
Fingerprinting callers

The pamutil client can "fingerprint" both the caller and the calling environment. This reduces the risk of unintended credential disclosure: if the fingerprint taken at initialization differs from the caller's, access to the credential is denied. Fingerprinting is optional, but it can be applied as needed in high-risk environments. It also helps prevent configuration mishaps in large, dynamic deployments.

To prevent credential access from unauthorized systems that merely hold copies of the creds.ini file, add the line:

usemachinekey=1

to config.ini before it is initialized. Callers on other machines cannot obtain the credentials if the machine attributes (such as the MAC address) differ from those of the machine on which pamutil was initialized.

Similarly, the line:

filekey=./config.ini

prevents disclosure of credentials when the configuration file itself has been modified. In both cases, pamutil must be re-initialized with a new OTP API password before credentials can be retrieved again.
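The following Python is an added illustration of how these two options can bind a credential to the caller's environment; it is not pamutil's own code or algorithm, which this page does not describe. The point it makes is that the fingerprint (MAC address when usemachinekey=1, a hash of the config file when filekey is set) is fed into key derivation rather than merely compared against a stored value, so a copied creds.ini yields nothing on another host and there is no comparison for an attacker to patch out. The MAC value, config text, API password and credential are constructed, and the cipher is a toy HMAC keystream standing in for a real AEAD.

```python
# Added illustration of fingerprint-bound credential access (not pamutil's
# own code or algorithm). Standard library only; the "cipher" is a toy
# HMAC keystream that stands in for a real AEAD such as AES-GCM.
import hashlib
import hmac
import secrets


def parse_config(config_text: str) -> dict:
    """Parse key=value lines of the kind shown on this page (no sections)."""
    opts = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts


def fingerprint(config_text: str, mac: int) -> bytes:
    """Fingerprint of the calling environment, driven by the config options.

    usemachinekey=1 binds to a machine attribute (the MAC address here; a
    real caller would take it from uuid.getnode() or the NIC).
    filekey=<path> binds to the config file's own content. In this demo the
    config text stands in for the file named by filekey, so no I/O is done.
    """
    opts = parse_config(config_text)
    parts = [b"fingerprint-demo-v1"]
    if opts.get("usemachinekey") == "1":
        parts.append(b"mac:" + mac.to_bytes(6, "big"))
    if "filekey" in opts:
        parts.append(b"file:" + hashlib.sha256(config_text.encode()).digest())
    return hashlib.sha256(b"\x00".join(parts)).digest()


def derive_key(api_password: str, config_text: str, mac: int) -> bytes:
    """Mix the one-time API password with the fingerprint into a 32-byte key.

    Because the fingerprint is a key input rather than a stored flag, a caller
    on a different machine or with an edited config cannot derive the key.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", api_password.encode(), fingerprint(config_text, mac), 20_000
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, credential: bytes) -> bytes:
    """Encrypt-then-MAC; models what an initialised creds.ini would hold."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(credential, _keystream(key, nonce, len(credential))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def retrieve_credential(api_password: str, config_text: str, mac: int, blob: bytes):
    """Return the credential, or None when the fingerprint does not match."""
    key = derive_key(api_password, config_text, mac)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # other machine, edited config, or wrong API password
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed sample: the config from this page, initialised on one host.
CONFIG = "usemachinekey=1\nfilekey=./config.ini\n"
INIT_MAC = 0x001122334455  # constructed MAC address of the initialising host
BLOB = seal(derive_key("otp-api-pw", CONFIG, INIT_MAC), b"db_password=hunter2")


if __name__ == "__main__":
    print(retrieve_credential("otp-api-pw", CONFIG, INIT_MAC, BLOB))
    print(retrieve_credential("otp-api-pw", CONFIG, 0x66778899AABB, BLOB))
    print(retrieve_credential("otp-api-pw", CONFIG + "# edited\n", INIT_MAC, BLOB))
```

Two practical caveats follow from the model. A MAC address can be cloned or spoofed and may change on virtual or bonded interfaces, so usemachinekey raises the bar for a copied creds.ini rather than acting as a hard boundary. Binding to the file content means any change to config.ini, even a cosmetic one, invalidates the fingerprint, which is why the page requires re-initialization with a new OTP API password after such edits.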

See Configuration and credentials files for additional methods of fingerprinting pamutil callers in your version of Bravura Privilege.