RECORD_ID} and {MASTER_PASSWORD} values and issue this command:

bin/PamDirectory.sh Extract {EXPORT} {RECORD_NAME} {MASTER_PASSWORD}
bin/PamDirectory.sh Extract {EXPORT} {RECORD_ID} {MASTER_PASSWORD}

Examples:

bin/PamDirectory.sh Extract ~/Documents/xton/apps/export/xtamexp-20180103113616-119836-0001.zip "Domain Controller" 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
bin/PamDirectory.sh Extract ~/Documents/xton/apps/export/xtamexp-20180103113616-119836-0001.zip 168473 48BRU7ikr9oIt2YKwzOYBQSoqwI22wAy
bin/PamDirectory.sh Extract ~/Documents/xton/apps/export/xtamexp-20180103113616 168473 -

5. The command output will display this record’s information, including the secret parameters. Ok is printed as the last line of the output.

Output:

-------------------------------
id=168473
name=Domain Controller
host=10.0.0.2
description=Primary Domain Controller
type=Windows Host
Host=10.0.0.2
Port=3389
User=domain\\administrator
Password=ZH3zFVzJ8KcZPTTE
Ok

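As an added example that is not part of XTAM or this FAQ, the Unix Extract step above wrapped in a small POSIX shell function: it uses the "-" prompt form so the Master Password never appears on the command line (where it would land in shell history and be visible in the process list), restricts the file holding the extracted secrets to the operator, and appends one audit line per extraction. PAM_CMD and AUDIT_LOG are names assumed here for this script; run it from $XTAM_HOME.

```shell
#!/bin/sh
# Added example, not part of XTAM or this FAQ: a break-glass wrapper around the
# Unix form of the Extract command. PAM_CMD and AUDIT_LOG are assumed names
# introduced for this script; the defaults assume the script runs in $XTAM_HOME.
PAM_CMD="${PAM_CMD:-bin/PamDirectory.sh}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/xtam-breakglass.log}"   # assumed location

# breakglass_extract EXPORT RECORD_NAME_OR_ID
# Prints the path of the file holding the tool's output. Returns 0 only when
# the tool exited 0 and its output ended with the "Ok" terminator the FAQ
# describes; anything else is treated as a failed extraction.
breakglass_extract() {
  export_path=$1
  record=$2
  out=$(mktemp) || return 1
  chmod 600 "$out"                      # secrets readable by the operator only
  # "-" makes PamDirectory prompt for the Master Password instead of taking
  # it from argv, so it is not left in shell history or shown by ps.
  if "$PAM_CMD" Extract "$export_path" "$record" - >"$out" &&
     [ "$(tail -n 1 "$out")" = "Ok" ]; then
    status=ok
  else
    status=failed
  fi
  # Audit who extracted which record from which export, and the outcome.
  # The extracted secret values themselves are never written to the log.
  printf '%s user=%s export=%s record="%s" status=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$export_path" "$record" "$status" \
    >>"$AUDIT_LOG"
  echo "$out"
  [ "$status" = ok ]
}
```

Once John has used the credentials, the temp file should be shredded and the record rotated in XTAM when it is back online; the audit line gives the reviewer the who, what and when of the break glass event.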
If you are unsure of the Record Name or ID, or would simply like to extract a list of records from the exported database, the System Administrator would perform these steps:

1. Login to the server that is hosting XTAM as an Administrator.

2. Open a command line session.

3. Navigate to $XTAM_HOME. This is the installation folder for XTAM.

4. Execute the following command to extract a list of records. Replace the following variables as necessary.

  • {EXPORT}: The full path to the exported database ZIP file, or the beginning of the ZIP file name for multi-part exports.
  • {QUERY}: The search query for records. The command returns a list of all matching records (record name, ID, host and description only).

4a. For Windows, substitute your {EXPORT} and {QUERY} values and issue this command:

bin\PamDirectory.cmd ListExport {EXPORT} {QUERY}

Examples:

bin\PamDirectory.cmd ListExport c:\xtam\export\xtamexp-20180103113616-119836-0001.zip "Domain Controller"
bin\PamDirectory.cmd ListExport c:\xtam\export\xtamexp-20180103113616 "Domain"

4b. For Unix, substitute your {EXPORT} and {QUERY} values and issue this command:

bin/PamDirectory.sh ListExport {EXPORT} {QUERY}

Examples:

bin/PamDirectory.sh ListExport ~/Documents/xton/apps/export/xtamexp-20180103113616-119836-0001.zip "Domain Controller"
bin/PamDirectory.sh ListExport ~/Documents/xton/apps/export/xtamexp-20180103113616 "Domain"

5. The command output will display the record(s) returned by the query search, but will only include each record’s name, ID, host, description and type. Ok is printed as the last line of the output.

Single Result Output:

-------------------------------
id=168473
name=Domain Controller
description=Primary Domain Controller
host=10.0.0.2
type=Windows Host
Ok

Multiple Result Output:

-------------------------------
id=168473
name=Domain Controller
description=Primary Domain Controller
host=10.0.0.2
type=Windows Host
-------------------------------
id=178125
name=Domain Controller Backup
description=Backup Domain Controller
host=10.0.0.3
type=Windows Host
-------------------------------
id=274586
name=Domain Administrator
description=Shared domain Admin account
type=Active Directory
Ok


Copyright © 2018 Xton Technologies, LLC. All rights reserved.