SecureAnyBox5 User Guide


First steps and user settings

First login

To log into SecureAnyBox5, the user account must already exist and a password must have been set for it.
If more than one domain is specified, the user must also enter the domain name when logging in.

Login page

Only one domain is specified. You only need to enter your username and password to sign in to SecureAnyBox5.

More than one domain is specified. You must also enter a domain name to log into SecureAnyBox5.

After entering the login credentials, a page for setting an Access Code displays. The Access Code is used to decrypt secure information (such as passwords or certificates) and to confirm changes.

While entering the Access Code, you can see how secure your Access Code is and also how many of the required characters you are using.

Entering the Access Code

Actual/required length of the Access Code

Actual/required number of lowercase letters

Actual/required number of uppercase letters

Actual/required number of numbers

Indicator of how secure the Access Code is

Button for displaying the Access Code

Estimated time to crack the Access Code online

Actual/required entropy of the Access Code (the higher, the better)

The character requirements for the Access Code can be changed in the Configuration (for users in all domains) or in the domain details (for users in that domain).

After the Access Code is set, the page automatically redirects to the root level of Safe Boxes.

User interface – controls

SecureAnyBox5 user interface

Full name of the logged-in user and the domain the user logged into
After clicking the menu icon (next to the user’s name), a context menu displays. In the context menu, it is possible to change the user’s settings, activate the White Envelope or log out of the application.

Notification area
If an error or warning occurs, or some action needs to be performed, a notification is displayed in this area. For more information, click the notification icon.

Main menu
The main menu of the application. Displayed menu items are dependent on the user’s role and other settings.

Information about license
License information is displayed only to users with the “Administrator” role.

Breadcrumb navigation
The breadcrumb navigation shows the path to the currently opened page. By clicking a breadcrumb navigation element, it is possible to move to the parent level.

Page menu
The list of possible actions on the page.

Filter area
Enables filtering of the items displayed on the page.

Change Access Code

If you know your Access Code and need to change it (for security reasons, because you shared it with someone else, etc.), click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the menu, click the Change Access Code button (2).

Context Menu

After clicking the button, a form for changing the Access Code displays. To change the Access Code, enter the current Access Code into the first field and the new one into the other two fields. While entering the new Access Code, you can see how secure it is and how many of the required characters you are using.

Change Access Code Form

To confirm the new Access Code, click the OK button. After the new Access Code is set, a success message displays.

Success message

Forgotten Access Code

If you have forgotten your Access Code, you can reset it. By resetting your Access Code, you lose access to all Safe Boxes, and Safe Boxes accessible only by you are deleted.

Before resetting the Access Code, consult your administrator about what will be lost.

To reset the Access Code, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the menu, click the Reset Access Code button (2).

Context menu

You need to confirm the warning only if you have access to some Safe Box. Otherwise, you are asked to enter a new Access Code immediately.

In the Reset Access Code form, you must confirm the warning that you will lose access to all Safe Boxes. You can also check which Safe Boxes will be deleted, because after the Access Code is reset, nobody will have permissions for them.

Reset Access Code form

After the warning is confirmed, a form for entering the new Access Code displays. While entering the Access Code, you can see how secure it is and how many of the required characters you are using. To confirm the new Access Code, click the OK button.

New Access Code

After resetting the Access Code, a message about the successful reset displays. You can now confirm changes with the new Access Code. If you had inherited permissions for Safe Box Groups and Safe Boxes, another user can share them with you again. Your White Envelope can also be activated again, but all assigned permissions have to be assigned manually.

Success message

Change Login Password

Users synchronized from LDAP/Azure AD cannot change their password in SecureAnyBox5, because the password would not change in LDAP/Azure AD. If you are not sure whether your account is synchronized from LDAP/Azure AD, contact your administrator before changing the password.

To change your login password, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the menu, click the Change Login Password button (2).

Context menu

After clicking the button, the Change Login Password form displays. To change your login password, enter the current password into the first field and the new one into the other fields. While entering the new password, you can see how long it is, how many lowercase letters, uppercase letters, numbers or other symbols it contains, and how secure it is.

Change Login Password form

To confirm the password change, click the OK button. After the password is changed, a success message displays.

Two-Factor Authentication

To improve the security of data stored in SecureAnyBox5, users can use Two-Factor Authentication. The second factor is a 6-digit code from an Authenticator app that has been paired with SecureAnyBox5 via a secret key.

Enable Two-Factor Authentication

Each user can enable Two-Factor Authentication for SecureAnyBox5. If Two-Factor Authentication is enabled, the user has to enter a verification code every time they log in. The verification code is generated by the Authenticator app on the user’s mobile phone (iOS and Android).

To enable Two-Factor Authentication, the Authenticator app must be installed on a mobile phone.

To enable Two-Factor Authentication, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the displayed menu, click the Two-Factor Authentication settings button (2).

Two-Factor Authentication settings

After clicking the button, a wizard displays. To enable Two-Factor Authentication, it is necessary to pair the Authenticator app with SecureAnyBox5. Follow the steps in the wizard.

first step

second step

third step

fourth step

After Two-Factor Authentication is set, the user has to enter the second factor every time they log in. Two-Factor Authentication can be deactivated by the user in the Two-Factor Authentication settings, or by a user with the User Manager role in the user’s details.

Pair another Authenticator

Once Two-Factor Authentication is set and confirmed, it is possible to pair another Authenticator.

To pair another Authenticator, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the displayed menu, click the Two-Factor Authentication settings button (2).

Two-Factor Authentication settings

After clicking the button, a wizard with two options displays. Click the PAIR ANOTHER AUTHENTICATOR button and follow the steps. Once another Authenticator is paired, all paired Authenticators should show the same 6-digit code.

first step

second step

third step

fourth step

fifth step

Disable second factor

If you do not want to use the second factor, you can disable it in the Two-Factor Authentication settings. However, if Two-Factor Authentication is mandatory, you will be asked to set the second factor again. Disabling the second factor deletes all of the user’s Two-Factor Authentication settings, and all Authenticators have to be paired again.

To disable the second factor, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the displayed menu, click the Two-Factor Authentication settings button (2).

Two-Factor Authentication settings

After clicking the button, a wizard with two options displays. Click the Disable second factor button and enter the 6-digit code to confirm the action.

first step

second step

third step

Reset Two-Factor Authentication settings

Users with the User Manager role can reset the Two-Factor Authentication settings of another user by clicking the Reset Two-Factor Authentication button at the bottom of the user details form.

Reset button

To confirm the reset, it is necessary to enter the Access Code. Resetting the Two-Factor Authentication settings should be used when the user has lost access to the paired Authenticator app or in similar cases.

Change language

Each user can change the language of the web interface. The available options are English, Czech, German and French. To change the language of the interface, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the displayed menu, click the Change Language button (2).

Context menu

After clicking the button, a form for changing the language displays. In the form, select the language you want to set and click the OK button. After changing the language, the page reloads in the chosen language.

Change language form

User Preferences

Each user can modify preferences that apply only to that user. To alter these preferences, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the displayed menu, click the Change preferences button (2).

Context menu

After clicking the Change Preferences button, the User Preferences form displays.

User Preferences form

The Remember Access Code field (1) is displayed only if remembering the Access Code is enabled in the server configuration.

The fields in the Notification settings part of the form (2) are displayed only if e-mail notifications are enabled in the server configuration.

The Notification of user initialization field (3) is displayed only to users with the User Manager role.

In the User Preferences form, it is possible to set remembering of the last location, the default password pattern for Safe Box Groups, Safe Boxes and Accounts that the user creates, and the e-mail notification settings. All preferences apply only to the currently logged-in user. Changing preferences for all users is possible in the SecureAnyBox5 configuration.

Remember Last Location
Remembering the last visited location (page) can be set per user or per combination of user and station. Unless turned off, the last visited page is loaded automatically after the user logs into SecureAnyBox5.

Available options:
  • Off - Don’t remember the last page
  • Remember for user - Remember the last visited page or Safe Box for the given user
  • Remember for user and station key - Remember the last visited page or Safe Box for the given user and station key

If a start page is set, it is not possible to set remembering of the last visited location.

Remember Access Code

This field is displayed only if remembering the Access Code is enabled in the server configuration.

After entering an Access Code, SecureAnyBox5 will temporarily store your Access Code in a cache, so you don’t have to enter the Access Code repeatedly. To disable remembering your Access Code, uncheck the field.

Default password pattern

The default password pattern for Safe Boxes and Accounts where no password pattern is set.

Each character in the pattern corresponds to one character in the generated password.

Characters allowed in the password pattern and their meaning:

v - lower case vowel (a,e,i,o,u,y)
V - mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z - upper case vowel
c - lower case consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C - mixed case consonant
z - upper case consonant
l - any alphabet character (vowel or consonant), lower case
A - any alphabet character, mixed case
u - any alphabet character, upper case
d - digit (0-9)
s - special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n - digit or special character
\ - escape character; the next character is used as is (e.g. the pattern ‘\-’ outputs ‘-’ in the resulting password)
* - any allowed character

The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, the pattern ‘\p\a\s\sddddddd’ might generate passwords such as ‘pass1762885’ or ‘pass5687412’.
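As an added illustration (not part of the original guide and not SecureAnyBox5's own code), the following Python script implements the pattern rules listed above: it expands a pattern into per-position character classes, generates a password from it, and checks whether an existing password could have come from a pattern. Treating `*` as any letter, digit or special character from the classes above is an assumption.

```python
import secrets
import string

# Character classes of the SecureAnyBox5 password pattern as listed in the
# User Preferences section of the guide.
LOWER_VOWELS = "aeiouy"
LOWER_CONSONANTS = "bcdfghjklmnpqrstvwxz"
UPPER_VOWELS = LOWER_VOWELS.upper()
UPPER_CONSONANTS = LOWER_CONSONANTS.upper()
DIGITS = string.digits
SPECIALS = ".@&*()<>_][%$#\\/?;-:"

CLASSES = {
    "v": LOWER_VOWELS,
    "V": LOWER_VOWELS + UPPER_VOWELS,
    "Z": UPPER_VOWELS,
    "c": LOWER_CONSONANTS,
    "C": LOWER_CONSONANTS + UPPER_CONSONANTS,
    "z": UPPER_CONSONANTS,
    "l": string.ascii_lowercase,
    "A": string.ascii_letters,
    "u": string.ascii_uppercase,
    "d": DIGITS,
    "s": SPECIALS,
    "n": DIGITS + SPECIALS,
    # Assumption: "any allowed character" means any letter, digit or special.
    "*": string.ascii_letters + DIGITS + SPECIALS,
}


def expand_pattern(pattern):
    """Turn a pattern into a list of allowed-character strings, one per
    output position.  A backslash makes the following character literal,
    so the literal occupies one position with exactly one allowed character."""
    slots = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape character")
            slots.append(pattern[i + 1])
            i += 2
            continue
        if ch not in CLASSES:
            raise ValueError(f"character {ch!r} is not allowed in a password pattern")
        slots.append(CLASSES[ch])
        i += 1
    return slots


def generate_password(pattern, rng=secrets):
    """Generate one password: each pattern character yields one password
    character drawn from its class with a cryptographically secure RNG."""
    return "".join(rng.choice(slot) for slot in expand_pattern(pattern))


def matches_pattern(password, pattern):
    """Check that an existing password could have been produced by the pattern
    (same length, and every character inside its position's class)."""
    slots = expand_pattern(pattern)
    return len(password) == len(slots) and all(
        ch in allowed for ch, allowed in zip(password, slots)
    )


if __name__ == "__main__":
    print(generate_password("CVCVdddCVCCVdC"))   # e.g. wEHe063heFme4p
    print(generate_password("\\p\\a\\s\\sddddddd"))  # e.g. pass1762885
```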

Customized column of records in Safe Boxes

Selects which data is displayed in the middle column of the list of records in a Safe Box (after the record name). The default value in the server configuration is Description.

Notification settings

Notification of changes

This field is displayed only if e-mail notifications are enabled in the server configuration.

Select whether notification e-mails with a summary of changes are sent, and whether you are notified of changes in all Safe Box Groups, Safe Boxes and records, or only in the watched ones.

Whether users are notified of changes in all fields or only in encrypted ones, and how often notifications are sent, depends on the SecureAnyBox5 server configuration.

Notification of accesses

This field is displayed only if e-mail notifications are enabled in the server configuration.

Select whether notification e-mails with a summary of accesses to encrypted information are sent, and whether you are notified of accesses to encrypted information in all currently accessible Safe Box Groups, Safe Boxes and records, or only in the watched ones.

How often notifications are sent depends on the SecureAnyBox5 server configuration.

Notification of user initialization

This field is displayed only if e-mail notifications are enabled in the server configuration.
This field is displayed only to users with the User Manager role.

By enabling e-mail notifications of user initialization, you allow e-mails to be sent with a summary of which users have set their password and/or Access Code for the first time.

Override default settings

By overriding the default settings from the domain, you can configure automatic watching according to your preferences. If the default settings are overridden, any changes to the automatic watching settings in the domain no longer apply to you.

Automatically watch changes

Safe Box Groups, Safe Boxes and records that the user creates or obtains access to will automatically have watching of changes set. If sending notifications is enabled (in the server configuration), e-mail notifications will be sent with a summary of changes in the watched ones.

Automatically watch accesses

Safe Box Groups, Safe Boxes and records that the user creates or obtains access to will automatically have watching of accesses to encrypted information set. If sending notifications is enabled (in the server configuration), e-mail notifications will be sent with a summary of accesses to the watched ones.

Start page setting

Each user can set a start page, i.e. the page to which the user is redirected after logging into SecureAnyBox5.

To set the start page, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the displayed menu, click Start page setting (2).

Start page setting menu

After clicking Start page setting, a window for the start page setting displays.

First setting of a start page

If you are setting up a start page for the first time, a window will appear where you confirm that you want to set the page as a start page.

First setting of a start page

Start page is set to the current page

If the current page is set as the start page, a window will appear where it is possible to remove the start page setting.

Start page is set to the current page

Start page is set to different page

If the start page is set to a page other than the current one, you can check the setting by clicking the link. At the same time, you can override or remove your start page setting.

Start page is set to different page

Switch to Administration

From version 5.0, the Administration part of SecureAnyBox5 has been moved to its own interface. To switch to Administration, click the menu icon (next to the user’s name) in the top right corner of the page (1). After clicking, a context menu displays. In the displayed menu, click Switch to Administration (2), which redirects you to the Administration interface.

Switch to Administration

Safe Boxes

Safe Boxes and Safe Box Groups are used to store sensitive data, such as accounts used to log in, certificates, credit cards, and other files. Safe Boxes can be divided into three types:

Safe Boxes and Safe Box Groups can be shared with other users. Dynamic inheritance of permissions applies to shared Safe Boxes and Safe Box Groups. For private Safe Boxes and Safe Box Groups, all permissions for other users have to be set manually.

The name of each Safe Box or Safe Box Group must be unique within the root level or the Safe Box Group that contains it. However, it is possible to create a private Safe Box or Safe Box Group with the same name as another Safe Box (or Safe Box Group), because a private Safe Box’s name contains the owner’s name.

When the logged-in user is the owner of a private Safe Box, the owner’s name is not shown in the Safe Box’s name.

Private Safe Box's name is displayed differently to the owner of private Safe Box and to other users to whom the private Safe Box is shared.

As you can see in the image above, a private Safe Box’s name is displayed differently to the owner of the private Safe Box and to other users who have permissions for it.

Filtering of Safe Boxes and Safe Box Groups

Safe Boxes and Safe Box Groups at the root level can be filtered by name or description by entering text into the filter field (1). Safe Boxes and Safe Box Groups can also be filtered by selecting a user tag or a user in a dedicated field (2).

Filtering fields

When filtering by a user tag, the table shows Safe Boxes and Safe Box Groups that have a permission template assigned to the selected user tag.
When filtering by a user, the table shows Safe Boxes and Safe Box Groups to which the selected user has some permissions.

Pinned Safe Boxes and Safe Box Groups

Users can change the order of the displayed Safe Boxes and Safe Box Groups by pinning the selected Safe Box (or Safe Box Group) to the top of the list.
To pin a Safe Box, click the pin icon (pin icon) in the row of the selected Safe Box and confirm the dialog.

click to pin Safe Box

pin Safe Box dialog

After the Safe Box is pinned, it is displayed at the top of the list with a pin icon.

pinned Safe Box in Grid

The order of pinned Safe Boxes can be managed in the form that displays after clicking the Edit pinned order button. To change the order of the pinned Safe Boxes, drag the selected Safe Box to the desired position.

edit pinned order

To unpin the Safe Box, please click the pin icon again and confirm the dialog. After unpinning, the Safe Box is displayed without the pin icon.

Sharing & Permissions

Access rights can be managed for each Safe Box or Safe Box Group separately. For Safe Boxes and Safe Box Groups that are not private, dynamic inheritance of access rights applies. If a Safe Box or Safe Box Group is private, inheritance of access rights is blocked; however, permissions for a private Safe Box Group or Safe Box can still be assigned manually.
Access rights can be managed at the root level too.

Access rights can be managed after clicking the Sharing & Permissions link.

The Sharing & Permissions button is displayed only to users with the Access Control permission.

Sharing & Permissions table

The Sharing & Permissions page displays a table of users who have permissions for that level (the root level, a Safe Box Group or a Safe Box) and all records in it.

Each user can have three types of rights:

Inherited rights - Permissions inherited from the parent Safe Box Group or the root level

Effective rights - These are the permissions checked when verifying whether a user may perform an action. Effective rights are given by the assigned rights; if no rights are assigned, the effective rights are given by the inherited rights. If a user has effective READ rights for any Safe Box inside a Safe Box Group, the effective rights for the Safe Box Group are set to READ as well. If a Safe Box or Safe Box Group is private, the owner’s effective rights are set to full permissions (IRCMDA).

Assigned rights - Permissions explicitly assigned at this level

Permissions overview

The table shows only the permissions that can be set on the Sharing & Permissions page.

Permission - Description
Inherited - Enables dynamic inheritance of permissions. Can be set only for the root level or a Safe Box Group.
Read - The user may view Safe Box Groups, Safe Boxes and the records in them (accounts, files, etc.).
Create - The user may create a new Safe Box Group, Safe Box or record (account, file, etc.).
Modify - The user may modify Safe Box Groups, Safe Boxes and the records in them (accounts, files, etc.).
Delete - The user may delete or move a Safe Box Group, Safe Box or record (account, file, etc.).
Access Control - The user may manage rights for a Safe Box Group, Safe Box or record (account, file, etc.).
Apply Templates - The user may apply Permission templates to a Safe Box Group or Safe Box.

Sharing Safe Box or Safe Box Group

By assigning access rights, you can share a Safe Box or Safe Box Group with other users.

To assign permissions for a Safe Box or Safe Box Group to another user, click the Add User button. After clicking, a list of users with whom the Safe Box or Safe Box Group can be shared displays. You cannot share Safe Boxes and Safe Box Groups with users who have not set their Access Code.

If a user is from a different domain than the currently logged-in user, the domain name is displayed after the user’s name.

Add user

In the list of users, select the user with whom you want to share the Safe Box or Safe Box Group. It is possible to add multiple users at a time. After the users are selected, click the OK button. Adding users has to be confirmed by entering the Access Code.

After a user is added to the table of permissions, the user has only the READ permission. You can assign other permissions manually by checking the appropriate checkbox.

All changes on the Sharing & Permissions page have to be confirmed by entering the Access Code.

Assigned rights

The assigned rights can be managed separately for each Safe Box or Safe Box Group. If a user has any inherited rights, it is necessary to click the blue gear icon (blue gear icon) first. After that, rights can be assigned by clicking the appropriate checkbox.

Assigned rights take precedence over inherited ones.

If a user does not have any inherited rights, assigned rights can be managed just by clicking the appropriate checkbox.

To delete the assigned rights of a user, click the cross icon (cross icon) at the end of the row and confirm the changes. If the deleted user had assigned rights only, the user is no longer displayed in the table after confirmation.

Dynamic inheritance

Dynamic inheritance of permissions applies only to shared Safe Boxes and Safe Box Groups. For dynamic inheritance of a user’s access rights to apply, the user must have the Inherited permission assigned for the root level or for a Safe Box Group.

When a user has the Inherited permission assigned for the root level, all of the user’s other permissions (Read, Create, Modify, Delete, Access Control) at the root level are inherited by all shared Safe Boxes and Safe Box Groups.

If a user has the Inherited permission assigned only for a Safe Box Group, all of the user’s other permissions at that Safe Box Group are inherited by all shared Safe Boxes within that Safe Box Group.

When a user modifies the Inherited permission, a warning dialog appears. To proceed with the modification, the user has to type in the confirmation code (three letters displayed in bold) and confirm the warning dialog.

Modifying inheritance warning dialog
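As an added worked example (not the product’s own code), the following Python model resolves effective rights from the rules given under Effective rights and Dynamic inheritance above: assigned rights take precedence, inheritance requires the Inherited permission at the parent and is blocked on private levels, a private level’s owner holds IRCMDA, and a Safe Box Group becomes readable when any Safe Box inside it is readable. Two details the guide does not spell out are assumptions here: inheritance takes the parent’s effective rights (so a root-level I flows through shared groups to their Safe Boxes), and the group READ rule does not itself propagate to other Safe Boxes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permission letters as abbreviated on the Sharing & Permissions page:
# I = Inherited, R = Read, C = Create, M = Modify, D = Delete, A = Access Control.
FULL_RIGHTS = frozenset("IRCMDA")


@dataclass
class Level:
    """The root level, a Safe Box Group or a Safe Box (constructed model)."""
    name: str
    kind: str                                  # "root", "group" or "box"
    parent: Optional["Level"] = None
    private: bool = False
    owner: Optional[str] = None                # meaningful for private levels only
    assigned: dict = field(default_factory=dict)   # user -> set of letters
    children: list = field(default_factory=list)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child


def inherited_rights(level, user):
    """Rights flowing down from the parent.  Blocked on private levels and
    only present when the user holds I at the parent (assumption: I taken
    from the parent's effective rights, whether assigned there or inherited)."""
    if level.parent is None or level.private:
        return frozenset()
    parent_rights = _own_rights(level.parent, user)
    if "I" not in parent_rights:
        return frozenset()
    # Inherited can only be set at root or group level, so a Safe Box drops it.
    return parent_rights - {"I"} if level.kind == "box" else parent_rights


def _own_rights(level, user):
    """Effective rights before the 'readable Safe Box makes the group
    readable' rule.  Assigned rights take precedence over inherited ones."""
    if level.private and level.owner == user:
        return FULL_RIGHTS
    if user in level.assigned:
        return frozenset(level.assigned[user])
    return inherited_rights(level, user)


def effective_rights(level, user):
    """Rights actually checked when the user attempts an action at this level."""
    rights = _own_rights(level, user)
    if level.kind == "group" and any(
        "R" in effective_rights(box, user) for box in level.children
    ):
        rights = rights | {"R"}   # group is visible if any box in it is readable
    return rights


def can(level, user, letter):
    return letter in effective_rights(level, user)


if __name__ == "__main__":
    # Constructed sample hierarchy: root -> group "Servers" -> boxes "Web" (shared)
    # and "Finance" (private, owned by bob).
    root = Level("root", "root")
    servers = root.add(Level("Servers", "group"))
    web = servers.add(Level("Web", "box"))
    finance = servers.add(Level("Finance", "box", private=True, owner="bob"))
    root.assigned = {"alice": set("IR"), "bob": set("R")}
    web.assigned = {"carol": set("RM")}
    for user in ("alice", "bob", "carol"):
        for lvl in (root, servers, web, finance):
            print(user, lvl.name, "".join(sorted(effective_rights(lvl, user))))
```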

Permissions for the root level

Permissions for the root level are pre-set by the Default Safe Box Permissions in the user detail but can be modified directly at the root level. To manage permissions for the root level, the logged-in user needs the Access Control permission for the root level and the User Manager or Administrator role. Otherwise, the Sharing & Permissions button is not displayed on the root level page.

Share inherited permissions

If any user resets their Access Code, or a user is assigned the Inherited permission for the root level, it is necessary to share inherited permissions with them.
When this situation occurs, a warning message displays after the root level page loads. To share the permissions, click the OK button and enter the Access Code.

Share inherited permissions

Permission templates

Permission templates can be managed only by users with the Access Control permission.

Permission templates are designed to help you assign permissions to users. Permission templates can be set for the root level, any Safe Box Group and any Safe Box. Permission templates are defined for user tags; for each level, a given user tag can be used in only one template. User tags can come from the domain of the current user and also from other visible domains.

Permission templates for group

To create a permission template, select a user tag and assign permissions. The permission template applies to all users who have the user tag set in the template.

Permission template set for - Affected levels
Root level - all shared Safe Boxes and Safe Box Groups
Safe Box Group - all Safe Boxes within the Safe Box Group
Safe Box - the Safe Box only

If the permission template was set at the parent level, it is possible to modify it by clicking the blue gear icon (blue gear icon).

Permission templates for box in group

To view or manage permission template(s) for parent level, click the Up button.

After permission templates are set, users with the Apply Templates permission can apply them.

Apply permission templates

Only users with the Apply Templates permission can perform this action.

Permission templates can be applied when these conditions are met:

When all conditions are met, a notification icon appears (notification icon).

Permission templates can be applied to a Safe Box Group or Safe Box. The permissions to apply are computed from the permission templates in the listed Safe Box Groups and Safe Boxes for each user tag assigned to a user. If the computed permissions lack some of the effective permissions, a red arrow (red arrow icon) appears.

Apply permission templates

Please review permissions in the table below.

Permissions were computed based on Permission Templates in listed Safe Boxes and Safe Box Groups depending on User tags assigned to listed users.

You can either Approve permissions, Skip permission assignment this time or Reject permission assignment. When you Reject permission assignment, SecureAnyBox5 will remember this choice. Next time Permission Templates are processed, permission record will show as rejected by default.

To completely remove a user from the permission assignment processing, you can change the user’s user tag assignment.

Computed permissions - Permissions applied to:
Contains permission I (Inherited) - all shared Safe Boxes and Safe Box Groups
Does not contain permission I - all shared Safe Boxes; Safe Box Groups will have just the R (Read) permission applied

Watching...

For Safe Box Groups, Safe Boxes, and records, it is possible to set the watching of changes and/or accesses to encrypted information. Watching can be set for each level – the only exception is the root level.

When a user is watching changes at some level and e-mail notifications are enabled in the server configuration, SecureAnyBox5 sends e-mails with a summary of changes at that level. Whether changes in all fields or only in encrypted ones are watched depends on the server configuration of notifications.

If the user is watching accesses to encrypted information and e-mail notifications are enabled in the server configuration, SecureAnyBox5 sends e-mails with a summary of accesses at that level.
To access encrypted information, it is necessary to enter the Access Code in the record. If the Access Code is temporarily remembered, the user accesses all records without entering the Access Code.

Watching of accesses and/or changes is inheritable: if a user watches changes in a Safe Box Group, all Safe Boxes and records within the Safe Box Group inherit the watching of changes/accesses from the parent level.

From the root level, it is possible to edit watching for all currently accessible Safe Box Groups, Safe Boxes and records by clicking the Watching... button.

Watching of changes/accesses for Safe Box Groups, Safe Boxes and records that you create or obtain access to in the future depends on the user’s automatic watching settings.

Watching menu in root

In the Watching report, it is possible to check what the currently logged-in user is watching.

Start watching changes to everything

Changes in all Safe Box Groups, Safe Boxes and the records within them that you can currently access will be watched.

Watching of changes is explicitly set for all currently accessible Safe Box Groups and Safe Boxes. Records inherit watching of changes from the Safe Box in which they are stored.

Note: Watching of changes for Safe Box Groups, Safe Boxes and records that you create or obtain access to in the future depends on the user’s settings and on whether the level in which they are stored watches changes, because watching of changes may be inherited from the parent level.

After clicking the Start watching changes to everything button, it is necessary to confirm the dialog window.

Start watching accesses to everything

Accesses to encrypted information in the records stored in all Safe Boxes and Safe Box Groups that you can currently access will be watched.

Watching of accesses is explicitly set for all currently accessible Safe Box Groups and Safe Boxes. Records inherit watching of accesses from the Safe Box in which they are stored.

Note: Watching of accesses for Safe Box Groups, Safe Boxes and records that you create or obtain access to in the future depends on the user’s settings and on whether the level in which they are stored watches accesses, because watching of accesses may be inherited from the parent level.

After clicking the Start watching accesses to everything button, it is necessary to confirm the dialog window.

Stop watching changes to everything

Changes in all Safe Box Groups, Safe Boxes and the records within them that you can currently access will no longer be watched.

Watching of changes can be reactivated at any time.

Note: Watching of changes for Safe Box Groups, Safe Boxes and records that you create or obtain access to in the future depends on the user’s automatic watching settings.

After clicking the Stop watching changes to everything button, it is necessary to confirm the dialog window.

Stop watching accesses to everything

Accesses to encrypted information in all Safe Box Groups, Safe Boxes, and the records within them that you can currently access will no longer be watched.

Watching of accesses can be reactivated at any time.

Note: Watching of accesses for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

After clicking the Stop watching accesses to everything button, you must confirm the action in the dialog window.

Stop watching all

After clicking the Stop watching all button, watching of both changes and accesses is deactivated for all currently accessible Safe Box Groups, Safe Boxes, and records.

Watching of accesses and/or changes can be reactivated at any time.

Note: Watching of accesses and changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

After clicking the Stop watching all button, you must confirm the action in the dialog window.

Safe Box Group

Create Edit Watching... Delete

A Safe Box Group is intended for associating Safe Boxes into larger units. For example, a Safe Box Group can group all Safe Boxes related to a project, a server, and so on.

Access rights can be managed for each Safe Box Group separately. Dynamic inheritance of access rights applies to Safe Box Groups that are not private. The Inherited permission can be set for the root level or for a Safe Box Group. When a user has the Inherited permission for a Safe Box Group, all new shared Safe Boxes inside this group inherit the user’s permissions from the Safe Box Group.

If the user has the Inherited permission set for the root level, the user automatically inherits permissions for all shared Safe Box Groups and Safe Boxes within the user’s domain.

When a Safe Box Group is private, inheritance of access rights is blocked. However, permissions to a private Safe Box Group can be assigned manually.

Create New Safe Box Group

To create a Safe Box Group, the user must have the Create permission for the root level.

To create a Safe Box Group, click the New Safe Box Group button. For the Safe Box Group, you must set a name, a password pattern and a type (private or shared). A new Safe Box can be created inside a Safe Box Group, or an existing Safe Box can be moved into it.

New Safe Box Group

If the Safe Box Group is private, all Safe Boxes in it are also considered private.

Name

The Safe Box Group name should characterize its content so that you can work with SecureAnyBox5 more effectively and conveniently. Each name must be unique within the root level.

However, a user can create two Safe Box Groups with the same name if one of them is private. The name of a private Safe Box Group is stored together with the username of its owner, so the two names are still unique.

Description

The description should characterize the Safe Box Group more precisely so that it is easier to distinguish from others.

Password settings

Select the password settings that will be applied when generating a password for records within the scope of this Safe Box Group:

Edit Safe Box Group

To edit a Safe Box Group, a user must have the Modify permission.

For each Safe Box Group, it is possible to change the name, description, password pattern, external files path and Safe Box Group type.

If the external files path is changed, SecureAnyBox5 stores all new external files at the new location, but all previously stored files remain at their original location.

Watching...

For each Safe Box Group, you can turn on two types of watching – watching changes, and watching accesses to encrypted information. If someone changes the watched Safe Box Group, a Safe Box in it, or a record within these Safe Boxes, or if someone accesses encrypted information in a record within these Safe Boxes, an e-mail notification is sent to the user who watches the Safe Box Group (depending on the configuration of mail notifications).

To access encrypted information, it is necessary to enter the Access Code in the record. If the Access Code is temporarily remembered, the user accesses all records without entering the Access Code.

The user can customize the notification settings in the user preferences.

Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

To set watching for the Safe Box Group, click the Watching... button; the watching menu is displayed.

Watching menu Safe Box Group

In the Watching report, you can check what the currently logged-in user is watching within the Safe Box Group.

The current watching status of the Safe Box Group is displayed next to the Watching... button.

Watch changes Watch accesses: Watching of changes and of accesses to encrypted data is set explicitly for the Safe Box Group.
Watch changes: Watching of changes is set for the Safe Box Group. Watching of accesses to encrypted data is not set.
Watch accesses: Watching of changes is not set. Watching of accesses to encrypted data is set explicitly for the Safe Box Group.

For Safe Box Groups, watching of accesses and/or changes can only be set explicitly.

By checking the Watching Changes or Watching Accesses field, the user immediately sets explicit watching of changes/accesses for the Safe Box Group. All Safe Boxes within this Safe Box Group, and the records in them, inherit the watching of changes/accesses from the Safe Box Group.

Start watching changes within this Safe Box Group

All Safe Boxes currently stored in this Safe Box Group will have watching of changes set explicitly, and changes in them will remain watched even if these Safe Boxes are moved to another Safe Box Group where changes are not watched.

Records stored in Safe Boxes within this Safe Box Group inherit watching of changes from their Safe Box.

Note: If automatic watching of changes is not set, Safe Boxes (and the records in them) added to this Safe Box Group in the future will inherit watching of changes from the Safe Box Group. Otherwise, all Safe Boxes and records will have watching of changes set explicitly.

After clicking the Start watching changes within this Safe Box Group button, you must confirm the action in the dialog window.

Start watching accesses within this Safe Box Group

All Safe Boxes currently stored in this Safe Box Group will have watching of accesses set explicitly, and accesses to encrypted information in them will remain watched even if these Safe Boxes are moved to another Safe Box Group where accesses are not watched.

Records stored in Safe Boxes within this Safe Box Group inherit watching of accesses from their Safe Box.

Note: If automatic watching of accesses is not set, Safe Boxes (and the records in them) added to this Safe Box Group in the future will inherit watching of accesses from the Safe Box Group. Otherwise, all Safe Boxes and records will have watching of accesses set explicitly.

After clicking the Start watching accesses within this Safe Box Group button, you must confirm the action in the dialog window.

Stop watching changes within this Safe Box Group

The Safe Box Group, all Safe Boxes within it, and all records in them will no longer have watching of changes set.

Watching of changes can be reactivated at any time.

Note: Watching of changes for Safe Boxes and records within this Safe Box Group that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

After clicking the Stop watching changes within this Safe Box Group button, you must confirm the action in the dialog window.

Stop watching accesses within this Safe Box Group

The Safe Box Group, all Safe Boxes within it, and all records in them will no longer have watching of accesses to encrypted data set.

Watching of accesses can be reactivated at any time.

Note: Watching of accesses for Safe Boxes and records within this Safe Box Group that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

After clicking the Stop watching accesses within this Safe Box Group button, you must confirm the action in the dialog window.

Delete Safe Box Group

A Safe Box Group can be deleted from the root level. To delete a Safe Box Group, a user must have the Delete permission. If a user has this permission, a cross icon is displayed at the end of the row.
After clicking the cross icon, the user is asked to confirm deletion of the Safe Box Group. When confirmed, the Safe Box Group is deleted and is no longer displayed.

The user can immediately restore a deleted Safe Box Group by clicking Undo in the displayed message.

Delete message

Safe Box

Create Edit Move Import records Watching... Connect from Safe Box Delete

Safe Boxes are intended for storing records. Different types of records – accounts, secret accounts, files, certificates, credit cards – can be stored inside a Safe Box.

Access rights can be managed for each Safe Box separately. Dynamic inheritance of access rights applies to Safe Boxes that are not private. The Inherited permission can be set for the root level or for a Safe Box Group. When a user has this permission, all new shared Safe Boxes inherit the user’s permissions from the parent level.

When a Safe Box is private, inheritance of access rights is blocked. However, access rights to a private Safe Box can be assigned manually.

Create Safe Box

To create a Safe Box, a user must have the Create permission for the root level or for the Safe Box Group in which the Safe Box will be created.

A new Safe Box can be created at the root level or inside a Safe Box Group by clicking the New Safe Box button. For the Safe Box, you must set a name, a password pattern and a type (private or shared). A private Safe Box can be created only at the root level.
When a Safe Box is created inside a Safe Box Group, the Safe Box type cannot be set – it is given by the Safe Box Group type.

New Safe Box

Name

The Safe Box name should characterize its content so that you can work with SecureAnyBox5 more effectively and conveniently. Each name must be unique within its Safe Box Group or within the root level.

However, a user can create two Safe Boxes with the same name at the root level if one of them is private. The name of a private Safe Box is stored together with the username of its owner, so the two names are still unique.

Description

The description should characterize the Safe Box more precisely so that it is easier to distinguish from others.

Password settings

Select the password settings that will be applied when generating a password for records within the scope of this Safe Box:

Edit Safe Box

To edit a Safe Box, a user must have the Modify permission.

For each Safe Box, it is possible to change the name, description, password pattern, external files path and Safe Box type.

If the external files path is changed, SecureAnyBox5 stores all new external files at the new location, but all previously stored files remain at their original location.
If the Safe Box is not in a Safe Box Group, it is also possible to change the Safe Box type.

Move Safe Box

To move a Safe Box, a user must have the Delete permission. When moving, the Safe Box is effectively deleted from the original location and created at the target location.

To move the Safe Box, click the Move Safe Box button and wait until the list of destinations to which the Safe Box can be moved is displayed.

Move Safe Box

Click a row in the list to select the destination into which the Safe Box will be moved, and confirm the move by entering the Access Code.

Have you forgotten the Access Code?

By moving the Safe Box, you may change other users’ permissions for the Safe Box, because a shared Safe Box inherits permissions from its new parent level.

Import records into Safe Box

Records from other applications can be imported into a Safe Box. Before importing, create the target Safe Box. On the Safe Box page, click the Import... button and select SecureAnyBox5 Importer in the displayed menu.

Import to Safe Box - menu

Import utilities can also be downloaded from the Downloads page.

After clicking, a dialog with a download link is displayed. Once downloaded, extract the files from the zip archive and run the utility.

Download link for the import utility

In the SecureAnyBox5 Importer, the user must enter the SecureAnyBox5 address in the appropriate field. You can copy the SecureAnyBox5 address by clicking the Copy SecureAnyBox5 address option in the menu that is displayed after clicking the Import... button.

Copy SecureAnyBox5 address messageBox

Watching

For each Safe Box, you can turn on two types of watching – watching changes and watching accesses to encrypted information. If someone changes the watched Safe Box or a record within it, or if someone accesses encrypted information in a record within the Safe Box, an e-mail notification is sent to the user who watches the Safe Box (depending on the configuration of mail notifications).

If the Safe Box is watched, all records in it are watched as well. The user can customize the notification settings in the user preferences.

Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

Watching menu Safe Box

In the Watching report, you can check what the currently logged-in user is watching within the Safe Box.

The current watching status of the Safe Box is displayed next to the Watching... button.

Watch changes: Watching of changes is set explicitly for the Safe Box. Accesses are not watched.
Watch changes - inherited: Watching of changes is inherited from the parent level. Accesses are not watched.
Watch accesses: Watching of accesses to encrypted data is set explicitly for the Safe Box. Changes are not watched.
Watch accesses - inherited: Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watch changes Watch accesses: Watching of changes and of accesses to encrypted data is set explicitly for the Safe Box.
Watch changes Watch accesses - inherited: Watching of changes is set explicitly for the Safe Box. Watching of accesses to encrypted data is inherited from the parent level.
Watch changes - inherited Watch accesses: Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for the Safe Box.
Watch changes - inherited Watch accesses - inherited: Watching of changes and of accesses to encrypted data is inherited from the parent level.

By checking the Watching Changes or Watching Accesses field, the user immediately sets explicit watching of changes/accesses for the Safe Box. All records within this Safe Box inherit the watching of changes/accesses from the Safe Box.

Start watching changes within this Safe Box

All records currently stored in this Safe Box will have watching of changes set explicitly, and changes to them will be watched even if a record is moved to another Safe Box where changes are not watched.

Note: If automatic watching of changes is not set, records added to this Safe Box in the future will inherit watching of changes from the Safe Box. Otherwise, all records will have watching of changes set explicitly.

After clicking the Start watching changes within this Safe Box button, you must confirm the action in the dialog window.

Start watching accesses within this Safe Box

All records currently stored in this Safe Box will have watching of accesses set explicitly, and accesses to encrypted information in them will be watched even if a record is moved to another Safe Box where accesses are not watched.

Note: If automatic watching of accesses is not set, records added to this Safe Box in the future will inherit watching of accesses from the Safe Box. Otherwise, all records will have watching of accesses set explicitly.

After clicking the Start watching accesses within this Safe Box button, you must confirm the action in the dialog window.

Stop watching changes within this Safe Box

Changes in this Safe Box and in all records within it will no longer be watched.

Note: If the Safe Box is stored in a Safe Box Group, the Safe Box (and the records within it) may still inherit watching of changes from the Safe Box Group.
Watching of changes for records within this Safe Box that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

After clicking the Stop watching changes within this Safe Box button, you must confirm the action in the dialog window.

Stop watching accesses within this Safe Box

Accesses to encrypted information in this Safe Box and in all records within it will no longer be watched.

Watching of accesses can be reactivated at any time.

Note: If the Safe Box is stored in a Safe Box Group, the Safe Box (and the records within it) may still inherit watching of accesses from the Safe Box Group.
Watching of accesses for records within this Safe Box that you create or to which you obtain access in the future depends on the user’s automatic watching settings.

After clicking the Stop watching accesses within this Safe Box button, you must confirm the action in the dialog window.

Connect

If an account or secret account stored in the Safe Box has a connection type defined, the connection can be opened by clicking the Connect button. To open a connection, SecureAnyBox5 Launcher must be installed on your workstation.

Connect button at the Safe Box page

If a username (login) and a password are stored in the record, the user is automatically connected to the target (server, workstation, etc.).

Delete Safe Box

To delete a Safe Box, a user must have the Delete permission. If a user has this permission, a cross icon is displayed at the end of the row.

A Safe Box can be deleted from the Safe Box Group page or from the root level page. To delete the Safe Box, click the cross icon at the end of the row. After clicking the cross icon, the user is asked to confirm deletion of the Safe Box. When confirmed, the Safe Box is deleted and is no longer displayed.

Delete Safe Box

The user can immediately restore a deleted Safe Box by clicking Undo in the displayed message.

Records

Create Edit Change password Password History Copy as... Watching... Connect Move Move to White Envelope Delete

Records are stored inside Safe Boxes and are intended to store important information. Depending on the nature of the information to be stored, the user selects a record type. All record types, and the information that can be stored in each of them, are listed in the table below.

Record types: Account, Secret Account, File, Certificate, Credit Card

Fields: Name, Description, Tags, Note, Password settings, Password preset, Password pattern, Address, Login Site, Login, Connection Type, Connection Options, Secret Note, Password, File, Alias, Certificate, Certificate password, Number, Expiration Date, CVV, PIN, Compliance profile

Legend:
yes – Information can be stored in this record type. Access to this information is not audited.
yes, encrypted – Information can be stored in this record type. This information is encrypted when the record is saved. You must enter the Access Code to access it. Access to this information is audited.
no – Information cannot be stored in this record type.


Account
The account is used to store credentials, such as login information for e-shops, e-mail accounts, applications, servers and so on.

In a stored account, the password is saved encrypted. To decrypt the password, it is necessary to enter the Access Code.

If you also need to protect the username and the server address, use the secret account record type instead.
Secret Account
The secret account is used to store credentials, such as login information for e-shops, e-mail accounts, applications, servers and so on.

In a secret account, more information is protected than in an account. After the secret account is saved, all information stored in the Secure part is encrypted. This information can be decrypted only after entering the Access Code.
File
The file record is intended for storing files that might contain sensitive security information (e.g., configuration files with stored passwords).

After the file record is stored, all information stored in the Secure part is encrypted. A user can decrypt the encrypted values only after entering the Access Code.
Certificate
As a certificate record, you can store a keystore (a certificate, a public key or a private key).

All information stored in the Secure part is encrypted. Encrypted information can be decrypted only after entering the Access Code.
Credit Card
This record is intended for storing information about a credit card. In this record, you can store a credit card number, an expiration date, CVV and PIN code, as well as other information in fields such as the description, the note and tags.

All information stored in the Secure part of the record is encrypted. This information can be decrypted only after entering the Access Code.

Create record

Account  Secret Account  File  Certificate  Credit Card

To create a record, the user must have the Create permission for the Safe Box in which the record will be created.

On the page of the Safe Box in which the record should be created, click the Add... button and select the record type in the context menu. A form for creating the new record is then displayed.

When creating the record, it is necessary to set a name. Other fields are optional. All values can be modified later.

Account form

Identification
Name

The account name should characterize the purpose of the stored data so that you can work more effectively and conveniently.
Each name must be unique inside a single Safe Box.

The account name can be modified later.

Maximum length: 255 characters

Address

The address, link or description of where the information stored in the account is used.

When the address is stored in a correct format (e.g., “https://192.168.1.231”), it appears as a link. For a location in a local network, you can use an IP address (e.g., “http://172.22.60.30”); for other websites, e-shops, etc., you can use a URL (e.g., “http://www.ebay.com”).

Addresses can also be stored in other formats, such as SSH (e.g., “ssh://admin@myserver.com”), FTP (e.g., “ftp://myserver.com”) and so on.

In the address field, it is possible to store a hostname or an IP address, and even a port. The port has to be separated from the host by a colon (e.g., “172.22.88.75:8876” or “test.tdp.cz:887”).

The address is an optional value.

Maximum length: 1000 characters

e.g., URL, hostname or IP address of the server where you use the stored password.

Login Site

The login site is used to specify more precisely where the stored account can be used. The value of this field is used especially by the browser extension to determine the visibility of an account.

For example, suppose the stored account is used to log in to Gmail. If the Address field is set to the URL “https://accounts.google.com” and the Login Site field is set to “google.com”, the account is visible in the browser extension on all Google login forms, even if the actual URL differs from “https://accounts.google.com”.

Maximum length: 1000 characters

Login

The username that you use to log in.

Maximum length: 255 characters

Description

The description should characterize the account more specifically.
Only one line of text can be stored in the description. A longer description can be stored in the note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize the stored data. Tags should be specified for each record so that searching is more effective.

Multiple tags can be selected for each record. Tags must first be defined by a user with the Safe Box Manager role on the Record Tags management page in the Administration interface.

Password settings

Select the password settings that will be applied when generating a password:

  • Inherited - settings will be inherited from a domain, parent level (Safe Box Group or Safe Box) or assigned record tag

  • Password preset - the selected password preset will apply when generating a password. The password preset has to be specified before in the Administration interface.

  • Password pattern - when generating a password, the entered password pattern will apply

Password preset

A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.

Password pattern

The default password pattern for accounts where no password pattern is set.
Each character in the pattern corresponds to one character in the generated password.

See examples of the password pattern


Characters allowed in the password pattern and their meaning:

v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – any alphabet character, upper case
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character; the next character is used as is (e.g., the pattern ‘\-’ outputs ‘-’ in the resulting password)
* – any allowed character

The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd’, which might generate passwords such as ‘pass1762885’ or ‘pass5687412’.

Maximum length: 255 characters
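The pattern alphabet described above, implemented as an added example (this is not SecureAnyBox5's own generator): it expands a pattern into a password, checks whether a given password fits a pattern, and computes how many bits of entropy the pattern's search space gives, which is what decides how long a generated password resists offline guessing. It assumes that ‘*’ draws from the union of all classes listed above and that each position is chosen uniformly.

```python
import math
import random
import secrets
import string

# Character classes exactly as documented for the SecureAnyBox5 password pattern.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
SPECIALS = ".@&*()<>_][%$#\\/?;-:"

PATTERN_CLASSES = {
    "v": VOWELS,                           # lowercase vowel
    "V": VOWELS + VOWELS.upper(),          # mixed case vowel
    "Z": VOWELS.upper(),                   # upper case vowel
    "c": CONSONANTS,                       # lowercase consonant
    "C": CONSONANTS + CONSONANTS.upper(),  # mixed case consonant
    "z": CONSONANTS.upper(),               # upper case consonant
    "l": string.ascii_lowercase,           # any lowercase letter
    "A": string.ascii_letters,             # any letter, mixed case
    "u": string.ascii_uppercase,           # any upper case letter
    "d": string.digits,                    # digit
    "s": SPECIALS,                         # special character
    "n": string.digits + SPECIALS,         # digit or special character
}
# Assumption: '*' ("any allowed character") is the union of every class above.
PATTERN_CLASSES["*"] = string.ascii_letters + string.digits + SPECIALS


def parse_pattern(pattern):
    """Expand a pattern into a list of (candidates, is_literal) per output position.

    A backslash escapes the next character, which is copied into the password as is.
    """
    positions = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape character")
            positions.append((pattern[i + 1], True))
            i += 2
        elif ch in PATTERN_CLASSES:
            positions.append((PATTERN_CLASSES[ch], False))
            i += 1
        else:
            raise ValueError(f"character {ch!r} is not allowed in a password pattern")
    return positions


def generate_password(pattern, seed=None):
    """Generate one password from the pattern.

    Without a seed, characters come from the OS CSPRNG (secrets). A seed gives a
    reproducible, and therefore insecure, sequence that is useful only for testing.
    """
    pick = random.Random(seed).choice if seed is not None else secrets.choice
    return "".join(cands if literal else pick(cands)
                   for cands, literal in parse_pattern(pattern))


def matches_pattern(password, pattern):
    """True if every character of the password is allowed at its pattern position."""
    positions = parse_pattern(pattern)
    if len(password) != len(positions):
        return False
    return all(ch == cands if literal else ch in cands
               for ch, (cands, literal) in zip(password, positions))


def pattern_entropy_bits(pattern):
    """Bits of entropy of the pattern's search space, assuming a uniform choice at
    each position. Escaped literals are fixed and contribute nothing."""
    return sum(math.log2(len(cands))
               for cands, literal in parse_pattern(pattern) if not literal)


def password_stats(password):
    """The counts shown by the password field indicators: length and character classes."""
    return {
        "length": len(password),
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIALS for c in password),
    }


if __name__ == "__main__":
    # The two patterns from the guide: the default one and the 'pass' + 7 digits one.
    for pat in ("CVCVdddCVCCVdC", r"\p\a\s\sddddddd"):
        pw = generate_password(pat)
        print(f"{pat:16} -> {pw:16} {pattern_entropy_bits(pat):5.1f} bits  {password_stats(pw)}")
```

Running it shows why the ‘pass’ prefix example is weak: the four escaped literals add no entropy, so the whole search space is the seven digits (about 23 bits), whereas the default pattern mixes 40-, 12- and 10-way choices.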

Note

The note field is intended for multiline information about the account. For example, the note can store a description of the account, the steps needed to log in successfully, a description of the configuration and so on.

Maximum length: 4000 characters

Connection Type

Select the connection type. If SecureAnyBox5 Launcher is installed, it is possible to open a connection directly from the account page. To create the connection, SecureAnyBox5 Launcher needs to download the values of the Address and Login fields and the stored password from the account.

In the address field, it is possible to store a hostname or an IP address, and even a port. The port has to be separated from the host by a colon (e.g., “172.22.88.75:8876” or “test.tdp.cz:887”).

Compliance profile

The compliance profile specifies the password security requirements that passwords should adhere to. The Compliance report can be used to check whether the stored passwords meet these requirements.

Secure
Connection options
You can enter additional connection parameters in the Connection options field. These are passed to the launched application by SecureAnyBox5 Launcher along with the address, username and password. Some parameters can also be set globally in the SecureAnyBox5 Launcher configuration. Parameters set for a record always take precedence over the values from the global settings.

Remote Desktop connections support the following parameters:

/admin - If your RDS servers are grouped into a collection (farm) and you need to log in directly to one specific server, you must use the /admin parameter. The parameter can also be written as /admin:true or /admin:false (e.g., to override the global settings at the SecureAnyBox5 Launcher level).

/gateway:<hostname of RD gateway> - remote desktop gateway address
/gatewayusername:<username> - username for connecting to the remote desktop gateway
/gatewaypassword:<password> - password for connecting to the remote desktop gateway

For example: /gateway:rdg.tdp.cz /gatewayusername:gatekeeper /gatewaypassword:somestrongpassword

/gatewaybypassforlocal:<true/false> - disables use of the remote desktop gateway when connecting from the local network. The parameter can also be written as /gatewaybypassforlocal:true or /gatewaybypassforlocal:false (e.g., to override the global settings at the SecureAnyBox5 Launcher level).

For other connection types (SCP, SSH, Telnet, and so on), you can specify any parameters that the application supports when started from the command line. For a detailed description, see the application’s help.

Maximum length: 2000 characters

New password

The password you use to log in.

Into this field you can store a password that you already have, or you can generate a new one by clicking the Generate password button. Generated passwords are safer and have no link to the person who made them (such as a pet’s name, a favorite actor or a nickname).

Generated passwords follow the current password pattern. Generated passwords can be edited.

While editing the password, you can see how long it is, how many lowercase letters, uppercase letters, digits or other symbols it contains, and how secure it is.

After the account record is saved, the password is encrypted. The password can be decrypted only after entering the Access Code.

Maximum length: 255 characters

Password field

number of characters

number of lowercase letters

number of uppercase letters

number of digits

number of special characters

pointer how secure the password is

button for displaying the password

time to crack password offline

password entropy (the higher the better)

Secret account form

Identification
Name

The secret account name should characterize the purpose of the stored data so that you can work more effectively and conveniently.

Each name must be unique inside a single Safe Box.
The secret account name can be modified later.

Maximum length: 255 characters

Login Site

The login site is used to specify more precisely where the stored account can be used. The value of this field is used especially by the browser extension to determine the visibility of an account.

For example, suppose the stored account is used to log in to Gmail. If the Address field is set to the URL “https://accounts.google.com” and the Login Site field is set to “google.com”, the account is visible in the browser extension on all Google login forms, even if the actual URL differs from “https://accounts.google.com”.

Maximum length: 1000 characters

Description

The description should characterize the secret account more specifically.

Only one line of text can be stored in the description. A longer text can be stored in the note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize the stored data. Tags should be specified for each record so that searching is more effective.

Multiple tags can be selected for each record. Tags must first be defined by a user with the Safe Box Manager role on the Record Tags management page in the Administration interface.

Maximum length of one tag: 32 characters

Password settings

Select the password settings that will be applied when generating a password:

  • Inherited – the settings are inherited from the domain, the parent level (Safe Box Group or Safe Box) or an assigned record tag

  • Password preset – the selected password preset is applied when generating a password. The password preset has to be defined first in the Administration interface.

  • Password pattern – when generating a password, the entered password pattern is applied

    Password preset

    A password preset is used to generate a password. The preset specifies password requirements, such as the number of uppercase letters, characters to include or exclude, minimum entropy, etc. The password preset has to be defined first in the Administration interface.

    Password pattern

    Password pattern used when generating the password for the secret account.

    Each letter in the pattern corresponds to a letter in the generated password.

    Characters allowed in the password pattern and their meaning:

    v – lowercase vowel (a,e,i,o,u,y)
    V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
    Z – upper case vowel
    c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
    C – mixed case consonant
    z – upper case consonant
    l – any alphabet character (vowel or consonant), lowercase
    A – any alphabet character, mixed case
    u – any alphabet character, upper case
    d – digit (0-9)
    s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
    n – digit or special character
    \ – escape character; the next character is used as is (e.g., the pattern ‘\-’ outputs ‘-’ in the resulting password)
    * – any allowed character

    The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
    For example, you can set the password pattern ‘\p\a\s\sddddddd’, which might generate passwords such as ‘pass1762885’ or ‘pass5687412’.

    Maximum length: 255 characters
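A generator for the pattern language described above, added here as an example (it is not SecureAnyBox5's own code): it expands each pattern character into its alphabet, draws every position from a CSPRNG, checks that a hand-edited password still fits the pattern, and computes the entropy a pattern yields (the sum of log2 of each position's alphabet size, so escaped literals such as the fixed "pass" prefix add nothing). Assumed: the commas in the guide's special-character list are separators, so "," itself is not a special character; the function names are mine.

```python
import math
import secrets
import string

# Character classes exactly as listed in the guide's pattern table.
# Assumption: the commas in the guide's special-character list are
# separators, so "," itself is not a member of class "s".
_VOWELS = "aeiouy"
_CONSONANTS = "bcdfghjklmnpqrstvwxz"
_SPECIAL = ".@&*()<>_][%$#\\/?;-:"

PATTERN_CLASSES = {
    "v": _VOWELS,
    "V": _VOWELS + _VOWELS.upper(),
    "Z": _VOWELS.upper(),
    "c": _CONSONANTS,
    "C": _CONSONANTS + _CONSONANTS.upper(),
    "z": _CONSONANTS.upper(),
    "l": string.ascii_lowercase,
    "A": string.ascii_letters,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": _SPECIAL,
    "n": string.digits + _SPECIAL,
    "*": string.ascii_letters + string.digits + _SPECIAL,
}


def compile_pattern(pattern):
    """Expand a pattern into one alphabet per output position.

    A backslash escapes the next character, which becomes a one-element
    alphabet (a fixed literal), e.g. r"\-" always emits "-".
    """
    slots = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape character")
            slots.append(pattern[i + 1])
            i += 2
            continue
        if ch not in PATTERN_CLASSES:
            raise ValueError(f"character {ch!r} is not allowed in a password pattern")
        slots.append(PATTERN_CLASSES[ch])
        i += 1
    return slots


def generate_password(pattern):
    """Draw one character per position from a CSPRNG (the secrets module)."""
    return "".join(secrets.choice(alphabet) for alphabet in compile_pattern(pattern))


def pattern_entropy_bits(pattern):
    """Entropy of a password generated from the pattern: the sum of
    log2(alphabet size) over all positions. Escaped literals contribute
    0 bits, which is why "\\p\\a\\s\\sddddddd" is only as strong as 7 digits."""
    return sum(math.log2(len(alphabet)) for alphabet in compile_pattern(pattern))


def matches_pattern(password, pattern):
    """True if a (possibly hand-edited) password still fits the pattern."""
    slots = compile_pattern(pattern)
    return len(password) == len(slots) and all(
        ch in alphabet for ch, alphabet in zip(password, slots)
    )


if __name__ == "__main__":
    for pat in ("CVCVdddCVCCVdC", r"\p\a\s\sddddddd"):
        print(f"{pat:20} {generate_password(pat):16} {pattern_entropy_bits(pat):5.1f} bits")
```

The default pattern comes out at roughly 59.6 bits, while the "pass" example gives only about 23 bits: the entropy figure shown next to a generated password is driven entirely by the pattern positions that are not fixed literals.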

    Note

    This field is intended for multiline information about the secret account. For example, the note can hold a description of the secret account, the steps needed to log in successfully, a description of the configuration and so on.

    Maximum length: 4000 characters

    Connection Type

    Select the connection type. If SecureAnyBox5 Launcher is installed, it is possible to open a connection directly from the secret account page.

    To create a connection, SecureAnyBox5 Launcher needs to download from the secret account the values of the Address and Login fields and the stored password.

    The address field can hold a hostname or an IP address, optionally followed by a port. The port has to be separated from the host by a colon (e.g. 172.22.88.75:8876 or test.tdp.cz:887).

    Compliance profile

    The compliance profile specifies the password security requirements that stored passwords should adhere to. The Compliance report can be used to check whether the passwords meet these requirements.

    Secure
    Address

    Address, link or description of where the information stored in the secret account is used.

    When the address is stored in a valid URL format (e.g. “https://192.168.1.231”), it is displayed as a link. For a location in a local network, you can use an IP address (e.g. “http://172.22.60.30”); for other websites, e-shops, etc. you can use a URL (e.g., “http://www.ebay.com”).

    Addresses can also be stored in other formats, such as SSH (e.g., “ssh://admin@myserver.com”), FTP (e.g., “ftp://myserver.com”) and so on.

    The address is an optional value.

    The address field can hold a hostname or an IP address, optionally followed by a port. The port has to be separated from the host by a colon (e.g., 172.22.88.75:8876 or test.tdp.cz:887).

    Unlike in an account, the address in a secret account is encrypted. The address can be decrypted only after entering the Access Code.

    Maximum length: 1000 characters

    Login

    The username that you use to log in.

    Unlike in an account, the login in a secret account is encrypted. The login can only be decrypted after entering the Access Code.

    Maximum length: 255 characters

    Secret Note

    The secret note field is intended for storing multiline information about the secret account. Unlike a note, the secret note is encrypted. The secret note can only be decrypted after entering the Access Code.

    Maximum length: 4000 characters

    Connection options
    You can enter additional connection parameters in the Connection options field. These are passed to the started application via SecureAnyBox5 Launcher along with the address, username and password. Some parameters can also be set globally, directly in the SecureAnyBox5 Launcher configuration. Parameters set for a record always take precedence over the values from the global settings.

    Remote Desktop connections support the following parameters:

    /admin – If your RDS servers are grouped into a collection (farm) and you need to log in directly to one specific server, you must use the /admin parameter. The parameter can also be written as /admin:true or /admin:false (e.g. to disable the global setting at the SecureAnyBox5 Launcher level).

    /gateway:<hostname RD gateway> - remote desktop gateway address
    /gatewayusername:<username> - username for connecting to the remote desktop gateway
    /gatewaypassword:<password> - password to connect to the remote desktop gateway.

    For example: /gateway:rdg.tdp.cz /gatewayusername:gatekeeper /gatewaypassword:somestrongpassword

    /gatewaybypassforlocal:<true/false> – disables the use of the remote desktop gateway when connecting from the local network. The parameter can be written as /gatewaybypassforlocal:true or /gatewaybypassforlocal:false (e.g. to disable the global setting at the SecureAnyBox5 Launcher level).

    For other connection types (SCP, SSH, Telnet and so on), you can specify any parameters that the application supports when started from the command line. For a detailed description, see the application’s help.

    Maximum length: 2000 characters
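The address syntax (host, optionally with a port after a colon) and the connection option syntax above, parsed and merged as an added example; this is not the Launcher's own code. `parse_address` splits `host[:port]` and validates the port range, `parse_connection_options` reads `/name[:value]` switches and treats `/admin` and `/gatewaybypassforlocal` as booleans that may be written bare or as `:true`/`:false`, and `effective_options` lets record-level values override the Launcher's global ones, as the text describes. The hostname rule, the treatment of a missing port and all function names are assumptions.

```python
import ipaddress
import re

# Hostname syntax (RFC 1123 labels): an assumption, the guide only says
# "hostname or IP address, port separated by a colon".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")

# Switches that may be written bare (/admin) or as /name:true|false.
_BOOL_SWITCHES = {"admin", "gatewaybypassforlocal"}


def parse_address(address, default_port=None):
    """Split a 'host[:port]' value into (host, port).

    Accepts the guide's forms, e.g. '172.22.88.75:8876' and 'test.tdp.cz:887';
    a missing port yields default_port (the connection type's usual port).
    Bare IPv6 addresses are not handled (the guide does not describe them).
    """
    text = address.strip()
    host, sep, port_text = text.rpartition(":")
    if not sep:
        host, port_text = text, ""
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port in address {address!r}")
        port = int(port_text)
    else:
        port = default_port
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not _HOST_RE.match(host):
            raise ValueError(f"invalid host in address {address!r}")
    return host, port


def parse_connection_options(text):
    """Parse '/name[:value] /name[:value] ...' into a dict.

    A bare boolean switch means True; '/admin:false' explicitly disables it.
    Values are split on whitespace, so a gateway password containing spaces
    cannot be expressed in this syntax.
    """
    options = {}
    for token in text.split():
        if not token.startswith("/"):
            raise ValueError(f"connection option must start with '/': {token!r}")
        name, _, value = token[1:].partition(":")
        name = name.lower()
        if name in _BOOL_SWITCHES:
            if value.lower() not in ("", "true", "false"):
                raise ValueError(f"/{name} accepts only true or false, got {value!r}")
            options[name] = value.lower() != "false"
        else:
            options[name] = value
    return options


def effective_options(global_text, record_text):
    """Merge Launcher-wide defaults with a record's options; record values win."""
    merged = parse_connection_options(global_text)
    merged.update(parse_connection_options(record_text))
    return merged


if __name__ == "__main__":
    print(parse_address("test.tdp.cz:887"))
    print(effective_options("/admin", "/gateway:rdg.tdp.cz /admin:false"))
```

Because the record-level dictionary is applied last, `/admin:false` on a record switches the gateway's global `/admin` off, which is the override the guide describes for disabling a global setting at record level.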

    New password

    The password you use to log in.

    You can enter a password you already have or generate a new one by clicking the Generate password button. Generated passwords are safer and have no link to the person who created them (such as a pet’s name, a favorite actor or a nickname).

    Generated passwords follow the current password pattern. Generated passwords can also be edited.

    While editing the password, you can see how long your password is, how many lowercase letters, uppercase letters, digits or other symbols it contains, and how secure it is.

    After saving a secret account record, the password is encrypted. The password can only be decrypted after entering the Access Code.

    Maximum length: 255 characters

    Password field

    number of characters

    number of lowercase letters

    number of uppercase letters

    number of digits

    number of special characters

    pointer how secure the password is

    button for displaying the password

    time to crack password offline

    password entropy (the higher the better)

File form

Identification
Name

The file name should characterize the purpose of stored data to work more effectively and conveniently.

Each name must be unique inside a single Safe Box.
The file name can be modified later.

Maximum length: 255 characters

Description

The description should more specifically characterize a file.

The description can hold only one line of text. A longer description should be stored in the note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize the stored data. The tags should be specified for each record to search more effectively.

For each record, it is possible to select multiple tags. Tags have to be previously specified by the user with the Safe Box Manager role on the Record Tags management page in the Administration interface.

Maximum length of one tag: 32 characters

Note

This field is intended for multiline information about the file. For example, the note can hold a description of the file, a list of steps for using it and so on.

Maximum length: 4000 characters

Secure
File

In this field, select a file that will be stored in this file record. Select the file from your computer or server by clicking the Browse... button.

After saving the record, the stored file is encrypted. The file can be decrypted only after entering the Access Code. After the file is decrypted, it is possible to download or change it.

Secret Note

The secret note field is intended for multiline information about the file. Unlike a note, the secret note is encrypted. The secret note can only be decrypted after entering the Access Code.

Maximum length: 4000 characters

Certificate form

Identification
Name

Certificate name should characterize the purpose of stored data to work more effectively and conveniently.

Each name must be unique inside a single Safe Box.

The certificate name can be modified later.

Maximum length: 255 characters

Description

The description should more specifically characterize a certificate.

The description can hold only one line of text. A longer description should be stored in the note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize the stored data. The tags should be specified for each record to search more effectively.

For each record, it is possible to select multiple tags. Tags have to be previously specified by the user with the Safe Box Manager role on the Record Tags management page in the Administration interface.

Maximum length of one tag: 32 characters

Note

The note field is intended for multiline information about the certificate. For example, the note can hold a description of the certificate, a list of steps for using the certificate and so on.

Maximum length: 4000 characters

Secure
Alias

The alias is used as the name under which the certificate file is stored in the repository. After saving a certificate, the alias is encrypted. The alias can be decrypted only after entering the Access Code.

Maximum length: 255 characters

Certificate

In this field, select a keystore file (a certificate, a public or a private key) that will be stored in this record. Select the file from your computer or server by clicking the “Browse...” button.

After saving the record, the stored file is encrypted. The file can only be decrypted after entering the Access Code. After decrypting the file, it is possible to download or change it.

Certificate password

The password that is used with the certificate. The password can be generated by clicking the Generate password button. Generated passwords are safer and have no link to the person who created them (such as a pet’s name, a favorite actor or a nickname).

Generated passwords are formatted by the current password pattern. Generated passwords can also be edited.

After saving a certificate record, the password will be encrypted. The password can be decrypted after entering the Access Code only.

Maximum length: 255 characters

Secret Note

The secret note field is intended for multiline information about the certificate. Unlike a note, the secret note will be encrypted. The secret note can be decrypted after entering the Access Code only.

Maximum length: 4000 characters

Credit card form

Identification
Name

The name should characterize the credit card so that you can work with it more effectively and conveniently. For example, the name of the bank, or the name of the person or company that owns the card, can be used as the card name.

Each name must be unique inside a single Safe Box.

The credit card name can be modified later.

Maximum length: 255 characters

Description

The description should more specifically characterize a credit card.

The description can hold only one line of text. A longer description should be stored in the note field.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize the stored data. The tags should be specified for each record to search more effectively.

For each record, it is possible to select multiple tags. Tags have to be previously specified by the user with the Safe Box Manager role on the Record Tags management page in the Administration interface.

Maximum length of one tag: 32 characters

Note

The note field is intended for multiline information about the credit card. For example, the note can hold a description of the credit card, the currency of the card, the payments for which the card should be used and so on.

Maximum length: 4000 characters

Secure
Number

Credit card number. After saving a record, the number will be encrypted. The number can be decrypted after entering the Access Code only.

Maximum length: 64 characters

Expiration Date

The expiration date is the last day of the credit card’s validity. If the expiration date on the card is in the MM/YY format only, the card is valid until the last day of that month (e.g., 03/16 means March 31st, 2016, 06/19 means June 30th, 2019 and so on).
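The MM/YY rule above, as an added example (not the product's code): it converts the printed date to the last day of that month, with February in leap years handled, and checks a card's validity against a given day, inclusive of the last day. Assumed: two-digit years are 20YY, which matches the guide's examples; the function names are mine.

```python
import calendar
from datetime import date


def expiry_last_day(mm_yy):
    """Turn an 'MM/YY' expiration date into the last valid day of that month.

    Assumption: two-digit years fall in 2000-2099, which matches the guide's
    examples ('03/16' is March 31st, 2016; '06/19' is June 30th, 2019).
    February is handled through calendar.monthrange, so leap years are right.
    """
    month_text, sep, year_text = mm_yy.strip().partition("/")
    if (not sep or len(month_text) != 2 or len(year_text) != 2
            or not (month_text.isdigit() and year_text.isdigit())):
        raise ValueError(f"expiration date must be MM/YY, got {mm_yy!r}")
    month, year = int(month_text), 2000 + int(year_text)
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range in {mm_yy!r}")
    return date(year, month, calendar.monthrange(year, month)[1])


def is_card_valid(mm_yy, today=None):
    """True through the last day of the expiration month, inclusive.

    `today` may be omitted (current date), a date, or an ISO 'YYYY-MM-DD' string.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return today <= expiry_last_day(mm_yy)


if __name__ == "__main__":
    for printed in ("03/16", "06/19", "02/24"):
        print(printed, "->", expiry_last_day(printed))
```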

CVV

The CVV code is usually printed on the back of your card.

The code is used when paying online with the credit card.

After saving a record, the CVV code is encrypted. The CVV code can only be decrypted after entering the Access Code.

Storing the CVV code is optional.

Maximum length: 64 characters

PIN

PIN code of the credit card.

After saving a record, the PIN code is encrypted. The PIN code can only be decrypted after entering the Access Code.

Storing the PIN code is optional.

Maximum length: 64 characters

Secret Note

The secret note field is intended for multiline information about the credit card. Unlike a note, the secret note will be encrypted. The secret note can be decrypted after entering the Access Code only.

Maximum length: 4000 characters

Edit record

Account  Secret Account  File  Certificate  Credit Card

To be able to edit the record, a user must have a Modify permission for a Safe Box in which the record is stored.

To modify a record, click the Edit button on the record’s page. After clicking, an edit form is displayed. In the edit form, it is possible to change any value of the record. To edit values in the Secured section of the form, it is necessary to enter the Access Code first. Only the passwords of account and secret account records are edited differently.

To edit an account’s or secret account’s password, click the Change password button on the record’s page.

Change password

Account  Secret Account

To be able to change the record’s password, a user must have a Modify permission for the Safe Box in which the record is stored.

To change the record’s password, click the Change password button on the record’s page. After clicking, the form for entering a new password appears.

The password can be changed by entering a new password into the fields or by generating a new one. Generated passwords follow the current password pattern. Generated passwords can be edited.

Change of the record’s password has to be confirmed by entering the Access Code (unless the Access Code is cached). Have you forgotten the Access Code?

By clicking the Change password button, you can change passwords in an account and secret account type of record only. Certificate password can be changed in the edit form of certificate.

Password history

Account  Secret Account

For each account and secret account, a password history is recorded. The password history is displayed after clicking the Password History button on the record’s page.

On the password history page, all of the record’s password changes are displayed in a table.

Password history

After clicking on a row in a table and entering the Access Code, a user can view the password which was valid after that change. Have you forgotten the Access Code?

Copy as...

Account  Secret Account  File  Certificate  Credit Card

Each record can be copied, either as the same type of record or as a different type of record. To make a copy, click the Copy as ... button and select the record type.

Copy record menu

When making a copy of a record, the field values are copied to the new record – if it is possible to save such values in the selected record type. A copy of the record is created in the same Safe Box, so it is necessary to edit the name of the record.

Copy record message

After saving a copy of the record, the original record is displayed, and the newly created record can be accessed by clicking on the name of the new record in the displayed message.

Watching...

Account  Secret Account  File  Certificate  Credit Card

For each record, you can turn on two types of watching – watching changes and watching accesses to encrypted information. If someone changes the watched record or accesses its encrypted information, an e-mail notification is sent to the user who watches the record (depending on the configuration of mail notifications).

The user can customize the notification settings in user preferences.

Watching of record

Watching settings are inheritable – if you watch changes in Safe Box Group, you also watch changes in all Safe Boxes within the Safe Box Group, as well as changes in records within all Safe Boxes.
Whether the watching is set explicitly for a specific record or inherited from the parent level can be recognized by the color of the icon displayed next to the Watching... button.

Watch changes – Watching of changes is set explicitly for the record. Accesses are not watched.
Watch changes - inherited – Watching of changes is inherited from the parent level. Accesses are not watched.
Watch accesses – Watching of accesses to encrypted data is set explicitly for the record. Changes are not watched.
Watch accesses - inherited – Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watch changes, Watch accesses – Watching of changes and accesses to encrypted data is set explicitly for the record.
Watch changes, Watch accesses - inherited – Watching of changes is set explicitly for the record. Watching of accesses to encrypted data is inherited from the parent level.
Watch changes - inherited, Watch accesses – Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for the record.
Watch changes - inherited, Watch accesses - inherited – Watching of changes and accesses to encrypted data is inherited from the parent level.

By checking the Watching Changes or Watching Accesses fields, the user immediately sets explicit watching of changes or accesses for the record.

Connect

Account  Secret Account

If the record (account or secret account only) has a connection type specified, it is possible to open the connection by clicking the Connect button. To open a connection, SecureAnyBox5 Launcher must be installed on your workstation.

Connect button at the record page

If a username (login) and password are stored in the record, the user is connected to the target (server, workstation, etc.) automatically.

Move record

Account  Secret Account  File  Certificate  Credit Card

To be able to move the record, a user must have a Delete permission for the Safe Box in which the record is stored and a Create permission for the Safe Box into which the record will be moved. When moving, the record is effectively deleted from the original Safe Box and created in the target Safe Box.

To move the record, click the Move record button. After clicking, a list of locations to which the record can be moved is displayed.

Move record

In the list, the name of the Safe Box Group is blue, and after clicking it, a list of Safe Boxes stored in the Safe Box Group displays. If you want to move from a Safe Box Group to the root level, click on the first line with two dots.

The names of the Safe Boxes are black; by clicking one of them, the user selects the Safe Box to which the record will be moved. Moving the record has to be confirmed by entering the Access Code. Have you forgotten the Access Code?

All record permissions are determined by the permissions of the Safe Box in which the record is stored. By moving the record, you may change even your own permissions, and you will not be able to return the record to the original Safe Box.

All record tags are defined for the domain in which the parent Safe Box is stored. By moving the record into a Safe Box stored in another domain, all record tags will be deleted.

Move to White Envelope

Account  Secret Account  File  Certificate  Credit Card

This option is available only if the currently logged-in user has activated a White Envelope. More about White Envelopes...

To be able to move the record into a White Envelope, a user must have a Delete permission for the Safe Box in which the record is stored. When moving, the record is effectively deleted from the original Safe Box and created in the White Envelope.

To move the record into a White Envelope, click the appropriate button.
Before the record is moved into the White Envelope, the user is asked to confirm the move by entering the Access Code. Have you forgotten the Access Code?

Moving a record into a White Envelope cannot be undone.

Delete record

Account  Secret Account  File  Certificate  Credit Card

To be able to delete the record, a user must have a Delete permission for the Safe Box in which the record is stored. If the user has this permission, a cross icon ( cross icon) is displayed at the record (at the end of the row).

A record can be deleted from the Safe Box page. To delete the record, click the cross icon at the end of its row. After clicking the cross icon, the user is asked to confirm the deletion. When confirmed, the record is deleted and is no longer displayed.

Delete record

The user can immediately restore a deleted record by clicking Undo in the displayed message.

Message with Undo button

Pinned records

The user can change the order of displayed records by pinning selected records to the top of the list.
To pin a record, click the pin icon ( pin icon) in the row of the selected record and confirm the dialog.

click to pin record

pin record dialog

After the record is pinned, it is displayed at the top of the list with a pin icon.

pinned record in Grid

The order of pinned records can be managed in the form that is displayed after clicking the Edit pinned order button. To change the order of the pinned records, drag the selected record to the desired position.

edit pinned order

To unpin the record, please click the pin icon again and confirm the dialog. After unpinning, the record is displayed without the pin icon.

Search page

On the Search page, a user can search stored records (Safe Boxes, Safe Box Groups, Accounts, etc.) by their name, an assigned tag or a field value. However, it is not possible to search records by the value of an encrypted field.

To initiate the search, start typing into a search field.
You can use regular expressions when searching.

Search page

White Envelopes

Activate White Envelope Security Officers page Open White Envelope Close White Envelope Editing Mode of White Envelopes Recover White Envelope Reactivate White Envelope Initialize Security Officers Possible situations

A White Envelope is a special type of Safe Box intended to store important information to which access must not be lost. If the user who stored data in the White Envelope is unavailable, Security Officers can access this information.

The White Envelope can store the same records as any other Safe Box – accounts, files, etc.
There are two ways to add records to White Envelopes – by creating new records in the White Envelope or by moving existing records from other Safe Boxes.
Users can change stored records, but cannot delete them.
Security Officers can delete White Envelopes and the records in them, by enabling editing mode.

To be able to use White Envelopes, at least the minimum count of Security Officers needs to be set.

The Security Officer is a special type of user role. To set Security Officers, go to Users management and add the role in the user details form.

The minimum count of Security Officers depends on the settings in the SecureAnyBox5 configuration and the settings of the domain. Please check how many Security Officers are needed.

After the Security Officers are set, it is possible to activate the White Envelope.

Activate White Envelope

Only if the minimum count of Security Officers is set is it possible to activate the White Envelope. To activate the White Envelope, open the context menu by clicking the arrow next to the user’s name in the top right corner of the page and click the Activate White Envelope button.

Activate White envelope

White Envelope Page

Security Officers page

For each White Envelope, it is possible to display which Security Officers have access to it. To display the Security Officers with access to the White Envelope, click the Security Officers button on the White Envelope page.

Security Officers button

On the Security Officers page, you can see which Security Officers have access to the White Envelope and their e-mail addresses. Above the table of Security Officers, the number of Security Officers who need to act together to perform actions with White Envelopes is displayed.

It is possible to filter displayed Security Officers, by entering a part of their name into the Filter field.

Security Officers page

Open White Envelope

Only users with a role Security Officer can open White Envelopes of other users.

Should you need to view the encrypted values of records in another user’s White Envelope, open the White Envelope. To open the White Envelope, the minimum count (two by default) of Security Officers have to enter their Access Codes.

Minimum count of Security Officers depends on settings in the SecureAnyBox5 configuration and settings in a domain. Please check how many Security Officers are needed.

Open White envelope

In an opened White Envelope the Security Officers can view even encrypted values of records such as passwords, files, secret notes and so on.

Close White Envelope

Once the Security Officers finish their work with the records in an open White Envelope, they should close it. Security Officers can open and close the White Envelope repeatedly.

Close White envelope

Editing mode of White Envelopes

Security Officers can enable editing mode and delete White Envelopes or records in them. To enable the editing mode, two of the Security Officers have to enter their Access Code.

Minimum count of Security Officers depends on settings in the SecureAnyBox5 configuration and settings in a domain. Please check how many Security Officers are needed.

Enable editing mode

When editing mode is enabled, a first column with checkboxes is added to the tables of White Envelopes or records. The Security Officer selects which White Envelopes or records to delete by checking the appropriate rows in the table. After all White Envelopes or records to delete are selected, click the Delete selected button.

Active editing mode

Deleted White Envelopes and records from them cannot be restored.

Once the Security Officers finish their editing of White Envelopes, editing mode should be disabled. To disable editing mode, click on the appropriate button.

Disable editing mode

Recover White Envelope

After a user with an active White Envelope resets their Access Code, the White Envelope needs to be recovered. Until the White Envelope is recovered, the user cannot view or change stored records or move records from other Safe Boxes into the White Envelope.

A White Envelope can be recovered by the minimum count of Security Officers.

Recover White Envelope

Reactivate White Envelope

If the count of Security Officers fell below the minimum and new Security Officers were added, the owners of White Envelopes have to reactivate them before they can work with them.
To reactivate the White Envelope, go to the White Envelope page and confirm the warning message. When the message is confirmed, enter the Access Code. After the Access Code is entered, the White Envelope is successfully reactivated.

Reactivate White Envelope

Recover Access Code

If the user has a private key backed up in a White Envelope, it is possible for their Access Code to be restored. To reset the Access Code, Security Officers must first open the White Envelope. Once the White Envelope is opened and the private key backup is stored in the White Envelope, the button Recover Access Code will appear in the menu of the White Envelope.

Recover Access Code button

After clicking the button, the Security Officer is asked to confirm that they want to recover the Access Code of the owner of the White Envelope.

Confirmation of Access Code recovery

After confirming that the Security Officer wants to recover the Access Code, the currently logged-in user is prompted to enter their own Access Code. It is then possible to set a new Access Code for the owner of the White Envelope.

Recovery of the Access Code

Initialize Security Officers

There are two reasons for initializing Security Officers: a user became a new Security Officer, or a current Security Officer reset their Access Code.

Only two other Security Officers can initialize a Security Officer. To initialize Security Officers, click on the Initialize Security Officers button. After that, two of the Security Officers have to enter their Access Code.

Add/Init Security Officers

After successful initialization, the Security Officer has access to the White Envelopes of other users and may perform all operations with White Envelopes like the other Security Officers (open, close or recover a White Envelope, or initialize a Security Officer).
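The threshold behaviour described in the Open White Envelope and Initialize Security Officers sections (a minimum count of Security Officers, two by default, must act together to open an envelope or to bring a new officer in by sharing the key parts) can be illustrated with Shamir's secret sharing. This is an added example and not SecureAnyBox5's own mechanism, which the guide does not describe: the envelope key is split into one share per officer, any `threshold` shares recover it, fewer reveal nothing about it, and the same `threshold` shares can mint a share for a newly added officer. If fewer shares than the threshold survive, the key cannot be recovered at all, which is the situation the guide calls "below the minimum". The field prime, the share layout and all function names are mine.

```python
import secrets

# Arithmetic is done modulo a Mersenne prime; the key is an integer below it.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points, x0):
    """Evaluate the unique polynomial through `points` at x0 (Lagrange, mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_key(key, threshold, officers):
    """Give each Security Officer a share; any `threshold` shares reconstruct `key`.

    The key is the constant term of a random polynomial of degree threshold-1;
    officer i receives the point (i, poly(i)).
    """
    if not 0 <= key < P or not 1 <= threshold <= len(officers):
        raise ValueError("key out of range or threshold not satisfiable")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {name: (x, _eval_poly(coeffs, x)) for x, name in enumerate(officers, start=1)}


def open_envelope(shares, threshold):
    """'Open White Envelope': at least `threshold` officers present their shares."""
    if len(shares) < threshold:
        raise PermissionError(f"{threshold} Security Officers needed, {len(shares)} present")
    return _interpolate(list(shares)[:threshold], 0)


def initialize_officer(shares, threshold, new_x):
    """'Initialize Security Officers': `threshold` existing officers mint a share
    for a new officer at an unused index. The polynomial is evaluated at new_x,
    not at 0, so the key itself is never materialized in this step."""
    if new_x == 0 or any(x == new_x for x, _ in shares):
        raise ValueError("new share index must be non-zero and unused")
    if len(shares) < threshold:
        raise PermissionError("not enough Security Officers to initialize a new one")
    return new_x, _interpolate(list(shares)[:threshold], new_x)


if __name__ == "__main__":
    key = secrets.randbelow(P)                      # constructed envelope key
    shares = split_key(key, 2, ["alice", "bob", "carol"])
    print(open_envelope([shares["alice"], shares["carol"]], 2) == key)
    dave = initialize_officer([shares["alice"], shares["bob"]], 2, 4)
    print(open_envelope([dave, shares["carol"]], 2) == key)
```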

Possible situations

Count of Security Officers is not sufficient

If a Security Officer is deleted and the count of Security Officers is not sufficient (below the threshold set in the domain), it is necessary to add new Security Officers. After the new Security Officers are added, the current Security Officers need to initialize the new ones to share the White Envelope key parts with them.

message

Count of Security Officers is below the minimum

If a Security Officer is deleted and the count of Security Officers is below the minimum (set in the domain), it is necessary to set new Security Officers.

All White Envelopes have been reset. Reactivating them is necessary.

message

Deleted Security Officer has been re-added

If a Security Officer has been deleted and then re-added, it is necessary to set them as a Security Officer again. After the user has the Security Officer role set, they can be initialized.

Downloads

At the Downloads page, you can download SecureAnyBox5 Importer, SecureAnyBox5 Launcher, web extensions, SecureAnyBox5 Manager plugins for FAR and Total Commander, and a trial version of CBT client.

Downloads page - Safe Boxes Tools

SecureAnyBox5 Importer

SecureAnyBox5 Importer is a utility intended to import records from CSV files and KeePass. From KeePass, it is possible to import records from kdb, kdbx, and xml files.

SecureAnyBox5Importer window

When importing records from a CSV file, it is necessary to map account fields to the columns of the CSV file. After the CSV file is selected, the Field map is displayed. When the mapping of columns to the appropriate fields is finished, it is possible to save the map for later use.

Field Map - SecureAnyBox5 Importer

When importing records from KeePass, it is possible to choose a record type, and view record values by double-clicking a record row in the Import preview.

Record  detail - SecureAnyBox5 Importer

After clicking the Import button, it is necessary to log in to the SecureAnyBox5 server (and enter the 2FA code if required), enter the Access Code, and select the Safe Box into which the records will be imported. After the import is performed, an import report is displayed.

Import - SecureAnyBox5Importer

SecureAnyBox5 Launcher

SecureAnyBox5 Launcher is a MS Windows application. In Safe Boxes is intended to be used to connect from (secret) accounts and for communication between web extensions and SecureAnyBox5 server

SecureAnyBox5 Launcher is an MS Windows application (.NET Framework 4.5.2 or higher required) delivered as an MSI package. After installation, the application runs in the system tray and registers the custom URI scheme for sab:// links from the SecureAnyBox5 web interface.

In a SecureAnyBox5 account or secret account, you can set the connection type (RDP/SSH/SCP/SFTP/TELNET/WINBOX/RASDIAL). After clicking the Connect button on the (secret) account page where the connection type is set, the web browser passes a custom URI (sab://) to SecureAnyBox5 Launcher.

Depending on the URI value, SecureAnyBox5 Launcher selects the appropriate plugin (currently PuTTY for SSH, WinSCP for SCP/SFTP, MikroTik Winbox for WINBOX, and Remote Desktop for RDP). SecureAnyBox5 Launcher then downloads the account data using the one-time token received in the URI and starts the selected plugin.

To create a connection, SecureAnyBox5 Launcher needs to download the values of the account's Address and Login fields and the stored password.

The Address field can hold a hostname or an IP address, optionally followed by a port. The port has to be separated from the host by a colon (e.g., "172.22.88.75:8876" or "test.tdp.cz:887").
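The dispatch flow just described (URI from the browser, plugin selection by connection type, one-time token, host and port taken from the Address field) can be modelled end to end. The following is an added example written for this guide in Python; it is not the SecureAnyBox5 Launcher's own code (which is a .NET application). The plugin table and the host:port rule come from the text above; the exact layout of the sab:// URI (a "type" and a "token" query parameter), the account data and the server-side one-time token store are assumptions made so that the example runs. Bracketed IPv6 literals are accepted as an extension the guide does not mention.

```python
"""Model of the Launcher's connection dispatch described in the guide.

Added example, not SecureAnyBox5 Launcher code. The plugin table and the
host:port rule come from the guide; the sab:// URI layout ('type' and
'token' query parameters) and the one-time token store are assumptions
made so the flow can be run end to end. Account data is constructed."""
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit
import secrets

# Connection type -> plugin, as the guide lists them. TELNET and RASDIAL are
# connection types on the page for which no plugin is named.
PLUGINS = {
    "SSH": "PuTTY",
    "SCP": "WinSCP",
    "SFTP": "WinSCP",
    "WINBOX": "MikroTik Winbox",
    "RDP": "Remote Desktop",
}

# Constructed account store: the data the Launcher downloads once the token is redeemed.
ACCOUNTS = {
    "acc-1": {"address": "test.tdp.cz:887", "login": "admin", "password": "constructed-secret"},
    "acc-2": {"address": "172.22.88.75:8876", "login": "ops", "password": "constructed-secret"},
}


def parse_address(address: str) -> tuple[str, int | None]:
    """Split an Address field value into (host, port); port is None if absent.

    Guide rule: an optional port follows the host after a colon, e.g.
    "172.22.88.75:8876" or "test.tdp.cz:887". Bracketed IPv6 literals such as
    "[2001:db8::1]:22" are handled as an extension the guide does not mention.
    """
    address = address.strip()
    if address.startswith("["):                                # IPv6 literal
        host, closed, rest = address[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed IPv6 address: {address!r}")
        port_str = rest[1:]
    else:
        if address.count(":") > 1:
            raise ValueError(f"ambiguous address, bracket IPv6 literals: {address!r}")
        host, _, port_str = address.partition(":")
    if not host:
        raise ValueError(f"missing host in {address!r}")
    if port_str == "":
        return host, None
    if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        raise ValueError(f"invalid port in {address!r}")
    return host, int(port_str)


class OneTimeTokenStore:
    """Assumed server-side model of the one-time token: each token is redeemable
    exactly once, so a replayed or forged sab:// URI yields no account data."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}          # token -> account id

    def issue(self, account_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[token] = account_id
        return token

    def redeem(self, token: str) -> str | None:
        return self._pending.pop(token, None)      # pop() makes the token single-use


def parse_sab_uri(uri: str) -> tuple[str, str]:
    """Return (connection type, token) from an assumed sab://connect?type=..&token=.. URI."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "sab":
        raise ValueError(f"not a sab:// URI: {uri!r}")
    query = parse_qs(parts.query)
    try:
        return query["type"][0].upper(), query["token"][0]
    except (KeyError, IndexError):
        raise ValueError("sab:// URI lacks type or token") from None


def select_plugin(conn_type: str) -> str:
    try:
        return PLUGINS[conn_type]
    except KeyError:
        raise ValueError(f"no plugin for connection type {conn_type!r}") from None


def launch(uri: str, store: OneTimeTokenStore, accounts: dict) -> dict:
    """Parse the URI, pick the plugin, redeem the token, read the account."""
    conn_type, token = parse_sab_uri(uri)
    plugin = select_plugin(conn_type)               # reject unsupported types before using the token
    account_id = store.redeem(token)
    if account_id is None:
        raise PermissionError("token unknown or already used; refusing to download account data")
    account = accounts[account_id]
    host, port = parse_address(account["address"])
    # The password goes to the plugin only; it is neither returned nor logged here.
    return {"plugin": plugin, "host": host, "port": port, "login": account["login"]}


if __name__ == "__main__":
    store = OneTimeTokenStore()
    uri = f"sab://connect?type=ssh&token={store.issue('acc-1')}"
    print(launch(uri, store, ACCOUNTS))
```

Note that `select_plugin` runs before the token is redeemed, so a URI with an unsupported connection type fails without consuming the token, while a second presentation of the same URI is refused because `redeem` has already removed it.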

The locations of WinSCP, MikroTik Winbox, and PuTTY are detected automatically in Program Files but can be set manually in the SecureAnyBox5 Launcher settings. To open the SecureAnyBox5 Launcher settings, left-click the SecureAnyBox5 Launcher icon in the system tray and click Settings in the displayed context menu.

SecureAnyBox5 Launcher context menu

In the SecureAnyBox5 Launcher Settings, you can edit the settings for the Web extensions, change the locations of WinSCP, MikroTik WinBox, and PuTTY, set the size of the Remote Desktop window, and adjust the clipboard and printer settings.

SecureAnyBox5 Launcher Settings

Approval of exceptions for SSL Certificates

If the SecureAnyBox5 server uses an SSL certificate that is not trusted in Windows, a warning window is displayed when Launcher connects to the server to warn about the potential security risk. This can happen because the certificate is signed by a certification authority that Windows does not trust, or because it is self-signed.

Certificate exception

Please check with your administrator first to verify that the certificate is valid (e.g., a self-signed certificate). If so, you can accept it and approve the exception by clicking the I have verified that this is a valid certificate button and then the Accept button. If you do not want this warning to appear again, you can permanently approve the exception by selecting the Accept this certificate permanently checkbox.

If this warning suddenly appears, and you have used Launcher before, it is very likely a security incident. In this case, do not approve the exception and contact your administrator!

Previously accepted exceptions can be reset in the Launcher settings in the Web Extension section, by clicking the Reset certificate exceptions button. It will remove only exceptions accepted in SecureAnyBox5 Launcher. Other exceptions for certificates that you may have approved on your system or browsers will remain.

Launcher configuration enforced by Windows registry

Part of the SecureAnyBox5 Launcher configuration can be enforced by setting it in the Windows registry (HKLM).
When SecureAnyBox5 Launcher starts, settings are loaded first from the Launcher's own settings and then from the Windows registry (HKLM). Values are overwritten as they load and the last loaded value is used, so a value set in the registry takes precedence over the corresponding Launcher setting.
All Web extension settings and the RDP gateway can be stored in the Windows registry.

Launcher settings keys are stored in HKEY_LOCAL_MACHINE\SOFTWARE\TDP\SecureAnyBox Launcher. For a list of keys and recommended values, download the README file.

Click to download Launcher configuration enforced by Windows registry README file

You can also download a registry example file and edit key values in the file. After the file is edited, run it.

Click to download the Windows registry example file

SecureAnyBox5 browser extensions for Mozilla Firefox and Google Chrome

SecureAnyBox5 browser extensions simplify logging in to accounts on websites using stored accounts in SecureAnyBox5.

If the extension recognizes the login fields on a web page, it offers to fill in credentials from one of the accounts saved in SecureAnyBox5. The extension also allows users to create accounts with login information directly from the website where they will be used.

The browser extension communicates with SecureAnyBox5 Launcher, which communicates with the SecureAnyBox5 server, so SecureAnyBox5 Launcher (minimum version 2.0.0.x) must also be installed for the browser extensions to work.

Installation of browser extension
Mozilla Firefox

Download the Firefox extension to your computer and drag and drop it into the Firefox window.

Add FF extension

Confirm installation of the extension by clicking the Add button.

Extension added

The SecureAnyBox5 extension for Firefox is successfully installed.

Google Chrome

On the Downloads page, click the Chrome Extension for SecureAnyBox5 link and install the web extension from the Chrome Web Store.

Work with SecureAnyBox5 browser extensions

When you access a web page with a login form, the SecureAnyBox5 vault icon ( vault icon) appears in the password entry field, for example at paypal.com.

vault icon at the Paypal page

After clicking the vault icon, a login window appears, asking you to log on to the SecureAnyBox5 server. Launcher remembers a successful login until restart, logout, or session timeout, if one is set on the server.

Login window

Note: When you use the extension for the first time, you may first see the SecureAnyBox5 Server Address window. Use the same address you use to access the SecureAnyBox5 web interface.

Enter SecureAnyBox5 Address

If KeyShield SSO login is configured on the SecureAnyBox5 server and the user is logged in to KeyShield, this part of the authentication is performed automatically.

If the user has two-factor authentication set, the second-factor code is requested after login.

2FA in extension

After successful authentication to the SecureAnyBox5 server, a window appears with a list of records that can be used to log in to the web service. All relevant accounts from all Safe Boxes to which the user has access are displayed.

Select record to use for login

Accounts are displayed ranked by relevance calculated based on data stored by SecureAnyBox5. The default search is based on URLs in the Address and Login Site fields. If the relevant account is stored in SecureAnyBox5 but does not have a filled URL in the appropriate fields, it is still possible to search for it manually, by entering the search term (e.g., name, description, etc.) into the Find field.

After selecting the account (by double-clicking, pressing Enter, or selecting and clicking OK), you are asked to enter the Access Code.

The Access Code can be temporarily cached by Launcher (see Settings), so the Access Code will not be required for repeated accesses within the time limit.

Enter the Access Code

After entering a valid Access Code, the Launcher fills the selected credentials into the login fields.

Context menu

If the login is divided into several steps (e.g., Google account, etc.), or if the password field is non-standard and does not display the extension icon, you can use the context menu instead of clicking the icon. The context menu is displayed by right-clicking in the user name or password field.

Under the SecureAnyBox5 section, the Fill username and Fill password options are available (in both cases, the record selection dialog is displayed). If a record has already been used on this page, additional options are available: “Enter username for...” and “Enter password for...”

Extension context menu

Add account

Using the context menu, it is possible to create a new account directly from the website, without using the SecureAnyBox5 web interface.
In the context menu, click Add account to display a form with pre-filled Name, Address, and Login Site fields.

Add account form

In the Create in Safe Box field, select the Safe Box in which you want to create the new account by clicking the button with three dots.
In the Username field, enter the username.
In the Password and Repeat password fields, enter the password. In addition to manual entry, the password can be generated.
When generating the password, you can choose from two preset modes: Very strong (the password is generated from all characters) and Strong (special and easily confused characters are omitted).

If you need to meet any specific password requirements (number of characters or numbers, special characters, etc.), you can create your own generating rule by clicking the gear button ( gear icon) next to the Generate button.

Custom password requirement settings

When all values are set, the account can be saved by clicking the OK button. Depending on the settings for remembering the Access Code, it may be necessary to enter the Access Code again.

SecureAnyBox5 Manager plugin for Total Commander

SecureAnyBox5 Manager plugin allows you to work with data in Safe Boxes via Total Commander.

Installation

Open the zip file in Total Commander (64-bit version). Total Commander automatically detects that it is a plugin and guides you through the installation. All dialog boxes have to be confirmed (Yes / OK).

SecureAnyBox5 Manager plugin for Total Commander installation

Configuration

After the SecureAnyBox5 Manager plugin is installed, the SecureAnyBox5 directory is available as a Network Neighborhood place. To open the directory for the first time, you need to enter the SecureAnyBox5 server address, login information, etc. The next time the connection is opened, only the password is requested.

Select “Network Neighborhood” as a disk drive

SecureAnyBox5 Manager plugin for Total Commander configuration

The SecureAnyBox5 directory is now available as a Network Neighborhood place.

SecureAnyBox5 Manager plugin for Total Commander configuration

Each time you access the plugin directory, a new directory named SecureAnyBox5-hh.mm.ss (where hh.mm.ss is the current time) is created.

SecureAnyBox5 Manager plugin for Total Commander configuration

In this directory, you have to create a connection to the SecureAnyBox5 server using the F7 key.
As the first step, enter a connection name.

SecureAnyBox5 Manager plugin for Total Commander configuration

In the next step, enter the SecureAnyBox5 URL address. (The address can be obtained from any Safe Box detail via the menu Import... > Copy SecureAnyBox5 address.)

SecureAnyBox5 Manager plugin for Total Commander configuration

Next, enter the user name of the user who will connect to the SecureAnyBox5

SecureAnyBox5 Manager plugin for Total Commander configuration

and domain name. If you are using only one domain (the default System domain), you do not have to enter its name.

SecureAnyBox5 Manager plugin for Total Commander configuration

The newly created connection is displayed as a folder.

SecureAnyBox5 Manager plugin for Total Commander configuration

You can view the saved connection details by pressing Alt + Enter.

SecureAnyBox5 Manager plugin for Total Commander configuration

The connection to the server is made by entering the connection folder (a password is requested). After entering the password, a list of Safe Boxes is displayed.

SecureAnyBox5 Manager plugin for Total Commander configuration

Shortcut Keys

Enter - Copies the password of an account, secret account, or credit card record to the clipboard.

The plugin allows you to edit a file or certificate in the program associated with that file type. After the modified file is saved, a new version of the file is created.

Alt+Enter - Displays the properties of an account, secret account, etc.

Account detail

F3 View - Displays the file if the record is File or Certificate.

F4 Edit - Edits a file if the record is File or Certificate.

F5 Copy - Copies the file(s) or certificate(s) from/to SecureAnyBox5. Only file and certificate records can be copied.

F6 Move - Move is not supported.

F7 New Folder - Only in connection overview. Creates a new connection and writes data (connection name, URL, domain and username) to the registry.
The plugin does not create new records.

F8 Delete - Deleting records is not supported.

Deleted records

On the Deleted records page, a user can manage deleted records (such as Safe Boxes, Safe Box Groups, Accounts, etc.).

Deleted records can be permanently removed or restored to the original location.

Deleted records

You can permanently remove multiple records at one time by selecting them and clicking the Remove selected button. The button is only displayed if some of the deleted records are selected. Removing the selected records has to be confirmed.

Selected deleted records can be restored by clicking the Restore selected button. The button is displayed only if some of the deleted records are selected.
Deleted records can also be restored to their original location by clicking the restore icon ( restore icon) at the end of a row. Restoring the record has to be confirmed.

Audit log

The Audit log page displays a log of users' actions in Safe Boxes, Safe Box Groups, White Envelopes and all records inside them. Depending on the user role, either only the actions of the currently logged-in user or the actions of all users are shown.

Audit log

Users can filter the displayed actions by entering text into the search field. Searching is possible on the values of the IP, User, and Action columns.

The filtered audit log results can be exported by clicking the Download button.

The audit log can be refreshed manually by clicking the Refresh button, or automatically by clicking the Enable autorefresh button. Automatic refresh can be turned off by clicking the Disable autorefresh button.

Clicking the Select Safe Box button allows you to filter the audit log results to a specific Safe Box. Once a Safe Box is selected, the audit log shows data only for that Safe Box. If you want to show data only for one specific record from the selected Safe Box, click the Select record button.

All audit log events are specified in the Overview of Audited Events.

Reports

Access to Records

The Access to Records report shows all records into which the selected user has entered the Access Code, to view encrypted values. To run the report, select a user.

In the report results, records to which the currently logged-in user does not have access are not displayed even if the selected user accessed them. To view all records the selected user accessed, use the report with the same name in the Audit part.

Report access to Records

In the report results, you can click a record name. The record page then displays in a new tab, where you can check details or even change the encrypted values. If the password has changed, the record is no longer displayed in the report results for the selected user, because that user did not access the changed password.

To refresh the report results, click the Refresh button.

Access to Safe Box

The Access to Safe Box report shows all records from the selected Safe Box into which users have entered the Access Code to view encrypted values.

In this report, Safe Boxes to which the currently logged-in user does not have access cannot be selected. To see results for any Safe Box (even a private one) within the currently logged-in user's domain, use the report with the same name in the Audit part.

Report access to Safe Box

In the report results, you can click a record name. The record page then displays in a new tab, where you can check details or even change the encrypted values. If the password has changed, the users who accessed the record are no longer displayed in the report results, because they did not access the changed password.

To refresh the report results, click the Refresh button.

Watching report

The Watching report displays the Safe Box Groups, Safe Boxes, and records that the currently logged-in user is watching at the selected level.

Watching report

The following icons are used to distinguish whether watching is set explicitly or is inherited from the parent level:

Watch changes Watching of changes is set explicitly for that level. Accesses are not watched.
Watch changes - inherited Watching of changes is inherited from the parent level. Accesses are not watched.
Watch accesses Watching of accesses to encrypted data is set explicitly for that level. Changes are not watched.
Watch accesses - inherited Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watch changes Watch accesses Watching of changes and accesses to encrypted data is set explicitly for that level.
Watch changes Watch accesses - inherited Watching of changes is set explicitly for that level. Watching of accesses to encrypted data is inherited from the parent level.
Watch changes - inherited Watch accesses Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for that level.
Watch changes - inherited Watch accesses - inherited Watching of changes and accesses to encrypted data is inherited from the parent level.

If the selected Safe Box inherits watching of accesses and/or changes from its Safe Box Group, the Safe Box Group is also displayed in the report results for the selected Safe Box.

Safe Box inherits watching from Safe Box Group

Permissions

The Permissions report displays the permissions of the selected user to all Safe Boxes, Safe Box Groups and the domain's root level. The results are filtered by the permissions of the currently logged-in user: the currently logged-in user sees the selected user's permissions only for those Safe Boxes, Safe Box Groups and the domain's root level for which the currently logged-in user also has permissions.

To display results, click the Select user button and wait for a list of users. In the displayed list, select a user for which you want to display results.

Permissions report results

The following icons are used to distinguish the level for which the permissions are set:

domains icon - Root level of domain
safe group icon - Shared (non-private) Safe Box Group
private safe box group - Private Safe Box Group
safe box - Shared (non-private) Safe Box
private safe box - Private Safe Box

To manage permissions for a specific level, click its name in the search results. The Sharing & Permissions page for that level opens in a new browser tab, where permissions for other users can be managed.

Permission Templates Assignment

The Permission Templates Assignment report shows all permission templates set for the selected user tag. The results are filtered by the permissions of the currently logged-in user: the currently logged-in user sees permission templates only for those Safe Box Groups and Safe Boxes for which the currently logged-in user has permissions.

To display results, click the Select user tag button and wait for a list of user tags. In the displayed list, select a user tag for which you want to see results.

Permission Templates Assignment report results

The following icons are used to distinguish the level for which the permissions are set:

domains icon - Root level of domain
safe group icon - Shared (non-private) Safe Box Group
private safe box group - Private Safe Box Group
safe box - Shared (non-private) Safe Box
private safe box - Private Safe Box

Passwords Audit

The Passwords Audit report displays all records that the logged-in user has access to and, for the passwords of the displayed records, computes the password entropy and the time to crack the password, and alerts on duplicate passwords.

To display results, select a level of audit:

When the level of audit is selected, the user is prompted to enter the Access Code. Have you forgotten the Access Code?

After the Access Code is entered, SecureAnyBox5 checks all records that can be decrypted with the entered Access Code, obtains their passwords and computes the report results.

To calculate password entropy and the other values, SecureAnyBox5 uses the password strength estimator nbvcxz. The estimator is inspired by password crackers.
Strength estimation is performed by running a password through different algorithms and looking for matches in any part of the password against word lists (with fuzzy matching), common dates, common years, spatial patterns, repeated characters, repeated sets of characters, and alphabetic sequences.
Each of these represents a way an attacker might try to crack a password. More information...

The calculation of the password entropy is more accurate if custom password dictionaries are added.

We strongly recommend adding a dictionary of the commonly used passwords in your language, a dictionary with names of towns, streets in your area etc. You should also add the default passwords used by your company to the dictionaries.

A password dictionary is usually a .txt file with one word per line. If you cannot find a suitable password dictionary, you can create one yourself.

There are two types of password dictionaries:

  • ranked - which are sorted by the frequency of password usage
  • unranked - which can be alphabetically sorted or even unsorted

Password dictionaries need to be added to the "<SecureAnyBox5 folder>/files/dictionaries/<type of dictionary>" folder.

Examples:

You want to add a dictionary with the names of cities and streets near you. All names are in a text file, one per line.

In that case, the dictionary is unranked (it does not matter whether the names are alphabetically ordered or not). Add the dictionary to the unranked folder inside the dictionaries folder (e.g., “C:\SecureAnyBox\files\dictionaries\unranked\”).

You want to add a dictionary with the most common passwords, ordered by the frequency of password usage.

In that case, the dictionary is ranked. Add the dictionary to the ranked folder inside the dictionaries folder (e.g., “C:\SecureAnyBox\files\dictionaries\ranked\”).

After the dictionaries are added, SecureAnyBox5 must be restarted. After the restart, the dictionaries are applied to the calculation of the password entropy.

Report Used Passwords

When loaded, the results display the Safe Box Groups and Safe Boxes stored at the root level. By clicking the plus icon ( expand icon), you can see more detailed results: each Safe Box inside a Safe Box Group, or each account and secret account inside a Safe Box.

The result for a Safe Box Group or Safe Box displays the lowest Password Entropy of all records inside it and how many passwords of the records inside it are duplicates.

To keep the report results better organized, detailed results can be collapsed into results for a Safe Box or even a Safe Box Group.
After clicking a record name, the record page displays in a new tab. On the record page, you can also change the password to a more secure one.

To refresh the report results, click the Run Report button again.

Password entropy

Password entropy is a measure of how unpredictable a password is. The higher the value, the better.
Based on the password entropy value, SecureAnyBox5 recognizes four levels of password security:

| Password security | Icon    | Min. | Max. | Description |
|-------------------|---------|------|------|-------------|
| really bad        | error   | 0    | 20   | password should be changed immediately |
| unsatisfactory    | warning | 20   | 35   | password does not meet security standards, should be changed |
| satisfactory      |         | 35   | 50   | password meets security standards, but it can be better |
| really good       | success | 50   |      | password is really secure |

Time to crack online/offline

Depending on the password strength, SecureAnyBox5 computes how long it would take to crack your password online and offline. The longer and more unpredictable your password is, the better.

Duplicity

SecureAnyBox5 checks passwords for duplicates. If there are any, the number of duplicate passwords is displayed. For security reasons, we recommend changing duplicate passwords to unique ones.

If the number of duplicates is lower than or equal to five, a warning icon ( warning icon) displays. If the number of duplicates is higher than six, an error icon ( error icon) displays.
Next to the number of duplicates, you can click the button ( button to show records) to show the records with the same password.

Last password change

The date and time of the last password change.

Time since change

The elapsed time since the last password change. If the time since the change is two years or more, a warning icon ( warning icon) displays.
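The checks that make up the Passwords Audit report (the entropy levels, the duplicate count and its icons, the two-year age warning, and the ranked/unranked dictionary layout) can be put together as a small program. The following is an added example written in Python for this guide; it is not SecureAnyBox5 code. The entropy figures are supplied as inputs standing in for the estimate that the nbvcxz library produces on the server (they are not computed here), the thresholds are those stated above, and the sample records and dictionary are constructed. The treatment of boundary values (20, 35 and 50 bits counted as the higher level; exactly six duplicates shown as a warning) is an assumption, since the guide does not spell it out.

```python
"""Model of the Passwords Audit checks described in the guide.

Added example, not SecureAnyBox5 code. Entropy figures are taken as inputs
(standing in for the nbvcxz estimate the server computes); the entropy bands,
duplicate icons, two-year warning and dictionary layout follow the guide.
Sample records and the sample dictionary are constructed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Entropy bands (bits) from the guide's table; lower bound inclusive (assumption).
ENTROPY_LEVELS = [(50, "really good"), (35, "satisfactory"),
                  (20, "unsatisfactory"), (0, "really bad")]
AGE_WARNING = timedelta(days=2 * 365)     # "two years or more", approximated in days


@dataclass
class Record:
    name: str
    safe_box: str
    password: str          # already decrypted with the Access Code; never log it
    entropy_bits: float    # estimator output, taken as given in this example
    last_change: datetime


def entropy_level(bits: float) -> str:
    for lower, label in ENTROPY_LEVELS:
        if bits >= lower:
            return label
    raise ValueError("entropy cannot be negative")


def duplicate_icon(others: int) -> str | None:
    """Icon for the number of *other* records sharing the same password."""
    if others == 0:
        return None
    # Guide: <= 5 -> warning, > 6 -> error. Exactly six is not covered; shown as warning (assumption).
    return "error" if others > 6 else "warning"


def parse_dictionary(text: str, ranked: bool) -> dict[str, int | None]:
    """One word per line. In a ranked list the line number is the rank (1 = most common)."""
    words: dict[str, int | None] = {}
    for rank, line in enumerate(text.splitlines(), start=1):
        word = line.strip()
        if word and word not in words:
            words[word] = rank if ranked else None
    return words


def load_dictionaries(root: Path) -> dict[str, int | None]:
    """Read <root>/ranked/*.txt and <root>/unranked/*.txt, root being the
    <SecureAnyBox5 folder>/files/dictionaries folder named in the guide."""
    merged: dict[str, int | None] = {}
    for kind in ("ranked", "unranked"):
        folder = root / kind
        if folder.is_dir():
            for path in sorted(folder.glob("*.txt")):
                for word, rank in parse_dictionary(path.read_text(encoding="utf-8"), kind == "ranked").items():
                    merged.setdefault(word, rank)
    return merged


def audit(records: list[Record], dictionary: dict[str, int | None], now: datetime) -> list[dict]:
    """One result row per record, mirroring the report's columns."""
    by_password = Counter(r.password for r in records)
    rows = []
    for r in records:
        others = by_password[r.password] - 1
        rows.append({
            "record": r.name,
            "safe_box": r.safe_box,
            "entropy_bits": r.entropy_bits,
            "level": entropy_level(r.entropy_bits),
            "duplicates": others,
            "duplicate_icon": duplicate_icon(others),
            "age_warning": now - r.last_change >= AGE_WARNING,
            "dictionary_word": r.password in dictionary,   # exact hit only; nbvcxz also fuzzy-matches
        })
    return rows


def summarize_safe_boxes(rows: list[dict]) -> dict[str, dict]:
    """Per Safe Box: the lowest entropy inside it and how many records share a password."""
    summary: dict[str, dict] = {}
    for row in rows:
        s = summary.setdefault(row["safe_box"], {"min_entropy": float("inf"), "duplicates": 0})
        s["min_entropy"] = min(s["min_entropy"], row["entropy_bits"])
        s["duplicates"] += 1 if row["duplicates"] else 0
    return summary


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)            # fixed "now" so results are reproducible
SAMPLE_DICTIONARY = parse_dictionary("123456\npassword\nqwerty\n", ranked=True)   # constructed
SAMPLE_RECORDS = [  # constructed; entropy figures are illustrative, not nbvcxz output
    Record("fileserver admin", "Infra", "password", 6.0, datetime(2021, 6, 1, tzinfo=timezone.utc)),
    Record("backup svc", "Infra", "password", 6.0, datetime(2023, 11, 1, tzinfo=timezone.utc)),
    Record("router", "Infra", "V7$kq!2Lm#9zR", 72.3, datetime(2023, 12, 1, tzinfo=timezone.utc)),
    Record("crm login", "Sales", "Summer2019", 24.5, datetime(2019, 7, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS, SAMPLE_DICTIONARY, NOW):
        print(row)
    print(summarize_safe_boxes(audit(SAMPLE_RECORDS, SAMPLE_DICTIONARY, NOW)))
```

Duplicates are counted as the number of other records sharing the password, so two records with the same password each show one duplicate; the Safe Box summary counts how many of its records are involved in any duplication, which is why the constructed "Infra" Safe Box reports two.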

Search for password

The Search for password report allows the user to see which records have a particular password. To run the report, enter the password you want to search for into the search field. After entering the password, click the search button ( search button) or press the Enter key. The entered password can be viewed at any time by clicking the eye button ( eye button).

Once the Access Code is entered, SecureAnyBox5 decrypts all passwords to which the user has access. It then compares each decrypted password with the searched one, and all records with the same password are displayed in the report results. SecureAnyBox5 also computes the entropy of the searched password and displays it beside the search field. More about the entropy...

report Search for Password

Compliance

The Compliance report allows you to check whether stored passwords adhere to security requirements.
To run the report, you need to create a scope or open a previously stored one. Once the scope is created or opened, the user is prompted to enter the Access Code. After the Access Code is entered, the SecureAnyBox5 server starts running the report. When the report results are displayed, they can be filtered in the header row of the results table.

A scope can be saved for later use. From the report, it is possible to generate PDF protocols or get the raw data in xlsx format.

Audit

The Audit is the part of the SecureAnyBox5 application accessible only to users with the Auditor role. Three reports and the audit log of all parts of the application are available to auditors. Each auditor can audit within the domain to which the auditor belongs; the only exception is an auditor from the System domain, who can audit all domains.

Access to Records

The Access to Records report shows all records into which the selected user has entered the Access Code, to view encrypted values. To run the report, select a user.

Report Access to Records

In the report results, all records to which the currently logged-in user has access are shown in blue. After clicking such a record, the record page displays in a new tab, where you can check details or even change the encrypted values.
If a record name is black, the currently logged-in user has no access to the record and nothing happens after clicking it.
If a record name is crossed out, the record has been deleted but can still be restored on the Deleted records page.

If the password has changed, the record is no longer displayed in the report results for the selected user, because that user did not access the changed password.

To refresh the report results, click the Refresh button.

Access to Safe Box

The Access to Safe Box report shows all records from the selected Safe Box into which users have entered the Access Code to view encrypted values.

Report Access to Safe Box

In the report results, all records to which the currently logged-in user has access are shown in blue. After clicking such a record, the record page displays in a new tab, where you can check details or even change the encrypted values.
If a record name is black, the currently logged-in user has no access to the record and nothing happens after clicking it.
If a record name is crossed out, the record has been deleted but can still be restored on the Deleted records page.

If the password has changed, the record is no longer displayed in the report results for the selected user, because that user did not access the changed password.

To refresh the report results, click the Refresh button.

Permissions

The Permissions report displays the permissions of the selected user to all Safe Boxes, Safe Box Groups and the domain's root level. Unlike the report in the Reports part, the results of this report are not filtered by the permissions of the currently logged-in user: the currently logged-in user sees all of the selected user's permissions for Safe Boxes, Safe Box Groups and the domain's root level, even those for which the currently logged-in user has no permissions.

To display results, click the Select user button and wait for a list of users. In the displayed list, select a user for which you want to display results.

Permissions report results

The following icons are used to distinguish the level for which the permissions are set:

domains icon - Root level of domain
safe group icon - Shared (non-private) Safe Box Group
private safe box group - Private Safe Box Group
safe box - Shared (non-private) Safe Box
private safe box - Private Safe Box

To manage permissions for a specific level, click its name in the search results. The Sharing & Permissions page for that level opens in a new browser tab, where permissions for other users can be managed.

Permission Templates Assignment

The Permission Templates Assignment report shows all permission templates set for the selected user tag. Unlike the report in the Reports part, the results of this report are not filtered by the permissions of the currently logged-in user: the currently logged-in user sees all permission templates set for the selected user tag for Safe Boxes, Safe Box Groups and the domain's root level, even those for which the currently logged-in user has no permissions.

To display results, click the Select user tag button and wait for a list of user tags. In the displayed list, select a user tag for which you want to see results.

Permission Templates Assignment audit report results

The following icons are used to distinguish the level for which the permissions are set:

domains icon - Root level of domain
safe group icon - Shared (non-private) Safe Box Group
private safe box group - Private Safe Box Group
safe box - Shared (non-private) Safe Box
private safe box - Private Safe Box

Audit Log

The Audit log page displays a log of users' actions in the Safe Boxes and SecureAnyBox parts of the application. The audit log results are filtered by the domain to which the currently logged-in user belongs. The only exception is an auditor from the System domain, who can see the audit log of user actions from all domains.

Audit log

It is possible to filter the displayed actions in the Audit log by clicking the SecureAnyBox logs, Authentication logs, User Management logs or Safe Boxes logs buttons. The filter can be turned off by clicking the All logs button.

If enabled in the Configuration, the auditor can archive the audit log by clicking the Archive log records button. After clicking the button, it is necessary to confirm the archiving.

All audit log events are specified in the Overview of Audited Events.

confirm archiving of audit records

SecureAnyBox

Stations

The Stations page is intended for the management of registered stations. After the page loads, users see a table of the stations registered for the selected Agent Configuration.

Stations page

To change the Agent Configuration, click the Select Config button and select the configuration from the displayed list. After a different configuration is selected, the list is refreshed and displays the stations registered in the currently selected configuration.

Registered stations can be sorted by any displayed column; to sort them, click the column header. It is also possible to add more columns to the table of stations (IP address, Timezone, Default User, Station Registration). To configure which additional columns are displayed, go to the Agent Configuration page.

Registered stations can be filtered by the date of registration and last access. A user with the SecureAnyBox Administrator role from the System domain can also see (and delete) inaccessible stations. Stations become inaccessible when the Agent Configuration with which they were registered is deleted.

The IP address displayed for a station is the address the station had during its last registration. IP addresses are not unique.

Register station

Stations have to be registered before passwords can be obtained for them. Once a station is registered, its password can be obtained by clicking its row in the table of stations. After clicking a row with a registered station, the Get Password page loads with values prefilled from the registered station.

Stations may be registered by the SecureAnyBox5 Agent or manually. After successful installation of the SecureAnyBox5 Agent and application of the configuration, the SecureAnyBox5 Agent checks whether the applied configuration matches the Agent Configuration on the server. If so, the station is registered automatically (it might take 10 minutes). In some cases, the station on which the SecureAnyBox5 Agent is installed does not have access to the server and cannot be registered automatically; such a station can be registered manually.

To register a station manually, click the Register station button and wait for the station's form to display.

If the station name is changed, it is necessary to re-configure the SecureAnyBox5 Agent, which will then register the station under the changed name. The original station registration can be deleted manually from SecureAnyBox5 later.

Stations form

Agent Configuration

In this field, select the Agent Configuration that matches the configuration of the SecureAnyBox5 Agent installed on the registered computer.

Selecting an incorrect configuration leads to generated passwords that do not work.

The selected Agent Configuration is pre-filled into this field and can be changed by clicking the folder icon and selecting another one from the list of Agent Configurations.

Platform

Select the platform (operating system) of the registered station.

The platform is important for identifying the username of the administrator for whom the password will be generated. The settings of the Agent Configuration limit the selection of platforms.

Station Name

The station name has to be in the format selected in the Agent Configuration.

NETBIOS = use the NETBIOS station name.

Fully Qualified DN = use the full Active Directory station name with the domain (e.g., STATION1.domain.local).

SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).

Entered IP Address

The IP address of the station as entered by the user.

Time Zone

Select the time zone that is set on the registered station. The timezone is used to determine the station's actual time relative to the actual time and timezone of the server.

For example, if the server's timezone is set to "(GMT) Dublin, Edinburgh, Lisbon, London" and the station's timezone is set to "(GMT -08:00) Pacific Time (US & Canada)", the password for this station is generated for a date and time about 8 hours earlier than the actual time of the server.

Edit station

Only users with the role SecureAnyBox Admin can edit stations.

To edit a registered station, click the edit icon at the end of its row. The edit form then displays, and it is possible to edit the timezone and the Entered IP Address of the previously registered station.

Edit Station form

Delete station

Only users with the role SecureAnyBox Admin can delete stations.

To delete a registered station, click the cross icon at the end of its row. Deleting the station has to be confirmed.

It is also possible to delete multiple stations at the same time. To select a station for deletion, check the checkbox in the first column. After the selection is complete, click the Delete selected button.

Delete station

Get Password

On the Get Password page it is possible to obtain a password for a registered station. To get a password for a station, the SecureAnyBox5 Agent must be installed on it. More about SecureAnyBox5 Agents...

Get password

To obtain the station's password, follow these steps:

If you click a registered station on the Stations page, all values for that station are prefilled automatically.

Select the Agent Configuration that matches the configuration of the SecureAnyBox5 Agent installed on the station.

Select the operating system of the station. The settings of the Agent Configuration limit the selection of operating systems.

Check and, if necessary, correct the local date. The time is set automatically according to the server time.

Enter the station's name. The name has to be in the format specified in the Agent Configuration.
NETBIOS = use the NETBIOS station name.
Fully Qualified DN = use the full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).

To obtain a password, the station has to be registered. If no station with the entered name is registered, you are prompted to register the station before obtaining a password.

Check the User for whom the password will work. The user is pre-filled according to the settings in the Agent Configuration.

Check and, if necessary, correct the timezone set on the station. The Station Date and Time is derived from the previously set Local Date and Time and the selected timezone.

Click the Show password button.

After clicking the Show password button, the Station password page loads.

Station password

After 60 seconds you will be redirected back to the Get Password page.

Downloads

At the Downloads page, it is possible to download SecureAnyBox5 Agent, its configuration, and SecureAnyBox5 Launcher.

Downloads page

SecureAnyBox5 Launcher

SecureAnyBox5 Launcher is an MS Windows application (.NET Framework 4.5.2 or higher required) delivered as an MSI package. After installation, the application runs in the system tray and registers the custom URI scheme for sab:// links from the SecureAnyBox5 web interface.

After the SecureAnyBox5 Agent registers the station, its IP address is also registered. By clicking the station IP address on the Stations page, SecureAnyBox5 Launcher launches the Remote Desktop application and connects to the registered station.

SecureAnyBox5 Launcher is also used in Safe Boxes. More information...

SecureAnyBox5 Agent

SecureAnyBox5 Agent is a system service/daemon that enables login to the station using the password obtained in SecureAnyBox5. The password can be obtained on the Get Password page or from a Ticket. A configured SecureAnyBox5 Agent works completely autonomously, even without a connection to the server. If a connection to the server is available, the SecureAnyBox5 Agent performs the station registration automatically.

If the SecureAnyBox5 Agent sets the password of the station's default user and has an online configuration, the SecureAnyBox5 Agent must first register the station on the server and only then set the password of the default user in the registry.

SecureAnyBox5 Agent installation steps:

Tickets

Tickets are intended for sharing access to station passwords. Once a ticket is created, it can be shared with anybody (even with people without access to SecureAnyBox5). Sharing a ticket is a convenient method of giving access to registered station passwords for a limited time only. For example, tickets can be shared with external technicians.

Shared access to passwords can be limited according to the specification of the ticket.

When only the Agent Configuration is selected, the ticket allows obtaining passwords for all registered stations with the selected Agent Configuration.

If the Agent OS is also selected, the ticket allows obtaining passwords for all registered stations with the selected Agent Configuration and operating system.

When the station name is specified too, the ticket allows obtaining the password for that one station only.

The validity of the ticket is limited. The person with whom the ticket was shared can get a password only between the dates and times specified in the Valid from and Valid until fields.

It is possible to restrict the usage of tickets by setting subnets. When a ticket has a subnet set, a password can be obtained from the ticket only if the device's address belongs to a subnet set in the ticket. Multiple subnets can be set in a ticket.

Create ticket

To create a ticket, click the New Ticket button. A form for creating the ticket displays. After all values are entered, click the OK button to confirm the ticket.

Ticket form

While the ticket is saved, a unique identifier of the ticket is generated. This identifier is displayed in a message after the ticket is created.

Ticket message

Agent Configuration

Select the Agent Configuration. It must be the same as the configuration of the SecureAnyBox5 Agent installed on the station for which the ticket is created.

If a ticket is saved with only the Agent Configuration selected, it allows obtaining the password for all stations on which a SecureAnyBox5 Agent with the same configuration is installed.

Description

The description should characterize the purpose of the ticket.

For example, if the ticket will be used by external workers, the description can specify for whom and why the ticket was created.

If the ticket is saved without any description, a description is generated in the form "Ticket {number of the ticket}" (e.g., Ticket 1, Ticket 2 and so on).

Agent OS

Select the operating system. The settings of the Agent Configuration limit the selection of operating systems.
Selecting the operating system is optional.

When the operating system is selected, the ticket allows obtaining passwords only for stations with that OS.

If the operating system is not selected, the last selected platform is used when generating a password for the station.

Station Name

The name of the registered station for which the ticket is created. The station name must be in the same format as is specified in the Agent Configuration.

NETBIOS = use the NETBIOS station name.
Fully Qualified DN = use the full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).

If no station name is specified in the saved ticket, the name can be entered when getting a password for a station. Such a ticket allows obtaining the password for every registered station with the Agent Configuration and operating system selected in the ticket.

User

The user for whom the password will be generated. The User field is prefilled based on the values specified for the selected operating system in the Agent Configuration.

Valid from

The date and time from which the ticket is valid and a password can be obtained based on it.

Valid until

The date and time until which the ticket is valid and a password can be obtained based on it.

Valid Subnets

A ticket is only valid when accessed from the specified subnets or addresses. If no subnet or address is listed, ticket access is not restricted by client address.

Subnets can be entered in three formats: a standalone IP address, or IP address/subnet mask where the subnet mask is given either in IPv4 dotted format or in CIDR notation, e.g. 172.22.38.19, 172.22.38.1/255.255.255.0 or 172.22.38.1/24.
The IP address must be in IPv4 format. IPv6 is not supported.
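
The subnet restriction described for tickets (the three accepted entry formats and the "no entry means unrestricted" rule) can be checked as follows. This is an added example written for this guide, not SecureAnyBox5's own code; the function names are this example's, and the IPv4-only rule is enforced exactly as the field description states it.

```python
import ipaddress


def parse_valid_subnets(entries):
    """Parse the Valid Subnets entries of a ticket into IPv4 networks.

    Accepted formats, as on the ticket form: a bare address, address/netmask
    in dotted form, and address/CIDR prefix. Anything else, including IPv6,
    is rejected so that a typo cannot silently widen the set of addresses
    the ticket works from.
    """
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False masks off host bits: 172.22.38.1/24 -> 172.22.38.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError("invalid subnet %r: %s" % (entry, exc)) from exc
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError("invalid subnet %r: only IPv4 is supported" % entry)
        networks.append(net)
    return networks


def client_allowed(client_ip, valid_subnets):
    """Return True if a password may be shown to a client at client_ip.

    client_ip must be the address of the TCP peer. Do not take it from a
    header such as X-Forwarded-For unless the ticket page sits behind a
    reverse proxy you control that overwrites that header.
    """
    networks = parse_valid_subnets(valid_subnets)
    if not networks:
        return True  # no subnet listed: not restricted by client address
    try:
        addr = ipaddress.IPv4Address(client_ip)
    except ipaddress.AddressValueError:
        return False  # an IPv6 peer can never match an IPv4-only list
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample: the three formats from the field description.
    ticket_subnets = ["172.22.38.19", "172.22.38.1/255.255.255.0", "172.22.38.1/24"]
    for net in parse_valid_subnets(ticket_subnets):
        print(net)
    print(client_allowed("172.22.38.200", ticket_subnets))  # True
    print(client_allowed("172.22.39.5", ticket_subnets))    # False
```
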

Enabled

If the ticket is not enabled, it cannot be used.

Edit ticket

To edit an existing ticket, click the ticket's row in the table. An edit form then displays.

Edit ticket

In the edit form, all values except the Agent Configuration can be changed. After all changes are made, confirm them by clicking the OK button.

Share ticket

To share the ticket with another person, click the blue arrow icon at the end of the ticket's row.
After clicking, a share ticket form displays.

Share ticket

The ticket can be shared in two ways: by sharing the URL or by sharing the QR code. After opening the URL, a special page for tickets displays.

Access to this page requires no authentication, so it is possible to share tickets with people who do not have a user account in SecureAnyBox5 (e.g., external technicians) or with users who do not have access to Tickets.

Show password

To obtain a password from the ticket, it is necessary to enter values into all fields. If all required values are already set in the ticket, the password for the station is displayed automatically.

Ticket password

Audit log

The Audit log page displays a record of password retrievals for stations and of ticket usage. Depending on the user role, either only the actions of the currently logged-in user or the actions of all users are shown.

Audit log

All audit log events are specified in an Overview of Audited Events

Agent Configuration

On the Agent Configuration page, you can set general settings for SecureAnyBox5, such as the columns on the Stations page or the Registration interface, and you can set up Agent Configurations and the LDAP Agent. You can also change the configuration password and download the SecureAnyBox5 configuration file.

Only users with the role SecureAnyBox Manager or Administrator have access to this page.

Agent Configuration page

General

You can configure which columns are displayed on the Stations page and an alternative interface intended only for the registration of stations. If the alternative interface is enabled and set, the registration interface hostname and HTTPS port are exported into the SecureAnyBox5 Agent Configuration.

We recommend enabling and setting the registration interface, because the registration of SecureAnyBox5 Agents is then not affected by any changes (e.g., of hostname, address or port) in the configuration of the SecureAnyBox5 server.

General config form

Stations table

Definition of the optional columns in the registered stations table.

IP Address

Show IP Address column

Time Zone

Show Time Zone column

Default User

Show Default User column

Station Registration

Show Station Registration date column

Registration/Web interface

Configuration of the SecureAnyBox5 server station registration web interface/API.

Enable registration interface

Enable a standalone HTTPS interface used only for station registration.

IP address

SecureAnyBox5 station registration (HTTPS) interface IP address.

HTTPS Port

SecureAnyBox5 station registration (HTTPS) interface port.

HTTPS keystore

PKCS #12 file with a private key and the corresponding certificates used for the HTTPS web interface. You can create a self-signed certificate file by clicking the Create self-signed SSL certificate button in the bottom left corner of this form.

HTTPS keystore password

HTTPS keystore password. It is used to read the HTTPS keys and certificates. If you create the HTTPS keystore file by clicking the Create self-signed SSL certificate button, the keystore password is entered automatically.

Hostnames

List of hostnames for SecureAnyBox5 station registration interface (HTTP).

Validate whether the HTTPS certificate is successfully imported on the station

Whether the HTTPS keystore certificate is imported as trusted on your Linux station can be verified in the terminal using the command:

python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'

If certificate validation is successful, the first row of the response is the code 200.

When certificate validation fails, an error is displayed:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

If urllib2 is not found

python --version

urllib2 is a built-in package of Python 2.x. To be able to run it, Python 2.x (2.7.18 recommended) must be installed properly. Some Linux distributions may not have the full version of Python 2.7.x installed. Try re-installing it:

wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz

sudo tar xzf Python-2.7.18.tgz

cd Python-2.7.18/

sudo ./configure

sudo make altinstall

Agent Configuration

To generate passwords for stations, each station must have the SecureAnyBox5 Agent installed with a proper configuration. In the Agent Configuration, you can configure which platforms it can be used for, the password pattern, the password seed base, and the user or user group for which the password is generated.

After each modification of an Agent Configuration, the SecureAnyBox5 Agent (or rather its Agent Configuration) installed on the stations must be updated, otherwise the generated passwords might not work.

Agent Configuration

Managing and Using Agent Configurations

For each Agent Configuration, users in SecureAnyBox5 can be granted the ability to manage the Agent Configuration and the ability to use it.

Agent Configuration Management

Users who can manage the Agent Configuration can view, edit and delete that configuration on the Agent Configuration page.

In the Agent Configuration form, it is possible to check the box Manageable by all SecureAnyBox Admins. If the box is not checked, only users with the role SecureAnyBox Admin from the domain to which the Agent Configuration is assigned can manage it.

When an Agent Configuration is created, it is automatically assigned to the domain of the currently logged-in user. The assignment of the configuration to a domain can be modified in the domain form (in the administration interface).

Using Agent Configurations

Users who can use the Agent Configuration can obtain passwords and use tickets for stations with that configuration. Users with the role SecureAnyBox Admin can also create tickets for that Agent Configuration.

By default, the use of an Agent Configuration is available to all users in the domain to which the configuration is assigned.
The ability to use the Agent Configuration can be expanded or limited by setting permitted users. If any permitted users are set, all other users lose the ability to use the Agent Configuration (even if they are from the domain to which the configuration is assigned).

Add Agent Configuration

To add a new configuration, click the add Configuration button and wait for the Agent Configuration form to display. After all values are set, click the OK button. To use a new Agent Configuration, SecureAnyBox5 has to be restarted first.

Agent Configuration form

Name

Enter the SecureAnyBox5 Agent Configuration name. The configuration name must start with a letter and contain only letters, numbers and underscores.

Password pattern

The password pattern used to generate passwords for stations.

Each character in the pattern corresponds to one character in the generated password.

See examples of the password pattern

Characters allowed in the password pattern and their meaning:

v – lowercase vowel a,e,i,o,u,y
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l - any alphabet character (vowel or consonant) - lowercase
A - any alphabet character - mixed case
u – upper case alphabet
d - digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ - escape character - the next character is used as is (e.g., pattern '\-' outputs '-' in the resulting password)
* - any allowed character
1 – character according to Pattern Characters 1 setting
2 – character according to Pattern Characters 2 setting
3 – character according to Pattern Characters 3 setting

The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to '\p\a\s\sddddddd', which might generate passwords such as 'pass1762885' or 'pass5687412'.

Pattern Characters 1

By setting the Pattern Characters, you can specify a set of characters that will be used or omitted while generating a password.
To specify a set of characters that will be used while generating a password, enter them into the field without any separator (e.g., 'abc'). In that case, the generated password uses only the specified characters.
A set of characters that will be omitted while generating a password must begin with the ^ character (e.g., '^0123'). In that case, the generated password uses all allowed characters except the specified ones.

For each character that should be generated according to this set of characters, enter '1' into the Password Pattern.

View examples of use of Pattern Characters

Pattern Characters 2

By setting the Pattern Characters, you can specify a set of characters that will be used or omitted while generating a password.
To specify a set of characters that will be used while generating a password, enter them into the field without any separator (e.g., 'abc'). In that case, the generated password uses only the specified characters.
A set of characters that will be omitted while generating a password must begin with the ^ character (e.g., '^0123'). In that case, the generated password uses all allowed characters except the specified ones.

For each character that should be generated according to this set of characters, enter '2' into the Password Pattern.

View examples of use of Pattern Characters

Pattern Characters 3

By setting the Pattern Characters, you can specify a set of characters that will be used or omitted while generating a password.
To specify a set of characters that will be used while generating a password, enter them into the field without any separator (e.g., 'abc'). In that case, the generated password uses only the specified characters.
A set of characters that will be omitted while generating a password must begin with the ^ character (e.g., '^0123'). In that case, the generated password uses all allowed characters except the specified ones.

For each character that should be generated according to this set of characters, enter '3' into the Password Pattern.

View examples of use of Pattern Characters

Password Seed Base

This is a secret string used as the base for generating station passwords. The Seed Base should be unique to your configuration and is shared between the server and the SecureAnyBox5 Agent instances. You have to distribute the Seed Base together with the password pattern to all stations managed by the SecureAnyBox5 Agent.

MS Windows

Enable MS Windows platform

Linux

Enable Linux platform

macOS

Enable macOS platform

LDAP

Enable LDAP platform

Configuration Password

Configuration encryption password. If the SecureAnyBox5 configuration is encrypted, the configuration password is required to create or edit an Agent Configuration successfully.

MS Windows

SecureAnyBox5 Agent Configuration for Windows Platform

Change password of
Select whether the SecureAnyBox5 Agent sets the password for a user or for a group of users.
User account
Enter the username of the station user account that will be able to log in with the obtained password.
User group
Enter the name of the Windows local group. A unique password is generated for each member of this group.
Station name method
Select the method used to get the station name from which the password is computed.
NETBIOS = use the NETBIOS station name (e.g., STATION1).
Fully Qualified DN = use the full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).
Update Default Password
Enable / Disable synchronization with the default user.
When synchronization is enabled, the Agent Configuration can be used even for users who log in to Windows automatically. During the synchronization, the set password is saved into the station registry.
If synchronization is disabled, automatic login into Windows will fail. How to set the default user at your station
Online Config
Enable / Disable the online configuration of the SecureAnyBox5 Agent.
The online configuration is more secure than the offline one, but has some limitations:
  • SecureAnyBox5 Agent must be connected to the SecureAnyBox5 server
  • SecureAnyBox5 Registration interface must be configured
Linux

SecureAnyBox5 Agent Configuration for Linux Platform

Change password of
Select whether the SecureAnyBox5 Agent sets the password for a user or for a group of users.
User account
Enter the username of the station user account that will be able to log in with the obtained password.
User group
Enter the name of the local group of users. A unique password is generated for each member of this group.
macOS

SecureAnyBox5 Agent Configuration for macOS Platform

Change password of
Select whether the SecureAnyBox5 Agent sets the password for a user or for a group of users.
User account
Enter the username of the station user account that will be able to log in with the obtained password.
User group
Enter the name of the local group of users. A unique password is generated for each member of this group.
LDAP

SecureAnyBox5 Agent Configuration for LDAP Platform

Change password of
Select whether the SecureAnyBox5 Agent sets the password for a user, for a group of users, or for the default user of the domain.
User Account FDN
Enter the FDN of the user account that will be able to log in with the obtained password, e.g., cn=admin,o=org
User group
Enter the name of the LDAP group of users. A unique password is generated for each member of this group, e.g., cn=Admins,o=org
Permitted Users

It is possible to extend or limit the visibility of the Agent Configuration by setting permitted users. If no permitted users are set, the Agent Configuration is visible to all users from the domain for which it is set as visible. To set permitted users, add a domain or a user. If a domain is added, the Agent Configuration is visible to all users from that domain. If a user is added, the Agent Configuration is visible to that user only.

Domains

If you add a domain, the Agent Configuration is visible to users from that domain.

Users

If you add a user, the Agent Configuration is visible to that user.

User tags

If you add a User tag, the Agent Configuration is visible to users with that User tag assigned.

Edit configuration

To edit an Agent Configuration, click its name in the list of Agent Configurations. The details of the configuration then display.

With any change, keep in mind that changes in an Agent Configuration can have severe consequences for the functionality of the SecureAnyBox5 Agents on registered stations.

Agent Configuration details

To open the Agent Configuration edit form, click the Edit button. In the Agent Configuration, you can modify all values except the configuration name.

After the changes are finished, confirm them by clicking the OK button. To apply the changed Agent Configuration, it is necessary to apply the changes in the SecureAnyBox5 configuration first.

Copy configuration

If you want to create an Agent Configuration similar to one that is already stored, you can copy the stored one. To copy an Agent Configuration, click its name in the list of Agent Configurations. When the details of the Agent Configuration display, click the Copy button.

After clicking the button, enter the configuration name, modify the values that need to be changed and confirm the new Agent Configuration by clicking the OK button.

For security reasons, we strongly recommend changing the Password Seed Base.

To use the new Agent Configuration, it is necessary to apply the changes in the Configuration.

Remove configuration

To remove an Agent Configuration, click its name in the list of Agent Configurations. When the details of the configuration display, click the Remove button.

Removing the Agent Configuration has to be confirmed by applying the changes in the SecureAnyBox5 configuration.

LDAP Agent

The LDAP Agent holds the LDAP server connection settings used for user password changes. Without an LDAP Agent it is not possible to get passwords for LDAP users.

Agent Configuration page

Add LDAP Agent

To add a new LDAP Agent configuration, click the add LDAP Agent button and wait for the LDAP Agent form to display. After all values are set, click the OK button. To use a new LDAP Agent configuration, it is necessary to restart the SecureAnyBox5 server first.

LDAP Agent form

Agent ID

Unique Agent identifier. Agent ID is used when generating a password for the user from LDAP.

Enabled

Enable/disable this LDAP Agent

Directory service

LDAP server type.

LDAP servers

LDAP server address, or the addresses of multiple LDAP servers holding the same directory replica/mirror (for failover).

SecureAnyBox5 mgr account

LDAP user DN used by SecureAnyBox5 to access the LDAP directory, look up users, change passwords, etc.

Minimum access rights:
entry/object rights – browse
cn – read, compare
objectClass – read, compare

Use the 'Create SecureAnyBox objects' button to create the manager user automatically when using NetIQ eDirectory. If you are connecting to a directory service from another vendor, create the manager user using your directory service management console. The LDAP interface of some directory services (e.g., Active Directory) does not allow modifying access rights/permissions.

e.g., cn=secureanyboxmgr,o=org or cn=secureanyboxmgr,cn=Users,dc=DOMAIN,dc=local

SecureAnyBox5 mgr password

Enter the password of the SecureAnyBox5 mgr user.

LDAP search base

LDAP container used as the search base for the LDAP synchronization search query. When the search base is not set, the search starts at the root of the LDAP tree.

e.g., o=org, or leave empty to search from the root of the tree

Search subtree

Uncheck to search only the immediate subordinates of the specified search base.

Dereference aliases

An alias is an entry that points to another object in the namespace by containing its DN. Searching the entry that an alias entry points to is known as dereferencing the alias.

There are four modes of dereferencing aliases:

LDAP search filter
LDAP search filter used during a password change.

Default filters:
  • AD - (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • eDirectory - (&(objectClass=person)(!(loginDisabled=true)))
  • generic LDAP - (objectClass=person)
Group membership filter examples:
  • AD: (memberof:1.2.840.113556.1.4.1941:=cn=Group1, OU=groups,DC=domainname)
  • eDirectory: (groupMembership=cn=group1,o=org)

e.g., (objectClass=person)

Search Page Size

When set to a value greater than zero, SecureAnyBox5 uses the Simple Paged Results extended control to retrieve LDAP search results in pages of the given number of entries. Some LDAP servers have a default server-side limit on the number of entries returned in a single response. For example, Active Directory servers have a default limit of 1000 objects for a single search request. Setting Search Page Size to 1000 or lower allows SecureAnyBox5 to retrieve more results than the server limit using multiple requests. When set to 0, no paging is used and only a single request is used to retrieve all results.

When using embedded LDAP from KeyShield SSO, this value must be set to 0.

Agent Configuration

Please select the Agent Configuration for this LDAP Agent. Selected Agent Configuration has to contain settings for LDAP platform.

Default user domain

The domain of the default user is necessary for identifying the default user while generating a password. The default user domain must be the same as the one set in the workstation registry; otherwise, login of the default user via the SecureAnyBox5 Agent won’t work.

e.g., if the default user on a station is set to “COMPANY/user1”, the default user domain is “COMPANY”.

This field is available only if Active Directory is set as the LDAP directory service.

User id attribute

LDAP attribute used by LDAP authentication for user lookup. This field is available only if Active Directory is set as the LDAP directory service.

Edit LDAP Agent

To edit an LDAP Agent, please click the Agent name in the list of LDAP Agents. After clicking on the Agent name, the details of the Agent display.

LDAP Agent details

To open the LDAP Agent edit form, please click on the Edit button. In the LDAP Agent form, you can modify all values except the configuration name.

After the changes are made, please confirm them by clicking on the OK button. To apply the changed LDAP Agent, it is necessary to apply the changes in the SecureAnyBox5 configuration first.

Copy LDAP Agent

In case you want to create an LDAP Agent similar to one that is already stored, you can copy the stored one. To copy an LDAP Agent, please click the Agent name in the list of LDAP Agents. When the details of the LDAP Agent display, please click on the Copy button.

After clicking on the button, please enter the Agent ID, modify the values which need to be changed and confirm the new LDAP Agent by clicking on the OK button.

To use the new LDAP Agent, it is necessary to apply the changes in the Configuration.

Remove LDAP Agent

To remove an LDAP Agent, please click the Agent name in the list of LDAP Agents. After clicking on the Agent name, the details of the LDAP Agent display; then click on the Remove button.

Removing the LDAP Agent has to be confirmed by applying the changes in the SecureAnyBox5 configuration.

Execute LDAP Agent

By executing an LDAP Agent, you change the password(s). Which passwords are changed depends on the settings of the Agent Configuration.

The Agent Configuration can be set to change a password of:

If any of the users whose password should be changed is set as the SecureAnyBox5 mgr for any LDAP connector or LDAP Agent, then the password of that user will not be changed.

To execute an LDAP Agent, please click the Agent name in the list of Agent Configurations. After clicking on the Agent name, the details of the LDAP Agent display; then click on the Execute button.

Administration interface

Configuration

The configuration of the SecureAnyBox5 application is divided into several sections. Each section can be edited independently. To change settings in a section, click on the edit button at the top of the section.

Edit config section

After clicking on the edit button, the section’s form displays. At the bottom of each form, three buttons are displayed – Test, OK, Cancel.

Config buttons

When changes are made, you can test the new values (by clicking on the Test button) to check whether they are in the correct format and so on. If the test of the values was successful, you can confirm the changes by clicking on the OK button.

Changed sections of the configuration are displayed marked with a blue checkmark.

Blue check mark

To apply changes in the configuration, you need to restart the application by clicking on the Apply button. If changes should not be applied, click on the Revert button.

Apply config changes

Summary

After clicking the Configuration button in the menu, the Summary page of the Configuration displays. On this page, the configured LDAP connectors and server messages are displayed.

For each LDAP connector, a status is displayed – whether communication with the connector is working. After clicking on the connector’s name, the settings of the connector display.

Config summary

On the Summary page, it is also possible to download the configuration.

General/Web interface

General SecureAnyBox5 server configuration and Web interface/API configuration.

General/Web interface

Web address

SecureAnyBox5 web (HTTP) interface address. At this address, the SecureAnyBox5 web interface is accessible from the local network.

Web port

SecureAnyBox5 web interface HTTP port.

HTTP mode

Web interface HTTP (plaintext) mode. Possible values: enabled (default), disabled, API (only the JSON/XML API is accessible). When HTTP mode is disabled, it is possible to set redirection to HTTPS mode.

HTTPS port

SecureAnyBox5 web interface HTTPS port.

HTTPS keystore

PKCS #12 file with the private key and corresponding certificates used for HTTPS web interface. You can create a self-signed certificate file by clicking on the Create self-signed SSL certificate button in the left bottom corner of this form.

SSL certificate form

Alias

The certificate alias is used as the alias inside the keystore and as the filename of the stored encrypted PKCS12 file.

Common name

The common name of the certificate represents the hostname protected by the SSL certificate. The certificate is valid only if the hostname is the same as the certificate’s common name.
Use the domain name of your server as the common name of the certificate. If the server is available on the Internet using the “https://secureanybox.domain.com:8996” URL, use “secureanybox.domain.com” as the common name.

Validity

Enter the certificate validity in years (1-10).

RSA Key size

The RSA key size is the length, in bits, of the key used by the corresponding algorithm. The minimum recommended RSA key size is 2048 bits.

Organizational Unit

Organization unit name used in certificate subject – leave empty if not needed.

Organization

Organization name used in certificate subject – leave empty if not needed.

Country code

Country code used in certificate subject – leave empty if not needed.

Alternative Subject

Alternative Subject Names – additional domain names or IP addresses used to access the SecureAnyBox5 SSL interface.

HTTPS keystore password

HTTPS key store password. It is used to read HTTPS keys and certificates.

Hostnames

SecureAnyBox5 web (HTTP) interface hostnames. Setting multiple hostnames is possible. All hostnames specified in the hosts files on stations must be specified here. Otherwise, a user with an unknown hostname cannot access SecureAnyBox5.

App path

Base application URL. For example, if you set the app path to ‘/sab’, SecureAnyBox5 will be accessible at http://server:port/sab/. The new app path will apply after restarting SecureAnyBox5.

App URL

App URL. At this address, the SecureAnyBox5 web interface is accessible for users.

Remember Last Location

Remembering the last visited location (page) can be set for a user or for a combination of user and station. If not turned off, after a user logs in to SecureAnyBox5, the last visited page is loaded automatically.

Available options:
  • Off - Don’t remember the last page
  • Remember for user - Remember the last visited page or Safe Box for the given user
  • Remember for user and station key - Remember the last visited page or Safe Box for the given user and station key

Trusted proxy servers

When SecureAnyBox5 is behind a reverse proxy server, it is necessary to enter the trusted proxy IP address (or multiple addresses) to enable KeyShield SSO integration.

Disable CSP for login.page

The server will not send the Content-Security-Policy header for login.page. This can be used, for example, to allow third-party SSO solutions (like NetIQ NAS) to use a custom login.page or insert inline scripts.

HTTPS public key API mode

The HTTPS public key API mode settings. This API is used by the Firefox extension to check that the web browser’s connection to the SecureAnyBox5 server is not eavesdropped on by an intermediate proxy server (Man In The Middle attack).
  • Disabled - The API does not return the public HTTPS key; the Firefox extension cannot be used for checking Man In The Middle attacks.
  • SecureAnyBox5 server key - Users access the SecureAnyBox5 server’s HTTPS interface directly, and the API returns the SecureAnyBox5 server’s public HTTPS key.
  • Reverse Proxy Key - Users access the SecureAnyBox5 server through the HTTPS interface of the reverse proxy server, and the API returns the public HTTPS key of the reverse proxy server. In this case, you also need to upload the Reverse Proxy HTTPS keystore and enter the password for that file.

Reverse proxy HTTPS keystore

PKCS #12 file that contains the private key and corresponding certificate for the HTTPS interface of the reverse proxy server. This file must be uploaded if users access the SecureAnyBox5 server through the HTTPS interface of a reverse proxy server and want to use the public HTTPS key API.

Proxy server’s HTTPS keystore password

Reverse proxy server HTTPS key store password. Used to read the public key of the reverse proxy server. The public key is available through the HTTPS public key API.

User interface

Language

Please select the default language of the SecureAnyBox5 web interface. This language will be automatically pre-set to all users. Each user can change the language in the User Preferences.

User Help Mode

This setting limits the visibility of the documentation link and the help tours. It applies to all users (Administrator and User Manager excluded).

Options:
  • Visible - help tours and link to the documentation are visible to all users
  • Disable help tours autorun - disable autorun of help tours for users (Administrator and User Manager excluded)
  • Hide help tours - hide button for starting the help tour
  • Hidden - help tours and link to the documentation are hidden to all users

Logging

Diagnostic log configuration. You can set the log level for specific parts of SecureAnyBox5 and the number of lines loaded into the browser in the current log view.

Logging form

Default Log Level

Default log level. If the log level for a specific part is not set, the default log level is used.

Core Log Level

Core engine log level

Services Log Level

Internal SecureAnyBox5 services and database log level

API Log Level

API calls log level

Authentication Log Level

Authentication and authorization log level

KeyShield SSO Log Level

KeyShield SSO authentication and WebSockets log level

Log browser line limit

Limits the number of lines loaded into the browser in the current log view.

SIEM Syslog

Configure the settings of the connection between SecureAnyBox5 and a Syslog server. You can also set the syslog facility, event source and log level of the records sent to the syslog server. You can establish multiple syslog connections – for example, for each syslog server one for the audit log and a second for the diagnostic log, and so on.

If you send audit messages to the SIEM syslog server, you can choose from two formats in which to send the messages:

AuditFormatExamples

Syslog form

ID

Please enter a unique ID of the connection with the Syslog server.

Enabled

Enable/disable this connection.

Server address

Syslog server address. The server address can be entered as an IP address (e.g., “172.22.13.1”) or as a domain name (e.g., “syslog.tdp.cz”).

Port

Syslog server port.

Syslog facility

Desired facility value for log messages sent to syslog. A facility code is used to specify the type of program that is logging the message. Messages with different facilities may be handled differently.

Event source

Select which records are sent to the syslog target.

Options:
  • Audit log
  • Diagnostic log

Audit record format

Please select the audit record format (CSV or CEF) sent to the syslog target.

Records in CSV (Comma-separated values) contain the same information as the records in the Audit log of the application.
Records in CEF (Common Event Format) contain the most relevant event information, making it easy for event consumers to parse and use them. The CEF format of records can be more detailed.

Examples of the audit log in both formats are in the documentation.

Examples:

  • CSV format

Aug 7 10:27:43 172.22.78.100 [SecureAnyBox-audit] "SWB","172.22.100.105","System\\admin","GET PASSWORD",TDPPRG,kiosek,DomAgent
Aug 7 10:27:58 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","GET PASSWORD",Firm,"Cisco ASR 1006 Router"
Aug 7 10:28:12 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","VIEW ACCOUNT",Firm,"Bank Certificate"

  • CEF format

Aug 7 10:29:34 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SWB.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD station=TDPPRG user=kiosek config=DomAgent
Aug 7 10:29:47 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD safe=Firm rec=Cisco ASR 1006 Router
Aug 7 10:29:58 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.VIEW_ACCOUNT|view account|3|src=172.22.100.105 suser=System\\admin act=VIEW_ACCOUNT safe=Firm rec=Bank Certificate
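To consume these records on the SIEM side, a parser has to split the CEF header on unescaped pipes and the extension on key=value boundaries while values such as rec=Cisco ASR 1006 Router contain spaces. The parser below is an added example, not SecureAnyBox5 or documentation code: it reads constructed copies of the six lines above (straight quotes), maps the CSV detail columns by record type as inferred from the matching CEF lines (an assumption), and counts password retrievals per user and source address as a SIEM rule might.

```python
import csv
import re
from collections import Counter

# Constructed sample, modelled on the CSV and CEF records shown above
# (straight quotes instead of the typographic ones in the rendered page).
SAMPLE_SYSLOG = r'''
Aug 7 10:27:43 172.22.78.100 [SecureAnyBox-audit] "SWB","172.22.100.105","System\\admin","GET PASSWORD",TDPPRG,kiosek,DomAgent
Aug 7 10:27:58 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","GET PASSWORD",Firm,"Cisco ASR 1006 Router"
Aug 7 10:28:12 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","VIEW ACCOUNT",Firm,"Bank Certificate"
Aug 7 10:29:34 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SWB.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD station=TDPPRG user=kiosek config=DomAgent
Aug 7 10:29:47 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD safe=Firm rec=Cisco ASR 1006 Router
Aug 7 10:29:58 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.VIEW_ACCOUNT|view account|3|src=172.22.100.105 suser=System\\admin act=VIEW_ACCOUNT safe=Firm rec=Bank Certificate
'''.strip().splitlines()

CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# Meaning of the CSV detail columns, inferred from the matching CEF records
# above (an assumption, not documented on this page).
CSV_DETAILS = {"SWB": ("station", "user", "config"), "SAFE": ("safe", "rec")}
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")   # start of an extension key=value pair


def split_cef_header(text, count=len(CEF_HEADER)):
    """Split the first `count` '|'-separated CEF header fields, honouring the
    CEF escapes '\\|' and '\\\\'; returns (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    return fields, text[i:]


def parse_cef_extension(ext):
    """Parse 'key=value key=value' where values may contain spaces and the
    escapes '\\=' and '\\\\'."""
    out, keys = {}, list(_EXT_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", ext[m.end():end].strip())
    return out


def parse_audit_line(line):
    """Parse one syslog line carrying a SecureAnyBox audit record (CSV or CEF)."""
    _, tag, body = line.partition("[SecureAnyBox-audit] ")
    if not tag:
        raise ValueError("not a SecureAnyBox audit record: %r" % line)
    if body.startswith("CEF:"):
        header, ext = split_cef_header(body[len("CEF:"):])
        if len(header) != len(CEF_HEADER):
            raise ValueError("malformed CEF header: %r" % body)
        record = {"format": "CEF", **dict(zip(CEF_HEADER, header))}
        record.update(parse_cef_extension(ext))
        return record
    fields = next(csv.reader([body]))
    if len(fields) < 4:
        raise ValueError("malformed CSV record: %r" % body)
    # Backslashes in CSV values are kept as written (CSV defines no escape here).
    record = {"format": "CSV", "type": fields[0], "src": fields[1],
              "suser": fields[2], "act": fields[3].replace(" ", "_")}
    record.update(zip(CSV_DETAILS.get(fields[0], ()), fields[4:]))
    return record


def password_retrievals(records):
    """Count GET PASSWORD events per (source user, source address): the figure
    a SIEM rule would threshold to notice bulk credential retrieval."""
    return Counter((r.get("suser"), r.get("src")) for r in records
                   if r.get("act") == "GET_PASSWORD")
```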

Level

Send messages with this or higher log level to syslog. It is possible to set the different log level for messages sent to the syslog and for messages sent to the log of application. For records sent to the syslog server, it is not possible to set multiple logging levels for each part of the application, as in the SecureAnyBox5 diagnostic log. The selected logging level applies to all parts of the application.
To configure the log level of messages sent to the log of application, go to Logging part of SecureAnyBox5 configuration.

Log level   Value   Log level of sent messages
TRACE       0       TRACE, DEBUG, INFO, WARN, ERROR
DEBUG       1       DEBUG, INFO, WARN, ERROR
INFO        2       INFO, WARN, ERROR
WARN        3       WARN, ERROR
ERROR       4       ERROR

Audit log archiving

Archiving of audit log can be done manually or automatically. Manual archiving can be started at the Audit log page in the Audit part of the SecureAnyBox5.

Archived audit log records will be stored in separate files on the server. Once records are archived, they cannot be viewed in SecureAnyBox5.

Audit log archiving form

Enable archiving

If enabled, an auditor can run the archiving from the audit log page (in the Audit part). During the archiving, older records (than a number of months set below) will be saved in separate files and removed from the database. You will no longer be able to view them from SecureAnyBox5.

Archive records older than x months

Records older than the specified number of months will be archived (within the range of 1 to 240).

Automatically archive

Enable automatic archiving of audit log records. The auditor can still start archiving audit log records on the audit log page.

Frequency of archiving

Frequency of automatic archiving (daily, weekly, monthly, quarterly, semiannually, yearly).

Archiving start day

The day of the week when archiving will start. At weekly frequency, it will be every week. At a shorter frequency, it will be the selected day in the first week of the period.

Archiving start time

Server time in whole hours (within the range of 0 to 23) at which the archiving of audit records will run.

Users & Security

On this tab of the Configuration, it is possible to configure the user- and security-oriented parameters of SecureAnyBox5, such as the maximum number of login attempts, the duration of the login ban, the login password policy, etc.

Users and Security form

User Security

User Authentication and Security configuration

Login disclaimer

Disclaimer message shown on login page.

Max Login Attempts

A user is banned (cannot log into the application) after this number of unsuccessful attempts. Set to 0 to turn this feature off.

User Ban Minutes

A user is banned (cannot log into the application) for this number of minutes.

Session timeout

Inactivity timeout for the user session. After this timeout expires with no user activity, the user will be logged out.

2FA (Two-Factor Authentication)

Use of the second factor (authenticator application) is either optional – enabled by the user in the top right menu – or mandatory.

Enable Login Password Policy

Enabling the login password policy allows you to set minimum password requirements – minimum length, minimum entropy, minimum number of uppercase or lowercase letters, and so on.

Login Password Policy

Login password policy determines minimum requirements for the login password.

These fields are displayed only if the Enable Login Password Policy field is checked.

Minimum length

Minimum length of the login password.

Uppercase letters

Minimum number of uppercase letters in login password.

Lowercase letters

Minimum number of lowercase letters in login password.

Digits

Minimum number of digits in login password.

Special characters

Minimum number of special characters in the login password.

Minimum Entropy

Value of the minimum allowed entropy of the login password. The password entropy value shows how unpredictable and strong the password is (the higher the value, the better).
  • 0 – 20 – password is very weak
  • 20 – 35 – password is weak
  • 35 – 40 – password is good
  • 40 – 50 – password is strong
  • 50 – 256 – password is very strong

Management of users and domains

Permissions to manage users and domains

Allow manage visible domains

If not allowed, a user manager from a domain other than the System domain can only manage its own domain. If allowed, it can manage all visible domains.

Send invitation e-mail to new users

After manually creating a user who does not have a password, send this user an invitation e-mail with a link to set the password.

Displaying full names of users

Displaying full names of users form

Preference for selecting a full name

Settings of preferences for selecting the full name of users. The full name displays in the top right corner of the web interface and is also used in e-mail invitations, e-mail notifications and messages.

If the full name cannot be selected according to the settings of the first preference, the settings of the second preference are tried. If selecting the full name according to both preferences is unsuccessful, the username is displayed as the full name.

First preference

Most preferred settings for how the full name of users will be selected.

if the first preference result is empty

Settings to apply if the first preference result is empty.

if both settings have empty results

The username will be displayed as the user’s full name.

Preferences for selecting a short full name

Settings of preferences for selecting the short full name of users. The short full name displays in lists with users – e.g. in the users management, when adding permissions for Safe Boxes to other users, in the names of private Safe Boxes shared from another user, in reports, etc.

If the short name cannot be selected according to the settings of the first preference, the settings of the second preference are tried. If selecting the short name according to both preferences is unsuccessful, the username is displayed as the short name.

First preference

Most preferred settings for how the short name of users will be selected.

if the first preference result is empty

Settings to apply if the first preference result is empty.

if both settings have empty results

The username will be displayed as the user’s short name.

Backup

The SecureAnyBox5 server is backed up at the set time (if the server is running) or at the earliest possible opportunity. The default setting is midnight. It is possible to set a configuration of backup and check if the backup ran.
Backup of the SecureAnyBox5 server can also be started manually.

View how to restore SecureAnyBox5 data from a backup

To edit the configuration of Backup, click on the edit button and wait for a form to display.

Backup tab

File path

The path to the location where the backup files are created. The default path is the backup directory in the SecureAnyBox5 installation directory. By default: /opt/tdp/secureanybox/backup or C:\SecureAnyBox\backup

Filename prefix

A time stamp in the yyyy-mm-dd format is automatically added after the prefix (e.g., secureanybox-backup-2018-05-17.zip). The default prefix is secureanybox-backup.

Number of the last backups to keep

The number of backups maintained. When the count of backups exceeds the number set here, the oldest backups are automatically deleted. The default number of backups is 7.

Customized file permissions

Allows you to edit the default user rights of the backup file.

File owner

User account which will be set as the owner when creating the backup file (e.g., root, Administrators).

This field is displayed if the SecureAnyBox5 server runs on the Windows platform.

File group

Group of users with permissions to the backup files.

This field is displayed if the SecureAnyBox5 server runs on the Linux platform.

File permissions

Permissions that are set on the backup files. The Unix symbolic notation in the rw-rw---- format is used for the setting (see https://en.wikipedia.org/wiki/File_system_permissions). By default, only the owner has permission to read and write (rw-------).

This field is displayed if the SecureAnyBox5 server runs on the Linux platform.

A table with information about backups displays below the backup configuration details.

The Connector holds the server connection settings used for communication with the LDAP/Azure AD server to synchronize users from LDAP/Azure AD to SecureAnyBox5, and vice versa. The supported directory services are eDirectory, Active Directory, generic LDAP, and Azure AD.

LDAP tab

By clicking the sync button, a user starts manual synchronization with the connector server. The user is also redirected to the Connector synchronization log page, where it is possible to see the synchronization results.
By clicking the view button, a user is redirected to the Connector Viewer page, where he can view which users can be synchronized from the LDAP/Azure AD server after the filtering specified in the LDAP/Azure AD connector is applied.

LDAP Connector

For each connector, it is possible to set more than one LDAP server for backup or load balancing purposes. All servers set to one connector need to be the same type (eDirectory, Active Directory, or generic LDAP).

To create a new LDAP connector, click on the add LDAP Connector button and wait for a form to display.

LDAP form

Connector ID

Unique connector identifier. Connector ID must start with a letter and contain only letters, numbers and underscore.

Enabled

Uncheck (false) to disable this connector.

LDAP settings

Directory service

LDAP server type.

LDAP server(s)

LDAP server address, or the addresses of multiple LDAP servers holding the same directory replica/mirror (for failover).

To add an LDAP server, click on the button with the plus symbol and wait for a form to display.

New LDAP

In the form, enter the Server address and Port of the LDAP server. The server address can be entered as an IP address (e.g., “172.22.13.1”) or as a domain name (e.g., “ldapsrv.tdp.cz”). The port is set to 636 by default, along with the use of SSL.

We recommend using the SSL protocol for communication between SecureAnyBox5 and the LDAP server.

To successfully add a new LDAP server address, confirm the entered values by clicking on the OK button.

Server address

Please enter the LDAP server address. The server address can be entered as an IP address (e.g., “172.22.13.1”) or as a domain name (e.g., “ldapsrv.tdp.cz”).

Port

Port on which SecureAnyBox5 communicates with the LDAP server. Port 636 is used for connections with the SSL protocol and port 389 for connections without SSL.

SSL

Enable/disable the SSL protocol for communication between SecureAnyBox5 and the LDAP server. We strongly recommend using the SSL protocol.

Load balancing

When enabled, LDAP requests will be distributed among available LDAP servers (for load balancing). When not enabled, SecureAnyBox5 will connect to the first server available. Servers are tried in the order in which they are defined.

SecureAnyBox5 mgr account

LDAP User DN used by SecureAnyBox5 to access LDAP directory, lookup users, change passwords, etc.

Minimum access rights:

entry/object rights – browse
cn – read, compare
objectClass – read, compare

Use the Create SecureAnyBox objects button to create the manager user automatically when using NetIQ (Novell) eDirectory. If you are connecting to a directory service from another vendor, create the manager user using your directory service management console. The LDAP interface of some directory services (e.g., Active Directory) doesn’t provide access rights/permissions modification.

e.g., cn=secureanyboxmgr,o=org or cn=secureanyboxmgr,cn=Users,dc=DOMAIN,dc=local

LDAP search base

LDAP container used as the search base for the LDAP synchronization search query. When the search base is not set, the search starts at the root of the LDAP tree.

e.g., o=org, or leave empty to search from the root of the tree

Search subtree

Uncheck to search only the immediate subordinates of the specified search base.

Dereference aliases

An alias is an entry which points to another object in the namespace by containing its DN. Searching the entry that an alias entry points to is known as dereferencing an alias.

There are four modes of dereferencing aliases:

  • Never
  • Dereference while finding the base object - aliases are dereferenced when searching subordinates of the base object but not when locating the base object.
  • Dereference while retrieving objects according to search scope - aliases are dereferenced when locating the base object but not when searching for the subordinates of the base object.
  • Always

Search Page Size

When set to a value greater than zero, SecureAnyBox5 uses the Simple Paged Results extended control to retrieve LDAP search results in pages of the given number of entries. Some LDAP servers have a default server-side limit on the number of entries returned in a single response. For example, Active Directory servers have a default limit of 1000 objects for a single search request. Setting Search Page Size to 1000 or lower allows SecureAnyBox5 to retrieve more results than the server limit using multiple requests. When set to 0, no paging is used and only a single request is used to retrieve all results. This setting is used when importing users and in the Connector Viewer.

When using embedded LDAP from KeyShield SSO, this value must be set to 0.

Include

List of FDNs included in user synchronization.

Exclude

List of FDNs excluded from user synchronization.

LDAP search filter
LDAP search filter used during user synchronization

Default filters:
  • AD - (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • eDirectory - (&(objectClass=person)(!(loginDisabled=true)))
  • generic LDAP - (objectClass=person)
Group membership filter examples:
  • AD: (memberof:1.2.840.113556.1.4.1941:=cn=Group1, OU=groups,DC=domainname)
  • eDirectory: (groupMembership=cn=group1,o=org)

e.g., (objectClass=person)
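The default and group-membership filters listed here (and in the LDAP Agent section above) rely on Active Directory's extensible matching rules, and it is worth seeing what they actually select. The evaluator below is an added example, not SecureAnyBox5 code: it parses RFC 4515 filters, implements the bit-AND rule (OID 1.2.840.113556.1.4.803) that excludes accounts with the userAccountControl disable bit (2) set and the in-chain rule (OID 1.2.840.113556.1.4.1941) that resolves nested group membership, and runs the page's filters over a constructed in-memory directory (the user and group DNs are assumed sample data).

```python
import re

# Matching-rule OIDs used in the Active Directory filters quoted above.
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested groups)
ACCOUNTDISABLE = 0x2                  # userAccountControl bit tested by ":803:=2"
_EXT = re.compile(r"([A-Za-z][\w.-]*)?(?::([\d.]+))?:=(.*)")  # attr:rule:=value

def _norm_dn(dn):  # case-insensitive DN key that tolerates spaces after commas
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def _attr_values(entry, attr):  # LDAP attribute names are case-insensitive
    return [str(v) for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]

def _expect(s, i, ch):
    if s[i:i + 1] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1

def _parse(s, i):
    i = _expect(s, i, "(")
    op = s[i:i + 1]
    if op in ("&", "|"):                    # (&(..)(..)) and (|(..)(..))
        items, i = [], i + 1
        while s[i:i + 1] == "(":
            node, i = _parse(s, i)
            items.append(node)
        return ("and" if op == "&" else "or", items), _expect(s, i, ")")
    if op == "!":                           # (!(..))
        node, i = _parse(s, i + 1)
        return ("not", node), _expect(s, i, ")")
    # RFC 4515 escapes ')' inside values as \29, so the next ')' ends the item.
    end = s.index(")", i)                   # ValueError if unterminated
    item, m = s[i:end], _EXT.fullmatch(s[i:end])
    if m:                                   # extensible match
        return ("ext", m.group(1) or "", m.group(2), m.group(3)), end + 1
    attr, sep, value = item.partition("=")
    if not sep or not attr:
        raise ValueError("malformed filter item %r" % item)
    return (("present", attr) if value == "*" else ("eq", attr, value)), end + 1

def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after filter: %r" % text[end:])
    return node

def evaluate(node, entry, directory=None):
    """Evaluate a parsed filter against one entry (dict attr -> list of values)."""
    kind = node[0]
    if kind in ("and", "or"):
        results = [evaluate(n, entry, directory) for n in node[1]]
        return all(results) if kind == "and" else any(results)
    if kind == "not":
        return not evaluate(node[1], entry, directory)
    values = _attr_values(entry, node[1])
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return any(v.lower() == node[2].lower() for v in values)
    _, attr, rule, target = node
    if rule == BIT_AND:                     # every bit of target is set in the value
        return any(int(v) & int(target) == int(target) for v in values)
    if rule == IN_CHAIN:                    # direct or nested membership; needs directory
        return _in_chain(values, attr, _norm_dn(target), directory or {}, set())
    raise ValueError("unsupported matching rule %r" % rule)

def _in_chain(dns, attr, target, directory, seen):
    for dn in dns:
        key = _norm_dn(dn)
        if key == target:
            return True
        if key in seen or key not in directory:
            continue
        seen.add(key)                       # guards against membership cycles
        if _in_chain(_attr_values(directory[key], attr), attr, target, directory, seen):
            return True
    return False

# Constructed sample directory (not real data); objectCategory holds the short name AD matches on.
GROUP1 = "cn=Group1,OU=groups,DC=domainname"
NESTED = "cn=Nested,OU=groups,DC=domainname"

def _user(uac, member_of=()):
    return {"objectCategory": ["person"], "objectClass": ["top", "person", "user"],
            "memberOf": list(member_of), "userAccountControl": [str(uac)]}

SAMPLE_DIRECTORY = {_norm_dn(dn): e for dn, e in {
    "cn=alice,OU=users,DC=domainname": _user(512, [GROUP1]),
    "cn=bob,OU=users,DC=domainname": _user(512 | ACCOUNTDISABLE, [GROUP1]),
    "cn=carol,OU=users,DC=domainname": _user(512, [NESTED]),
    NESTED: {"objectCategory": ["group"], "objectClass": ["top", "group"], "memberOf": [GROUP1]},
}.items()}

def search(filter_text, directory=SAMPLE_DIRECTORY):  # sorted normalised DNs of matches
    node = parse_filter(filter_text)
    return sorted(dn for dn, e in directory.items() if evaluate(node, e, directory))
```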

LDAP pool size

A number of LDAP connections SecureAnyBox5 will keep alive to improve the performance of LDAP requests.

Attribute mapping
UUID attribute

An attribute used as the UUID (Universally unique identifier) attribute. Its value is used to uniquely identify the user object in the connector and must be unique across domains and LDAP connectors. Usually, the GUID (eDirectory) or objectGUID (Active Directory) attributes are used and recommended, because they are generated to be globally unique.

First Name Attribute

Attribute used as a first name.

Middle Name Attribute

Attribute used as a middle name.

Last Name Attribute

Attribute used as a surname.

Display Name Mapping

Enable mapping to Display name

Display Name Attribute

Field is displayed only if the Display Name Mapping field is checked.

Attribute used as a display name.

Short Display Name Mapping

Enable mapping to Short display name

Short Display Name Attribute

Field is displayed only if the Short Display Name Mapping field is checked.

Attribute used as a short display name.

Custom Mail Attribute

You can set the source attribute for reading the user e-mail address and an optional regex to pick the correct e-mail address if the source attribute is multi-valued.

Fields below are displayed only if the Custom Mail Attribute field is checked.

Mail Attribute

Source attribute used to read user e-mail address.

Mapping method

Mapping method used to read the e-mail value, for example when the source attribute is multi-valued. The default mapping method (First value) reads the first value of the attribute as it is returned by the server.

Match regex

This field is displayed only if the Mapping method field is set to First match or to First match or first value.

Regular expression used to find the value of the user’s e-mail address. For example, use the regex .*@yourdomain.com to match e-mail addresses from yourdomain.com.

Synchronization

Target Domain

Synchronized user objects are created in this domain.

User tags

List of user tags which will be assigned to all users synchronized from this connector.

Group to User tag

Mapping of group FDN to user tags – all users with specified group FDN will have the user tag assigned. FDN of the group must be in the search scope.

Enable Synchronization

Enable periodic synchronization of users from connector.

User Synchronization interval

The interval between synchronizations of users from this connector.

To complete the configuration of the LDAP connector, please confirm the form by clicking the OK button. The application must be restarted for the LDAP connector to function properly.

eDirectory installation

While configuring a new eDirectory LDAP connector, you can click on the Create SecureAnyBox objects button to perform the eDirectory installation directly from the SecureAnyBox5 web interface. After clicking on the button, wait for the eDirectory Installation form to display.

eDir Installation

LDAP server

LDAP server address. The address can be specified in various formats (e.g., 172.22.40.68, localhost, mail.tdp.cz), but cannot be specified together with the connection type (e.g., smtp://127.0.0.1).

LDAP Port

The port on which SecureAnyBox5 communicates with the LDAP server. For SSL connections, use port 636; for connections without SSL, use port 389.

SSL

Enable/disable the use of SSL for communication between SecureAnyBox5 and LDAP. We strongly recommend using SSL.

LDAP search base

LDAP container used as the search base for the LDAP synchronization search query. When the search base is not set, the search starts at the root of the LDAP tree.

e.g., o=org, or leave empty to search from the root of the tree

SecureAnyBox5 container

LDAP container in which SecureAnyBox5 objects (such as the SecureAnyBox5 manager) should be created.

Admin FDN

Enter the FDN of the LDAP admin (e.g., cn=admin,o=org). LDAP admin credentials are necessary to create SecureAnyBox5 objects in LDAP.

Password

Enter the admin password.

Password override

When enabled, you can override the User DN and password for the SecureAnyBox5 mgr user. Otherwise, the default values will be used.

SecureAnyBox5 mgr account

LDAP User DN used by SecureAnyBox5 to access LDAP directory.

Password Pattern

Password pattern for generating the SecureAnyBox5 manager password. Each character in the pattern corresponds to one character in the generated password.

See examples of the password pattern

Characters allowed in the password pattern and their meaning:

v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character: the next character is used as is (e.g. pattern ‘\-’ outputs ‘-’ in the resulting password)
* – any allowed character

The default pattern is CVCVdddCVCCVdC (this might generate passwords such as “wEHe063heFme4p”).

For example, you can set the password pattern to “\p\a\s\sddddddd”, which might generate passwords such as “pass1762885” or “pass5687412”.

SecureAnyBox5 mgr password

Set the SecureAnyBox5 manager password. The password can be generated by clicking on the Generate button. Generated passwords are safer and have no link to the person who made them (such as a pet’s name, favourite actor or nickname). Generated passwords follow the current password pattern and can also be edited.

Once all required values are set, click on the OK button and wait until the installation process completes successfully. If no error occurs, the eDirectory Installation form is no longer displayed and the LDAP connector form displays the message Success.

Success

Azure AD Connector

To create a new Azure AD connector, click on the add Azure AD Connector button and wait for a form to display.

Azure AD Connector form

Enabled

Uncheck (false) to disable this connector.

Authentication Settings

Primary domain

Primary domain of your Azure Active Directory – it is used to form the userPrincipalName (the part after @) used to log in to Azure AD.

Tenant ID

Tenant ID of your Azure AD

Client ID

ID of application registered in Azure AD used for SecureAnyBox5 synchronization and authentication.

Client secret

Client secret of the registered application.

Attribute mapping

The same fields as in the Attribute mapping section of the LDAP connector.

Synchronization

The same fields as in the Synchronization section of the LDAP connector.

KeyShield SSO Integration

In this part of the SecureAnyBox5 configuration, you can set up integration with KeyShield SSO. SecureAnyBox5 supports two types of KeyShield authentication: by IP address and by certificate using the Client API.

KeyShield SSO Integration form

IP address authentication

KeyShield SSO integration for clients with a unique IP address, using the KeyShield SSO web REST API.

KeyShield SSO

KeyShield SSO authentication is disabled by default. You can enable it for all users or non-admin users only.

KeyShield SSO server URL

KeyShield SSO server URL (syntax: http://address:port), e.g. http://127.0.0.1:8485.

If you are connecting to the KeyShield SSO server using SSL (via HTTPS instead of HTTP), you need to import the certificate of the KeyShield SSO server into your Java Keystore.

API key

Key used to authenticate against KeyShield SSO API. To obtain the API key, go to the KeyShield SSO Administration.

Trusted proxy servers

When SecureAnyBox5 is behind a reverse proxy server, it is necessary to enter the trusted proxy IP address (or multiple addresses) to enable KeyShield SSO integration.

Connection Timeout

Determines the timeout in seconds until a connection to the KeyShield SSO server is established.

Enabled Authentication Types for synchronized users

Select the authentication type. This value determines whether authentication through the login form is enabled and whether two-factor authentication is used.

Notification URL

Copy this URL and use it in the notification configuration within the KeyShield SSO Server. KeyShield SSO will notify the SecureAnyBox5 Server that a user has logged in or logged out, even if the user is authenticated to the SecureAnyBox5 server using the GUID.

Certificate authentication using client API

Integration with KeyShield SSO for clients with a non-unique IP address. This authentication uses the KeyShield SSO client API and requires a browser extension. Using the KeyShield SSO (Windows) client in TLS mode is also required.

Enable Certificate Authentication

Enables SSO through the KeyShield SSO Client API.

KeyShield SSO API Certificate

Upload KeyShield SSO API certificate which can be downloaded from KeyShield SSO configuration in the API section.

Safe Boxes

Configuration of the default password pattern (used in Safe Boxes and Records), offering of previously entered labels, maximum file size, Access Code policy and application of permission templates.

Password safe

Safe Boxes Management
Customized column

Selection of which data displays in the middle column of the list of records in the Safe Box – after the record name. The default value is Description.
This value is set for the server and can be overridden in the domain and the user preferences.

Enable creating tags from the record

When using the API (/safe/boxes/{boxId}/records), it is possible to create new record tags directly when creating a record using the ‘forceCreateTags’ parameter. This setting determines who can use this parameter.

Note: Global setting can be overridden by domain setting

Do not offer previously entered tags

When entering a tag in the record’s form, previously typed tags will not be offered.

Maximum File Size

This value determines the maximum size of the file which is possible to store in a record (file or certificate type of record).

Safe Box delete mode

Sets whether a user who has delete permission for a Safe Box can delete the Safe Box itself or only the content inside it.

White Envelope mode

Select White Envelope mode. If the White Envelope is mandatory, a sufficient number of Security Officers must be set up.

If the private key is backed up in the White Envelope, a forgotten Access Code can be recovered with the help of Security Officers and does not need to be reset. When recovering the Access Code, unlike a resetting, the user does not lose the keys to the Safe Boxes, and it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.

Note: The domain settings can override this setting.

Access Code reset enabled

Enable resetting the Access Code even though the Access Code can be recovered with the help of Security Officers. When recovering the Access Code, unlike when resetting, the user does not lose the keys to the Safe Boxes. So, it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.

Note: The domain settings can override this setting.

Password policy

Settings of the default password generation method.

Generate passwords using

Select the setting that will be the default for all users. The selected setting will be used when generating a password:

Default password preset

A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.

Default password pattern

Default password pattern for Safe Boxes and Records where no password pattern is set.

Each character in the pattern corresponds to one character in the generated password.

See examples of the password pattern

Characters allowed in the password pattern and their meaning:

v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character: the next character is used as is (e.g. pattern ‘\-’ outputs ‘-’ in the resulting password)
* – any allowed character

The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd’, which might generate passwords such as ‘pass1762885’ or ‘pass5687412’.

User tags
Apply Permission Templates from
Select the user tags for which permission templates will be offered when applying permission templates:
  • All domains - Permission Templates will be offered for user tags from all visible domains
  • Only current domain - Permission Templates will be offered only for user tags from the domain of the currently logged user

Enhanced Client Encryption

Enhanced Client Encryption

Configuration of enhanced client-side encryption of Access Code and record data. This is additional encryption inside the already encrypted and secure SSL/TLS connection.

Access Code Policy

Access Code Policy

Minimum length

Minimum length of the Access Code.

Uppercase letters

Minimum number of uppercase letters in Access Code.

Lowercase letters

Minimum number of lowercase letters in Access Code.

Digits

Minimum number of digits in Access Code.

Special characters

Minimum number of special characters in Access Code.

Minimum Entropy
Value of the minimum allowed entropy of the Access Code. The value of entropy shows how unpredictable and strong the Access Code is.
  • 0 – 20 – Access Code is very weak
  • 20 – 35 – Access Code is weak
  • 35 – 40 – Access Code is good
  • 40 – 50 – Access Code is strong
  • 50 – 256 – Access Code is very strong
Access Code Timeout

By setting the Access Code Timeout, you will enable temporary remembering of the Access Code. The last entered valid Access Code will be temporarily stored in a cache (for the specified amount of time), so users will not have to enter the Access Code repeatedly.
To turn this feature off, set the Access Code Timeout to 0.

Max Access Code Attempts

User Access Code is temporarily disabled after this number of unsuccessful attempts. Set to 0 to turn this feature off.

Access Code Ban Minutes

The user cannot use his/her Access Code for this number of minutes.

Settings of the required characters in the Access Code

                      Default value   Minimum value
Minimum length        8               5
Uppercase letters     1               0
Lowercase letters     1               0
Digits                3               0
Special characters    0               0
Minimum Entropy       20              0

Mail and Notification

Configuration of e-mail notifications. Notifications are sent when a user makes changes in records (Safe Boxes, Accounts and so on).

Mail notification

SMTP Server

Enter the SMTP server address from which notification e-mails will be sent. The host address can be specified in various formats (e.g. 172.22.40.68, localhost, mail.tdp.cz), but cannot include the type of connection (e.g. smtp://127.0.0.1).

SMTP Port

Please enter the port of the SMTP server. Usual SMTP ports are 25, 587 or 2525.

Username

Enter the username of the SMTP account which SecureAnyBox5 will use to connect to the SMTP server.

Password

Enter the password of the SMTP account which SecureAnyBox5 will use to connect to the SMTP server.

From Address

Enter the e-mail address from which the notification e-mails will be sent.

Enable Mail Notification

By enabling e-mail notification, you allow sending notification e-mails with a summary of changes in the records.
When notifications are enabled, it is possible to set when and to whom the e-mails will be sent.

Only Encrypted Fields

If this field is checked (or the value is “yes”), notification e-mails will be sent only if some encrypted fields (in records) change.

Notify Only Watchers

If this field is checked (or the value is “yes”), notification e-mails will be sent only to watchers of the Safe Box in which the changed record is stored.

Notify Self

If this field is checked (or the value is “yes”), the notification e-mail will be sent even to the user who made the changes.

Changes Aggregation [minutes]

Set the time (in minutes), during which the SecureAnyBox5 will aggregate changes. After the set time, SecureAnyBox5 will send an e-mail with the summary of all changes in the record.

External files

Configuration of external files. External files are encrypted by SecureAnyBox5 and stored on another server. In this part of the Configuration, it is possible to set default external files path.

External files

User management

Domains

Create domain Edit domain Disable domain Delete domain Show Domain Users

This page is intended for managing domains. Only users with the role User Manager or Administrator have access to this page.

Domains can be used to divide SecureAnyBox5 into several parts. Each domain has its own user management, and it is possible to create a hierarchical structure of domains.

The structure of domains can copy the structure of your company: a hierarchy is created by setting the visibility of one domain for other domains that are higher in the company structure.

For example, two domains named "Management" and "Technical support" can be created. Because users of the domain "Management" have a higher position in the structure of the company, the domain "Technical support" will be set as visible for users of the domain "Management".

This setting allows users of the domain "Management" to grant access to Safe Boxes to users of both domains, whereas users of the domain "Technical support" can grant access to Safe Boxes only to users of their own domain.

Domains can also copy the structure of containers in LDAP. When setting up an LDAP connector, it is required to select the domain into which users will be imported from that connector. Each LDAP connector can have only one domain.

Create domain

Only users with a role Administrator from System domain can create a domain. Users with a role User Manager can only edit their domain.

To create a domain click on the New Domain button at the Domain page. After clicking on the button, the domain’s form displays.

Domain form

All fields are displayed after entering a domain name.

Enabled

When enabled, users from this domain can log in.

Name

The name should characterize the domain. Each domain name must be unique.

If more than one domain is specified, the domain name will be required at the login page.

By clicking on the Login page link button, it is possible to get a link to the login page where the domain name will be prefilled.

Description

The description should more specifically characterize the domain.

Attributes
Maximum number of initialized users

If this limit is reached, non-initialized users will not be able to set the Access Code.

Language

Select a language which users of this domain will have set by default. The language can be changed anytime.

Visible Domains

List of domains visible for users of this domain.

Users of this domain can share their Safe Boxes and Safe Box Groups also with users of visible domains.

Agent Configurations

Agent Configurations assigned to this domain.

When an Agent Configuration is assigned, by default users with the role SecureAnyBox Admin can modify or remove the Agent Configuration. Management of the Agent Configuration can be enabled for SecureAnyBox Admins from all domains in the Agent Configuration settings.
SecureAnyBox Admins from other domains (if the Agent Configuration is visible to them) can only copy the Agent Configuration.

An assigned Agent Configuration can be used by users from this domain by default. The ability to use the Agent Configuration can be expanded or limited by setting permitted users in the Agent Configuration settings.

Agent Configuration can be assigned to one domain only.

Send invitation e-mail to new users

After manually creating a user who does not have a password, send this user an invitation e-mail with a link to set the password.

2FA (Two-Factor Authentication)

Use of a second factor (authenticator application) is either optional (enabled by the user in the top right menu) or mandatory.

Safe Boxes settings

Domain form

Customized column of records in Safe Boxes

Selection of which data displays in the middle column of the list of records in the Safe Box – after the record name. The default value in server configuration is Description.
This value is set for the domain and can be overridden in the user preferences.

Default Safe Box type

Choose a default Safe Box type for all new Safe Boxes and Safe Box Groups which will be created in this domain.

Shared – Access rights are inherited from parent level.

Private – Blocks access rights inheritance from parent level.

Enable creating tags from the record

When using the API (/safe/boxes/{boxId}/records), it is possible to create new record tags directly when creating a record using the ‘forceCreateTags’ parameter. This setting determines who can use this parameter.

Note: This setting overrides global setting

Override Max. File Size

Check this box to override the maximum file size. The default value is 15 MB.

Maximum File Size

This value determines the maximum size of file which is possible to store in a record (file or certificate type of record).

Enable sharing

Enables/disables sharing of permissions for Safe Boxes with other users.

Forbid remembering Access Code

Checking this box will override ‘Access Code Timeout’ settings, and for users of this domain, the Access Code will not be remembered.

Default settings for automatic watching
Automatically watch changes

For Safe Box Groups, Safe Boxes and records that users from this domain create or obtain access to, watching of changes will be enabled automatically by default.

Each user can change whether changes will be watched automatically in the user preferences form.

If sending notifications is enabled (in the server configuration), e-mail notifications will be sent with a summary of changes to the watched items.

Automatically watch accesses

For Safe Box Groups, Safe Boxes and records that users from this domain create or obtain access to, watching of accesses to encrypted information will be enabled automatically by default.

Each user can change whether accesses to encrypted information will be watched automatically in the user preferences form.

If sending notifications is enabled (in the server configuration), e-mail notifications will be sent with a summary of accesses to encrypted information in the watched items.

User tags and Permission Templates

Domain form

Permission templates will be offered for user tags from

Select the user tags for which permission templates will be offered when applying permission templates:

  • All domains - Permission Templates will be offered for user tags from all visible domains
  • Only current domain - Permission Templates will be offered only for user tags from the domain of the currently logged user
User tags assigned to all domain users

List of user tags assigned to all users from this domain.

Security policy

Domain form

Password settings

Select the password setting that will be the default for users from this domain. Password settings are used when generating a password:

  • Inherited - settings will be inherited from domain or parent level

  • Password preset - the selected password preset will apply when generating a password. The password preset has to be specified first in the Administration interface.

  • Password pattern - when generating a password, the entered password pattern will apply

Password preset

Select the password preset that will apply when generating a password. The password preset has to be specified first in the Administration interface.

Default password pattern

Default password pattern for Safe Boxes and Records that will be created in the domain, where no password pattern is set.

Each character in the pattern corresponds to one character in the generated password.

See examples of the password pattern

Characters allowed in the password pattern and their meaning:

v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character: the next character is used as is (e.g. pattern ‘\-’ outputs ‘-’ in the resulting password)
* – any allowed character

The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd’, which might generate passwords such as ‘pass1762885’ or ‘pass5687412’.
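The password pattern language described here (and identically in the server Password policy and eDirectory installation sections) implemented as a generator and a checker. This is an added example, not the product's own generator; it assumes the comma in the special-character list is a separator rather than a member, and it adds an entropy estimate to show why escaped literals add length but no strength.

```python
import math
import secrets
import string

VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
# The special characters listed in the guide; the comma is read as the list
# separator, not as a member (an assumption).
SPECIALS = r".@&*()<>_][%$#\/?;-:"

# Alphabet for each pattern character, as documented in the guide.
PATTERN_CLASSES = {
    "v": VOWELS,
    "V": VOWELS + VOWELS.upper(),
    "Z": VOWELS.upper(),
    "c": CONSONANTS,
    "C": CONSONANTS + CONSONANTS.upper(),
    "z": CONSONANTS.upper(),
    "l": VOWELS + CONSONANTS,
    "A": string.ascii_letters,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SPECIALS,
    "n": string.digits + SPECIALS,
    "*": string.ascii_letters + string.digits + SPECIALS,
}


def expand_pattern(pattern: str) -> list:
    """Turn a pattern into one alphabet per output position.

    An escaped character ('\\x') becomes a single-character alphabet.
    Raises ValueError on an unknown class letter or a trailing backslash.
    """
    alphabets = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a lone backslash")
            alphabets.append(pattern[i + 1])  # next character is used as is
            i += 2
            continue
        if ch not in PATTERN_CLASSES:
            raise ValueError(f"unknown pattern character {ch!r}")
        alphabets.append(PATTERN_CLASSES[ch])
        i += 1
    return alphabets


def is_valid_pattern(pattern: str) -> bool:
    """True if every character of the pattern is a known class or an escape."""
    try:
        expand_pattern(pattern)
        return True
    except ValueError:
        return False


def generate_password(pattern: str) -> str:
    """Generate one password from the pattern using the CSPRNG in 'secrets'."""
    return "".join(secrets.choice(alphabet) for alphabet in expand_pattern(pattern))


def matches_pattern(password: str, pattern: str) -> bool:
    """True if the password could have been produced by the pattern."""
    alphabets = expand_pattern(pattern)
    return len(password) == len(alphabets) and all(
        ch in alphabet for ch, alphabet in zip(password, alphabets))


def pattern_entropy_bits(pattern: str) -> float:
    """Entropy of a password drawn from the pattern: the sum of log2(alphabet
    size) over positions. Escaped literals contribute nothing, so a pattern
    such as '\\p\\a\\s\\sddddddd' is much weaker than its length suggests."""
    return sum(math.log2(len(a)) for a in expand_pattern(pattern))
```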

Compliance profile

The compliance profile specifies requirements for password security that the passwords should adhere to. The Compliance report can be used to check whether the passwords meet the security requirements.

The selected compliance profile will be the default for all users within this domain.

Login Password Policy

Domain form

Override Password Policy

By overriding the Login Password Policy, you can set the policy only for this domain. If not overridden, the login password policy from the Configuration (if specified) will apply.

Fields below are displayed only if the Override Password Policy field is checked.

Minimum length

Minimum length of the login password.

Uppercase letters

Minimum number of uppercase letters in login password.

Lowercase letters

Minimum number of lowercase letters in login password.

Digits

Minimum number of digits in login password.

Special characters

Minimum number of special characters in login password.

Minimum Entropy
Value of the minimum allowed entropy of the login password. The value of password entropy shows how unpredictable and strong the password is (the higher the value, the better).
  • 0 – 20 – password is very weak
  • 20 – 35 – password is weak
  • 35 – 40 – password is good
  • 40 – 50 – password is strong
  • 50 – 256 – password is very strong
Access Code Policy

Domain form

Override Access Code Policy

By overriding the Access Code Policy, you can set the policy only for this domain. If not overridden, the Access Code Policy from the Configuration will apply.

Fields below are displayed only if the Override Access Code Policy field is checked.

Minimum length

Minimum length of the Access Code.

Uppercase letters

Minimum number of uppercase letters in Access Code.

Lowercase letters

Minimum number of lowercase letters in Access Code.

Digits

Minimum number of digits in Access Code.

Special characters

Minimum number of special characters in Access Code.

Minimum Entropy
Value of the minimum allowed entropy of the Access Code. The value of entropy shows how unpredictable and strong the Access Code is.
  • 0 – 20 – Access Code is very weak
  • 20 – 35 – Access Code is weak
  • 35 – 40 – Access Code is good
  • 40 – 50 – Access Code is strong
  • 50 – 256 – Access Code is very strong
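A checker for the policy fields above; the same fields appear in the Login Password Policy and in the server-level Access Code Policy, whose default and minimum values are used here. This is an added example, not the product's validation code: the guide does not state how entropy is computed, so the usual estimate length × log2(pool size) is assumed, and the special-character set is taken from the password-pattern list.

```python
import math
from dataclasses import dataclass
from typing import List

# Characters counted as 'special'; an assumption taken from the guide's
# password-pattern list, since the policy section does not enumerate them.
SPECIALS = r".@&*()<>_][%$#\/?;-:"


@dataclass(frozen=True)
class CodePolicy:
    """One policy; the defaults are the server defaults from the guide's table."""
    min_length: int = 8
    uppercase: int = 1
    lowercase: int = 1
    digits: int = 3
    specials: int = 0
    min_entropy: float = 20.0


# The lowest values the guide allows for each policy field.
POLICY_FLOOR = CodePolicy(min_length=5, uppercase=0, lowercase=0,
                          digits=0, specials=0, min_entropy=0.0)

_FIELDS = ("min_length", "uppercase", "lowercase", "digits", "specials", "min_entropy")


def policy_floor_violations(policy: CodePolicy) -> List[str]:
    """Fields set below the documented minimum values."""
    problems = []
    for field in _FIELDS:
        value, floor = getattr(policy, field), getattr(POLICY_FLOOR, field)
        if value < floor:
            problems.append(f"{field} {value} < minimum {floor}")
    return problems


def entropy_bits(code: str) -> float:
    """Estimate entropy as length * log2(size of the character pool in use).
    Assumed formula; the guide does not state the product's own."""
    pool = 0
    if any(c.islower() for c in code):
        pool += 26
    if any(c.isupper() for c in code):
        pool += 26
    if any(c.isdigit() for c in code):
        pool += 10
    if any(c in SPECIALS for c in code):
        pool += len(SPECIALS)
    return len(code) * math.log2(pool) if pool else 0.0


def strength_label(bits: float) -> str:
    """Map an entropy value onto the bands listed in the guide."""
    if bits < 20:
        return "very weak"
    if bits < 35:
        return "weak"
    if bits < 40:
        return "good"
    if bits < 50:
        return "strong"
    return "very strong"


def check_access_code(code: str, policy: CodePolicy = CodePolicy()) -> List[str]:
    """Return the unmet requirements; an empty list means the code is acceptable."""
    problems = []
    if len(code) < policy.min_length:
        problems.append(f"length {len(code)} < {policy.min_length}")
    counts = (
        ("uppercase letters", sum(c.isupper() for c in code), policy.uppercase),
        ("lowercase letters", sum(c.islower() for c in code), policy.lowercase),
        ("digits", sum(c.isdigit() for c in code), policy.digits),
        ("special characters", sum(c in SPECIALS for c in code), policy.specials),
    )
    for name, have, need in counts:
        if have < need:
            problems.append(f"{name} {have} < {need}")
    bits = entropy_bits(code)
    if bits < policy.min_entropy:
        problems.append(f"entropy {bits:.1f} bits < {policy.min_entropy}")
    return problems
```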
White Envelopes

Domain form

White Envelope mode

Select White Envelope mode. If the White Envelope is mandatory, a sufficient number of Security Officers must be set up.

If the private key is backed up in the White Envelope, a forgotten Access Code can be recovered with the help of Security Officers and does not need to be reset. When recovering the Access Code, unlike a resetting, the user does not lose the keys to the Safe Boxes, and it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.

Access Code reset enabled

Enable resetting the Access Code even though the Access Code can be recovered with the help of Security Officers. When recovering the Access Code, unlike when resetting, the user does not lose the keys to the Safe Boxes. So, it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.

Security Officers Threshold

The number of Security Officers required to open a White Envelope. The number of configured Security Officers has to be greater than this value.

Minimum Security Officers Count

If this limit is reached, non-initialized users will not be able to set the Access Code.

Desired count of Security Officers

Number of Security Officers appointed in your organization. SecureAnyBox5 will warn you if the Security Officer Count falls below this value.

Default Safe Box Permissions

These settings of Default Safe Box permissions are used as default settings of permissions while creating a new user into the domain.

Domain form

Read
User has permission to view shared Safe Boxes, shared Safe Box Groups and records in them.
Create
User has permission to create a new shared Safe Box, shared Safe Box Group or record in them.
Modify
User has permission to modify shared Safe Boxes, shared Safe Box Groups and records in them.
Delete
User has permission to delete or move a shared Safe Box, shared Safe Box Group or record in them.
Access Control
User has permission to manage permissions for a shared Safe Box or shared Safe Box Group.
Private Boxes
User has permission to create a new Private Safe Box or Safe Box Group.
Default Licensed Features for new users

By checking the fields below, new users created (not updated during LDAP synchronization) in this domain will be granted access to licensed features – CBT client (Custom Branded Trusted client) or File manager plugin. The number of users with access to licensed features cannot exceed the number of licenses.

Domain form

Edit domain

To edit a domain, click on its row in the list of domains. After clicking, the domain form displays. Any value in the form can be changed.

To apply changes, click on the OK button.
By clicking on the Cancel button, all changes will revert.

Disable domain

By disabling a domain, you can block login of all users in the domain. To disable the domain, open domain’s form by clicking on the row in a list of domains and uncheck the Enabled field. After saving, the domain is disabled.

The domain which was disabled can be enabled anytime.

Delete domain

The domain can be deleted only if it does not contain users. To delete the domain, click on the cross icon at the end of its row in the table of domains.
Deleting the domain has to be confirmed.

Delete domain

Show domain users

It is possible to view users from a specific domain by clicking the people icon in the domain table. After clicking the icon, a list of users of the domain will show in a new tab.

Show Users

Users

Create user Edit user Disable user Enable user Unban user Export a list of users Delete user Invite user Send message Move user

The Users page is intended for user management. Only users with the role User Manager have access to this page.

Users are filtered by domain by default. To change the domain by which users are filtered, click on the Select domain button and choose the domain whose users should be displayed from the list of domains. To display all users from all domains, click on All Domains in the list of domains.

Select domain

Users can be created manually or can be imported from LDAP.

Create User

Before creating a new user, it is important to select the domain in which the user will be created.

To create a new user, click the New User button. After clicking on the button, a user form displays.

User form

The fields Security Officer (1) and Inherited (2) can be edited after the new user sets an Access Code.

Attributes
Domain

The domain to which the user belongs.

To change the domain in which a new user is created, you must select a different domain on the Users page.
Once the user is created, it is possible to move the user to a different domain.

Username

Username which the user will use to log in.

By clicking on the Login page link button, it is possible to get a link to the login page where the domain name and the username will be pre-filled.

Once the user is created, this value cannot be changed.

User tags

User tags assigned to this user. Tags are used when applying permission templates set in Safe Boxes.

Domain User tags

User tags assigned by domain membership. Tags are used when applying permission templates set in Safe Boxes.

Synchronize

When the field is checked (or a value of this field is “yes”), the user will be synchronized with LDAP.

Once the user is created, this value cannot be changed.

Set password

Set a password. When the password is not set, the user cannot log in.

Password

User password.

While entering the password, the form shows how long the password is, how many lowercase and uppercase letters, numbers and other symbols it contains, and how secure the password is.

The password will be displayed after clicking on the eye icon behind this field.

Repeat password

Repeat the password

Settings
Enabled

Enables/disables user account login.

Language

Select a language that the user will use in the application. The language can be changed anytime.

Licensed features

By checking the fields below, the user will be granted access to licensed features – CBT client (Custom Branded trusted client) or File manager plugin.

CBT client

CBT (Custom Branded Trusted) client is a native Windows application simplifying work with SecureAnyBox5 file records. For more information, please contact your distributor.

File manager plugin

File Manager plugin for Total Commander or FAR allows working with Safe Boxes and records in them from these applications.

LDAP Synchronization

This part of the form is displayed if the user is synchronized with LDAP.

GUID

User GUID (entryUUID or objectGUID) used to match the user with the LDAP object during LDAP synchronization (hexadecimal format in lowercase, e.g., 950aea900084d311aef800e029255247). Use the Connector Viewer to get the user GUID in the correct format if for some reason you need to link an existing user record with LDAP.

LDAP connector

Name of the LDAP connector with which the user is synchronized.

LDAP DN

LDAP user DN (distinguished name).

Synchronized User tags

User tags assigned by LDAP synchronization. Tags are used when applying permission templates set in Safe Boxes. The user tags to be synchronized are specified in the LDAP connector configuration.

Roles
Administrator
User administers SecureAnyBox5 server configuration – domains, URLs, LDAP, SSO, email, SIEM, diagnostic logs, etc.
Auditor
User is approved to access the complete audit log through a set of reporting tools. This doesn’t include any access to the encrypted data.
SecureAnyBox User
User is generally allowed to get passwords managed by agents; this can be limited by access rights.
SecureAnyBox Admin
User is approved to administer the configuration of agents.
User Manager
User is approved to manage domains and user accounts, and to assign roles and default rights.
Security Officer
User, only together with other Security Officers, can open White Envelopes within his/her domain.
Safe Boxes User
User is allowed to use Safe Boxes (must have a valid Access Code).
Safe Boxes Manager
The user has extended permissions to manage Safe Boxes within their domain.
Default Safe Box Permissions
Inherited
Default or Safe Box Group permissions are added automatically to every shared Safe Box or shared Safe Box Group created by another user in the user’s domain.

Assigning this permission is recommended only for users who manage or are responsible for all Safe Boxes/Safe Box Groups within a domain. Assigning other permissions for Safe Boxes/Safe Box Groups within a domain can be fully automated using Permission Templates.

Read
User has permission to view shared Safe Boxes, shared Safe Box Groups and the records in them.
Create
User has permission to create new shared Safe Boxes, shared Safe Box Groups or records in them.
Modify
User has permission to modify shared Safe Boxes, shared Safe Box Groups and records.
Delete
User has permission to delete or move shared Safe Boxes, shared Safe Box Groups or records.
Access Control
User has permission to manage permissions for shared Safe Boxes or shared Safe Box Groups.
Private Boxes
User has permission to create new private Safe Boxes or private Safe Box Groups.
User roles

User role | Description
Administrator | User administers SecureAnyBox5 server configuration – domains, URLs, LDAP, SSO, email, SIEM, diagnostic logs, etc.
Auditor | User is approved to access the complete audit log through a set of reporting tools. This doesn’t include any access to the encrypted data.
SecureAnyBox User | User is generally allowed to get passwords managed by agents; this can be limited by access rights.
SecureAnyBox Admin | User is approved to administer the configuration of agents.
User Manager | User is approved to manage domains and user accounts, and to assign roles and default rights.
Security Officer | User, only together with other Security Officers, can open White Envelopes within his/her domain.
Safe Boxes User | User is allowed to use Safe Boxes (must have a valid Access Code).
Safe Boxes Manager | The user has extended permissions to manage Safe Boxes within their domain.
Security Policy Admin | The user can manage security policies (record tags, password presets and compliance profiles).

The user role also determines which parts of SecureAnyBox5 the user has access to and what actions they can perform. A basic overview of the actions and parts of SecureAnyBox5 accessible to a user with a specific role is in the table below.

User role | SecureAnyBox | Safe Boxes | Reports | Audit | Administration
Administrator | yes | yes | yes | no | yes
  Extra access: Agent Configuration and Configuration. Only the Administrator has access to them.
Auditor | no | no | no | yes | no
  Note: An auditor who belongs to the System domain can audit all domains.
SecureAnyBox User | yes | no | no | no | no
  Actions: View registered stations, obtain passwords for stations.
SecureAnyBox Admin | yes | no | no | no | no
  Actions: All actions with stations, tickets and passwords.
User manager | no | no | no | no | yes
  Actions: View and edit domains and all actions with users.
Security Officer | no | yes | yes | no | no
  Actions: Can open White Envelopes of other users (in cooperation with other Security Officers).
Safe Box User | no | yes | yes | no | no
  Actions: Can use Safe Boxes.
Safe Box Manager | no | yes | yes | no | yes
  Actions: Can force the creation of record tags when creating a record through the API.
Security Policy Admin | no | yes | yes | no | yes
  Actions: Can force the creation of record tags when creating a record through the API.
Grouping of user roles

When a user role is assigned, other roles can be set for the user automatically. This happens when the assigned role includes all features of another role.

For example, the Administrator role includes all features of the SecureAnyBox User, SecureAnyBox Admin and User Manager roles, plus some extra features (access to the Configuration and the ability to create a domain). So when a user has the Administrator role, they also have the SecureAnyBox User, SecureAnyBox Admin, Safe Box Manager and User Manager roles.

Edit user

To edit a user, click the user’s name in the list of users. After clicking, the user details display.
If the user is imported from LDAP, different fields are displayed in the user details.

User form - LDAP synchronization

The user can also be edited from the user’s action menu. To open the action menu, click the three dots in the Actions column, then click Edit in the menu that appears.

Edit user from Action menu

After you have finished the changes, confirm them by clicking the OK button in the user details form. Depending on the changes, you may be asked to enter the Access Code. Have you forgotten the Access Code?

Disable user

If you only want to prevent the user from logging in to SecureAnyBox5, you can disable the user’s account. Once disabled, the user cannot access SecureAnyBox5, but all their records are still stored. Unlike deleting, this action can be reversed at any time.

To disable the user, uncheck the Enabled field in the user details form.

Enable field

The user can also be disabled from the user’s action menu. To open the action menu, click the three dots in the Actions column, then click Disable in the menu that appears.

Disable user from the Actions menu

It is also possible to disable multiple users at once. Check all users that should be disabled and click the Disable button. After clicking, all selected users are disabled.

Disable users

Enable user

The user must be enabled to be able to log in to SecureAnyBox5. To enable an individual user, check the Enabled field in the user details form.

Enable field

The user can also be enabled from the user’s action menu. To open the action menu, click the three dots in the Actions column, then click Enable in the menu that appears.

Enable user from Action menu

It is also possible to enable multiple users at once. Please select all users to be enabled and click the Enable button. After clicking, all selected users will be enabled.

Enable users

Unban user

If the user enters the Access Code or the login password incorrectly too many times, the user is temporarily banned from entering the Access Code or from logging in. Banned users have an icon with a red lock in the list of users.

banned admin - Built-in administrator account, login is banned.
banned user - Manually created user, login is banned.
banned disabled - User is disabled, login is banned.
banned LDAP user - Synchronized from LDAP connector, login is banned.
banned Access Code - Access code entry is temporarily banned because it was entered incorrectly several times.

The number of unsuccessful attempts at entering the Access Code or the login password, and how long the user is banned, are set in the Configuration.

To unban banned users, select all users to be unbanned and click the Unban button.

Unban button

Export a list of users

On the Users page, it is possible to filter the displayed users by checking/unchecking the filter fields. The filtered list of users can be exported in CSV format by clicking the Export to CSV button.

Filter fields

The values displayed in the list of users (name, username, email, domain, LDAP connector and roles) are exported into the file.

Delete user

The user can be deleted from the user’s action menu. To open the action menu, click the three dots in the Actions column, then click Delete in the menu that appears.

Delete user from the Actions menu

If the user is the only one who has permissions for some Safe Box, the Safe Box will be deleted together with the user. If you don’t want to delete such Safe Boxes, assign permissions for them to a different user first.

Delete user

Invite users

After the users are created, you can send them an e-mail invitation to SecureAnyBox5. The invitation contains a link to set the password. Once the password is set, the user can log in and set the Access Code.

To send invitations to users, select (by checking) the users you want to invite to SecureAnyBox5 and click the Invite users button.

To send the invitations, you have to configure the mail server in the Configuration first.

Invite Users

The user can also be invited from the user’s action menu. To open the action menu, click the three dots in the Actions column, then click Invitation in the menu that appears.

Invite user from the action menu

After clicking Invitation in the user’s action menu, the Invitation dialog displays. If the user has an e-mail address set, you can create and send the invitation to the user’s e-mail, or you can create the invitation without sending it.

Invitation dialog

If the invitation is only created and not sent, an invitation link appears in the invitation dialog; it can be copied to the clipboard.

Invitation link

Reset password

Send message

If users have an email address specified, you can send them a message from SecureAnyBox5.
To send a message to users, select (by checking) the users you want to send a message to and click the Send message button.

Send a message to users

To send the messages, you have to configure the mail server in the Configuration first.

After clicking the Send message button, a window for entering message text displays. To send a message, click the Ok button.

Send a message to users (2)

Move user

Users can be moved between the domains. To move users, select all users which should be moved and click on the Move button.

A moved user loses all inherited permissions to Safe Boxes. All assigned permissions stay valid.

Move users

After clicking the button, a list of domains into which you can move the selected users displays. Select the target domain by clicking its name.
The move of users has to be confirmed.

Confirm move of a user

White Envelope Status

Only users with the User Manager role have access to this page.

The White Envelope Status page is intended to see if the Security Officer has keys to White Envelopes of users within the Security Officer’s domain.

White Envelope Status page

User tags

Only users with the User Manager role have access to this page.

User tags are intended for easier management of users and their permissions. An unlimited number of tags can be assigned to each domain. User tags can be added only to users in the same domain.

A user tag can be assigned to:

A user tag is used to create a Permission template for users who have the user tag assigned.

User tags page

Connector Viewer

Only users with the Administrator role have access to this page.

The Connector Viewer allows you to browse the LDAP tree / Azure AD structure of any of the configured connectors.

When viewing the LDAP tree, the Connector Viewer uses the “SecureAnyBox manager” account defined in the selected LDAP connector configuration. This means that the LDAP objects and attributes you see in the Connector Viewer correspond to what the selected authentication connector ‘sees’. If you don’t see what you expect (a specific user object or its attributes), the access rights of the “SecureAnyBox manager” account for that part of the LDAP tree are not sufficient. Check the access rights assigned to the search base or the root of the LDAP tree, as well as any inheritance filters.

To use the Connector Viewer, it is necessary to configure at least one LDAP / Azure AD connector. After opening the page, a list of connectors displays. By clicking the connector name, you can view the objects in the search base (as configured in the connector).

Select LDAP connector

Displayed objects are folders (containers) and users. Click the folder name to view users and folders inside the folder. Click the username to view details about the user.

User details in Connector Viewer

It is possible to filter the displayed objects by entering their name in the search field above the table. Should you need to filter the displayed objects by an LDAP search expression, click the Lookup object(s) button and use the filter field instead.

Connector Viewer Look Up Objects

Audit log

The Audit log page displays a log of users’ actions in User management.

Audit log


All audit log events are specified in the Overview of Audited Events.

Security policy

Record Tags management

Only users with the Security policy admin role have access to this page.

Record tags are intended for easier management of records stored in Safe Boxes. To each domain, it is possible to assign an unlimited number of tags. Record tags can be added to records within the same domain only.

A user with the Security policy admin role can manage record tags for all domains visible to them. To switch the domain whose record tags should be managed, click the Select domain button and select a domain from the displayed list.

The currently selected domain determines in which domain a new tag will be created. If “All domains” is selected, a new tag will be created in the current user’s domain.
Existing tags can be converted to other ones to reduce the use of similar tags and simplify the search for relevant records. To convert a tag to another one, the original tag has to be used at least once. To convert the tag, open the action menu by clicking the three dots button at the end of the row and select the Delete and convert to another tag in the records action.
A record tag can be removed by clicking the three dots button at the end of the row and selecting the Delete tag action.

A Password preset and/or a Compliance profile can be assigned to a record tag; they become the default for all records where the record tag is used.

Records tags page

Compliance profiles

Only users with the Security policy admin role have access to this page.

The compliance profile specifies requirements for password security that the passwords should adhere to. The Compliance report can be used to check whether the passwords meet the security requirements.

To create a new compliance profile, click the New compliance profile button and, in the displayed form, specify the requirements for password security.

Compliance profiles form

Name

Name of the compliance profile

Description

Description of the compliance profile

Compliance requirements
Length

Minimum length of a password.

Entropy

Minimum entropy

Age (days)

Maximum age (days)

Enforce password history

The number of password changes after which it is permissible to reuse a previously used password.

Complexity rules

Select complexity rules which will be applied:

  • Basic complexity rules - specified number of characters (uppercase, lowercase, digits and special)

  • Microsoft complexity rules
    1. Passwords may not contain the user’s samAccountName (Account Name) value or the entire displayName (Full Name) value. Neither of these checks is case-sensitive.

    2. The password must contain characters from three of the following categories:
      • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters).

      • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters).

      • Base 10 digits (0 through 9)

      • Non-alphanumeric characters, e.g. '-!"#$%&()*,./:;?@[]^_`{|}~+<=>

        Currency symbols such as the Euro or British Pound aren’t counted as special characters for this policy setting.

      • Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.

Character type requirements

This fieldset is displayed only if Basic complexity rules are selected.

Uppercase

Minimum number of uppercase letters a password must contain.

Lowercase

Minimum number of lowercase letters a password must contain.

Digits

Minimum number of decimal digits (0-9) a password must contain.

Special

Minimum number of special characters a password must contain.
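As an added example (not part of this guide or of the SecureAnyBox5 code), the following Python checker applies a compliance profile’s minimum length, the Basic complexity rules and the Microsoft complexity rules described above to a candidate password. Entropy, age and password history are not modelled, and the class and function names are my own.

```python
import unicodedata
from dataclasses import dataclass
from typing import List, Set

# Non-alphanumeric characters the guide lists for the Microsoft rule set.
# Currency symbols (such as the Euro or Pound sign) are deliberately absent.
MS_SPECIALS = "'-!\"#$%&()*,./:;?@[]^_`{|}~+<=>"
# Special characters used by the guide's Basic complexity rules / presets.
BASIC_SPECIALS = "<>_-.(,)[]/:;@#$%&*"


@dataclass
class ComplianceProfile:
    """Subset of a compliance profile (hypothetical structure): length,
    Basic complexity rules and the Microsoft rules switch."""
    name: str
    min_length: int = 0
    microsoft_rules: bool = False
    # Basic complexity rules: minimum count per character type.
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0


def ms_categories(password: str) -> Set[str]:
    """Return which of the five Microsoft character categories occur."""
    cats = set()
    for ch in password:
        uc = unicodedata.category(ch)
        if uc == "Lu":                 # uppercase letters incl. diacritics, Greek, Cyrillic
            cats.add("upper")
        elif uc == "Ll":               # lowercase letters incl. sharp-s etc.
            cats.add("lower")
        elif "0" <= ch <= "9":         # base-10 digits only
            cats.add("digit")
        elif ch in MS_SPECIALS:        # only the listed non-alphanumerics count
            cats.add("special")
        elif uc.startswith("L"):       # Lo/Lt/Lm: alphabetic, neither upper nor lower
            cats.add("other_alpha")
    return cats


def check_password(password: str, profile: ComplianceProfile,
                   sam_account_name: str = "", display_name: str = "") -> List[str]:
    """Return the list of violated requirements; an empty list means compliant."""
    violations = []
    if len(password) < profile.min_length:
        violations.append(f"length {len(password)} < {profile.min_length}")

    # Basic complexity rules: count characters of each type.
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digits": sum(c in "0123456789" for c in password),
        "special": sum(c in BASIC_SPECIALS for c in password),
    }
    minimums = {"uppercase": profile.min_upper, "lowercase": profile.min_lower,
                "digits": profile.min_digits, "special": profile.min_special}
    for kind, minimum in minimums.items():
        if counts[kind] < minimum:
            violations.append(f"{kind} {counts[kind]} < {minimum}")

    if profile.microsoft_rules:
        low = password.lower()
        # Neither of the name checks is case-sensitive.
        if sam_account_name and sam_account_name.lower() in low:
            violations.append("contains samAccountName")
        if display_name and display_name.lower() in low:
            violations.append("contains displayName")
        cats = ms_categories(password)
        if len(cats) < 3:
            violations.append(f"only {len(cats)} of 5 Microsoft character categories")
    return violations


if __name__ == "__main__":
    profile = ComplianceProfile("ms-example", min_length=8, microsoft_rules=True)
    # Constructed sample: a Euro sign does not count as a special character.
    print(check_password("\u20acuro1234", profile, "mbriggs", "Monica Briggs"))
```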

Password presets

Only users with the Security policy admin role have access to this page.

Password presets can be used when generating a password for records. In the password preset, it is possible to use a password pattern or specify detailed password requirements—such as which character sets to use, which characters to include or exclude, minimum length, and minimum entropy.

For each preset, it is possible to set its priority, i.e. its position in the list. To change the priority of a preset, click the Reorder priorities button and drag the preset to the desired position.

Password preset form

Name

Name of the password preset

Description

Description of the password preset

Generate password using

Select whether a new password will be generated using a password pattern or a set of password requirements.

Password pattern

This field is displayed if the Password pattern is selected in the Generate password using field.

Password pattern for Safe Boxes and Records where this Password preset is set (or inherited).

Each letter in the pattern corresponds to one character in the generated password.


See examples of the password pattern

Characters allowed in the password pattern and their meaning:

v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant), lowercase
A – any alphabet character, mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character; the next character is used as is (e.g., the pattern ‘\-’ outputs ‘-’ in the resulting password)
* – any allowed character

The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd’, which might generate passwords such as ‘pass1762885’ or ‘pass5687412’.
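An added example, not the guide’s or the product’s own generator: this Python code translates a password pattern built from the characters listed above (including the escape character) into one allowed-character set per position, generates a password from it with a CSPRNG, and checks whether an existing password fits a given pattern. The function names are assumptions.

```python
import secrets

VOWELS_LOWER = "aeiouy"
CONSONANTS_LOWER = "bcdfghjklmnpqrstvwxz"
LETTERS_LOWER = VOWELS_LOWER + CONSONANTS_LOWER
DIGITS = "0123456789"
SPECIALS = ".@&*()<>_][%$#\\/?;-:"   # the set listed for the 's' pattern letter

# Pattern letter -> characters that may appear at that position.
PATTERN_CLASSES = {
    "v": VOWELS_LOWER,
    "V": VOWELS_LOWER + VOWELS_LOWER.upper(),
    "Z": VOWELS_LOWER.upper(),
    "c": CONSONANTS_LOWER,
    "C": CONSONANTS_LOWER + CONSONANTS_LOWER.upper(),
    "z": CONSONANTS_LOWER.upper(),
    "l": LETTERS_LOWER,
    "A": LETTERS_LOWER + LETTERS_LOWER.upper(),
    "u": LETTERS_LOWER.upper(),
    "d": DIGITS,
    "s": SPECIALS,
    "n": DIGITS + SPECIALS,
}
PATTERN_CLASSES["*"] = LETTERS_LOWER + LETTERS_LOWER.upper() + DIGITS + SPECIALS


def expand_pattern(pattern: str) -> list:
    """Translate a pattern into one allowed-character string per position.
    A backslash escapes the next character, which is then used literally."""
    positions = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape character")
            positions.append(pattern[i + 1])   # literal character, exactly one choice
            i += 2
            continue
        if ch not in PATTERN_CLASSES:
            raise ValueError(f"unknown pattern character {ch!r}")
        positions.append(PATTERN_CLASSES[ch])
        i += 1
    return positions


def generate_password(pattern: str) -> str:
    """Generate one password; secrets.choice picks each position with a CSPRNG."""
    return "".join(secrets.choice(allowed) for allowed in expand_pattern(pattern))


def matches_pattern(password: str, pattern: str) -> bool:
    """Check whether an existing password could have been produced by the pattern."""
    positions = expand_pattern(pattern)
    return len(password) == len(positions) and all(
        ch in allowed for ch, allowed in zip(password, positions))


if __name__ == "__main__":
    # The guide's default pattern and its '\p\a\s\s...' example.
    for pat in ("CVCVdddCVCCVdC", r"\p\a\s\sddddddd"):
        print(pat, "->", generate_password(pat))
```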

Use character sets

This fieldset is displayed if the Password requirements are selected in the Generate password using field.

Lowercase (a-z)

Minimum number of lowercase letters.

Uppercase (A-Z)

Minimum number of uppercase letters.

Digits (0-9)

Minimum number of digits.

Special (<>_-.(,)[]/:;@#$%&*)

Minimum number of special characters.

Must also include following characters

Characters that must be included in the generated password.

Exclude characters

Characters that must be omitted from the generated password.

Requirements

This fieldset is displayed if the Password requirements are selected in the Generate password using field.

Minimum password length

Minimum length of the generated password.

Minimum entropy

Minimum entropy of the generated password.

Dictionary configurations

SecureAnyBox5 uses a list of dictionaries for the estimation of password entropy. This list includes both default (built-in) dictionaries and custom dictionaries added by the administrator. These dictionaries contribute significantly to the calculation of password entropy during a new password entry and during the generation of the Password Audit report and the Compliance Report.

The custom dictionaries are stored in two locations on the SecureAnyBox5 server – in 'files/dictionaries/ranked' and 'files/dictionaries/unranked' folders.

Dictionary Configurations

Database diagnostic

After starting the database diagnostics, all records of type ‘file’ and ‘certificate’ are checked to see whether they are missing uploaded files or have more than one.
For each inconsistent record, the complete path (with domain) to the record and another user with permission to the record are displayed.

Database diagnostics can be started at any time. It should be completed in at most a few minutes.

Database diagnostic

Logs

Only users with the Administrator role have access to these pages.

In the Logs part of the application, it is possible to see the diagnostic log or the Connector synchronization log. Different log levels in the displayed messages are visually distinguished:

Log levels: INFO, WARNING, DEBUG, ERROR

Diagnostic log

On the Diagnostic log page a current log is automatically displayed.

Logs page

The current log can be refreshed manually by clicking the Refresh button or automatically by clicking the Enable autorefresh button. Automatic refresh of the log can be turned off by clicking the Disable autorefresh button.

To change the log level or the log browser line limit, click Configure logging. After the changes are confirmed, SecureAnyBox5 must be restarted for the changes to apply.

To download the current log, click on the button Download and confirm the download.

If you need a log older than the current one, click the Logs button to display a list of available logs.

Logs

The first table lists the application logs for each day. To download a log, click the log file name and confirm the download.

Connector sync log

On the Connector sync log page, a table with the names of the configured connectors is displayed. Click a connector name to view details of the last synchronization with that connector.

Connector synchronization log page

The synchronization log can be refreshed manually by clicking the Refresh button or automatically by clicking the Enable autorefresh button. Automatic refresh of the synchronization log can be turned off by clicking the Disable autorefresh button.

Synchronization of users can be started manually by clicking on the Synchronize button.

Settings of the synchronization can be changed anytime by clicking on the Configure <Connector name> button.

To download the log of the last synchronization, click on the button Download and confirm the download.

To show only the users skipped during the synchronization with LDAP, click the Show only skipped users button.

LDAP synchronization log

Server status

The Server status page is intended for displaying problems with the SecureAnyBox5 server. If any error or warning occurs, users are warned by the number of errors and/or warnings in the top right corner of the page.

errors and warnings – 1 error and 2 warnings occurred on the SecureAnyBox5 server
warnings – 1 warning occurred on the SecureAnyBox5 server
errors – 1 error occurred on the SecureAnyBox5 server

After clicking the number of errors and/or warnings, the Server status page loads. The Server status page has three sections – Server Messages, Station registrations, and White Envelopes. SecureAnyBox5 determines which sections are displayed according to the user’s role.

Section | Administrator | User manager | SecureAnyBox Admin | Security Officer | other roles
Server Messages | yes | no | no | no | no
Station Registrations | yes | no | yes | no | no
White Envelopes | yes | no | no | yes | yes
Server Messages

The Server messages section is displayed only to users with the Administrator role. To handle messages from this section, go to the Configuration page.

Server messages

Station Registrations

The Station registrations section is displayed only to users with the SecureAnyBox Admin role. To handle messages from this section, go to the SecureAnyBox part of the application.

Station registrations

White Envelopes

The White Envelopes section is displayed only to users with the User manager role and to Security Officers.

White Envelopes

License

On the License page, users can see information about the currently used licenses. Users can check a number of remaining licenses for Safe Boxes, Safe Box Groups, records, users, domains, applications, etc.

License page

Guidelines

Synchronize users with LDAP

Manually created users can additionally be synchronized with the LDAP server without losing saved data. It is possible to associate a user with an existing LDAP account or to create a new LDAP account.

To synchronize a user with LDAP, the user must meet these conditions:

We also recommend setting the username in SecureAnyBox5 to the same value as the username (UID) in LDAP.

During the synchronization, the user’s information should be updated according to the information in LDAP, and the fields LDAP connector and LDAP DN should be filled in. Otherwise, the synchronization was unsuccessful; please refer to the synchronization log.

To view the synchronization protocol, go to the Logs > Connector sync log section in the Administration interface and click on the connector name in the table. On the Connector sync log page, you can view the protocol of the last synchronization with the connector, start synchronization, and open the connector configuration.

All issues that occurred during the synchronization have the WARNING logging level and are colored yellow.

GUID is not unique

While entering the GUID into the details of a manually created user, an error message appears saying that the GUID is not unique.

Error message: GUID not unique

A user account may have been already imported from LDAP to SecureAnyBox5. You can search users by GUID on the Users management page. A user with the same GUID can even be in another domain. To search for users in all domains, please click the Find users button.

If the user has already been imported from LDAP, delete the imported account. Then enter the GUID into the user details of the user who should be synchronized with LDAP and run the synchronization with LDAP.

Manually created user failed to synchronize with LDAP

To determine the cause of the failure, please go to the synchronization log page and enter the username of the synchronized user in the search field.

Search sync log for "mbriggs"

Possible situations:

Existing user’s UID (but different UUID) found in the database
A user exists in the SecureAnyBox5 database with a username (UID) that matches a user’s UID in LDAP, but with a different GUID (UUID). This user cannot be synced and is skipped during synchronization.

Example:

existing user with uid=‘peter’ (but different UUID) found in database -> skipping cn=peter,o=org

A user with the username “peter” is manually created and should be synchronized with LDAP. However, the user account in LDAP has a different GUID (UUID) than the user in SecureAnyBox5. To successfully synchronize “peter” with LDAP, you need to change the GUID to match the UUID in LDAP.

Existing user cannot be renamed
The synchronized user has a different username in SecureAnyBox5 than the UID in LDAP. During the synchronization, SecureAnyBox5 tries to rename that user so that the username is the same as the UID in LDAP, but another user with that username already exists in the user’s domain. Because usernames have to be unique within a domain, SecureAnyBox5 cannot synchronize the user.

To successfully synchronize a manually created user with LDAP, you must edit the user’s username so that the conflict does not occur again at the next synchronization.

Example:

existing user ‘mbriggs’ cannot be renamed to ‘monica’ username not unique -> skipping cn=monica,o=org

The user with username “mbriggs” is manually created and should be synchronized with LDAP. In LDAP, the user with the same GUID (UUID) has a different UID, “monica”. During the synchronization, SecureAnyBox5 tries to change the username “mbriggs” to “monica” so that the username is the same as the UID in LDAP. To successfully synchronize the user “mbriggs” with LDAP, it is necessary to edit or delete the user with username “monica”.
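As an added illustration (not SecureAnyBox5 code), the following Python model reproduces the two skip conditions described above from a constructed list of existing users and LDAP entries, so an administrator can predict which entries would be skipped before running a synchronization. The data classes, the matching order (GUID first, then username) and the log wording are assumptions modelled on the guide’s example lines.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class SabUser:
    """A SecureAnyBox5 user in one domain (constructed sample structure)."""
    username: str
    guid: str          # lowercase hex as shown in the user details; "" if not set


@dataclass
class LdapEntry:
    """An LDAP object as the connector sees it (constructed sample structure)."""
    dn: str
    uid: str
    uuid: str          # entryUUID / objectGUID, lowercase hex


def precheck_sync(users: List[SabUser], entries: List[LdapEntry]) -> List[str]:
    """Return one log-style line per LDAP entry, in the entries' order.

    Assumed rules (from the guide): an entry is matched to a user by GUID;
    a username clash without a GUID match is skipped; a matched user is
    renamed to the LDAP UID unless that username is already taken.
    """
    by_guid = {u.guid: u for u in users if u.guid}
    by_name = {u.username: u for u in users}
    log = []
    for e in entries:
        matched = by_guid.get(e.uuid)
        if matched is None:
            clash = by_name.get(e.uid)
            if clash is not None:
                # Same UID in the database, but a different (or missing) GUID.
                log.append(f"WARNING existing user with uid='{e.uid}' "
                           f"(but different UUID) found in database -> skipping {e.dn}")
            else:
                log.append(f"INFO creating new user '{e.uid}' from {e.dn}")
            continue
        if matched.username != e.uid:
            other = by_name.get(e.uid)
            if other is not None and other is not matched:
                log.append(f"WARNING existing user '{matched.username}' cannot be renamed "
                           f"to '{e.uid}' username not unique -> skipping {e.dn}")
                continue
            log.append(f"INFO renaming user '{matched.username}' to '{e.uid}' from {e.dn}")
        else:
            log.append(f"INFO updating user '{e.uid}' from {e.dn}")
    return log


def skipped_dns(log: List[str]) -> List[str]:
    """Extract the DNs of entries that the pre-check reports as skipped."""
    return [line.rsplit("skipping ", 1)[1] for line in log if "-> skipping " in line]


# Constructed sample data reproducing the guide's two examples.
SAMPLE_USERS = [
    SabUser("peter", "0000000000000000000000000000aaaa"),
    SabUser("mbriggs", "0000000000000000000000000000bbbb"),
    SabUser("monica", "0000000000000000000000000000cccc"),
]
SAMPLE_ENTRIES = [
    LdapEntry("cn=peter,o=org", "peter", "0000000000000000000000000000dddd"),
    LdapEntry("cn=monica,o=org", "monica", "0000000000000000000000000000bbbb"),
    LdapEntry("cn=jsmith,o=org", "jsmith", "0000000000000000000000000000eeee"),
]

if __name__ == "__main__":
    for line in precheck_sync(SAMPLE_USERS, SAMPLE_ENTRIES):
        print(line)
```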

Installation on Linux

Linux Standard Base (lsb) must be installed; otherwise, SecureAnyBox5 can’t register for automatic start. Linux Standard Base is available through various online repositories.

The installation procedure depends on your distribution; it can be, for example, sudo yum install redhat-lsb-core for SUSE/RedHat/CentOS Linux (rpm based) or sudo apt-get install lsb-core for Ubuntu Linux and Debian (deb package based distributions).

For the SUSE Linux Enterprise Server 15 SP4 and OES 2023 distributions of Linux you can use:
wget https://download.opensuse.org/repositories/openSUSE:/Factory/standard/noarch/lsb-release-3.3-1.3.noarch.rpm
and after the package is downloaded install it by running the command:
rpm -ihv lsb-release-3.3-1.3.noarch.rpm --nodeps

On some Linux distributions (e.g. openSUSE) it is also necessary to install the insserv-compat package (for more information about the package, please refer to this page) to enable init scripts and start SecureAnyBox5 automatically. The package can be installed manually by running the command:
sudo zypper install insserv-compat

If you decide not to install LSB or it is not available for your system, you can still register the start script manually. We always create it in /etc/init.d/.

We don’t support JVMs other than Oracle or Temurin Java. You can install the Oracle/Temurin JVM manually, locate and use an existing installation, or choose a private Temurin JVM installation. A tested and approved OpenJDK distribution from Adoptium – Eclipse Temurin JVM – is always part of the installation package. Optionally, you can also select a custom preinstalled Java runtime.

The default installation path is /opt/tdp/secureanybox, but you can choose any path or device you need.

The installation script then asks for the IP address and port. This can be changed later, but you have to choose an address:port combination that does not conflict with other services running on the box, so we recommend starting with the default port. Once you enter the management console, you can change it or add more interfaces on different address:port combinations. If a conflict is detected, the system reverts to the last “good” configuration, which allows you to continue.

It is highly recommended to switch to SSL (https) as soon as possible. You can use the built-in function for generating a self-signed certificate, or you can import your existing certificate with its private key (usually available in PKCS12 format). Please keep in mind that interfaces are virtualized: it is necessary to set both the IP address and the URL, otherwise the system is not able to accept a request.

Please note: when using a custom JVM installation (such as Oracle), encryption policies may be restricted by default. You can download and apply the unlimited encryption policies if that is legal in your country (please refer to www.oracle.com for detailed information). Without the unlimited policies applied, you cannot use a password longer than 7 characters.

When upgrading SecureAnyBox, the same installation script is used. Confirm the same installation path as before and choose the default option NOT to overwrite the configuration file.

Upgrade on Linux

The SecureAnyBox5 upgrade is performed by the installation script that is part of the new release package downloaded from the website. Download the .bin package from the Downloads section at www.secureanybox5.com. Then start the installation with ./inst_secureanybox…

Upgrade on Linux - step 1

If your installation is standard with the embedded Oracle Java (recommended), answer No.

Upgrade on Linux - step 2

The script then detects the path used for the previous installation and offers it as the default. Confirm this path, because this is an upgrade and the goal is to upgrade the existing, running instance.

Upgrade on Linux - step 3

The configuration.properties file must be preserved to upgrade the running system.
Confirm the default answer N (do not overwrite).

Upgrade on Linux - step 4

Now you are ready to start the newly installed release: it stops SecureAnyBox5 and starts it again. Once the new release is running, it converts the database seamlessly (if a database change is part of the upgrade).
Do not forget to authenticate to the system console and enter the configuration password if one is applied; otherwise Agent support will not work.

Upgrade on Linux - step 5

Validate that the HTTPS certificate is successfully imported on the station

If the HTTPS keystore certificate has been imported as trusted on your Linux station, you can verify it in the terminal using the command:

python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'

If certificate validation is successful, the first row of the response is the code 200.

When the certificate validation fails, an error is displayed:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

If urllib2 is not found

python --version

urllib2 is a built-in module of Python 2.x. To run urllib2, Python 2.x (2.7.18 recommended) must be installed properly. Some Linux distributions may not have the full Python 2.7.x installed. Try reinstalling it:

wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz

sudo tar xzf Python-2.7.18.tgz

cd Python-2.7.18/

sudo ./configure

sudo make altinstall

Installation steps of SecureAnyBox5 Agent

To install SecureAnyBox5 Agent successfully, you need to download the Agent Configuration file (from the Downloads page in the SecureAnyBox section of the web interface). Download the appropriate configuration file by clicking the configuration name. If the required configuration is not shown in the list of downloads for your platform, verify that the Agent Configuration also includes settings for that platform.

Download Agent Configuration

MS Windows

First, please download the SecureAnyBox5 Agent and export the Agent Configuration for the Windows platform.
Install the SecureAnyBox5 Agent on your station by running the installer.
After the installation is completed, double-click the secureanybox-agent.reg file to import the Agent configuration into the Windows registry.

Every ten minutes, SecureAnyBox5 Agent checks the Agent Configuration and connects to the server to update the password. If the station is not yet registered, it is registered automatically. Without registration, it is not possible to get the station password.

If the Agent Configuration in the Windows registry changes, the SecureAnyBox5 Agent registers the station with the new values. If the re-registration fails, try deleting the original station registration. The station can also be registered manually.

To diagnose problems with SecureAnyBox5 Agent installed on a Windows station, you can use SecureAnyBox Agent Monitor (which can be downloaded from the SecureAnyBox/Downloads page). This utility displays an organized log of SecureAnyBox5 Agent from the Windows Event Viewer.

macOS

Before the installation, please download the SecureAnyBox5 Agent and configuration file for the macOS platform.
Install the SecureAnyBox5 Agent on your station. After the installation of the SecureAnyBox5 Agent is completed, run the configuration utility (sab-config). In the configuration utility, select the configuration file and apply it.

Linux

Before installation, please download the SecureAnyBox5 Agent installation package for your Linux distribution and the Linux platform configuration file.
Install the SecureAnyBox5 Agent on your station. After installation, copy the configuration file (secureanybox-agent.properties) to the /etc/secureanybox folder created during SecureAnyBox5 Agent installation (root permission is required to access the folder).

To apply the configuration immediately, restart the SecureAnyBox5 Agent by running /etc/init.d/secureanybox-agent restart in the terminal. Without a restart, the configuration is applied within 10 minutes, when the SecureAnyBox5 Agent next checks the folder for configuration.

Requirements for installing and successfully running the SecureAnyBox5 Agent on Linux:

  • LSB (Linux Standard Base) - must be installed prior to installing the SecureAnyBox5 Agent.
  • Python 2.7 (recommended version 2.7.18) with the urllib2 module – for successful registration of the station.

Installation of LSB

Linux Standard Base (LSB) must be installed. Linux Standard Base is available through various online repositories.

The installation procedure depends on your distribution. It can be, for example, sudo yum install redhat-lsb-core for SUSE/RedHat/CentOS Linux (rpm-based) or sudo apt-get install lsb-core for Ubuntu Linux and Debian (deb package-based distributions).

For the SUSE Linux Enterprise Server 15 SP4 and OES 2023 distributions of Linux, you can use:
wget https://rpmfind.net/linux/opensuse/distribution/leap/15.2/repo/oss/x86_64/lsb-4.0-lp152.4.4.x86_64.rpm
and after the package is downloaded, install it by running the command:
rpm -ihv lsb-4.0-lp152.4.4.x86_64.rpm --nodeps

On some Linux distributions (e.g. openSUSE), it is also necessary to install the insserv-compat package to enable init scripts and start SecureAnyBox5 Agent automatically. The package can be installed manually by running the command:
sudo zypper install insserv-compat

Troubleshooting

If you have problems with SecureAnyBox5 Agent, refer to its log. On the Linux and macOS platforms, the SecureAnyBox5 Agent logs automatically to the file var/log/secureanybox-agent.log. On Linux, you can also enable detailed debug logging in /etc/secureanybox/settings by renaming (or copying) the “settings.example” file to “settings” and uncommenting the "export SECUREANYBOX_AGENT_DEBUG = true" line.

On the macOS platform, the log file can be viewed in the Console. On the MS Windows platform, the log can be viewed with the SecureAnyBox5 Monitor utility (download from SecureAnyBox/Downloads) or in the Windows Event Viewer.

Station that was previously registered fails to re-register

If the station was previously registered but cannot be registered after changes to the station, first check that the station has the correct Agent Configuration uploaded. If the Agent Configuration on the station is correct, go to the Stations page in the SecureAnyBox part and remove the original registration of the station. The station should re-register automatically within 10 minutes. Alternatively, you can re-register the station manually.

Station that was previously registered fails to re-register after its station name was changed

If the station was previously registered but cannot be registered after a change of its station name, go to the Stations page in the SecureAnyBox part and remove the original registration of the station. The station should re-register automatically within 10 minutes. Alternatively, you can re-register the station manually.

Station will not connect even though it has access to the server

If the station is not registered even though it has access to the server, the most likely reason is an incorrect Agent configuration (e.g. the configuration has been changed on the server but not on the station) or a problem with HTTPS certificate verification. The HTTPS certificate must be imported as trusted on the Agent station. On Linux, it must be in the certificate store that Python uses for certificate verification. This can be checked in the terminal using the command:

python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'

If certificate validation is successful, the first row of the response is the code 200.

When the certificate validation fails, an error is displayed:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
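The same trust check written for Python 3, as an added example that is not part of SecureAnyBox5 (the helper names are hypothetical); it serves this section and the identical check under “Validate that the HTTPS certificate is successfully imported on the station” above. It assumes Python 3.7 or newer and, like the urllib2 one-liner, relies on OpenSSL's default trust store, so a cert_verify_failed result corresponds to the CERTIFICATE_VERIFY_FAILED error shown.

```python
"""Check whether this station trusts the SecureAnyBox5 server's HTTPS certificate.

Added example (Python 3 counterpart of the urllib2 one-liner in the guide).
Function and constant names are hypothetical. Pass the server URL as the first
argument; the default is the placeholder address used in the guide.
"""
import socket
import ssl
import sys
import urllib.error
import urllib.request

# Outcome categories returned by check_https_trust() / classify_error()
TRUSTED = "trusted"                          # TLS handshake and HTTP request succeeded
CERT_VERIFY_FAILED = "cert_verify_failed"    # issuing CA not trusted / self-signed
CERT_HOSTNAME_MISMATCH = "hostname_mismatch" # chain trusted, but name does not match
NOT_REACHABLE = "not_reachable"              # DNS / TCP failure, not a TLS problem
OTHER = "other"


def classify_error(exc):
    """Map an exception raised by urllib.request.urlopen to one outcome category."""
    # urlopen wraps low-level failures in URLError; unwrap the underlying cause
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        # OpenSSL reports a name mismatch through the same error class
        if "hostname mismatch" in str(reason).lower():
            return CERT_HOSTNAME_MISMATCH
        return CERT_VERIFY_FAILED
    if isinstance(reason, ssl.SSLError) and "CERTIFICATE_VERIFY_FAILED" in str(reason):
        return CERT_VERIFY_FAILED
    if isinstance(reason, (socket.gaierror, ConnectionRefusedError,
                           socket.timeout, TimeoutError)):
        return NOT_REACHABLE
    return OTHER


def check_https_trust(url, timeout=10):
    """Return (category, detail) for one HTTPS request to url.

    Any HTTP status, even 404, means the certificate was accepted, which is
    what the Agent needs for registration; only TLS or network failures
    are reported as problems.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return TRUSTED, "HTTP %d" % resp.getcode()
    except urllib.error.HTTPError as err:
        # TLS succeeded; the server merely answered with an error status
        return TRUSTED, "HTTP %d" % err.code
    except (urllib.error.URLError, OSError) as err:
        return classify_error(err), str(err)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://your.secureanyboxserveraddress.com"
    category, detail = check_https_trust(target)
    print(category, "-", detail)
    sys.exit(0 if category == TRUSTED else 1)
```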

If urllib2 is not found

  • Check which version of Python is installed:

python --version

or

python -V

urllib2 is a built-in module of Python 2.x. To run urllib2, Python 2.x (2.7.18 recommended) must be installed properly. Some Linux distributions may not have the full Python 2.7.x installed. Try reinstalling it:

wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz

sudo tar xzf Python-2.7.18.tgz

cd Python-2.7.18/

sudo ./configure

sudo make altinstall

Installation of SecureAnyBox5 Agent on macOS

To install SecureAnyBox5 Agent on the macOS platform, run the installer (secureanybox-agent-1.x.pkg).

After running the installer, proceed to the next installation steps. In the second step, you must select the target location (disk) where the SecureAnyBox5 Agent will be installed.

In the third step of the installation, you can change the install location by clicking the appropriate button ( 1). To proceed with the installation, click the Install button ( 2).

SecureAnyBox5 Agent installer

After clicking Install, you must enter your password to allow the installation.

Enter the password to allow the installation

After the installation is complete, you will see information about the successful installation of the SecureAnyBox5 Agent.

Installation successful

After closing the installer window, go to the list of applications where you can find the sab-config application.

sab-config application

Launch the app by double-clicking on its icon. Once the application is running, please select the downloaded agent configuration file by clicking on the Select Configuration File button. After the configuration file is selected, you need to apply the configuration by clicking the Apply Configuration button.

Select and apply the configuration

To apply the configuration, a user password must be entered.

Enter your password to apply the configuration

After the configuration is uploaded, information about the successful application of the configuration is displayed and the SecureAnyBox5 Agent is completely installed.

Configuration updated

After the installation is complete, the SecureAnyBox5 Agent verifies that the uploaded agent configuration matches the configuration on the SecureAnyBox5 server. If so, it registers the station automatically.
If the SecureAnyBox5 Agent does not have access to the server, the station can be registered manually in the SecureAnyBox5 interface. For the agent to register the station, the SecureAnyBox5 server's SSL certificate must be trusted by macOS. If the certificate is not issued by a CA that macOS already considers trusted, an error occurs when the agent attempts to register:

2023-06-20 09:54:51 [ERROR] station registration failed – HTTP status = -1
2023-06-20 10:54:51 [ERROR] Error Code: -1202, Description: The certificate for
this server is invalid. You might be connecting to a server that is pretending
to be “172.22.78.78” which could put your confidential information at risk.

(see the log, which can be viewed in the Console application as secureanybox.log, or directly in the log file /var/log/secureanybox.log)

log in Console application

In this case, you need to export the relevant certificate from the SecureAnyBox5 server interface, either from Administration interface > Configuration > General/Web interface or, if you have a separate registration interface set up for agents, from SecureAnyBox > Agent Configuration > General.

Export certificate from Configuration

Export certificate from Agent Configuration

Import the downloaded certificate (by opening or dragging it) into the macOS Keychain, System (!) section, and set it as trusted. Then restart the agent from the terminal using the command:

launchctl stop com.tdp.secureanybox-agent

Export certificate from Agent Configuration

For the agent to set a password for a configured account or group of accounts, those accounts must not have a Secure Token set on macOS. A Secure Token is automatically set for the account created with Apple's Setup Assistant, and then for any other accounts created under that account via the Users & Groups preference pane in System Preferences. If the account whose password is to be managed by the SecureAnyBox5 agent has a Secure Token set, an error occurs when the agent attempts to set the password:

2023-06-20 08:54:46 [ERROR] err4001 0x7fe9cc70a210
2023-06-20 08:54:46 [ERROR] Failed to change password for ‘sab5’ (Uknown)!

You can verify whether an account has a Secure Token set by running the following command in Terminal (replace the angle-bracket placeholders with the real values):

sysadminctl -secureTokenStatus <username>

It can be deactivated using the command:

sudo sysadminctl -secureTokenOff <username> -password <user password> -adminUser <admin username> -adminPassword <admin password>

and restart the agent with the command:

launchctl stop com.tdp.secureanybox-agent

Terminal window
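To spot these failure modes in the agent log described under Troubleshooting and in this section, here is an added triage script (not part of SecureAnyBox5; function names are hypothetical). It assumes the log line layout shown in this guide and folds wrapped continuation lines, such as the -1202 certificate error, into one event; the sample log is constructed from the messages quoted above.

```python
"""Triage a SecureAnyBox5 Agent log for the failure modes described in the guide.

Added example, not part of the agent. Assumes the line layout
"YYYY-MM-DD HH:MM:SS [LEVEL] message" and that a line without a timestamp
continues the previous message.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")

# (category, signature, next step) tried in order; the first match wins.
# Signatures come from the error messages quoted in this guide.
RULES = [
    ("untrusted_certificate",
     re.compile(r"Error Code: -1202|certificate for this server is invalid", re.I),
     "export the server certificate, import it as trusted into the System "
     "keychain (or the Trusted Root store on Windows), then restart the agent"),
    ("registration_failed",
     re.compile(r"station registration failed", re.I),
     "verify the Agent Configuration on the station; remove a stale "
     "registration on the Stations page or register the station manually"),
    ("password_change_failed",
     re.compile(r"Failed to change password", re.I),
     "on macOS check that the account has no Secure Token "
     "(sysadminctl -secureTokenStatus <username>)"),
]

# Constructed sample: timestamps and messages follow the guide's quoted output;
# the INFO line is made up for illustration.
SAMPLE_LOG = """\
2023-06-20 09:54:50 [INFO] agent started
2023-06-20 09:54:51 [ERROR] station registration failed - HTTP status = -1
2023-06-20 10:54:51 [ERROR] Error Code: -1202, Description: The certificate for
this server is invalid. You might be connecting to a server that is pretending
to be "172.22.78.78" which could put your confidential information at risk.
2023-06-20 08:54:46 [ERROR] err4001 0x7fe9cc70a210
2023-06-20 08:54:46 [ERROR] Failed to change password for 'sab5' (Uknown)!
"""


def parse_log(text):
    """Return a list of (timestamp, level, message) tuples.

    Lines that do not start with a timestamp are folded into the previous
    entry, so a wrapped multi-line error is classified as a single event.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            entries.append([match.group(1), match.group(2), match.group(3)])
        elif entries:
            entries[-1][2] += " " + line
    return [tuple(entry) for entry in entries]


def classify(message):
    """Map one error message to a category; unknown errors stay visible."""
    for category, pattern, _hint in RULES:
        if pattern.search(message):
            return category
    return "other_error"


def triage(text):
    """Count ERROR entries per category over a whole log."""
    counts = Counter()
    for _timestamp, level, message in parse_log(text):
        if level == "ERROR":
            counts[classify(message)] += 1
    return dict(counts)


def hints(summary):
    """Return the suggested next step for each category found by triage()."""
    return {cat: hint for cat, _pattern, hint in RULES if cat in summary}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = triage(text)
    for category, count in sorted(summary.items()):
        print("%-24s %d" % (category, count))
    for category, hint in hints(summary).items():
        print("%s: %s" % (category, hint))
```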

Initialization of admin

After successful installation, SecureAnyBox5 starts and the initialization page displays. To log into the web interface, the admin password must be set first.

Init Admin

The Security Code field is pre-filled with the unique code for your installation.
If the installation code is not pre-filled, it can be found in the inst.id file in the directory where the SecureAnyBox5 server was installed.

While entering the password, you can see how long your password is, how many lowercase letters, uppercase letters, digits or other symbols it contains, and how secure it is.

The password has to be confirmed by clicking on the OK button. After confirming the password, the login page displays.

First login


How to set automatic login of default user by SecureAnyBox5 Agent

Automatic login by SecureAnyBox5 can be set for the station's default user only. Other users have to log in manually. This setting can be convenient for stations used by more than one user but primarily by the user with the lowest permissions. That user can be set as default and will log on automatically.

To set automatic login by SecureAnyBox5 Agent on stations, follow these steps:

Create an Agent Configuration containing settings for all platforms of the stations on which you want to install SecureAnyBox5 Agent.

On the Downloads page (in the SecureAnyBox section of the web interface), select the appropriate Agent Configuration and download the SecureAnyBox5 Agent and its configuration.

Download Agent Configuration

Install SecureAnyBox5 Agent on a station.

Installation steps of SecureAnyBox5 Agent:


If the Agent Configuration is set to change the password of a group, a local user group must exist that contains all users who will be able to obtain the password from SecureAnyBox5. The default user has to be one of them.

To create a local group of users in MS Windows, please follow these steps:

On the desktop, right-click My Computer, and then click Manage.

In the Computer Management window, under System Tools, expand Local Users and Groups.

Right-click Groups, and then click New Group.

In the New Group dialog box, do the following:

Use this      To do this
Group name    Type the name of the group that you want to create.
Description   Optionally, type a description for this group account.
Add           Click Add to select members to add to the group.

Add all the user accounts that you want to the group.

Click Create.

Repeat steps 4 and 5 for the other required groups.

Click Close.

Click the Groups folder and verify that the group you wanted to create is in the list.

Please set default user on your station.

If you want the SecureAnyBox5 Agent to update the default user's password, a default user must be set. The default user can log in to Windows automatically without entering a password.

To set default user for your station, please enter “netplwiz” into the Windows search field and click on the program in search results.

Windows search for netplwiz

After clicking, the User Accounts form displays. In the list of users for this computer, click the user who will be set as default ( 1), uncheck "Users must enter a user name and password to use this computer" ( 2) and confirm the change by clicking the OK button ( 3).

Default user

After the station restarts, the first automatic login should succeed: the SecureAnyBox5 Agent sets the user's password and updates it in the registry keys where the automatic login is stored. The default user's password can be obtained in SecureAnyBox on the Get Password page, as for any other user.

Updating a password for default user in the Active Directory domain

If the same default user is set on more than one station, it is convenient to change the default user's password in the Active Directory domain. When everything is set correctly, after the LDAP user's password changes the SecureAnyBox5 LDAP Agent checks all registered stations and, on every station where that user is set as default, changes the station's password.

To update the default user's password in the Active Directory domain, follow these steps:

Set the Agent Configuration for stations. In the Agent Configuration for the LDAP platform, set the field Change password of to the value default users in domain.

Default user in domain

If App URL is not set in the general configuration of SecureAnyBox, it must be set in the Agent Configuration. The App URL has to be accessible from the internet (outside the local network). Without App URL set, the SecureAnyBox5 Agent can have problems connecting to the SecureAnyBox5 server.

Configure the LDAP Agent. In the LDAP Agent, select Active Directory as the Directory service and prepare the Active Directory server.

Active Directory value in LDAP Agent form

In the LDAP Agent, select the Agent Configuration created in the first step.

In the Default user domain field, enter the Active Directory domain name to which the default user belongs and, if necessary, modify the User id attribute. Configure the other required values in the LDAP Agent form and create the LDAP Agent by clicking the OK button. To apply the LDAP Agent, SecureAnyBox5 must be restarted.

On the Downloads page, select the Agent Configuration created in the first step and download the SecureAnyBox5 Agent and its configuration.

Please set default user on your station.

If you want the SecureAnyBox5 Agent to update the default user's password, a default user must be set. The default user can log in to Windows automatically without entering a password.

To set default user for your station, please enter “netplwiz” into the Windows search field and click on the program in search results.

Windows search for netplwiz

After clicking, the User Accounts form displays. In the list of users for this computer, click the user who will be set as default ( 1), uncheck "Users must enter a user name and password to use this computer" ( 2) and confirm the change by clicking the OK button ( 3).

Default user

Install SecureAnyBox5 Agent on a station.


After successful installation of SecureAnyBox5 Agent, the station should register automatically in SecureAnyBox5. Check on the Stations page that the station registered successfully.

Registered station

During registration, the SecureAnyBox5 Agent for Windows sends the default user information (including the domain if it is a domain user), provided the default user is enabled. If the default user is a domain user, the SecureAnyBox5 Agent does not set the password, because it does not have permission to change a domain user's password. In that case, the domain user's password is set by the LDAP Agent.

The LDAP Agent scans all registered stations and retrieves from them the default users whose domain matches the default user domain specified in the LDAP Agent configuration. The LDAP Agent generates and sets new passwords for these default users. This happens when the SecureAnyBox5 server starts, then every hour, and after a click on the Execute button.

Automatic authentication to KeyShield SSO

Depending on your configuration, users can authenticate via KeyShield SSO. For the automatic authentication, it is necessary to install the KeyShield SSO client on the station.
Instructions for unattended installation are at KeyShield_server/static/kshield_msi.page. For manual installation/configuration please follow screenshots:

KeyShield SSO Installation 1

KeyShield SSO Installation 2

KeyShield SSO Installation 3

The OES client for Windows integration works in a similar manner to the former ClientTrust for BorderManager: the KeyShield server creates a token and stores it as the value of an attribute of the user's object. The KeyShield client reads the value through the OES client for Windows API, uses it as a challenge, generates a response and sends it to the KeyShield server. The KeyShield server validates it and, if OK, accepts the client authentication request and sends a confirmation back to the client. The client changes the colour of its taskbar icon to green to inform the user that authentication has finished. Here is the related setting in the eDirectory connector of the KeyShield server (keep in mind that you can use as many eDirectory trees, AD forests, etc. as you need at the same time).

KeyShield SSO Installation 4

This is a so-called custom setup, but it is not necessary. The best practice is to let the KeyShield server configure the eDirectory connector automatically by choosing.

First, enter Connector ID and provide LDAP server IP and port.

KeyShield SSO Installation 5

Then click "Create KeyShield SSO objects"

KeyShield SSO Installation 6

KeyShield SSO will create its own mgr account (a proxy account used to access eDirectory), extend the schema with an auxiliary class for tokens (which can be removed), and assign the minimum access rights the mgr account needs.

Once you are done with this setting, automatic authentication with the OES client for Windows should work. If not, consult the Diagnostic log.

Import certificate on MS Windows

Importing the certificate is necessary for automatic registration of the station into SecureAnyBox5 via HTTPS protocol.

To import the certificate, please follow these steps:

Click Start, enter “mmc” into the Windows search field ( 1) and click the program in the search results ( 2).
Start Menu after searching for "mmc"

In the Console window, click File ( 1) -> Add/Remove Snap-in ( 2).
Microsoft Management Console window

Select Certificates ( 1) in the left panel and click Add ( 2) to move the selection to the right panel. Then click the OK button ( 3).
Add or Remove Snap-Ins window

In the Certificates snap-in window, select the Computer account option ( 1) and click the Next button ( 2). In the next window, click the Finish button ( 3).
Settings of Certificate Snap-In

In the Add or Remove Snap-ins window, click the OK button ( 1).
Add or Remove Snap-Ins window after certificate added

In the Console window, expand Certificates, then right-click Trusted Root Certificates -> All Tasks -> Import.
Import Certificate

In the Certificate Import Wizard window, click Next ( 1), and on the next screen select the certificate to import ( 2). When the certificate is selected, click Next ( 3).
CertificateImportWizard

Enter the certificate password ( 1) and click Next ( 2); in the next windows, click Next ( 3) and Finish ( 4).
CertificateImportWizard
CertificateImportWizard

After the import is completed, the station should register in SecureAnyBox5 automatically (it may take up to 10 minutes). For immediate registration, you can restart the SecureAnyBox5 Agent service.

Import certificate on macOS

To install the certificate on a Mac platform, please download the certificate on your station and follow these steps:

To open Keychain Access, start by clicking on Go in the Finder menu and then select Utilities.

When the Utilities window opens up, look for and click on the icon named Keychain Access.
Note: Alternatively, you can open the Keychain Access by typing “Keychain Access” in the Spotlight search field at the top.

In the Keychains window select System.

In the Keychain Access menu, select File > Import Items.

Browse to the .p12 or .pfx file that you want to import and open it.

Enter your admin password to authorize the changes and click Modify Keychain.

Enter the password that you entered when you created your .p12 or .pfx file.

Your SSL certificate should now be installed, and the station should be automatically registered.

Import Keyshield SSO certificate to Java Keystore

Download KeyShield SSO certificate from the Certificate section of KeyShield SSO server.

On the server where SecureAnyBox5 is installed, run a command in the following format:

<SecureAnyBox5 Java folder>/bin/keytool -importcert -file <certificate file> -keystore <SecureAnyBox5 Java folder>/jre/lib/security/cacerts

where:
<SecureAnyBox5 Java folder> is the location of the Java on which the SecureAnyBox5 server runs (e.g. /opt/tdp/secureanybox/jdk8/)
<certificate file> is the location of the certificate file (if the command is run from the folder where the certificate file is stored, just enter the name of the certificate file).

After the certificate is imported, it is possible to connect to the KeyShield SSO server and save the SecureAnyBox5 configuration successfully.

Installing browser extension using GPO

Google Chrome

At first, install Chrome policy templates.

Group policy editor

Run GPEDIT (gpedit.msc)

In the GPEDIT go to Computer Configuration > Administrative templates > Google Chrome > Extensions > Configure the list of force-installed apps and extensions
(Extensions in the list are installed silently, without user interaction, and cannot be uninstalled nor disabled by the user)

Add SecureAnyBox5 Extension to the list in the following format:

jmjiclmedngjhklhcafhkmbhmdiecgif;https://clients2.google.com/service/update2/crx

where the text jmjiclmedngjhklhcafhkmbhmdiecgif is the extension ID. You can verify the extension ID, for example, from the Chrome Web Store address.

Windows registry

Instead of using GPEDIT, you can write the settings directly into the Windows registry.
Into the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist enter the value:

"1"="jmjiclmedngjhklhcafhkmbhmdiecgif;https://clients2.google.com/service/update2/crx"

Mozilla Firefox

At first, install Firefox policy templates.

Group policy editor

Run GPEDIT (gpedit.msc)

In the GPEDIT go to Computer Configuration > Administrative templates > Mozilla > Firefox > Extensions > Extensions to install
(Extensions in the list are installed automatically)

Add the path to the SecureAnyBox5 Extension file in one of the following formats:

In the GPEDIT go to Computer Configuration > Administrative templates > Mozilla > Firefox > Extensions > Prevent extensions from being disabled or removed
(Extensions in the list cannot be uninstalled nor disabled by the user)

Add SecureAnyBox5 Extension ID: sab_login@secureanybox.com

Windows registry

Instead of using GPEDIT, you can write the settings directly into the Windows registry.
Into the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install enter the value:

"1"="http://<yourssecureanyboxserver.com>/swb/down/secureanybox-1.1.14-fx.xpi"

And into the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked enter the value:

"1"="sab_login@secureanybox.com"

Recover SecureAnyBox5 data from backup

Restoring data from a backup will overwrite/add:

The uploaded database includes all synchronized LDAP/Azure AD user accounts. If the user has previously logged into SecureAnyBox5, he or she can access SecureAnyBox5 without connecting to the LDAP/Azure AD server.

To restore SecureAnyBox5 data from backup, follow these steps:

Stop SecureAnyBox5 server

If you want to restore data from a backup to a new installation of SecureAnyBox5, do not start the server after installation, do not configure anything and stop the server if necessary.

In case you need to change the IP address in the configuration (for example because of moving to another server), use the changeaddress utility, which is in the SecureAnyBox5 server folder.

After starting the utility, confirm the introductory note by pressing the Enter key.

introductory note

Set the new IP address and ports for HTTP and HTTPS and save the changes (use the Tab key to move around the utility).

change address

After saving, you will be informed that the changes have been saved.

configuration changed

Select the backup zip file from which the data is to be restored.

Select the backup zip file from which the data is to be restored

Extract the files from the backup zip file to the SecureAnyBox5 server folder

Extract the files from the backup zip file to the SecureAnyBox5 server folder

Files can also be extracted using the command line (e.g. on a Linux server)

$ unzip <SecureAnyBox backup file> -d <SecureAnyBox folder>

The user account that runs the script must have sufficient permissions.

Start SecureAnyBox5 server

When restoring data to a new SecureAnyBox5 server installation, you must also upload the license file.

Windows 11 Encrypted File System troubleshooting

If you have a problem with encryption on Windows 11 while working with external files, please check that:

You have the latest version of Windows 11.
- In particular, the initial version of Windows 11 is most likely to be affected.

You are not using Windows Home Edition
- Encrypted File System (EFS) is not available in the Windows Home edition. To be able to encrypt the files, you have to upgrade the Windows to Education, Enterprise, or Pro edition.

Your system drive is formatted as NTFS and not FAT32
- If you find that your system disk is formatted as FAT32, please convert it to NTFS to use the EFS function.

Enable EFS through Windows Registry

Open the Registry Editor
(Press Windows + R to open Run dialog box, type regedit and click OK.)

Once the Registry editor window opens, switch to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Find the NtfsDisableEncryption value and double-click it to edit the value to 1. Once edited, press Enter and click the OK button.

Enable EFS through Command Line

Start the Command Line as Administrator.
(Press Windows, type cmd (into the search bar) and click the Run as administrator option.)

When the Command Prompt window appears, enter fsutil behavior query disableEncryption to get the status of the encryption.
To turn on the encryption, enter fsutil behavior set disableencryption 0.

To apply the new setting, it is necessary to reboot the station.

Additional information

CIDR format of subnet masks

SecureAnyBox5 stores subnets in the CIDR notation format.

The CIDR number comes from the number of 1’s in the subnet mask when converted to binary. You can refer to the following table to find the CIDR equivalent of your subnet mask.

CIDR notation format Dotted decimal format Binary format
32 255.255.255.255 1111 1111 1111 1111 1111 1111 1111 1111
31 255.255.255.254 1111 1111 1111 1111 1111 1111 1111 1110
30 255.255.255.252 1111 1111 1111 1111 1111 1111 1111 1100
29 255.255.255.248 1111 1111 1111 1111 1111 1111 1111 1000
28 255.255.255.240 1111 1111 1111 1111 1111 1111 1111 0000
27 255.255.255.224 1111 1111 1111 1111 1111 1111 1110 0000
26 255.255.255.192 1111 1111 1111 1111 1111 1111 1100 0000
25 255.255.255.128 1111 1111 1111 1111 1111 1111 1000 0000
24 255.255.255.0 1111 1111 1111 1111 1111 1111 0000 0000
23 255.255.254.0 1111 1111 1111 1111 1111 1110 0000 0000
22 255.255.252.0 1111 1111 1111 1111 1111 1100 0000 0000
21 255.255.248.0 1111 1111 1111 1111 1111 1000 0000 0000
20 255.255.240.0 1111 1111 1111 1111 1111 0000 0000 0000
19 255.255.224.0 1111 1111 1111 1111 1110 0000 0000 0000
18 255.255.192.0 1111 1111 1111 1111 1100 0000 0000 0000
17 255.255.128.0 1111 1111 1111 1111 1000 0000 0000 0000
16 255.255.0.0 1111 1111 1111 1111 0000 0000 0000 0000
15 255.254.0.0 1111 1111 1111 1110 0000 0000 0000 0000
14 255.252.0.0 1111 1111 1111 1100 0000 0000 0000 0000
13 255.248.0.0 1111 1111 1111 1000 0000 0000 0000 0000
12 255.240.0.0 1111 1111 1111 0000 0000 0000 0000 0000
11 255.224.0.0 1111 1111 1110 0000 0000 0000 0000 0000
10 255.192.0.0 1111 1111 1100 0000 0000 0000 0000 0000
9 255.128.0.0 1111 1111 1000 0000 0000 0000 0000 0000
8 255.0.0.0 1111 1111 0000 0000 0000 0000 0000 0000
7 254.0.0.0 1111 1110 0000 0000 0000 0000 0000 0000
6 252.0.0.0 1111 1100 0000 0000 0000 0000 0000 0000
5 248.0.0.0 1111 1000 0000 0000 0000 0000 0000 0000
4 240.0.0.0 1111 0000 0000 0000 0000 0000 0000 0000
3 224.0.0.0 1110 0000 0000 0000 0000 0000 0000 0000
2 192.0.0.0 1100 0000 0000 0000 0000 0000 0000 0000
1 128.0.0.0 1000 0000 0000 0000 0000 0000 0000 0000
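To convert between the formats in the table programmatically, here is an added Python example (it is not code from SecureAnyBox5): it counts the 1 bits of a dotted-decimal mask and checks that they are contiguous, so a mistyped mask such as 255.255.228.0 is rejected instead of being mapped to a wrong prefix length; it also renders the binary column, does the reverse lookup, and builds the network in the CIDR form the product stores from an address and a mask.

```python
import ipaddress


def mask_to_cidr(mask: str) -> int:
    """Dotted-decimal subnet mask -> CIDR prefix length.

    Counts the 1 bits, then verifies they form an unbroken run from the left:
    255.255.228.0 (1110 0100 in the third octet) is not a valid netmask and
    raises ValueError rather than being silently converted.
    """
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal mask: {mask!r}")
    try:
        values = [int(o) for o in octets]
    except ValueError:
        raise ValueError(f"not a dotted-decimal mask: {mask!r}") from None
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {mask!r}")
    bits = int.from_bytes(bytes(values), "big")
    ones = bin(bits).count("1")
    expected = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF  # `ones` 1-bits, then zeros
    if bits != expected:
        raise ValueError(f"non-contiguous mask: {mask!r}")
    return ones


def is_valid_mask(mask: str) -> bool:
    """True when the mask converts cleanly to a prefix length."""
    try:
        mask_to_cidr(mask)
        return True
    except ValueError:
        return False


def cidr_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted-decimal mask (the table read right to left)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str(b) for b in bits.to_bytes(4, "big"))


def mask_to_binary(mask: str) -> str:
    """Render a mask like the table's binary column (nibbles separated by spaces)."""
    bits = int.from_bytes(bytes(int(o) for o in mask.split(".")), "big")
    raw = f"{bits:032b}"
    return " ".join(raw[i:i + 4] for i in range(0, 32, 4))


def subnet_in_cidr(address: str, mask: str) -> str:
    """Address plus mask -> the network in CIDR form, e.g. 192.168.10.0/24."""
    prefix = mask_to_cidr(mask)  # validates the mask before it is used
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.224.0", "255.255.228.0"):
        status = f"/{mask_to_cidr(mask)}" if is_valid_mask(mask) else "invalid"
        print(f"{mask:<16} {mask_to_binary(mask)}  {status}")
    print(subnet_in_cidr("10.20.35.7", "255.255.224.0"))
```

The contiguity check matters when subnets are entered by hand: a non-contiguous mask has a 1-bit count, so a naive popcount would still return a prefix length and the stored CIDR subnet would cover a different range than intended.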

Dereference aliases

An alias is an entry which points to another object in the namespace by containing its DN. Searching the entry that an alias entry points to is known as dereferencing the alias.

There are four modes of dereferencing aliases:

Example

In the directory have been set up two aliases:

In container “ou=People” are set up two other entries:

The following table summarizes the results of searching “ou=Employees” in different modes.

Dereference mode  Results
Never  no entries (because the “ou=Employees” alias is not dereferenced)
Dereference while finding the base object  no entries (because the “ou=Employees” alias is not dereferenced)
Dereference while retrieving objects according to search scope  two entries: “cn=Marie Smith,ou=People” and “cn=Robert Norman,ou=People” (because the “cn=Newbie,ou=People” alias is not dereferenced)
Always  three entries: “cn=Marie Smith,ou=People”, “cn=Robert Norman,ou=People” and “cn=James Black,ou=NewHires”

Password Pattern Examples

Password pattern Entropy* Generated passwords (examples)
17 characters
CvddcVcAzduldAAvl 74.01 zi02gIfKT5Ah7frys Qo60histH3Pd4OQez hi82xOpGQ7Ft1Lzef
ZuAcVdAddcVlduldA 72.65 YLjvU9c67tol3Lc0P ETGgO0B66zek9Xi3M AIivE7q60kUr7Rt5y
uzVcsAnVdACCvdAnC 76.45 NCur]g6o5Ygru3Y[t CMul#F.A6mMfi8D(c BMEx/y_A9SFTy4S5X
dCVAAAAAdscVnuAnV 76.70 7siJIsnK0/ce$Cy*E 4WyKKsnr7$ky&Fu6A 4koceFZL7;wo<Wm[u
CvdscVcAznuldAAvl 77.13 Cy7)zYnVL5Vd4CYuo Za0&tEmAW4Qc7Lbon li7$rejUN*Og6Ixon
15 characters
vddcVcAZduldAvl 64.19 o56xYtWU6He9Sal a93vucrO8Gj5Oap u58xYnAI5Be5uic
AcdVAAVlCuldAdl 66.02 rz0ogHefmIf5A3w Eh1aSfegCYt7t5w pb1oPLYtPRg7P3n
uZcdVCVCZuAVcdA 65.94 ZIn7eMawIHDYk5W KAz9OCYgILLaz0t GYx0YCyfYWpiv2c
ZnAcVdnlAundCAV 66.65 A-LzI3:cPD;7SMy U$Xby2:ecG45nlU O4bpY6]wrQ71pMA
dCVAccAdcVduAdV 64.62 2gufrgC5by1Mm8u 3ZeFtbv7pa2NY9A 2Mavcqg2fO7Fa4u
12 characters
CulllduCldVz 53.25 rHevf4DXy1EZ bBuud7YKz2UM cCbtg8Zsy5IB
VAn*dAcVdlsu 53.50 Aj;O3mcy9b.H Ex2<7gmE8i-O UA2S8wry4y(W
ZVdAsCVndldA 52.34 UA2p/SU58k7b EO0C%HO@4s7r OI5c:Se*8e2r
uCldVdAsCVVA 52.56 Yxo8i3K>rUEF ZNs3U6g/BuAX Qwb6u6n&luYK
AcVdlsCuldAd 52.10 lty8i%JHy6F5 Cqu6t@xZk9m7 Ymu9i$XRh9t0
Easier to remember (alternating consonants and vowels)
cVcZdCvcddC 46.32 rumE9Zes04L kurA7jas53d tUlE8xiz14V
cvVcdVddzZzV 50.18 hyoh6Y78DUPO weyp8u59TYFA viyr8u33PIQI
cvcsdddcvcs 45.35 qab/141qor/ cyh/582wut@ guv$451vof@
CvcVsdcVcvd 46.45 GohI>5zini7 juny/7xYdi3 HamY&7dyqa4
zZzVdsdzZzV 47.03 PELa4[7TOQY GIKo1@5KAKU XAHa6#4NULa

* Password pattern entropy is counted as an average entropy of a hundred passwords that were generated based on the password pattern.

Password entropy

Password entropy is a measurement of how unpredictable a password is. The higher the value, the better.
Based on password entropy value, SecureAnyBox5 recognizes four levels of how secure the password is.

Password security  Indicator  min.  max.  Description
really bad         error      0     20    password should be changed immediately
unsatisfactory     warning    20    35    password does not meet security standards, should be changed
satisfactory       -          35    50    password meets security standards, but it can be better
really good        success    50    -     password is really secure

Examples of the use of Pattern Characters

To specify a set of characters that will be used while generating a password, please enter them into the field without any separator. (e.g., ‘abc’). In that case, the generated password will use only specified characters.

The set of characters that will be omitted while generating a password must begin with ^ character (e.g., ‘^0123’). In that case, the generated password will use allowed characters except for specified ones.

In the Agent Configuration, it is possible to use a combination of 3 different Pattern Characters settings. Each character of the generated password can use only one setting.

Recommended steps:

Characters used in generated passwords

lowercase vowels aeiouy
mixed case vowels AEIOUYaeiouy
uppercase vowels AEIOUY
lowercase consonants bcdfghjklmnpqrstvwxz
uppercase consonants BCDFGHJKLMNPQRSTVWXZ
mixed case consonants bcdfghjklmnpqrstvwxzBCDFGHJKLMNPQRSTVWXZ
lowercase alphabet characters abcdefghijklmnopqrstuvwxyz
uppercase alphabet characters ABCDEFGHIJKLMNOPQRSTUVWXYZ
mixed alphabet characters abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
digits 0123456789
special characters .@&*()<>_][%$#/\?;-:
Examples

You want to generate passwords that are user-friendly, without easily interchangeable characters (like 0 and O, or I and l and 1).

For such a password, enter ^0O1Il into Pattern Characters 1 field and into Password Pattern field enter as many ‘1’ as the number of characters the generated password should have.

Example of password Pattern setting for a password without interchangeable characters

This setting will generate passwords such as: vZ\Z7q@hoqiPK, C_6wsK((AujbG, K(_H-T*C]c%fq

If you also want to omit all special characters, just add all special characters to the text in the Pattern Characters 1 field.

Example of password Pattern setting for a password without interchangeable and special characters

This setting will generate passwords, such as: 2a5CMpdGUXytD, Zs7aPYqSUV8ps, AxnXkr5KZhFYw


You want to generate easily readable passwords (with alternating consonants and vowels)

For passwords with alternating characters, it is necessary to set two Pattern Characters settings. Into the first Pattern Characters field enter all consonants and into the second one enter all vowels. The Password Pattern field is then set to alternating 1 and 2; the number of 1s and 2s depends on how many characters the new password should have.

Example of password pattern setting for easily readable passwords

This setting will generate passwords, such as: fABOqucimac, minITafeJAl, NidedYvOKAt


You want to generate passwords that conform to the password requirements (for example, at least two capital letters, one number, or a special character)

For passwords that conform to the password requirements, it is necessary to set all characters that can be used in the generated passwords as Pattern Characters 1, upper case characters as Pattern Characters 2, and digits and special characters as Pattern Characters 3.

Example of password pattern setting that conform to the password requirements

As you can see in the image, in some cases it can be simpler to specify the characters to omit. The text '^.&()<>_][%$#\?;:' has the same effect as the text 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@-*/'.

Example of password pattern setting that conform to the password requirements

This setting will generate passwords, such as: vaDB3/smCVR, oFhV62MQEvI, RWXZl2HiGth
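The three setups above share one mechanism: each Pattern Characters field resolves to a pool (a literal list of characters, or every allowed character minus a ^-prefixed exclusion list), and each digit in the Password Pattern picks the pool for one position. The Python below is an added example that reimplements that mechanism together with the levels of the Password entropy table; it is not SecureAnyBox5's own generator. Its entropy figure is an assumption of the example, the sum of log2(pool size) over the pattern, and will not reproduce the product's values in the Password Pattern Examples table, which average a hundred generated passwords. The character classes are the ones listed in the "Characters used in generated passwords" table.

```python
import math
import secrets

# Character classes from the "Characters used in generated passwords" table.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"
SPECIAL = r".@&*()<>_][%$#/\?;-:"
ALL_ALLOWED = LOWER + UPPER + DIGITS + SPECIAL  # 82 characters

# Levels from the "Password entropy" table, taken as [min, max) in bits.
SECURITY_LEVELS = (
    (0, 20, "really bad"),
    (20, 35, "unsatisfactory"),
    (35, 50, "satisfactory"),
    (50, math.inf, "really good"),
)


def resolve_pattern_characters(spec: str, allowed: str = ALL_ALLOWED) -> str:
    """Turn one Pattern Characters field into the pool a position draws from.

    'abc'    -> exactly those characters
    '^0O1Il' -> every allowed character except the listed ones
    """
    if not spec:
        raise ValueError("Pattern Characters must not be empty")
    if spec.startswith("^"):
        excluded = set(spec[1:])
        pool = "".join(ch for ch in allowed if ch not in excluded)
    else:
        pool = "".join(dict.fromkeys(spec))  # keep order, drop duplicates
    if not pool:
        raise ValueError(f"{spec!r} leaves no character to choose from")
    return pool


def resolve_pools(settings: dict[int, str]) -> dict[int, str]:
    """settings maps the slot number (1, 2, 3) to that Pattern Characters field."""
    return {slot: resolve_pattern_characters(spec) for slot, spec in settings.items()}


def same_pool(spec_a: str, spec_b: str) -> bool:
    """True when two field texts allow exactly the same characters."""
    return set(resolve_pattern_characters(spec_a)) == set(resolve_pattern_characters(spec_b))


def generate_password(pattern: str, settings: dict[int, str]) -> str:
    """Each digit of the Password Pattern selects one slot for that position."""
    pools = resolve_pools(settings)
    out = []
    for position, ch in enumerate(pattern):
        if not ch.isdigit() or int(ch) not in pools:
            raise ValueError(f"pattern position {position}: no Pattern Characters {ch!r}")
        out.append(secrets.choice(pools[int(ch)]))  # CSPRNG, never random.choice
    return "".join(out)


def pattern_entropy_bits(pattern: str, settings: dict[int, str]) -> float:
    """Example's own estimate: sum of log2(pool size) per position (an assumption,
    not the product's averaged measurement)."""
    pools = resolve_pools(settings)
    return sum(math.log2(len(pools[int(ch)])) for ch in pattern)


def security_level(entropy: float) -> str:
    """Map an entropy value to the four levels of the Password entropy table."""
    for low, high, label in SECURITY_LEVELS:
        if low <= entropy < high:
            return label
    raise ValueError(f"entropy out of range: {entropy}")


def matches_pattern(password: str, pattern: str, settings: dict[int, str]) -> bool:
    """Check that a password could have been produced by the pattern (audit helper)."""
    pools = resolve_pools(settings)
    return len(password) == len(pattern) and all(
        p in pools[int(ch)] for p, ch in zip(password, pattern)
    )


if __name__ == "__main__":
    readable = {1: "^0O1Il"}                       # no interchangeable characters
    alternating = {1: LOWER.translate(str.maketrans("", "", "aeiouy")) +
                      UPPER.translate(str.maketrans("", "", "AEIOUY")),
                   2: "AEIOUYaeiouy"}              # consonants / vowels
    for name, pattern, settings in (("readable", "1" * 13, readable),
                                    ("alternating", "12121212121", alternating)):
        bits = pattern_entropy_bits(pattern, settings)
        print(f"{name}: {generate_password(pattern, settings)}  ~{bits:.1f} bits, {security_level(bits)}")
```

The alternating consonant/vowel setup is the cheapest way to show why the levels matter: eleven characters drawn from 40 consonants and 12 vowels give just under 50 bits under this estimate, one level below the same length drawn from the full allowed set.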