
Important This documentation space contains information about the SaaS version of BMC Helix Discovery. If you are using the on-premises version of BMC Helix Discovery, see BMC Helix Discovery 25.2 (On-Premises).

Integrating with One Identity Safeguard for Privileged Passwords


One Identity Safeguard for Privileged Passwords (Safeguard for Privileged Passwords or Safeguard) is application software that acts as a vault to store and manage credentials and secure the assets in your IT environment. Your assets include computers, servers, network devices, directories, and applications.

As a credential broker, Safeguard for Privileged Passwords automates, controls, and secures the process of granting privileged credentials with role-based access management and automated workflows.


Before you begin

Before you start integrating BMC Helix Discovery with Safeguard for Privileged Passwords, you must have:

  • Installed Safeguard for Privileged Passwords and completed the necessary configuration to ensure that your assets' credentials are already saved in the Safeguard Vault. For more information, consult your Safeguard Vault administrator and the Safeguard documentation.

  • Added asset details in Safeguard for Privileged Passwords from the Application to Application (A2A) option under Settings > External Integration.

Important

The integration of BMC Helix Discovery with Safeguard for Privileged Passwords supports only credentials of type Password (including Microsoft Active Directory), SSH Key, and Private Keys. This restriction is due to the limitation imposed by the Safeguard Application to Application (A2A) REST API.

Credential broker performance testing

Credential brokers, such as Safeguard for Privileged Passwords, are designed with human interaction in mind. When BMC Helix Discovery scans your IT environment, BMC Helix Discovery can make many simultaneous API calls. Before you put the integration with a supported credential broker into production, we recommend that you conduct scale and performance testing in your IT environment.

For information on integrating BMC Helix Discovery with Safeguard for Privileged Passwords, see the following video (07:54):

https://youtu.be/VsIorTtpbdI

To integrate BMC Helix Discovery with Safeguard for Privileged Passwords


  1. From the main menu in BMC Discovery Outpost, select Manage > Vault Providers.
    The Manage > Vault page is displayed.
  2. Click the Safeguard Vault tab.

    safeguardtab_outpost.png

  3. Specify the following settings relevant to your installation of Safeguard Vault.

    Field Name

    Description

    Status

    A read-only message showing the current status of the integration with Safeguard Vault. The message is ACTIVE, DISABLED, or a result such as TEST OK, TEST ERROR, or ERROR, followed by an explanatory message.

    Enabled

    Select the check box to enable the integration with Safeguard Vault.

    URL

    Enter the URL of Safeguard Vault. Only HTTPS URLs are permitted. This field is required.

    You must obtain the URL, user name, and password to access Safeguard Vault from your Safeguard Vault administrator.

    Safeguard Application Name

    Enter the name assigned to the application's registration in Safeguard for Privileged Passwords. You must have registered the Application Name earlier in Safeguard for Privileged Passwords. For more information about configuring the application name, see the Administration Guide in the Safeguard documentation.

    TLS Certificate Bundle

    Click Choose File to select the TLS certificate bundle file from your system. The TLS certificate bundle must be in the PEM format. The bundle must include the client certificate and the private key for the BMC Helix Discovery instance, and can optionally include the CA certificate of the vault. Consult your Safeguard Vault administrator to get the certificate bundle.

    BMC Helix Discovery accesses the Safeguard Vault server by using the Transport Layer Security (TLS) certificate bundle authentication method. For more information about this, see the Safeguard documentation at How to setup Certificate authentication for Safeguard users.

    Set TLS Bundle Passphrase

    By default, the TLS bundle passphrase is not displayed. Proceed as follows:

    • If your TLS certificate bundle is not encrypted, no passphrase is required; leave this field empty.
    • If the TLS certificate bundle is encrypted with a passphrase, BMC Helix Discovery needs that passphrase to decrypt and use the bundle at runtime. Select the check box and enter the passphrase.

    Checkout Duration (in minutes)

    Enter the time (in minutes) for which the password remains valid. The default is 15 minutes and the minimum is one minute.

    Timeout (in seconds)

    Enter the timeout (in seconds) for requests sent to the Safeguard Vault server. The default is 300 seconds.

    TLS Certificate Check

    Enable or disable the TLS certificate check. By default, BMC Discovery Outpost verifies the TLS certificate presented by the Safeguard Vault server. You can clear the check box to disable this verification, but because it removes the check of the server's identity, do so only in a test environment. The result of the test is reported in the Status field.

  4. Click Test to test the connection between BMC Helix Discovery and the Safeguard Vault server. 

    If your configuration details are correct, the Status field displays a success message. If the Status field displays an error message, consult your Safeguard Vault administrator to ensure that the field values are correct and the Safeguard Vault server is up and running. 

  5. Click Apply to save the configuration.

Important

The configuration is not saved until you click the Apply button.

The integration between BMC Helix Discovery and Safeguard for Privileged Passwords is complete.
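The TLS Certificate Bundle and Set TLS Bundle Passphrase fields above require a PEM bundle with the client certificate, exactly one private key, and an optional vault CA certificate, plus a passphrase only when that key is encrypted. The following added example (not BMC's or One Identity's code, and no part of this page) lints a bundle for those conditions before you upload it: it parses the PEM blocks, detects PKCS#8 and legacy OpenSSL encrypted keys, and reports whether the passphrase check box setting matches the file. The sample bundles are constructed placeholders with valid base64 but no real key material, so the script runs offline.

```python
import base64
import binascii
import re

# One PEM block: a BEGIN/END marker pair with matching label, optional
# RFC 1421 headers (legacy encrypted keys), and a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
              "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, headers, base64_body)] for every PEM block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        lines = match.group("body").splitlines()
        headers = {}
        # Legacy OpenSSL encryption announces itself with "Proc-Type: 4,ENCRYPTED"
        # and "DEK-Info:" header lines, terminated by one blank line.
        if lines and ":" in lines[0]:
            i = 0
            while i < len(lines) and lines[i].strip():
                key, _, value = lines[i].partition(":")
                headers[key.strip()] = value.strip()
                i += 1
            lines = lines[i + 1:]
        body = "".join(line.strip() for line in lines)
        blocks.append((match.group("label"), headers, body))
    return blocks


def check_bundle(text, passphrase_set):
    """Lint a PEM bundle against what the vault-provider form expects.

    passphrase_set mirrors the 'Set TLS Bundle Passphrase' check box.
    Returns counts, the encryption flag and a list of problems; an empty
    list means the bundle is consistent with the form settings.
    """
    blocks = parse_pem(text)
    certs = [b for b in blocks if b[0] in CERT_LABELS]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    problems = []

    if not blocks:
        problems.append("no PEM blocks found (DER or PKCS#12 input is not accepted)")
    if not certs:
        problems.append("missing CERTIFICATE block: the client certificate is required")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, _headers, body in blocks:
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append(f"{label} block has a malformed base64 body")

    # PKCS#8 encrypted keys use a distinct label; legacy keys use the Proc-Type header.
    encrypted = any(
        label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type") == "4,ENCRYPTED"
        for label, headers, _body in keys
    )
    if encrypted and not passphrase_set:
        problems.append("private key is encrypted: select 'Set TLS Bundle Passphrase' and enter it")
    if not encrypted and passphrase_set:
        problems.append("private key is not encrypted: leave the passphrase unset")

    return {"certificates": len(certs), "keys": len(keys),
            "encrypted": encrypted, "problems": problems}


def _placeholder_body(tag):
    # Constructed placeholder: valid base64, but NOT real certificate or key material.
    return base64.b64encode(f"placeholder {tag}".encode()).decode()


# Constructed sample 1: client cert + unencrypted PKCS#8 key + vault CA cert.
SAMPLE_PLAIN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + _placeholder_body("client cert") + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n" + _placeholder_body("client key") + "\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n" + _placeholder_body("vault ca") + "\n-----END CERTIFICATE-----\n"
)

# Constructed sample 2: client cert + legacy passphrase-encrypted RSA key, no CA cert.
SAMPLE_ENCRYPTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + _placeholder_body("client cert") + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n" + _placeholder_body("encrypted key") + "\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, bundle, passphrase in [("plain", SAMPLE_PLAIN_BUNDLE, False),
                                     ("encrypted", SAMPLE_ENCRYPTED_BUNDLE, False)]:
        print(name, check_bundle(bundle, passphrase_set=passphrase))
```

To lint a real file, read it into a string and call check_bundle(text, passphrase_set=True/False) with the value you intend to set in the form; the checker only inspects PEM structure and never decrypts or loads the key, so it can run on a workstation without the passphrase.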

Example of using a credential from Safeguard for Privileged Passwords in BMC Helix Discovery

After you save the integration between BMC Helix Discovery and Safeguard for Privileged Passwords, you must test whether BMC Helix Discovery can successfully access and use the credentials stored in the Safeguard Vault.

In this example, we test credential usage by creating an SSH credential in the appliance/instance UI and then running a discovery scan from the appliance/instance.

  1. In the BMC Discovery Outpost, click Manage > Credentials.
  2. Click Add and select a host of type SSH.
    The Add Credential page is displayed.

    safeguard_credential.png

  3. Configure the default UI fields, such as Label and Vault source. For information about such fields, see Adding-credentials.
  4. Configure the remaining UI fields specific to Safeguard for Privileged Passwords according to the following table:

    Section

    Field

    Description

    General

    User: Safeguard Service Account Name 

    Specify the service account that Safeguard for Privileged Passwords uses to securely manage accounts and passwords on the asset.

    User: Safeguard Asset Name

    Specify the name of the asset associated with the Service Account. For example, Microsoft Active Directory can be an asset name whose accounts and passwords you manage through a service account.

    SSH

    SSH Key: Safeguard Service Account Name

    Specify the service account that Safeguard for Privileged Passwords uses to securely manage accounts and passwords on the asset.

    This field is applicable if you use an SSH key on the host instead of passwords.

    SSH Key: Safeguard Asset Name

    Specify the name of the asset associated with the Service Account.

    This field is applicable if you use an SSH key on the host instead of passwords.

    SSH Authentication

    To use an SSH key or password, select Key or Password. If you have not configured an SSH key, Key is disabled.

  5. Click Apply to save the credential.
    The new credential is displayed on the Manage > Credentials page, Credentials tab.

    safeguard_credential_test.png

  6. From the Actions list, select Test.
    The Test Credential dialog box is displayed.
  7. Enter the IP address of the host that you want to test, and click Test.
    The Tests tab displays the success or failure of the credential test.
    If the page displays Success, proceed with the remaining steps. In case of Failure, edit the credential and verify that you have entered valid values in all fields.
  8. In the BMC Helix Discovery UI, go to Manage > Discovery.
  9. Click Add New Run to perform a test scan.
    The Add New Run dialog box is displayed.
  10. Configure the fields of the Add New Run dialog box and perform a scan. For information about the fields, see Performing-a-discovery-run.
  11. After the scan is complete, go to the DiscoveryAccess page.
    You can see that BMC Helix Discovery succeeded in finding the host using the Safeguard Vault credential.

    safeguard_credential_test_success.png

Additional information—adding different credential types

In general, a BMC Helix Discovery credential type (such as Cloud, Database, and so on) need not exactly match a Safeguard asset or credential type. In Safeguard for Privileged Passwords, you can set up, for example, a UNIX CentOS asset that authenticates with a Username/Password, which you can then use for any BMC Helix Discovery credential having a Username/Password combination. 

Example: It is possible to add a cloud credential, such as Amazon Web Services (AWS), by performing the following tasks:

  1. In Safeguard for Privileged Passwords, add the cloud credential by saving the AWS Access Key ID as the Account Name and the AWS Access Key Secret as the Password. You can store these fields as a Linux Host or a similar asset type that stores a credential as a Username/Password combination.
  2. In BMC Helix Discovery, select Manage > Credentials, add the Safeguard credential as an Amazon Web Services credential (available under the Cloud group), enter valid values in the Safeguard-specific fields, and save the AWS credential as shown in the following screenshots.  

    safeguard_aws.png

    safeguard_aws_credential.png
