Integrating with One Identity Safeguard for Privileged Passwords

One Identity Safeguard for Privileged Passwords (Safeguard for Privileged Passwords or Safeguard) is application software that acts as a vault to store and manage credentials and secure the assets in your IT environment. Your assets include computers, servers, network devices, directories, and applications.

As a credential broker, Safeguard for Privileged Passwords automates, controls, and secures the process of granting privileged credentials with role-based access management and automated workflows.


Related topics

Integrating with credential brokers

Configuring credentials

Adding credentials

One Identity Safeguard for Privileged Passwords

Before you begin

Before you start integrating BMC Discovery with Safeguard for Privileged Passwords, you must have:

  • Installed Safeguard for Privileged Passwords and completed the necessary configuration to ensure that your assets' credentials are already saved in the Safeguard Vault. For more information, consult your Safeguard Vault administrator and the Safeguard documentation.
  • Added asset details in Safeguard for Privileged Passwords from the Application to Application (A2A) option under Settings > External Integration.

Important

The integration of BMC Discovery with Safeguard for Privileged Passwords supports only credentials of type Password (including Microsoft Active Directory), SSH Key, and Private Keys. This restriction is due to the limitation imposed by the Safeguard Application to Application (A2A) REST API.

Credential broker performance testing

Credential brokers, such as Safeguard for Privileged Passwords, are designed with human interaction in mind. When BMC Discovery scans your IT environment, BMC Discovery can make many simultaneous API calls. Before you put the integration with a supported credential broker into production, we recommend that you conduct scale and performance testing in your IT environment.

For information on integrating BMC Discovery with Safeguard for Privileged Passwords, see the following video (07:54):

 https://youtu.be/VsIorTtpbdI

To integrate BMC Discovery with Safeguard for Privileged Passwords

  1. From the Administration page, click Vault Management.
    The Vault Management page is displayed.

  2. Click the Safeguard Vault tab.



    Alternatively, if you have registered an Outpost and want to use it, then from the main menu in BMC Discovery Outpost, select Manage > Vault Providers. The Manage > Vault page is displayed with an identical Safeguard Vault tab.

  3. Specify the following settings relevant to your installation of Safeguard Vault.

    Field Name

    Description

    Status

    A read-only message showing the current status of the integration with Safeguard Vault. This message can be one of ACTIVE or DISABLED, or a test or error result such as TEST OK, TEST ERROR, or ERROR, accompanied by an explanatory message.

    Enabled

    Select the check box to enable the integration with Safeguard Vault.

    URL

    Enter the URL of Safeguard Vault. Only HTTPS URLs are permitted. This field is required.

    You must obtain the URL, user name, and password to access Safeguard Vault from your Safeguard Vault administrator.

    Safeguard Application Name

    Enter the name assigned to the application's registration in Safeguard for Privileged Passwords. You must have registered the Application Name earlier in Safeguard for Privileged Passwords. For more information about configuring the application name, see the Administration Guide in the Safeguard documentation.

    TLS Certificate Bundle

    Click Choose File to select the TLS certificate bundle file from your system. The TLS certificate bundle must be in the PEM format. The bundle must include the client certificate and the private key for the BMC Discovery instance, and can optionally include the CA certificate of the vault. Consult your Safeguard Vault administrator to get the certificate bundle.

    BMC Discovery accesses the Safeguard Vault server by using the Transport Layer Security (TLS) certificate bundle authentication method. For more information about this, see the Safeguard documentation topic How to setup Certificate authentication for Safeguard users.

    Set TLS Bundle Passphrase

    By default, the TLS bundle passphrase is not displayed. Do one of the following:

    • If your TLS certificate bundle is not encrypted, a passphrase is not required. Leave this field blank.
    • If the TLS certificate bundle is encrypted with a passphrase, BMC Discovery requires that passphrase to decrypt and use the bundle at runtime. Select the check box and enter the passphrase.

    Checkout Duration (in minutes)

    Enter the time (in minutes) for which a checked-out password remains valid. The default is 15 minutes and the minimum is one minute.

    Timeout (in seconds)

    Enter the timeout (in seconds) for requests sent to the Safeguard Vault server. The default is 300 seconds.

    TLS Certificate Check

    Enable or disable the TLS certificate check. By default, BMC Discovery Outpost verifies the TLS certificate presented by the Safeguard Vault server. You can clear the check box to disable the TLS certificate check, which means the server's certificate is no longer verified; do this only in a test environment. The result of the test is reported in the Status field.

  4. Click Test to test the connection between BMC Discovery and the Safeguard Vault server.

    If your configuration details are correct, the Status field displays a success message. If the Status field displays an error message, consult your Safeguard Vault administrator to ensure that the field values are correct and the Safeguard Vault server is up and running.

  5. Click Apply to save the configuration.

Important

The configuration is not saved until you click the Apply button.

The integration between BMC Discovery and Safeguard for Privileged Passwords is complete.
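The TLS Certificate Bundle and Set TLS Bundle Passphrase fields in step 3 depend on two properties of the PEM file: whether it contains both the client certificate and the private key, and whether that key is encrypted. The following script is an added example written for this page, not BMC Discovery or One Identity code. It inspects the PEM block structure of a bundle before you upload it, reports whether the passphrase check box will be needed, and, for an unencrypted bundle (or an encrypted one with its passphrase supplied), loads the bundle through Python's ssl module so that OpenSSL confirms the private key belongs to the client certificate. The sample bundles at the bottom are constructed placeholders with dummy base64 bodies, so only the structural inspection says anything meaningful about them; the assumption that a second CERTIFICATE block is the vault CA certificate is a convention of this script.

```python
"""Pre-upload inspection of a Safeguard TLS certificate bundle (PEM).

Hypothetical helper written for this page; not part of BMC Discovery or
Safeguard. It answers the questions the Vault Management form asks: is there
a client certificate plus a private key, and is the key encrypted (in which
case "Set TLS Bundle Passphrase" must be selected)?
"""
import os
import re
import ssl
import tempfile
from dataclasses import dataclass, field
from typing import Optional

# One PEM block; the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


@dataclass
class BundleReport:
    certificates: int = 0
    private_keys: int = 0
    key_encrypted: bool = False
    problems: list = field(default_factory=list)

    @property
    def passphrase_required(self) -> bool:
        """True when BMC Discovery needs a passphrase to use the key."""
        return self.key_encrypted

    @property
    def includes_ca(self) -> bool:
        """Assumption: a second CERTIFICATE block is the vault CA certificate."""
        return self.certificates >= 2

    @property
    def ok(self) -> bool:
        return not self.problems


def inspect_bundle(pem_text: str) -> BundleReport:
    """Classify the PEM blocks in a bundle (structure only, no crypto checks)."""
    report = BundleReport()
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            report.certificates += 1
        elif label.endswith("PRIVATE KEY"):
            report.private_keys += 1
            # PKCS#8 encrypted keys carry their own label; legacy OpenSSL keys
            # (RSA/EC PRIVATE KEY) signal encryption with a Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                report.key_encrypted = True
        else:
            report.problems.append(f"unexpected PEM block: {label}")
    if report.certificates == 0:
        report.problems.append("no client certificate found")
    if report.private_keys == 0:
        report.problems.append("no private key found")
    elif report.private_keys > 1:
        report.problems.append("more than one private key found")
    return report


def key_matches_certificate(pem_text: str, passphrase: Optional[str] = None) -> bool:
    """Load the bundle as a TLS client would; OpenSSL rejects a key/cert mismatch.

    Returns False instead of raising, and refuses to call OpenSSL with an
    encrypted key and no passphrase (OpenSSL would otherwise prompt on a TTY).
    """
    if inspect_bundle(pem_text).passphrase_required and passphrase is None:
        return False
    path = None
    try:
        with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
            fh.write(pem_text)
            path = fh.name
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
        ctx.load_cert_chain(path, password=passphrase)  # verifies key vs cert
        return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False
    finally:
        if path:
            os.unlink(path)


# Constructed sample bundles: the "AAAA" bodies are placeholders, not real
# certificates or keys, so key_matches_certificate() is False for all of them.
_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_PLAIN = _CERT + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_WITH_CA = (
    _CERT
    + "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
    + _CERT  # assumed to be the vault CA certificate
)
SAMPLE_LEGACY_ENCRYPTED = (
    _CERT
    + "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    + "DEK-Info: AES-256-CBC,0000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_CERT_ONLY = _CERT

if __name__ == "__main__":
    for name, pem in [("plain", SAMPLE_PLAIN), ("pkcs8-enc", SAMPLE_ENCRYPTED_WITH_CA),
                      ("legacy-enc", SAMPLE_LEGACY_ENCRYPTED), ("cert-only", SAMPLE_CERT_ONLY)]:
        r = inspect_bundle(pem)
        print(f"{name}: ok={r.ok} passphrase_required={r.passphrase_required} "
              f"includes_ca={r.includes_ca} problems={r.problems}")
```

Run it against the bundle your Safeguard Vault administrator supplied (read the file and pass its text to the two functions) before filling in the form: if passphrase_required is True, select Set TLS Bundle Passphrase; if key_matches_certificate returns False for a bundle whose structure looks fine, the key and certificate were not issued together and the connection test in step 4 will fail.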


Example of using a credential from Safeguard for Privileged Passwords in BMC Discovery

After you save the integration between BMC Discovery and Safeguard for Privileged Passwords, you must test whether BMC Discovery can successfully access and use the credentials stored in the Safeguard Vault.

In this example, we test the credential usage by creating an SSH credential from the appliance/instance UI and then running a discovery scan from the appliance/instance.

  1. From the main menu, click Manage > Credentials.
    The Credentials page is displayed.
    Alternatively, if you have registered an Outpost and want to use it, then from the main menu in BMC Discovery Outpost, click Manage > Credentials.

  2. Click Add and select a host of type SSH.
    The Add Credential page is displayed.



  3. Configure the default UI fields, such as Label and Vault source. For information about such fields, see Adding credentials.
  4. Configure the remaining UI fields specific to Safeguard for Privileged Passwords according to the following table:

    Section: General

    User: Safeguard Service Account Name

    Specify the service account that Safeguard for Privileged Passwords uses to securely manage accounts and passwords on the asset.

    User: Safeguard Asset Name

    Specify the name of the asset associated with the Service Account. For example, Microsoft Active Directory can be an asset name whose accounts and passwords you manage through a service account.

    Section: SSH

    SSH Key: Safeguard Service Account Name

    Specify the service account that Safeguard for Privileged Passwords uses to securely manage accounts and passwords on the asset.

    This field is applicable if you use an SSH key on the host instead of a password.

    SSH Key: Safeguard Asset Name

    Specify the name of the asset associated with the Service Account.

    This field is applicable if you use an SSH key on the host instead of a password.

    SSH Authentication

    To use an SSH key or password, select Key or Password. If you have not configured an SSH key, Key is disabled.


  5. Click Apply to save the credential.
    The new credential is displayed on the Manage > Credentials page, Credentials tab.



  6. From the Actions list, select Test.
    The Test Credential dialog box is displayed.
  7. Enter the IP Address of the host that you want to test, and click Test.
    The Tests tab displays the success or failure of the credential test.
    If the page displays Success, proceed with the remaining steps. In case of Failure, edit the credential and verify that you have entered valid values in all fields.
  8. In the BMC Discovery UI, go to Manage > Discovery.
  9. Click Add New Run to perform a test scan.
    The Add New Run dialog box is displayed.
  10. Configure the fields of the Add New Run dialog box and perform a scan. For information about the fields, see Performing a discovery run.
  11. After the scan is complete, go to the DiscoveryAccess page.
    You can see that BMC Discovery succeeded in finding the host using the Safeguard Vault credential.

Additional information—adding different credential types

In general, a BMC Discovery credential type (such as Cloud, Database, and so on) need not exactly match a Safeguard asset or credential type. In Safeguard for Privileged Passwords, you can set up, for example, a UNIX CentOS asset that authenticates with a Username/Password, which you can then use for any BMC Discovery credential having a Username/Password combination. 

Example: It is possible to add a cloud credential, such as Amazon Web Services (AWS), by performing the following tasks:

  1. In Safeguard for Privileged Passwords, add the cloud credential by saving the AWS Access Key ID as the Account Name and the AWS Access Key Secret as the Password. You can store these fields as a Linux Host or a similar asset type that stores a credential as a Username/Password combination.
  2. In BMC Discovery, select Manage > Credentials, add the Safeguard credential as an Amazon Web Services credential (available under the Cloud group), enter valid values in the Safeguard-specific fields, and save the AWS credential as shown in the following screenshots.  
