Integrating with Thycotic Secret Server
Thycotic Secret Server is application software that helps you to store and manage credentials securely, according to policies that your organization might require.
You can configure the integration with Thycotic Secret Server using the vault providers page in the BMC Discovery Outpost.
For information on integrating BMC Helix Discovery with Thycotic Secret Server, see the following video (04:57):
Before you begin
Credential broker performance testing
Credential brokers are designed with human interaction in mind. When BMC Helix Discovery is scanning, it can make many simultaneous API calls. Before putting an integration with any supported credential broker into production, you should perform scale and performance testing in your IT environment.
To integrate with Thycotic Secret Server
- From the main menu in the BMC Discovery Outpost, click Manage > Vault Providers.
The Manage Vault page opens.
Select the Thycotic Secret Server tab.
Enter the settings appropriate to your Thycotic Secret Server on the page.
A read-only display showing the status of the integration with Thycotic Secret Server. This can be one of: WORKING, DISABLED, or messages such as TEST OK, TEST ERROR, or ERROR and an explanatory message.
Select the check box to enable the integration with Thycotic Secret Server.
The URL of Thycotic Secret Server. Only HTTPS URLs are permitted. This field is mandatory.
You should ask your Thycotic Secret Server administrator for the URL, user name, and password to access Thycotic Secret Server.
A user name for Thycotic Secret Server. This field is mandatory.
Field in which you can enter the password. To make the field editable, select the check box and set the password. The password is not displayed.
The time (in minutes) for which the password is guaranteed to remain valid. The default is 15 minutes and the minimum is one minute.
Timeout (in seconds)
The timeout (in seconds) for requests to the provider. The default is 300 seconds.
SSL Certificate Check
Select the check box to enable an SSL certificate check against the server. The result is reported in the Status message.
- Click Test to test the connection. The configuration is not saved until you click the Apply button.
- Click Apply to save and apply the configuration.
The integration between BMC Helix Discovery and Thycotic Secret Server is complete. See Adding credentials for information on using credentials from Thycotic Secret Server to access discovery targets.
How credentials are stored in Thycotic Secret Server
For information on configuring credentials in Thycotic Secret Server, see the .
Credentials are referred to as Secrets in Thycotic Secret Server, and are all named. You access the credentials from the BMC Helix Discovery credentials UI using a series of filters to uniquely identify the element of the credential to use. For example, for a server called "server74", the following details are configured in Thycotic Secret Server:
- Secret Name — server74
- Unix Account (SSH)
- Username — discovery. A UNIX account called discovery and its corresponding password
- Secret Name — server74
Unix Root Account (SSH)
Username — root. A UNIX root account and its corresponding password
There are two secrets concerning this server, they are both called "server74". The first filter to add is to locate the required secret; that is, "Secret Name" is "server74". However, this does not uniquely identify the credential, an additional filter is required. We can use the Username field for this, so for the discovery user we can add "Username" is "discovery", which uniquely identifies that credential. We can do the same for the root credential.
To use a credential from Thycotic Secret Server in BMC Helix Discovery
In this example, in Thycotic Secret Server, the credential name is stored under the heading "Secret Name", so in the BMC Helix Discovery you add a filter with the name "Secret Name" and the name of the secret you want to use. You use additional filters for components of a credential, such as user name and password, or ssh key and passphrase. Additional filters are populated for each credential type automatically, using the Thycotic templates (Secret Templates) that you use to create credentials in Thycotic Secret Server.
The following screenshot shows adding the credential for server74: