Integrating with BeyondTrust Password Safe

BeyondTrust Password Safe is application software that helps you to store and manage credentials securely, according to policies that your organization might require.

You can configure the integration with BeyondTrust Password Safe using the vault providers page in the BMC Discovery Outpost.

Before you begin


Credential broker performance testing

Credential brokers are designed with human interaction in mind. When BMC Helix Discovery is scanning, it can make many simultaneous API calls. Before putting an integration with any supported credential broker into production, you should perform scale and performance testing in your IT environment.

To integrate with BeyondTrust Password Safe

  1. From the main menu in the BMC Discovery Outpost, click Manage > Vault Providers.
    The Manage Vault page opens. 
  2. Select the BeyondTrust Password Safe tab.

  3. Enter the settings appropriate to your BeyondTrust Password Safe on the page:

    Field Name



    A read-only display showing the status of the integration with BeyondTrust Password Safe. This can be one of: WORKING, DISABLED, or messages such as TEST OK, TEST ERROR, or ERROR and an explanatory message.


    Select the check box to enable the integration with BeyondTrust Password Safe.


    The URL of BeyondTrust Password Safe. Only HTTPS URLs are permitted. This field is mandatory.

    You should ask your BeyondTrust Password Safe administrator for the URL, API key, user name, and password to access BeyondTrust Password Safe.

    Set API Key

    Field in which you can enter an API key. To make the field editable, select the check box and paste in the key. The key is not displayed. This field is mandatory.

    User Name

    A user name for BeyondTrust Password Safe. This field is mandatory.

    Set Password

    Field in which you can enter the password corresponding to the User name.
    To make the field editable, select the check box and set the password. The password is not displayed.

    Checkout Duration
    (in minutes)

    The time (in minutes) for which the password is guaranteed to remain valid. The default is 15 minutes and the minimum is one minute.

    Timeout (in seconds)

    The timeout (in seconds) for requests to the provider. The default is 300 seconds and the minimum 5 seconds.

    SSL Certificate Check

    Select to enable an SSL certificate check against the server. The result is reported in the Status message.

  4. Click Test to test the connection. The configuration is not saved until you click the Apply button.
  5. Click Apply to save and apply the configuration.
The integration between BMC Helix Discovery and BeyondTrust Password Safe is complete. For information on using credentials from BeyondTrust Password Safe to access discovery targets, see Adding credentials.

How credentials are stored in BeyondTrust Password Safe

The credentials stored in BeyondTrust Password Safe are linked to an asset. You create the asset, and then add credentials to that asset, according to the BeyondTrust Password Safe documentation

Credential parameters in BeyondTrust Password Safe, the corresponding BMC Helix Discovery  Add Credential field name, and a description of their meaning in BMC Helix Discovery are shown in the following table:

BeyondTrust Password Safe parameter

BMC Helix Discovery Add Credential field name

Meaning in BMC Helix Discovery


BeyondTrust System

The name of the system in BeyondTrust Password Safe is taken from the asset name. 

The system name should be considered as the credential name in BMC Helix Discovery. It has no effect on the target that BMC Helix Discovery scans, it simply locates the credential in BeyondTrust Password Safe.


BeyondTrust Account

The user name with which to access the discovery target. The integration retrieves the corresponding password from BeyondTrust Password Safe.

There might be more than one account for each system. For example, an account called discovery and one called root or admin for discovering targets using elevated permissions.

To use a credential from BeyondTrust Password Safe in BMC Helix Discovery

In this example there is a server called "server74". The following details are configured in BeyondTrust Password Safe:

  • System — server74
    • Account — discovery. A UNIX account called discovery and its corresponding password
    • Account — root. A UNIX root account for the server and its corresponding password

For the discovery account, you specify the credential using server74 for the system and discovery for the user.

For the root account, you specify the credential using server74 for the system and root for the user.

The following screenshot shows adding the credential for server74:

Was this page helpful? Yes No Submitting... Thank you


  1. Anuparn Padalia

    How BeyondTrust Vault works with Windows Proxies and how it can manage Windows Discovery? I think if some more details can be added around this in Documents will be helpful.

    Aug 18, 2020 08:18
    1. Duncan Tweed


      We do not use Windows proxies with BMC Helix Discovery. All of the configuration on this page is in the BMC Discovery Outpost, which is the application that you install on a Windows host in your premises/datacenter. The Outpost can perform Windows discovery without the need for a Windows proxy. There's more information on Outposts and how they relate to BMC Helix Discovery here

      I hope this helps.


      Oct 01, 2020 07:44