Integrating with Thycotic Secret Server
For information on integrating BMC Discovery with Thycotic Secret Server, see the following video (04:57):
Before you begin
To integrate with Thycotic Secret Server
For the BMC Discovery appliance to be able to access Thycotic Secret Server, you must also perform the integration from the appliance. For a registered BMC Discovery Outpost to be able to access Thycotic Secret Server, you must also perform the integration from the BMC Discovery Outpost.
To integrate the BMC Discovery appliance with Thycotic Secret Server:
- From the main menu of the appliance UI, click the Administration icon.
  The Administration page opens.
- In the Discovery section, click Vault Management.
To integrate the BMC Discovery Outpost with Thycotic Secret Server:
- From the main menu in the BMC Discovery Outpost, click Manage > Vault Providers.
  The Manage Vault page opens.
- Select the Thycotic Secret Server tab.
Enter the settings appropriate to your Thycotic Secret Server on the page:
| Field Name | Description |
|---|---|
| Status | A read-only display showing the status of the integration with Thycotic Secret Server. This can be one of: WORKING, DISABLED, or messages such as TEST OK, TEST ERROR, or ERROR and an explanatory message. |
| Enabled | Select the check box to enable the integration with Thycotic Secret Server. |
| URL | The URL of Thycotic Secret Server. Only HTTPS URLs are permitted. This field is mandatory. You should ask your Thycotic Secret Server administrator for the URL, user name, and password to access Thycotic Secret Server. |
| User Name | A user name for Thycotic Secret Server. This field is mandatory. |
| Set Password | Field in which you can enter the password. To make the field editable, select the check box and set the password. The password is not displayed. |
| Checkout Duration (in minutes) | The time (in minutes) for which the password is guaranteed to remain valid. The default is 15 minutes and the minimum is one minute. |
| Timeout (in seconds) | The timeout (in seconds) for requests to the provider. The default is 300 seconds. |
| SSL Certificate Check | Select the check box to enable an SSL certificate check against the server. The result is reported in the Status message. |
- Click Test to test the connection.
- The configuration is not saved until you click the Apply button.
- Click Apply to save and apply the configuration.
The integration between BMC Discovery and Thycotic Secret Server is complete. See Adding credentials for information on using credentials from Thycotic Secret Server to access discovery targets.
How credentials are stored in Thycotic Secret Server
For information on configuring credentials in Thycotic Secret Server, see the product documentation.
Credentials are referred to as Secrets in Thycotic Secret Server, and are all named. You access the credentials from the BMC Discovery credentials UI using a series of filters to uniquely identify the element of the credential to use. For example, for a server called "server74", the following details are configured in Thycotic Secret Server:
- Secret Name — server74
- Unix Account (SSH)
- Username — discovery. A UNIX account called discovery and its corresponding password
- Secret Name — server74
- Unix Root Account (SSH)
- Username — root. A UNIX root account and its corresponding password
There are two secrets for this server, and both are called "server74". The first filter locates the required secret; that is, "Secret Name" is "server74". However, this does not uniquely identify the credential, so an additional filter is required. We can use the Username field for this: for the discovery user, adding "Username" is "discovery" uniquely identifies that credential. We can do the same for the root credential.
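The filter logic described above, modelled as an added example (not BMC Discovery or Thycotic code). The list-of-dicts layout, the "Template" key, the "server75" entry and the function names are assumptions made for illustration. The resolver fails closed on an ambiguous match so that a filter on "Secret Name" alone can never silently select the root secret; how BMC Discovery itself handles an ambiguous match is not stated on this page.

```python
# Constructed sample data modelled on the page's "server74" example.
# Field values come from the page; the dict layout and "Template" key are hypothetical.
SECRETS = [
    {"Secret Name": "server74", "Template": "Unix Account (SSH)", "Username": "discovery"},
    {"Secret Name": "server74", "Template": "Unix Root Account (SSH)", "Username": "root"},
    {"Secret Name": "server75", "Template": "Unix Account (SSH)", "Username": "discovery"},
]


class AmbiguousFilter(Exception):
    """Raised when the filters match more than one secret."""


def match_secrets(secrets, filters):
    """Return every secret whose fields equal all filter values."""
    return [s for s in secrets
            if all(s.get(field) == value for field, value in filters.items())]


def distinguishing_fields(matches):
    """List the fields whose values differ across the matched secrets."""
    fields = sorted({f for s in matches for f in s})
    return [f for f in fields if len({s.get(f) for s in matches}) > 1]


def resolve_secret(secrets, filters):
    """Return the single matching secret, or fail closed.

    Refusing an ambiguous match avoids silently picking, for example,
    the root secret when the discovery account was intended.
    """
    matches = match_secrets(secrets, filters)
    if not matches:
        raise LookupError(f"no secret matches {filters}")
    if len(matches) > 1:
        hint = ", ".join(distinguishing_fields(matches))
        raise AmbiguousFilter(
            f"{len(matches)} secrets match {filters}; add a filter on: {hint}")
    return matches[0]


if __name__ == "__main__":
    try:
        resolve_secret(SECRETS, {"Secret Name": "server74"})
    except AmbiguousFilter as exc:
        print(exc)
    print(resolve_secret(SECRETS, {"Secret Name": "server74", "Username": "discovery"}))
```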
To use a credential from Thycotic Secret Server in BMC Discovery
In this example, in Thycotic Secret Server, the credential name is stored under the heading "Secret Name", so in BMC Discovery you add a filter with the name "Secret Name" and the name of the secret you want to use. You use additional filters for components of a credential, such as user name and password, or SSH key and passphrase. Additional filters are populated for each credential type automatically, using the Thycotic templates (Secret Templates) that you use to create credentials in Thycotic Secret Server.
The following screenshot shows adding the credential for server74: