For a user to log into SecureAnyBox5, the user account must first be created and a password set.
If only one domain is specified, you need to enter just your username and password to sign in to SecureAnyBox5.
If more than one domain is specified, you must also enter the domain name when logging in.
After entering the login credentials, a page for setting an Access Code is displayed. The Access Code is used to decrypt secure information (such as passwords and certificates) and to confirm changes.
While entering the Access Code, you can see how secure it is and how many of the required characters you are using.
Actual/required length of the Access Code
Actual/required number of lowercase letters
Actual/required number of uppercase letters
Actual/required number of digits
Indicator of how secure the Access Code is
Button for displaying the Access Code
Estimated time to crack the Access Code by online guessing
Actual/required entropy of the Access Code (the higher, the better)
The character requirements for the Access Code can be changed in the Configuration (for users in all domains) or in the domain details (for users in that domain).
After the Access Code is set, the page automatically redirects to the root level of Safe Boxes.
Full name of the logged-in user and the domain the user logged into
After clicking the menu icon (next to the name of the user), a context menu is displayed. In the context menu, it is possible to change the user's settings, activate the White Envelope or log out of the application.
Notification area
If an error or warning occurs, or some action needs to be performed, a notification is displayed in this area. For more information, click the notification icon.
Main menu
The main menu of the application. The menu items displayed depend on the user's role and other settings.
Information about license
Information about the license is displayed only to users with the "Administrator" role.
Breadcrumb navigation
The breadcrumb navigation shows the path to the currently opened page. By clicking an element of the breadcrumb navigation, you can move to the parent level.
Page menu
The list of possible actions on the page.
Filter area
Enables filtering of the items displayed on the page.
If you know your Access Code and need to change it (for security reasons, because you shared it with someone else, etc.), click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the menu, click the Change Access Code button.
After clicking the button, a form for changing the Access Code is displayed. Enter the current Access Code into the first field and the new Access Code into the other two fields. While entering the new Access Code, you can see how secure it is and how many of the required characters you are using.
To confirm the new Access Code, click the OK button. After the new Access Code is set, a success message is displayed.
If you have forgotten the Access Code, you can reset it. The Access Code is what decrypts secure information, so a reset cannot recover anything encrypted under the old code: by resetting your Access Code, you lose access to all Safe Boxes, and Safe Boxes accessible only by you are deleted.
Before resetting the Access Code, consult your administrator about what will be lost.
To reset the Access Code, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the menu, click the Reset Access Code button.
You need to confirm the warning only if you have access to some Safe Box. Otherwise, you are asked to enter a new Access Code immediately.
In the Reset Access Code form, you must confirm the warning that you will lose access to all Safe Boxes. You can also check which Safe Boxes will be deleted, because after the Access Code is reset, nobody will have permissions for these Safe Boxes.
After the warning is confirmed, a form for entering the new Access Code is displayed. While entering the Access Code, you can see how secure it is and how many of the required characters you are using. To confirm the new Access Code, click the OK button.
After resetting the Access Code, a message about the successful reset is displayed. You can now confirm changes with the new Access Code. If you had inherited permissions for Safe Box Groups and Safe Boxes, another user can share them with you again. Your White Envelope can also be activated again, but all assigned permissions have to be assigned manually.
Users synchronized from LDAP/Azure AD cannot change their password in SecureAnyBox5, because the password would not be changed in LDAP/Azure AD. If you are not sure whether you are synchronized from LDAP/Azure AD, contact your administrator and consult them about the password change.
To change your login password, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the menu, click the Change Login Password button.
After clicking the button, the Change Login Password form is displayed. Enter the current password into the first field and the new password into the other fields. While entering the new password, you can see how long it is, how many lowercase letters, uppercase letters, digits or other symbols it contains, and how secure it is.
To confirm the password change, click the OK button. After the password is changed, a success message is displayed.
To improve the security of data stored in SecureAnyBox5, users can use Two-Factor Authentication. The second factor is a 6-digit code from an Authenticator app, which is paired with SecureAnyBox5 via a secret key.
Each user can enable Two-Factor Authentication for SecureAnyBox5. If Two-Factor Authentication is enabled, the user has to enter a verification code every time they log in. The verification code is generated by the Authenticator app on the user's mobile phone (iOS and Android).
To enable Two-Factor Authentication, it is necessary to have the Authenticator app installed on a mobile phone.
To enable Two-Factor Authentication, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the displayed menu, click the Two-Factor Authentication settings button.
After clicking the button, a wizard is displayed. To enable Two-Factor Authentication, it is necessary to pair the Authenticator app with SecureAnyBox5. Follow the steps in the wizard.
After Two-Factor Authentication is set, the user has to enter the second factor every time they log in. Two-Factor Authentication can be deactivated by the user in the Two-Factor Authentication settings, or by a user with the User Manager role in the user's details.
Once Two-Factor Authentication is set and confirmed, it is possible to pair another Authenticator.
To pair another Authenticator, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the displayed menu, click the Two-Factor Authentication settings button.
After clicking the button, a wizard with two options is displayed. Click the PAIR ANOTHER AUTHENTICATOR button and follow the steps. Because every paired Authenticator holds the same secret key, all of them give you the same 6-digit code.
If you do not want to use the second factor, you can disable it in the Two-Factor Authentication settings. If Two-Factor Authentication is mandatory, however, you will be asked to set up the second factor again. Disabling the second factor deletes all of the user's Two-Factor settings, and all Authenticators have to be paired again.
To disable the second factor, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the displayed menu, click the Two-Factor Authentication settings button.
After clicking the button, a wizard with two options is displayed. Click the Disable second factor button and enter the 6-digit code to confirm the action.
Users with the User Manager role can reset the Two-Factor Authentication settings of another user by clicking the Reset Two-Factor Authentication button at the bottom of the user details form.
To confirm the reset, it is necessary to enter the Access Code. Resetting the Two-Factor Authentication settings is intended for cases where the user has lost access to the paired Authenticator app, etc.
Each user can change the language of the web interface. Available options are English, Czech, German and French. To change the language, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the displayed menu, click the Change Language button.
After clicking the button, a form for changing the language is displayed. Select the language you want and click the OK button. After the language is changed, the page reloads in the chosen language.
Each user can modify preferences that apply only to them. To change these preferences, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the displayed menu, click the Change preferences button.
After clicking the Change Preferences button, the User preferences form is displayed.
The Remember Access Code field is displayed only if remembering of the Access Code is enabled in the server configuration.
The fields in the Notification settings part of the form are displayed only if e-mail notifications are enabled in the server configuration.
The Notification of user initialization field is displayed only to users with the User Manager role.
In User preferences form, it is possible to set remembering last location, default password pattern for Safe Box Groups, Safe Boxes, and Accounts which user will create and configure e-mail notification settings. All preferences are applied only for the currently logged user. Changing preferences for all users is possible in SecureAnyBox5 configuration.
If a start page set, it is not possible to set the remembering of the last visited location.
This field is displayed if remembering of Access Code is set in the server configuration.
After entering an Access Code, SecureAnyBox5 will temporarily store your Access Code in a cache, so you don’t have to enter the Access Code repeatedly. To disable remembering your Access Code, uncheck the field.
Default password pattern for Safe Boxes and Accounts where no password pattern is set.
Each letter in the pattern corresponds to a letter in the generated password.
Characters allowed in the password pattern and their meaning:
v - lowercase vowel (a,e,i,o,u,y)
V - mixed-case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z - uppercase vowel
c - lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C - mixed-case consonant
z - uppercase consonant
l - any alphabet character (vowel or consonant), lowercase
A - any alphabet character, mixed case
u - any alphabet character, uppercase
d - digit (0-9)
s - special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n - digit or special character
\ - escape character: the next character is used as is (e.g. the pattern '\-' outputs '-' in the resulting password)
* - any allowed character
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to '\p\a\s\sddddddd', which might generate passwords such as 'pass1762885' or 'pass5687412'. Note that escaped characters are fixed, so all of the randomness in such a password comes from the seven digits.
Selection of which data is displayed in the middle column of the list of records in a Safe Box, after the record name. The default value in the server configuration is Description.
This field is displayed only if e-mail notifications are enabled in the server configuration.
Select whether notification e-mails with a summary of changes are sent, and whether you are notified of changes in all Safe Box Groups, Safe Boxes, and records or only in the watched ones.
Whether users are notified of changes in all fields or only in encrypted ones, and how often notifications are sent, depends on the SecureAnyBox5 server configuration.
This field is displayed only if e-mail notifications are enabled in the server configuration.
Select whether notification e-mails with a summary of accesses to encrypted information are sent, and whether you are notified of accesses in all currently accessible Safe Box Groups, Safe Boxes, and records or only in the watched ones.
How often notifications are sent depends on the SecureAnyBox5 server configuration.
This field is displayed only if e-mail notifications are enabled in the server configuration.
This field is displayed only to users with the User Manager role.
By enabling e-mail notifications of user initialization, you allow e-mails to be sent with a summary of which users have set their password and/or Access Code for the first time.
By overriding the default settings from the domain, you can configure automatic watching according to your preferences. Once the default is overridden, later changes to the automatic watching settings in the domain no longer apply to you.
Safe Box Groups, Safe Boxes, and records that the user creates or obtains access to will automatically be watched for changes. If sending notifications is enabled in the server configuration, e-mail notifications with a summary of changes in the watched items are sent.
Safe Box Groups, Safe Boxes, and records that the user creates or obtains access to will automatically be watched for accesses to the encrypted information in them. If sending notifications is enabled in the server configuration, e-mail notifications with a summary of accesses to the watched items are sent.
Each user can set a start page, i.e. the page to which they are redirected after logging into SecureAnyBox5.
To set the start page, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the displayed menu, click Start page setting.
After clicking Start page setting, a window for the start page setting is displayed.
If you are setting a start page for the first time, a window appears where you confirm that you want to set the current page as the start page.
If the current page is already set as the start page, a window appears where it is possible to remove the start page setting.
If the start page is set to a page other than the current one, you can check the setting by clicking the link. At the same time, you can override or remove your start page setting.
From version 5.0, the Administration part of SecureAnyBox5 has been moved to its own interface. To switch to Administration, click the menu icon (next to the name of the user) in the top right corner of the page. After clicking, a context menu is displayed. In the displayed menu, click Switch to Administration, which redirects you to the Administration interface.
Safe Boxes and Safe Box Groups are used to store sensitive data, such as accounts used to log in, certificates, credit cards, and other files. Safe Boxes can be divided into three types:
Safe Boxes and Safe Box Groups can be shared with other users. Dynamic inheritance of permissions applies to shared Safe Boxes and Safe Box Groups. For private Safe Boxes and Safe Box Groups, all permissions for other users have to be set manually.
Each Safe Box or Safe Box Group name must be unique within its root level or Safe Box Group. However, it is possible to create a private Safe Box or Safe Box Group with the same name as another Safe Box (or Safe Box Group), because the private Safe Box's name includes the owner's name.
When the logged-in user is the owner of a private Safe Box, the owner's name is not shown as part of the Safe Box's name.
As the image above shows, a private Safe Box's name is displayed differently to its owner and to other users who have permissions for that private Safe Box.
Safe Boxes and Safe Box Groups at the root level can be filtered by name or description by entering text into the filter field. They can also be filtered by selecting a user tag or a user in the dedicated field.
When filtering by a user tag, the table shows the Safe Boxes and Safe Box Groups that have a permission template assigned to the selected user tag.
When filtering by user, the table shows the Safe Boxes and Safe Box Groups to which the selected user has some permissions.
A user can change the order of the displayed Safe Boxes and Safe Box Groups by pinning the selected Safe Box (or Safe Box Group) to the top of the list.
To pin a Safe Box, click the pin icon in the row of the selected Safe Box and confirm the dialog.
After the Safe Box is pinned, it is displayed at the top of the list with a pin icon.
The order of pinned Safe Boxes can be managed in the form that is displayed after clicking the Edit pinned order button. To change the order of the pinned Safe Boxes, drag the selected Safe Box to the desired position.
To unpin a Safe Box, click the pin icon again and confirm the dialog. After unpinning, the Safe Box is displayed without the pin icon.
Access rights can be managed for each Safe Box or Safe Box Group separately. For Safe Boxes and Safe Box Groups that are not private, dynamic inheritance of access rights applies. If a Safe Box or Safe Box Group is private, inheritance of access rights is blocked. However, permissions for a private Safe Box Group or Safe Box can be assigned manually.
Access rights can be managed at the root level too.
Access rights are managed after clicking the Sharing & Permissions link.
The Sharing & Permissions button is displayed only to users with the Access Control permission.
The Sharing & Permissions page displays a table of the users who have permissions for that level (the root level, a Safe Box Group or a Safe Box) and all records in it.
Each user can have three types of rights:
Inherited rights - permissions inherited from the parent Safe Box Group or the root level.
Effective rights - the permissions that are checked when a user attempts an action. Effective rights are given by the assigned rights; if no rights are assigned, effective rights are taken from the inherited rights. If a user has effective READ rights for any Safe Box inside a Safe Box Group, the user's effective rights for the Safe Box Group include READ as well. If a Safe Box or Safe Box Group is private, the owner's effective rights are full permissions (IRCMDA).
Assigned rights - permissions explicitly assigned at this level.
The table displays only the permissions that can be set on the Sharing & Permissions page.
Permission | Description |
---|---|
Inherited | This permission enables dynamic inheritance of permissions. Can be set only for the root level or a Safe Box Group |
Read | User has permission to view Safe Box Groups, Safe Boxes and records in them (accounts, files, etc.) |
Create | User has permission to create new Safe Box Group, Safe Box or record (account, file, etc.) |
Modify | User has permission to modify Safe Box Groups, Safe Boxes and records in them (accounts, files, etc.) |
Delete | User has permission to delete or move Safe Box Group, Safe Box or record (account, file, etc.) |
Access Control | User has permission to manage rights for Safe Box Group, Safe Box or record (account, file, etc.) |
Apply Templates | User has permission to apply Permission templates for a Safe Box Group or Safe Box. |
By assigning access rights, you share a Safe Box or Safe Box Group with other users.
To assign permissions for a Safe Box or Safe Box Group to another user, click the Add User button. After clicking, a list of the users with whom the Safe Box or Safe Box Group can be shared is displayed. You cannot share Safe Boxes and Safe Box Groups with users who have not set their Access Code.
If a user is from a different domain than the currently logged-in user, the domain name is displayed after the user's name.
In the list of users, select the user with whom you want to share the Safe Box or Safe Box Group. It is possible to add multiple users at a time. After the users are selected, click the OK button. Adding users must be confirmed by entering the Access Code. (If you have forgotten the Access Code, see the Reset Access Code section above.)
After a user is added to the permissions table, the user has only the READ permission. You can assign other permissions manually by checking the appropriate checkboxes.
All changes on the Sharing & Permissions page have to be confirmed by entering the Access Code.
Assigned rights can be managed separately for each Safe Box or Safe Box Group. If a user has any inherited rights, it is first necessary to click the blue gear icon; after that, rights can be assigned by clicking the appropriate checkboxes.
Assigned rights take precedence over inherited ones.
If a user does not have any inherited rights, assigned rights can be managed directly by clicking the appropriate checkboxes.
To delete a user's assigned rights, click the cross icon at the end of the row and confirm the changes. If the user had assigned rights only, the user is no longer displayed in the table after confirmation.
Dynamic inheritance of permissions applies only to shared Safe Boxes and Safe Box Groups. For dynamic inheritance of a user's access rights to take effect, the user must have the Inherited permission assigned for the root level or for a Safe Box Group.
When a user has the Inherited permission assigned for the root level, all of the user's other permissions (Read, Create, Modify, Delete, Access Control) at the root level are inherited by all shared Safe Boxes and Safe Box Groups.
If a user has the Inherited permission assigned only for a Safe Box Group, all of the user's other permissions at that Safe Box Group are inherited by all shared Safe Boxes within the Safe Box Group.
When a user modifies the Inherited permission, a warning dialog appears. To proceed, the user has to type in the confirmation code (the three letters displayed in bold) and confirm the dialog.
Permissions for the root level are pre-set from the Default Safe Box Permissions in the user's details, but can be modified directly at the root level. To manage permissions for the root level, the logged-in user needs the Access Control permission for the root level and the User Manager or Administrator role. Otherwise, the Sharing & Permissions button is not displayed on the root level page.
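The inherited / assigned / effective rules described above, resolved over a small hierarchy, as an added example; this is not SecureAnyBox5's own code, and the `Level` class, the sample names and the users are constructed for the example. Two points are this example's reading of the page rather than something it states outright: an explicit assignment replaces the inherited set as a whole (the page says effective rights come from inherited rights only "if rights are not assigned"), and the whole inherited set including I flows down the chain, which is what lets a root-level I reach Safe Boxes inside a group. Apply Templates is left out because it takes no part in inheritance.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Permission letters in the order the page prints them (IRCMDA).
ALL_RIGHTS = "IRCMDA"  # Inherited, Read, Create, Modify, Delete, Access Control


@dataclass
class Level:
    """One node of the hierarchy: the root level, a Safe Box Group or a Safe Box."""
    name: str
    kind: str                                  # "root", "group" or "box"
    private: bool = False
    owner: Optional[str] = None                # set for private levels only
    assigned: Dict[str, Set[str]] = field(default_factory=dict)  # user -> explicitly assigned rights
    children: List["Level"] = field(default_factory=list)


def effective_rights(level: Level, user: str, parent_eff: Optional[Set[str]] = None,
                     parent_private: bool = False, parent_owner: Optional[str] = None,
                     out: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Resolve `user`'s effective rights for `level` and every level below it.

    Rules as this example reads them from the page:
      - assigned rights replace inherited rights as a whole;
      - a child inherits the parent's effective rights only if those include I
        and the child is shared; the whole set (I included) flows down;
      - a private level blocks inheritance, and its owner gets IRCMDA;
      - Safe Boxes inside a private group count as private with the same owner;
      - READ on any Safe Box inside a group grants READ on the group itself.
    """
    parent_eff = set() if parent_eff is None else parent_eff
    out = {} if out is None else out
    private = level.private or parent_private
    owner = level.owner if level.private else parent_owner

    if private and owner == user:
        eff: Set[str] = set(ALL_RIGHTS)
    else:
        blocked = level.kind == "root" or private or "I" not in parent_eff
        inherited = set() if blocked else set(parent_eff)
        assigned = level.assigned.get(user)
        eff = set(assigned) if assigned is not None else inherited

    for child in level.children:             # children see the group's rights before the READ bump
        effective_rights(child, user, eff, private, owner, out)
    if level.kind == "group" and any(c.kind == "box" and "R" in out[c.name] for c in level.children):
        eff.add("R")

    out[level.name] = "".join(r for r in ALL_RIGHTS if r in eff)
    return out


def build_demo() -> Level:
    """Constructed sample hierarchy; the names and users are made up for this example."""
    return Level("root", "root",
        assigned={"alice": {"I", "R", "C", "M"}, "bob": {"R"}, "dave": {"I", "R"}},
        children=[
            Level("Projects", "group", assigned={"bob": {"I", "R", "C"}}, children=[
                Level("Web", "box", assigned={"erin": {"R"}}),
                Level("Legacy", "box", assigned={"alice": {"R"}}),  # explicit R narrows alice's inherited IRCM
            ]),
            Level("Finance", "group", private=True, owner="carol", children=[
                Level("Bank", "box", assigned={"dave": {"R"}}),
            ]),
        ])


if __name__ == "__main__":
    tree = build_demo()
    for who in ("alice", "bob", "carol", "dave", "erin"):
        rows = effective_rights(tree, who)
        print(f"{who:6}", "  ".join(f"{name}={rights or '-'}" for name, rights in sorted(rows.items())))
```

Running it shows the cases worth checking in a real deployment: bob has no I at the root, so his root-level R does not reach Projects until he is given I there; dave gets READ on the private group Finance only because he was explicitly given READ on a Safe Box inside it; and carol, as owner, has IRCMDA on Finance and on Bank even though nothing is assigned to her.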
Permission templates can be managed only by users with the Access Control permission.
Permission templates help you assign permissions to users. They can be set for the root level, any Safe Box Group, and any Safe Box. Permission templates are defined for user tags; at each level, a given user tag can be used in only one template. User tags can come from the domain of the current user and from other visible domains.
To create a permission template, select a user tag and assign permissions. The permission template applies to all users who have the user tag set in the template.
Permission template set for | Affected levels |
---|---|
Root level | all shared Safe Boxes and Safe Box Groups |
Safe Box Group | all Safe Boxes within the Safe Box Group |
Safe Box | Safe Box only |
If a permission template is set at the parent level, it can be modified by clicking the blue gear icon.
To view or manage the permission templates of the parent level, click the Up button.
After permission templates are set, users with the Apply templates permission can apply them.
Only users with the Apply templates permission can perform this action.
Permission templates can be applied when these conditions are met:
When all conditions are met, a notification icon appears.
Permission templates can be applied to a Safe Box Group or a Safe Box. The permissions to apply are computed from the permission templates in the listed Safe Box Groups and Safe Boxes, for each user tag assigned to a user. If the computed permissions are missing some of the effective permissions, a red arrow is displayed.
Review the permissions in the table below.
The permissions were computed from the Permission Templates in the listed Safe Boxes and Safe Box Groups according to the user tags assigned to the listed users.
You can either Approve the permissions, Skip the permission assignment this time, or Reject the permission assignment. When you Reject a permission assignment, SecureAnyBox5 remembers this choice: the next time Permission Templates are processed, the permission record is shown as rejected by default.
To completely remove a user from permission assignment processing, change the user's user tag assignment.
Computed permissions | Permissions applied to: |
---|---|
Contains permission I (Inherited) | all shared Safe Boxes and Safe Box Groups |
Does not contain permission I | all shared Safe Boxes; Safe Box Groups will have just R (read) permission applied |
For Safe Box Groups, Safe Boxes, and records, it is possible to watch changes and/or accesses to encrypted information. Watching can be set at every level except the root level.
When a user is watching changes at some level and e-mail notifications are enabled in the server configuration, SecureAnyBox5 sends e-mails with a summary of changes at that level. Whether changes in all fields or only in encrypted fields are watched depends on the server configuration of notifications.
When a user is watching accesses to encrypted information and e-mail notifications are enabled in the server configuration, SecureAnyBox5 sends e-mails with a summary of accesses at that level.
To access encrypted information, it is necessary to enter the Access Code in the record. If the Access Code is temporarily remembered, the user accesses all records without entering the Access Code.
Watching of accesses and/or changes is inheritable: if a user watches changes in a Safe Box Group, all Safe Boxes and records within that Safe Box Group inherit the watching of changes/accesses from the parent level.
From the root level, it is possible to edit watching for all currently accessible Safe Box Groups, Safe Boxes, and records by clicking the Watching... button.
Whether changes/accesses are watched for Safe Box Groups, Safe Boxes, and records that you create or obtain access to in the future depends on the user's automatic watching settings.
In the Watching report, it is possible to check what the currently logged-in user is watching.
Changes in all Safe Box Groups, Safe Boxes, and records within them that you can currently access will be watched.
Watching of changes will be set explicitly for all currently accessible Safe Box Groups and Safe Boxes. Records inherit watching of changes from the Safe Box in which they are stored.
Note: Whether changes are watched for Safe Box Groups, Safe Boxes, and records that you create or obtain access to in the future depends on the user's settings and on whether the level in which they are stored watches changes, because watching of changes may be inherited from the parent level.
After clicking the Start watching changes to everything button, it is necessary to confirm the dialog window.
Accesses to encrypted information in the records stored in all Safe Boxes and Safe Box Groups to which you currently have access will be watched.
Watching of accesses will be set explicitly for all currently accessible Safe Box Groups and Safe Boxes. Records inherit watching of accesses from the Safe Box in which they are stored.
Note: Whether accesses are watched for Safe Box Groups, Safe Boxes, and records that you create or obtain access to in the future depends on the user's settings and on whether the level in which they are stored watches accesses, because watching of accesses may be inherited from the parent level.
After clicking the Start watching accesses to everything button, it is necessary to confirm the dialog window.
Changes in all Safe Box Groups, Safe Boxes, and records within them that you can currently access will no longer be watched.
Watching of changes can be reactivated at any time.
Note: Whether changes are watched for Safe Box Groups, Safe Boxes, and records that you create or obtain access to in the future depends on the user's automatic watching settings.
After clicking the Stop watching changes to everything button, it is necessary to confirm the dialog window.
Accesses to encrypted information in all Safe Box Groups, Safe Boxes, and records within them that you can currently access will no longer be watched.
Watching of accesses can be reactivated at any time.
Note: Whether accesses are watched for Safe Box Groups, Safe Boxes, and records that you create or obtain access to in the future depends on the user's automatic watching settings.
After clicking the Stop watching accesses to everything button, it is necessary to confirm the dialog window.
After clicking the Stop watching all button, watching of changes and accesses is deactivated for all currently accessible Safe Box Groups, Safe Boxes, and records.
Watching of accesses and/or changes can be reactivated at any time.
Note: Whether accesses and/or changes are watched for Safe Box Groups, Safe Boxes, and records that you create or obtain access to in the future depends on the user's automatic watching settings.
After clicking the Stop watching all button, it is necessary to confirm the dialog window.
Safe Box Group is intended for associating Safe Boxes into larger units. For example, the Safe Box Group can associate all Safe Boxes related to some project, server and so on.
Access rights can be managed for each Safe Box Group separately. For Safe Box Groups, which are not private, is applied the dynamic inheritance of access rights. The inheritance permission can be set for root level or Safe Box Group. When a user has the inheritance permission for Safe Box Group, all new shared Safe Boxes inside this group will inherit his permissions from Safe Box Group.
If the user has set Inherited permission for the root level, he automatically inherits permissions for all shared Safe Box Groups and Safe Boxes within the range of the user’s domain.
When the Safe Box Group is private, the inheritance of access rights is blocked. However, the permissions to the private Safe Box Group can be assigned manually.
To create a Safe Box Group, the user needs to have assigned the Create permission for the root level.
To create a Safe Box Group click the New Safe Box Group button. In the Safe Box Group, it is necessary to set a name, a password pattern and a type (private or shared). Into a Safe Box Group can be created a new Safe Box or can be moved existing Safe Box.
If the Safe Box Group is private, all Safe Boxes in it are also considered private.
Safe Box Group name should characterize its content to work with SecureAnyBox5 more effectively and conveniently. Each name must be unique within the range of root level.
However, a user can create two Safe Box Groups with the same name, if one of the Safe Box Groups is private. The name of a private Safe Box Group is stored along with a username of its owner, so both names are unique.
The description should more precisely characterize the Safe Box Group for better distinction from others.
Select the password settings that will be applied when generating a password for records within the scope of this Safe Box Group:
A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.
The password pattern that is automatically preset in all Safe Boxes and records within the Safe Box Group.
Each letter in the pattern corresponds to a letter in the generated password.
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character; the next character is used as is (e.g. the pattern ‘\-‘ outputs ‘-‘ in the resulting password)
* – any allowed character
Default pattern is CVCVdddCVCCVdC (this might generate passwords such as: wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd‘, which might generate passwords such as ‘pass1762885‘ or ‘pass5687412‘.
Enter an external files path that will be preset for all Safe Boxes within the Safe Box Group.
The path should be specified in MS Windows format (e.g. L:\SAB_DRIVE). If an external file path is changed, SecureAnyBox5 will store all new external files at the new location, but all previously stored files will remain at their original location.
Without the SecureAnyBox5 Launcher or the SecureAnyBox5 plugin for Total Commander, it is not possible to add external files to SecureAnyBox5 or work with them.
Safe Box Group type is important for the dynamic inheritance of access rights.
When the Safe Box Group is private, none of the permissions are inherited from the parent level. However, access rights to the private Safe Box Group can be assigned manually.
If the Safe Box Group is shared, dynamic inheritance of access rights applies.
If the value is read-only (plain text), the user does not have permission to modify the Safe Box Group type or to create private Safe Box Groups.
Private – Blocks access rights inherited from the parent level.
Shared – Access rights are inherited from the parent level.
The compliance profile specifies requirements for password security that the passwords should adhere to. The Compliance report can be used to check whether the passwords meet the security requirements.
To edit the Safe Box Group, a user must have the Modify permission.
For each Safe Box Group, it is possible to change the name, description, password pattern, external files path and Safe Box Group type.
If an external file path is changed, SecureAnyBox5 will store all new external files at the new location, but all previously stored files will remain at their original location.
For each Safe Box Group, you can turn on two types of watching: watching changes, and watching accesses to encrypted information. If someone changes the watched Safe Box Group, a Safe Box in it, or a record within these Safe Boxes, or if someone accesses encrypted information in a record within these Safe Boxes, an e-mail notification is sent to the user who watches the Safe Box Group (depending on the configuration of mail notifications).
To access encrypted information, it is necessary to enter the Access Code in a record. If the Access Code is temporarily remembered, the user accesses all records without entering the Access Code.
The user can customize the notification settings in user preferences.
Watching of changes for Safe Box Groups, Safe Boxes and records that you create or to which you obtain access in the future depends on the user’s automatic watching settings.
To set watching for the Safe Box Group, click the Watching... button; the watching menu will display.
In the Watching report, it is possible to check what the currently logged-in user is watching within the Safe Box Group.
The current watching status for the Safe Box Group is displayed next to the Watching... button. The possible statuses are:
Watching of changes and accesses to encrypted data is set explicitly for the Safe Box Group.
Watching of changes is set for the Safe Box Group. Watching of accesses to encrypted data is not set.
Watching of changes is not set. Watching of accesses to encrypted data is set explicitly for the Safe Box Group.
Safe Box Groups can only have watching of accesses and/or changes set explicitly.
By checking the Watching Changes or Watching Accesses field, the user immediately sets explicit watching of changes/accesses for the Safe Box Group. All Safe Boxes within this Safe Box Group, and the records in them, inherit the watching of changes/accesses from the Safe Box Group.
All Safe Boxes currently stored in this Safe Box Group will have watching of changes set explicitly, and changes in them remain watched even if these Safe Boxes are moved to another Safe Box Group where changes are not watched.
Records stored in Safe Boxes within this Safe Box Group inherit watching of changes from the Safe Box.
Note: If automatic watching of changes is not set, Safe Boxes (and records in them) added to this Safe Box Group in the future inherit watching of changes from the Safe Box Group. Otherwise, all Safe Boxes and records will have watching of changes set explicitly.
After clicking the Start watching changes within this Safe Box Group button, it is necessary to confirm the dialog window.
All Safe Boxes currently stored in this Safe Box Group will have watching of accesses set explicitly, and accesses to encrypted information in them remain watched even if these Safe Boxes are moved to another Safe Box Group where accesses are not watched.
Records stored in Safe Boxes within this Safe Box Group inherit watching of accesses from the Safe Box.
Note: If automatic watching of accesses is not set, Safe Boxes (and records in them) added to this Safe Box Group in the future inherit watching of accesses from the Safe Box Group. Otherwise, all Safe Boxes and records will have watching of accesses set explicitly.
After clicking the Start watching accesses within this Safe Box Group button, it is necessary to confirm the dialog window.
The Safe Box Group, all Safe Boxes within it, and all records in them will no longer have watching of changes set.
Watching of changes can be reactivated at any time.
Note: Watching of changes for Safe Boxes and records within this Safe Box Group that you create or to which you obtain access in the future depends on the user’s automatic watching settings.
After clicking the Stop watching changes within this Safe Box Group button, it is necessary to confirm the dialog window.
The Safe Box Group, all Safe Boxes within it, and all records in them will no longer have watching of accesses to encrypted data set.
Watching of accesses can be reactivated at any time.
Note: Watching of accesses for Safe Boxes and records within this Safe Box Group that you create or to which you obtain access in the future depends on the user’s automatic watching settings.
After clicking the Stop watching accesses within this Safe Box Group button, it is necessary to confirm the dialog window.
A Safe Box Group can be deleted from the root level. To delete the Safe Box Group, a user must have the Delete permission. If a user has this permission, a cross icon is displayed at the end of the row.
After clicking the cross icon, the user is asked to confirm deletion of the Safe Box Group. When confirmed, the Safe Box Group is deleted and is no longer displayed.
A deleted Safe Box Group can be restored immediately by clicking Undo in the displayed message.
Safe Boxes are intended for storing records. Different types of records - accounts, secret accounts, files, certificates, credit cards - can be stored inside a Safe Box.
Access rights can be managed for each Safe Box separately. For Safe Boxes that are not private, dynamic inheritance of access rights applies. The inheritance permission can be set at the root level or for a Safe Box Group. When a user has this permission, all new shared Safe Boxes inherit the user’s permissions from the parent level.
When the Safe Box is private, inheritance of access rights is blocked. However, access rights to the private Safe Box can be assigned manually.
To create a Safe Box, a user must have the Create permission for the root level or for the Safe Box Group in which the Safe Box will be created.
A new Safe Box can be created at the root level or inside a Safe Box Group by clicking the New Safe Box button. In the Safe Box, it is necessary to set a name, a password pattern and a type (private or shared). A private Safe Box can be created only at the root level.
When creating a Safe Box in a Safe Box Group, the Safe Box type cannot be set; it is given by the Safe Box Group type.
The Safe Box name should characterize its content so that you can work with SecureAnyBox5 more effectively and conveniently. Each name must be unique within a Safe Box Group or the root level.
However, a user can create two Safe Boxes with the same name at the root level if one of them is private. The name of a private Safe Box is stored together with the username of its owner, so both names are unique.
The description should characterize the Safe Box more precisely so that it can be distinguished from others.
Select the password settings that will be applied when generating a password for records within the scope of this Safe Box:
A password preset will be used to generate a password. Password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc., can be specified in the preset. The password preset has to be specified first in the Administration interface.
The default password pattern that is automatically preset in all records within the Safe Box.
Each letter in the pattern corresponds to a letter in the generated password.
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character; the next character is used as is (e.g. the pattern ‘\-‘ outputs ‘-‘ in the resulting password)
* – any allowed character
Default pattern is CVCVdddCVCCVdC (this might generate passwords such as: wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd‘, which might generate passwords such as ‘pass1762885‘ or ‘pass5687412‘.
Enter an external files path that will be used as the location for storing external files within the Safe Box.
The path should be specified in MS Windows format (e.g. L:\SAB_DRIVE). If an external file path is changed, SecureAnyBox5 will store all new external files at the new location, but all previously stored files will remain at their original location.
Without the SecureAnyBox5 Launcher or the SecureAnyBox5 plugin for Total Commander, it is not possible to add external files to SecureAnyBox5 or work with them.
Safe Box type is important for the dynamic inheritance of access rights.
When the Safe Box is private, none of the permissions are inherited from the parent level. However, access rights to the private Safe Box can be assigned manually.
If the Safe Box is shared, dynamic inheritance of access rights applies.
If the value is read-only (plain text), the user does not have permission to change the Safe Box type.
The Safe Box type cannot be set for Safe Boxes inside a Safe Box Group; for these Safe Boxes it is given by the Safe Box Group type.
Private – Blocks access rights inherited from parent level.
The compliance profile specifies requirements for password security that the passwords should adhere to. The Compliance report can be used to check whether the passwords meet the security requirements.
To edit the Safe Box, a user must have the Modify permission.
For each Safe Box, it is possible to change the name, description, password pattern, external files path and Safe Box type.
If an external file path is changed, SecureAnyBox5 will store all new external files at the new location, but all previously stored files will remain at their original location.
If the Safe Box is not in a Safe Box Group, it is also possible to change the Safe Box type.
To move the Safe Box, a user must have the Delete permission. When moving, the Safe Box is effectively deleted from the original location and created at the target location.
To move the Safe Box, click the Move Safe Box button and wait until a list of possible destinations is displayed.
Click a row in the list to select the destination into which the Safe Box will be moved, and confirm the move by entering the Access Code.
By moving the Safe Box, you may change other users’ permissions for the Safe Box.
Records from other applications can be imported into the Safe Box. Before importing, create the target Safe Box. On the Safe Box page, click the Import... button and select SecureAnyBox5 Importer in the displayed menu.
Import utilities can also be downloaded from the Downloads page.
After clicking, a dialog with a download link is displayed. When downloaded, extract the files from the zip archive and run the utility.
In the SecureAnyBox5 Importer, the user needs to enter the SecureAnyBox5 address in the appropriate field. You can get and copy the SecureAnyBox5 address by clicking the Copy SecureAnyBox5 address option in the menu that displays after clicking the Import... button.
For each Safe Box, you can turn on two types of watching: watching changes and watching accesses to encrypted information. If someone changes the watched Safe Box or a record within it, or accesses encrypted information in a record within the Safe Box, an e-mail notification is sent to the user who watches the record (depending on the configuration of mail notifications).
If the Safe Box is watched, all records in it are watched as well. The user can customize the notification settings in user preferences.
Watching of changes for Safe Box Groups, Safe Boxes and records that you create or to which you obtain access in the future depends on the user’s automatic watching settings.
In the Watching report, it is possible to check what the currently logged-in user is watching within the Safe Box.
The current watching status for the Safe Box is displayed next to the Watching... button. The possible statuses are:
Watching of changes is set explicitly for the Safe Box. Accesses are not watched.
Watching of changes is inherited from the parent level. Accesses are not watched.
Watching of accesses to encrypted data is set explicitly for the Safe Box. Changes are not watched.
Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watching of changes and accesses to encrypted data is set explicitly for the Safe Box.
Watching of changes is set explicitly for the Safe Box. Watching of accesses to encrypted data is inherited from the parent level.
Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for the Safe Box.
Watching of changes and accesses to encrypted data is inherited from the parent level.
By checking the Watching Changes or Watching Accesses field, the user immediately sets explicit watching of changes/accesses for the Safe Box. All records within this Safe Box inherit the watching of changes/accesses from the Safe Box.
All records currently stored in this Safe Box will have watching of changes set explicitly, and the changes remain watched even if a record is moved to another Safe Box where changes are not watched.
Note: If automatic watching of changes is not set, records added to this Safe Box in the future inherit watching of changes from the Safe Box. Otherwise, all records will have watching of changes set explicitly.
After clicking the Start watching changes within this Safe Box button, it is necessary to confirm the dialog window.
All records currently stored in this Safe Box will have watching of accesses set explicitly, and accesses to encrypted information remain watched even if a record is moved to another Safe Box where accesses are not watched.
Note: If automatic watching of accesses is not set, records added to this Safe Box in the future inherit watching of accesses from the Safe Box. Otherwise, all records will have watching of accesses set explicitly.
After clicking the Start watching accesses within this Safe Box button, it is necessary to confirm the dialog window.
Changes in this Safe Box and all records within it will no longer be watched.
Note: If the Safe Box is stored in a Safe Box Group, the Safe Box (and records within it) may have inherited watching of changes from the Safe Box Group.
Watching of changes for records within this Safe Box that you create or to which you obtain access in the future depends on the user’s automatic watching settings.
After clicking the Stop watching changes within this Safe Box button, it is necessary to confirm the dialog window.
Accesses to encrypted information in this Safe Box and all records within it will no longer be watched.
Watching of accesses can be reactivated at any time.
Note: If the Safe Box is stored in a Safe Box Group, the Safe Box (and records within it) may have inherited watching of accesses from the Safe Box Group.
Watching of accesses for records within this Safe Box that you create or to which you obtain access in the future depends on the user’s automatic watching settings.
After clicking the Stop watching accesses within this Safe Box button, it is necessary to confirm the dialog window.
If any account or secret account stored in the Safe Box has a connection type defined, the connection can be opened by clicking the Connect button. To open a connection, the SecureAnyBox5 Launcher must be installed on your station.
If a username (login) and password are stored in the record, the user is automatically connected to the target (server, station, etc.).
To delete the Safe Box, a user must have the Delete permission. If a user has this permission, a cross icon is displayed at the end of the row.
A Safe Box can be deleted from the Safe Box Group page or the root level page. To delete a Safe Box, click the cross icon at the end of the row. After clicking the cross icon, the user is asked to confirm deletion of the Safe Box. When confirmed, the Safe Box is deleted and is no longer displayed.
A deleted Safe Box can be restored immediately by clicking Undo in the displayed message.
Records are stored inside Safe Boxes and are intended to store important information. Depending on the nature of the information to be stored, the user needs to select a record type. All record types, and the information that can be stored in them, are listed in the table below.
Record types (table rows): Account, Secret Account, File, Certificate, Credit Card
Fields (table columns): Name, Description, Tags, Note, Password settings, Password preset, Password pattern, Address, Login Site, Login, Connection Type, Connection Options, Secret Note, Password, File, Alias, Certificate, Certificate password, Number, Expiration Date, CVV, PIN, Compliance profile
Table legend:
Information can be stored in this record type. Access to this information is not audited.
Information can be stored for this type of record. This information is encrypted when the record is saved. You need to enter the Access Code to access it. Access to this information is audited.
Information cannot be stored in this record type.
To create a record, the user must have the Create permission for the Safe Box into which the record will be created.
On the page of the Safe Box into which the record should be created, click the Add... button and select a record type in the context menu. A form for creating a new record is then displayed.
When creating the record, it is necessary to set a name. Other fields are optional. All values can be modified later.
The account name should characterize the purpose of stored data to work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The account name can be modified later.
Maximum length: 255 characters
Address, link or description of where the information stored in the account is used.
When the address is stored in a correct format (e.g. “https://192.168.1.231”), it appears as a link. For a location in a local network, you can use an IP address (e.g. “http://172.22.60.30”); for other websites, e-shops, etc., you can use a URL (e.g. “http://www.ebay.com”).
Addresses can also be stored in other formats, such as SSH (e.g. “ssh://admin@myserver.com”), FTP (e.g. “ftp://myserver.com”) and so on.
In the address field, it is possible to store a hostname or an IP address, and even a port. The port has to be separated from the host by a colon (e.g. “172.22.88.75:8876” or “test.tdp.cz:887”).
The address is an optional value.
Maximum length: 1000 characters
e.g., URL, hostname or IP address of the server where you use the stored password.
The login site is used to specify more precisely where the stored account can be used. The value of this field is used especially by the browser extension to control the visibility of an account.
For example, the stored account will be used to log in to Gmail. If the Address field is set to the URL “https://accounts.google.com” and the Login Site field is set to “google.com”, then the account will be visible in the browser extension for all Google login forms, even if the actual URL differs from “https://accounts.google.com”.
Maximum length: 1000 characters
The username that you use to log in.
Maximum length: 255 characters
The description should more specifically characterize an account.
Only one line of text can be stored in the description. A longer description can be stored as the note.
Maximum length: 2000 characters
Select the password settings that will be applied when generating a password:
A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.
Default password pattern for accounts where no password pattern is set.
Each letter in the pattern corresponds to a letter in the generated password.
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character; the next character is used as is (e.g. the pattern ‘\-‘ outputs ‘-‘ in the resulting password)
* – any allowed character
Default pattern is CVCVdddCVCCVdC (this might generate passwords such as: wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd‘, which might generate passwords such as ‘pass1762885‘ or ‘pass5687412‘.
Maximum length: 255 characters
The note field is intended for multiline information about the account. For example, the note can store a description of the account, a list of steps for logging in successfully, a description of the configuration and so on.
Maximum length: 4000 characters
Select the connection type. If the SecureAnyBox5 Launcher is installed, it is possible to open a connection directly from the account page. To create a connection, the SecureAnyBox5 Launcher needs to download the values of the Address and Login fields and the stored password from the record.
In the address field, it is possible to store a hostname or an IP address, and even a port. The port has to be separated from the host by a colon (e.g. “172.22.88.75:8876” or “test.tdp.cz:887”).
The compliance profile specifies requirements for password security that the passwords should adhere to. The Compliance report can be used to check whether the passwords meet the security requirements.
Maximum length: 2000 characters
The password you use to log in.
A password that you already have can be stored in this field, or you can generate a new one. The password can be generated by clicking the Generate password button. Generated passwords are safer and have no link to the person who made them (like a pet’s name, favorite actor or nickname).
Generated passwords are formatted according to the current password pattern. Generated passwords can be edited.
While editing the password, you can see how long your password is, how many lowercase letters, uppercase letters, digits or other symbols it contains, and how secure it is.
After saving an account record, the password is encrypted. The password can be decrypted only after entering the Access Code.
Maximum length: 255 characters
number of characters
number of lowercase letters
number of uppercase letters
number of digits
number of special characters
pointer how secure the password is
button for displaying the password
time to crack password offline
password entropy (the higher the better)
The secret account name should characterize the purpose of stored data to work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The secret account name can be modified later.
Maximum length: 255 characters
The login site is used to specify more precisely where the stored account can be used. The value of this field is used especially by the browser extension to control the visibility of an account.
For example, the stored account will be used to log in to Gmail. If the Address field is set to the URL “https://accounts.google.com” and the Login Site field is set to “google.com”, then the account will be visible in the browser extension for all Google login forms, even if the actual URL differs from “https://accounts.google.com”.
Maximum length: 1000 characters
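The Login Site matching described above for accounts and secret accounts, as an added Python example that is not SecureAnyBox5 code. The product’s exact rule is not given on the page; this assumes the page host must equal the Login Site or be a subdomain of it on a label boundary (so “google.com” matches “accounts.google.com” but not “evilgoogle.com”), and it assumes a fallback to the Address host when no Login Site is set. The account records in the usage are constructed sample data.

```python
"""Login Site matching for a browser extension (added example, not product code).

Assumption: a record is shown on a page when the page host equals the Login
Site or is a subdomain of it. Matching on a dot boundary is what prevents a
lookalike host such as evilgoogle.com from receiving the google.com record.
"""
from urllib.parse import urlsplit


def host_of(value):
    """Host part of a URL or bare host, lowercase, without userinfo or port.

    Bare values such as 'google.com' or '172.22.88.75:8876' get a scheme
    prepended so urlsplit treats them as a network location.
    """
    if "://" not in value:
        value = "https://" + value
    return (urlsplit(value).hostname or "").rstrip(".")


def matches_login_site(page_url, login_site):
    """True if the page host is the Login Site or one of its subdomains."""
    host = host_of(page_url)
    site = host_of(login_site)
    if not host or not site:
        return False
    # endswith("." + site) rather than endswith(site): label boundary matters.
    return host == site or host.endswith("." + site)


def visible_accounts(page_url, accounts):
    """Names of records (dicts with name/address/login_site) shown on a page.

    Assumed fallback: when no Login Site is set, the host of the Address field
    is used, so the record is only offered on exactly that host.
    """
    shown = []
    for acct in accounts:
        site = acct.get("login_site") or acct.get("address", "")
        if site and matches_login_site(page_url, site):
            shown.append(acct["name"])
    return shown


if __name__ == "__main__":
    # Constructed sample records, not real credentials.
    sample = [
        {"name": "gmail", "address": "https://accounts.google.com", "login_site": "google.com"},
        {"name": "ebay", "address": "http://www.ebay.com", "login_site": ""},
    ]
    for url in ("https://mail.google.com/u/0/", "https://evilgoogle.com/login", "https://www.ebay.com/signin"):
        print(url, "->", visible_accounts(url, sample))
```

The dot-boundary check is the part worth keeping when adapting this: a plain `endswith("google.com")` would surface the record on a phishing host, which is exactly the situation a per-site visibility rule exists to prevent.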
The description should more specifically characterize a secret account.
Only one line of text can be stored in the description. A longer text can be stored as the note.
Maximum length: 2000 characters
Maximum length of one tag: 32 characters
Select the password settings that will be applied when generating a password:
A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.
Password pattern used when generating the password for the secret account.
Each letter in the pattern corresponds to a letter in the generated password.
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character; the next character is used as is (e.g. the pattern ‘\-‘ outputs ‘-‘ in the resulting password)
* – any allowed character
Default pattern is CVCVdddCVCCVdC (this might generate passwords such as: wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd‘, which might generate passwords such as ‘pass1762885‘ or ‘pass5687412‘.
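The password pattern alphabet described in the list above (the same list is given for Safe Box Groups, Safe Boxes, accounts and secret accounts), as an added Python example that is not SecureAnyBox5 code. It parses a pattern, generates a password from it with a CSPRNG, checks an existing password against a pattern, and computes how many bits of unpredictability a pattern yields, which shows why the ‘\p\a\s\sddddddd‘ pattern is far weaker than the default despite similar length. The character sets are taken from the page’s list; that the product uses exactly these sets, and that the commas in the special-character list are separators rather than members, are assumptions.

```python
"""Pattern-based password generation (added example, not product code).

Character classes follow the list on this page. Assumptions: the product's
alphabets are exactly these, and the commas in the special-character list
are separators, not members of the set.
"""
import math
import secrets

LOWER_VOWELS = "aeiouy"
UPPER_VOWELS = LOWER_VOWELS.upper()
LOWER_CONSONANTS = "bcdfghjklmnpqrstvwxz"
UPPER_CONSONANTS = LOWER_CONSONANTS.upper()
DIGITS = "0123456789"
SPECIALS = ".@&*()<>_][%$#\\/?;-:"  # the 20 specials listed on the page
LETTERS = LOWER_VOWELS + UPPER_VOWELS + LOWER_CONSONANTS + UPPER_CONSONANTS

# Pattern character -> alphabet that position is drawn from.
CLASSES = {
    "v": LOWER_VOWELS,
    "V": LOWER_VOWELS + UPPER_VOWELS,
    "Z": UPPER_VOWELS,
    "c": LOWER_CONSONANTS,
    "C": LOWER_CONSONANTS + UPPER_CONSONANTS,
    "z": UPPER_CONSONANTS,
    "l": LOWER_VOWELS + LOWER_CONSONANTS,
    "A": LETTERS,
    "u": UPPER_VOWELS + UPPER_CONSONANTS,
    "d": DIGITS,
    "s": SPECIALS,
    "n": DIGITS + SPECIALS,
    "*": LETTERS + DIGITS + SPECIALS,
}


def parse_pattern(pattern):
    """Turn a pattern into one alphabet per output character.

    A backslash escapes the next character, which becomes a one-character
    alphabet (a literal). Any other character must be a known class.
    """
    slots = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape")
            slots.append(pattern[i + 1])
            i += 2
            continue
        if ch not in CLASSES:
            raise ValueError(f"unknown pattern character {ch!r}")
        slots.append(CLASSES[ch])
        i += 1
    return slots


def generate_password(pattern):
    """Draw one character per slot using the secrets module (CSPRNG), never random."""
    return "".join(secrets.choice(alphabet) for alphabet in parse_pattern(pattern))


def matches_pattern(pattern, password):
    """True if every character of password comes from its slot's alphabet."""
    slots = parse_pattern(pattern)
    return len(password) == len(slots) and all(
        ch in alphabet for ch, alphabet in zip(password, slots)
    )


def pattern_entropy_bits(pattern):
    """log2 of how many distinct passwords the pattern can produce.

    A literal contributes 0 bits: a fixed prefix like 'pass' adds length but
    no unpredictability, so 'pass' + 7 digits is only 10**7 possibilities.
    """
    return sum(math.log2(len(alphabet)) for alphabet in parse_pattern(pattern))


if __name__ == "__main__":
    for pat in ("CVCVdddCVCCVdC", r"\p\a\s\sddddddd"):
        print(pat, generate_password(pat), f"{pattern_entropy_bits(pat):.1f} bits")
```

The entropy figure is the useful by-product: the default pattern yields about 59.6 bits, while the ‘pass’ + seven digits example yields only 23.3 bits, because four of its eleven characters are fixed. A password preset with a minimum entropy, as the page describes, is the control that catches such patterns.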
Maximum length: 255 characters
This field is intended for multiline information about the secret account. For example, the note can store a description of the secret account, a list of steps for logging in successfully, a description of the configuration and so on.
Maximum length: 4000 characters
Select the connection type. If the SecureAnyBox5 Launcher is installed, it is possible to open a connection directly from the secret account page.
To create a connection, the SecureAnyBox5 Launcher needs to download the values of the Address and Login fields and the stored password from the secret account.
In the address field, it is possible to store a hostname or an IP address, and even a port. The port has to be separated from the host by a colon (e.g. 172.22.88.75:8876 or test.tdp.cz:887).
The compliance profile specifies requirements for password security that the passwords should adhere to. The Compliance report can be used to check whether the passwords meet the security requirements.
Address, link or description of where the information stored in the secret account is used.
When the address is stored in a correct format (e.g. “https://192.168.1.231”), it appears as a link. For a location in a local network, you can use an IP address (e.g. “http://172.22.60.30”); for other websites, e-shops, etc., you can use a URL (e.g. “http://www.ebay.com”).
Addresses can also be stored in other formats, such as SSH (e.g. “ssh://admin@myserver.com”), FTP (e.g. “ftp://myserver.com”) and so on.
The address is an optional value.
In the address field, it is possible to store a hostname or an IP address, and even a port. The port has to be separated from the host by a colon (e.g. 172.22.88.75:8876 or test.tdp.cz:887).
Unlike in an account, the address in a secret account is encrypted. The address can be decrypted only after entering the Access Code.
Maximum length: 1000 characters
The username that you use to log in.
Unlike in an account, the login in a secret account is encrypted. The login can only be decrypted after entering the Access Code.
Maximum length: 255 characters
The secret note field is intended for storing multiline information about the secret account. Unlike a note, the secret note is encrypted. The secret note can only be decrypted after entering the Access Code.
Maximum length: 4000 characters
Maximum length: 2000 characters
The password you use to log in.
A password that you already have can be stored in this field, or you can generate a new one. The password can be generated by clicking the Generate password button. Generated passwords are safer and have no link to the person who made them (like a pet’s name, favorite actor or nickname).
Generated passwords are formatted according to the current password pattern. Generated passwords can also be edited.
While editing the password, you can see how long your password is, how many lowercase letters, uppercase letters, digits or other symbols it contains, and how secure it is.
After saving a secret account record, the password is encrypted. The password can only be decrypted after entering the Access Code.
Maximum length: 255 characters
number of characters
number of lowercase letters
number of uppercase letters
number of digits
number of special characters
indicator of how secure the password is
button for displaying the password
time to crack the password offline
password entropy (the higher, the better)
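The indicators listed above (counts per character class, a strength rating, an offline crack-time estimate and an entropy value) can be computed as in the following added example. This is illustrative code, not SecureAnyBox5’s own strength meter: the entropy formula (length × log2 of the combined pool of character classes present), the rating thresholds, the offline guessing rate and the default minimum counts in Requirements are all assumptions. The same check also covers the Access Code requirements (required length and counts of lowercase, uppercase and digits) described at the start of the page.

```python
import math
import string
from dataclasses import dataclass

# Pool sizes per character class used for the entropy estimate (assumption: ASCII classes).
POOL_SIZES = {"lower": 26, "upper": 26, "digits": 10, "special": len(string.punctuation)}

# Assumed offline guessing rate for the crack-time estimate (not a product figure).
OFFLINE_GUESSES_PER_SECOND = 1e10


@dataclass(frozen=True)
class Requirements:
    """Minimum counts, in the spirit of the Access Code requirements (defaults are assumptions)."""
    length: int = 12
    lower: int = 1
    upper: int = 1
    digits: int = 1
    special: int = 0


def count_classes(password: str) -> dict:
    """What the indicators show: total length and the number of characters in each class."""
    return {
        "length": len(password),
        "lower": sum(1 for c in password if c.islower()),
        "upper": sum(1 for c in password if c.isupper()),
        "digits": sum(1 for c in password if c.isdigit()),
        "special": sum(1 for c in password if not c.isalnum()),
    }


def entropy_bits(password: str) -> float:
    """Entropy estimate: length * log2(size of the union of the character classes present)."""
    counts = count_classes(password)
    pool = sum(size for cls, size in POOL_SIZES.items() if counts[cls] > 0)
    return 0.0 if pool == 0 else counts["length"] * math.log2(pool)


def offline_crack_seconds(password: str, rate: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the keyspace must be searched."""
    return (2 ** entropy_bits(password)) / 2 / rate


def rating(bits: float) -> str:
    """Coarse label for the 'how secure' indicator (thresholds are assumptions)."""
    for limit, label in ((40, "weak"), (60, "fair"), (80, "strong")):
        if bits < limit:
            return label
    return "very strong"


def failed_requirements(password: str, req: Requirements) -> list:
    """Names of the requirements the password does not meet, in indicator order."""
    counts = count_classes(password)
    return [cls for cls in ("length", "lower", "upper", "digits", "special")
            if counts[cls] < getattr(req, cls)]


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):  # constructed sample inputs
        bits = entropy_bits(candidate)
        print(candidate, count_classes(candidate), f"{bits:.1f} bits", rating(bits),
              f"{offline_crack_seconds(candidate):.0f} s offline",
              "missing:", failed_requirements(candidate, Requirements()))
```

The entropy here is a keyspace estimate, which is why a generated password with no link to a person scores higher than a dictionary word of the same length: the meter only sees classes and length, so a real checker would additionally reject known leaked or dictionary passwords.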
The file name should describe the purpose of the stored data, so that you can work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The file name can be modified later.
Maximum length: 255 characters
The description should characterize the file more specifically.
The description can hold only one line of text. A longer description should be stored in the note field.
Maximum length: 2000 characters
Maximum length of one tag: 32 characters
This field is intended for multiline information about the file. For example, the note can hold a description of the file, a list of steps for using it and so on.
Maximum length: 4000 characters
In this field you can select a file that will be stored in this file record. Select the file from your computer or server by clicking the Browse... button.
After saving the record, the stored file is encrypted. The file can only be decrypted after entering the Access Code. After the file is decrypted, it can be downloaded or changed.
The secret note field is intended for multiline information about the file. Unlike a note, the secret note is encrypted. The secret note can only be decrypted after entering the Access Code.
Maximum length: 4000 characters
The certificate name should describe the purpose of the stored data, so that you can work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The certificate name can be modified later.
Maximum length: 255 characters
The description should characterize the certificate more specifically.
The description can hold only one line of text. A longer description should be stored in the note field.
Maximum length: 2000 characters
Maximum length of one tag: 32 characters
The note field is intended for multiline information about the certificate. For example, the note can hold a description of the certificate, a list of steps for using the certificate and so on.
Maximum length: 4000 characters
The alias is used as the name under which the certificate file is stored in the repository. After saving a certificate, the alias is encrypted. The alias can only be decrypted after entering the Access Code.
Maximum length: 255 characters
In this field you can select a keystore file (a certificate, a public or a private key) that will be stored in this record. Select the file from your computer or server by clicking the “Browse...” button.
After saving the record, the stored file is encrypted. The file can only be decrypted after entering the Access Code. After the file is decrypted, it can be downloaded or changed.
The password that is used with the certificate. The password can be generated by clicking the Generate password button. Generated passwords are safer and have no link to the person who made them (like a pet’s name, favorite actor or nickname).
Generated passwords are formatted according to the current password pattern. Generated passwords can also be edited.
After saving a certificate record, the password is encrypted. The password can only be decrypted after entering the Access Code.
Maximum length: 255 characters
The secret note field is intended for multiline information about the certificate. Unlike a note, the secret note is encrypted. The secret note can only be decrypted after entering the Access Code.
Maximum length: 4000 characters
The name should characterize the credit card, so that you can work more effectively and conveniently. For example, the name of the card can be the name of the bank, the name of the person or company that owns the card, etc.
Each name must be unique inside a single Safe Box.
The credit card name can be modified later.
Maximum length: 255 characters
The description should characterize the credit card more specifically.
The description can hold only one line of text. A longer description should be stored in the note field.
Maximum length: 2000 characters
Maximum length of one tag: 32 characters
The note field is intended for multiline information about the credit card. For example, the note can hold a description of the credit card, the currency of the card, which payments the card should be used for and so on.
Maximum length: 4000 characters
Credit card number. After saving a record, the number is encrypted. The number can only be decrypted after entering the Access Code.
Maximum length: 64 characters
The expiration date is the last day of the credit card’s validity. If the expiration date on the card is in the format MM/YY only, the card is valid until the last day of that month (e.g., 03/16 means March 31st, 2016, 06/19 means June 30th, 2019 and so on).
The CVV code is usually printed on the back side of your card. It is the code used when paying online with the credit card.
After saving a record, the CVV code is encrypted. The CVV code can only be decrypted after entering the Access Code.
Storing the CVV code is optional.
Maximum length: 64 characters
PIN code of the credit card.
After saving a record, the PIN code is encrypted. The PIN code can only be decrypted after entering the Access Code.
Storing the PIN code is optional.
Maximum length: 64 characters
The secret note field is intended for multiline information about the credit card. Unlike a note, the secret note is encrypted. The secret note can only be decrypted after entering the Access Code.
Maximum length: 4000 characters
To be able to edit a record, a user must have the Modify permission for the Safe Box in which the record is stored.
To modify a record, click the Edit button on the record’s page. After clicking, an edit form displays. In the edit form, it is possible to change any value of the record. To edit values in the Secured section of the form, it is necessary to enter the Access Code first. Only the passwords of account and secret account records are edited differently.
To edit an account’s or secret account’s password, click the Change password button on the record’s page.
To be able to change the record’s password, a user must have the Modify permission for the Safe Box in which the record is stored.
To change the record’s password, click the Change password button on the record’s page. After clicking, the form for entering a new password appears.
The password can be changed by entering a new password into the fields or by generating a new one. Generated passwords are formatted according to the current password pattern. Generated passwords can be edited.
A change of the record’s password has to be confirmed by entering the Access Code (unless the Access Code is cached). Have you forgotten the Access Code?
By clicking the Change password button, you can change passwords in account and secret account records only. A certificate password can be changed in the edit form of the certificate.
For each account and secret account, a password history is recorded. The password history displays after clicking the Password History button on the record’s page.
On the password history page, all of the record’s password changes are displayed in a table.
After clicking a row in the table and entering the Access Code, a user can view the password which was valid after that change. Have you forgotten the Access Code?
Each record can be copied, either as the same type of record or as a different type of record. To make a copy, click the Copy as ... button and select the record type.
When making a copy of a record, the field values are copied to the new record, if it is possible to save such values in the selected record type. The copy is created in the same Safe Box, so it is necessary to edit the name of the record.
After saving the copy, the original record is displayed, and the newly created record can be accessed by clicking its name in the displayed message.
For each record, you can turn on two types of watching: watching changes and watching accesses to encrypted information. If someone changes the watched record or accesses its encrypted information, an e-mail notification is sent to the user who watches the record (depending on the configuration of mail notifications).
The user can customize the notification settings in user preferences.
Watching settings are inheritable: if you watch changes in a Safe Box Group, you also watch changes in all Safe Boxes within the Safe Box Group, as well as changes in records within all those Safe Boxes.
Whether watching is set explicitly for a specific record or inherited from the parent level can be recognized by the color of the icon displayed next to the Watching... button.
Watching of changes is set explicitly for the record. Accesses are not watched.
Watching of changes is inherited from the parent level. Accesses are not watched.
Watching of accesses to encrypted data is set explicitly for the record. Changes are not watched.
Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watching of changes and accesses to encrypted data is set explicitly for the record.
Watching of changes is set explicitly for the record. Watching of accesses to encrypted data is inherited from the parent level.
Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for the record.
Watching of changes and accesses to encrypted data is inherited from the parent level.
By checking the Watching Changes or Watching Accesses field, the user immediately sets explicit watching of changes/accesses for the record.
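How the “explicit” and “inherited” states in the icon legend come about can be shown with a small resolver, added here as an illustration that is not SecureAnyBox5’s own code: each Safe Box Group, Safe Box or record carries only the flags checked on it, and the effective setting is found by walking up to the nearest parent that watches. The node names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    """A Safe Box Group, Safe Box or record with the watch flags checked on it explicitly."""
    name: str
    parent: Optional["Node"] = None
    watch_changes: bool = False   # Watching Changes checked on this node
    watch_accesses: bool = False  # Watching Accesses checked on this node


@dataclass(frozen=True)
class Effective:
    watched: bool
    explicit: bool          # True: set on the node itself; False: inherited (or not watched)
    source: Optional[str]   # name of the node the setting comes from, None if not watched


def resolve(node: Node, flag: str) -> Effective:
    """Walk from the node up through its parents to find where the flag is switched on."""
    if getattr(node, flag):
        return Effective(True, True, node.name)
    ancestor = node.parent
    while ancestor is not None:
        if getattr(ancestor, flag):
            return Effective(True, False, ancestor.name)
        ancestor = ancestor.parent
    return Effective(False, False, None)


def describe(node: Node) -> str:
    """Text in the style of the icon legend: explicit, inherited or not watched, per watch type."""
    parts = []
    for flag, label in (("watch_changes", "changes"),
                        ("watch_accesses", "accesses to encrypted data")):
        eff = resolve(node, flag)
        if not eff.watched:
            parts.append(f"{label[0].upper()}{label[1:]} are not watched.")
        elif eff.explicit:
            parts.append(f"Watching of {label} is set explicitly for {node.name}.")
        else:
            parts.append(f"Watching of {label} is inherited from {eff.source}.")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed hierarchy: the group watches changes, the record itself watches accesses.
    group = Node("Safe Box Group Finance", watch_changes=True)
    box = Node("Safe Box Payroll", parent=group)
    record = Node("record 'payroll-db'", parent=box, watch_accesses=True)
    for n in (group, box, record):
        print(f"{n.name}: {describe(n)}")
```

Unchecking the flag on the record alone does not stop the notifications if a parent level still watches, which is exactly what the inherited icon color is there to reveal.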
If the record (account and secret account only) has a connection type specified, it is possible to open the connection by clicking the Connect button. To open a connection, SecureAnyBox5 Launcher must be installed on your station.
If a username (login) and password are stored in the record, the user is connected to the target (server, station, etc.) automatically.
To be able to move a record, a user must have the Delete permission for the Safe Box in which the record is stored and the Create permission for the Safe Box into which the record will be moved. When moving, the record is effectively deleted from the original Safe Box and created in the target Safe Box.
To move the record, click the Move record button. After clicking, a list of locations to which the record can be moved displays.
In the list, the name of a Safe Box Group is blue; after clicking it, a list of the Safe Boxes stored in that Safe Box Group displays. If you want to move from a Safe Box Group back to the root level, click the first line with two dots.
The names of Safe Boxes are black; by clicking one, the user selects the Safe Box to which the record will be moved. Moving the record has to be confirmed by entering the Access Code. Have you forgotten the Access Code?
All record permissions are determined by the permissions of the Safe Box in which the record is stored. By moving the record, you may change even your own permissions, and you will not be able to return the record to the original Safe Box.
All record tags are specific to the domain in which the parent Safe Box is stored. By moving the record into a Safe Box stored in another domain, all record tags are deleted.
This option is available only if the currently logged-in user has an activated White Envelope. More about White Envelopes...
To be able to move a record into a White Envelope, a user must have the Delete permission for the Safe Box in which the record is stored. When moving, the record is effectively deleted from the original Safe Box and created in the White Envelope.
To move the record into a White Envelope, click the appropriate button.
Before the record is moved into a White Envelope, the user is asked to confirm the move by entering the Access Code. Have you forgotten the Access Code?
Moving a record into a White Envelope cannot be undone.
To be able to delete a record, a user must have the Delete permission for the Safe Box in which the record is stored. If the user has this permission, a cross icon is displayed at the specific record (at the end of the row).
A record can be deleted from the Safe Box page. To delete the record, click the cross icon at the end of its row. After clicking the cross icon, the user is asked to confirm the deletion. When confirmed, the record is deleted and is no longer displayed.
The user can immediately restore a deleted record by clicking Undo in the displayed message.
The user can edit the order of displayed records by pinning selected records to the top of the list.
To pin a record, click the pin icon in the row of the selected record and confirm the dialog.
After the record is pinned, it displays at the top of the list with a pin icon.
The order of pinned records can be managed in the form that displays after clicking the Edit pinned order button. To change the order of the pinned records, drag the selected record to the desired position.
To unpin the record, click the pin icon again and confirm the dialog. After unpinning, the record is displayed without the pin icon.
On the Search page, a user can search stored records (such as Safe Boxes, Safe Box Groups, Accounts, etc.) by their name, a specified tag or a field value. However, it is not possible to search records by a field value which is encrypted.
To initiate the search, start typing into a search field.
You can use regular expressions when searching.
The White Envelope is a special type of Safe Box intended for storing important information to which access must not be lost. If the user who stored data in the White Envelope is unavailable, Security Officers can access this information.
The White Envelope can store the same records as any other Safe Box: accounts, files, etc.
There are two ways to add records to White Envelopes: by creating new records in the White Envelope or by moving existing records from other Safe Boxes.
Users can change stored records, but cannot delete them.
Security Officers can delete White Envelopes and the records in them by enabling the editing mode.
To be able to use White Envelopes, at least the minimum count of Security Officers must be set.
Security Officer is a special type of user role. To set Security Officers, go to Users management and add the role in the user details form.
The minimum count of Security Officers depends on the settings in the SecureAnyBox5 configuration and in the domain. Please check how many Security Officers are needed.
After the Security Officers are set, it is possible to activate the White Envelope.
The White Envelope can only be activated if the minimum count of Security Officers is set. To activate the White Envelope, open the context menu by clicking the arrow next to the user’s name in the top right corner of the page and click the Activate White Envelope button.
For each White Envelope, it is possible to display the Security Officers who have access to it. To display them, click the Security Officers button on the White Envelope page.
On the Security Officers page, you can see which Security Officers have access to the White Envelope and their e-mail addresses. Above the table of Security Officers, the number of Security Officers who need to work together to perform actions with White Envelopes is displayed.
You can filter the displayed Security Officers by entering part of a name into the Filter field.
Only users with the Security Officer role can open the White Envelopes of other users.
If you need to view encrypted values of records in another user’s White Envelope, open the White Envelope. To open a White Envelope, the minimum count (two by default) of Security Officers have to enter their Access Codes.
The minimum count of Security Officers depends on the settings in the SecureAnyBox5 configuration and in the domain. Please check how many Security Officers are needed.
In an opened White Envelope, the Security Officers can view even the encrypted values of records, such as passwords, files, secret notes and so on.
Once the Security Officers finish their work with records in an opened White Envelope, they should close it. Security Officers can open and close the White Envelope repeatedly.
Security Officers can enable the editing mode and delete White Envelopes or records in them. To enable the editing mode, two of the Security Officers have to enter their Access Codes.
The minimum count of Security Officers depends on the settings in the SecureAnyBox5 configuration and in the domain. Please check how many Security Officers are needed.
When the editing mode is enabled, a first column with checkboxes is added to the tables of White Envelopes or records. The Security Officer selects which White Envelopes or records to delete by checking the appropriate rows in the table. After all White Envelopes or records to be deleted are selected, click the Delete selected button.
Deleted White Envelopes and records from them cannot be restored.
Once the Security Officers finish editing White Envelopes, the editing mode should be disabled. To disable the editing mode, click the appropriate button.
After a user with an active White Envelope resets their Access Code, the White Envelope needs to be recovered. Until the White Envelope is recovered, the user cannot view or change stored records or move records from other Safe Boxes into the White Envelope.
A White Envelope can be recovered by the minimum count of Security Officers.
If the count of Security Officers dropped below the minimum and new Security Officers were added, the owners of White Envelopes have to reactivate them before they can work with them.
To reactivate the White Envelope, go to the White Envelope page and confirm the warning message. When the message is confirmed, enter the Access Code. After the Access Code is entered, the White Envelope is successfully reactivated.
If the user has a private key backed up in a White Envelope, it is possible to restore their Access Code. To reset the Access Code, Security Officers must first open the White Envelope. Once the White Envelope is opened and the private key backup is stored in the White Envelope, the Recover Access Code button appears in the menu of the White Envelope.
After clicking the button, the Security Officer is asked to confirm that they want to recover the Access Code of the owner of the White Envelope.
After confirming that the Security Officer wants to perform the Access Code recovery, the currently logged-in user is asked to enter their Access Code. Afterwards, it is possible to set a new Access Code for the owner of the White Envelope.
There are two reasons for initializing Security Officers: a user became a new Security Officer, or a current Security Officer reset their Access Code.
Only two other Security Officers can initialize a Security Officer. To initialize Security Officers, click the Initialize Security Officers button. After that, two of the Security Officers have to enter their Access Codes.
After successful initialization, the Security Officer has access to the White Envelopes of other users and may perform all operations with White Envelopes like the other Security Officers (open, close or recover a White Envelope, or initialize a Security Officer).
If a Security Officer is deleted and the count of Security Officers is no longer sufficient (below the threshold set in the domain), it is necessary to add new Security Officers. After new Security Officers are added, the current Security Officers need to initialize the new ones in order to share the White Envelope key parts.
If a Security Officer is deleted and the count of Security Officers is below the minimum (set in the domain), it is necessary to set new Security Officers.
All White Envelopes have been reset. Reactivating them is necessary.
If a Security Officer has been deleted and then re-added, it is necessary to set them as a Security Officer again. After the user has the Security Officer role set, they can be initialized.
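The threshold behaviour described in this section (a minimum count of Security Officers must act together, and a newly added officer is “initialized” by existing officers so that the key parts are shared) is the shape of a k-of-n threshold scheme. The following added example demonstrates it with Shamir secret sharing over a prime field; it is an illustration of the concept, not SecureAnyBox5’s actual key-sharing mechanism, which the page does not describe. The field prime, the share indices and the sample key are assumptions.

```python
import secrets

# Field prime for the arithmetic (assumption: a 127-bit Mersenne prime, enough for a 16-byte key).
PRIME = 2 ** 127 - 1


def _poly_eval(coeffs, x):
    """Evaluate the polynomial with the given coefficients (lowest degree first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _lagrange_at(shares, x):
    """Value at x of the unique polynomial through the given (x_i, y_i) points, mod PRIME."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_key(key, officers, threshold):
    """Split the envelope key into one share per Security Officer; any `threshold` of them recover it."""
    if not 0 <= key < PRIME:
        raise ValueError("key must be an integer below PRIME")
    if not 1 <= threshold <= officers:
        raise ValueError("threshold must be between 1 and the number of officers")
    # The key is the constant term; the remaining coefficients are random, so fewer than
    # `threshold` shares leave every key value equally likely.
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, officers + 1)]


def _distinct(shares, threshold):
    """Keep one share per officer index and refuse to proceed below the threshold."""
    distinct = {}
    for x, y in shares:
        distinct[x] = y
    if len(distinct) < threshold:
        raise ValueError("not enough Security Officers: %d of %d" % (len(distinct), threshold))
    return list(distinct.items())[:threshold]


def recover_key(shares, threshold):
    """Open the envelope: reconstruct the key from at least `threshold` distinct shares."""
    return _lagrange_at(_distinct(shares, threshold), 0)


def initialize_officer(shares, threshold, new_x):
    """Give a newly added officer a share of the existing key (needs `threshold` current officers)."""
    if new_x <= 0 or any(x == new_x for x, _ in shares):
        raise ValueError("new officer needs an unused, positive share index")
    return (new_x, _lagrange_at(_distinct(shares, threshold), new_x))


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed sample envelope key
    shares = split_key(key, officers=5, threshold=2)      # five officers, two needed
    print("two officers open it:", recover_key([shares[3], shares[0]], 2) == key)
    sixth = initialize_officer([shares[1], shares[4]], 2, new_x=6)
    print("new officer plus one old one:", recover_key([sixth, shares[2]], 2) == key)
```

Two properties map directly onto the text: with threshold 2 any pair of officers opens the envelope, and a single officer, or a deleted officer whose share is gone, cannot; and initializing a new officer requires a threshold of existing officers, because only they can evaluate the shared polynomial at a fresh index.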
On the Downloads page, you can download SecureAnyBox5 Importer, SecureAnyBox5 Launcher, web extensions, SecureAnyBox5 Manager plugins for FAR and Total Commander, and a trial version of the CBT client.
SecureAnyBox5 Importer is a utility intended for importing records from CSV files and KeePass. From KeePass, it is possible to import records from kdb, kdbx, and xml files.
When importing records from a CSV file, it is necessary to map account fields to columns in the CSV file. After the CSV file is selected, the Field map displays. When the mapping of columns to the appropriate fields is finished, it is possible to save the map for later use.
When importing records from KeePass, it is possible to choose a record type and view record values by double-clicking a record row in the Import preview.
After clicking the Import button, it is necessary to log in to the SecureAnyBox5 server (and enter the 2FA code if required), enter the Access Code, and select the Safe Box into which the records will be imported. After the import is performed, an import report displays.
SecureAnyBox5 Launcher is an MS Windows application. It is used to open connections from (secret) accounts in Safe Boxes and for communication between web extensions and the SecureAnyBox5 server.
SecureAnyBox5 Launcher is an MS Windows application (.NET Framework 4.5.2 or higher required) delivered as an msi package. After installation, the application runs in the system tray and registers the custom URI scheme for sab:// links from the SecureAnyBox5 web interface.
In a SecureAnyBox5 account or secret account, you can set the connection type (RDP/SSH/SCP/SFTP/TELNET/WINBOX/RASDIAL). After clicking the Connect button on the (secret) account page where the connection type is set, the web browser passes a custom URI (sab://) to SecureAnyBox5 Launcher.
Depending on the URI value, SecureAnyBox5 Launcher selects the appropriate plugin (currently PuTTY for SSH, WinSCP for SCP/SFTP, MikroTik Winbox for WINBOX, and Remote Desktop for RDP). SecureAnyBox5 Launcher then downloads the account data using a one-time token received in the URI and starts the selected plugin.
To create a connection, SecureAnyBox5 Launcher needs to download the values of the Address and Login fields and the stored password from the account.
The address field can hold a hostname or an IP address, optionally with a port. The port has to be separated from the host by a colon (e.g., "172.22.88.75:8876" or "test.tdp.cz:887").
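The Address field accepts the two shapes described on this page and in the secret account field description above: a link-style address with a scheme (https://…, ssh://user@host, ftp://…) and a bare host or host:port for the Launcher to connect to. The parser below is an added example of validating both shapes before handing the value to a connection plugin; it is not SecureAnyBox5’s or the Launcher’s own code. The set of accepted schemes, the bracketed IPv6 handling and the rejection of user@host without a scheme are assumptions; the 1000-character limit is the field limit stated on the page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Schemes shown on the page as link-style addresses plus the Launcher connection types (assumption).
LINK_SCHEMES = {"http", "https", "ssh", "ftp", "sftp", "scp", "telnet", "rdp"}
MAX_ADDRESS_LENGTH = 1000  # field limit stated on the page


@dataclass(frozen=True)
class Address:
    scheme: Optional[str]   # None for a bare "host" or "host:port"
    user: Optional[str]     # e.g. "admin" in ssh://admin@myserver.com
    host: str
    port: Optional[int]

    @property
    def is_link(self) -> bool:
        """Addresses with a scheme are the ones the web interface renders as a link."""
        return self.scheme is not None


def _parse_port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def _split_host_port(hostport: str) -> Tuple[str, Optional[int]]:
    """Split 'host' or 'host:port'; IPv6 literals must be bracketed, e.g. '[::1]:22' (assumption)."""
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        rest = hostport[end + 1:]
        if rest == "":
            return hostport[1:end], None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        return hostport[1:end], _parse_port(rest[1:])
    if hostport.count(":") > 1:
        raise ValueError("bare IPv6 literal must be bracketed")
    host, sep, port = hostport.partition(":")
    return host, (_parse_port(port) if sep else None)


def parse_address(value: str) -> Optional[Address]:
    """Parse the Address field: None for the optional empty value, ValueError if malformed."""
    value = value.strip()
    if value == "":
        return None
    if len(value) > MAX_ADDRESS_LENGTH:
        raise ValueError("address exceeds the field limit")
    if "://" in value:
        parts = urlsplit(value)
        scheme = parts.scheme.lower()
        if scheme not in LINK_SCHEMES or not parts.hostname:
            raise ValueError(f"unsupported or host-less address: {value!r}")
        return Address(scheme, parts.username, parts.hostname, parts.port)
    # Bare form: only host or host:port, so a user name or path cannot be smuggled in.
    if any(ch in value for ch in "/@ "):
        raise ValueError("bare addresses hold only host or host:port")
    host, port = _split_host_port(value)
    if host == "":
        raise ValueError("missing host")
    return Address(None, None, host, port)


if __name__ == "__main__":
    for sample in ("https://192.168.1.231", "ssh://admin@myserver.com", "172.22.88.75:8876",
                   "test.tdp.cz:887", "[::1]:22", ""):
        print(repr(sample), "->", parse_address(sample))
```

Rejecting malformed values at this point matters because the parsed host and port are what the connection plugin receives; a value such as host:99999 or an unbracketed IPv6 literal would otherwise fail (or be misread) only at connect time.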
The locations of WinSCP, MikroTik Winbox, and PuTTY are detected automatically in Program Files but can be set manually in the SecureAnyBox5 Launcher settings. To open the SecureAnyBox5 Launcher settings, left-click the SecureAnyBox5 Launcher icon in the system tray and click Settings in the displayed context menu.
In the SecureAnyBox5 Launcher Settings, you can edit the settings for Web extensions, change the location of WinSCP, MikroTik WinBox, and PuTTY, set the size of the Remote Desktop window, and adjust the clipboard or printer settings.
If the SecureAnyBox5 server uses an SSL certificate that is not trusted in Windows, a window warning about the potential security risk is displayed when Launcher connects to the server. This may be because the certificate is signed by a certification authority that is not trusted in Windows, or because it is self-signed.
Please check with your administrator first to verify that the certificate is valid (e.g., a self-signed certificate). If so, you can accept it and approve the exception by clicking the I have verified that this is a valid certificate button and then the Accept button. If you do not want this warning to appear again, you can permanently approve the exception by selecting the Accept this certificate permanently checkbox.
If this warning suddenly appears, and you have used Launcher before, it is very likely a security incident. In this case, do not approve the exception and contact your administrator!
Previously accepted exceptions can be reset in the Launcher settings, in the Web Extension section, by clicking the Reset certificate exceptions button. This removes only the exceptions accepted in SecureAnyBox5 Launcher. Other certificate exceptions that you may have approved on your system or in browsers remain.
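The decision behind the certificate warning (no warning for an OS-trusted chain, a prompt on first contact with an untrusted certificate, silent acceptance of an exception already approved, and an alarm when the certificate for a known server suddenly differs) can be written out as in the added example below. It is illustrative code, not SecureAnyBox5 Launcher’s implementation: it pins the SHA-256 fingerprint of the accepted certificate per server, keeps permanent and session-only exceptions apart, and offers a reset that forgets all of them. The server name, the certificate bytes and the chain_trusted flag are constructed inputs; fetch_server_cert_der shows how a real DER certificate would be obtained and is not used offline.

```python
import hashlib
import ssl
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated as browser UIs show it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents (network call; not used in the offline demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class ExceptionStore:
    """Certificate exceptions per server: permanent ones survive a restart, session ones do not."""

    def __init__(self) -> None:
        self.permanent: Dict[str, str] = {}
        self.session: Dict[str, str] = {}

    def accept(self, host: str, cert_der: bytes, permanent: bool = False) -> None:
        """The user verified the certificate with the administrator and approved the exception."""
        target = self.permanent if permanent else self.session
        target[host] = fingerprint(cert_der)

    def pinned(self, host: str) -> Optional[str]:
        return self.permanent.get(host) or self.session.get(host)

    def reset(self) -> None:
        """Equivalent of 'Reset certificate exceptions': forget every exception held here."""
        self.permanent.clear()
        self.session.clear()

    def restart(self) -> None:
        """Session-only exceptions are forgotten when the client restarts."""
        self.session.clear()


def evaluate(host: str, cert_der: bytes, chain_trusted: bool, store: ExceptionStore) -> str:
    """
    Classify the certificate a server presented:
      'trusted'  - the OS trust store validates the chain; no warning.
      'accepted' - not OS-trusted, but the user already accepted exactly this certificate.
      'changed'  - an exception exists for this server, yet the certificate differs:
                   do not auto-accept; the user must verify with the administrator again.
      'unknown'  - first contact with an untrusted certificate: ask the user to verify it.
    """
    if chain_trusted:
        return "trusted"
    pinned = store.pinned(host)
    if pinned is None:
        return "unknown"
    return "accepted" if pinned == fingerprint(cert_der) else "changed"


if __name__ == "__main__":
    store = ExceptionStore()
    server = "sab.example.internal"                    # constructed server name
    cert_v1, cert_v2 = b"constructed-cert-1", b"constructed-cert-2"  # stand-ins for DER bytes
    print(evaluate(server, cert_v1, False, store))     # unknown -> prompt the user
    store.accept(server, cert_v1, permanent=True)
    print(evaluate(server, cert_v1, False, store))     # accepted
    print(evaluate(server, cert_v2, False, store))     # changed -> possible incident
```

A legitimate renewal of a self-signed certificate produces the same 'changed' result as an interception attempt, which is why the page tells the user to check with the administrator rather than approve the new exception on sight.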
Part of the SecureAnyBox5 Launcher configuration can be enforced by setting it in the Windows registry (HKLM).
When SecureAnyBox5 Launcher starts, settings are loaded first from the Launcher and then from the Windows registry (HKLM). Setting values are overwritten as they load, so the last loaded value is used.
In the Windows registry, it is possible to store all Web extension settings and the RDP gateway.
Launcher settings keys are stored in HKEY_LOCAL_MACHINE\SOFTWARE\TDP\SecureAnyBox Launcher. For a list of keys and recommended values, download the README file.
Download: README file for Launcher configuration enforced by the Windows registry
You can also download a registry example file and edit the key values in the file. After the file is edited, run it.
Download: Windows registry example file
SecureAnyBox5 browser extensions simplify logging in to accounts on websites using the accounts stored in SecureAnyBox5.
If the extension recognizes the login fields on a web page, it offers the user to fill in credentials from one of the accounts saved in SecureAnyBox5. The extension also allows users to create accounts with login information directly from the website where they will be used.
The browser extension communicates with SecureAnyBox5 Launcher, which communicates with the SecureAnyBox5 server, so to be able to work with browser extensions, it is necessary to have SecureAnyBox5 Launcher (minimum version 2.0.0.x) installed as well.
Download the Firefox extension to your computer and drag and drop it into the Firefox window.
Confirm the installation of the extension by clicking the Add button.
The SecureAnyBox5 extension for Firefox is successfully installed.
On the Downloads page, click the Chrome Extension for SecureAnyBox5 link and install the web extension from the Chrome web store.
When accessing a web page with a login form, the SecureAnyBox5 vault icon appears in the password entry field, for example at paypal.com.
After clicking the vault icon, a login window appears asking you to log on to the SecureAnyBox5 server. Launcher remembers a successful login until restart, logout, or session timeout, if one is set on the server.
Note: When you use the extension for the first time, you may first see the SecureAnyBox5 Server Address window. Use the same address you use to access the SecureAnyBox5 web interface.
If KeyShield SSO login is configured on the SecureAnyBox5 server and the user is logged in to KeyShield, this part of the authentication is performed automatically.
If the user has two-factor authentication set, the second-factor code is requested after login.
After successful authentication to the SecureAnyBox5 server, a window appears with a list of records that can be used to log in to the web service. All relevant accounts from all Safe Boxes to which the user has access are displayed.
Accounts are displayed ranked by relevance, calculated from data stored by SecureAnyBox5. The default search is based on the URLs in the Address and Login Site fields. If the relevant account is stored in SecureAnyBox5 but does not have a URL filled in the appropriate fields, it is still possible to search for it manually by entering a search term (e.g., name, description, etc.) into the Find field.
After selecting the account (by double-clicking, pressing Enter, or selecting and clicking OK), you are asked to enter the Access Code.
The Access Code can be temporarily cached by Launcher (see Settings), so the Access Code will not be required for repeated accesses within the time limit.
After entering a valid Access Code, the launcher fills in the selected credentials to the login fields.
If the login is divided into several steps (e.g., Google account, etc.), or if the password field is non-standard and does not display the extension icon, you can use the context menu instead of clicking the icon. The context menu is displayed by right-clicking in the user name or password field.
Under the SecureAnyBox5 section, the Fill username and Fill password options are available (in both cases, the record selection dialog is displayed). If a record has already been used on this page, additional options are available: “Enter username for...” and “Enter password for...”
Using the context menu, it is possible to create a new account directly from the website, without having to use the SecureAnyBox5 web interface.
In the context menu, click Add account to display a form with a pre-filled Name, Address, and Login Site.
In the Create in Safe Box field, select the Safe Box in which you want to create the new account by clicking the button with three dots.
In the Username field, enter the username.
In the Password and Repeat password fields, enter the password. In addition to manual entry, the password can be generated.
When generating the password, it is possible to choose from 2 preset modes: Very strong (the password is generated from all characters) and Strong (special and easily interchangeable characters are omitted).
If you need to meet specific password requirements (number of characters or digits, special characters, etc.), you can create your own generating rule by clicking the gear button next to the Generate button.
When all values are set, the account can be saved by clicking the OK button. Depending on the settings for remembering the Access Code, it may be necessary to enter the Access Code again.
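The two preset modes and the custom generating rule described above can be modelled as in this added example, which is not the extension’s or Launcher’s own generator: a Rule carries the length, the minimum count per character class and whether special or easily confused characters are allowed; Very strong draws from everything, Strong drops special and ambiguous characters. The preset lengths, the minimum counts and the AMBIGUOUS character set are assumptions. Passwords are drawn with the secrets module, which is the right source for credentials.

```python
import secrets
import string
from dataclasses import dataclass

# Characters that are easy to confuse when read or typed (assumption; not the product's list).
AMBIGUOUS = set("0O1lI|5S2Z8B")


@dataclass(frozen=True)
class Rule:
    """A generating rule: total length, minimum per class, and which classes are allowed."""
    length: int = 16
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_special: int = 0
    allow_special: bool = True
    drop_ambiguous: bool = False


# The two preset modes named on the page (lengths and minimums are assumptions).
VERY_STRONG = Rule(length=20, min_special=1)
STRONG = Rule(length=20, allow_special=False, drop_ambiguous=True)


def _pools(rule: Rule) -> dict:
    """Character pool per class after applying the rule's restrictions."""
    strip = AMBIGUOUS if rule.drop_ambiguous else set()
    return {
        "lower": [c for c in string.ascii_lowercase if c not in strip],
        "upper": [c for c in string.ascii_uppercase if c not in strip],
        "digits": [c for c in string.digits if c not in strip],
        "special": [c for c in string.punctuation if c not in strip] if rule.allow_special else [],
    }


def generate(rule: Rule) -> str:
    """Generate a password that satisfies the rule: forced minimums first, then random fill, then shuffle."""
    pools = _pools(rule)
    minimums = {"lower": rule.min_lower, "upper": rule.min_upper,
                "digits": rule.min_digits, "special": rule.min_special}
    if sum(minimums.values()) > rule.length:
        raise ValueError("minimum counts exceed the password length")
    if minimums["special"] and not pools["special"]:
        raise ValueError("special characters required but not allowed by the rule")
    chars = [secrets.choice(pools[cls]) for cls, n in minimums.items() for _ in range(n)]
    everything = [c for pool in pools.values() for c in pool]
    chars += [secrets.choice(everything) for _ in range(rule.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which positions were the forced ones
    return "".join(chars)


def satisfies(password: str, rule: Rule) -> bool:
    """Check a (possibly hand-edited) password against the rule it was generated for."""
    pools = _pools(rule)
    allowed = {c for pool in pools.values() for c in pool}
    if len(password) != rule.length or any(c not in allowed for c in password):
        return False
    counts = {cls: sum(1 for c in password if c in pool) for cls, pool in pools.items()}
    return (counts["lower"] >= rule.min_lower and counts["upper"] >= rule.min_upper
            and counts["digits"] >= rule.min_digits and counts["special"] >= rule.min_special)


if __name__ == "__main__":
    for name, rule in (("Very strong", VERY_STRONG), ("Strong", STRONG),
                       ("custom", Rule(length=12, min_digits=3, min_special=2))):
        pw = generate(rule)
        print(f"{name:11} {pw}  ok={satisfies(pw, rule)}")
```

Because generated passwords can be edited afterwards, satisfies is the check to run on the edited value before saving; the forced-minimum-then-shuffle construction slightly favours the required classes over a uniform draw, which is the usual trade-off for guaranteeing a rule.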
The SecureAnyBox5 Manager plugin allows you to work with data in Safe Boxes via Total Commander.
Open the zip file in Total Commander (64-bit version). Total Commander automatically detects that it is a plugin and guides you through the installation. All dialog boxes have to be confirmed (Yes / OK).
After the SecureAnyBox5 Manager plugin is installed, the SecureAnyBox5 directory is available as a Network Neighborhood place. To open the directory for the first time, it is necessary to enter the SecureAnyBox5 server address, login information, etc. The next time the connection is opened, the user is asked to enter the password only.
Select “Network Neighborhood” as a disk drive.
The SecureAnyBox5 directory is now available as a Network Neighborhood place.
Each time you access the plugin directory, a new directory named SecureAnyBox5-hh.mm.ss (where hh.mm.ss is the current time) is created.
In this directory, you have to create a connection to the SecureAnyBox5 server using the F7 key.
As a first step, enter a connection name.
In the next step, enter the SecureAnyBox5 URL address. (The address can be obtained from any Safe Box detail via the menu Import... > Copy SecureAnyBox5 address.)
Next, enter the user name of the user who will connect to SecureAnyBox5 and the domain name. If you are using only one domain (the default System domain), you do not have to enter its name.
The newly created connection is displayed as a folder.
You can view the saved connection details by pressing Alt + Enter.
The connection to the server is made by entering the connection folder (a password will be requested). After entering the password, a list of Safe Boxes is displayed.
Enter - Copies the password of an account, secret account or credit card record to the clipboard.
The plugin allows you to edit a file or certificate in the program associated with that file type. After the modified file is saved, a new version of the file is created.
Alt+Enter - Displays the properties of an account, secret account, etc.
F3 View - Displays the file if the record is a File or Certificate.
F4 Edit - Edits the file if the record is a File or Certificate.
F5 Copy - Copies file(s) or certificate(s) from/to SecureAnyBox5. Only File and Certificate records can be copied.
F6 Move - Moving is not supported.
F7 New Folder - Only in the connection overview. Creates a new connection and writes its data (connection name, URL, domain and username) to the registry.
The plugin does not create new records.
F8 Delete - Deleting records is not supported.
At the Deleted records page, a user can manage deleted records (Safe Boxes, Safe Box Groups, Accounts, etc.).
Deleted records can be permanently removed or restored to their original location.
You can permanently remove several records at once by selecting them and clicking the Remove selected button. The button is displayed only when some deleted records are selected. Removing the selected records has to be confirmed.
Selected deleted records can be restored by clicking the Restore selected button. The button is displayed only when some deleted records are selected.
A deleted record can also be restored to its original location by clicking the restore icon at the end of its row. Restoring the record has to be confirmed.
The Audit log page displays a log of user actions in Safe Boxes, Safe Box Groups, White Envelopes and all records inside them. Depending on the user role, either only the actions of the currently logged-in user or the actions of all users are shown.
Users can filter the displayed actions by entering text into the search field. The search covers the values of the IP, User and Action columns.
The filtered audit log can be exported by clicking the Download button.
The audit log can be refreshed manually by clicking the Refresh button, or automatically by clicking the Enable autorefresh button. Automatic refresh can be turned off by clicking the Disable autorefresh button.
Clicking the Select Safe Box button filters the audit log to a specific Safe Box. Once a Safe Box is selected, only data for that Safe Box is shown. To show only the data for one specific record in the selected Safe Box, click the Select record button.
All audit log events are specified in an Overview of Audited Events
The Access to Records report shows all records for which the selected user has entered the Access Code to view encrypted values. To run the report, select a user.
Records to which the currently logged-in user has no access are not displayed in the results, even if the selected user accessed them. To view all records the selected user accessed, use the report with the same name in the Audit part.
In the results, you can click a record name. The record page opens in a new tab, where you can check the details or even change the encrypted values. If the password has since changed, the record is no longer displayed in the results for the selected user, because that user has not accessed the changed password.
To refresh the results, click the Refresh button.
The Access to Safe Box report shows all records in the selected Safe Box for which users have entered the Access Code to view encrypted values.
Safe Boxes to which the currently logged-in user has no access cannot be selected in this report. To see results for any Safe Box (even a private one) within the logged-in user's domain, use the report with the same name in the Audit part.
In the results, you can click a record name. The record page opens in a new tab, where you can check the details or even change the encrypted values. If the password has since changed, the users who accessed the record are no longer displayed in the results, because they have not accessed the changed password.
To refresh the results, click the Refresh button.
The Watching report displays the Safe Box Groups, Safe Boxes and records that the currently logged-in user is watching at the selected level.
The following icons distinguish whether watching is set explicitly or inherited from the parent level:
- Watching of changes is set explicitly for that level. Accesses are not watched.
- Watching of changes is inherited from the parent level. Accesses are not watched.
- Watching of accesses to encrypted data is set explicitly for that level. Changes are not watched.
- Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
- Watching of changes and accesses to encrypted data is set explicitly for that level.
- Watching of changes is set explicitly for that level. Watching of accesses to encrypted data is inherited from the parent level.
- Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for that level.
- Watching of changes and accesses to encrypted data is inherited from the parent level.
If the selected Safe Box inherits watching of accesses and/or changes from its Safe Box Group, the Safe Box Group is also displayed in the results for the selected Safe Box.
The Permissions report displays the permissions of the selected user to all Safe Boxes, Safe Box Groups and the domain's root level. The results are filtered by the permissions of the currently logged-in user: the logged-in user only sees the selected user's permissions for those Safe Boxes, Safe Box Groups and the domain root level for which the logged-in user also has permissions.
To display results, click the Select user button and wait for the list of users. In the displayed list, select the user whose permissions you want to display.
The following icons distinguish the level for which permissions are set:
- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box
To manage permissions for a specific level, click its name in the results. The Sharing & Permissions page for that level opens in a new browser tab, where permissions for other users can be managed.
The Permission Templates Assignment report shows all permission templates set for the selected user tag. The results are filtered by the permissions of the currently logged-in user: the logged-in user only sees permission templates for those Safe Box Groups and Safe Boxes for which the logged-in user has permissions.
To display results, click the Select user tag button and wait for the list of user tags. In the displayed list, select the user tag for which you want to see results.
The following icons distinguish the level for which permissions are set:
- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box
The Passwords Audit report displays all records that the logged-in user has access to and, for the passwords of those records, computes the password entropy and the time needed to crack the password, and warns about duplicate passwords.
To display results, select the level of the audit:
Once the audit level is selected, the user is prompted to enter the Access Code. Have you forgotten the Access Code?
After the Access Code is entered, SecureAnyBox5 checks all records that can be decrypted with the entered Access Code, obtains their passwords and computes the report results.
To calculate password entropy and the other values, SecureAnyBox5 uses the password strength estimator nbvcxz. The estimator is inspired by password crackers: the password is run through different algorithms that look for matches in any part of it against word lists (with fuzzy matching), common dates, common years, spatial (keyboard) patterns, repeated characters, repeated sets of characters and alphabetic sequences.
Each of these represents a way in which an attacker may try to crack the password. More information...
The password entropy calculation is more accurate if custom password dictionaries are added.
We strongly recommend adding a dictionary of the commonly used passwords in your language, a dictionary of the names of towns and streets in your area, and so on. You should also add the default passwords used by your company to the dictionaries.
A password dictionary is usually a .txt file with one word per line. If you cannot find a suitable password dictionary, you can create one yourself.
There are two types of password dictionaries, ranked and unranked:
Password dictionaries need to be added to the "<SecureAnyBox5 folder>/files/dictionaries/<type of dictionary>" folder.
Examples:
You want to add a dictionary with the names of cities and streets near you. All names are in a text file, each on a single line. In that case the dictionary is unranked (it does not matter whether the names are in alphabetical order or not). Add the dictionary to the unranked folder inside the dictionaries folder (e.g., “C:\SecureAnyBox\files\dictionaries\unranked\”).
You want to add a dictionary of the most common passwords, ordered by frequency of use. In that case the dictionary is ranked. Add the dictionary to the ranked folder inside the dictionaries folder (e.g., “C:\SecureAnyBox\files\dictionaries\ranked\”).
After dictionaries are added, SecureAnyBox5 has to be restarted. After the restart, the dictionaries are used in the password entropy calculation.
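An added example (not SecureAnyBox5 code) that writes dictionaries into the folder layout described above: a ranked dictionary built from a "word count" frequency file, sorted by descending frequency and de-duplicated without disturbing that order, since the rank is the line position, and an unranked dictionary that is simply de-duplicated and sorted. The sample lists and the target folder are constructed for the example; SecureAnyBox5 still has to be restarted after the files are placed.

```python
import os
from collections import Counter

DICT_DIR = os.path.join("files", "dictionaries")     # relative to the SecureAnyBox5 folder


def clean_words(lines):
    """One entry per line: strip surrounding whitespace and skip empty lines."""
    for line in lines:
        entry = line.strip()
        if entry:
            yield entry


def ranked_from_counts(lines):
    """Turn 'word count' lines (count optional) into a ranked list: most frequent
    first, each word once. The line position is the rank, so the order returned
    here must be kept when the file is written. A password that itself ends in a
    space and digits would be misread as 'word count'; such lists need quoting."""
    counts = Counter()
    for entry in clean_words(lines):
        word, _, count = entry.rpartition(" ")
        if word and count.isdigit():
            counts[word.strip()] += int(count)
        else:
            counts[entry] += 1           # no count given: one occurrence
    return [word for word, _ in counts.most_common()]


def unranked(lines):
    """Order carries no meaning; keep one copy of each entry."""
    return sorted(set(clean_words(lines)))


def write_dictionary(words, kind, name, sab_folder):
    """Write one word per line to <sab_folder>/files/dictionaries/<kind>/<name>.txt."""
    if kind not in ("ranked", "unranked"):
        raise ValueError("kind must be 'ranked' or 'unranked'")
    folder = os.path.join(sab_folder, DICT_DIR, kind)
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, name + ".txt")
    with open(path, "w", encoding="utf-8") as fh:
        for word in words:
            fh.write(word + "\n")
    return path


# Constructed sample input: a frequency list and a list of place names
SAMPLE_COUNTS = ["123456 23597311", "password 3579489", "qwerty 3028079",
                 "123456 10", "", "Summer2019 57"]
SAMPLE_PLACES = ["Praha", "Brno", "Praha", " Ostrava ", ""]

if __name__ == "__main__":
    import sys
    sab_folder = sys.argv[1] if len(sys.argv) > 1 else "."
    print(write_dictionary(ranked_from_counts(SAMPLE_COUNTS), "ranked", "common-passwords", sab_folder))
    print(write_dictionary(unranked(SAMPLE_PLACES), "unranked", "places", sab_folder))
```

Run it with the SecureAnyBox5 folder as the only argument; it creates the ranked and unranked subfolders if they do not exist yet.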
When loaded, the results display the Safe Box Groups and Safe Boxes stored at the root level. By clicking the plus icon, you can see more detailed results: each Safe Box inside a Safe Box Group, or each account and secret account inside a Safe Box.
The result for a Safe Box Group or Safe Box shows the lowest password entropy of all records inside it and how many passwords of the records inside it are duplicates.
To keep the results better organized, detailed results can be collapsed back into results for the Safe Box or even the Safe Box Group.
After clicking a record name, the record page opens in a new tab, where you can also change the password to a more secure one.
To refresh the results, click the Run Report button again.
Password entropy is a measure of how unpredictable a password is. The higher the value, the better.
Based on the password entropy value, SecureAnyBox5 recognizes four levels of password security.
Password security | min. | max. | Description
---|---|---|---
really bad | 0 | 20 | password should be changed immediately
unsatisfactory | 20 | 35 | password does not meet security standards and should be changed
satisfactory | 35 | 50 | password meets security standards, but it can be better
really good | 50 | | password is really secure
Depending on the password strength, SecureAnyBox5 estimates how long it would take to crack the password online and offline. The longer and more unpredictable the password, the better.
SecureAnyBox5 checks passwords for duplicates. If there are any, the number of duplicate passwords is displayed. We recommend changing duplicate passwords to unique ones: a password reused across records exposes all of them if it leaks.
If the number of duplicates is five or lower, a warning icon is displayed. If the number of duplicates is higher than six, an error icon is displayed.
Next to the number of duplicates, you can click the button to show the records with the same password.
Date and time of the last password change.
The time elapsed since the last password change. If it is two years or more, a warning icon is displayed.
The Search for password report shows which records have a particular password. To run the report, enter the password you want to search for into the search field and click the search button or press Enter. The entered password can be displayed at any time by clicking the eye button.
Once the Access Code is entered, SecureAnyBox5 decrypts all passwords the user has access to, compares each decrypted password with the searched one and displays all records with the same password in the results. SecureAnyBox5 also computes the entropy of the searched password and displays it beside the search field. More about the entropy...
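The report logic described above, written out as an added example (it is not SecureAnyBox5's own code): the entropy levels from the table above, duplicate counting with the warning and error thresholds, the two-year age warning, the lowest-entropy value shown per Safe Box, and the Search for password comparison over decrypted passwords. The record layout, the sample records and their entropy values are constructed for the example; SecureAnyBox5 itself takes entropy from nbvcxz.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Entropy thresholds from the table above; the lower bound is taken as inclusive (assumption)
LEVELS = (
    (50, "really good"),
    (35, "satisfactory"),
    (20, "unsatisfactory"),
    (0, "really bad"),
)
DUP_ERROR_MIN = 7                   # more than six duplicates: error icon
AGE_WARNING = timedelta(days=730)   # "two years", taken as 730 days (assumption)


def security_level(entropy):
    """Map an entropy value in bits to one of the four SecureAnyBox5 levels."""
    for minimum, level in LEVELS:
        if entropy >= minimum:
            return level
    raise ValueError("entropy must not be negative")


def audit_passwords(records, now):
    """Passwords Audit over a list of records (dicts with name, password,
    entropy and changed, an aware datetime). Returns one result per record."""
    counts = {}
    for rec in records:
        counts[rec["password"]] = counts.get(rec["password"], 0) + 1
    results = []
    for rec in records:
        duplicates = counts[rec["password"]] - 1   # other records with the same password
        if duplicates == 0:
            icon = None
        elif duplicates >= DUP_ERROR_MIN:
            icon = "error"
        else:
            # one to five: warning; exactly six is not covered by the text above
            # and is treated as a warning here (assumption)
            icon = "warning"
        results.append({
            "name": rec["name"],
            "level": security_level(rec["entropy"]),
            "duplicates": duplicates,
            "duplicate_icon": icon,
            "age_warning": now - rec["changed"] >= AGE_WARNING,
        })
    return results


def lowest_entropy(records):
    """The value a Safe Box or Safe Box Group row shows: the weakest password inside."""
    return min(rec["entropy"] for rec in records)


def records_with_password(records, needle):
    """Search for password: names of records whose password equals `needle`.
    compare_digest keeps the comparison time independent of where the strings differ."""
    wanted = needle.encode("utf-8")
    return [rec["name"] for rec in records
            if hmac.compare_digest(rec["password"].encode("utf-8"), wanted)]


# Constructed sample records; entropy values are illustrative, not nbvcxz output
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "db-admin", "password": "Summer2019!", "entropy": 18.2,
     "changed": NOW - timedelta(days=800)},
    {"name": "db-backup", "password": "Summer2019!", "entropy": 18.2,
     "changed": NOW - timedelta(days=30)},
    {"name": "wifi-guest", "password": "correct-horse-battery-staple", "entropy": 42.0,
     "changed": NOW - timedelta(days=10)},
    {"name": "root-kvm", "password": "k9#Qv!2zL^pR4m$e", "entropy": 71.5,
     "changed": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    for row in audit_passwords(SAMPLE, NOW):
        print(row)
    print("lowest entropy:", lowest_entropy(SAMPLE))
    print("records using Summer2019!:", records_with_password(SAMPLE, "Summer2019!"))
```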
The Compliance report checks whether stored passwords adhere to security requirements.
To run the report, create a new scope or open a previously stored one. Once the scope is created or opened, the user is prompted to enter the Access Code. After the Access Code is entered, the SecureAnyBox5 server starts running the report. When the results are displayed, they can be filtered in the header row of the results table.
A scope can be saved for later use. From the report it is possible to generate PDF protocols or export the raw data in xlsx format.
The Audit part of SecureAnyBox5 is accessible only to users with the Auditor role. Auditors have the reports described below and the audit log of all parts of the application available. Each auditor can audit within the domain to which they belong; the only exception is an auditor from the System domain, who can audit all domains.
The Access to Records report shows all records for which the selected user has entered the Access Code to view encrypted values. To run the report, select a user.
In the results, records to which the currently logged-in user has access are shown in blue. Clicking such a record opens the record page in a new tab, where you can check the details or even change the encrypted values.
If a record name is black, the logged-in user has no access to the record and nothing happens when it is clicked.
If a record name is crossed out, the record has been deleted but can still be restored on the Deleted page.
If the password has since changed, the record is no longer displayed in the results for the selected user, because that user has not accessed the changed password.
To refresh the results, click the Refresh button.
The Access to Safe Box report shows all records in the selected Safe Box for which users have entered the Access Code to view encrypted values.
In the results, records to which the currently logged-in user has access are shown in blue. Clicking such a record opens the record page in a new tab, where you can check the details or even change the encrypted values.
If a record name is black, the logged-in user has no access to the record and nothing happens when it is clicked.
If a record name is crossed out, the record has been deleted but can still be restored on the Deleted page.
If the password has since changed, the users who accessed the record are no longer displayed in the results, because they have not accessed the changed password.
To refresh the results, click the Refresh button.
The Permissions report displays the permissions of the selected user to all Safe Boxes, Safe Box Groups and the domain's root level. Unlike the report in the Reports part, the results are not filtered by the permissions of the currently logged-in user: the logged-in user sees all of the selected user's permissions for Safe Boxes, Safe Box Groups and the domain's root level, including those for which the logged-in user has no permissions.
To display results, click the Select user button and wait for the list of users. In the displayed list, select the user whose permissions you want to display.
The following icons distinguish the level for which permissions are set:
- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box
To manage permissions for a specific level, click its name in the results. The Sharing & Permissions page for that level opens in a new browser tab, where permissions for other users can be managed.
The Permission Templates Assignment report shows all permission templates set for the selected user tag. Unlike the report in the Reports part, the results are not filtered by the permissions of the currently logged-in user: the logged-in user sees all permission templates assigned to the selected user tag for Safe Boxes, Safe Box Groups and the domain's root level, including those for which the logged-in user has no permissions.
To display results, click the Select user tag button and wait for the list of user tags. In the displayed list, select the user tag for which you want to see results.
The following icons distinguish the level for which permissions are set:
- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box
The Audit log page displays a log of user actions in the Safe Boxes and SecureAnyBox parts of the application. The results are filtered by the domain to which the currently logged-in user belongs; the only exception is an auditor from the System domain, who can see the audit log of user actions from all domains.
The displayed actions can be filtered by clicking the SecureAnyBox logs, Authentication logs, User Management logs or Safe Boxes logs button. The filter can be turned off by clicking the All logs button.
If enabled in the Configuration, an auditor can archive the audit log by clicking the Archive log records button. Archiving has to be confirmed.
All audit log events are specified in an Overview of Audited Events
The Stations page is intended for managing registered stations. After the page loads, users see a table of the stations registered for the selected Agent Configuration.
To change the Agent Configuration, click the Select Config button and select the configuration from the displayed list. After a different configuration is selected, the list is refreshed and shows the stations registered with the newly selected configuration.
Registered stations can be sorted by any displayed column; click the column header to sort. More columns can be added to the table (IP address, Timezone, Default User, Station Registration). To configure the additional columns, go to the Agent Configuration page.
Registered stations can be filtered by registration date and last access. A user with the SecureAnyBox Administrator role from the System domain can also see (and delete) inaccessible stations. A station becomes inaccessible when the Agent Configuration with which it was registered is deleted.
The IP address displayed for a station is the address the station had at its last registration. IP addresses are not unique.
Stations have to be registered before passwords can be obtained for them. Once a station is registered, you can get its password by clicking its row in the table of stations. The Get Password page then loads with values prefilled from the registered station.
Stations may be registered by the SecureAnyBox5 Agent or manually. After the SecureAnyBox5 Agent is installed and its configuration applied, the Agent checks whether the applied configuration matches an Agent Configuration on the server. If so, the station is registered automatically (this may take about 10 minutes). In some cases the station on which the Agent is installed has no access to the server and cannot be registered automatically; such a station can be registered manually.
To register a station manually, click the Register station button and wait for the station form to display.
If the station name changes, the SecureAnyBox5 Agent has to be re-configured; it then registers the station under the new name. The original station registration can be deleted from SecureAnyBox5 manually later.
Select the Agent Configuration that matches the configuration of the SecureAnyBox5 Agent installed on the registered computer.
Selecting an incorrect configuration leads to generated passwords that do not work.
The selected Agent Configuration is pre-filled into this field and can be changed by clicking the folder icon and selecting another one from the list of Agent Configurations.
Select the platform (operating system) of the registered station.
The platform determines the username of the administrator for whom the password is generated. The Agent Configuration settings limit the selectable platforms.
The station name has to be in the format selected in the Agent Configuration:
NETBIOS = use the NETBIOS station name.
Fully Qualified DN = use the full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).
The IP address of the station as entered by the user.
Select the time zone set on the registered station. The time zone is used to determine the station's actual time relative to the server's actual time and time zone.
For example, if the server's time zone is “(GMT) Dublin, Edinburgh, Lisbon, London” and the station's time zone is “(GMT -08:00) Pacific Time (US & Canada)”, the password for the station is generated for a date and time about 8 hours earlier than the server's actual time.
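As an added example (not SecureAnyBox5 code), the two checks a registration form needs before it is submitted: that the station name matches the format selected in the Agent Configuration, and what the station's local time is for the server's current time. The same three name formats apply on the Get Password page and in tickets. SecureAnyBox5 does not document its exact name rules, so the NetBIOS, DNS and SID patterns here are an assumption; the time zones use IANA names (Europe/London, America/Los_Angeles) in place of the Windows display names quoted above, and the conversion shows why "about 8 hours" is not a constant: the difference is 7 hours for the three weeks in March when only the US is on daylight-saving time.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Patterns for the three name formats selectable in the Agent Configuration.
# SecureAnyBox5 does not publish its exact rules; these are the usual syntax (assumption).
FORMATS = {
    # NetBIOS: 1 to 15 characters, letters, digits and hyphen
    "NETBIOS": re.compile(r"[A-Za-z0-9-]{1,15}"),
    # Fully Qualified DN: two or more DNS labels, e.g. STATION1.domain.local
    "Fully Qualified DN": re.compile(
        r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
        r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"),
    # SID of a domain computer account, e.g. S-1-5-21-3623811015-3361044348-30300820-1013
    "SID": re.compile(r"S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-\d{1,10}"),
}


def station_name_is_valid(name, name_format):
    """True when `name` matches the format selected in the Agent Configuration."""
    try:
        pattern = FORMATS[name_format]
    except KeyError:
        raise ValueError(f"unknown station name format: {name_format!r}") from None
    return pattern.fullmatch(name.strip()) is not None


def station_local_time(server_local, server_zone, station_zone):
    """Wall-clock time on the server -> wall-clock time on the station.
    Zones are IANA names; the offset is the one in force on that date, so it
    shifts when only one side is in daylight-saving time."""
    aware = server_local.replace(tzinfo=ZoneInfo(server_zone))
    return aware.astimezone(ZoneInfo(station_zone))


if __name__ == "__main__":
    checks = [
        ("NETBIOS", "STATION1"),
        ("Fully Qualified DN", "STATION1.domain.local"),
        ("SID", "S-1-5-21-3623811015-3361044348-30300820-1013"),
        ("NETBIOS", "STATION1.domain.local"),      # wrong format for NETBIOS
    ]
    for fmt, value in checks:
        print(f"{fmt:20} {value:48} {station_name_is_valid(value, fmt)}")
    # London server, US Pacific station: 8 hours apart in January, but only 7 in
    # mid-March, because the US switches to daylight-saving time three weeks earlier.
    for day in (datetime(2024, 1, 15, 12, 0), datetime(2024, 3, 15, 12, 0)):
        print(day, "->", station_local_time(day, "Europe/London", "America/Los_Angeles"))
```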
Only users with the SecureAnyBox Admin role can edit stations.
To edit a registered station, click the edit icon at the end of its row. The edit form displays, where the time zone and the Entered IP Address of the registered station can be changed.
Only users with the SecureAnyBox Admin role can delete stations.
To delete a registered station, click the cross icon at the end of its row. Deleting the station has to be confirmed.
Several stations can be deleted at once. Check the checkbox in the first column of each station to delete, then click the Delete selected button.
At the Get Password page you can obtain the password for a registered station. To get a password, the SecureAnyBox5 Agent has to be installed on the station. More about SecureAnyBox5 Agents...
To obtain the station's password, follow these steps:
If you clicked a registered station on the Stations page, all values are prefilled automatically.
Select the Agent Configuration that matches the configuration of the SecureAnyBox5 Agent installed on the station.
Select the station's operating system. The Agent Configuration settings limit the selectable operating systems.
Check and, if necessary, correct the local date. The time is set automatically according to the server time.
Enter the station's name. The name has to be in the format specified in the Agent Configuration:
NETBIOS = use the NETBIOS station name.
Fully Qualified DN = use the full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).
To obtain a password, the station has to be registered. If no station with the entered name is registered, you are prompted to register it before the password is obtained.
Check the user for whom the password will work. The user is pre-filled according to the Agent Configuration settings.
Check and, if necessary, correct the time zone set on the station. The Station Date and Time is derived from the Local Date and Time set above and the selected time zone.
Click the Show password button.
After clicking the Show password button, the Station password page loads.
After 60 seconds you are redirected back to the Get Password page.
At the Downloads page you can download the SecureAnyBox5 Agent, its configuration, and the SecureAnyBox5 Launcher.
SecureAnyBox5 Launcher is an MS Windows application (.NET Framework 4.5.2 or higher required) delivered as an msi package. After installation, the application runs in the system tray and registers the custom URI scheme for sab:// links from the SecureAnyBox5 web interface.
After the SecureAnyBox5 Agent registers a station, the station's IP address is registered as well. Clicking the station's IP address on the Stations page makes the SecureAnyBox5 Launcher start the Remote Desktop application and connect to the registered station.
SecureAnyBox5 Launcher is also used in Safe Boxes. More information...
SecureAnyBox5 Agent is a system service/daemon that makes it possible to log in to the station with the password obtained from SecureAnyBox5. The password can be obtained on the Get Password page or from a Ticket. A configured SecureAnyBox5 Agent works completely autonomously, even without a connection to the server. If a connection to the server is available, the Agent registers the station automatically.
If the SecureAnyBox5 Agent sets the password of the station's default user and has an online configuration, it must first register the station on the server and only then set the default user's password in the registry.
SecureAnyBox5 Agent installation steps:
Tickets are intended for sharing access to station passwords. Once a ticket is created, it can be shared with anybody, even people without access to SecureAnyBox5. Sharing a ticket is a convenient way to grant access to registered station passwords for a limited time only, for example to external technicians.
The access a ticket grants can be limited by its specification:
When only the Agent Configuration is selected, the ticket can be used to get passwords for all registered stations with the selected Agent Configuration.
If the Agent OS is also selected, the ticket can be used to get passwords for all registered stations with the selected Agent Configuration and operating system.
When the station name is specified as well, the ticket can be used to get the password for that one station only.
The validity of a ticket is limited: the person the ticket was shared with can get a password only between the dates and times specified in the Valid from and Valid until fields.
Ticket usage can be further restricted by subnets. When a ticket has subnets set, a password can be obtained with it only if the requesting device's address lies in one of the ticket's subnets. A ticket can have several subnets set.
To create a ticket, click the New Ticket button. A form for creating the ticket displays. After all values are entered, click the OK button to confirm the ticket.
When the ticket is saved, a unique ticket identifier is generated. It is displayed in a message after the ticket is created.
Select the Agent Configuration. It must match the configuration of the SecureAnyBox5 Agent installed on the station for which the ticket is created.
If the ticket is saved with only the Agent Configuration selected, it can be used to get the password for every station on which a SecureAnyBox5 Agent with that configuration is installed.
The description should state the purpose of the ticket.
For example, if the ticket is used by external workers, the description can state for whom and why the ticket was created.
If the ticket is saved without a description, one is generated in the form “Ticket {number of the ticket}” (e.g., Ticket 1, Ticket 2 and so on).
Select the operating system. The Agent Configuration settings limit the selectable operating systems.
Selecting the operating system is optional.
When an operating system is selected, the ticket can be used to get passwords only for stations with that OS.
If no operating system is selected, the last selected platform is used when a password is generated for a station.
Name of the registered station for which the ticket is created. The station name must be in the format specified in the Agent Configuration:
NETBIOS = use the NETBIOS station name.
Fully Qualified DN = use the full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).
If no station name is specified in the saved ticket, the name can be specified when a password is requested. Such a ticket can be used to get the password for any registered station with the Agent Configuration and operating system selected in the ticket.
The user for whom the password is generated. The field is prefilled from the values specified for the selected operating system in the Agent Configuration.
Valid from: the date and time from which the ticket is valid and a password can be obtained with it.
Valid until: the date and time until which the ticket is valid and a password can be obtained with it.
The ticket is only valid when accessed from the specified subnets or addresses. If no subnet or address is listed, ticket access is not restricted by client address.
Subnets can be entered in three formats: a standalone IP address, or an IP address/subnet mask where the mask is given either in dotted IPv4 form or in CIDR notation, e.g. 172.22.38.19, 172.22.38.1/255.255.255.0 or 172.22.38.1/24.
Addresses must be IPv4; IPv6 is not supported.
If the ticket is not enabled, it cannot be used.
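The ticket restrictions described above (the enabled flag, the Valid from / Valid until window, subnets in the three accepted notations with IPv6 rejected, and the narrowing by Agent Configuration, operating system and station name), as an added example that is not SecureAnyBox5's own code. The Ticket record, the request fields and the sample ticket are this example's assumptions. The subnet check can only look at the source address the server sees, so a client behind NAT or a proxy is matched by that address rather than its own.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def parse_subnet(text):
    """Accept the three notations: '172.22.38.19', '172.22.38.1/255.255.255.0'
    and '172.22.38.1/24'. A bare address becomes a /32; host bits in a prefix
    are ignored (172.22.38.1/24 -> 172.22.38.0/24). IPv6 is rejected."""
    try:
        return ipaddress.IPv4Network(text.strip(), strict=False)
    except ValueError as exc:             # AddressValueError / NetmaskValueError
        raise ValueError(f"not an IPv4 address or subnet: {text!r}") from exc


def is_valid_subnet(text):
    """Form validation: would SecureAnyBox5 accept this subnet string?"""
    try:
        parse_subnet(text)
        return True
    except ValueError:
        return False


@dataclass
class Ticket:
    """The ticket fields described above; this record layout is the example's own."""
    agent_config: str
    valid_from: datetime                  # aware datetimes
    valid_until: datetime
    enabled: bool = True
    agent_os: Optional[str] = None        # None: any OS of the configuration
    station: Optional[str] = None         # None: any registered station
    subnets: List[str] = field(default_factory=list)   # empty: no address restriction


def ticket_allows(ticket, client_ip, now, agent_config, agent_os, station):
    """Return (allowed, reason) for a password request made with the ticket."""
    if not ticket.enabled:
        return False, "ticket is not enabled"
    if not ticket.valid_from <= now <= ticket.valid_until:
        return False, "outside Valid from / Valid until"
    if ticket.subnets:
        try:
            client = ipaddress.IPv4Address(client_ip)
        except ValueError:
            return False, "client address is not IPv4"
        if not any(client in parse_subnet(s) for s in ticket.subnets):
            return False, "client address not in ticket subnets"
    if agent_config != ticket.agent_config:
        return False, "different Agent Configuration"
    if ticket.agent_os is not None and agent_os != ticket.agent_os:
        return False, "different operating system"
    if ticket.station is not None and station.lower() != ticket.station.lower():
        return False, "ticket is for another station"   # case-insensitive names (assumption)
    return True, "ok"


# Constructed sample ticket: Windows workstations, one working day, three subnets
SAMPLE_TICKET = Ticket(
    agent_config="Workstations",
    valid_from=datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc),
    valid_until=datetime(2024, 6, 3, 18, 0, tzinfo=timezone.utc),
    agent_os="Windows",
    subnets=["172.22.38.19", "10.1.0.1/255.255.255.0", "192.168.5.0/24"],
)

if __name__ == "__main__":
    at = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
    for ip in ("10.1.0.77", "172.22.38.19", "172.22.38.20", "2001:db8::1"):
        print(ip, ticket_allows(SAMPLE_TICKET, ip, at, "Workstations", "Windows", "STATION1"))
```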
To edit an existing ticket, click its row in the table. An edit form displays.
In the edit form, all values except the Agent Configuration can be changed. After making the changes, confirm them by clicking the OK button.
The Audit log page displays a log of station password retrievals and ticket usage. Depending on the user role, either only the actions of the currently logged-in user or the actions of all users are shown.
All audit log events are listed in the Overview of Audited Events.
At the Agent Configuration page you can set general settings for SecureAnyBox5, such as the columns on the Stations page and the registration interface, and set up the Agent Configuration and the LDAP Agent. You can also change the configuration password and download the SecureAnyBox5 configuration file.
Only users with the SecureAnyBox Manager or Administrator role have access to this page.
You can configure which columns are displayed on the Stations page and an alternative interface intended only for the registration of stations. If the alternative interface is enabled and set, the registration interface hostname and HTTPS port are exported into the SecureAnyBox5 Agent Configuration.
We recommend enabling and setting the registration interface, so that the registration of SecureAnyBox5 Agents is not affected by changes (e.g., of hostname, address or port) in the configuration of the SecureAnyBox5 server.
Optional registered stations table columns definition
Show IP Address column
Show Time Zone column
Show Default User column
Show Station Registration date column
SecureAnyBox5 server station registration web interface/API configuration.
Enable standalone HTTPS interface used only for station registration
SecureAnyBox5 station registration (HTTPS) interface IP address.
SecureAnyBox5 station registration (HTTPS) interface port.
PKCS #12 file with the private key and corresponding certificates used for the HTTPS web interface. You can create a self-signed certificate file by clicking the Create self-signed SSL certificate button in the bottom left corner of this form.
HTTPS keystore password, used to read the HTTPS keys and certificates. If you create the HTTPS keystore file with the Create self-signed SSL certificate button, the keystore password is entered automatically.
List of hostnames for the SecureAnyBox5 station registration interface (HTTP).
If the HTTPS keystore certificate has been imported as trusted on your Linux station, you can verify this from a terminal with the following command (Python 2, which ships urllib2):
python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'
If certificate validation succeeds, the first line of the output is the HTTP response code 200, followed by the page body.
If certificate validation fails, an error such as the following is displayed:
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
If urllib2 is not found, check which Python version the python command runs:
python --version
urllib2 is a built-in module of Python 2.x; it does not exist in Python 3, where the equivalent is urllib.request. To run the command above you need a properly installed Python 2.x (2.7.18 recommended). Some Linux distributions do not ship a complete Python 2.7 installation; in that case build it from source:
wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz
tar xzf Python-2.7.18.tgz
cd Python-2.7.18/
./configure
sudo make altinstall
make altinstall installs the interpreter as python2.7 without replacing the system python, so run the check with python2.7 if python still points to another version. Note that urllib2 verifies certificates by default only from Python 2.7.9 onwards; older 2.7 releases skip verification silently, so a 200 response from them proves nothing about the certificate.
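Python 2 reached end of life in January 2020, so here is the same check in Python 3, as an added example (not SecureAnyBox5 code): a verifying TLS context that also matches the hostname against the certificate, plus a classification of why the handshake failed. The hostname and port are placeholders; if the keystore certificate is not in the system trust store, pass a PEM copy of it as cafile. The function names are hypothetical.

```python
import socket
import ssl

# Added example, not SecureAnyBox5 code. Python 3 equivalent of the urllib2 check:
# open a TLS connection with a verifying context and report why verification failed.

def make_context(cafile=None) -> ssl.SSLContext:
    """Verifying client context: chain validation AND hostname check against the
    certificate's Subject Alternative Names. cafile=None uses the system trust
    store, which is where an imported self-signed certificate must live."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Guard against the usual 'fix' of switching verification off."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def check_tls(host: str, port: int = 443, cafile=None, timeout: float = 5.0):
    """Return (ok, detail). ok is True only if the server certificate chains to a
    trusted root and matches host; detail explains the outcome."""
    ctx = make_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "verified, expires %s" % cert.get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self-signed certificate" when the keystore certificate was not
        # imported, or "Hostname mismatch" when neither CN nor SAN matches host
        return False, "CERTIFICATE_VERIFY_FAILED: %s (code %s)" % (
            exc.verify_message, exc.verify_code)
    except ssl.SSLError as exc:
        return False, "TLS handshake error: %s" % exc
    except OSError as exc:
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "your.secureanyboxserveraddress.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, detail = check_tls(host, port)
    print("OK" if ok else "FAIL", detail)
```

Unlike the Python 2 one-liner, this check fails on a hostname mismatch as well as on an untrusted chain, which is what a browser would do; a self-signed certificate whose Subject Alternative Names do not contain the name you connect to is reported even after it has been imported as trusted.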
To generate passwords for stations, each station must have the SecureAnyBox5 Agent installed with a proper configuration. In the Agent Configuration you define the platforms it can be used for, the password pattern, the password seed base, and the user or user group for which the password is generated.
After each modification of an Agent Configuration, the SecureAnyBox5 Agent (more precisely, its Agent Configuration) installed on the stations must be updated, otherwise the generated passwords may not work.
For each Agent Configuration, users of SecureAnyBox5 can be given the ability to manage the Agent Configuration and the ability to use it.
Users who can manage the Agent Configuration can view, edit and delete that configuration on the Agent Configuration page. The Agent Configuration form contains the check box Manageable by all SecureAnyBox Admins. If it is not checked, only users with the SecureAnyBox Admin role from the domain to which the Agent Configuration is assigned can manage it.
When an Agent Configuration is created, it is automatically assigned to the domain of the currently logged-in user. The assignment to a domain can be changed in the domain form (in the administration interface).
Users who can use the Agent Configuration can obtain passwords and use tickets for stations with that configuration. Users with the SecureAnyBox Admin role can also create tickets for it.
By default, an Agent Configuration can be used by all users in the domain to which it is assigned.
The set of users who can use the Agent Configuration can be widened or narrowed by setting permitted users. As soon as any permitted users are set, all other users lose the ability to use the Agent Configuration, including users from the domain to which it is assigned.
To add a new configuration, click the add Configuration button and wait for the Agent Configuration form to display. After all values are set, click the OK button. Before a new Agent Configuration can be used, SecureAnyBox5 has to be restarted.
Enter the SecureAnyBox5 Agent Configuration name. The name must start with a letter and may contain only letters, digits and underscores.
Password pattern used to generate passwords for stations.
Each character in the pattern corresponds to one character in the generated password.
See examples of the password pattern
Characters allowed in the password pattern and their meaning:
v – lowercase vowel a,e,i,o,u,y
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l - any alphabet character (vowel or consonant) - lowercase
A - any alphabet character - mixed case
u – upper case alphabet
d - digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ - escape character - next character is used as is (e.g., pattern ‘\-‘ outputs ‘-‘ in the resulting password)
* - any allowed character
1 – character according to Pattern Characters 1 setting
2 – character according to Pattern Characters 2 setting
3 – character according to Pattern Characters 3 setting
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, the password pattern '\p\a\s\sddddddd' might generate passwords such as 'pass1762885' or 'pass5687412'.
Pattern Characters 1, 2 and 3 let you define your own sets of characters to be used, or excluded, when a password is generated.
To specify a set of characters that will be used, enter them into the field without any separator (e.g. 'abc'). Positions generated from this set then use only the specified characters.
To specify a set of characters that will be omitted, start the field with the ^ character (e.g. '^0123'). Positions generated from this set then use any allowed character except the specified ones.
For every position that should be generated from the Pattern Characters 1, 2 or 3 set, put '1', '2' or '3' respectively into the Password Pattern.
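The pattern grammar listed above and the Pattern Characters 1 to 3 sets, implemented as an added Python example (not SecureAnyBox5 code: the product derives station passwords deterministically from the Seed Base, and that derivation is not documented here, so this generator draws from the OS CSPRNG instead). The character sets are the ones listed above; treating '*' as the union of all listed sets, and the '^' exclusion as removing characters from that union, are assumptions, and the function names are hypothetical. It also estimates how many bits of entropy a pattern actually yields.

```python
import math
import secrets

# Added example, not SecureAnyBox5 code. Draws characters from the OS CSPRNG;
# the product's deterministic Seed Base derivation is not reproduced here.

LOWER_VOWELS = "aeiouy"
UPPER_VOWELS = LOWER_VOWELS.upper()
LOWER_CONS = "bcdfghjklmnpqrstvwxz"
UPPER_CONS = LOWER_CONS.upper()
DIGITS = "0123456789"
SPECIALS = ".,@&*()<>_][%$#\\/?;-:"
# Assumption: '*' (and the '^' exclusion form) means the union of all sets above.
ALL_ALLOWED = LOWER_VOWELS + UPPER_VOWELS + LOWER_CONS + UPPER_CONS + DIGITS + SPECIALS

CLASSES = {
    "v": LOWER_VOWELS, "V": LOWER_VOWELS + UPPER_VOWELS, "Z": UPPER_VOWELS,
    "c": LOWER_CONS, "C": LOWER_CONS + UPPER_CONS, "z": UPPER_CONS,
    "l": LOWER_VOWELS + LOWER_CONS,
    "A": LOWER_VOWELS + LOWER_CONS + UPPER_VOWELS + UPPER_CONS,
    "u": UPPER_VOWELS + UPPER_CONS,
    "d": DIGITS, "s": SPECIALS, "n": DIGITS + SPECIALS, "*": ALL_ALLOWED,
}


def resolve_set(spec: str) -> str:
    """Pattern Characters field: 'abc' -> use only these; '^0123' -> everything
    in ALL_ALLOWED except these. Duplicates are dropped so entropy is not overstated."""
    if spec.startswith("^"):
        return "".join(ch for ch in ALL_ALLOWED if ch not in spec[1:])
    return "".join(dict.fromkeys(spec))


def expand_pattern(pattern: str, sets=None):
    """Return one alphabet (string of candidate characters) per output position.
    sets maps '1', '2', '3' to the Pattern Characters 1-3 field values."""
    sets = sets or {}
    alphabets, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # escape: next character is taken literally
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape")
            alphabets.append(pattern[i + 1])
            i += 2
            continue
        if ch in "123":
            if not sets.get(ch):
                raise ValueError(f"Pattern Characters {ch} used but not set")
            alphabet = resolve_set(sets[ch])
        elif ch in CLASSES:
            alphabet = CLASSES[ch]
        else:
            raise ValueError(f"unknown pattern character {ch!r}")
        if not alphabet:
            raise ValueError(f"pattern character {ch!r} has an empty alphabet")
        alphabets.append(alphabet)
        i += 1
    return alphabets


def pattern_is_valid(pattern: str, sets=None) -> bool:
    try:
        expand_pattern(pattern, sets)
        return True
    except ValueError:
        return False


def generate(pattern: str, sets=None) -> str:
    return "".join(secrets.choice(a) for a in expand_pattern(pattern, sets))


def pattern_entropy_bits(pattern: str, sets=None) -> float:
    """log2 of the number of distinct passwords the pattern can produce.
    Escaped literals contribute 0 bits, whatever word they spell."""
    return sum(math.log2(len(a)) for a in expand_pattern(pattern, sets))


if __name__ == "__main__":
    for p in ("CVCVdddCVCCVdC", "\\p\\a\\s\\sddddddd"):
        print(p, generate(p), "%.1f bits" % pattern_entropy_bits(p))
```

The entropy figure is the one to look at when choosing a pattern: '\p\a\s\sddddddd' yields about 23 bits whatever the escaped word is, because only the seven digit positions vary, while the default CVCVdddCVCCVdC yields about 59.6 bits.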
A secret string used as the base for generating station passwords. The Seed Base should be unique to your configuration and is shared between the server and the SecureAnyBox5 Agent instances: you have to distribute it, together with the password pattern, to all stations managed by the SecureAnyBox5 Agent. Protect it like any other credential.
Enable MS Windows platform
Enable Linux platform
Enable macOS platform
Enable LDAP platform
Configuration encryption password. If the SecureAnyBox5 configuration is encrypted, the configuration password must be entered to create or edit an Agent Configuration.
SecureAnyBox5 Agent Configuration for Windows Platform
SecureAnyBox5 Agent Configuration for Linux Platform
SecureAnyBox5 Agent Configuration for macOS Platform
SecureAnyBox5 Agent Configuration for LDAP Platform
The visibility of the Agent Configuration can be extended or limited by setting permitted users. If no permitted users are set, the Agent Configuration is visible to all users from the domain for which it is set as visible. To set permitted users, add a domain or a user: adding a domain makes the Agent Configuration visible to all users from that domain; adding a user makes it visible to that user only.
To edit an Agent Configuration, click its name in the list of Agent Configurations; the details of the configuration are displayed.
Before making any change, bear in mind that changes in an Agent Configuration can have severe consequences for the SecureAnyBox5 Agents on registered stations.
To open the Agent Configuration edit form, click the Edit button. In the form you can modify all values except the configuration name.
When you have finished, confirm the changes by clicking the OK button. The changed Agent Configuration takes effect only after the changes in the SecureAnyBox5 configuration have been applied.
If you want to create an Agent Configuration similar to one that is already stored, you can copy the stored one. Click the configuration name in the list of Agent Configurations and, when the details are displayed, click the Copy button.
Then enter the configuration name, modify the values that need to be changed and confirm the new Agent Configuration by clicking the OK button.
For security reasons we strongly recommend changing the Password Seed Base of the copy; two configurations sharing one Seed Base share the secret from which their station passwords are generated.
The new Agent Configuration can be used only after the changes in the Configuration have been applied.
To remove an Agent Configuration, click its name in the list of Agent Configurations; when the details are displayed, click the Remove button.
Removal of the Agent Configuration has to be confirmed by applying the changes in the SecureAnyBox5 configuration.
An LDAP Agent holds the LDAP server connection settings used for changing user passwords. Without an LDAP Agent it is not possible to obtain passwords for LDAP users.
To add a new LDAP Agent configuration, click the add LDAP Agent button and wait for the LDAP Agent form to display. After all values are set, click the OK button. Before a new LDAP Agent configuration can be used, the SecureAnyBox5 server has to be restarted.
Unique Agent identifier. The Agent ID is used when generating a password for a user from LDAP.
Enable/disable this LDAP Agent
LDAP server type.
LDAP server address or addresses of multiple LDAP servers with same directory replica/mirror (for failover).
LDAP User DN used by SecureAnyBox5 to access LDAP directory, lookup users, change passwords, etc.
Minimum access rights:
entry/object rights – browse
cn – read, compare
objectClass – read, compare
Use ‘Create SecureAnyBox objects’ button to create the manager user automatically when using NetIQ eDirectory. If you are connecting to a directory service from another vendor, please create a manager user using your directory service management console. LDAP interface on some directory services (e.g., Active Directory) doesn’t provide access rights/permissions modification.
e.g.,cn=secureanyboxmgr,o=org or cn=secureanyboxmgr,cn=Users,dc=DOMAIN,dc=local
Enter the password of the SecureAnyBox5 manager user.
LDAP container used as the search base for the LDAP synchronization search query. If the search base is not set, the search starts at the root of the LDAP tree.
e.g.,o=org or leave empty to search from the root of the tree
Uncheck to search only the immediate subordinates of the specified search base.
An alias is an entry which points to another object in the namespace – by containing its dn. Searching the entry that an alias entry points to is known as dereferencing an alias.
There are four modes of dereferencing aliases:
When set to a value greater than zero, SecureAnyBox5 uses the Simple Paged Results extended control to retrieve LDAP search results in pages of the given number of entries. Some LDAP servers have a default server-side limit on the number of entries returned in a single response; for example, Active Directory servers return at most 1000 objects for a single search request by default. Setting Search Page Size to 1000 or lower allows SecureAnyBox5 to retrieve more results than the server limit by using multiple requests. When set to 0, no paging is used and only a single request retrieves all results.
When using the embedded LDAP of KeyShield SSO, this value must be set to 0.
Please select the Agent Configuration for this LDAP Agent. Selected Agent Configuration has to contain settings for LDAP platform.
The domain of the default user is needed to identify the default user when generating a password. The default user domain must be the same as the one set in the workstation registry, otherwise login of the default user via the SecureAnyBox5 Agent will not work.
e.g. if the default user on a station is set to "COMPANY/user1", the default user domain is "COMPANY".
This field is available only if Active Directory is set as the LDAP directory service.
LDAP attribute used by LDAP authentication to look up users. This field is available only if Active Directory is set as the LDAP directory service.
To edit an LDAP Agent, click its name in the list of LDAP Agents; the details of the Agent are displayed.
To open the LDAP Agent edit form, click the Edit button. In the form you can modify all values except the Agent ID.
When you have finished, confirm the changes by clicking the OK button. The changed LDAP Agent takes effect only after the changes in the SecureAnyBox5 configuration have been applied.
If you want to create an LDAP Agent similar to one that is already stored, you can copy the stored one. Click the Agent name in the list of LDAP Agents and, when the details are displayed, click the Copy button.
Then enter the Agent ID, modify the values that need to be changed and confirm the new LDAP Agent by clicking the OK button.
The new LDAP Agent can be used only after the changes in the Configuration have been applied.
To remove an LDAP Agent, click its name in the list of LDAP Agents; when the details are displayed, click the Remove button.
Removal of the LDAP Agent has to be confirmed by applying the changes in the SecureAnyBox5 configuration.
Executing an LDAP Agent changes password(s). Which passwords are changed depends on the settings of the Agent Configuration.
The Agent Configuration can be set to change the password of:
If any user whose password is to be changed is set as the SecureAnyBox5 manager user of any LDAP connector or LDAP Agent, the password of that user is not changed.
To execute an LDAP Agent, click its name in the list of LDAP Agents; when the details are displayed, click the Execute button.
The configuration of the SecureAnyBox5 application is divided into several sections, each of which can be edited independently. To change the settings in a section, click the edit button at the top of that section.
After clicking the edit button, the section's form is displayed. At the bottom of each form there are three buttons: Test, OK and Cancel.
After making changes you can test the new values by clicking the Test button, which checks, for example, that they are in the correct format. If the test succeeds, confirm the changes by clicking the OK button.
Changed sections of the configuration are marked with a blue checkmark.
To apply the configuration changes you need to restart the application by clicking the Apply button. If the changes should not be applied, click the Revert button.
After clicking the Configuration button in the menu, the Summary page of the Configuration is displayed. It lists the configured LDAP connectors and server messages.
For each LDAP connector a status is displayed, showing whether communication with the connector's server is working. Clicking the connector's name displays its settings.
On the Summary page it is also possible to download the configuration.
General SecureAnyBox5 server configuration and Web interface/API configuration.
SecureAnyBox5 web (HTTP) interface address. The SecureAnyBox5 web interface is accessible from the local network at this address.
SecureAnyBox5 web interface HTTP port.
Web interface HTTP (plaintext) mode. Possible values: enabled (default), disabled, API (only the JSON/XML API is accessible). When HTTP mode is disabled, redirection to HTTPS can be enabled; prefer that setting, so that login credentials and Access Codes are never sent over plaintext HTTP.
SecureAnyBox5 web interface HTTPS port.
PKCS #12 file with the private key and corresponding certificates used for HTTPS web interface. You can create a self-signed certificate file by clicking on the Create self-signed SSL certificate button in the left bottom corner of this form.
The certificate alias is used as an alias inside a keystore and as a filename for stored encrypted PKCS12 file.
The common name of the certificate represents the hostname protected by the SSL certificate. Use the domain name of your server as the common name: if the server is reachable on the Internet at "https://secureanybox.domain.com:8996", use "secureanybox.domain.com".
Note that current browsers and TLS libraries match the hostname against the certificate's Subject Alternative Names only and ignore the common name, so also list every hostname and IP address used to reach the server in the Alternative Subject Names field below.
Enter the certificate validity in years (1-10).
The RSA key size indicates the length of the encryption key of the corresponding encryption algorithm. The RSA key size is given in bits. The minimum recommended RSA key size is 2048 bits.
Organization unit name used in certificate subject – leave empty if not needed.
Organization name used in certificate subject – leave empty if not needed.
Country code used in certificate subject – leave empty if not needed.
Alternative Subject Names – additional domain names or IP addresses used to access SecureAnyBox5 SSL interface
HTTPS key store password. It is used to read HTTPS keys and certificates.
SecureAnyBox5 web (HTTP) interface hostnames. Multiple hostnames can be set. Every hostname used for the server in the hosts files of the stations must be listed here; otherwise a user connecting with an unknown hostname cannot access SecureAnyBox5.
Base application URL. For example, if you set the app path to '/sab', SecureAnyBox5 will be accessible at http://server:port/sab/. A new app path takes effect after SecureAnyBox5 is restarted.
App URL. The SecureAnyBox5 web interface is accessible to users at this address.
When SecureAnyBox5 is behind a reverse proxy server, the trusted proxy IP address (or addresses) must be entered to enable the KeyShield SSO integration. List only the addresses of proxies you control.
The server will not send the Content-Security-Policy header for login.page. This can be used, for example, to allow third-party SSO solutions (such as NetIQ NAS) to use a custom login.page or to insert inline scripts. Leave it unset unless you need it, since that header is what stops injected inline scripts from running on the login page.
PKCS #12 file containing the private key and corresponding certificate of the HTTPS interface of the reverse proxy server. It must be uploaded if users access the SecureAnyBox5 server through the HTTPS interface of a reverse proxy and the public HTTPS key API is to be used.
Reverse proxy server HTTPS keystore password, used to read the public key of the reverse proxy server. The public key is available through the HTTPS public key API.
Please select the default language of the SecureAnyBox5 web interface. This language will be automatically pre-set to all users. Each user can change the language in the User Preferences.
Diagnostic log configuration. You can set the log level for specific parts of SecureAnyBox5 or a count of lines loaded into the browser into the current log view.
Default log level. If no log level is set for a specific part, the default log level is used.
Core engine log level
Internal SecureAnyBox5 services and database log level
API calls log level
Authentication and authorization log level
KeyShield SSO authentication and WebSockets log level
Limits number of lines loaded into the browser in current log view.
Configure the connections between SecureAnyBox5 and syslog servers. For each connection you can set the syslog facility, the event source and the log level of the records sent. Multiple syslog connections can be defined, e.g. for each syslog server one connection for the audit log and a second one for the diagnostic log.
If you send audit messages to a SIEM syslog server, you can choose between two message formats, CSV and CEF, described below.
Please enter unique ID of connection with a Syslog server
Enable/disable this connection.
Syslog server address. The server address can be entered as an IP address (e.g., “172.22.13.1”) or as a domain name (e.g., “syslog.tdp.cz”)
Syslog server port.
Desired facility value for log messages sent to syslog. A facility code is used to specify the type of program that is logging the message. Messages with different facilities may be handled differently.
Please, select an audit record format (CSV or CEF) sent to the syslog target.
Records in CSV (comma-separated values) format contain the same information as the records in the application's Audit log.
Records in CEF (Common Event Format) contain the most relevant event information in key=value form, which makes them easy for event consumers to parse and use; CEF records can be more detailed.
Examples of audit records in both formats follow.
Examples:
Aug 7 10:27:43 172.22.78.100 [SecureAnyBox-audit] "SWB","172.22.100.105","System\\admin","GET PASSWORD",TDPPRG,kiosek,DomAgent
Aug 7 10:27:58 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","GET PASSWORD",Firm,"Cisco ASR 1006 Router"
Aug 7 10:28:12 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","VIEW ACCOUNT",Firm,"Bank Certificate"
Aug 7 10:29:34 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SWB.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD station=TDPPRG user=kiosek config=DomAgent
Aug 7 10:29:47 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD safe=Firm rec=Cisco ASR 1006 Router
Aug 7 10:29:58 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.VIEW_ACCOUNT|view account|3|src=172.22.100.105 suser=System\\admin act=VIEW_ACCOUNT safe=Firm rec=Bank Certificate
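The CSV and CEF records above, parsed into one normalised form so that a SIEM rule (here: every password retrieval) can be written once for both formats. This is an added Python example, not part of SecureAnyBox5 or its documentation. The sample lines are the six examples above re-typed with straight quotes; the column names assigned to the CSV fields are inferred from the CEF extension keys of the matching events and are an assumption, as is treating the doubled backslash in System\\admin as an escape in both formats. Function names are hypothetical.

```python
import csv
import re

# Added example, not SecureAnyBox5 code: parse the two audit record formats into
# one dict shape and pick out password retrievals. Sample lines are constructed
# from the documentation's examples.

SAMPLE_LINES = r"""
Aug 7 10:27:43 172.22.78.100 [SecureAnyBox-audit] "SWB","172.22.100.105","System\\admin","GET PASSWORD",TDPPRG,kiosek,DomAgent
Aug 7 10:27:58 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","GET PASSWORD",Firm,"Cisco ASR 1006 Router"
Aug 7 10:28:12 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","VIEW ACCOUNT",Firm,"Bank Certificate"
Aug 7 10:29:34 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SWB.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD station=TDPPRG user=kiosek config=DomAgent
Aug 7 10:29:47 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD safe=Firm rec=Cisco ASR 1006 Router
Aug 7 10:29:58 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.VIEW_ACCOUNT|view account|3|src=172.22.100.105 suser=System\\admin act=VIEW_ACCOUNT safe=Firm rec=Bank Certificate
""".strip().splitlines()

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \[(?P<tag>[^\]]+)\] (?P<msg>.*)$")
# CEF extension: key=value pairs separated by spaces; values may contain spaces
# (rec=Cisco ASR 1006 Router), so a value runs until the next "key=" or the end.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Assumption: CSV column order, inferred from the CEF events carrying the same data.
CSV_COLUMNS = {
    "SWB": ["area", "src", "suser", "act", "station", "user", "config"],
    "SAFE": ["area", "src", "suser", "act", "safe", "rec"],
}


def _unescape(value: str) -> str:
    """CEF escapes '=' and '\\' in extension values; assumed for CSV too."""
    return value.replace(r"\=", "=").replace(r"\\", "\\")


def parse_cef(msg: str) -> dict:
    parts = msg.split("|", 7)                   # 7 header fields, then extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = {"format": "cef", "vendor": parts[1], "product": parts[2],
           "version": parts[3], "signature": parts[4], "name": parts[5],
           "severity": int(parts[6])}
    rec.update((k, _unescape(v)) for k, v in CEF_EXT_RE.findall(parts[7]))
    rec["area"] = parts[4].split(".", 1)[0]    # "SWB.GET_PASSWORD" -> "SWB"
    rec.setdefault("act", parts[4].split(".", 1)[-1])
    return rec


def parse_csv(msg: str) -> dict:
    fields = next(csv.reader([msg]))            # handles quoted fields with commas
    if not fields or fields[0] not in CSV_COLUMNS:
        raise ValueError("unknown CSV audit area: %r" % fields[:1])
    names = CSV_COLUMNS[fields[0]]
    if len(fields) != len(names):
        raise ValueError("unexpected field count for %s record" % fields[0])
    rec = dict(zip(names, fields))
    rec["format"] = "csv"
    rec["suser"] = _unescape(rec["suser"])
    rec["act"] = rec["act"].replace(" ", "_")   # "GET PASSWORD" -> "GET_PASSWORD"
    return rec


def parse_line(line: str) -> dict:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    msg = m.group("msg")
    rec = parse_cef(msg) if msg.startswith("CEF:") else parse_csv(msg)
    rec.update(ts=m.group("ts"), host=m.group("host"))
    return rec


def password_retrievals(lines) -> list:
    """Detection: every GET_PASSWORD event, whichever format the server emitted."""
    return [r for r in map(parse_line, lines) if r["act"] == "GET_PASSWORD"]


if __name__ == "__main__":
    for r in password_retrievals(SAMPLE_LINES):
        print(r["ts"], r["suser"], r["area"], r.get("station") or r.get("safe"),
              r.get("user") or r.get("rec"))
```

The CEF form is the easier one to consume: the signature (SWB.GET_PASSWORD) and severity are explicit, and a value containing spaces is unambiguous, whereas in CSV the meaning of each column depends on the area in the first field.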
Send messages with this or higher log level to syslog. It is possible to set the different log level for messages sent to the syslog and for messages sent to the log of application. For records sent to the syslog server, it is not possible to set multiple logging levels for each part of the application, as in the SecureAnyBox5 diagnostic log. The selected logging level applies to all parts of the application.
To configure the log level of messages sent to the log of application, go to Logging part of SecureAnyBox5 configuration.
Log level | Value | Log level of sent messages |
---|---|---|
TRACE | 0 | TRACE,DEBUG,INFO,WARN,ERROR |
DEBUG | 1 | DEBUG,INFO,WARN,ERROR |
INFO | 2 | INFO,WARN,ERROR |
WARN | 3 | WARN,ERROR |
ERROR | 4 | ERROR |
Archiving of audit log can be done manually or automatically. Manual archiving can be started at the Audit log page in the Audit part of the SecureAnyBox5.
Archived audit log records will be stored in separate files on the server. Once records are archived, they cannot be viewed in SecureAnyBox5.
If enabled, an auditor can run the archiving from the audit log page (in the Audit part). During the archiving, older records (than a number of months set below) will be saved in separate files and removed from the database. You will no longer be able to view them from SecureAnyBox5.
Records older than the specified number of months will be archived (within the range of 1 to 240)
Enable automatic archiving of audit log records. The auditor can still start archiving audit log records on the audit log page.
Frequency of automatic archiving (daily, weekly, monthly, quarterly, semiannually, yearly)
The day of the week when archiving will start. At weekly frequency, it will be every week. At a shorter frequency, it will be the selected day in the first week of the period.
Server time in whole hours (within the range of 0 and 23), when archiving of audit records will run.
On this tab of the Configuration you can configure the user and security related parameters of SecureAnyBox5, such as the maximum number of login attempts, the duration of the login ban and the login password policy.
User Authentication and Security configuration
Disclaimer message shown on login page.
User is banned (cannot log into application) after this number of unsuccessful attempts. Set to 0 to turn this feature off.
User is banned (cannot log into application) for this amount of minutes.
Inactivity timeout for user session. After this timeout expires with no user activity, the user will be logged-out.
Use of second factor (authenticator application) is either optional – enabled by user in the top right menu, or mandatory.
Enabling the login password policy allows you to set minimum password requirements – minimum length, minimum entropy, minimum number of uppercase or lowercase letters, and so on.
Login password policy determines minimum requirements for the login password.
These fields are displayed only if the Enable Login Password Policy box is checked.
Minimum length of the login password.
Minimum number of uppercase letters in login password.
Minimum number of lowercase letters in login password.
Minimum number of digits in login password.
Minimum number of special characters in login Password.
Permissions to manage users and domains
If not allowed, a user manager from a domain other than the System domain can manage only its own domain. If allowed, it can manage all domains visible to it.
When a user is created manually without a password, send this user an invitation e-mail with a link for setting the password.
Settings of preferences for selecting the full name of users. The full name displays in the top right corner of the web interface and is also used in e-mail invitations, e-mail notifications and messages.
If the full name cannot be selected according to the first preference, the second preference is tried. If selecting the full name fails for both preferences, the username is displayed as the full name.
Most preferred settings how the full name of users will be selected.
Settings to apply if the first preference result is empty.
the username will be displayed as the user’s full name
Settings of preferences for selecting the short full name of users. The short full name displays in lists with users – e.g. in the users management, when adding permissions for Safe Boxes to other users, in the names of private Safe Boxes shared from another user, in reports, etc.
If the short name cannot be selected according to the first preference, the second preference is tried. If selecting the short name fails for both preferences, the username is displayed as the short name.
Most preferred settings how the short name of users will be selected.
Settings to apply if the first preference result is empty.
the username will be displayed as the user’s short name.
The SecureAnyBox5 server is backed up at the set time (if the server is running) or at the earliest opportunity afterwards. The default is midnight. Here you can configure the backup and check whether it ran.
A backup of the SecureAnyBox5 server can also be started manually.
View how to restore SecureAnyBox5 data from a backup
To edit the Backup configuration, click the edit button and wait for the form to display.
The path to the location where the backup files are created. The default is the backup directory in the SecureAnyBox5 installation directory: /opt/tdp/secureanybox/backup on Linux or C:\SecureAnyBox\backup on Windows.
A time stamp in yyyy-mm-dd format is automatically appended to the prefix (e.g. secureanybox-backup-2018-05-17.zip). The default prefix is secureanybox-backup.
The number of backups kept. When the count of backups exceeds this number, the oldest backups are deleted automatically. The default is 7.
Allows you to change the default access rights of the backup files. Backups contain the server data, so keep them restricted to the owner unless a dedicated backup account needs access.
User account that is set as the owner of the created backup file (e.g. root, Administrators).
This field is displayed only if the SecureAnyBox5 server runs on Windows.
Group of users with permissions to the backup files.
This field is displayed only if the SecureAnyBox5 server runs on Linux.
Permissions set on the backup files, in Unix symbolic notation such as rw-rw---- (see https://en.wikipedia.org/wiki/File_system_permissions). By default only the owner has read and write permission (rw-------).
This field is displayed only if the SecureAnyBox5 server runs on Linux.
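The symbolic permission string used by the backup permissions field, as an added Python example (not SecureAnyBox5 code): a parser from symbolic to numeric mode, the reverse, and an audit of an existing backup directory for files that group or others can read. Function names are hypothetical; the default prefix argument is the documented default prefix.

```python
import os
import stat

# Added example, not SecureAnyBox5 code: symbolic <-> numeric mode conversion and
# a check that backup files are readable by their owner only.

def parse_symbolic(perm: str) -> int:
    """'rw-------' -> 0o600, 'rw-rw----' -> 0o660. Exactly nine characters,
    each either the letter expected at that position or '-'."""
    if len(perm) != 9:
        raise ValueError("expected 9 characters like rw-r-----, got %r" % perm)
    mode = 0
    for i, expected in enumerate("rwxrwxrwx"):
        ch = perm[i]
        if ch == expected:
            mode |= 1 << (8 - i)             # bit 8 is owner read, bit 0 is others execute
        elif ch != "-":
            raise ValueError("unexpected %r at position %d" % (ch, i + 1))
    return mode


def to_symbolic(mode: int) -> str:
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))


def is_owner_only(mode: int) -> bool:
    """True if group and others have no access at all."""
    return mode & 0o077 == 0


def audit_backup_dir(path: str, prefix: str = "secureanybox-backup") -> list:
    """Return [(filename, symbolic mode)] for backup files that are too open."""
    offenders = []
    for name in sorted(os.listdir(path)):
        if not name.startswith(prefix):
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if not is_owner_only(mode):
            offenders.append((name, to_symbolic(mode)))
    return offenders


if __name__ == "__main__":
    import sys
    backup_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/tdp/secureanybox/backup"
    for name, perm in audit_backup_dir(backup_dir):
        print("too open:", name, perm)
```

Run it against the backup directory after changing the permissions field, or from a cron job: a backup that a group or everyone can read hands out the same data the vault protects.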
Table with information about backups displays below the backup configuration details.
The Connector holds the server connection settings used for communication with an LDAP or Azure AD server, to synchronize users from LDAP/Azure AD into SecureAnyBox5 and vice versa. Four types of directory service are supported: eDirectory, Active Directory, generic LDAP and Azure AD.
By clicking the sync button, the user starts a manual synchronization with the connector's server and is redirected to the Connector synchronization log page, where the synchronization results can be seen.
By clicking the view button, the user is redirected to the Connector Viewer page, where they can see which users can be synchronized from the LDAP/Azure AD server after the filtering specified in the LDAP/Azure AD connector is applied.
For each connector, it is possible to set more than one LDAP server for backup or load balancing purposes. All servers set to one connector need to be the same type (eDirectory, Active Directory, or generic LDAP).
To create a new LDAP connector, click on the add LDAP Connector button and wait for a form to display.
Unique connector identifier. Connector ID must start with a letter and contain only letters, numbers and underscore.
Uncheck (false) to disable this connector.
LDAP server type.
LDAP server address or addresses of multiple LDAP servers with same directory replica/mirror (for failover).
To add an LDAP server, click the button with the plus symbol and wait for the form to display.
In the form, enter the Server address and Port of the LDAP server. The server address can be entered as an IP address (e.g. "172.22.13.1") or as a domain name (e.g. "ldapsrv.tdp.cz"). By default the port is set to 636 and SSL is enabled.
We recommend using SSL for the communication between SecureAnyBox5 and the LDAP server; without it, the manager user's bind credentials and every password change travel over the network in plaintext.
To add the new LDAP server address, confirm the entered values by clicking the OK button.
Server address
Please enter LDAP server address. Server address can be entered as an IP address (e.g. “172.22.13.1”) or as a domain name (e.g. “ldapsrv.tdp.cz”)
Port
Port on which SecureAnyBox5 communicates with LDAP server. For connection with SSL protocol is used port 636 and for connection without SSL protocol is used port 389.
SSL
Enable/disable SSL protocol during communication between SecureAnyBox5 and LDAP server. We strongly recommend using SSL protocol.
When enabled, LDAP requests will be distributed among available LDAP servers (for load balancing). When not enabled, SecureAnyBox5 will connect to the first server available. Servers are tried in the order in which they are defined.
LDAP User DN used by SecureAnyBox5 to access the LDAP directory, look up users, change passwords, etc.
Minimum access rights:
entry/object rights – browse
cn – read, compare
objectClass – read,compare
Use the Create SecureAnyBox objects button to create the manager user automatically when using NetIQ (Novell) eDirectory. If you are connecting to a directory service from another vendor, create the manager user using your directory service management console. The LDAP interface on some directory services (e.g., Active Directory) doesn't provide access rights/permissions modification...
e.g., cn=secureanyboxmgr,o=org or cn=secureanyboxmgr,cn=Users,dc=DOMAIN,dc=local
LDAP container used as the search base for the LDAP synchronization search query. When the search base is not set, the search starts at the root of the LDAP tree.
e.g., o=org, or leave empty to search from the root of the tree
Uncheck to search only the immediate subordinates of the specified search base (one level instead of the whole subtree).
An alias is an entry which points to another object in the namespace – by containing its dn. Searching the entry that an alias entry points to is known as dereferencing an alias.
There are four modes of dereferencing aliases:
When set to a value greater than zero, SecureAnyBox5 uses the Simple Paged Results extended control to retrieve LDAP search results in pages of the given number of entries. Some LDAP servers have a default server-side limit on the number of entries returned in a single response; for example, Active Directory servers have a default limit of 1000 objects for a single search request. Setting Search Page Size to 1000 or lower allows SecureAnyBox5 to retrieve more results than the server limit using multiple requests. When set to 0, no paging is used and a single request retrieves all results, so an import of more entries than the server limit would be incomplete. This setting is used when importing users and in the Connector Viewer.
When using the embedded LDAP of KeyShield SSO, this value must be set to 0.
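The paging loop that the Search Page Size setting implies, as an added example (not SecureAnyBox5 code, and not a real LDAP client): a constructed stand-in for a directory with a server-side size limit, and the client loop that re-issues the search with the Simple Paged Results cookie until the server returns an empty cookie. It shows why a page size of 0 fails once the directory holds more entries than the server limit, and why 1000 or lower succeeds against an Active Directory-like limit. The class names, the integer cookie and the clamping of oversized pages are assumptions of this simulation.

```python
class SizeLimitExceeded(Exception):
    """Stand-in for the LDAP result code sizeLimitExceeded (4)."""


class SimulatedDirectory:
    """Constructed stand-in for an LDAP server that enforces a server-side
    size limit (Active Directory's default MaxPageSize is 1000). It is not
    an LDAP client; it only reproduces the paging contract of RFC 2696."""

    def __init__(self, entries, server_limit=1000):
        self.entries = list(entries)
        self.server_limit = server_limit
        self.requests = 0          # how many round trips the client needed

    def search(self, page_size=0, cookie=b""):
        """Return (entries, next_cookie). An empty cookie starts a search;
        an empty cookie in the response means there are no more pages."""
        self.requests += 1
        start = int.from_bytes(cookie, "big") if cookie else 0
        if page_size == 0:
            # Unpaged search: the server refuses to return more than its limit.
            if len(self.entries) > self.server_limit:
                raise SizeLimitExceeded(
                    f"{len(self.entries)} entries exceed limit {self.server_limit}")
            return list(self.entries), b""
        # Assumption of this simulation: a page larger than the limit is
        # clamped to it, so a page never exceeds what the server allows.
        page_size = min(page_size, self.server_limit)
        page = self.entries[start:start + page_size]
        end = start + len(page)
        next_cookie = end.to_bytes(4, "big") if end < len(self.entries) else b""
        return page, next_cookie


def fetch_all(directory, page_size):
    """Client side of Simple Paged Results: keep re-sending the search with
    the cookie from the previous response until the cookie comes back empty."""
    results, cookie = [], b""
    while True:
        page, cookie = directory.search(page_size, cookie)
        results.extend(page)
        if not cookie:
            return results
```

With 2,500 constructed entries and a limit of 1,000, a page size of 0 raises SizeLimitExceeded, while a page size of 1000 completes in three round trips; the value 0 therefore only makes sense for a directory, such as the embedded KeyShield SSO LDAP, that never returns more than its own limit.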
List of FDNs included in user synchronization.
List of FDNs excluded from user synchronization.
e.g., (objectClass=person)
The number of LDAP connections SecureAnyBox5 keeps alive to improve the performance of LDAP requests.
Attribute used as the UUID (universally unique identifier). Its value uniquely identifies the user object in the connector and must be unique across domains and LDAP connectors. Usually the GUID (eDirectory) or objectGUID (Active Directory) attribute is used and recommended, because these values are generated to be globally unique.
Attribute used as a first name.
Attribute used as a middle name.
Attribute used as a surname.
Enable mapping to Display name
Field is displayed only if the Display Name Mapping field is checked.
Attribute used as a display name.
Enable mapping to Short display name
Field is displayed only if the Short Display Name Mapping field is checked.
Attribute used as a short display name.
You can set the source attribute for reading the user's e-mail address and an optional regular expression to pick the correct address if the source attribute is multi-valued.
The fields below are displayed only if the Custom Mail Attribute field is checked.
Source attribute used to read the user's e-mail address.
Mapping method used to read the e-mail value, for example when the source attribute is multi-valued. The default mapping method (First value) reads the first value of the attribute as returned by the server.
This field is displayed only if the Mapping method field is set to First match or to First match or first value.
Regular expression used to find the value of the user's e-mail address. For example, use the regex .*@yourdomain.com to match an e-mail address from yourdomain.com (an unescaped dot also matches any other character, so .*@yourdomain\.com is the stricter form).
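How the three mapping methods and the GUID normalisation behave, as an added example in Python (not the page's or the product's code) over a constructed Active Directory entry. It applies First value, First match and First match or first value to a multi-valued mail attribute, and turns the raw objectGUID bytes into the lowercase hexadecimal form that the user form documents (the value 950aea900084d311aef800e029255247 quoted later on this page), including the conversion back from the mixed-endian string that Windows tools display. The sample entry, the method names and the use of an anchored full match for the regular expression are assumptions.

```python
import re
import uuid

# Constructed sample entry, not real directory data: attribute values as a
# Python LDAP client would return them (lists of strings, raw bytes for GUIDs).
SAMPLE_ENTRY = {
    "objectGUID": bytes.fromhex("950aea900084d311aef800e029255247"),
    "givenName": ["John"],
    "sn": ["Smith"],
    "mail": ["jsmith@contractor.example", "john.smith@yourdomain.com"],
}


def sab_user_guid(raw):
    """Lowercase hex of the raw attribute bytes, i.e. the format the user
    form documents (950aea900084d311aef800e029255247)."""
    return raw.hex()


def sab_user_guid_from_windows_display(text):
    """Windows tools show objectGUID with the first three fields byte-swapped
    (90ea0a95-8400-11d3-aef8-00e029255247); bytes_le undoes that swap so the
    result equals the raw byte order the directory actually returns."""
    return uuid.UUID(text).bytes_le.hex()


def pick_mail(values, method="first_value", regex=None):
    """Select one address from a (possibly multi-valued) mail attribute.

    method is one of the page's options: "first_value", "first_match",
    "first_match_or_first_value". Returns None when no value qualifies, so a
    caller can flag the user rather than import a wrong address.
    """
    if not values:
        return None
    if method == "first_value":
        return values[0]
    if method not in ("first_match", "first_match_or_first_value"):
        raise ValueError(f"unknown mapping method {method!r}")
    if regex is None:
        raise ValueError("a regular expression is required for match methods")
    # Assumption: the whole value must match. With a search instead of a
    # full match, an unanchored pattern would also accept
    # "x@yourdomain.com.attacker.example".
    pattern = re.compile(regex)
    for value in values:
        if pattern.fullmatch(value):
            return value
    return values[0] if method == "first_match_or_first_value" else None


def map_user(entry, mail_method="first_value", mail_regex=None):
    """Assemble the SecureAnyBox5-side user record from one LDAP entry.
    Attribute names are Active Directory's; eDirectory uses GUID instead
    of objectGUID."""
    def first(attr):
        return (entry.get(attr) or [None])[0]

    return {
        "guid": sab_user_guid(entry["objectGUID"]),
        "first_name": first("givenName"),
        "surname": first("sn"),
        "mail": pick_mail(entry.get("mail", []), mail_method, mail_regex),
    }
```

The GUID helpers are the check to run before linking an existing user record to LDAP by hand: a GUID copied from an Active Directory console will not match the directory's raw byte order until it is converted.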
Synchronized user objects are created in this domain.
Enable periodic synchronization of users from connector.
The delay between synchronizations of users from this connector.
To complete the configuration of the LDAP connector, please confirm the form by clicking the OK button. The application must be restarted for the LDAP connector to function properly.
While configuring a new eDirectory LDAP connector, you can click on the Create SecureAnyBox objects button to run the eDirectory installation directly from the SecureAnyBox5 web interface. After clicking the button, wait for the eDirectory Installation form to display.
LDAP server address. The address can be specified in various formats (e.g. 172.22.40.68, localhost, ldapsrv.tdp.cz), but cannot include a URL scheme (e.g. ldap://127.0.0.1).
The port on which SecureAnyBox5 communicates with the LDAP server. For SSL connections use port 636 and for connections without SSL use port 389.
Enable/disable the use of SSL for communication between SecureAnyBox5 and LDAP. We strongly recommend using SSL.
LDAP container used as the search base for the LDAP synchronization search query. When the search base is not set, the search starts at the root of the LDAP tree.
e.g., o=org, or leave empty to search from the root of the tree
LDAP container in which the SecureAnyBox5 objects (such as the SecureAnyBox5 manager user) should be created.
Enter the FDN of the LDAP admin (e.g., cn=admin,o=org). LDAP admin credentials are necessary to create the SecureAnyBox5 objects in LDAP.
Enter the admin password.
When enabled, you can override the User DN and password of the SecureAnyBox5 manager user. Otherwise the default values are used.
LDAP User DN used by SecureAnyBox5 to access the LDAP directory.
Password pattern for generating the SecureAnyBox5 manager password. Each letter in the pattern corresponds to one character in the generated password.
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – any alphabet character, upper case
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character: the next character is used as is (e.g. the pattern '\-' outputs '-' in the resulting password)
* – any allowed character
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as "wEHe063heFme4p").
For example, you can set the password pattern to "\p\a\s\sddddddd", which might generate passwords such as "pass1762885" or "pass5687412". Note that escaped literals add no randomness: such a pattern effectively has only seven random digits.
Please set the SecureAnyBox5 manager password. The password can be generated by clicking on the Generate button. Generated passwords are safer and have no link to the person who made them (such as a pet's name, favourite actor or nickname). Generated passwords follow the current password pattern and can also be edited.
Once all required values are set, click on the OK button and wait until the installation process finishes successfully. If no error occurs, the eDirectory Installation form is no longer displayed and a Success message is displayed in the LDAP connector form.
To create a new Azure AD connector, click on the add Azure AD Connector button and wait for a form to display.
Uncheck (false) to disable this connector.
Primary domain of your Azure Active Directory; it is used to form the userPrincipalName (username@domain) used to log in to Azure AD.
Tenant ID of your Azure AD.
ID of the application registered in Azure AD that SecureAnyBox5 uses for synchronization and authentication.
Client secret of that registered application.
In this part of the SecureAnyBox5 configuration, you can set up the integration with KeyShield SSO. SecureAnyBox5 supports two types of KeyShield authentication: by IP address, and by certificate using the Client API.
KeyShield SSO integration for clients with a unique IP address, using the KeyShield SSO web REST API.
KeyShield SSO authentication is disabled by default. You can enable it for all users or for non-admin users only.
KeyShield SSO server URL (syntax: http://address:port).
If you are connecting to the KeyShield SSO server using SSL (via HTTPS instead of HTTP), you need to import the certificate of the KeyShield SSO server into your Java keystore.
http://127.0.0.1:8485
Key used to authenticate against the KeyShield SSO API. To obtain the API key, go to the KeyShield SSO Administration.
When SecureAnyBox5 is behind a reverse proxy server, it is necessary to enter the trusted proxy IP address (or multiple addresses) to enable the KeyShield SSO integration. List only proxies you control: with IP-based SSO the client's identity rests on the address the proxy reports.
Determines the timeout in seconds until a connection to the KeyShield SSO server is established.
Select the authentication type. This value determines whether authentication through the login form is enabled, or whether two-factor authentication is used.
Copy this URL and use it in the notification configuration within the KeyShield SSO Server. KeyShield SSO will then notify the SecureAnyBox5 server that a user has logged in or logged out, even if the user is authenticated to the SecureAnyBox5 server by using the GUID.
Integration with KeyShield SSO for clients with a non-unique IP address. This authentication uses the KeyShield SSO client API and requires a browser extension to work. Using the KeyShield SSO (Windows) client in TLS mode is also required.
Enables SSO through the KeyShield SSO Client API.
Upload the KeyShield SSO API certificate, which can be downloaded from the KeyShield SSO configuration in the API section.
Configuration of the default password pattern used in Safe Boxes and Records, offering of previously entered labels, maximum file size, the Access Code policy and the application of permission templates.
Selection of which data is displayed in the middle column of the list of records in a Safe Box, after the record name. The default value is Description.
This value is set for the server and can be overridden in the domain and user preferences.
When using the API (/safe/boxes/{boxId}/records), new record tags can be created directly when creating a record, using the 'forceCreateTags' parameter. This setting determines who can use this parameter.
Note: the global setting can be overridden by the domain setting.
When checked, previously typed tags are not offered while entering a tag in the record's form.
This value determines the maximum size of a file that can be stored in a record (file or certificate record type).
Sets whether a user who has the delete permission for a Safe Box can delete the Safe Box itself or only its content.
Select the White Envelope mode. If the White Envelope is mandatory, a sufficient number of Security Officers must be set up.
If the private key is backed up in the White Envelope, a forgotten Access Code can be recovered with the help of the Security Officers and does not need to be reset. When recovering the Access Code, unlike when resetting it, the user does not lose the keys to the Safe Boxes, so Safe Boxes to which no other user has keys cannot be permanently deleted.
Note: the domain settings can override this setting.
Enable resetting the Access Code even though the Access Code can be recovered with the help of the Security Officers. When recovering the Access Code, unlike when resetting it, the user does not lose the keys to the Safe Boxes, so Safe Boxes to which no other user has keys cannot be permanently deleted.
Note: the domain settings can override this setting.
Settings of the default password generation method
Select the setting that will be the default for all users. The selected setting will be used when generating a password:
A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.
Default password pattern for Safe Boxes and Records where no password pattern is set.
Each letter in the pattern corresponds to one character in the generated password.
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – any alphabet character, upper case
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character: the next character is used as is (e.g. the pattern '\-' outputs '-' in the resulting password)
* – any allowed character
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to '\p\a\s\sddddddd', which might generate passwords such as 'pass1762885' or 'pass5687412'.
Configuration of enhanced client-side encryption of Access Code and record data. This is additional encryption inside the already encrypted and secure SSL/TLS connection.
Minimum length of the Access Code.
Minimum number of uppercase letters in Access Code.
Minimum number of lowercase letters in Access Code.
Minimum number of digits in Access Code.
Minimum number of special characters in Access Code.
By setting the Access Code Timeout, you will enable temporary remembering of the Access Code. The last entered valid Access Code will be temporarily stored in a cache (for the specified amount of time), so users will not have to enter the Access Code repeatedly.
To turn this feature off, set the Access Code Timeout to 0.
User Access Code is temporarily disabled after this number of unsuccessful attempts. Set to 0 to turn this feature off.
The user cannot use their Access Code for this number of minutes.
Requirement | Default value | Minimum value |
---|---|---|
Minimum length | 8 | 5 |
Uppercase letters | 1 | 0 |
Lowercase letters | 1 | 0 |
Digits | 3 | 0 |
Special characters | 0 | 0 |
Minimum entropy | 20 | 0 |
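An Access Code policy check and the lockout counter described above (unsuccessful attempts followed by a ban period), as an added example in Python; this is not SecureAnyBox5's implementation. The defaults and floor values come from the table, and the check returns the list of violated requirements so a caller can report all of them at once. The entropy formula, the definition of a special character (any character that is not a letter or digit) and the injectable clock are assumptions; the product's real entropy calculation is not documented on this page.

```python
import math
import time
from dataclasses import dataclass

# Floor values from the page's "Minimum value" column: an administrator cannot
# configure a policy weaker than this.
FLOOR = {"min_length": 5, "min_upper": 0, "min_lower": 0,
         "min_digits": 0, "min_special": 0, "min_entropy": 0.0}


@dataclass(frozen=True)
class AccessCodePolicy:
    # Defaults from the page's "Default value" column.
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 3
    min_special: int = 0
    min_entropy: float = 20.0

    def __post_init__(self):
        for name, floor in FLOOR.items():
            if getattr(self, name) < floor:
                raise ValueError(f"{name} may not be below {floor}")


def estimate_entropy_bits(code):
    """Assumed estimate: length * log2(size of the union of character classes
    used). Shows the order of magnitude; it is not the product's formula."""
    pool = 0
    if any(c.islower() for c in code):
        pool += 26
    if any(c.isupper() for c in code):
        pool += 26
    if any(c.isdigit() for c in code):
        pool += 10
    if any(not c.isalnum() for c in code):
        pool += 33   # printable ASCII punctuation
    return len(code) * math.log2(pool) if pool else 0.0


def check_access_code(code, policy=AccessCodePolicy()):
    """Return the names of the requirements the code violates ([] = compliant)."""
    counts = {
        "min_length": len(code),
        "min_upper": sum(c.isupper() for c in code),
        "min_lower": sum(c.islower() for c in code),
        "min_digits": sum(c.isdigit() for c in code),
        "min_special": sum(not c.isalnum() for c in code),  # assumption: special = non-alphanumeric
        "min_entropy": estimate_entropy_bits(code),
    }
    return [name for name, have in counts.items() if have < getattr(policy, name)]


class AccessCodeLockout:
    """Per-user counter for failed Access Code attempts. After max_attempts
    failures the user is banned for ban_minutes; max_attempts=0 disables the
    feature, matching the page's "set to 0 to turn this feature off"."""

    def __init__(self, max_attempts, ban_minutes, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.ban_seconds = ban_minutes * 60
        self.clock = clock   # injectable so the ban can be tested without waiting
        self._failures = {}
        self._banned_until = {}

    def is_locked(self, user):
        until = self._banned_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:   # ban expired: start with a clean slate
            del self._banned_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user, success):
        """Return True only if the attempt is accepted. A correct code presented
        during a ban is still rejected; that is what makes the ban effective
        against online guessing."""
        if self.is_locked(user):
            return False
        if success:
            self._failures.pop(user, None)
            return True
        if self.max_attempts > 0:
            self._failures[user] = self._failures.get(user, 0) + 1
            if self._failures[user] >= self.max_attempts:
                self._banned_until[user] = self.clock() + self.ban_seconds
        return False
```

A successful attempt resets the failure counter, so the ban is only reached by consecutive failures; an administrator who sets the attempt count to 0 should be aware that this removes the only online-guessing brake the Access Code has.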
Configuration of e-mail notifications. Notifications are sent when a user makes changes in the records (Safe Boxes, Accounts and so on).
Please enter the address of the SMTP server from which notification e-mails will be sent. The host address can be specified in various formats (e.g. 172.22.40.68, localhost, mail.tdp.cz), but cannot include the connection type (e.g. smtp://127.0.0.1).
Please enter the port of the SMTP server. Usual SMTP ports are 25, 587 or 2525.
Please enter the username of the SMTP account that SecureAnyBox5 will use to connect to the SMTP server.
Please enter the password of the SMTP account that SecureAnyBox5 will use to connect to the SMTP server.
Enter the e-mail address from which the notification e-mails will be sent.
By enabling e-mail notifications, you allow sending notification e-mails with a summary of changes in the records.
When notifications are enabled, it is possible to set when and to whom the e-mails are sent.
If this field is checked (or its value is "yes"), notification e-mails are sent only if some encrypted field of a record changes.
If this field is checked (or its value is "yes"), notification e-mails are sent only to watchers of the Safe Box in which the changed record is stored.
If this field is checked (or its value is "yes"), a notification e-mail is sent even to the user who made the changes.
Set the time (in minutes) during which SecureAnyBox5 aggregates changes. After this time, SecureAnyBox5 sends an e-mail with a summary of all changes in the records.
Configuration of external files. External files are encrypted by SecureAnyBox5 and stored on another server. In this part of the Configuration, it is possible to set the default external files path.
This page is intended for managing domains. Only users with the role User Manager or Administrator have access to this page.
Domains can be used to divide SecureAnyBox5 into several parts. Each domain has its own user management, and it is possible to create a hierarchical structure of domains.
The structure of domains can copy the structure of your company: a hierarchy is created by making one domain visible to other domains that are higher in the company structure.
For example, two domains named "Management" and "Technical support" can be created here. Because users of the "Management" domain have a higher position in the company structure, the "Technical support" domain is set as visible for users of the "Management" domain.
This setting allows users of the "Management" domain to grant access to Safe Boxes to users of both domains, while users of the "Technical support" domain can grant access to Safe Boxes only to users of their own domain.
Domains can also copy the structure of containers in LDAP. When setting up an LDAP connector, it is required to select the domain into which users from that connector will be imported. Each LDAP connector can have only one domain.
Only users with the Administrator role from the System domain can create a domain. Users with the User Manager role can only edit their own domain.
To create a domain, click on the New Domain button on the Domains page. After clicking the button, the domain form displays.
All fields are displayed after entering a domain name.
When enabled, users from this domain can log in.
The name should characterize the domain. Each domain name must be unique.
If more than one domain is specified, the domain name must be filled in on the login page.
By clicking on the Login page link button, it is possible to get a link to the login page with the domain name prefilled.
The description should characterize the domain more specifically.
If this limit is reached, non-initialized users will not be able to set the Access Code.
Select the language that users of this domain will have set by default. The language can be changed at any time.
List of domains visible for users of this domain.
Users of this domain can share their Safe Boxes and Safe Box Groups also with users of visible domains.
Agent Configurations assigned to this domain.
When an Agent Configuration is assigned, by default users with the SecureAnyBox Admin role in this domain can modify or remove it. Management of the Agent Configuration can be enabled for SecureAnyBox Admins from all domains in the Agent Configuration settings.
SecureAnyBox Admins from other domains (if the Agent Configuration is visible to them) can only copy the Agent Configuration.
An assigned Agent Configuration can be used by users from this domain by default. The ability to use the Agent Configuration can be expanded or limited by setting the permitted users in the Agent Configuration settings.
An Agent Configuration can be assigned to one domain only.
After manually creating a user who does not have a password, send this user an invitation e-mail with a link to set the password.
Use of the second factor (authenticator application) is either optional, enabled by the user in the top right menu, or mandatory.
Selection of which data is displayed in the middle column of the list of records in a Safe Box, after the record name. The default value in the server configuration is Description.
This value is set for the domain and can be overridden in the user preferences.
Choose a default Safe Box type for all new Safe Boxes and Safe Box Groups which will be created in this domain.
Shared – Access rights are inherited from parent level.
Private – Blocks access rights inheritance from parent level.
When using the API (/safe/boxes/{boxId}/records), it is possible to create new record tags directly when creating a record using the ‘forceCreateTags’ parameter. This setting determines who can use this parameter.
Note: This setting overrides global setting
Check this box to override the maximum file size. The default value is 15 MB.
This value determines the maximum size of file which is possible to store in a record (file or certificate type of record).
Enables/disables sharing of Safe Box permissions with other users.
Checking this box overrides the 'Access Code Timeout' setting; for users of this domain, the Access Code will not be remembered.
For Safe Box Groups, Safe Boxes and records that users from this domain create or obtain access to, watching of changes is enabled automatically by default.
Each user can change whether changes are watched automatically in the user preferences form.
If sending notifications is enabled (in the server configuration), e-mail notifications with a summary of changes are sent to the watchers.
For Safe Box Groups, Safe Boxes and records that users from this domain create or obtain access to, watching of accesses to encrypted information is enabled automatically by default.
Each user can change whether accesses to encrypted information are watched automatically in the user preferences form.
If sending notifications is enabled (in the server configuration), e-mail notifications with a summary of accesses to encrypted information are sent to the watchers.
Select the password setting that will be the default for users of this domain. Password settings are used when generating a password:
Default password pattern for Safe Boxes and Records created in this domain where no password pattern is set.
Each letter in the pattern corresponds to one character in the generated password.
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – any alphabet character, upper case
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character: the next character is used as is (e.g. the pattern '\-' outputs '-' in the resulting password)
* – any allowed character
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to '\p\a\s\sddddddd', which might generate passwords such as 'pass1762885' or 'pass5687412'.
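A generator and checker for the password pattern language, as an added example in Python; it is not SecureAnyBox5's code. It covers the three pattern fields on this page, which share the same legend: the eDirectory Installation manager password, the server-wide default password pattern in the Configuration, and this domain override. Besides generating from a pattern with a CSPRNG, it verifies that an edited password still conforms and sums the entropy a pattern can deliver, which makes the cost of pronounceable and literal positions visible: the default CVCVdddCVCCVdC yields under 60 bits, and '\p\a\s\sddddddd' only the 23 bits of its seven digits. The rejection of unknown pattern characters and the treatment of an escaped character as a one-character class are assumptions.

```python
import math
import secrets
import string

# Character classes exactly as listed in the legend on this page.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
SPECIALS = ".@&*()<>_][%$#\\/?;-:"

CLASSES = {
    "v": VOWELS,
    "V": VOWELS + VOWELS.upper(),
    "Z": VOWELS.upper(),
    "c": CONSONANTS,
    "C": CONSONANTS + CONSONANTS.upper(),
    "z": CONSONANTS.upper(),
    "l": string.ascii_lowercase,      # vowels + consonants cover the whole alphabet
    "A": string.ascii_letters,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SPECIALS,
    "n": string.digits + SPECIALS,
    "*": string.ascii_letters + string.digits + SPECIALS,
}


def expand_pattern(pattern):
    """Turn a pattern into one allowed-character string per output position.

    A backslash escapes the next character, which becomes a one-character
    class (a fixed literal). Any other character must be a documented class
    letter; anything else is rejected (assumption) rather than silently skipped.
    """
    positions = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling escape at end of pattern")
            positions.append(pattern[i + 1])
            i += 2
            continue
        if ch not in CLASSES:
            raise ValueError(f"unknown pattern character {ch!r}")
        positions.append(CLASSES[ch])
        i += 1
    return positions


def generate(pattern):
    """Generate one password from the pattern using secrets (a CSPRNG), not random."""
    return "".join(secrets.choice(alphabet) for alphabet in expand_pattern(pattern))


def matches(pattern, password):
    """Check that a (possibly hand-edited) password still conforms to the pattern."""
    positions = expand_pattern(pattern)
    return len(password) == len(positions) and all(
        ch in alphabet for ch, alphabet in zip(password, positions)
    )


def pattern_entropy_bits(pattern):
    """Upper bound on entropy: sum of log2(class size) over positions.

    Literals contribute 0 bits, so a pattern of escaped letters plus digits is
    only as strong as its digits.
    """
    return sum(math.log2(len(alphabet)) for alphabet in expand_pattern(pattern))
```

matches() is the check to run when generated passwords are edited by hand, as the page allows: a value that no longer matches the pattern is exactly what a compliance report should surface.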
The compliance profile specifies the password security requirements that passwords should adhere to. The Compliance report can be used to check whether passwords meet these requirements.
The selected compliance profile will be the default for all users within this domain.
By overriding the Login Password Policy, you can set the policy for this domain only. If not overridden, the login password policy from the Configuration (if specified) applies.
The fields below are displayed only if the Override Password Policy field is checked.
Minimum length of the login password.
Minimum number of uppercase letters in login password.
Minimum number of lowercase letters in login password.
Minimum number of digits in login password.
Minimum number of special characters in login password.
By overriding the Access Code Policy, you can set the policy for this domain only. If not overridden, the Access Code Policy from the Configuration applies.
The fields below are displayed only if the Override Access Code Policy field is checked.
Minimum length of the Access Code.
Minimum number of uppercase letters in Access Code.
Minimum number of lowercase letters in Access Code.
Minimum number of digits in Access Code.
Minimum number of special characters in Access Code.
Select White Envelope mode. If the White Envelope is mandatory, a sufficient number of Security Officers must be set up.
If the private key is backed up in the White Envelope, a forgotten Access Code can be recovered with the help of Security Officers and does not need to be reset. When recovering the Access Code, unlike a resetting, the user does not lose the keys to the Safe Boxes, and it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.
Enable resetting the Access Code even though the Access Code can be recovered with the help of Security Officers. When recovering the Access Code, unlike when resetting, the user does not lose the keys to the Safe Boxes. So, it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.
The number of Security Officers required to open a White Envelope. The count of configured Security Officers has to be greater than this number.
If this limit is reached, non-initialized users will not be able to set the Access Code.
Number of Security Officers appointed in your organization. SecureAnyBox5 warns you if the Security Officer count falls below this value.
These Default Safe Box permissions are used as the default permissions when creating a new user in the domain.
By checking the fields below, new users created in this domain (not users updated during LDAP synchronization) are granted access to the licensed features: the CBT client (Custom Branded Trusted client) or the File manager plugin. The number of users with access to licensed features cannot exceed the number of licenses.
The CBT (Custom Branded Trusted) client is a native Windows application simplifying work with SecureAnyBox5 file records. For more information, contact your distributor.
The File Manager plugin for Total Commander or FAR allows working with Safe Boxes and their records from these applications.
To edit a domain, click on its row in the list of domains. The domain form displays, and any value in the form can be changed.
To apply the changes, click on the OK button. By clicking on the Cancel button, all changes are reverted.
By disabling a domain, you block the login of all users in that domain. To disable the domain, open the domain form by clicking on its row in the list of domains and uncheck the Enabled field. After saving, the domain is disabled.
A domain which was disabled can be enabled at any time.
A domain can be deleted only if it does not contain users. To delete the domain, click on the cross icon at the end of its row in the table of domains.
Deleting the domain has to be confirmed.
It is possible to view the users of a specific domain by clicking the appropriate icon in the domain table. After clicking the icon, a list of the domain's users opens in a new tab.
The Users page is intended for user management. Only users with the User Manager role have access to this page.
Users are filtered by domain by default. To change the domain by which users are filtered, click on the Select domain button and choose the domain whose users should be displayed. All users from all domains can be displayed by clicking on All Domains in the list of domains.
Users can be created manually or imported from LDAP.
Before creating a new user, it is important to select the domain in which the user will be created.
To create a new user, click the New User button. After clicking the button, a user form displays.
The Security Officer and Inherited fields can be edited only after the new user has set an Access Code.
The domain to which the user belongs.
To change the domain in which a new user is created, you must select a different domain on the Users page.
Once the user is created, it is possible to move the user to a different domain.
Username which the user will use to log in.
By clicking on the Login page link button, it is possible to get a link to the login page with the domain name and the username prefilled.
Once the user is created, this value cannot be changed.
When the field is checked (or its value is "yes"), the user is synchronized with LDAP.
Once the user is created, this value cannot be changed.
Set a password. When no password is set, the user cannot log in.
User password.
While entering the password, the form shows how long the password is, how many lowercase and uppercase letters, digits and other symbols it contains, and how strong it is.
The password is displayed after clicking on the eye icon behind this field.
Repeat the password.
Enables/disables user account login.
Select a language that the user will use in the application. The language can be changed anytime.
By checking the fields below, the user is granted access to the licensed features: the CBT client (Custom Branded Trusted client) or the File manager plugin.
The CBT (Custom Branded Trusted) client is a native Windows application simplifying work with SecureAnyBox5 file records. For more information, please contact your distributor.
The File Manager plugin for Total Commander or FAR allows working with Safe Boxes and their records from these applications.
This part of the form is displayed if the user is synchronized with LDAP.
User GUID (entryUUID or objectGUID) used to match the user with the LDAP object during LDAP synchronization, in lowercase hexadecimal format (e.g., 950aea900084d311aef800e029255247). Use the Connector Viewer to get the user GUID in the correct format if you need to link an existing user record with LDAP.
Name of the LDAP connector with which the user is synchronized.
LDAP user DN (distinguished name).
Assigning this permission is recommended only for users who manage or are responsible for all Safe Boxes/Safe Box Groups within a domain. Assigning other permissions for Safe Boxes/Safe Box Groups within a domain can be fully automated using Permission Templates.
User role | Description |
---|---|
Administrator | User administers SecureAnyBox5 server configuration – domains, URLs, LDAP, SSO, email, SIEM, diagnostic logs, etc. |
Auditor | User is approved to access the complete audit log through a set of reporting tools. This doesn’t include any access to the encrypted data. |
SecureAnyBox User | User is generally allowed to get passwords managed by agents, can be limited by access rights. |
SecureAnyBox Admin | User is approved to administer configuration of agents. |
User Manager | User is approved to manage domains, user accounts, assign roles and default rights. |
Security Officer | User, only together with other Security Officers, can open White Envelopes within his/her domain |
Safe Boxes User | User is allowed to use Safe Boxes (must have valid Access Code) |
Safe Boxes Manager | The user has extended permissions to manage Safe Boxes within their domain |
Security Policy Admin | The user can manage security policies (record tags, password presets and compliance profiles) |
The user role also determines which parts of SecureAnyBox5 the user has access to and what actions they can perform. A basic overview of the actions and parts of SecureAnyBox5 accessible to a user with a specific role is in the table below.
User role | SecureAnyBox | Safe Boxes | Reports | Audit | Administration | Actions / notes |
---|---|---|---|---|---|---|
Administrator | yes | yes | yes | no | yes | Extra access to Agent Configuration and Configuration; only the Administrator has access to them |
Auditor | no | no | no | yes | no | An Auditor who belongs to the System domain can audit all domains |
SecureAnyBox User | yes | no | no | no | no | View registered stations, obtain passwords for stations |
SecureAnyBox Admin | yes | no | no | no | no | All actions with stations, tickets and passwords |
User Manager | no | no | no | no | yes | View and edit domains, all actions with users |
Security Officer | no | yes | yes | no | no | Can open White Envelopes of other users (together with other Security Officers) |
Safe Box User | no | yes | yes | no | no | Can use Safe Boxes |
Safe Box Manager | no | yes | yes | no | yes | Can force the creation of record tags when creating a record through the API |
Security Policy Admin | no | yes | yes | no | yes | Can force the creation of record tags when creating a record through the API |
When a user role is assigned, other roles may be set for the user automatically. This happens when the assigned role includes all features of another role. For example, the Administrator role includes all features of the SecureAnyBox User, SecureAnyBox Admin and User Manager roles, plus some extra features (access to the Configuration, creating a domain). So a user with the Administrator role also holds the SecureAnyBox User, SecureAnyBox Admin, Safe Box Manager and User Manager roles.
To edit a user, click the user's name in the list of users; the user details display. If the user was imported from LDAP, different fields display in the user details.
A user can also be edited from the user's action menu: click the three dots in the Actions column and select Edit.
After finishing the changes, confirm them by clicking the OK button in the user details form. Depending on the changes, you may be asked to enter the Access Code (see also: Have you forgotten the Access Code?).
If you only want to prevent a user from logging in to SecureAnyBox5, disable the user's account. A disabled user cannot access SecureAnyBox5, but all of the user's records remain stored. Unlike deletion, disabling can be reverted at any time.
To disable a user, uncheck the Enabled field in the user details form.
A user can also be disabled from the user's action menu: click the three dots in the Actions column and select Disable.
It is also possible to disable multiple users at once: check all users that should be disabled and click the Disable button.
A user must be enabled to log in to SecureAnyBox5. To enable an individual user, check the Enabled field in the user details form.
A user can also be enabled from the user's action menu: click the three dots in the Actions column and select Enable.
It is also possible to enable multiple users at once: select all users to be enabled and click the Enable button.
If a user enters the Access Code or the login password incorrectly several times in a row, the user is temporarily banned from entering the Access Code or from logging in. Banned users are marked with a red lock icon in the list of users. Icon legend:
- Built-in administrator account, login is banned.
- Manually created user, login is banned.
- User is disabled, login is banned.
- User synchronized from an LDAP connector, login is banned.
- Access Code entry is temporarily banned because it was entered incorrectly several times.
The number of unsuccessful attempts (Access Code or login password) that triggers the ban, and the ban duration, are set in the Configuration.
To unban users, select all users to be unbanned and click the Unban button.
On the Users page, the displayed users can be filtered by checking/unchecking the filter fields. The filtered list can be exported in CSV format by clicking the Export to CSV button. The exported file contains the values displayed in the list of users (name, username, e-mail, domain, LDAP connector and roles).
A user can be deleted from the user's action menu: click the three dots in the Actions column and select Delete.
If the user is the only one with permissions to a Safe Box, that Safe Box is deleted together with the user. If you do not want such Safe Boxes to be deleted, assign permissions to them to a different user first.
After users are created, you can send them an e-mail invitation to SecureAnyBox5. The invitation contains a link for setting the password. Once the password is set, the user can log in and set the Access Code.
To send invitations, select (check) the users you want to invite and click the Invite users button.
To send invitations, a mail server must be configured in the Configuration first.
A user can also be invited from the user's action menu: click the three dots in the Actions column and select Invitation.
After clicking Invitation, the Invitation dialog displays. If the user has an e-mail address set, you can create and send the invitation to the user's e-mail, or create the invitation without sending it.
If the invitation is only created and not sent, the invitation dialog shows an invitation link that can be copied to the clipboard. Treat that link as a credential: whoever has it can set the user's password, so hand it over through a trusted channel.
If users have an e-mail address specified, you can send them a message from SecureAnyBox5. To send a message, select (check) the users and click the Send message button.
To send messages, a mail server must be configured in the Configuration first.
After clicking the Send message button, a window for entering the message text displays. To send the message, click the Ok button.
Users can be moved between domains. To move users, select all users to be moved and click the Move button.
Moved users lose all inherited permissions to Safe Boxes; directly assigned permissions stay valid.
After clicking the button, a list of domains into which the selected users can be moved displays. Select the target domain by clicking its name. The move has to be confirmed.
Only users with the User Manager role have access to this page.
The White Envelope Status page shows whether the Security Officer has keys to the White Envelopes of users within the Security Officer's domain.
Only users with the User Manager role have access to this page.
User tags are intended for easier management of users and their permissions. An unlimited number of tags can be assigned to each domain. User tags can only be added to users in the same domain.
A user tag can be assigned to:
A user tag is used to create a Permission template for users who have the user tag assigned.
Only users with the Administrator role have access to this page.
Connector Viewer allows you to browse the LDAP tree / Azure AD structure of any configured connector.
When viewing the LDAP tree, Connector Viewer uses the "SecureAnyBox manager" account defined in the selected LDAP connector configuration. The LDAP objects and attributes you see therefore correspond to what the selected authentication connector 'sees'. If you do not see what you expect (a specific user object or its attributes), the access rights of the "SecureAnyBox manager" account for that part of the LDAP tree are insufficient: check the rights assigned to the search base or root of the LDAP tree, as well as any inheritance filters.
To use Connector Viewer, at least one LDAP / Azure AD connector must be configured. After opening the page, a list of connectors displays; click a connector name to view the objects in its search base (as configured in the connector).
Displayed objects are folders (containers) and users. Click a folder name to view the users and folders inside it; click a username to view details about the user.
The displayed objects can be filtered by entering their name in the search field above the table. If you need to filter by an LDAP search expression, click the Lookup object(s) button and use the filter field instead.
The Audit log page displays a log of user actions in User management.
All audit log events are listed in the Overview of Audited Events.
Only users with the Security policy admin role have access to this page.
Record tags are intended for easier management of records stored in Safe Boxes. An unlimited number of tags can be assigned to each domain. Record tags can only be added to records within the same domain.
A user with the Security policy admin role can manage record tags for all domains visible to them. To switch the domain whose record tags are managed, click the Select domain button and select a domain from the displayed list.
The currently selected domain determines in which domain a new tag is created. If "All domains" is selected, a new tag is created in the current user's domain.
Existing tags can be converted into other tags to reduce the number of similar tags and simplify searching for relevant records. A tag can only be converted if it has been used at least once. To convert a tag, open the action menu by clicking the three dots button at the end of the row and select the Delete and convert to another tag in the records action.
A record tag can be removed by clicking the three dots button at the end of the row and selecting the Delete tag action.
A Password preset and/or a Compliance profile can be assigned to a record tag; they become the default for all records where the record tag is used.
Only users with the Security policy admin role have access to this page.
The compliance profile specifies the password security requirements that passwords should adhere to. The Compliance report can be used to check whether stored passwords meet them.
To create a new compliance profile, click the New compliance profile button and specify the requirements in the displayed form:
Name of the compliance profile
Description of the compliance profile
Minimum length of a password
Minimum entropy
Maximum age (days)
Number of password changes after which a previously used password may be reused
Complexity rules to apply; the following fields display only if Basic complexity rules are selected:
Minimum number of uppercase letters a password must contain
Minimum number of lowercase letters a password must contain
Minimum number of decimal digits (0-9) a password must contain
Minimum number of special characters a password must contain
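To show how the fields above combine into one pass/fail decision, the following is an added example written for this page, not SecureAnyBox5's own implementation. It models a compliance profile with the fields of the form, evaluates a password (including age and reuse history) and builds the kind of per-record listing the Compliance report gives. Field names, the violation labels and the sample records are this example's own; the entropy estimate is a plain charset-size model standing in for the dictionary-based estimate SecureAnyBox5 uses, so it will overrate dictionary words.

```python
import math
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Sequence, Tuple


@dataclass
class ComplianceProfile:
    """One compliance profile; field names are this example's own, semantics follow the form above."""
    name: str
    description: str = ""
    min_length: int = 0
    min_entropy_bits: float = 0.0
    max_age_days: Optional[int] = None          # None: no age limit
    reuse_after_changes: Optional[int] = None   # None: reuse not checked
    basic_complexity: bool = False              # "Basic complexity rules" selected
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0


def estimate_entropy_bits(password: str) -> float:
    """Brute-force estimate log2(pool ** length), pool being the size of the
    character classes present. Assumption: a stand-in for SecureAnyBox5's
    dictionary-based estimate, so it overrates dictionary words."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(profile: ComplianceProfile, password: str,
                   last_changed: Optional[date] = None,
                   history: Sequence[str] = (),
                   today: Optional[date] = None) -> List[str]:
    """Return the violated requirements (empty list means compliant).
    history lists previous passwords, most recent first."""
    violations: List[str] = []
    if len(password) < profile.min_length:
        violations.append("length")
    if estimate_entropy_bits(password) < profile.min_entropy_bits:
        violations.append("entropy")
    if profile.max_age_days is not None and last_changed is not None:
        age_days = ((today or date.today()) - last_changed).days
        if age_days > profile.max_age_days:
            violations.append("age")
    if profile.reuse_after_changes is not None:
        # a password may return only after reuse_after_changes other passwords
        if password in history[:profile.reuse_after_changes]:
            violations.append("reuse")
    if profile.basic_complexity:
        counts = {
            "uppercase": sum(c.isupper() for c in password),
            "lowercase": sum(c.islower() for c in password),
            "digits": sum(c.isdigit() for c in password),
            "special": sum(not c.isalnum() for c in password),
        }
        minimums = {"uppercase": profile.min_upper, "lowercase": profile.min_lower,
                    "digits": profile.min_digits, "special": profile.min_special}
        violations += [name for name, needed in minimums.items() if counts[name] < needed]
    return violations


def compliance_report(profile: ComplianceProfile,
                      records: Iterable[Tuple[str, str, Optional[date]]],
                      today: Optional[date] = None) -> Dict[str, List[str]]:
    """records: (record path, password, last changed). Returns only the
    non-compliant records with their violations, like the Compliance report."""
    report: Dict[str, List[str]] = {}
    for path, password, last_changed in records:
        found = check_password(profile, password, last_changed, today=today)
        if found:
            report[path] = found
    return report
```

The age check deliberately uses the record's last-change date rather than the report date alone, and the reuse check looks only at the most recent N entries of the history, which is what "number of changes after which reuse is permissible" means in practice.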
Only users with the Security policy admin role have access to this page.
Password presets are used when generating a password for records. A password preset either uses a password pattern or specifies detailed password requirements, such as which character sets to use, which characters to include or exclude, the minimum length and the minimum entropy.
For each preset it is possible to set its priority, i.e. its position in the list. To change the priority of a preset, click the Reorder priorities button and drag the preset into the desired position.
Name of the password preset
Description of the password preset
Select whether a new password will be generated using a password pattern or a set of password requirements.
This field is displayed if the Password pattern is selected in the Generate password using field.
Password pattern for Safe Boxes and Records where this Password preset is set (or inherited). Each character in the pattern corresponds to one character in the generated password.
Characters allowed in the password pattern and their meaning:
v - lowercase vowel (a,e,i,o,u,y)
V - mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z - upper case vowel
c - lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C - mixed case consonant
z - upper case consonant
l - any alphabet character (vowel or consonant), lowercase
A - any alphabet character, mixed case
u - any alphabet character, upper case
d - digit (0-9)
s - special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n - digit or special character
\ - escape character; the next character is used as is (e.g. the pattern '\-' outputs '-' in the resulting password)
* - any allowed character
The default pattern is CVCVdddCVCCVdC, which might generate passwords such as wEHe063heFme4p.
For example, the pattern '\p\a\s\sddddddd' might generate passwords such as 'pass1762885' or 'pass5687412'. Note that escaped literal characters add no entropy: the strength of such a password comes from the seven digits alone (about 23 bits), so a pattern like this only makes sense for systems that force a fixed prefix.
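The pattern language above is small enough to implement completely, which makes the entropy trade-off between patterns visible. The following is an added example written for this page, not SecureAnyBox5's own generator: it compiles a pattern into one alphabet per output position, generates a password with the `secrets` module, checks an existing password against a pattern, and computes how many bits a pattern can deliver. The character classes are taken from the legend above; `*` is assumed to mean the union of all listed classes, and the function names are this example's own.

```python
import math
import secrets
import string

# Character classes as listed in the pattern legend above.
VOWELS_LOWER = "aeiouy"
VOWELS_UPPER = VOWELS_LOWER.upper()
CONSONANTS_LOWER = "bcdfghjklmnpqrstvwxz"
CONSONANTS_UPPER = CONSONANTS_LOWER.upper()
DIGITS = string.digits
SPECIALS = ".@&*()<>_][%$#\\/?;-:"
LETTERS_LOWER = VOWELS_LOWER + CONSONANTS_LOWER
LETTERS_UPPER = VOWELS_UPPER + CONSONANTS_UPPER

PATTERN_CLASSES = {
    "v": VOWELS_LOWER,
    "V": VOWELS_LOWER + VOWELS_UPPER,
    "Z": VOWELS_UPPER,
    "c": CONSONANTS_LOWER,
    "C": CONSONANTS_LOWER + CONSONANTS_UPPER,
    "z": CONSONANTS_UPPER,
    "l": LETTERS_LOWER,
    "A": LETTERS_LOWER + LETTERS_UPPER,
    "u": LETTERS_UPPER,
    "d": DIGITS,
    "s": SPECIALS,
    "n": DIGITS + SPECIALS,
    "*": LETTERS_LOWER + LETTERS_UPPER + DIGITS + SPECIALS,  # assumption: union of all classes
}

DEFAULT_PATTERN = "CVCVdddCVCCVdC"  # the default pattern quoted above


def compile_pattern(pattern: str):
    """Turn a pattern into a list of alphabets, one per output position.
    A backslash escapes the next character, which becomes a one-character alphabet."""
    slots = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape character")
            slots.append(pattern[i + 1])
            i += 2
            continue
        if ch not in PATTERN_CLASSES:
            raise ValueError(f"unknown pattern character {ch!r} at position {i}")
        slots.append(PATTERN_CLASSES[ch])
        i += 1
    return slots


def is_valid_pattern(pattern: str) -> bool:
    try:
        compile_pattern(pattern)
        return True
    except ValueError:
        return False


def generate_from_pattern(pattern: str, rng=secrets) -> str:
    """Generate one password; rng.choice must be a CSPRNG (secrets by default)."""
    return "".join(rng.choice(alphabet) for alphabet in compile_pattern(pattern))


def matches_pattern(password: str, pattern: str) -> bool:
    """True if password could have been produced by pattern (same length, each char in its class)."""
    slots = compile_pattern(pattern)
    return len(password) == len(slots) and all(c in a for c, a in zip(password, slots))


def pattern_entropy_bits(pattern: str) -> float:
    """Upper bound on the entropy a pattern can deliver: sum of log2(alphabet size) per position."""
    return sum(math.log2(len(alphabet)) for alphabet in compile_pattern(pattern))
```

Running `pattern_entropy_bits` on the two patterns from the text gives roughly 59.6 bits for the default pattern and 23.3 bits for '\p\a\s\sddddddd', which is the figure to compare against a compliance profile's minimum entropy before choosing a preset.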
This fieldset is displayed if the Password requirements are selected in the Generate password using field.
Minimum number of lowercase letters.
Minimum number of uppercase letters.
Minimum number of digits.
Minimum number of special characters.
Characters that must be included in the generated password.
Characters that must be omitted in the generated password.
This fieldset is displayed if Password requirements is selected in the Generate password using field.
Minimum length of the generated password.
Minimum entropy of the generated password.
SecureAnyBox5 uses a list of dictionaries to estimate password entropy. The list includes both built-in dictionaries and custom dictionaries added by the administrator. These dictionaries are used whenever entropy is calculated: when a new password is entered, and when the Password Audit report and the Compliance report are generated.
Custom dictionaries are stored in two folders on the SecureAnyBox5 server: 'files/dictionaries/ranked' and 'files/dictionaries/unranked'.
After database diagnostics is started, all records of type 'file' and 'certificate' are checked for missing or surplus uploaded files.
For each inconsistent record, the full path (including the domain) and another user with permission to the record are displayed.
Database diagnostics can be started at any time and should complete within a few minutes.
Only users with the Administrator role have access to these pages.
In the Logs part of the application you can view the Diagnostic log or the Connector synchronization log. Log levels of the displayed messages are visually distinguished: INFO, WARNING, DEBUG, ERROR.
On the Diagnostic log page the current log is displayed automatically. It can be refreshed manually by clicking the Refresh button, or automatically by clicking the Enable autorefresh button; clicking Disable autorefresh turns automatic refresh off.
To change the log level or the log browser line limit, click Configure logging. After the changes are confirmed, SecureAnyBox5 must be restarted for them to take effect.
To download the current log, click the Download button and confirm the download.
If you need a log older than the current one, click the Logs button to display the list of available logs. The first table lists the application logs for each day; to download one, click the log file name and confirm the download.
The Connector sync log page displays a table with the names of the configured connectors. Click a connector name to view details of the last synchronization with that connector.
The synchronization log can be refreshed manually by clicking the Refresh button, or automatically by clicking the Enable autorefresh button; clicking Disable autorefresh turns automatic refresh off.
Synchronization of users can be started manually by clicking the Synchronize button.
Settings of the synchronization can be changed at any time by clicking the Configure <Connector name> button.
To download the log of the last synchronization, click the Download button and confirm the download.
To show only the users skipped during the synchronization with LDAP, click the Show only skipped users button.
The Server status page displays problems with the SecureAnyBox5 server. If any error or warning occurs, users are warned by a counter of errors and/or warnings in the top right corner of the page, for example:
- 1 error and 2 warnings occurred on the SecureAnyBox5 server
- 1 warning occurred on the SecureAnyBox5 server
- 1 error occurred on the SecureAnyBox5 server
After clicking the counter, the Server status page loads. It has three sections: Server Messages, Station registrations and White Envelopes. Which sections display depends on the user's role:
Section | Administrator | User manager | SecureAnyBox Admin | Security Officer | Other roles
---|---|---|---|---|---
Server Messages | yes | no | no | no | no
Station Registrations | yes | no | yes | no | no
White Envelopes | yes | no | no | yes | yes
The Server messages section displays only to users with the Administrator role; its messages are handled on the Configuration page.
The Station registrations section displays only to users with the SecureAnyBox Admin role; its messages are handled in the SecureAnyBox5 part of the application.
The White Envelopes section displays to users with the User manager role and to Security Officers.
On the License page, users can see information about the currently used licenses. Users can check a number of remaining licenses for Safe Boxes, Safe Box Groups, records, users, domains, applications, etc.
Manually created users can additionally be synchronized with the LDAP server without losing saved data. A user can be associated with an existing LDAP account, or a new LDAP account can be created.
To synchronize a user with LDAP, the user must meet these conditions:
We also recommend setting the username in SecureAnyBox5 to the same value as the username (UID) in LDAP.
During the synchronization the user's information is updated according to LDAP, and the fields LDAP connector and LDAP DN are filled in. If they are not, the synchronization was unsuccessful; refer to the synchronization log.
To view the synchronization log, go to Logs > Connector sync log in the Administration interface and click the connector name in the table. On the Connector sync log page you can view the log of the last synchronization with the connector, start a synchronization, and open the connector configuration.
All issues that occurred during the synchronization are logged at the WARNING level and colored yellow.
When a GUID is entered into the details of a manually created user, an error message appears that the GUID is not unique.
A user account with that GUID may already have been imported from LDAP. You can search users by GUID on the Users management page; a user with the same GUID may even be in another domain. To search users in all domains, click the Find users button.
If the user was already imported from LDAP, delete the imported account (mind the rule above: a Safe Box whose only permitted user is deleted is deleted too). Then enter the GUID into the details of the user who should be synchronized with LDAP and run the synchronization.
To determine the cause of a failure, go to the synchronization log page and enter the username of the synchronized user into the search field.
Possible situations:
Example:
existing user with uid='peter' (but different UUID) found in database -> skipping cn=peter,o=org
A user with the username "peter" was created manually and should be synchronized with LDAP, but the account in LDAP has a different GUID (UUID) than the user in SecureAnyBox5. To synchronize "peter" successfully, set the user's GUID to the UUID from LDAP.
Example:
existing user 'mbriggs' cannot be renamed to 'monica' username not unique -> skipping cn=monica,o=org
The user "mbriggs" was created manually and should be synchronized with LDAP. In LDAP, the user with the same GUID (UUID) has a different UID, "monica". During the synchronization SecureAnyBox5 tries to rename "mbriggs" to "monica" so that the username matches the UID in LDAP. To synchronize "mbriggs" successfully, edit or delete the existing user "monica".
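The two log lines above follow from a small set of matching rules (match by GUID first, then keep the username equal to the LDAP uid, and refuse anything that would make a GUID or username non-unique). The following is an added example written for this page, not SecureAnyBox5's own synchronization code, that applies those rules to constructed user and LDAP data and reproduces both skip messages verbatim. The data classes, the "imported"/"synchronized" wording for the success cases and the connector name are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LocalUser:
    """A SecureAnyBox5 user as the page describes it (field names are this example's own)."""
    username: str
    guid: Optional[str] = None          # empty for a manually created user until filled in
    ldap_connector: Optional[str] = None
    ldap_dn: Optional[str] = None


@dataclass
class LdapEntry:
    dn: str
    uid: str
    uuid: str


def synchronize(local: List[LocalUser], entries: List[LdapEntry], connector: str) -> List[str]:
    """Apply one synchronization run of `entries` from `connector` onto `local`
    (mutated in place) and return the log lines, one per LDAP entry."""
    by_guid: Dict[str, LocalUser] = {}
    for u in local:
        if u.guid:
            if u.guid in by_guid:
                raise ValueError(f"GUID not unique: {u.guid}")  # the error the user details form shows
            by_guid[u.guid] = u
    by_name: Dict[str, LocalUser] = {u.username: u for u in local}
    log: List[str] = []
    for e in entries:
        match = by_guid.get(e.uuid)
        if match is None:
            # nobody carries this UUID: a user with the same uid but another (or no) GUID blocks the import
            if e.uid in by_name:
                log.append(f"existing user with uid='{e.uid}' (but different UUID) "
                           f"found in database -> skipping {e.dn}")
                continue
            new = LocalUser(e.uid, e.uuid, connector, e.dn)
            local.append(new)
            by_guid[e.uuid] = new
            by_name[e.uid] = new
            log.append(f"imported {e.dn} as '{e.uid}'")  # wording is this example's own
            continue
        if match.username != e.uid:
            # the username follows the LDAP uid; refuse if that name is held by someone else
            holder = by_name.get(e.uid)
            if holder is not None and holder is not match:
                log.append(f"existing user '{match.username}' cannot be renamed to '{e.uid}' "
                           f"username not unique -> skipping {e.dn}")
                continue
            del by_name[match.username]
            match.username = e.uid
            by_name[e.uid] = match
        match.ldap_connector = connector
        match.ldap_dn = e.dn
        log.append(f"synchronized {e.dn} -> '{match.username}'")  # wording is this example's own
    return log
```

Note that a manually created user without any GUID is treated exactly like one with a wrong GUID: the entry is skipped until the GUID in the user details equals the UUID in LDAP.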
Linux Standard Base (LSB) must be installed, otherwise SecureAnyBox5 cannot register for automatic start. LSB packages are available from the distribution repositories.
The installation procedure depends on your distribution, for example sudo yum install redhat-lsb-core for RedHat/CentOS (rpm based) or sudo apt-get install lsb-core for Ubuntu/Debian (deb based).
For SUSE Linux Enterprise Server 15 SP4 and OES 2023 you can use:
wget https://download.opensuse.org/repositories/openSUSE:/Factory/standard/noarch/lsb-release-3.3-1.3.noarch.rpm
and, after the package is downloaded, install it by running:
rpm -ihv lsb-release-3.3-1.3.noarch.rpm --nodeps
On some distributions (e.g. openSUSE) it is also necessary to install the insserv-compat package to enable init scripts and start SecureAnyBox5 automatically:
sudo zypper install insserv-compat
If you decide not to install LSB or it is not available for your system, you can still register the start script manually; we always create it in /etc/init.d/.
We do not support JVMs other than Oracle Java or Eclipse Temurin. You can install the Oracle/Temurin JVM manually, locate and use an existing installation, or choose the private Temurin JVM installation. A tested and approved OpenJDK distribution from Adoptium (Eclipse Temurin) is always part of the installation package; optionally you can select a custom preinstalled Java runtime.
The default installation path is /opt/tdp/secureanybox, but you can choose any path/device you need.
The installation script then asks for the IP address and port. This can be changed later, but choose an address:port combination that does not conflict with other services running on the box; we recommend starting with the default port. Once you enter the management console, you can change it or add more interfaces on different address:port combinations. If a conflict is detected, the system reverts to the last "good" configuration so that you can continue.
It is highly recommended to switch to SSL (HTTPS) as soon as possible. You can use the built-in function for generating a self-signed certificate, or import your existing certificate with its private key (usually in PKCS12 format). A self-signed certificate must be explicitly trusted on every Agent station, as described in the Agent troubleshooting sections. Keep in mind that interfaces are virtualized: both the IP address and the URL must be set, otherwise the system cannot accept the request.
Please note: when using a custom JVM installation (such as Oracle), cryptographic policies may be restricted by default. You can download and apply the unlimited-strength policy files if that is legal in your country (refer to www.oracle.com for details). Without the unlimited policies you cannot use a password longer than 7 characters. Oracle JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default, so this mainly concerns older runtimes.
When upgrading SecureAnyBox5, the same installation script is used. Confirm the same installation path as before and choose the default option NOT to overwrite the configuration file.
The upgrade is performed by the installation script that is part of the new release package. Download the .bin package from the Downloads section at www.secureanybox5.com and start the installation with ./inst_secureanybox…
If your installation is the standard one with the embedded Java (recommended), answer No.
The script then detects the path used by the previous installation and offers it as the default. Confirm this path: this is an upgrade and the goal is to upgrade the existing, running instance.
The configuration.properties file must be preserved to upgrade the running system. Confirm the default answer N (do not overwrite).
Now you are ready to start the newly installed release: it stops SecureAnyBox5 and starts it again. Once the new release is running, it converts the database (if a schema change is part of the upgrade) seamlessly.
Do not forget to authenticate to the system console and enter the configuration password, if one is set; otherwise Agent support will not work.
If the HTTPS keystore certificate is imported as trusted on your Linux station, you can verify it in the terminal with the command:
python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'
If certificate validation succeeds, the first row of the response is the status code 200.
When certificate validation fails, an error is displayed:
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
If urllib2 is not found, check which interpreter is installed:
python --version
urllib2 is a built-in module of Python 2.x. To run it, Python 2.x (2.7.18 recommended) must be installed properly; some Linux distributions do not ship a full Python 2.7.x. Note that Python 2 reached end of life in January 2020, so keep it only where the Agent needs it. To reinstall it from source:
wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz
sudo tar xzf Python-2.7.18.tgz
cd Python-2.7.18/
sudo ./configure
sudo make altinstall
To install the SecureAnyBox5 Agent, first download the Agent Configuration file from the Downloads page in the SecureAnyBox section of the web interface by clicking the configuration name. If the required configuration is not listed for your platform, verify that the Agent Configuration also includes settings for that platform.
Requirements for installing and running the SecureAnyBox5 Agent on Linux:
Linux Standard Base (LSB) must be installed. LSB packages are available from the distribution repositories.
The installation procedure depends on your distribution, for example sudo yum install redhat-lsb-core for RedHat/CentOS (rpm based) or sudo apt-get install lsb-core for Ubuntu/Debian (deb based).
For SUSE Linux Enterprise Server 15 SP4 and OES 2023 you can use:
wget https://rpmfind.net/linux/opensuse/distribution/leap/15.2/repo/oss/x86_64/lsb-4.0-lp152.4.4.x86_64.rpm
and, after the package is downloaded, install it by running:
rpm -ihv lsb-4.0-lp152.4.4.x86_64.rpm --nodeps
On some distributions (e.g. openSUSE) it is also necessary to install the insserv-compat package to enable init scripts and start the SecureAnyBox5 Agent automatically:
sudo zypper install insserv-compat
In case of problems with the SecureAnyBox5 Agent, refer to its log. On Linux and macOS the Agent logs automatically to /var/log/secureanybox-agent.log. On Linux you can additionally enable detailed debug logging in /etc/secureanybox/settings by renaming (or copying) the settings.example file to settings and uncommenting the "export SECUREANYBOX_AGENT_DEBUG = true" line.
On macOS the log file can be viewed in the Console. On Windows the log can be viewed with the SecureAnyBox5 Monitor utility (download in SecureAnyBox/Downloads) or in the Windows Event Viewer.
If the station was previously registered but cannot be registered after changes to the station (for example a change of its station name), first check that the station has the correct Agent Configuration uploaded. If the Agent Configuration on the station is correct, go to the Station page in the SecureAnyBox part and remove the original registration of the station. The station should re-register automatically within 10 minutes; alternatively, re-register the station manually.
If the station is not registered even though it has access to the server, the most likely cause is an incorrect Agent configuration (e.g. the configuration was changed on the server but not on the station) or a problem with HTTPS certificate verification. The HTTPS certificate must be imported as trusted on the Agent station. On Linux the Agent uses Python for certificate verification, so the certificate must be in a certificate store that Python trusts. This can be checked in the terminal with the command:
python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'
If certificate validation succeeds, the first row of the response is the status code 200.
When certificate validation fails, an error is displayed:
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
If urllib2 is not found, check which interpreter is installed:
python --version
or
python -V
urllib2 is a built-in module of Python 2.x. To run it, Python 2.x (2.7.18 recommended) must be installed properly; some Linux distributions do not ship a full Python 2.7.x. Note that Python 2 reached end of life in January 2020, so keep it only where the Agent needs it. To reinstall it from source:
wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz
sudo tar xzf Python-2.7.18.tgz
cd Python-2.7.18/
sudo ./configure
sudo make altinstall
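The Python 2 one-liner used both for the Linux station check in the server section above and for the Agent registration troubleshooting here no longer runs where `python` is Python 3. The following is an added example written for this page, not part of SecureAnyBox5, that performs the same check with the Python 3 standard library and classifies the failure, so that an untrusted certificate (the CERTIFICATE_VERIFY_FAILED case the troubleshooting is about) is told apart from DNS or connection problems. The server URL is a placeholder; `cafile` lets you point at the exported server certificate instead of the system trust store. The sample exceptions are constructed for offline testing and only shaped like those `urlopen()` raises.

```python
import socket
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple


def classify_tls_error(exc: BaseException) -> str:
    """Map an exception raised by urllib.request.urlopen() to a diagnostic label."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http-error"             # TLS succeeded; the server answered with an error status
    # URLError wraps the underlying socket/ssl exception in .reason
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "untrusted-certificate"  # the CERTIFICATE_VERIFY_FAILED case
    if isinstance(reason, ssl.SSLError):
        return "tls-handshake-error"    # e.g. protocol or cipher mismatch
    if isinstance(reason, socket.gaierror):
        return "dns-error"
    if isinstance(reason, (ConnectionRefusedError, TimeoutError, OSError)):
        return "connection-error"
    return "unknown"


def check_server(url: str, cafile: Optional[str] = None, timeout: float = 10.0) -> Tuple[bool, str]:
    """Return (verified, detail). verified is True when the certificate chain
    validated against the system trust store (or cafile) and the server answered."""
    context = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:
        return True, f"HTTP {e.code} (certificate verified)"
    except Exception as e:  # URLError, ssl.SSLError, OSError
        return False, classify_tls_error(e)


def sample_failures():
    """Constructed exceptions, shaped like the ones urlopen() raises, for offline testing."""
    return {
        "cert": urllib.error.URLError(ssl.SSLCertVerificationError(
            "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed")),
        "dns": urllib.error.URLError(socket.gaierror(-2, "Name or service not known")),
        "refused": urllib.error.URLError(ConnectionRefusedError(111, "Connection refused")),
        "status": urllib.error.HTTPError("https://example.invalid/", 403, "Forbidden", {}, None),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://your.secureanyboxserveraddress.com"
    verified, detail = check_server(target)
    print("verified" if verified else "FAILED", detail)
```

Run it as `python3 check.py https://your.secureanyboxserveraddress.com`; an "untrusted-certificate" result means the server certificate (or its issuing CA) is not in the store this interpreter uses, which is the same condition the Python 2 command reports as CERTIFICATE_VERIFY_FAILED.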
To install SecureAnyBox5 Agent on macOS platform, please run installer (secureanybox-agent-1.x.pkg).
After running the installer, proceed to the next installation steps. In the second step, you must select the target location (disk) where the SecureAnyBox5 Agent will be installed.
At the third step of the installation, it is possible to change an install location by clicking the appropriate button ( ). To proceed with the installation, please click the Install button ( )
After clicking Install , you must enter your password to allow the application to install.
After the installation is complete, you will see information about the successful installation of the SecureAnyBox5 Agent.
After closing the installer window, go to the list of applications where you can find the sab-config application.
Launch the app by double-clicking on its icon. Once the application is running, please select the downloaded agent configuration file by clicking on the Select Configuration File button. After the configuration file is selected, you need to apply the configuration by clicking the Apply Configuration button.
In order for the configuration to be applied, a user password must be entered.
After the configuration is uploaded, information about the successful application of the configuration is displayed and the SecureAnyBox5 Agent is completely installed.
After the installation is complete, the SecureAnyBox5 Agent verifies that the uploaded agent configuration matches the configuration on the SecureAnyBox5 server. If so, it will automatically register the station.
If the SecureAnyBox5 Agent does not have access to the server, it is possible to register the station manually in the SecureAnyBox5 interface. In order for the agent to register the station, the SSL certificate of the SecureAnyBox5 server must be trusted by macOS. If the certificate is not issued by a CA that macOS already considers trusted, an error will occur when attempting to register:
2023-06-20 09:54:51 [ERROR] station registration failed – HTTP status = -1
2023-06-20 10:54:51 [ERROR] Error Code: -1202, Description: The certificate for
this server is invalid. You might be connecting to a server that is pretending
to be “172.22.78.78” which could put your confidential information at risk.
(see the log that can be viewed in the Console application – secureanybox.log, or directly in the log file in /var/log/secureanybox.log)
In this case, you need to export the appropriate certificate from the SecureAnyBox5 server interface, either from Administration interface > Configuration > General/Web interface or, if you have a separate registration interface for agents configured, from SecureAnyBox > Agent configuration > General.
Import the downloaded certificate into the System (!) keychain in macOS (by double-clicking it or dragging it into Keychain Access) and set it as trusted. Then restart the agent from the terminal using the command:
launchctl stop com.tdp.secureanybox-agent
In order for an agent to set a password for a configured account or group of accounts, those accounts must not have a Secure Token set on macOS. Secure Token is automatically set to the account created with Apple’s Setup Assistant, and then any other accounts created under that account via the Users and Groups preference pane in System Preferences. If the account whose password is to be managed by the SecureAnyBox5 agent has a Secure Token set, an error occurs when the agent attempts to set the password:
2023-06-20 08:54:46 [ERROR] err4001 0x7fe9cc70a210
2023-06-20 08:54:46 [ERROR] Failed to change password for ‘sab5’ (Uknown)!
You can verify whether an account has a Secure Token set by using the following command in Terminal (substitute the account's short name for <username>):
sysadminctl -secureTokenStatus <username>
It can be deactivated using the command (giving - instead of the password makes sysadminctl prompt for it; note that an account without a Secure Token can no longer unlock a FileVault-encrypted disk):
sudo sysadminctl -secureTokenOff <username> -password -
and then restart the agent with the command:
launchctl stop com.tdp.secureanybox-agent
After successful installation, SecureAnyBox5 starts and the initialization page displays. To log into the web interface, the admin password must be set first.
The Security Code field is pre-filled with the unique code of your installation.
If the installation code is not pre-filled, it can be found in the inst.id file in the directory where the SecureAnyBox5 server was installed.
While entering the password, you can see how long your password is, how many lowercase letters, uppercase letters, digits or other symbols it contains and how secure it is.
The password has to be confirmed by clicking on the OK button. After confirming the password, the login page displays.
Automatic login by SecureAnyBox5 can be set for the station's default user only. Other users have to log in manually. This setting is convenient for stations used by more than one user but primarily by a user with the lowest permissions: that user can be set as the default user and will be logged on automatically.
To set up automatic login with the SecureAnyBox5 Agent on stations, please follow these steps:
Create an Agent Configuration containing the settings for all platforms of the stations on which you want to install the SecureAnyBox5 Agent.
At the Downloads page (in the SecureAnyBox section of the web interface), select the appropriate Agent Configuration and download the SecureAnyBox5 Agent and its configuration.
Install the SecureAnyBox5 Agent on a station.
Installation steps of SecureAnyBox5 Agent:
If the Agent Configuration is set to change the password of a group, a local user group must exist that contains all users who will be able to obtain the password from SecureAnyBox5. The default user has to be one of its members.
To create a local group of users in MS Windows, please follow these steps:
On the desktop, right-click My Computer, and then click Manage.
In the Computer Management window, under System Tools, expand Local Users and Groups.
Right-click Groups, and then click New Group.
In the New Group dialog box, do the following:
Use this | To do this |
---|---|
Group name | Type the name of the group that you want to create. |
Description | Optionally, type a description for this group account. |
Add | Click Add to select members to add to the group. Add all the user accounts that you want to the group. |
Click Create.
Repeat steps 4 and 5 for the other required groups.
Click Close.
Click the Groups folder and verify that the group you wanted to create is in the list.
Set the default user on your station.
If you want the SecureAnyBox5 Agent to update the default user's password, a default user must be set. The default user can log in to Windows automatically without entering a password.
To set the default user for your station, enter “netplwiz” into the Windows search field and click on the program in the search results.
The User Accounts form displays. In the list of Users for this computer, click on the user who will be set as default, uncheck Users must enter a user name and password to use this computer and confirm the modification by clicking on the OK button.
After the station restarts, the first automatic login should succeed: the SecureAnyBox5 Agent sets the user's password and updates it in the registry keys where the automatic login credentials are stored. The password of the default user can be obtained in SecureAnyBox at the Get Password page, as for any other user.
If the same default user is set on more than one station, it is convenient to have the default user's password changed in the Active Directory domain. When everything is set correctly, after the password of the LDAP user changes, the SecureAnyBox5 LDAP Agent checks all registered stations and, wherever the user whose password changed is set as the default user, changes the password stored for that station.
To update the password of the default user in the Active Directory domain, please follow these steps:
Set the Agent Configuration for stations. In the Agent Configuration for the LDAP platform, set the field Change password of to the value default users in domain.
If you have not set the App URL in the general configuration of SecureAnyBox, it is necessary to set it in the Agent Configuration. The App URL has to be accessible from the internet (outside the local network). Without the App URL, the SecureAnyBox5 Agent can have problems connecting to the SecureAnyBox5 server.
Configure the LDAP Agent. In the LDAP Agent, select Active Directory as the Directory service and prepare the Active Directory server.
In the LDAP Agent, select the Agent Configuration that you created in the first step.
Into the Default user domain field, enter the Active Directory domain name to which the default user belongs and, if necessary, modify the User id attribute. Configure the other required values in the LDAP Agent form and create the LDAP Agent by clicking on the OK button. To apply the LDAP Agent, SecureAnyBox5 must be restarted.
At the Downloads page, select the Agent Configuration created in the first step and download the SecureAnyBox5 Agent and its configuration.
Please set default user on your station.
If you want the SecureAnyBox5 Agent to update the default user's password, a default user must be set. The default user can log in to Windows automatically without entering a password.
To set the default user for your station, enter “netplwiz” into the Windows search field and click on the program in the search results.
The User Accounts form displays. In the list of Users for this computer, click on the user who will be set as default, uncheck Users must enter a user name and password to use this computer and confirm the modification by clicking on the OK button.
Install SecureAnyBox5 Agent on a station.
After successful installation of the SecureAnyBox5 Agent, the station should automatically register in SecureAnyBox5. Check at the Stations page that the registration of the station was successful.
While registering, the SecureAnyBox5 Agent (for Windows) sends the default user information (including the domain if it is a domain user), provided that the default user is enabled. If the default user is a domain user, the SecureAnyBox5 Agent does not set the password, because it does not have permission to change the password of a domain user. In that case, the password of the domain user is set by the LDAP Agent.
The LDAP Agent scans all registered stations and retrieves from them default users whose domain is the same as default user domain specified in the LDAP Agent Configuration. LDAP Agent generates and sets new passwords for these default users. This process takes place when you start the SecureAnyBox5 server, then every hour and after a click on the Execute button.
Depending on your configuration, users can authenticate via KeyShield SSO. For the automatic authentication, it is necessary to install the KeyShield SSO client on the station.
Instructions for unattended installation are at KeyShield_server/static/kshield_msi.page. For manual installation/configuration please follow screenshots:
The OES client for Windows integration works in a similar way to the former ClientTrust for BorderManager: the KeyShield server creates a token and stores it as the value of an attribute of the user's object. The KeyShield client reads the value through the OES client for Windows API, uses it as a challenge, generates a response and sends it to the KeyShield server. The KeyShield server then validates it and, if it is correct, accepts the client authentication request and sends a confirmation back to the client. The client changes the colour of the icon in the taskbar to green to inform the user that authentication has finished. Here is the related setting in the eDirectory connector of the KeyShield server (keep in mind that you can use as many eDirectory trees, AD forests, etc. as you need at the same time).
This is a so-called custom setup, but it is not necessary. The best practice is to let the KeyShield server configure the eDirectory connector automatically by choosing.
First, enter the Connector ID and provide the LDAP server IP and port.
Then click "Create KeyShield SSO objects".
KeyShield SSO will create its own mgr account (a proxy account used to access eDirectory), extend the schema by an auxiliary class (which can be removed) for tokens and assign the minimum access rights the mgr account needs.
Once you are done with this setting, automatic authentication with the OES client for Windows should work. If not, consult the Diagnostic log.
Importing the certificate is necessary for automatic registration of the station into SecureAnyBox5 via HTTPS protocol.
To import the certificate, please follow these steps:
Click Start, enter “mmc” into the Windows search field and click on the program in the search results.
In the Console window, click File -> Add/Remove Snap-in.
Select Certificates in the left panel and click Add to move the selection into the right panel. Then click the OK button.
In the Certificates snap-in window, select the Computer account option and click the Next button. In the next window, click the Finish button.
In the Add or Remove Snap-ins window, click the OK button.
In the Console window, expand Certificates and right-click Trusted Root Certification Authorities -> All Tasks -> Import.
In the Certificate Import Wizard window, click Next, and at the next screen select the certificate to import. When the certificate is selected, click Next.
Enter the certificate password and click Next; at the following windows click Next and then Finish.
After the import is completed, the station should register in SecureAnyBox5 automatically (it may take up to 10 minutes). For immediate registration, you can restart the SecureAnyBox5 Agent service.
To install the certificate on a Mac platform, please download the certificate on your station and follow these steps:
To open Keychain Access, start by clicking on Go in the Finder menu and then select Utilities.
When the Utilities window opens, look for and click on the icon named Keychain Access.
Note: Alternatively, you can open Keychain Access by typing “Keychain Access” into the Spotlight search field at the top.
In the Keychains window select System.
Within the Keychain Access menu select File > click Import Items.
Browse to the .p12 or .pfx file that you want to import and open it.
Enter your admin password to authorize the changes and click Modify Keychain.
Enter the password that you entered when you created your .p12 or .pfx file.
Your SSL certificate should now be installed, and the station should be automatically registered.
Download the KeyShield SSO certificate from the Certificate section of the KeyShield SSO server.
On the server where SecureAnyBox5 is installed, run a command in the following format:
<SecureAnyBox5 Java folder>/bin/keytool -importcert -file <certificate file> -keystore <SecureAnyBox5 Java folder>/jre/lib/security/cacerts
where:
<SecureAnyBox5 Java folder> is the location of the Java installation on which the SecureAnyBox5 server runs (e.g. /opt/tdp/secureanybox/jdk8/)
<certificate file> is the location of the certificate file (if the command is run from the folder where the certificate file is stored, just enter the name of the file).
keytool asks for the keystore password (the default password of the cacerts keystore is changeit) and for confirmation that the certificate should be trusted.
After the certificate is imported, it is possible to connect to the KeyShield SSO server and save the SecureAnyBox5 configuration successfully.
At first, install Chrome policy templates.
Run GPEDIT (gpedit.msc)
In the GPEDIT go to
Computer Configuration > Administrative templates > Google Chrome > Extensions > Configure the list of force-installed apps and extensions
(Extensions in the list are installed silently, without user interaction, and cannot be uninstalled nor disabled by the user)
Add SecureAnyBox5 Extension to the list in the following format:
jmjiclmedngjhklhcafhkmbhmdiecgif;https://clients2.google.com/service/update2/crx
where the text jmjiclmedngjhklhcafhkmbhmdiecgif is the extension ID. You can verify the extension ID, for example, against the address of the extension in the Chrome Web Store.
Instead of using GPEDIT, you can write the settings directly into the Windows registry.
Into the key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist enter the value:
"1"="jmjiclmedngjhklhcafhkmbhmdiecgif;https://clients2.google.com/service/update2/crx"
At first, install Firefox policy templates.
Run GPEDIT (gpedit.msc)
In the GPEDIT go to
Computer Configuration > Administrative templates > Mozilla > Firefox > Extensions > Extensions to install
(Extensions in the list are installed automatically)
Add path to SecureAnyBox5 Extension file in one of following formats:
In the GPEDIT go to
Computer Configuration > Administrative templates > Mozilla > Firefox > Extensions > Prevent extensions from being disabled or removed
(Extensions in the list cannot be uninstalled nor disabled by the user)
Add SecureAnyBox5 Extension ID: sab_login@secureanybox.com
Instead of using GPEDIT, you can write the settings directly into the Windows registry.
Into the key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install enter the value:
"1"="http://<yourssecureanyboxserver.com>/swb/down/secureanybox-1.1.14-fx.xpi"
(serving the .xpi file over HTTPS protects the download from tampering in transit)
And into the key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked enter the value:
"1"="sab_login@secureanybox.com"
Restoring data from a backup will overwrite/add:
The uploaded database includes all synchronized LDAP/Azure AD user accounts. If the user has previously logged into SecureAnyBox5, he or she can access SecureAnyBox5 without connecting to the LDAP/Azure AD server.
To restore SecureAnyBox5 data from backup, follow these steps:
Stop SecureAnyBox5 server
If you want to restore data from a backup into a new installation of SecureAnyBox5, do not start the server after the installation, do not configure anything, and stop the server if necessary.
If you need to change the IP address in the configuration (for example because you are moving to another server), use the changeaddress utility located in the SecureAnyBox5 server folder.
After starting the utility, confirm the introductory note by pressing the Enter key.
Set the new IP address and the ports for HTTP and HTTPS and save the changes (use the Tab key to move around the utility).
After saving, you will be informed that the changes have been saved.
Select the backup zip file from which the data is to be restored.
Extract the files from the backup zip file into the SecureAnyBox5 server folder.
The files can also be extracted using the command line (e.g. on a Linux server):
$ unzip <SecureAnyBox backup file> -d <SecureAnyBox folder>
The user account that runs the command must have sufficient permissions to write into that folder.
Start SecureAnyBox5 server
When restoring data to a new SecureAnyBox5 server installation, you must also upload the license file.
If you have a problem with encryption on Windows 11 while working with external files, please check that:
You have the latest version of Windows 11.
- In particular, the initial version of Windows 11 is most likely to be affected.
You are not using Windows Home edition.
- Encrypting File System (EFS) is not available in Windows Home edition. To be able to encrypt files, you have to upgrade Windows to the Education, Enterprise or Pro edition.
The system drive is an NTFS drive, not FAT32.
- If you find that your system disk is formatted as FAT32, change the format to NTFS to be able to use the EFS function.
Open the Registry Editor (press Windows + R to open the Run dialog box, type regedit and click OK).
Once the Registry Editor window opens, navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Find the NtfsDisableEncryption value and double-click on it to edit it. A value of 1 disables EFS; for encryption to be available, the value must be 0 (the fsutil command in the next step sets the same setting). Once edited, press Enter or click the OK button.
Start the Command Prompt as Administrator (press Windows, type cmd into the search bar and click the Run as administrator option).
When the Command Prompt window appears, enter fsutil behavior query disableEncryption to get the status of encryption.
To turn encryption on, enter fsutil behavior set disableencryption 0.
To apply the new setting, it is necessary to reboot the station.
SecureAnyBox5 stores subnets in the CIDR notation format.
The CIDR number is the number of 1 bits in the subnet mask when it is written in binary. You can refer to the following table to find the CIDR equivalent of your subnet mask.
CIDR notation format | Dotted decimal format | Binary format |
---|---|---|
32 | 255.255.255.255 | 1111 1111 1111 1111 1111 1111 1111 1111 |
31 | 255.255.255.254 | 1111 1111 1111 1111 1111 1111 1111 1110 |
30 | 255.255.255.252 | 1111 1111 1111 1111 1111 1111 1111 1100 |
29 | 255.255.255.248 | 1111 1111 1111 1111 1111 1111 1111 1000 |
28 | 255.255.255.240 | 1111 1111 1111 1111 1111 1111 1111 0000 |
27 | 255.255.255.224 | 1111 1111 1111 1111 1111 1111 1110 0000 |
26 | 255.255.255.192 | 1111 1111 1111 1111 1111 1111 1100 0000 |
25 | 255.255.255.128 | 1111 1111 1111 1111 1111 1111 1000 0000 |
24 | 255.255.255.0 | 1111 1111 1111 1111 1111 1111 0000 0000 |
23 | 255.255.254.0 | 1111 1111 1111 1111 1111 1110 0000 0000 |
22 | 255.255.252.0 | 1111 1111 1111 1111 1111 1100 0000 0000 |
21 | 255.255.248.0 | 1111 1111 1111 1111 1111 1000 0000 0000 |
20 | 255.255.240.0 | 1111 1111 1111 1111 1111 0000 0000 0000 |
19 | 255.255.224.0 | 1111 1111 1111 1111 1110 0000 0000 0000 |
18 | 255.255.192.0 | 1111 1111 1111 1111 1100 0000 0000 0000 |
17 | 255.255.128.0 | 1111 1111 1111 1111 1000 0000 0000 0000 |
16 | 255.255.0.0 | 1111 1111 1111 1111 0000 0000 0000 0000 |
15 | 255.254.0.0 | 1111 1111 1111 1110 0000 0000 0000 0000 |
14 | 255.252.0.0 | 1111 1111 1111 1100 0000 0000 0000 0000 |
13 | 255.248.0.0 | 1111 1111 1111 1000 0000 0000 0000 0000 |
12 | 255.240.0.0 | 1111 1111 1111 0000 0000 0000 0000 0000 |
11 | 255.224.0.0 | 1111 1111 1110 0000 0000 0000 0000 0000 |
10 | 255.192.0.0 | 1111 1111 1100 0000 0000 0000 0000 0000 |
9 | 255.128.0.0 | 1111 1111 1000 0000 0000 0000 0000 0000 |
8 | 255.0.0.0 | 1111 1111 0000 0000 0000 0000 0000 0000 |
7 | 254.0.0.0 | 1111 1110 0000 0000 0000 0000 0000 0000 |
6 | 252.0.0.0 | 1111 1100 0000 0000 0000 0000 0000 0000 |
5 | 248.0.0.0 | 1111 1000 0000 0000 0000 0000 0000 0000 |
4 | 240.0.0.0 | 1111 0000 0000 0000 0000 0000 0000 0000 |
3 | 224.0.0.0 | 1110 0000 0000 0000 0000 0000 0000 0000 |
2 | 192.0.0.0 | 1100 0000 0000 0000 0000 0000 0000 0000 |
1 | 128.0.0.0 | 1000 0000 0000 0000 0000 0000 0000 0000 |
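As an added example (not the manual's own code), a small Python helper that converts between the three columns of the table above and also catches the one mistake a hand-written table invites: a mask whose 1 bits are not contiguous, such as 255.255.228.0, is not a valid subnet mask at all. The function names and the sample station address are assumptions of this example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted-decimal mask (19 -> '255.255.224.0')."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length {prefix} is outside 0..32")
    value = (ALL_ONES << (32 - prefix)) & ALL_ONES   # `prefix` leading 1 bits, rest 0
    return str(ipaddress.IPv4Address(value))


def is_valid_mask(mask: str) -> bool:
    """True only for a contiguous mask: some leading 1 bits followed by 0 bits."""
    try:
        value = int(ipaddress.IPv4Address(mask))   # rejects malformed octets such as 256
    except ValueError:
        return False
    ones = bin(value).count("1")
    # A contiguous mask with `ones` 1 bits has exactly one possible value.
    return value == (ALL_ONES << (32 - ones)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> CIDR prefix length ('255.255.224.0' -> 19)."""
    if not is_valid_mask(mask):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def mask_to_binary(mask: str) -> str:
    """Render the mask in the table's binary layout, four bits per group."""
    bits = f"{int(ipaddress.IPv4Address(mask)):032b}"
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def to_cidr(address: str, mask: str) -> str:
    """Network of an address/mask pair in CIDR notation with host bits cleared."""
    if not is_valid_mask(mask):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return str(ipaddress.IPv4Network((address, mask), strict=False))


if __name__ == "__main__":
    # Constructed sample: a station address with a /24 mask, and the table row
    # that is easiest to get wrong by hand.
    print(to_cidr("10.20.30.40", "255.255.255.0"))                 # 10.20.30.0/24
    print(mask_to_prefix("255.255.224.0"), mask_to_binary("255.255.224.0"))
    print(is_valid_mask("255.255.228.0"))                           # False: 228 = 1110 0100
```

Storing the network as address/prefix (what SecureAnyBox5 does with CIDR notation) makes the contiguity check unnecessary afterwards, which is why it is worth validating the dotted mask once, at input time.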
An alias is an entry which points to another object in the namespace by containing its DN. Searching the entry that an alias entry points to is known as dereferencing the alias.
There are four modes of dereferencing aliases:
Two aliases have been set up in the directory:
In the container “ou=People”, two other entries have been set up:
The following table summarizes the results of searching “ou=Employees” in the different modes.
Dereference mode | Results |
---|---|
Never | no entries (because the “ou=Employees” alias never dereferenced) |
Dereference while finding the base object | no entries (because the “ou=Employees” alias never dereferenced) |
Dereference while retrieving objects according to search scope | two entries: “cn=Marie Smith, ou=People” and “cn=Robert Norman, ou=People” (because the “cn=Newbie, ou=People” alias is never dereferenced) |
Always | three entries: “cn=Marie Smith, ou=People”, “cn=Robert Norman, ou=People” and “cn=James Black, ou=NewHires” |
Password pattern | Entropy* | Generated passwords (examples) | | |
---|---|---|---|---|
17 characters | | | | |
CvddcVcAzduldAAvl | 74.01 | zi02gIfKT5Ah7frys | Qo60histH3Pd4OQez | hi82xOpGQ7Ft1Lzef |
ZuAcVdAddcVlduldA | 72.65 | YLjvU9c67tol3Lc0P | ETGgO0B66zek9Xi3M | AIivE7q60kUr7Rt5y |
uzVcsAnVdACCvdAnC | 76.45 | NCur]g6o5Ygru3Y[t | CMul#F.A6mMfi8D(c | BMEx/y_A9SFTy4S5X |
dCVAAAAAdscVnuAnV | 76.70 | 7siJIsnK0/ce$Cy*E | 4WyKKsnr7$ky&Fu6A | 4koceFZL7;wo<Wm[u |
CvdscVcAznuldAAvl | 77.13 | Cy7)zYnVL5Vd4CYuo | Za0&tEmAW4Qc7Lbon | li7$rejUN*Og6Ixon |
15 characters | | | | |
vddcVcAZduldAvl | 64.19 | o56xYtWU6He9Sal | a93vucrO8Gj5Oap | u58xYnAI5Be5uic |
AcdVAAVlCuldAdl | 66.02 | rz0ogHefmIf5A3w | Eh1aSfegCYt7t5w | pb1oPLYtPRg7P3n |
uZcdVCVCZuAVcdA | 65.94 | ZIn7eMawIHDYk5W | KAz9OCYgILLaz0t | GYx0YCyfYWpiv2c |
ZnAcVdnlAundCAV | 66.65 | A-LzI3:cPD;7SMy | U$Xby2:ecG45nlU | O4bpY6]wrQ71pMA |
dCVAccAdcVduAdV | 64.62 | 2gufrgC5by1Mm8u | 3ZeFtbv7pa2NY9A | 2Mavcqg2fO7Fa4u |
12 characters | | | | |
CulllduCldVz | 53.25 | rHevf4DXy1EZ | bBuud7YKz2UM | cCbtg8Zsy5IB |
VAn*dAcVdlsu | 53.50 | Aj;O3mcy9b.H | Ex2<7gmE8i-O | UA2S8wry4y(W |
ZVdAsCVndldA | 52.34 | UA2p/SU58k7b | EO0C%HO@4s7r | OI5c:Se*8e2r |
uCldVdAsCVVA | 52.56 | Yxo8i3K>rUEF | ZNs3U6g/BuAX | Qwb6u6n&luYK |
AcVdlsCuldAd | 52.10 | lty8i%JHy6F5 | Cqu6t@xZk9m7 | Ymu9i$XRh9t0 |
Easier to remember (alternating consonants and vowels) | | | | |
cVcZdCvcddC | 46.32 | rumE9Zes04L | kurA7jas53d | tUlE8xiz14V |
cvVcdVddzZzV | 50.18 | hyoh6Y78DUPO | weyp8u59TYFA | viyr8u33PIQI |
cvcsdddcvcs | 45.35 | qab/141qor/ | cyh/582wut@ | guv$451vof@ |
CvcVsdcVcvd | 46.45 | GohI>5zini7 | juny/7xYdi3 | HamY&7dyqa4 |
zZzVdsdzZzV | 47.03 | PELa4[7TOQY | GIKo1@5KAKU | XAHa6#4NULa |
* Password pattern entropy is counted as an average entropy of a hundred passwords that were generated based on the password pattern.
Password entropy is a measurement of how unpredictable a password is. The higher the value, the better.
Based on password entropy value, SecureAnyBox5 recognizes four levels of how secure the password is.
Password security | min. | max. | Description |
---|---|---|---|
really bad | 0 | 20 | password should be changed immediately |
unsatisfactory | 20 | 35 | password does not meet security standards, should be changed |
satisfactory | 35 | 50 | password meets security standards, but it can be better |
really good | 50 | | password is really secure |
To specify the set of characters that will be used while generating a password, enter them into the field without any separator (e.g. ‘abc’). In that case, the generated password will use only the specified characters.
The set of characters that will be omitted while generating a password must begin with the ^ character (e.g. ‘^0123’). In that case, the generated password will use all allowed characters except for the specified ones.
In the Agent Configuration, it is possible to use a combination of 3 different Pattern Characters settings. Each character of the generated password can use only one setting.
Recommended character sets:
lowercase vowels | aeiouy |
mixed case vowels | AEIOUYaeiouy |
uppercase vowels | AEIOUY |
lowercase consonants | bcdfghjklmnpqrstvwxz |
uppercase consonants | BCDFGHJKLMNPQRSTVWXZ |
mixed case consonants | bcdfghjklmnpqrstvwxzBCDFGHJKLMNPQRSTVWXZ |
lowercase alphabet characters | abcdefghijklmnopqrstuvwxyz |
uppercase alphabet characters | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
mixed alphabet characters | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ |
digits | 0123456789 |
special characters | .@&*()<>_][%$#/\?;-: |
You want to generate passwords that are user-friendly, without easily interchangeable characters (like 0 and O, or I and l and 1).
For such a password, enter ^0O1Il into the Pattern Characters 1 field and into the Password Pattern field enter as many ‘1’ characters as the number of characters the generated password should have.
This setting will generate passwords such as: vZ\Z7q@hoqiPK, C_6wsK((AujbG, K(_H-T*C]c%fq
If you want to omit all special characters as well, just add all special characters to the text in the Pattern Characters 1 field.
This setting will generate passwords such as: 2a5CMpdGUXytD, Zs7aPYqSUV8ps, AxnXkr5KZhFYw
You want to generate easily readable passwords (with alternating consonants and vowels).
For passwords with alternating characters, two Pattern Characters settings are necessary. Into the first Pattern Characters field enter all consonants and into the second one enter all vowels. The Password Pattern field is then set as an alternation of 1 and 2; the number of 1s and 2s depends on how many characters the new password should have.
This setting will generate passwords such as: fABOqucimac, minITafeJAl, NidedYvOKAt
You want to generate passwords that conform to password requirements (for example, at least two capital letters, one digit or a special character).
For passwords that conform to such requirements, it is necessary to set all characters that can be used in the generated passwords as Pattern Characters 1, upper case characters as Pattern Characters 2, and digits and special characters as Pattern Characters 3.
In some cases it can be simpler to specify the characters to omit. The text '^.&()<>_][%$#\?;:' has the same effect as the text 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@-*/'.
This setting will generate passwords such as: vaDB3/smCVR, oFhV62MQEvI, RWXZl2HiGth
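The Pattern Characters syntax and the three use cases above, as an added Python example that is not SecureAnyBox5's own generator: it expands a Pattern Characters field (including the ^ exclusion form), draws one character per Password Pattern digit from the matching set, and computes the entropy of a pattern. It assumes that the "allowed characters" the ^ form starts from are the letters, digits and special characters of the table above; the entropy it computes is log2 of the number of equally likely passwords the pattern can produce, which is not the averaged measure the entropy table reports, so the two numbers are not directly comparable. The function names and the constructed settings are this example's own.

```python
import math
import secrets
from typing import Dict

# Character classes taken from the table of recommended character sets above
# (the order of the special characters is the table's).
LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"
SPECIALS = ".@&*()<>_][%$#/\\?;-:"
ALL_CHARS = LETTERS + DIGITS + SPECIALS      # 82 symbols (assumed "allowed characters")
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"


def resolve_pattern_characters(text: str) -> str:
    """Expand a Pattern Characters field into the alphabet it allows.

    'abc' allows exactly a, b and c; '^0O1Il' allows every symbol of ALL_CHARS
    except those five.  Duplicates are dropped so that the entropy count sees
    each symbol once.
    """
    if text.startswith("^"):
        excluded = set(text[1:])
        alphabet = [c for c in ALL_CHARS if c not in excluded]
    else:
        alphabet = list(dict.fromkeys(text))      # keeps order, removes duplicates
    if not alphabet:
        raise ValueError("Pattern Characters resolve to an empty alphabet")
    return "".join(alphabet)


def generate_password(pattern: str, pattern_characters: Dict[str, str]) -> str:
    """Generate one password from a Password Pattern such as '1212' or '1111111'.

    Each digit of the pattern selects the Pattern Characters field with that
    number; the character for that position is drawn from the field's alphabet
    with the secrets module (a CSPRNG), never with random.choice.
    """
    alphabets = {key: resolve_pattern_characters(text)
                 for key, text in pattern_characters.items()}
    chars = []
    for position, key in enumerate(pattern):
        if key not in alphabets:
            raise ValueError(f"position {position}: Pattern Characters {key} is not defined")
        chars.append(secrets.choice(alphabets[key]))
    return "".join(chars)


def pattern_entropy_bits(pattern: str, pattern_characters: Dict[str, str]) -> float:
    """Entropy of the pattern: sum over positions of log2(alphabet size).

    This is the entropy of uniform random choice per position; the manual's
    table reports an average over generated passwords, a different measure.
    """
    return sum(math.log2(len(resolve_pattern_characters(pattern_characters[key])))
               for key in pattern)


def security_level(entropy_bits: float) -> str:
    """Map an entropy value onto the four levels of the table above."""
    if entropy_bits < 20:
        return "really bad"
    if entropy_bits < 35:
        return "unsatisfactory"
    if entropy_bits < 50:
        return "satisfactory"
    return "really good"


# Constructed settings mirroring the three use cases described above.
NO_CONFUSABLES = {"1": "^0O1Il"}                                     # use case 1
ALTERNATING = {"1": CONSONANTS + CONSONANTS.upper(),                 # use case 2
               "2": VOWELS + VOWELS.upper()}
REQUIREMENTS = {"1": ALL_CHARS,                                      # use case 3
                "2": LETTERS[26:],                                   # upper case only
                "3": DIGITS + SPECIALS}

if __name__ == "__main__":
    for name, pattern, sets in [("no confusables", "1" * 13, NO_CONFUSABLES),
                                ("alternating", "12121212121", ALTERNATING),
                                ("requirements", "11213221131", REQUIREMENTS)]:
        bits = pattern_entropy_bits(pattern, sets)
        print(f"{name:15} {generate_password(pattern, sets)}  "
              f"{bits:6.2f} bits  {security_level(bits)}")
```

The entropy function also shows why the alternating pattern is the weakest of the three: a position restricted to twelve vowels contributes only about 3.6 bits, so readability is paid for with length.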