Purpose:
In the TPAM plugin's configuration file, you must provide the private key (server_user_key) of the CLI user that SPS uses when communicating with TPAM (server_user). This user must hold Information Security Administrator (ISA) access rights in TPAM. To obtain the key, download it from TPAM as described below.
To download the private key of the ISA CLI user
- Log in to TPAM using a TPAM Administrator account.
- Navigate to Users & Groups > User IDs > Manage User IDs.
- Click the Listing tab.
- Select the ISA CLI user.
- Click the Details tab.
- Click the Key Based tab.
- Select the CLI checkbox.
- Click Download Key.
This key must be stored in a local Credential Store in SPS. For details on how to do that, see Storing sensitive plugin data securely.
Purpose:
When mapping target user and target host names to their counterparts in TPAM (Account and System names), an extra round of mapping is performed if the system_maptoreal option is enabled.
This extra mapping only works if the corresponding custom attributes have been enabled in TPAM.
To enable custom attributes in TPAM
- Log in to TPAM with a TPAM System Administrator account.
- Navigate to System Status/Settings > Global Settings.
- Search for the Custom Column Names category.
- For the ManagedAccount.AccountCustom1 option, type Real Account in the field next to the option name.
- For the ManagedAccount.AccountCustom2 option, type Real System in the field next to the option name.
- Click Save Changes.
Expected result:
You are now able to set these parameters per account on the Custom Information tab.
TPAM plugin parameter reference
This section describes the available options of the TPAM plugin.
The plugin uses an ini-style configuration file with sections and name=value pairs. Each section starts with a [section] header and is followed by name=value entries. Leading whitespace is stripped from values. Values can contain format strings that refer to other values in the same section. For example, in the following section the %(dir)s reference resolves to the value of the dir entry (/var in this case).
[section name]
dirname=%(dir)s/mydirectory
dir=/var
All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.
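The format described above is the one Python's configparser implements (sections, name=value, comment lines, on-demand %(name)s expansion). The following is an added example, not code from the SPS plugin, that parses a constructed sample in this style and shows the one pitfall practitioners hit with this format: a value containing a bare % (typical of generated secrets) fails to read. The section and option names in the sample are hypothetical.

```python
import configparser

# Constructed sample in the plugin's ini style (not a real SPS configuration).
# It exercises the behaviours described above: comment lines, leading
# whitespace removal, and %(name)s references within the same section.
SAMPLE_CONFIG = """\
# lines starting with # or ; are comments
[section name]
dirname=%(dir)s/mydirectory
dir=/var
; leading whitespace before a value is removed
padded=      value

[tpam]
server=tpam.example.test
server_port=22
authorization=policy
reuse_gateway_password=no
"""


def load_config(text: str = SAMPLE_CONFIG) -> configparser.ConfigParser:
    """Parse ini text with configparser; BasicInterpolation is the
    %(name)s reference mechanism the format description refers to."""
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    parser.read_string(text)
    return parser


def resolved(parser: configparser.ConfigParser, section: str, option: str) -> str:
    # References are expanded here, when the value is read, not at parse time.
    return parser.get(section, option)


def raw(parser: configparser.ConfigParser, section: str, option: str) -> str:
    # raw=True returns the stored text with %(...)s left untouched.
    return parser.get(section, option, raw=True)


def interpolation_problem(value: str):
    """Report what configparser does with a value containing a bare '%'.

    Returns the exception class name raised on read, or None if the value
    reads cleanly. Generated passwords often contain '%', one more reason
    secrets belong in the Credential Store rather than in this file; a
    literal '%' that must appear in a value has to be written as '%%'.
    """
    parser = configparser.ConfigParser()
    parser.read_string(f"[s]\nv={value}\n")
    try:
        parser.get("s", "v")
    except configparser.InterpolationError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    cfg = load_config()
    print(resolved(cfg, "section name", "dirname"))   # /var/mydirectory
    print(raw(cfg, "section name", "dirname"))        # %(dir)s/mydirectory
    print(cfg.getboolean("tpam", "reuse_gateway_password"))
    print(interpolation_problem("s3cr%t"))            # InterpolationSyntaxError
```

Note that expansion happens on get(), so a dangling reference such as %(missing)s in an unused option is not detected when the file is loaded, only when that option is first read.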
You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.
[tpam]
authorization=policy
required_policy=<name-of-access-policy-required-to-be-present-for-authorization>
server=<hostname-or-IP-address-of-TPAM>
server_public_key=<public-key-of-TPAM>
server_port=<SSH-port-number-of-TPAM>
server_user=<TPAM-CLI-user-with-ISA-rights>
server_user_key=<private-key-of-server_user>
system_name_resolver=tpam
system_maptoreal=no
system_prefix=<your-preferred-prefix>
reuse_gateway_password=no
[plugin]
config_version=1
cred_store=<name-of-credential-store-hosting-sensitive-data>
log_level=info
This section contains the options related to the TPAM server.
[tpam]
authorization=policy
required_policy=<name-of-access-policy-required-to-be-present-for-authorization>
server=<hostname-or-IP-address-of-TPAM>
server_public_key=<public-key-of-TPAM>
server_port=<SSH-port-number-of-TPAM>
server_user=<TPAM-CLI-user-with-ISA-rights>
server_user_key=<private-key-of-server_user>
system_name_resolver=tpam
system_maptoreal=no
system_prefix=<your-preferred-prefix>
reuse_gateway_password=no
authorization
Type: approval | gateway | policy
Required: no
Default: gateway
Description: The authorization method used by TPAM to check whether the gateway user can be granted access to the target host. Possible values are:
- approval: Before providing the password required to access the target host, TPAM checks whether the gateway user is present in TPAM as a Requestor with approval to view the password.
- gateway: Access is granted without TPAM performing any checks.
- policy: Before providing the password required to access the target host, TPAM checks whether the gateway user has an access policy in TPAM for both the Account and System in question. If this value is configured, you must also configure required_policy.
required_policy
Type: string
Required: no
Default: Privileged Access
Description: Used only when authorization is set to policy. This parameter specifies the name of the access policy that is required to be present for access to be granted to the target host.
server
Type: string
Required: yes
Default: N/A
Description: The address of the TPAM server, either a hostname or an IP address.
server_public_key
Type: string
Required: yes
Default: N/A
Description: The public key of the TPAM server, tied to the hostname or IP address configured in server, which SPS uses to verify the TPAM server's identity before authenticating to it.
Must be provided in the OpenSSH known_hosts format, that is, a single line with three space-separated fields:
- the address of the server, either in plain text or hashed (|1|salt|hash)
- the host key type (for example, ecdsa-sha2-nistp256)
- the base64-encoded public key itself
Examples:
- current practice with hashed server address: |1|shAKuZdzJelKykkXBo+l4qpE+Fo=|J8oYavGEL2Rmo+u5R4r+Mdt7vuE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAy...
- legacy practice with plain-text server address: 10.170.1.30 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAy...
TIP:
To find out the public key of TPAM in the required format:
- Log in to the core shell of SPS (through the console or SSH). For details on how to access the SPS console, see "Accessing the One Identity Safeguard for Privileged Sessions (SPS) console" in the Administration Guide.
- Set up an SSH connection to TPAM. When prompted about the key fingerprint, compare it with the fingerprint obtained from the TPAM administrator through a separate channel, and only then answer yes: the entry written to known_hosts is only as trustworthy as this first connection.
- Search for the public key of TPAM in the known_hosts file using the following command:
ssh-keygen -F <hostname-or-IP-address-of-TPAM>
If TPAM listens on a port other than 22 (see server_port), query the entry as ssh-keygen -F '[<hostname-or-IP-address-of-TPAM>]:<port>', because OpenSSH records non-default ports in that bracketed form.
This command returns the key in the required format, which you can then copy and paste into the server_public_key field.
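To make the known_hosts format concrete, the following added example (not code from SPS or TPAM) parses an entry into its three fields, checks that the type embedded in the key blob agrees with the declared type field, and matches a hostname against both the plain and the hashed (|1|salt|hash, HMAC-SHA1 keyed with the salt) address forms, including the [host]:port form OpenSSH uses for non-default ports. The entries, the salt and the key blob are constructed placeholders: the blob contains only the length-prefixed type string of an ECDSA key, not a real TPAM key.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class KnownHost:
    host_field: str   # plain host, "[host]:port", comma-separated list, or "|1|salt|hash"
    key_type: str     # host key type, e.g. ecdsa-sha2-nistp256
    key_b64: str      # base64-encoded public key blob


def parse_entry(line: str) -> KnownHost:
    """Split a known_hosts line and sanity-check the key blob against its type field."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("known_hosts entry needs host, key type and key")
    host_field, key_type, key_b64 = fields[0], fields[1], fields[2]
    # An SSH public key blob starts with its own type as a uint32-length-prefixed
    # string; an entry whose blob disagrees with the declared type is corrupt.
    blob = base64.b64decode(key_b64)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"key blob is {embedded!r}, entry claims {key_type!r}")
    return KnownHost(host_field, key_type, key_b64)


def canonical_host(host: str, port: int = 22) -> str:
    """OpenSSH records hosts on non-default ports as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def hashed_host_field(name: str, salt: bytes) -> str:
    """Build the |1|salt|hash form: hash = HMAC-SHA1(key=salt, msg=name)."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(entry: KnownHost, host: str, port: int = 22) -> bool:
    """Does this entry apply to host:port, whichever address form it uses?"""
    name = canonical_host(host, port)
    hf = entry.host_field
    if hf.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hf.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return name in hf.split(",")   # plain form may list several names


# Constructed placeholders (hypothetical; not TPAM's real key or salt).
KEY_TYPE = "ecdsa-sha2-nistp256"
KEY_BLOB = base64.b64encode(struct.pack(">I", len(KEY_TYPE)) + KEY_TYPE.encode()).decode()
SALT = bytes(range(20))   # fixed so the example is deterministic
PLAIN_ENTRY = f"10.170.1.30 {KEY_TYPE} {KEY_BLOB}"
HASHED_ENTRY = f"{hashed_host_field('10.170.1.30', SALT)} {KEY_TYPE} {KEY_BLOB}"
PORT_ENTRY = f"{hashed_host_field(canonical_host('10.170.1.30', 2222), SALT)} {KEY_TYPE} {KEY_BLOB}"


if __name__ == "__main__":
    for line in (PLAIN_ENTRY, HASHED_ENTRY, PORT_ENTRY):
        e = parse_entry(line)
        print(e.key_type, host_matches(e, "10.170.1.30"), host_matches(e, "10.170.1.30", 2222))
```

Because the hashed form commits to exactly the canonical name, an entry recorded for [10.170.1.30]:2222 does not match 10.170.1.30 on port 22 and vice versa; that is the same reason ssh-keygen -F must be given the bracketed form when server_port is not 22.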
server_port
Type: integer
Required: no
Default: 22
Description: The port where TPAM is listening for SSH connections.
server_user
Type: string
Required: yes
Default: N/A
Description: The user name of a CLI user with Information Security Administrator (ISA) access rights to TPAM. SPS sets up the SSH connection to TPAM using this ISA CLI user. This user must be present in TPAM.
For details on how to add this user in TPAM or how to obtain its user name if the user is already present, see Adding an ISA CLI user.
server_user_key
Type: string
Required: yes
Default: N/A
Description: The SSH-compatible RSA private key of server_user. This key must be stored in the Credential Store named under cred_store in the [plugin] section, not written into the configuration file itself.
For details on how to obtain the key, see Obtaining the private key of the ISA CLI user.
For details on how to store the key in a local Credential Store policy on SPS, see Storing sensitive plugin data securely.
system_name_resolver
Type: tpam | dns
Required: no
Default: tpam
Description: TPAM expects the address of the target host as a hostname rather than as an IP address. You can specify where to take the target hostname from in case the address of the target host has been provided as an IP address:
- If set to tpam, the hostname is retrieved from TPAM. For this to happen, ensure that the ISA CLI user used for communicating with TPAM has ISA permissions at the System level. For details, see Assign ISA access policies to ISA CLI user.
- If set to dns, the hostname is retrieved from SPS following DNS resolution. For this to happen, you must configure DNS resolution in SPS. For details, see Configuring DNS resolution.
system_maptoreal
Type: yes | no
Required: no
Default: no
Description: If this parameter is set to yes, an additional lookup is performed on TPAM to map the Account-System pair to the custom attributes ManagedAccount.AccountCustom1 and ManagedAccount.AccountCustom2. If the mapping is successful, the password corresponding to the custom pair is retrieved.
system_prefix
Type: string
Required: no
Default: empty string
Description: Any prefix of your choice. The TPAM plugin prepends this prefix and an underscore (_) to the target hostname when constructing the System name for TPAM (for example, prefix prod and target host db01 give the System name prod_db01). With an empty prefix, the hostname is used as is.
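The three options system_name_resolver, system_maptoreal and system_prefix work together, and their order matters: the target address is first turned into a hostname, the prefix is then applied to build the System name, and only then is the optional map-to-real lookup performed on the resulting Account-System pair. The following added example models that order as described on this page; it is not the plugin's own code. The lookup tables, hostnames and account names are constructed stand-ins for TPAM and DNS data, and falling back to the original pair when no custom values exist for it is an assumption of this model, not something the page states.

```python
import ipaddress

# Constructed stand-ins for TPAM and DNS data (hypothetical values):
# hostnames TPAM holds for IP addresses it manages (system_name_resolver=tpam),
# reverse DNS records SPS could resolve (system_name_resolver=dns), and the
# per-account custom columns "Real Account"/"Real System" from system_maptoreal.
TPAM_SYSTEM_HOSTNAMES = {"10.1.2.3": "db01"}
DNS_REVERSE = {"10.1.2.3": "db01.corp.example"}
CUSTOM_COLUMNS = {
    # (Account, System) -> AccountCustom1 = Real Account, AccountCustom2 = Real System
    ("svc_app", "prod_db01"): {"AccountCustom1": "oracle", "AccountCustom2": "prod_db01_real"},
}


def is_ip_address(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def resolve_target_hostname(target_host: str, resolver: str) -> str:
    """Apply system_name_resolver: only IP addresses need resolving."""
    if not is_ip_address(target_host):
        return target_host
    table = {"tpam": TPAM_SYSTEM_HOSTNAMES, "dns": DNS_REVERSE}[resolver]
    try:
        return table[target_host]
    except KeyError:
        # Without a hostname no System name can be built, so checkout must fail closed.
        raise LookupError(f"{resolver} could not map {target_host} to a hostname") from None


def tpam_system_name(hostname: str, system_prefix: str) -> str:
    """Apply system_prefix: '<prefix>_<hostname>', or the bare hostname if empty."""
    return f"{system_prefix}_{hostname}" if system_prefix else hostname


def account_and_system(target_user: str, target_host: str, tpam_cfg: dict) -> tuple:
    """Model of the mapping order: resolve, prefix, then optional map-to-real.

    tpam_cfg holds the [tpam] options as strings, as configparser would return them.
    """
    hostname = resolve_target_hostname(target_host, tpam_cfg.get("system_name_resolver", "tpam"))
    account = target_user
    system = tpam_system_name(hostname, tpam_cfg.get("system_prefix", ""))
    if tpam_cfg.get("system_maptoreal", "no") == "yes":
        real = CUSTOM_COLUMNS.get((account, system))
        if real:   # the password is then checked out for this custom pair
            return real["AccountCustom1"], real["AccountCustom2"]
        # Assumption of this model: no custom values means the original pair is used.
    return account, system


if __name__ == "__main__":
    cfg = {"system_name_resolver": "tpam", "system_prefix": "prod", "system_maptoreal": "no"}
    print(account_and_system("svc_app", "10.1.2.3", cfg))                          # ('svc_app', 'prod_db01')
    print(account_and_system("svc_app", "10.1.2.3", dict(cfg, system_maptoreal="yes")))  # ('oracle', 'prod_db01_real')
```

Note that the custom-column lookup is keyed on the prefixed System name, so the Real Account and Real System values in TPAM must be maintained against the same Account-System pair the plugin constructs, prefix included.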
reuse_gateway_password
Type: yes | no
Required: no
Default: no
Description: If this parameter is set to yes, then if the gateway user is the same as the target user accessing the protected server, the gateway password is reused as the password required to access the target host, effectively skipping password checkout from TPAM.