Contents

First steps and user settings

First login

For a user to log into SecureAnyBox, the user needs to be created and has a password entered.
If more than one domain is specified, the user must also enter the domain name when logging in.

After entering the login credentials, a page for setting an access code displays. The access code is used to decrypt secure information (such as passwords, certificates) and to confirm changes.

While entering the access code, you can see how secure your access code is and also how many of the required characters you are using.

Requirements to characters of the access code can be changed in the Configuration for users in all domains or in the domain details for users in that domain.

After the access code set, the page automatically redirects to the root level of Safe Boxes.

User interface – controls

Change Access Code

If you know your access code, and you need to change it (due to security reasons or you shared your access code with someone else, etc.), please click the menu icon (next to a name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In a menu, please click on the Change Access Code button ( ).

After clicking the button, a form for changing the access code displays. To change the access code enter a current access code into the first field and into other two fields, please enter a new one. While entering the new access code, you can see how secure your access code is and also how many of the required characters you are using.

To confirm the new access code, please click the OK button. After the new access code set, a success message displays.

Forgotten Access Code

In a case you forgot the access code, you may reset it. By resetting your access code, you will lose access to all Safe Boxes, and Safe Boxes accessed only by you will be deleted.

Before reset of the access code, please consult your administrator about losses.

To reset the access code, please click the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In a menu, please click the  Reset Access Code button ( ).

You need to confirm the warning only if you have access to some Safe Box. Otherwise, you will be asked to enter a new access code immediately.

In the Reset Access Code form, you must confirm the warning that you will lose access to all Safe Boxes. You can also check which Safe Boxes will be deleted because after the access code restored, nobody will have permission for these Safe Boxes.

After the warning confirmed, a form for entering new access code displays. While entering the access code, you can see how secure your access code is and also how many of the required characters you are using. To confirm the new access code, please click the OK button.

After resetting the access code, you will see a message about the successful reset of the access code. You can confirm the changes with the new access code. If you had some inherited permissions for Safe Box Groups and Safe Boxes, another user could share them to you. Also, your White Envelope can be activated again, but all assigned permissions have to be assigned manually.

Change Login Password

LDAP synchronized users are not allowed to changing their password in the SecureAnyBox because the password does not change in LDAP. If you are not sure whether you are syncing from LDAP, contact your administrator and consult the password change.

To change your login password, please click on the menu icon (next to a name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In a menu, please click on the Change Login Password button ( ).

After clicking the button, Change Login Password form displays. To change your login password, please enter the current password into the first field and to the other fields enter a new one. While entering the new password, you can see how long your password is, how many lowercase letters, uppercase letters, numbers or other symbols password contains and how secure your password is.

To confirm the change of the password, please click the OK button. After changing the password, a success message displays.

Two-Factor Authentication

In order to improve the security of data stored in the SecureAnyBox, users can use Two-Factor Authentication. As a second factor is used 6-digits code from the Authenticator app, paired with SecureAnyBox via secret-key.

Enable Two-Factor Authentication

Each user can enable two-factor authentication to SecureAnyBox. If the Two-Factor Authentication is enabled, the user has to enter a verification code every time to log in. Verification code is generated by the Authenticator app on the users mobile phone (iOS and Android).

To enable a Two-Factor Authentication, it is necessary to have the Authenticator app installed on a mobile phone.

To enable the Two-Factor Authentication, please click on the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In the displayed menu, please click on the Two-Factor Authentication settings button ( ).

After clicking the button, a wizard displays. To enable a Two-Factor Authentication is necessary to pair the Authenticator app with SecureAnyBox. Please follow the steps in the wizard.

After the Two-Factor Authentication set, a user has to enter the second factor every time to log in. Two-Factor Authentication can be deactivated by the user in the Two-Factor Authentication settings or by user with the User Manager role in the user’s details.

Pair another Authenticator

Once the Two-Factor Authentication set and confirmed, it is possible to pair another Authenticator.

To pair another Authenticator, please click on the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In the displayed menu, please click on the Two-Factor Authentication settings button ( ).

After clicking the button, the wizard with two options displayed. Please click the PAIR ANOTHER AUTHENTICATOR button and follow the steps. When another Authenticator paired, all Authenticators should give you the same 6-digit code.

Disable second factor

If you do not want to use the second factor, you can disable Two-Factor Authentication settings. But in a case, that the Two/Factor Authentication is mandatory, you will be ask to set the second factor again. Disabling the second factor will delete all user’s settings and all paired Authenticators have to be paired again.

To disable second factor, please click on the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In the displayed menu, please click on the Two-Factor Authentication settings button ( ).

After clicking the button, the wizard with two options displayed. Please click the Disable second factor button and enter the 6-digit code to confirm the action.

Reset Two-Factor Authentication settings

Users with the User Manager role can reset Two-Factor Authentication settings for another user by clicking the Reset Two-Factor Authentication button in the bottom of user details form.

To confirm the reset is necessary to enter the access code. Reset of Two-Factor Authentication settings should use when the user lost access to the paired Authenticator app and etc.

Change language

Each user can change the language of a web interface. Available options are English, Czech, German and French. To change the language of the interface, please click on the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In the displayed menu, please click on the Change Language button ( ).

After clicking the button, a form for changing the language displays. In the form, please select which language you want to set, and click the OK button. After changing the language, a page reloads in the chosen language.

User Preferences

Each user can modify preferences, which are applied only to him. To alter these preferences, please click on the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In the displayed menu, please click the Change preferences button ( ).

After clicking on the Change Preferences button, User preferences form displays.

Field Remember Access Code ( ) is displayed only if remembering of Access Code is set in the server configuration.

Fields in Notification settings part of a form ( ) are displayed if e-mail notifications are enabled in the server configuration.

Field Notification of user initialization ( ) is displayed only to users with User Manager role.

In User preferences form, it is possible to set remembering last location, default password pattern for Safe Box Groups, Safe Boxes, and Accounts which user will create and configure e-mail notification settings. All preferences are applied only for the currently logged user. Changing preferences for all users is possible in SecureAnyBox configuration.

Start page setting

Each user can set a start page – page to which will be redirected after login into SecureAnyBox.

To set start page, please click on the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In the displayed menu, please click the Start page setting ( ).

After clicking Start page setting , window for start page setting displays.

First setting of a start page

If you are setting up a start page for the first time, a window will appear where you confirm that you want to set the page as a start page.

Start page is set to the current page

In a case, the current page is set as a start page, a window will appear where it is possible to remove start page setting.

Start page is set to different page

If a start page is set to different page than the current page, it is possible to check setting by clicking the link. At the same time, you can override or remove your start page settings.

Switch to Administration

From version 5.0, the Administration part of SecureAnyBox has been moved to its own interface. To switch to Administration, please click on the menu icon (next to the name of the user) in the top right corner of the page ( ). After clicking, a context menu displays. In the displayed menu, please click the Switch to Administration ( ), which will redirect you to the Administration interface.

Safe Boxes

Menu

Filtering of Safe Boxes and Safe Box Groups

p(#FilteringOfSafeBoxesAndSafeBoxGroupsParagraph1).Safe Boxes and Safe Box Groups at the root level can be filtered by their name or description by entering a text into the filter field ( ). Safe Boxes and Safe Box Groups can also be filtered by selecting a user tag or a user into a special field ( ).

When filtering by a user tag, in the table are shown Safe Boxes and Safe Box Groups which have some permission template assigned to the selected user tag.
When filtering by user, the table shows Safe Boxes and Safe Box Groups to which the selected user has some permissions.

Pinned Safe Boxes and Safe Box Groups

User can edit order of displayed Safe Boxes and Safe Box Groups by pinning the selected Safe Box (Safe Box Group) to the top of the list.
To pin the Safe Box, please click the pin icon ( ) in the row of selected Safe Box, and confirm the dialog.

After the Safe Box is pinned, it displays at the top of the list with pin icon.

Order of pinned Safe Boxes can be managed in the form, which displays after clicking the Edit pinned order button. To change the order of the pinned Safe Boxes, drag the selected Safe Box to the desired position.

To unpin the Safe Box, please click the pin icon again and confirm the dialog. After unpinning, the Safe Box is displayed without the pin icon.

Sharing & Permissions

Access rights can be managed for each Safe Box or Safe Box Group separately. For Safe Boxes and Safe Box Groups, which are not private applies the dynamic inheritance of access rights. If Safe Box or Safe Box Group is private, then inheritance of access rights is blocked. However, permissions for the private Safe Box Group or Safe Box can be assigned manually.
Access rights can be managed at the root level too.

Managing of the access rights is possible after clicking on a link Sharing & Permissions .

The Sharing & Permissions button is displayed only to users with permission Access Control

At the page Sharing & Permissions is displayed a table of users who have permissions for that level (the root level, a Safe Box Group or Safe Box) and all records in it.

Permissions overview

In a table are displayed only permissions which can be set at the Sharing & Permissions page.

Sharing Safe Box or Safe Box Group

By assigning access rights, you can share a Safe Box or Safe Box Group with other users.

To assign permissions for Safe Box or Safe Box Group to another user, please click on the Add User button. After clicking, a list of users to whom is possible to share Safe Box or Safe Box Group displays. You cannot share Safe Boxes and Safe Box Groups with users who don’t have set the access code.

If a user is from a different domain than the currently logged user, after the user’s name is displayed a domain name.

In a list of users, please select a user with whom you want to share a Safe Box or Safe Box Group. It is possible to add multiple users at a time. After users are selected, please click the  OK  button. Adding users needs to be confirmed by entering the access code. Have you forgotten the access code?

After adding a user into a table of permissions, the user has only a permission to READ. You can assign other permissions manually by checking the appropriate checkbox.

All changes at the Sharing & Permissions’s page have to be confirmed by entering the access code.

Assigned rights

The assigned rights can be managed separately for each Safe Box or Safe Box Group. If a user has any inherited rights, it is necessary to click on the blue gear icon ( ). After that, it is possible to assign rights by clicking on an appropriate checkbox.

Assigned rights have precedence before inherited ones.

If a user does not have any inherited rights, assigned rights can be managed just by clicking on an appropriate checkbox.

To delete assigned rights for a user, click on the icon of a cross ( ) at the end of a row and confirm applying changes. If the deleted user had the assigned rights only, then after confirmation is no longer displayed in a table.

Dynamic inheritance

Dynamic inheritance of permissions applies only to shared Safe Boxes or Safe Box Groups. To apply the dynamic inheritance of user access rights, the user must have assigned the Inherited permission for the root level or Safe Box Group.

When a user has the Inherited permission assigned for the root level, all of the user’s other permissions (Read, Create, Modify, Delete, Access Control) at the root level will be inherited by all shared Safe Boxes and Safe Box Groups.

If a user has the Inherited permission assigned only for a Safe Box Group, all of the user’s other permissions at a Safe Box Group will be inherited by all shared Safe Boxes within the range of Safe Box Group.

When a user modifies the Inherited permission, a warning dialog appears. To proceed with the modification, a user has to type in the confirmation code (three letters displayed boldly) and confirm the warning dialog.

Permissions for the root level

Permissions for the root level are pre-set by Default Safe Box Permissions in a user detail but can be modified directly for the root level. To be able to manage permissions for the root level, logged user need to have Access Control permission for the root level and user role User Manager or Administrator. Otherwise, the Sharing & Permissions button is not going to be displayed at the root level page.

Share inherited permissions

If any user resets his access code or to some user was assigned permission Inherited for the root level, it is necessary to share inherited permissions with them.
In a case that situation occurs, a warning message displays to you, after loading the root level page. To share permissions, please click the OK button and enter the access code.

Permission templates

Permission templates can be managed only by users with permission Access Control

Permission templates are designed to help you assign permissions to users. Permission templates can set for root level, any Safe Box Group, and any Safe Box. Permission templates are set for user tags. For each level, you can create user tag one time only. User tags can be from the domain of the current user and even from other visible domains.

To create a permission template, please select user tag and assign permissions. Permission template will apply to all users with the same user tag as set in the template.

If the permission template set from the parent level, it is possible to modify it by clicking the blue gear icon ( ).

To view or manage permission template(s) for parent level, click the Up button.

After permission templates set, users with the permission Apply templates can apply them.

Apply permission templates

Only users with Apply templates permission can perform this action.

Permission templates can be applied to Safe Box Group or Safe Box. Permissions to apply are computed based on permission template in listed Safe Box Groups and Safe Boxes for each user tag assigned to a user. If computed permissions are missing some of the effective permissions, the red arrow ( ) appears.

Please review permissions in the table below.

Permissions were computed based on Permission Templates in listed Safe Boxes and Safe Box Groups depending on User tags assigned to listed users.

You can either Approve permissions, Skip permission assignment this time or Reject permission assignment. When you Reject permission assignment, SecureAnyBox will remember this choice. Next time Permission Templates are processed, permission record will show as rejected by default.

To completely remove a user from the permission assignment processing, you can change the user’s user tag assignment.

Watching...

For Safe Box Groups, Safe Boxes, and records, it is possible to set the watching of changes and/or accesses to encrypted information. Watching can be set for each level – the only exception is the root level.

When a user is watching changes for some level, and e-mail notifications are enabled in the server configuration, SecureAnyBox sends e-mails with a summary of changes at that level. Whether the changes are watched in all fields, or encrypted ones only, it depends on the server configuration of notifications.

If the user is watching accesses to encrypted information and e-mail notifications are enabled in the server configuration, SecureAnyBox sends e-mails with a summary of accesses at that level.
To access encrypted information is necessary to enter the access code in a record. If the access code is temporarily remembered, user accesses all records without entering the access code..

Watching of accesses and/or changes is inheritable – if user watches changes in Safe Box Group, all Safe Boxes, and records within the Safe Box Group will inherit watching of changes/accesses from the parent level.

From the root level is possible to edit watching for all currently accessible Safe Box Groups, Safe Boxes, and records by clicking the Watching... button.

Watching of changes/accesses for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

In the Watching report , it is possible to check what the currently logged user is watching.

Start watching changes to everything

Changes in all Safe Box Groups, Safe Boxes, and records within them, which you can currently access, will be watched.

Start watching accesses to everything

Accesses to encrypted information in the records stored in all Safe Boxes and Safe Box Groups to which you have access currently will be watched.

Stop watching changes to everything

Changes in all Safe Box Groups, Safe Boxes, and records within them, which you can access currently will no longer be watched.

Stop watching accesses to everything

Access to encrypted information in all Safe Box Groups, Safe Boxes, and records within them which you can access currently will no longer be watched.

Stop watching all

After clicking Stop watching all button, the watching of changes and accesses will be deactivated for all currently accessible Safe Box Groups and Safe Boxes, and records.

Safe Box Group

Create Edit Watching... Delete

Create New Safe Box Group

To create a Safe Box Group, the user needs to have assigned the Create permission for the root level.

To create a Safe Box Group click the New Safe Box Group button. In the Safe Box Group, it is necessary to set a name, a password pattern and a type (private or shared). Into a Safe Box Group can be created a new Safe Box or can be moved existing Safe Box.

If the Safe Box Group is private, all Safe Boxes in it are also considered private.

Edit Safe Box Group

To be able to edit the Safe Box Group, a user must have permission to Modify.

For each of Safe Box Groups, it is possible to change name, description, password pattern, external files path and Safe Box Group Type.

If an external file path is changed, SecureAnyBox will store all new external files at the new location, but all previously stored files will remain at their original location.

Watching...

For each Safe Box Group, you can turn on two types of watching – watching changes, and watching accesses to encrypted information. In a case that someone changed the watched Safe Box Group, or Safe Box, or record within these Safe Boxes, or someone accessed encrypted information in the record within these Safe Boxes, an e-mail notification is sent to a user who watches the Safe Box Group (depending on the configuration of mail notifications).

To access encrypted information is necessary to enter the access code in a record. If the access code is temporarily remembered, user accesses all records without entering the access code.

The user can customize the notification settings in user preferences.

Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

To set watching for the Safe Box Group, click the Watching... button, watching menu will display.

In the Watching report is possible to check what the currently logged user is watching within the Safe Box Group.

Current status of watching for the Safe Box Group is displayed next to the Watching... button.

	Watching of changes and accesses to encrypted data is set explicitly for the Safe Box Group.
	Watching of changes is set for the Safe Box Group. Watching of accesses to encrypted data not set.
	Watching of changes not set. Watching of accesses to encrypted data is set explicitly for the Safe Box Group.

Safe Box Groups can have watching of accesses and/or changes set explicitly only.

By checking fields Watching Changes , or Watching Accesses , user immediately set explicit watching of changes/accesses for the Safe Box Group. All Safe Boxes within this Safe Box Group, and records in them, will inherit the watching of changes/accesses from the Safe Box Group.

Start watching changes within this Safe Box Group

All Safe Boxes currently stored in this Safe Box Group will have set the watching of changes explicitly, and changes in them will remain watched even if these Safe Boxes are moved to another Safe Box Group where changes are not watched.

Start watching accesses within this Safe Box Group

All Safe Boxes currently stored in this Safe Box Group will have set the watching of accesses explicitly, and accesses to encrypted information in them will remain watched even if these Safe Boxes are moved to another Safe Box Group where accesses are not watched.

Stop watching changes within this Safe Box Group

Safe Box Group, all Safe Boxes within this Safe Box Group, and all records in them will no longer have set the watching of changes.

Stop watching accesses within this Safe Box Group

Safe Box Group, all Safe Boxes within this Safe Box Group, and all records in them will no longer have set the watching of accesses to encrypted data.

Delete Safe Box Group

Safe Box Group can be deleted from the root level. To be able to delete the Safe Box Group, a user must have permission Delete. If a user has this permission, a cross icon ( ) is displayed at the end of a row.
After clicking on a cross icon, a user is asked to confirm deleting of the Safe Box Group. When confirmed, the Safe Box Group is deleted and is no longer displayed.

Deleted Safe Box Group user can immediately restore by clicking on the Undo in the displayed message.

Safe Box

Create Edit Move Import records Watching... Connect from Safe Box Delete

Safe Boxes are intended for storing records. Different types of records - accounts, secret accounts, files, certificates, credit cards - can be stored inside a Safe Box.

Access rights can be managed for each Safe Box separately. For Safe Boxes, which are not private, is applied the dynamic inheritance of access rights. The inheritance permission can be set for root level or Safe Box Group. When a user has this permission, all new shared Safe Boxes will inherit his permissions from parent level.

When the Safe Box is private, the inheritance of access rights is blocked. However, the access rights to the private Safe Box can be assigned manually.

Create Safe Box

To be able to create a Safe Box, a user must have permissions to Create for the root level or a Safe Box Group in which the Safe Box will be created.

New Safe Box can be created at the root level or inside a Safe Box Group by clicking on the New Safe Box button. In the Safe Box, it is necessary to set a name, a password pattern and a type (private or shared). Private Safe Box can be created only at the root level.
When creating a Safe Box into a Safe Box Group the Safe Box Type cannot be set – is given by Safe Box Group Type.

Edit Safe Box

To be able to edit the Safe Box, a user must have permission to Modify.

For each of Safe Boxes, it is possible to change name, description, password pattern, external files path and Safe Box Type.

If an external file path is changed, SecureAnyBox will store all new external files at the new location, but all previously stored files will remain at their original location.
If the Safe Box is not in a Safe Box Group, it is possible to change a Safe Box type also.

Move Safe Box

To be able to move the Safe Box, a user must have permission to Delete. When moving, the Safe Box is effectively deleted from an original location and created at a target location.

To move the Safe Box click the button Move Safe Box , and wait until is displayed a list of possibilities, to where it is possible to move the Safe Box.

Click on a row in a list select the destination into which the Safe Box will be moved and confirm the move by entering the access code. Have you forgotten the access code?

By moving the Safe Box, you may change permissions of other users for the Safe Box.

Import records into Safe Box

Into the Safe Box can be imported records from other applications. Before importing, please create target Safe Box. On the Safe Box page, then click the Import... button and in the displayed menu select SecureAnyBox Importer

Import utilities can be downloaded from Downloads page too.

After clicking, a dialog with a download link displays. When downloaded, extract files from the zip archive and run a utility.

In the SecureAnyBox Importer, the user needs to enter SAB address to the appropriate field. You can get and copy SAB address by clicking the Copy SAB address option in the menu, that displays after clicking on the Import... button.

Watching

For each Safe Box, you can turn on two types of watching – watching changes and watching accesses to encrypted information. In a case that someone changed the watched Safe Box or record within the Safe Box or someone accessed encrypted information in the record within the Safe Box, an e-mail notification is sent to a user who watches the record (depending on the configuration of mail notifications).

If the Safe Box is watched, all records in it are watched also. The user can customize the notification settings in user preferences.

Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

In the Watching report is possible to check what the currently logged user is watching within the Safe Box.

Current status of watching for the Safe Box is displayed next to the Watching... button.

	Watching of changes is set explicitly for the Safe Box. Accesses are not watched.
	Watching of changes is inherited from the parent level. Accesses are not watched.
	Watching of accesses to encrypted data is set explicitly for the Safe Box. Changes are not watched.
	Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
	Watching of changes and accesses to encrypted data is set explicitly for the Safe Box.
	Watching of changes is set explicitly for the Safe Box. Watching of accesses to encrypted data is inherited from the parent level.
	Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for the Safe Box.
	Watching of changes and accesses to encrypted data is inherited from the parent level.

By checking fields Watching Changes , or Watching Accesses , user immediately set explicit watching of changes/accesses for the Safe Box. All records within this Safe Box will inherit the watching of changes/accesses from the Safe Box.

Start watching changes within this Safe Box

All records currently stored in this Safe Box will have set the watching of changes explicitly and the changes will be watched even if record moved to another Safe Box that where the changes are not watched.

Start watching accesses within this Safe Box

All records currently stored in this Safe Box will have set the watching of accesses explicitly and the accesses to encrypted information will be watched even if record moved to another Safe Box where the accesses are not watched.

Stop watching changes within this Safe Box

Changes in this Safe Box and all records within it will no longer be watched.

Stop watching accesses within this Safe Box

Accesses to encrypted information in this Safe Box and all records within it will no longer be watched.

Connect

If any account or secret account stored in Safe Box has defined connection type, it is possible to open the connection by click on the Connect button. To open connection is necessary to have installed SecureAnyBox Launcher on your station.

If username (login) and password stored in the record, the user automatically connects to the target (server, station, etc.).

Delete Safe Box

To be able to delete the Safe Box, a user must have permission to Delete. If a user has this permission, a cross icon ( ) is displayed at the end of a row.

Safe Box can be deleted from the Safe Box Group page or the root level page. To delete Safe Box, please click the cross icon at the end of a row. After clicking on a cross icon, a user is asked to confirm deleting of the Safe Box. When confirmed, the Safe Box is deleted and is no longer displayed.

Deleted Safe Box user can immediately restore by clicking on the Undo in the displayed message.

Records

Create Edit Change password Password History Copy as... Watching... Connect Move Move to White Envelope Delete

Records are stored inside the Safe Boxes and are intended to store important information. By the nature of the information that will store, a user needs to select a type of record. All types of records and which information can be stored in them, are listed in the table below.

Record type

Field

Name

Description

Tags

Note

Password pattern

Address

Login Site

Login

Connection Type

Connection Options

Secret Note

Password

File

Alias

Certificate

Certificate password

Number

Expiration Date

CVV

PIN

Account

Secret Account

File

Certificate

Credit Card

	Information can be stored in this record type. Access to this information is not audited.
	Information can be stored for this type of record. This information will be encrypted when the record is saved. You need to enter an access code to access it. Access to this information is audited.
	Information cannot be stored in this record type.

Create record

       

To be able to create a record, the user must have permission to Create for the Safe Box, into which the record will create.

At the page of Safe Box into which a record should create, click on the Add... button, and in the context menu, select a type of record. After that, a form for creating a new record will display.

When creating the record, it is necessary to set a name. Other fields are optional. All values can be modified later.

Edit record

       

To be able to edit the record, a user must have a Modify permission for a Safe Box in which the record is stored.

To modify an record, click the Edit button on a page of record. After clicking, an edit form displays. In the edit form, it is possible to change any value of record. To edit values in the Secured section of the form, is necessary to enter the access code first. Only passwords in account and secret account type of record have to be edited differently.

To edit account’s and secret account’s password, click the Change password button on a record’s page.

Change password

 

To be able to change the record’s password, a user must have a Modify permission for a Safe Box, in which the record is stored.

To change record’s password, click on the Change password button at record’s pag. After clicking, the form for entering a new password appears.

The password can be changed by entering a new password into fields or by generating a new one. Generated passwords are formatted by the current password pattern. Generated passwords are possible to edit.

Change of the record’s password has to be confirmed by entering the access code (unless the access code is cached). Have you forgotten the access code?

By clicking the Change password button, you can change passwords in an account and secret account type of record only. Certificate password can be changed in the edit form of certificate.

Password history

 

For each account and secret account is recorded a password history. The password history will display after clicking the Password History button at record’s page.

At the password history’s page, all of the record’s password changes display in a table.

After clicking on a row in a table and entering the access code, a user can view the password which was valid after that change. Have you forgotten the access code?

Copy as...

       

Each record can be copied, either as the same type of record or the different type of record. To make a copy, click the Copy as ... button and select the record type.

When making a copy of a record, the field values are copied to the new record – if it is possible to save such values in the selected record type. A copy of the record is created in the same Safe Box, so it is necessary to edit the name of the record.

After saving a copy of the record, the original record is displayed, and the newly created record can be accessed by clicking on the name of the new record in the displayed message.

Watching...

       

For each record, you can turn on two types of watching – watching changes and watching accesses to encrypted information. In a case that someone changed the watched record or someone accessed encrypted information, an e-mail notification is sent to a user who watches the record (depending on the configuration of mail notifications).

The user can customize the notification settings in user preferences.

Watching settings are inheritable – if you watch changes in Safe Box Group, you also watch changes in all Safe Boxes within the Safe Box Group, as well as changes in records within all Safe Boxes.
Whether the watching is set explicitly for a specific record or inherited from the parent level can be recognized by the icon color which is displayed next to the Watching... button.

	Watching of changes is set explicitly for the record. Accesses are not watched.
	Watching of changes is inherited from the parent level. Accesses are not watched.
	Watching of accesses to encrypted data is set explicitly for the record. Changes are not watched.
	Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
	Watching of changes and accesses to encrypted data is set explicitly for the record.
	Watching of changes is set explicitly for the record. Watching of accesses to encrypted data is inherited from the parent level.
	Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for the record.
	Watching of changes and accesses to encrypted data is inherited from the parent level.

By checking fields Watching Changes , or Watching Accesses , user immediately set explicit watching of changes/accesses for the record.

Connect

 

If the record (account and secret account only) has specified a connection type, it is possible to open the connection by click on the Connect button. To open connection is necessary to have installed SecureAnyBox Launcher on your station.

If username (login) and password is stored in the record, the user connects to the target (server, station, etc.) automatically.

Move record

       

To be able to move the record, a user must have a Delete permission for the Safe Box in which the record stored and Create permission for the Safe Box into which the record will move. When moving, the record will be effectively deleted from the original Safe Box and created in the target Safe Box.

To move the record, click on the Move record button. After clicking, a list of possibilities to where it is possible to move the record displays.

In the list, the name of the Safe Box Group is blue, and after clicking it, a list of Safe Boxes stored in the Safe Box Group displays. If you want to move from a Safe Box Group to the root level, click on the first line with two dots.

The names of the Safe Boxes are black and by click on them a user to select the Safe Box to which the record will be moved. Moving of the record have to be confirmed by entering an access code. Have you forgotten the access code?

All record permissions are determined by the Safe Box permissions in which the record stored. By moving the record, you may change even yours permissions, and you will not be able to return the record to the original Safe Box.

Move to White Envelope

       

This option is available only if currently logged user has activated White Envelope. More about White Envelopes...

To be able to move the record into a White Envelope, a user must have a Delete permissions for Safe Box in which the record stored. When moving, the record will be effectively deleted from the original Safe Box and created in the White Envelope.

To move the record into a White Envelope, click on the appropriate button.
Before moving the record into a White Envelope, the user is asked to confirm moving the record, by entering the access code. Have you forgotten the access code?

Moving the record into a White Envelope cannot be taken back.

Delete record

       

To be able to delete the record, a user must have a Delete permissions for Safe Box in which the record stored. If the user has this permission, a cross icon ( ) is displayed at the specific record (at the end of the row).

Record can be deleted from the Safe Box page. To delete the record, click the cross icon at the end of a row. After clicking on a cross icon, a user is asked to confirm deleting of the record. When confirmed, the record is deleted and is no longer displayed.

Deleted record user can immediately restore by clicking on the Undo in the displayed message.

Search page

At the Search page, a user can search stored records (such as Safe Boxes, Safe Box Groups, Accounts, etc.), by their name, specified tag of a field value. However, it is not possible to search record by a field value which is encrypted.

To initiate the search, start typing into a search field.

White Envelopes

Activate White Envelope Security Officers page Open White Envelope Close White Envelope Editing Mode of White Envelopes Recover White Envelope Reactivate White Envelope Initialize Security Officers Possible situations

White Envelope is a special type of Safe Box, which is intended to store important information for which the access must not lose. If the user who stored data in the White Envelope is unavailable, Security Officers can access this information.

The White Envelope can store the same records as any other Safe Box – accounts, files, etc.
There are two ways to add records to White Envelopes – by creating new records in the White Envelope or by moving existing records from other Safe Boxes.
Users can change stored records, but cannot delete them.
Security Officers can delete White Envelopes and the records in them, by enabling editing mode.

To be able to use the White Envelopes, it is needed to set at least a minimum count of Security Officers.

The Security Officer is a special type of user’s role. To set Security Officers, go to the Users management and in the user details form, to add the role.

Minimum count of Security Officers depends on settings in the SecureAnyBox configuration and settings in a domain. Please check how many Security Officers are needed.

After Security officers set, it is possible to activate the White Envelope.

Activate White Envelope

Only if a minimum count of Security Officers set, it is possible to activate the White Envelope. To activate the White Envelope, open a context menu by clicking on the arrow next to the user’s name in the top right corner of the page and click on the Activate White Envelope button.

Security Officers page

For each of White Envelopes is possible to display which Security Officers who have access to it. To display Security Officers with access to the White Envelope, click the Security Officers button at the White Envelope page.

At the Security Officers page, you can see which Security Officers has access to the White Envelope and their e-mail. Above the table of Security Officers, is displayed a number of Security Officers needed to work together to perform actions with White Envelopes.

It is possible to filter displayed Security Officers, by entering a part of their name into the Filter field.

Open White Envelope

Only users with a role Security Officer can open White Envelopes of other users.

Should you need view encrypted values of records in another user’s White Envelope, open the White Envelope. To open the White Envelope, minimum count (two by default) of the Security Officers have to enter their access code.

Minimum count of Security Officers depends on settings in the SecureAnyBox configuration and settings in a domain. Please check how many Security Officers are needed.

In an opened White Envelope the Security Officers can view even encrypted values of records such as passwords, files, secret notes and so on.

Close White Envelope

Once the Security Officers finish their work with records in open White Envelope, they should close it. Security Officers can open and close the White Envelope repeatedly.

Editing mode of White Envelopes

Security Officers can enable editing mode and delete White Envelopes or records in them. To enable the editing mode, two of the Security Officers have to enter their access code.

Minimum count of Security Officers depends on settings in the SecureAnyBox configuration and settings in a domain. Please check how many Security Officers are needed.

When editing mode enabled, into tables of White Envelopes or records is added the first column with checkboxes. The Security Officer selects which White Envelopes or records will delete by checking appropriate row in a table. After all White Envelopes or records to delete selected, click the Delete selected button.

Deleted White Envelopes and records from them cannot be restored.

Once the Security Officers finish their editing of White Envelopes, editing mode should be disabled. To disable editing mode, click on the appropriate button.

Recover White Envelope

After the user with an active White Envelope resets access code, the White Envelope needs to recover. Until the White Envelope recovered, the user cannot view or change stored records and move records from other Safe Boxes into the White Envelope.

A White Envelope can be restored by a minimum count of the Security Officers.

Reactivate White Envelope

If the count of Security Officers was below the minimum and new Security Officers added, to work with the White Envelopes, their owners have to reactivate them.
To reactivate the White Envelope, go to the White Envelope page and confirm a warning message. When message confirmed, enter the access code. After the access code entered, the White Envelope successfully reactivated.

Initialize Security Officers

For initialization of Security Officers, are two reasons – a user became the new Security Officer, or current Security Officer resets his access code.

Only two other Security Officers can initialize a Security Officer. To initialize Security Officers, click on the Initialize Security Officers button. After that, two of the Security Officers have to enter their access code.

After successful initialization, the Secure Officer has access to White envelopes of other users and may do all operations with White Envelopes as others Security Officers (open, close or recover White Envelope, or initialize Security Officer).

Possible situations

Count of Security Officers is not sufficient

If any Security Officer deleted and count of Security Officers is not sufficient (below the threshold – set in a domain), it is necessary to add new Security Officers. After new Security Officers added, current Security Officers, need to initialize the new ones, to share the White Envelope key parts.

Count of Security Officers is below the minimum

If any Security Officer deleted and count of Security Officers is below the minimum (set in a domain), it is necessary to set a new Security Officers.

All White Envelopes have been reset. Reactivating them is necessary..

Deleted Security Officer has been re-added

If some Security Officer has been deleted and then re-added, it is necessary to set him as a Security Officer again. After the user has Security Officer role set, can be initialized.

Downloads

At the Downloads page, you can download SAB Importer, SAB Launcher, web extensions, SAB Manager plugins for FAR and Total Commander, and a trial version of CBT client.

SecureAnyBox Importer

SecureAnyBox Importer is a utility intended to import records from CSV files and KeePass. From KeePass, it is possible to import records from kdb, kdbx, and xml files.

SecureAnyBox Launcher

SecureAnyBox Launcher is a MS Windows application. In Safe Boxes is intended to be used to connect from (secret) accounts and for communication between web extensions and SecureAnyBox server

Approval of exceptions for SSL Certificates

If the SecureAnyBox server uses an SSL certificate that is not trusted in Windows, when Launcher connects to the server, a warning window will be displayed to warning about the potential security risk. This could be because the certificate is signed by a non-trusted certification authority in Windows, or because it is self-signed.

Launcher configuration enforced by Windows registry

Part of SecureAnyBox Launcher configuration can be enforced by setting it in the Windows registry (HKLM).
When starting SecureAnyBox Launcher, settings are loaded first from the Launcher and then from the Windows registry – HKLM. The setting values are overwritten as they load, and the last loaded setting is used.
In Windows registry, it is possible to store all Web extension settings and RDP gateway.

Launcher settings keys are stored in HKEY_LOCAL_MACHINE\SOFTWARE\TDP\SecureAnyBox Launcher. For a list of keys and recommended values, download the README file.

Click to download Launcher configuration enforced by Windows registry README file

You can also download a registry example file and edit key values in the file. After the file is edited, run it.

Click to download the Windows registry example file

SAB browser extensions for Mozilla Firefox and Google Chrome

SAB browser extensions simplify logging in to accounts on websites using stored accounts in SecureAnyBox.

If the extension on the web page recognizes the login fields, it will offer the user to fill in credentials from one of the saved accounts in SecureAnyBox. Also, the extension allows users to create accounts with login information directly from the website where they will be used.

Browser extension communicates with the SecureAnyBox Launcher, which communicates with the SecureAnyBox server, so to be able to work with browser extensions, it is necessary to have SecureAnyBox Launcher (minimum version 2.0.0.x) installed as well.

SAB Manager plugin for Total Commander

SAB Manager plugin allows you to work with data in Safe Boxes via Total Commander.

Installation

Open zip file in Total Commander (64-bit version). Total Commander automatically detects that it is a plugin and guides you through the installation. All dialog boxes have to be confirmed (Yes / OK).

Configuration

After the SecureAnyBox Manager plugin installed, the SecureAnyBox directory is available as a Network Neighborhood place. To open the directory for the first time, it is necessary to enter the SecureAnyBox server address, login information and etc. Next time, the connection will be opened, the user will be asked to enter the password only.

Shortcut Keys

Enter - Copies a password to the clipboard from your account, secret account, and credit card.

The plugin allows you to edit file or certificate in the appropriate program associated with the specific file type. After saving the modified file, it creates a new version of the file.

Alt+Enter - Displays properties of account, secret account etc.

F3 View - Displays the file if the record is File or Certificate.

F4 Edit - Edits a file if the record is File or Certificate.

F5 Copy - Copies the file (s) or certificate (s) from / to SecureAnyBox. Only file and certificate records can be copied.

F6 Move - Move is not supported.

F7 New Folder - Only in connection overview. Creates a new connection and writes data (connection name, URL, domain and username) to the registry.
The plugin does not create new records.

F8 Delete - Deleting records is not supported.

Deleted records

At the page Deleted records, a user can manage deleted records (such as Safe Boxes, Safe Box Groups, Accounts, etc.)

Deleted records can be permanently removed or restored to the original location.

You can remove permanently multiple records at one time by selecting them and clicking on the Remove selected button. The button is only displayed if some of the deleted records are selected. Removing selected records have to be confirmed.

Selected deleted records can be restored by clicking the Restore selected button. The button is displayed if some of the deleted records are selected.
Deleted records can be also restored to the original location by clicking on the restore icon ( ) at the end of a row. Restoring the record have to be confirmed.

Audit log

Audit log page displays a log of users actions in Safe Boxes, Safe Box Groups, White Envelopes and all records inside them. Depending on the user role, only actions of currently logged user or actions of all users are shown.

User can filter displayed actions in the log by entering a text into the search field. Searching is possible above values of the columns IP, User, and Action.

Results of filtering the audit log can export by clicking on the Download button.

The audit log can be refreshed manually by clicking on the Refresh button or automatically by clicking on the Enable autorefresh button. Automatic refresh of the audit log is possible to turn off by clicking on the Disable autorefresh button.

Reports

Access to Records

The Access to Records report shows all records into which the selected user has entered the access code, to view encrypted values. To run the report, select a user.

In report results, records into which currently logged user don’t have access, won’t be displayed even though the selected user accessed them. To view all records which selected user accessed, use the report with the same name in Audit part.

In report results, you can click the record name. After clicking, a record page displays in a new tab, where you can check details or even change the encrypted values. If the password has changed, the record is no longer displayed in the report results for the selected user because that user did not access the changed password.

To actualize report results, click the Refresh button.

Access to Safe Box

The Access to Safe Box report shows all records from selected Safe Box into which users have entered the access code, to view encrypted values.

In this report, Safe Boxes into which currently logged user does not have access, cannot be selected. To see results for any Safe Box (even the private one) within a currently logged user’s domain, use the report with the same name in Audit part.

In report results, you can click the record name. After clicking, a record page displays in a new tab, where you can check details or even change the encrypted values. If the password has changed, the users who access to record are no longer displayed in report results because they did not access the changed password.

To actualize report results, click the Refresh button.

Watching report

Watching report displays Safe Box Groups, Safe Boxes, and records which is currently logged user watching on the selected level.

• If you want to display all watched Safe Box Groups, Safe Boxes, and records click the Select Safe Box Group button and in the displayed list of Safe Box Groups select Root level.
  
• If you want to display all watched Safe Boxes, and records in specific Safe Box Group, click the Select Safe Box Group button and in the displayed list of Safe Box Groups select for which Safe Box Group results should display.
  
• If you want to display all watched records in specific Safe Box, click the Select Safe Box button and in the displayed list of Safe Boxes select for which Safe Box results should display.
  

Following icons are used to distinguish whether the watching is set explicitly or is inherited from the parent level:

	Watching of changes is set explicitly for that level. Accesses are not watched.
	Watching of changes is inherited from the parent level. Accesses are not watched.
	Watching of accesses to encrypted data is set explicitly for that level. Changes are not watched.
	Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
	Watching of changes and accesses to encrypted data is set explicitly for that level.
	Watching of changes is set explicitly for that level. Watching of accesses to encrypted data is inherited from the parent level.
	Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for that level.
	Watching of changes and accesses to encrypted data is inherited from the parent level.

If selected Safe Box inherits watching accesses and/or changes from the Safe Group, then the Safe Box Group will be displayed in the report results for selected Safe Box also.

Permissions

Report Permissions displays permissions of the selected user to all Safe Boxes, Safe Box Group and domain' root level. The results are filtered by permissions of the currently logged user. It means that the currently logged user will only see selected user' permissions for Safe Boxes, Safe Box Groups and domain' root level, for which currently logged user has permissions also.

To display results, click the Select user button and wait for a list of users. In the displayed list, select a user for which you want to display results.

The following icons are used to distinguish the level for which permissions set:

- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box

To manage permissions for the specific level, click its name in search results. After clicking the name, in new browser tab will be opened the Sharing & Permissions page for that level. At the page can be managed permissions for other users.

Permission Templates Assignment

Report Permission Templates Assignment shows all permission templates set for the selected user tag. The results are filtered by permissions of the currently logged user. It means that the currently logged user will only see permission templates for Safe Box Groups and Safe Boxes, for which the currently logged user has permissions.

To display results, click the Select user tag button and wait for a list of user tags. In the displayed list, select a user tag for which you want to see results.

The following icons are used to distinguish the level for which permissions set:

- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box

Passwords Audit

Report Passwords Audit displays all records that a logged on user has access to, and for passwords of displayed records, counts password entropy, time to crack the password, and alerts for duplicates of passwords.

To display results, select a level of audit:

• If you want to run an audit of all records, click the Select Safe Box Group button and in the displayed list of Safe Box Groups select Root level.
  
• If you want to run an audit for records in specific Safe Box Group, click the Select Safe Box Group button and in the displayed list of Safe Box Groups select for which Safe Box Group the audit should be performed.
  
• In a case, you want to run an audit for records in specific Safe Box, click the Select Safe Box button and in the displayed list of Safe Boxes select for which Safe Box the audit should be performed.
  

When the level of audit selected, a user is prompted to enter the access code. Have you forgotten the access code?

After entering the access code, SecureAnyBox checks all records which can decrypt with an entered access code, obtains passwords from them and counts results of the report.

To calculate passwords entropy and other values, SecureAnyBox uses password strength estimator nbvcxz . The password strength estimator inspires by password crackers.
Strength estimation accomplishes by running a password through different algorithms and looking for matches in any part of the password on word lists (with fuzzy matching), common dates, common years, spatial patterns, repeating characters, repeating sets of characters, and alphabetic sequences.
Each of these represents a way, how an attacker may try to crack a password. More information...

When loaded, in results are displayed Safe Box Groups and Safe Boxes, stored at the root level. By clicking on the plus icon ( ), you can see more detailed results – for each Safe Box inside a Safe Box Group or each account and secret account in a Safe Box.

Results for Safe Box Group and Safe Box displays the lowest value of Password Entropy of all records inside the Safe Box or Safe Box Group and how many passwords of records inside the Safe Box or Safe Box Group are duplicit.

In order to display the report results better organized, detailed results can be collapsed into results for Safe Box or even Safe Box Group.
Results for Safe Box Group and SafeBox displays the lowest Password Entropy of all passwords inside and how many passwords of records inside the Safe Box are duplicate.
After clicking on the record name, the record page displays in the new tab. On the records page, you can also change the password to a more secure one.

To refresh the report results, click the Run Report button again.

Password entropy

Password entropy is a measurement of how unpredictable a password is. The higher the value, the better.
Based on password entropy value, SecureAnyBox recognizes four levels of how secure the password is.

Password security		min.	max.	Description
really bad		0	20	password should be changed immediately
unsatisfactory		20	35	password does not meet security standards, should be changed
satisfactory		35	50	password meets security standards, but it can be better
really good		50		password is really secure

Time to crack online/offline

Depending on the password strength, SecureAnyBox counts how long it would take to crack your password online and offline. The longer a and more unpredictable your password is, the better.

Duplicity

SecureAnyBox checks passwords for duplicity. If there are any duplicates, a number of duplicate passwords displays. Due to security, we recommend changing duplicate passwords to unique ones.

If the number of duplicates is lower or equal to five, a warning icon ( ) displays. If the number of duplicates is higher than six, an error icon ( ) displays.
Next, to the number of duplicates, you can click the button ( ) to show records with the same password.

Last password change

Date and time when the password changed last time.

Time since change

The elapsed time since the last password change. If the time since change is higher or equal than two years, a warning icon ( ) displays.

Search for password

Report Search for password allows the user to see which records have a particular password. To run the report, enter the password you want to search for into the search field. After the password entered, click the search button ( ) or press Enter key. The entered password can be viewed by clicking the eye button ( ) anytime.

Once the Access code entered, SecureAnyBox decrypts all passwords to which the user has access. Then compares each decrypted password with the searched one and all records with the same password displays in the report results. SecureAnybox also computes the entropy of the password and displays it beside the search field. More about the entropy...

Audit

The audit is a part of SecureAnyBox application, accessible only to users with Auditor role, for auditors are three reports and the audit log of all parts available. Each auditor can audit within a domain, in which belongs. The only exception is an auditor from the System domain which can audit all domains.

Access to Records

The Access to Records report shows all records into which the selected user has entered the access code, to view encrypted values. To run the report, select a user.

In report results, all records into which currently logged user have access, are blue. After clicking on such record, a record page displays in a new tab, where you can check details or even change the encrypted values.
If record name is black, currently logged user hasn’t access to a record and nothing happens after clicking on it.
In a case, record name is crossed out, the record is deleted but can still be restored on the Deleted page.

If the password has changed, the record is no longer displayed in the report results for the selected user because that user did not access the changed password.

To actualize report results, click the Refresh button.

Access to Safe Box

The Access to Safe Box report shows all records from selected Safe Box into which users have entered the access code, to view encrypted values.

In report results, all records into which currently logged user have access, are blue. After clicking on such record, a record page displays in a new tab, where you can check details or even change the encrypted values.
If record name is black, currently logged user hasn’t access to a record and nothing happens after clicking on it.
In a case, record name is crossed out, the record is deleted but can still be restored on the Deleted page.

If the password has changed, the record is no longer displayed in the report results for the selected user because that user did not access the changed password.

To actualize report results, click the Refresh button.

Permissions

Report Permissions displays permissions of the selected user to all Safe Boxes, Safe Box Group and domain' root level. Unlike from report in Reports part, results of this report don’t filter by permissions of the currently logged user. That means that the currently logged user will see all selected user' permissions for Safe Boxes, Safe Box Groups and domain’s root level, even for which currently logged user has no permissions.

To display results, click the Select user button and wait for a list of users. In the displayed list, select a user for which you want to display results.

The following icons are used to distinguish the level for which permissions set:

- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box

To manage permissions for the specific level, click its name in search results. After clicking the name, in new browser tab will be opened the Sharing & Permissions page for that level. At the page can be managed permissions for other users.

Permission Templates Assignment

Report Permission Templates Assignment shows all permission templates set for the selected user tag. Unlike from report in Reports part, results of this report don’t filter by permissions of the currently logged user. That means that the currently logged user will see all selected user' permissions for Safe Boxes, Safe Box Groups and domain’s root level, even for which currently logged user has no permissions.

To display results, click the Select user tag button and wait for a list of user tags. In the displayed list, select a user tag for which you want to see results.

The following icons are used to distinguish the level for which permissions set:

- Root level of domain
- Shared (non-private) Safe Box Group
- Private Safe Box Group
- Shared (non-private) Safe Box
- Private Safe Box

Audit Log

The Audit log page displays a log of users actions in Safe Boxes and SecureAnyBox part of the application. The audit log results are filtered by domain into which currently logged user belongs. The only exception is an auditor from System domain which can see audit log of user actions from all domains.

It is possible to filter displayed actions in Audit log by clicking buttons SecureAnyBox logs or Safe Boxes logs . The filter can be turned off by clicking the All logs button.

You can also filter displayed actions in the log, by entering a text into the search field.

Searching runs above values of the columns IP, User, and Action.

Results of filtering the audit log can be exported by clicking on the Download button.

The audit log can be refreshed manually by clicking on the Refresh button or automatically by clicking on the Enable autorefresh button. Automatic refresh of the audit log is possible to turn off by clicking on the Disable autorefresh button.

If enabled in the Configuration, auditor can archive the audit log by clicking the Archive log records button. After clicking the button, it is necessary to confirm archiving.

SecureAnyBox

Stations

The Stations page intended for management of registered stations. After loading the page, users can see a table of registered stations for selected Agent Configuration.

To change the Agent Configuration, click on the Select Config button and in a displayed list select the configuration. After a different configuration is selected, the list of the registered domain is actualized and displays stations registered in the currently selected configuration.

Registered stations are possible to sort by any displayed column. To sort the stations, click on the column header. It is also possible to add more columns to the table of stations (IP address, Timezone, Default User, Station Registration). To configure a displaying of additional columns, go to the Agent Configuration page.

Registered stations can be filtered by the date of registration and last access. User with role Administrator from System domain can also see (and delete) inaccessible stations. Stations are inaccessible if the Agent Configuration with which the stations are registered is deleted.

As the IP address of the station displayed the address which station had during the last registration. IP addresses are not unique.

Register station

Stations have to be registered to get passwords for them. Once the station is registered, it is possible to get the password by clicking on a row in a table of stations. After clicking on a row with the registered station, the Get Password page will load with prefilled values according to the values specified in the registered station.

Stations may be registered by SecureAnyBox agent or manually. After successful installation of SecureAnyBox Agent and applying the configuration, the SecureAnyBox Agent checks if the applied configuration matches the Agent configuration on the server. If so, the station would be registered automatically (it might take 10 minutes). In some cases, the station on which the SecureAnyBox Agent installed, does not have access to the server and cannot be registered automatically. But the station can be registered manually.

To register the station manually, click on the Register station button and wait for displaying the station’s form.

If the station name is changed. It is necessary to re-configure SecureAnyBox Agent, which will later register the station with a changed name. Original station registration can be deleted manually from the SecureAnyBox later.

Delete station

To delete registered station, please click on the cross icon ( ) at the end of a row. Deleting the station have to be confirmed.

It is also possible to delete multiple stations at the same time. To select a station to delete, check the checkbox in the first column. After the selection is complete, click the Delete selected button.

Get Password

At the Get Password page is possible to obtain a password for a station. To get a password for the station is necessary to install SecureAnyBox Agent on the station. More about SecureAnyBox Agents...

To obtain the station’s password, please follow these steps:

In a case that you are obtaining a password for the registered station, all values pre-fill automatically.

Select the agent configuration which is the same as the configuration of SecureAnyBox Agent installed on the station.

Select an operating system of the station. Settings of the agent configuration limit selection of operating systems.

Please check and eventually correct the local date. The time automatically sets according to server time.

Enter the station’s name. The name has to be in a format specified in the agent configuration.
NETBIOS = use NETBIOS station name.
Fully Qualified DN = use full Active Directory station name with the domain (e.g.,STATION1.domain.local).
SID = use station unique SID (e.g.,S-1-5-21-3623811015-3361044348-30300820-1013).

To obtain a password, the station has to be registered. If a station with entered name is not registered, the user will be prompted to register the station before obtaining a password.

Check the User for whom the password will work. The user is pre-filled according to settings in the agent configuration.

Check and eventually correct a timezone set on the station. Depending on the previously set Local Date and Time and selected timezone, the Station Date and Time set.

Click on the Show password button.

After clicking on the Show password button, the Station password page loaded.

After 60 seconds you will be redirected back to the Get Password page.

Downloads

At the Downloads page, it is possible to download SecureAnyBox Agent, its configuration, and SAB Launcher.

SecureAnyBox Launcher

SecureAnyBox (SAB) Launcher is an MS Windows (.NET Framework 4.5.2 or higher required) application delivered as a msi package. After installation, the application runs in the system tray and registers the custom URI scheme for sab:// links from the SecureAnyBox web interface.

After SecureAnyBox Agent registers the station, its IP address is also registered. By clicking on the station IP address at the Stations page, SecureAnyBox Launcher launches Remote Desktop application and connects to the registered station.

SecureAnyBox Launcher is also used in Safe Boxes. More information...

SecureAnyBox Agent

SecureAnyBox Agent is a system service/daemon that ensures login to the station using the password obtained in SecureAnyBox. The password can be obtained at the Get Password page or from the Ticket. Configured SecureAnyBox Agent works completely autonomously even without connection to the server. If a connection to the server is available, the SecureAnyBox agent automatically performs station registration.

To suuccessfully install SecureAnyBox Agent is necessary to download the Agent Configuration file also. Please download the appropriate configuration file by clicking the configuration name. If the required configuration does not display in the list of downloads for your platform, please verify that the Agent Configuration includes settings for that platform as well.

After the SecureAnyBox Agent successfully installed and the configuration is applied, SecureAnyBox Agent verifies whether the configuration used matches the agent configuration on the server. If so, the station will be automatically registered (this may take 10 minutes). In some cases, the station on which the SecureAnyBox Agent installed does not have access to the server and cannot be registered automatically. Such a station can be registered manually.

Troubleshooting:

In a case of problems with SecureAnyBox Agent, please refer to the log. Logging of the SecureAnyBox Agent on the Linux and macOS platform runs automatically into a file var/log/secureanybox-agent.log. On Linux, you can even enable detailed debug logging in /etc/secureanybox/settings by renaming (or copying) the “settings.example” file to “settings” and uncommenting the “export SECUREANYBOX_AGENT_DEBUG = true” line.

The log file on the macOS platform is possible to view in the Console. The log file on the MS Windows platform is possible to view by using SAB Monitor utility (download in SecureAnyBox/Downloads) or in the Windows Event Viewer.

If the station is not registered even though the station has access to the server, the most likely reason is an incorrect configuration of the agent (e.g. the configuration has been changed on the server but not on the station) or a problem with https certificate verification. The https certificate must be imported as trusted on the agent station. On Linux, it must be located in a Keystore that uses Python for certificate verification. This can be checked in the terminal using the command:

python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'

If certificate validation is successful, on the first row of the response is code 200.

When the certificate validation fails, an error is displayed:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

If urllib2 not found

• Check which version of python installed:

python ––version

or

python -v

Urllib2 is a built-in package of Python 2.x.x. To be able to run urllib2, it is necessary to have Python 2.x.x (recommended 2.7.18) installed properly. Some distributions of Linux may not have full version of Python 2.7.x installed. Try re-installing it.

wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz

sudo tar xzf Python-2.7.18.tgz

cd Python-2.7.18/

sudo ./configure

sudo make altinstall

Tickets

Tickets are intended for sharing access to getting passwords for the stations. Once the ticket created, it can be shared with anybody (even with people without access to SecureAnyBox). Sharing a ticket is a convenient method for giving access to registered station passwords only for a limited time. For example, tickets can be shared with external technicians.

Shared access to passwords can be limited according to the specification of a ticket.

When the Agent Configuration is selected only, then based on the ticket is possible to get passwords for all registered stations with the same Agent Configuration as is selected.

If the Agent OS is also selected, then through the ticket is possible to get passwords for all registered stations with same Agent Configuration and operation system as is selected.

When the station name is specified too, then on the basis of the ticket is possible to get a password for the one station only.

The validity of the ticket is limited. The person, to whom the ticket was shared, can get a password between dates and times specified in fields Valid from and Valid until only.

It is possible to restrict the usage of tickets, by setting subnets. When the ticket has subnet set, it is possible to obtain a password from the ticket only if the device’s subnet is the same as is set in the ticket. In the ticket, it is possible to set multiple subnets.

Create ticket

To create a ticket, please click the New Ticket button. After clicking, a form for creating the ticket displays. After all values entered, please click on the OK button to confirm the ticket.

While saving the ticket, a unique identifier of the ticket generated. This identifier is displayed in a message after the ticket created.

Edit ticket

To edit an existing ticket, please click the ticket’s row in a table. After clicking, an edit form displays.

In the edit form, it can be changed all values except the agent configuration. After all changes are made, please confirm them by clicking on the OK button.

Share ticket

To share the ticket with another person, please click on the blue arrow icon ( ) at the end of a ticket’s row.
After clicking, a share ticket form displays.

The ticket can share two ways – by sharing the URL or by sharing the QR code. After opening the URL, a special page for tickets displays.

Access to this page is without authentication – so is possible to share tickets with people who do not have user account specified in the SecureAnyBox (e.g.,external technicians) or users who do not have access to the Tickets.

To obtain a password from the ticket is necessary to enter values into all fields. If all required values set in the ticket, a password for the station is displayed automatically.

Audit log

The Audit log page displays a protocol of getting passwords for stations and using tickets. Depending on the user role are shown only actions of currently logged user or actions of all users.

You can filter displayed actions, by entering a text into the search field. Searching is possible above values of the columns IP, User, and Action.

Results of filtering the audit log can be exported by clicking on the Download button.

The audit log can be refreshed manually by clicking on the Refresh button or automatically by clicking on the Enable autorefresh button. Automatic refresh of the audit log is possible to turn off by clicking on the Disable autorefresh button.

Agent Configuration

At the Agent Configuration page, you can set some General setting for SecureAnyBox like columns at the Station page or Registration interface, or you can set Agent Configuration and the LDAP Agent. You can also change the configuration password and download the SecureAnyBox configuration file.

General

You can configure which columns display at the Stations page and alternative interface which is only intended for registration of stations. If alternative interface enabled and set, registration interface hostname and HTTPS port exported into the SecureAnyBox Agent configuration.

We recommend to enable and set registration interface because the registration of SecureAnyBox Agents will not be affected by any changes (e.g., of hostname, address, port) in the configuration of SecureAnyBox server.

Agent Configuration

To generate passwords for stations, each station must have SecureAnyBox Agent installed with a proper configuration. In the Agent configuration, you can configure for which platforms can be used, a password pattern, a password seed base, for which user or user group the password will be generated.

After each modification of Agent Configuration, the SecureAnyBox Agent (respectively Agent Configuration) installed on stations must be updated or generated passwords might not work.

Add Agent Configuration

To add a new configuration, please click on the add Configuration button and wait for Agent Configuration form to display. After all values are set, please click on the OK button. To use a new Agent configuration, the SecureAnyBox have to be restarted first.

Edit configuration

To edit the Agent Configuration, please click on configuration name in a list of Agent Configurations. After clicking on configuration name, details of the configuration displays.

To open Agent Configuration edit form, please click on the Edit button. In the Agent Configuration, you can modify all values except the configuration name.

After changes finished, please confirm them by clicking on the OK button. To apply changed Agent Configuration is necessary to apply changes in the SecureAnyBox configuration first.

Copy configuration

In a case, you want to create similar Agent Configuration, as is already stored, you can copy the stored one. To copy the Agent Configuration, please click on configuration name in a list of Agent Configurations. When details of the Agent Configuration displays, please click on the Copy button.

After clicking on the button, please enter the configuration name, modify values, which needed to be changed and confirm new Agent Configuration by clicking on the OK button.

Due to security reasons, we strongly recommend changing the Password Seed Base.

To use the new Agent Configuration is necessary to apply changes in the Configuration.

Remove configuration

To remove the Agent Configuration, please click on configuration name in a list of Agent Configurations. After clicking on configuration name, details of the configuration displays and click the  Remove button.

Removing the Agent Configuration have to be confirmed by applying changes in the SecureAnyBox configuration.

LDAP Agent

LDAP Agent holds LDAP server connection settings used for user password changes. Without LDAP Agent it is not possible to get passwords for LDAP users.

Add LDAP Agent

To add new configuration of LDAP agent, please click on the add LDAP Agent button and wait for LDAP Agent form to display. After all values set, please click on the OK button. To use a new LDAP Agent configuration is necessary to restart the SecureAnyBox server first.

Edit LDAP Agent

To edit the LDAP Agent, please click the agent name in a list of LDAP Agents. After clicking on agent name, details of the agent displays.

To open LDAP Agent edit form, please click on the Edit button. In the LDAP Agent, you can modify all values except the configuration name.

After changes made, please confirm them by clicking on the OK button. To apply changed LDAP Agent is necessary to apply changes in the SecureAnyBox configuration first.

Copy LDAP Agent

In a case, you want to create similar LDAP Agent, as is already stored, you can copy the stored one. To copy the LDAP Agent, please click the agent name in a list of LDAP Agent. When details of the LDAP Agent displays, please click on the Copy button.

After clicking on the button, please enter the Agent ID, modify values, which needed to be changed and confirm new LDAP Agent by clicking on the OK button.

To use a new LDAP Agent is necessary to apply changes in the Configuration.

Remove LDAP Agent

To remove the LDAP Agent, please click the agent name in a list of LDAP Agents. After clicking on agent name, details of the LDAP Agent display and click on the Remove button.

Removing the LDAP Agent have to be confirmed by applying changes in the SecureAnyBox configuration.

Execute LDAP Agent

By executing LDAP Agent, you change the password(s). Which passwords are changed depends on settings of Agent Configuration.

If any of users to whom should be changed password is set as SecureAnyBox mgr for any LDAP connector or LDAP Agent, then the password of that user will not be changed.

To execute the LDAP Agent, please click the agent name in a list of Agent Configurations. After clicking on agent name, details of the LDAP Agent display and click on the Execute button.

Administration interface

Configuration

A configuration of the SecureAnyBox application is divided into several sections. Each section can be independently edited. To change settings in the section, click on the edit button at the top of a section.

After clicking on the edit button a section’s form displays. At the bottom of each form are displayed three buttons – Test, OK, Cancel.

When changes made, you can test the new values (by clicking on the Test button), if they’re in a correct format and so on. If the test of values was successful, you can confirm the changes by clicking on the OK button.

Changed sections of the configuration will display marked with a blue checkmark.

To apply changes in the configuration, you need to restart the application by clicking on the Apply button. If changes should not be applied, click on the Revert button.

Summary

After clicking the Configuration button in the menu, a Summary page of Configuration displays. At this page, configured LDAP connectors and server messages are displayed.

For each of LDAP connectors, a status is displayed – whether communication with connector is working. After clicking on the connector’s name, settings of the connector displays.

At the Summary page, it is also possible to download the configuration.

General/Web interface

General SecureAnyBox server configuration and Web interface/API configuration.

Logging

Diagnostic log configuration. You can set the log level for specific parts of SecureAnyBox or a count of lines loaded into the browser into the current log view.

SIEM Syslog

Configure settings of the connection between SecureAnyBox and Syslog server. You can also set syslog facility, event source and log level of records sent to the syslog server. You can establish multiple syslog connections — for each syslog server, one for audit log and second for diagnostic log and so on.

Audit log archiving

Archiving of audit log can be done manually or automatically. Manual archiving can be started at the Audit log page in the Audit part of the SecureAnyBox.

Archived audit log records will be stored in separate files on the server. Once records are archived, they cannot be viewed in SecureAnyBox.

Users & Security

At this tab of the Configuration, it is possible to configure users and security oriented parametres of the SecureAnyBox. Such as a maximum number of login attempts, duration of the login ban and login password policy, etc.

Displaying full names of users

Backup

Backup of SecureAnyBox server is done at every midnight (if the server runs) or at the earliest possible opportunity. It is possible to set a configuration of backup and check if the backup ran.

To edit the configuration of Backup, click on the edit button and wait for a form to display.

Table with information about backups displays below the backup configuration details.

LDAP Connector

The LDAP connector holds LDAP server connection settings used for communication with the LDAP server to synchronize users from LDAP to the SecureAnyBox, and vice versa. Three types of Directory services are supported – eDirectory, Active Directory, and generic LDAP.
For each connector, it is possible to set more than one LDAP server for backup or load balancing purposes. All servers set to one connector need to be the same type (eDirectory, Active Directory, or generic LDAP).

By clicking the sync button, a user starts manual synchronization with the LDAP server. User is also redirected to the LDAP synchronization log page, where is possible to see synchronization results.
By clicking the view button, a user is redirected to the LDAP Viewer page, where he can view which users can be synchronized from the LDAP server after filtration specified in the LDAP connector is applied.

To create a new LDAP connector, click on the add LDAP Connector button and wait for a form to display.

To complete the configuration of the LDAP connector, please confirm the form by clicking the OK button. The application must be restarted for the LDAP connector to function properly.

eDirectory installation

While configuring new eDirectory LDAP connector, you can click on the Create SecureAnyBox objects button, to proceed eDirectory installation directly from SecureAnyBox web interface. After clicking on the button wait for the eDirectory Installation form to displays.

Once all required values set, click on the OK button and wait until the installation process successfully. If no error occurs, eDirectory Installation form is no longer displayed, and in the LDAP connector form is displayed a message Success.

KeyShield SSO Integration

In this part of SecureAnyBox configuration, you can set integration with the KeyShield SSO. SecureAnyBox support two types of Keyshield authentication – by IP address and by certificate using Client API.

Safe Boxes

Configuration of Default password pattern, which is used in Safe Boxes and Records, offering of previously entered labels, maximum file size, policy of the Access Code and applying of permission templates.

Access Code Policy

Settings of the required characters in the Access Code

Mail and Notification

Configuration of e-mail notifications. Notifications will be sent when some user makes changes in the records (Safe Boxes, Accounts and so on).

External files

Configuration of external files. External files are encrypted by SecureAnyBox and stored on another server. In this part of the Configuration, it is possible to set default external files path.

User management

Domains

Create domain Edit domain Disable domain Delete domain Show Domain Users

The page intended to manage domains. Only users with a role User Manager or Administrator have access on this page.

Domains can be used to divide a SecureAnyBox into several parts. Each domain has its users management and it is possible to create a hierarchical structure of domains.

The structure of domains can copy the structure of your company, and it is possible to create a hierarchy by setting the visibility of one domain for other domains, which are on the higher spot in a company structure.

For example, here can be created two domains named "Management" and "Technical support". Because users of the domain "Management" have a higher position in the structure of the company, the domain "Technical Support" will be set as a visible for users of the domain "Management".

This setting allows the domain users "Management" to grant access to Safe Boxes to users of both domains, but users of the domain "Technical support" can grant access to Safe Boxes only to users of their domain.

Domains can also copy the structure of containers in LDAP. When setting an LDAP connector is required to select the domain, into which users will import from that connector. Each LDAP connector can have only one domain.

Create domain

Only users with a role Administrator from System domain can create a domain. Users with a role User Manager can only edit their domain.

To create a domain click on the New Domain button at the Domain page. After clicking on the button, the domain’s form displays.

All fields are going to display after entering a domain name.

Edit domain

To edit a domain, click on the row in a list of domains. After clicking, the domain form will display. In the form can be changed any value.

To apply changes, click on the OK button.
By clicking on the Cancel button, all changes will revert.

Disable domain

By disabling a domain, you can block login of all users in the domain. To disable the domain, open domain’s form by clicking on the row in a list of domains and uncheck the Enabled field. After saving, the domain is disabled.

The domain which was disabled can be enabled anytime.

Delete domain

The domain can be deleted only if it does not contain users. To delete the domain, click on the cross icon ( ) at the end of a row in a table of domains.
Deleting the domain have to be confirmed.

Show domain users

It is possible to view users from a specific domain by clicking the appropriate icon ( ) in the domain table. After clicking the icon, a list of users of the domain will show in the new tab.

Users

Create user Edit user Disable user Enable user Unban user Export a list of users Delete user Invite user Send message Move user

The Users page is intended for the users management. Only users with a role User Manager have access to this page.

Users are filtered by domain by default. To change a domain by which users are filtered, click on the Select domain button and in a list of domains choose a domain whose users should be displayed. It is possible to have displayed all users from all domains by clicking on the All Domains in a list of domains.

Users can be created manually or can be imported from LDAP.

Create User

Before creating a new user is important to select the domain into which a user will create.

To create a new user, click the New User button. After clicking on the button, a user form displays.

Fields Security Officer ( ) and Inherited ( ) can be edited after the new user sets an access code.

User roles

The user role also determines to which parts of SecureAnyBox the user have access to and what actions he can perform. A basic overview of what actions and parts of SecureAnyBox are accessible for a user with specific user role is in the table below.

Grouping of user roles

When setting up a user role, other roles can be automatically set to the user too. It happens if user role includes all features of another role.

For example, user role Administrator includes all features of SecureAnyBox User, SecureAnyBox Admin, and User Manager user roles and even some extra features (access to the Configuration and can create a domain). So when user has an Administrator user role, he also has SecureAnyBox User, SecureAnyBox Admin, and User Manager user roles.

Edit user

To edit the user, click the user’s name in a list of users. After clicking, a user details displays.
If the user is imported from LDAP, different fields display in a user detail.

User can be also edited from the user’s action menu. To open the action menu, click on three dots ( ) in the Actions column. After clicking, action menu appears, where it is necessary to click on the Edit .

After changes finished, confirm them by clicking the OK button in the user details form. Depending on changes, you can be asked to enter the access code. Have you forgotten the access code?

Disable user

If you only want to prevent the user from login to SecureAnyBox, you can disable the user’s account. Once disabled, the user cannot access SecureAnyBox, but all his records are still stored. Unlike deleting, this action can be taken back anytime.

To disable the user, uncheck Enable field in user details form.

User can be also enabled from the user’s actions menu. To open the action menu, click on three dots ( ) in the Actions column. After clicking, action menu appears, where it is necessary to click on the Disable .

It’s also possible to disable multiple users at one time. Please check all users which should be disabled and click on the Disable button. After clicking, all selected users are disabled.

Enable user

The user must be enabled, to be able to log in to SecureAnyBox. To enable the individual user, check the Enabled field in the user details form.

User can be also enabled from the user’s action menu. To open the action menu, click on three dots ( ) in the Actions column. After clicking, action menu appears, where it is necessary to click on the Enable .

It is also possible to enable multiple users at once. Please select all users to be enabled and click the Enable button. After clicking, all selected users will be enabled.

Unban user

If the user enters access code or login password incorrectly for many times, then the user is temporarily banned to enter the access code or to login. Banned users have an icon with a red lock in the list of users.

- Built-in administrator account, login is banned.
- Manually created user, login is banned.
- User is disabled, login is banned.
- Synchronized from LDAP connector, login is banned.
- Access code entry is temporarily banned because it was entered incorrectly several times.

The number of unsuccessful attempts of entering the access code or the login password, and how long the user is banned, is set in the Configuration.

To unban banned users, select all users to be unbanned and click the Unban button.

Export a list of users

At the Users page, it is possible to filter displayed users by checking/unchecking filter fields ( ). The filtered list of users is possible to export in CSV format by clicking on the Export to CSV button.

Into a file are exported values displayed in a list of users (name, username, email, domain, LDAP connector and roles).

Delete user

User can be deleted from the user’s action menu. To open the action menu, click on three dots ( ) in the Actions column. After clicking, action menu appears, where it is necessary to click on the Delete .

If the user is the only one, who has permissions for some Safe Box, the Safe Box will be deleted with the user. If you don’t want to delete the Safe Boxes, assign permissions for these Safe Boxes to a different user.

Invite users

After users created, you can send them an e-mail invitation to SecureAnyBox. In the invitation will be a link to set the password. Once the password is set, the user can log in and set the access code.

To send invitations to users, select (by checking) users you want to invite to the SecureAnyBox and click the Invite users button.

To send the invitations, you have to configure mail server in the Configuration first.

User can be also invited from the user’s action menu. To open the action menu, click on three dots ( ) in the Actions column. After clicking, action menu appears, where it is necessary to click on the Invitation .

After clicking Invitation in the user’s actions menu, the dialog Invitation displays. If the user has set e-mail address, you can create and send invitation to user’s e-mail or you can create invitation without sending it.

If the invitation is only created and does not have been sent, in the invitation dialog appears an invitation link which is possible to copy to clipboard.

Send message

If users have an email address specified, you can send them a message from SecureAnyBox.
To send a message to users, select (by checking) users you want to send a message and click the Send message button.

To send the messages, you have to configure mail server in the Configuration first.

After clicking the Send message button, a window for entering message text displays. To send a message, click the Ok button.

Move user

Users can be moved between the domains. To move users, select all users which should be moved and click on the Move button.

Moved user lose all inherited permissions to Safe Boxes. All assigned permissions stay valid.

After clicking on the button, a list of domains into which you can move selected users displays. Please select a domain into which selected users move, by clicking the domain name.
The move of users has to be confirmed.

User tags

Only users with a role User Manager have access to this page.

User tags intended for easier management of users and their permissions. To each domain, it is possible to assign an unlimited number of tags. User tags can be added to users with same domain only.

User tag can be assigned to:

• LDAP connector - user tag will be assigned to all users imported from the LDAP connector, and it is possible to assign tag to user group FDN also.
• domain - user tag will be assigned to all users in the domain
• user

User tag is used to create a Permission template for users who have the user tag assigned.

LDAP Viewer

Only users with a role Administrator have access to this page.

LDAP Viewer allows you to browse the LDAP tree of any of configured LDAP connectors. LDAP Viewer uses the “SecureAnyBox manager” account defined within the selected LDAP connector configuration. This means, that LDAP objects and their attributes you see with the LDAP Viewer correspond to what the selected authentication connector ‘sees’. If you don’t see what you expect (a specific user object or its attributes), then the access rights of the “SecureAnyBox manager” account for the particular LDAP tree are not sufficient. Please check the access rights assigned to the search base or root of the LDAP tree as well as possible inheritance filters.

To use LDAP viewer is necessary to configure at least one LDAP connector. After opening the page, a list of LDAP connectors displays. By clicking the connector name, you can view objects in a search base (as configured in the LDAP connector).

Displayed objects are folders (containers) and users. Click the folder name to view users and folders inside the folder. Click the username to view details about the user.

It is possible to filter the displayed objects by entering their name in the search field above the table. Should you need filter the displayed objects by LDAP search expression, click the Lookup object(s) button and use the filter field instead.

Logs

Only users with a role Administrator have access to this pages.

In the Logs part of the application, it is possible to see diagnostic log or LDAP synchronization log. Different log levels in displayed messages are visually distinqished:

Log levels:

INFO

WARNING

DEBUG

ERROR

Diagnostic log

On the Diagnostic log page a current log is automatically displayed.

The current log can be refreshed manually by clicking on the Refresh button or automatically by clicking on the Enable autorefresh button. Automatic refresh of the log is possible to turn off by clicking on the Disable autorefresh button.

To change a log level or log browser line limit, click on the Configure logging . After changes are confirmed, it is necessary to restart the SecureAnyBox for applying the changes.

To download the current log, click on the button Download and confirm the download.

If you need older than current log, click on the Logs button to display a list of available logs.

In the first table are displayed application logs for each day. To download the log, click on the log file name and confirm the download.

LDAP sync log

On the LDAP sync log page, is displayed a table with names of specified LDAP Connectors. Click on the connector name to view details of the last synchronization with LDAP.

The synchronization log can be refreshed manually by clicking on the Refresh button or automatically by clicking on the Enable autorefresh button. Automatic refresh of the synchronization log is possible to turn off by clicking on the Disable autorefresh button.

Synchronization of users can be started manually by clicking on the Synchronize button.

Settings of the synchronization can be changed anytime by clicking on the Configure <LDAP connector name> button.

To download the log of the last synchronization, click on the button Download and confirm the download.

To filter skipped users during the synchronization with LDAP, click on the button Show only skipped users .

Server status

Server status page intended for displaying problems with SecureAnyBox server. If any error or warning occurs, users will be warned by the number of errors and/or warnings in the top right corner of the page.

	On the SecureAnyBox server occurred 1 error, and 2 warnings
	On the SecureAnyBox server occurred 1 warning
	On the SecureAnyBox server occurred 1 error

After clicking on the number of errors and/or warnings, the Server status page loads. On the Server status page are shown three sections – Server Messages, Station registrations, and White Envelopes. In accordance with the user’s role, the SecureAnyBox determines which sections will display.

Server Messages

Server messages section displays only to the user with role Administrator. To handle messages from this section, go to the Configuration page.

Station Registrations

Station registration section displays only to the user with role SecureAnyBox Admin. To handle messages from this section, go to the SecureAnyBox part of the application.

White Envelopes

White Envelopes section displays only to the user with role User manager, and Security Officers

Guidelines

Synchronize users with LDAP

Manually created users can be synced with the LDAP server additionally, without losing saved data. It is possible to associate a user with an existing LDAP account or create a new LDAP account.

To synchronize a user with LDAP, the user must pass these conditions:

• the user is specified in a domain set as the target domain of LDAP connector
• the user must have the Synchronize field checked, and the GUID set.

We also recommend setting the username in SecureAnyBox same as username (UID) in LDAP.

During the synchronization, the users' information should be updated according to information in LDAP and fields LDAP connector, and LDAP DN should fill. Otherwise, synchronization was unsuccessful and please refer to the log of synchronization.

To see the log of synchronization go to Administration > Logs > Logs and click the LDAP connector name in Synchronization table. At the synchronization log page, you can view a log of the last synchronization with LDAP connector, start synchronization and open configuration of LDAP connector.

All issues that occurred during the synchronization have the WARNING logging level and have yellow coloring.

GUID is not unique

While entering the GUID into manually created user details, an error message that the GUID not unique appears.

A user account may have been already imported from LDAP to SecureAnyBox. You can search users by GUID on the Users management page. A user with the same GUID can even be in another domain. To search for users in all domains, please click the Find users button.

In a case, the user already imported from LDAP, please delete the imported account. Then enter the GUID into user details of the user who should be synchronized with LDAP and run the synchronization with LDAP.

Manually created user failed to synchronize with LDAP

To determine the cause of the failure, please go to the synchronization log page and enter the username of the synchronized user in the search field.

Installation on Linux

Upgrade on Linux

SecureAnyBox upgrade is provided by the installation script which is a part of the new release package downloaded from the website. Download the .bin package from the Downloads section at www.secureanybox.com. Then start the installation by ./inst_secureanybox…

If your installation is standard with the embedded Oracle Java (recommended), answer No.

Then the script gets the path used for the previous installation and offers it as default. Confirm this path because this is an upgrade and the goal is to upgrade the existing installation – running instance.

The configuration.properties file must be preserved to upgrade the running system.
Confirm default answer N = not to overwrite

Now you are ready to start the new installed release – it will stop SecureAnyBox and rerun it. Once the new release is running, it will convert the database (if alteration is a part of the upgrade) seamlessly.
Don’t miss to authenticate to the system console and enter the configuration password if applied – otherwise, agent support will not work.

Installing the Java Cryptography Extension

Before installation of Java Cryptography Extension, please stop SecureAnyBoxServer service.

To install Java Cryptography Extension, you need to download a zip archive from the Oracle web. When downloaded, please extract files from the zip archive and copy jar files into a <SecureAnyBox folder>/jre/lib/security.

After installation, the SecureAnyBox Server service can start.

Validate if HTPPS certificate is successfully imported on the station

Installation steps of SecureAnyBox Agent

Installation of SecureAnyBox Agent on MAC OS

To install SecureAnyBox Agent on MAC OS platform, please run installer (secureanybox-agent-1.x.pkg).

At the third step of the installer, it is possible to change an install location, by clicking the appropriate button ( ). To proceed with the installation, please click the Install button ( )

After clicking the Install button, it is necessary to enter the user password to allow the installation.

Once the installation finished, information about the successful installation of the SecureAnyBox Agent is displayed.

When the installer closed, please go to the Launchpad where you can find the sab-config application.

Start the application by double click on its icon. When the application starts, please select the downloaded configuration file by clicking on the button ( ). Once the configuration file selected, apply it by clicking an appropriate button ( ).

To apply the configuration is necessary to enter your password.

After the configuration was updated, information about it displays, and SecureAnyBox agent successfully installed.

After the installation complete, SecureAnyBox Agent verifies that the applied Agent Configuration matches the configuration on the SecureAnyBox server. If so, the station will be registered automatically (it might take 10 minutes). If the SecureAnyBox Agent does not have access to the server, it is possible to register the station manually.

Initialization of admin

After successful installation, the SecureAnyBox starts and the initialization page displays. To login into a web interface, is required to set the admin password first.

In the Security Code field, is pre-filled unique code for your installation.

While entering the password, you can see how long your password is, how many lowercase letters, uppercase letters, numbers or other symbols password contains and how secure your password is.

The password has to be confirmed by clicking on the OK button. After confirming the password, the login page displays.

First login

For a user to log into SecureAnyBox, the user needs to be created and has a password entered.
If more than one domain is specified, the user must also enter the domain name when logging in.

After entering the login credentials, a page for setting an access code displays. The access code is used to decrypt secured information (such as passwords, certificates) and to confirm changes.

While entering the access code, you can see how secure your access code is and also how many of the required characters you are using.

Requirements to characters of the access code are possible to change in a configuration. More...

After the access code set, the page automatically redirects to the root level of Safe Boxes.

How to set automatic login of default user by SecureAnyBox Agent

Automatic login by SecureAnyBox can be set for station default user only. Other users have to log in manually. This setting can be convenient for stations on which works more than one user, but the station primarily is used by a user with the lowest permissions. That user can be set as default and will automatically log on.

To set automatic login SecureAnyBox Agent on stations, please follow these steps:

Create Agent Configuration, where will be settings for all platforms of stations, on which you want install SecureAnyBox Agent.

At the Downloads page, please select appropriate Agent Configuration and download the SecureAnyBox Agent and it’s configuration.

Install SecureAnyBox Agent on a station.

If in the Agent Configuration is set to change the password of a group, is necessary to have set local users group in which will be all users, who will be able to obtain the password from SecureAnyBox. Default user has to be set as one of them.

Please set default user on your station.

After the restart of the station, the first automatic login should go through – the SecureAnyBox Agent sets the user’s password and changes it in the registers where the automatic login is stored. Password for default user can be obtained in SecureAnyBox at the Get Password page as for any other user.

Updating a password for default user in the Active Directory domain

In a case, that same default user set on more than one station; it is convenient to set changing a password for default user in the Active Directory domain. When all is set correctly, after the change of password of LDAP user, SecureAnyBox LDAP Agent checks all registered stations and where the user to whom the password changed set as default, the SecureAnyBox LDAP Agent changes a password for the station.

To update a password for default user in Active the Directory domain, please follow these steps:

Set Agent configuration for stations. In Agent configuration for LDAP platform set field Change password of to value default users in domain .

If you not have set App URL in general configuration of SecureAnyBox,it is necessary to set it in the Agent Configuration. App URL has to be accessible from the internet (out of local network). Without setting of App URL, the SecureAnyBox Agent can have problems with connection to SecureAnyBox server.

Configure LDAP Agent. In LDAP Agent select Active Directory as Directory service and prepare Active Directory server.

Into LDAP Agent select the Agent Configuration, which you created in the first step.

Into the Default user domain field, enter Active Directory domain name into which default user belongs, and if necessary, modify the User id attribute . Please configure other required values in LDAP Agent form and create LDAP Agent by clicking on the OK button. To apply the LDAP Agent is necessary restarting SecureAnyBox.

At the Downloads page, please select the Agent Configuration created in a first step and download the SecureAnyBox Agent and it’s configuration.

Please set default user on your station.

Install SecureAnyBox Agent on a station.

After successful installation of SecureAnyBox Agent, a station should automatically register in the SecureAnyBox. Please check at the Stations page, that registration of the station ran successfully.

While registering, the SecureAnyBox Agent (for Windows), if the default user is enabled, sends default user information when registering (including the domain if it is a domain user). If the default user is a domain user, the SecureAnyBox Agent does not set the password – because it does not have permission to change the password of a domain user. In that case, a password of a domain user is set by the LDAP Agent.

The LDAP Agent scans all registered stations and retrieves from them default users whose domain is the same as default user domain specified in the LDAP Agent configuration. LDAP Agent generates and sets new passwords for these default users. This process takes place when you start the SecureAnyBox server, then every hour and after a click on the Execute button.

Automatic authentication to KeyShield SSO

Depending on your configuration, users can authenticate via KeyShield SSO. For the automatic authentication, it is necessary to install the KeyShield SSO client on the station.
Instructions for unattended installation are at KeyShield_server/static/kshield_msi.page. For manual installation/configuration please follow screenshots:

The OES client for Windows integration works in a similar manner like former ClientTrust for BorderManager – KeyShield server creates a token and stores it as a value of an attribute of the user’s object. KeyShield client reads the value through the OES client for Windows API, uses it as a challenge, generates a response and sends it to the KeyShield server. Then the KeyShield server validates it and if OK, accepts the client authentication request and sends confirmation back to the client. Client changes the color of the icon in the taskbar to green to inform the user that authentication finished. Here is the related setting in the related eDirectory connector of the KeyShield server (keep in mind, you can use as many eDirectory trees, AD forests, etc. as you need at the time).

This is a so-called custom setup, but it is not necessary. The best practice is to let the KeyShield server to configure eDirectory connector automatically by choosing.

First, enter Connector ID and provide LDAP server IP and port.

Then click "Create KeyShield SSO objects"

KeyShield SSO will create own mgr account (proxy account used to access eDirectory), extend schema by auxiliary class (can be removed) for tokens and assign minimum access rights the mgr account needs.

Once you are done with this setting, the automatic authentication with the OES client for Windows should work. If not, consult Diagnostic log.

Import certificate on MS Windows

Importing the certificate is necessary for automatic registration of the station into SecureAnyBox via HTTPS protocol.

To import the certificate, please follow these steps:

Import certificate on macOS

To install the certificate on a Mac platform, please download the certificate on your station and follow these steps:

Import Keyshield SSO certificate to Java Keystore

Installing browser extension using GPO

Google Chrome

At first, install Chrome policy templates.

Group policy editor

Windows registry

Instead of using GPEDIT, you can write the settings directly into the windows registry.
Into key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist enter the value:

“1”="jmjiclmedngjhklhcafhkmbhmdiecgif;https://clients2.google.com/service/update2/crx"

Mozilla Firefox

At first, install Firefox policy templates.

Group policy editor

Windows registry

Instead of using GPEDIT, you can write the settings directly into the windows registry.
Into key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install enter the value:

“1”="http://<yourssecureanyboxserver.com>/swb/down/secureanybox-1.1.14-fx.xpi"

And into the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked enter the value:

“1”="sab_login@secureanybox.com"