PAM360 Release (Minor) 5003 (9th April 2021)
- A security vulnerability allowed unauthorized personnel to pull the Super Admin's email
address by accessing the URL - /SuperAdminAlertList.ec, through API.
- A Cross-Site Scripting (XSS) issue found in the Query report description.
- A Cross-Site Scripting (XSS) issue found in the edit LDAP server details page.
- A stored XSS issue occurred via the ResourceURL while accessing - /InvokeResourceURL.cc in
- A Cross-Site Scripting (XSS) issue found in the User Password Change page has been fixed by
ensuring proper output encoding for the password policy.
PAM360 Release (Minor) 5002 (16th March 2021)
- A Cross-Site Scripting (XSS) issue that occurred in the web app connection page has been fixed.
PAM360 Release (Minor) 5001 (23rd November 2020)
- PAM360 - Log360 UEBA Integration
ManageEngine PAM360 now integrates with ManageEngine Log360 UEBA, a machine learning-based tool that
analyzes audit logs and detects unusual behavior using score-based risk assessment, anomaly trends, and
audit reports. On the whole, the integration helps you to consolidate the extensive resource and user audit
trails recorded by PAM360 and render them into fully visualized anomaly reports, interpreted using patterns
and user behavior, all from the PAM360 console.
- In build 5000, there was an issue due to the broken "Your Position" hyperlink in the Windows
File Transfer client. This issue has been fixed by upgrading our RDP engine.
- In build 4101, during AD sync, the resource or user removed from an AD resource/user group still showed up
in the PAM360 resource/user group. This issue has been fixed now.
PAM360 Release (Major) 5000 (24th October 2020)
- Connection Settings
PAM360 now offers advanced configuration settings for remote connections added to the product, which are
customizable for SSH, RDP, and VNC connections, thereby improving the overall user experience while
initiating connections from PAM360 to the respective remote resources. Some of the advanced settings include
changing the SSH terminal type, modifying the desktop composition for RDP connections, changing the encoding
type of VNC connections, etc.
- Secure File Transfer
PAM360 now allows bi-directional file transfer between two systems through the SSH File Transfer Protocol
(SFTP). Users can accomplish this by installing the SFTP server in the target remote systems. There is no
proposed size limit for file transfer through the secure file transfer mechanism, therefore allowing PAM360
to authenticate the connection and transfer large files without the risk of security breaches. Besides file
transfer, PAM360 permits bi-directional upload and download of files between the user's machine and the
remote connection they have established, without the need for a remote session. This upload and download
mechanism is made possible through the Secure Copy Protocol (SCP).
- Enhanced Connections
This release comes with a more polished 'Connections' tab that serves as a one-stop platform to view all the
added Connections, Favorites, and Connection Groups. The tab holds some useful options, such as a new secure
file transfer option, and a new search filter that facilitates the search of resources within the tab using
Name, DNS name, or type of OS. All the connections have the following quick access control buttons: Connect,
Request, Checkin, Checkout, Remote App, and Upload/Download files.
- Remote App
PAM360 now allows you to connect to specific applications, already configured as 'Remote Apps', in target
systems. Adding Remote Apps to RDP connections increases accessibility and ease of use when connecting to
remote machines. Remote Apps are of great utility to IT admins in making the privileged sessions easier to
control, as they limit users' access to selected applications.
- Gateway Settings
From this release, users can customize 'Gateway settings' in PAM360, under 'Admin >> Connections'.
Users can edit and control the cipher suites used for SSL communication, set up a different port, choose SSL
protocols to be used for securing remote connections initiated from the product, customize HTTP header log
- New SSH Terminal
From this release, users can avail of a new lag-free SSH Terminal that uses the WebSocket API and is faster
and more responsive.
- Landing Server for Windows
Provision to launch secure, one-click RDP access to remote devices in data centers with complete password
management. Administrators can now configure landing servers and their login credentials and associate them
with the resources managed by PAM360. They can then launch one-click connections with the remote resources,
without worrying about the intermediate hop, thus providing them the same experience as the direct
- Azure MSSQL Support
PAM360 now supports Azure MSSQL as the backend database. It also allows PostgreSQL to Azure MSSQL instance
- New Certificate Format - PEM
A new certificate format, Privacy Enhanced Mail (PEM), has been added, in addition to the already available
certificate export formats, Keystore and PFX, where the PEM format is used for digital certificates and
keys, deployed in web server platforms (e.g., Apache).
- Support for GoDaddy DNS
PAM360 now supports GoDaddy DNS to complete the domain control validation procedure while acquiring
certificates from public Certificate Authorities, along with the already available DNS support types, Azure
DNS, Cloudflare DNS, Amazon Route 53, and RFC2136 Update. Using GoDaddy DNS, users can update the DNS record
for GoDaddy domain validation from the PAM360 portal itself.
- Previously, it was possible to configure access control settings at the resource level only, which were
applicable for all the accounts under the resource. Now, it is possible to set password access control
independently for each account under a resource, without affecting the access control configurations of
other accounts in the resource. This ability to set unique configurations for each account helps users
maintain unparalleled security levels for each account, based on requirements. Remember, the account-level
access control configuration takes higher precedence over the resource-level access control configuration.
- This release comes with an exclusive page for 'Windows Agents', accessible from the SSL tab, from where
users will be able to perform all agent-specific operations such as SSL Discovery using agent, deployment of
SSL certificates in certificate groups using agent and CSR Signing with MSCA agent.
- Certificate deployment in multiple servers has now been made simpler by using an agent, provided the agent
is running in the server to be deployed, and both the agent name and the server DNS name are the same.
- Now, auto-renewal of certificates is possible for the 'MSCA using agent' sign type as well, from 'Settings
>> SSL >> Certificate Renewal'.
- The 'Certificate Sign Report' comes with the following MSCA/Third party CA signing details: Certificate
Authority, Certificate Template, Sign Type column.
- The 'Certificate Renewal report' comes with the 'Renewed By' column relevant to MSCA and 3rdPartyCA renewal
- A new option 'Reissue Certificate' has been added under 'SSL >> GlobalSign' that allows users to
request GlobalSign to reissue an SSL certificate.
- The new 'GlobalSign Orders Report' allows the GlobalSign orders to be added as individual reports, which
provide a detailed view of certificate orders requested from the GlobalSign CA
- From now on, users can add a 'Key Comment' while importing a new SSH key and editing an existing key
from the repository. Also, users can select the checkbox "Update comment in associated users" to
update the Key comment to the associated end servers automatically.
- Now, it is possible to add additional properties to a certificate while creating it, by using the 'Advanced
Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties, and add
them to the new certificate. Examples of the Key Usage properties include Digital Signature, Decipher
Only, Encipher Only, and Certificate Sign.
- The DigiCert CA page has been enhanced with a new menu 'Show' that has four options, Expired, Revoked,
Rejected, and Others, used to filter the DigiCert CA list view.
- Now, while adding or modifying the Certificate Groups, it is possible to set 'additional fields' also as one
of the 'By Criteria' filters for certificates.
- While creating an additional field, users are allowed to choose if it is applicable for SSH/SSL/both. The
'Additional fields' option is now available under 'Settings'.
- New REST APIs 'GET CSR list' and 'Sign CSR' have been added.
- The 'Expiry Notification' has been enhanced with the custom mail content, 'Title' and 'Signature'.
- The 'Certificate Renewal Report' page under the 'Reports' tab now comes with a column chooser.
- Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of
the agent listed under 'SSL >> Windows Agents'.
- Now, users can tailor schedules by adding custom email content and a unique signature.
- Now, users can discover certificates issued by a particular 'Microsoft Certificate Authority' just by
entering the MSCA name in the relevant text box during discovery. Remember, this additional option will be
available in PAM360 installations running in Windows machines only.
- Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed
certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a
- Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields
followed a fixed format. Now, the customization settings configured for notification emails in
'Notification' and 'Schedule' tabs will be applied to the emails sent via email addresses in the additional
fields as well.
- An issue in Download file API has been fixed.
- Server certificate update failed in case of Key Store with multiple alias names. This has been fixed.
- The root and intermediate certificates of PEM format got added as separate entries in the certificates
repository. This has been fixed now.
- Agent got duplicated when re-installed from a different IP address. This has been fixed.
- The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
- The issue in MSCA auto-renewal with the EC key has been fixed.
- Get Templates issues that existed with the non-English languages have been fixed.
- A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the Resource name
while masking password, theme type, skin color, Category name of the Personal tab, web app connections, and
user sessions of the Audit tab has been fixed.
- The TLS of the SSL agent in PAM360 has been upgraded to version 1.2 and is configurable in 'Agent.conf'.
- Earlier, during API calls, the Authentication token was passed as a request parameter. Hereafter, each API
call made to the application requires the Authentication token to be passed in the request header.
- Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which
posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain
- A local File Intrusion issue that occurred during the MS store discovery has been fixed.
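
The two fixes above that move the authentication token from a request parameter to a request header, and the Keystore password from the URL to the request body, matter because request URLs are written to web server access logs. The following added example (not ManageEngine code) audits access log lines for credentials in the query string and redacts them; the parameter names, paths and log lines are constructed assumptions, not PAM360's actual API.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical parameter names (assumption); replace with the names your API uses.
SENSITIVE_PARAMS = {"authtoken", "token", "password", "keystorepassword"}

# Matches the request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines. The first two carry secrets in the URL; the
# last two are the same calls with the secret sent in a header or the body,
# so nothing sensitive reaches the log.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] '
    '"GET /api/example/resources?AUTHTOKEN=CONSTRUCTED-TOKEN-123&format=json HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2021:10:00:05 +0000] '
    '"POST /api/example/certificates/upload?keyStorePassword=ConstructedPass1 HTTP/1.1" 200 87',
    '192.0.2.12 - - [01/Jan/2021:10:00:09 +0000] '
    '"GET /api/example/resources?format=json HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2021:10:00:12 +0000] '
    '"POST /api/example/certificates/upload HTTP/1.1" 200 87',
]


def find_secrets_in_url(line):
    """Return the sorted names of sensitive query parameters in a log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    names = {key for key, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(name for name in names if name.lower() in SENSITIVE_PARAMS)


def redact_line(line):
    """Return the log line with sensitive query parameter values replaced."""
    match = REQUEST_RE.search(line)
    if not match:
        return line
    parts = urlsplit(match.group("target"))
    pairs = [
        (key, "REDACTED" if key.lower() in SENSITIVE_PARAMS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:match.start("target")] + target + line[match.end("target"):]


def audit(lines):
    """Return (line_number, parameter_names, redacted_line) for each finding."""
    findings = []
    for number, line in enumerate(lines, start=1):
        names = find_secrets_in_url(line)
        if names:
            findings.append((number, names, redact_line(line)))
    return findings


if __name__ == "__main__":
    for number, names, redacted in audit(SAMPLE_LOG):
        print(f"line {number}: secret in URL via {', '.join(names)}")
        print(f"  {redacted}")
```
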
PAM360 Release 4.5 (Security Hotfix) 4501 (16th May 2020)
- An unauthenticated servlet vulnerability found in our internal framework that posed the risk of
less-impactful entries getting inserted in the integration system configurations table, remotely, has been
PAM360 Release 4.5 (4500) (6th May 2020)
- Expiry Notifications for SSL Certificates
PAM360 now enables users to discover, import, and configure expiry notifications for SSL certificates hosted
in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management
- Self-signed Certificates Auto Renewal
PAM360 now supports automated renewal of self-signed certificates along with Microsoft CA certificate
- SSL Certificate Deployment and Binding - IIS Server
From now on, you can both deploy a certificate to the IIS server and also bind it to the desired website in
the IIS, all from the PAM360 interface itself, without the need to access the IIS server separately. Also,
an option has been provided to automatically restart the IIS server for the deployment and binding to take
effect, thereby eliminating the need for the manual restart from the IIS end.
- Additional Fields
PAM360 now brings you the 'Additional Fields' feature, configured from
'Admin >> SSH/SSL' that is used to include any additional information about SSH keys and SSL
certificates, stored in the repository. There are four different categories to add the additional fields:
character, numeric, date and email. Users can choose to add or remove the additional fields from SSH and SSL
- Column Chooser
This version of PAM360 comes with the 'Column Chooser' feature that allows users to show or hide columns at
runtime, and also rearrange the columns from the current view via drag-and-drop.
- Pretty Good Privacy (PGP) Keys
PGP encryption is used to enhance cryptographic privacy and authentication for online communication by
encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression, hashing, and
public-key cryptography to boost confidentiality. Now, PAM360 brings you this PGP functionality in the form
of PGP key generation, where the keys are used to encrypt the data like emails, texts, etc. Create, store
and manage PGP keys under 'Admin >> SSH/SSL'. Modify the key description anytime, export
private/public keys, export keys to multiple email ids, and generate, view, and schedule reports. You can
also send expiry notification emails to admins. This feature allows you to share and collaborate information
securely among your trusted groups of users and businesses.
PAM360 now supports integration with GlobalSign SSL—a trusted Certificate Authority and a leading
cloud-based PKI solutions provider. This integration enables users to request, acquire, import, deploy,
renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by GlobalSign,
directly from the PAM360 web interface.
- Certificate Deployment using Agent
PAM360 can already deploy and bind certificates to IIS servers belonging to the domain, where PAM360 also
resides. Now, PAM360 can also deploy certificates to IIS servers in demilitarized zones and also bind them
to websites in IIS, all using an agent. This makes PAM360 more scalable, as it can deploy and bind
certificates in IIS servers, irrespective of whether they are in the same or different domain.
- CSR Signing using Agent
In addition to the already available two sign types, namely, 'MS Certificate Authority' and 'Sign with
Root', used to sign certificates from PAM360, a third sign type 'MS Certificate Authority with Agent' has
been introduced. This new sign type is mainly used to sign certificates originating from a distinct domain,
i.e., other than the domain to which PAM360 belongs.
- Integrating with Ticketing Systems
PAM360 now integrates with enterprise ticketing systems namely ServiceDesk Plus (on-premise) and ServiceNow.
This integration ensures that automatic service requests are created in the ticketing environment to notify
administrators of SSL certificates that are at the risk of expiring and certificates that are deemed
vulnerable after a vulnerability scan in PAM360. Users can set notification policies to govern the frequency
of service request creation for expiring and vulnerable tickets.
- PAM360 now provides additional insights on agent activity such as heartbeat interval, latest response time
and operation performed.
- For scheduled SSL expiry tasks, users now have the option to choose whether or not to receive email
notifications when no certificates in that particular schedule are nearing expiration.
- PAM360 offers automatic bundling of individual private key (.key) files and certificate files (.cer/.pem)
into 'JKS' and 'PKCS' keystore file formats and provides export option for the same.
- Two extra categories have been added to the criteria-based certificate group creation: AWS service and
- Now, it is possible to use the PAM360 service account credentials for authentication while deploying
certificates in Windows servers.
- Henceforth, while creating a certificate, users can provide ephemeral access (validity in hours and minutes)
to the certificates created, after which the certificate auto-expires. This eliminates the need for
compulsory permanent access credentials to access target systems and also explicit access repeal.
- It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address combination.
- The option to filter certificates based on the key length and signature algorithm within specific expiry
days has been added to the 'getAllSSLCertificates' Rest API.
- It is now possible to customize notifications and their intervals. Users can now choose not to receive
notifications regarding the expired certificates, and send a separate email and customized subject per
certificate, from 'Admin >> SSH/SSL >> Notification Settings'. The same actions can be done
while creating new schedules under 'SSH/SSL >> Schedules >> Add Schedule', where you have to
select the Schedule Type as 'SSL Expiry'.
- Earlier, PAM360 allowed signing and deployment of certificates only from Windows systems. Now, it is
possible to perform certificate signing and deployment to Windows systems from Linux installations through
- It is now possible to provide customized subjects in 'Schedules'.
- In RestAPI, the fetch details format is modified in such a way that the "details" attribute holds
all the data. The following is the modified API list: GetCertificateDetails, getallsslcertificates,
getAllSSLCertsExpiryDate, sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey,
GetSSHKeysForUser and GetAllAssociatedUsers.
- Previously, certificate deployment failed if the field "Store Password" contained a space
character while creating certificates from 'Certificates → Create'. This has now been fixed.
- Previously, when performing bulk operations, the "Create and Deploy" action failed when executed
on SSH user groups, for RSA and DSA signature algorithms. This has now been fixed.
- Previously, when there was a "space" character present in a certificate group name, attempting to
fetch the SSL certificates report pertaining to that group from the Reports tab threw the following error:
"Invalid field format". This has now been fixed.
- Previously, even after the certificate private key was imported and attached to a certificate in PAM360's
certificate repository, the "Export Keystore/PFX" was still disabled. This has now been fixed.
- During all AD-related operations performed from the PAM360 interface, the 'Connection Mode' got saved as 'No
SSL' only, even if the 'SSL' mode was chosen. This issue has been fixed now.
- Earlier, MSCA signing supported 'java keytool' CSR only. Now, from this release, all CSRs will be supported
by MSCA signing. During certificate creation, all values entered in the SAN field were all together
categorized as 'DNS' only. Now, the values are segregated as 'DNS' and 'IP Address' categories.
- When a set of resources is shared with a user(s) with varying access permissions, and when different access
permission is granted for one of those resources, the access permission of all the other resources also got
changed. This issue has been fixed now.
- A SQL injection vulnerability identified in 'Audit Reports' has been fixed.
- A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the user input has
- Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which
posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain
PAM360 Release 4.1 (4101) (1st April 2020)
- Just in Time (JIT) Privilege Elevation for Local Accounts
Now, a PAM administrator can provide just-in-time (JIT) privilege elevation to Windows local accounts in
PAM360 with short-term access to a sensitive application or a service, for a defined period, say 30 minutes.
In other words, the administrator can use this feature to temporarily elevate an account's privilege to be a
Windows Administrator or any other privileged user, and accomplish the required privileged functions. This
is useful in scenarios where users do not need continual privilege access but only a temporary, on-demand
privileged access to certain applications or tasks.
PAM360 Release 4.1 (4100) (3rd February 2020)
- AWS EC2 Discovery
This build comes with the option to discover AWS EC2 instances and their associated privileged
accounts, in addition to the already available Windows, Linux, VMware and Network device discovery.
Discover the AWS EC2 instances by providing the access key and secret key of AWS IAM users. Discover the
privileged accounts associated with each AWS EC2 instance by providing the SSH private key (.pem) of the
relevant instance at the time of discovery. You can also discover AWS EC2 instances from multiple regions.
- Integration with the Automation Anywhere RPA Tool
ManageEngine PAM360 integrates with Automation Anywhere, a Robotic Process Automation (RPA)-powered platform
that automates software processes using bots. PAM360 renders a bot that helps you automatically fetch
passwords from the PAM360 secure vault without manual intervention. This bot is capable of working in
combination with other bots in Automation Anywhere to create a complete endpoint management workflow.
- Periodic Password Integrity Check
For resource groups, an option is already available to check if the passwords stored in the PAM360 database
are in sync with the passwords in the target devices. Now, a new option 'Periodic Integrity Check' is added
that allows you to schedule tasks to run on a specific day/time, or at regular intervals of the specified
day(s), or on a specific day of a month. The password integrity check will happen periodically based on the
schedule set. Unlike the former option, you can use the new option to check the integrity of the passwords
in the desired groups at your convenient schedules.
- During RDP sessions, it was not possible to copy texts using the keyboard shortcut 'Ctrl+C'. This was
due to a breakage in the content security policy header enabled in PAM360 build 4000. This issue has been
- From build 4000, while updating LDAP details, LDAP users alone got removed from the user group. This issue
is fixed now.
- From build 4000, SSH sessions did not get recorded when the option 'Enable splitting of SSH and Telnet
session recordings into multiple files' was enabled under 'General Settings--> Miscellaneous'. This issue
occurred in FQDN servers or when the DNS name contained an IP address. This issue has been fixed.
PAM360 Release 4.0 (4002) (14th January 2020)
Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally
authenticated users. Now, as a security practice, we have enforced the following measures, applicable for
installations under the 'Program Files' directory:
- No inherited permissions are allowed for data and configurations directories.
- "Authenticated Users" permission has been excluded entirely.
- Only the CREATOR OWNER, SYSTEM, Installation User, NT AUTHORITY\Network Service and Administrators groups
will have Full Control over the directories and can start PostgreSQL.
PAM360 Release 4.0 (4001) (13th November 2019)
- Integration with DigiCert SSL
PAM360 integrates with DigiCert—a leading TLS/SSL, IoT and various other PKI solutions provider. Users
can request, acquire, create, deploy, renew and automate the end-to-end management of SSL/TLS certificates
issued by DigiCert, all directly from the PAM360 portal.
It is now possible to create and use predefined templates for CSR (Certificate Signing Request) generation
- Option to Exclude Certificates
Users can now choose to ignore certain certificates during the SSL discovery or manual addition of
certificates into the PAM360 repository. A new option is added under 'Admin >> SSH/SSL >>
Exclude Certificate', which you can utilize to add the certificates to be excluded, by specifying their
Common Name and Serial Number.
- Support for RFC2136 DNS Updates
PAM360 now supports RFC2136 DNS updates to complete domain control validation while acquiring certificates
from public certificate authorities (CAs).
- Support for Browser Extensions
From build 4001, support is enabled for browser extensions (Chrome and Firefox), which allow you to auto-fill
passwords to websites and web applications, and set up an Auto-Logon gateway to launch RDP and SSH sessions.
Additionally, the add-on allows you to view all passwords, resource groups, favorites, etc., and access
existing passwords and add new ones - all into a single platform accessible through a central console.
- Option to modify the email id of the Let's Encrypt account, used by Let's Encrypt to send email
alerts of expiring certificates.
- From PAM360 build 4001, an option is provided for Linux resource types that lets users opt to force-map
SSH keys to user accounts, even if the target systems are not reachable.
- Users can now use PAM360 to sign CSRs (either using your internal Microsoft CA or a root certificate) as and
when they are generated.
- PAM360 now supports file-based discovery for scheduled SSH and SSL discovery tasks.
- A new dashboard widget to provide data about SSL configuration vulnerabilities has been added.
- Support is enabled for the discovery of SSH keys with ECDSA and ED25519 signature algorithms.
- A new REST API to view the private key passphrase of SSL certificates has been added.
In PAM360 build 4000, while trying to integrate with ServiceDesk Plus, the "Invalid API key" error was
encountered. This issue has been fixed in this build.