Integrating with BeyondTrust Password Safe
BeyondTrust Password Safe is application software that helps you to store and manage credentials securely, according to policies that your organization might require.
You can configure the integration with BeyondTrust Password Safe using the vault providers page in the BMC Discovery Outpost.
Before you begin
Credential broker performance testing
Credential brokers are designed with human interaction in mind. When BMC Helix Discovery is scanning, it can make many simultaneous API calls. Before putting an integration with any supported credential broker into production, you should perform scale and performance testing in your IT environment.
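The following added example (not BMC or BeyondTrust code) sketches a burst test harness for the scale testing described above: it fires many credential lookups at once and reports how many would exceed the configured request timeout. `StubBroker`, `burst_test`, and all timings are constructed for illustration; in a real test, pass in a fetch function that calls your own test instance of the broker.

```python
import math
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class StubBroker:
    """Constructed stand-in for a broker that serves only `capacity`
    requests at a time, each taking `service_s` seconds."""
    def __init__(self, capacity, service_s):
        self._slots = threading.Semaphore(capacity)
        self._service_s = service_s

    def fetch(self, system, account):
        with self._slots:                    # extra callers queue here
            time.sleep(self._service_s)
        return f"pw-for-{account}@{system}"  # constructed value, not a real secret

def burst_test(fetch, lookups, timeout_s):
    """Fire all lookups at once, as a scan would, and time each one
    from the start of the burst. Returns a summary dict."""
    t0 = time.perf_counter()

    def timed(pair):
        try:
            fetch(*pair)
            ok = True
        except Exception:
            ok = False
        return ok, time.perf_counter() - t0

    with ThreadPoolExecutor(max_workers=len(lookups)) as pool:
        results = list(pool.map(timed, lookups))
    latencies = sorted(lat for _, lat in results)
    return {
        "requests": len(results),
        "errors": sum(1 for ok, _ in results if not ok),
        "over_timeout": sum(1 for lat in latencies if lat > timeout_s),
        "p95_s": latencies[math.ceil(0.95 * len(latencies)) - 1],
        "max_s": latencies[-1],
    }

if __name__ == "__main__":
    # 20 simultaneous lookups against a broker that handles 2 at a time.
    broker = StubBroker(capacity=2, service_s=0.02)
    lookups = [("server74", "discovery"), ("server74", "root")] * 10
    print(burst_test(broker.fetch, lookups, timeout_s=0.1))
```

With the stub, worst-case latency grows roughly as (simultaneous requests / broker capacity) × service time, which is the queueing effect to look for when comparing measured latencies against the Timeout setting.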
To integrate with BeyondTrust Password Safe
- From the main menu in the BMC Discovery Outpost, click Manage > Vault Providers.
The Manage Vault page opens.
- Select the BeyondTrust Password Safe tab.
- Enter the settings appropriate to your BeyondTrust Password Safe on the page:
A read-only display showing the status of the integration with BeyondTrust Password Safe. This can be one of: WORKING, DISABLED, or messages such as TEST OK, TEST ERROR, or ERROR and an explanatory message.
Select the check box to enable the integration with BeyondTrust Password Safe.
The URL of BeyondTrust Password Safe. Only HTTPS URLs are permitted. This field is mandatory.
You should ask your BeyondTrust Password Safe administrator for the URL, API key, user name, and password to access BeyondTrust Password Safe.
Set API Key
Field in which you can enter an API key. To make the field editable, select the check box and paste in the key. The key is not displayed. This field is mandatory.
A user name for BeyondTrust Password Safe. This field is mandatory.
Field in which you can enter the password corresponding to the User name.
To make the field editable, select the check box and set the password. The password is not displayed.
The time (in minutes) for which the password is guaranteed to remain valid. The default is 15 minutes and the minimum is one minute.
Timeout (in seconds)
The timeout (in seconds) for requests to the provider. The default is 300 seconds and the minimum is 5 seconds.
SSL Certificate Check
Select to enable an SSL certificate check against the server. The result is reported in the Status message.
- Click Test to test the connection. The configuration is not saved until you click the Apply button.
- Click Apply to save and apply the configuration.
How credentials are stored in BeyondTrust Password Safe
The credentials stored in BeyondTrust Password Safe are linked to an asset. You create the asset, and then add credentials to that asset, according to the .
Credential parameters in BeyondTrust Password Safe, the corresponding BMC Helix Discovery Add Credential field name, and a description of their meaning in BMC Helix Discovery are shown in the following table:
BeyondTrust Password Safe parameter
BMC Helix Discovery Add Credential field name
Meaning in BMC Helix Discovery
The name of the system in BeyondTrust Password Safe is taken from the asset name.
The system name should be considered as the credential name in BMC Helix Discovery. It has no effect on the target that BMC Helix Discovery scans; it simply locates the credential in BeyondTrust Password Safe.
The user name with which to access the discovery target. The integration retrieves the corresponding password from BeyondTrust Password Safe.
There might be more than one account for each system. For example, an account called
To use a credential from BeyondTrust Password Safe in BMC Helix Discovery
In this example there is a server called "server74". The following details are configured in BeyondTrust Password Safe:
- System — server74
- Account — discovery. A UNIX account called discovery and its corresponding password
- Account — root. A UNIX root account for the server and its corresponding password
For the discovery account, you specify the credential using server74 for the system and discovery for the user.
For the root account, you specify the credential using server74 for the system and root for the user.
The following screenshot shows adding the credential for server74: