External LDAP directory that has PAM managed accounts in it. Not sure if PAM can handle the accounts local to the API GW DB...we tried that briefly but couldn't get it to work (haven't circled back to it yet though, would be cool if it could).
Also, it appears the product requires you to keep at least one permanent local super user, which can then be locked down with a max-length password and toss on additional mitigations for that account. Just all depends on what is acceptable there; but that'd be your emergency "everything is dorked up" credential.
Mitigation ideas:
- Policy Management listener only on a non-exposed port (i.e., don't have it enabled on the ports you are exposing for services) and require connections coming from a specific secure network (possibly even coming only from a specific monitored management server that requires smartcard login + role access).
- Email alert if the emergency super user account logs in or has login attempts. If you have something like Tripwire or other monitoring tools in place already they can do this - just have it look at the logs for specific events and take some action if it's not during a known event.
- Regular change of admin password and only known to a small set of trusted admins.
- Store the password itself in CA PAM so that only certain groups can even view it, and only after logging in with strong certificate auth (medium hardware).
-------
I'm sure other folks who have used the product for a while may have some ideas.
Anyhoo, just some thoughts.
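The "alert on the emergency super user" idea above, as an added example (my own code, not the product's or CA PAM's): it runs over a few constructed audit lines and flags every login event on a hypothetical break-glass account unless it was a success, inside an announced change window, and from the management network. The account name, the management network, the window and the log line format are all assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample audit lines (not real product output); the format
# "<ISO timestamp> <event> user=<account> src=<ip>" is an assumption.
SAMPLE_LOG = """\
2024-03-10T02:15:00 LOGIN_SUCCESS user=svc_deploy src=10.0.5.20
2024-03-10T02:16:30 LOGIN_FAILURE user=breakglass-admin src=198.51.100.7
2024-03-10T02:17:05 LOGIN_SUCCESS user=breakglass-admin src=198.51.100.7
2024-03-12T22:05:00 LOGIN_SUCCESS user=breakglass-admin src=10.0.9.4
"""

# Hypothetical values: the emergency super user, the management network the
# Policy Manager listener is restricted to, and one announced change window.
EMERGENCY_USER = "breakglass-admin"
MGMT_NET = ipaddress.ip_network("10.0.9.0/24")
KNOWN_WINDOWS = [(datetime(2024, 3, 12, 22, 0), datetime(2024, 3, 12, 23, 0))]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_(?:SUCCESS|FAILURE)) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def in_known_window(ts, windows):
    """True if the timestamp falls inside an announced change window."""
    return any(start <= ts <= end for start, end in windows)


def emergency_account_alerts(log_text, user=EMERGENCY_USER,
                             windows=KNOWN_WINDOWS, mgmt_net=MGMT_NET):
    """One alert per login event on the emergency account unless it is a
    success, inside a known window, and from the management network.
    Failed attempts are never suppressed."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != user:
            continue
        reasons = []
        if m["event"] == "LOGIN_FAILURE":
            reasons.append("failed login")
        if not in_known_window(datetime.fromisoformat(m["ts"]), windows):
            reasons.append("outside known window")
        if ipaddress.ip_address(m["src"]) not in mgmt_net:
            reasons.append("source not on management network")
        if reasons:
            alerts.append({"ts": m["ts"], "event": m["event"],
                           "src": m["src"], "reason": "; ".join(reasons)})
    return alerts
```

Each returned dict is what you would hand to the mailer or ticketing hook; the fourth sample line is the "known event" case and produces nothing.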