サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Sessions 7.2.1 - Hashicorp Vault as Credential Store

Introduction

This tutorial describes how you can connect One Identity Safeguard for Privileged Sessions (SPS) and your Hashicorp Vault with a Credential Store Plugin.

SPS can interact with Hashicorp Vault and can automatically retrieve the password or SSH key of the target host to form a comprehensive Privileged Access Management solution to protect critical assets and meet compliance requirements.

Technical requirements

To successfully connect SPS with Hashicorp Vault, you need the following components:

  • A valid, working Hashicorp Vault server or cluster of servers with the following configuration:

    • In case of explicit authentication:

      A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.

    • In case of gateway-based authentication:

      SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.

  • A SPS appliance (virtual or physical), at least version 6.2.0.

  • A Credential Store plugin for Hashicorp Vault.

    SPS uses plugins to interact with third-party credential stores and password vaults. One Identity provides the sample Hashicorp Vault plugin free of charge, and provides help to customize it for your environment.

How SPS and Hashicorp Vault work together

Authentication:

The plugin can use either explicit or gateway-based credentials.

  • In case of explicit authentication:

    A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.

  • In case of gateway-based authentication:

    SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.

Secret lookup:

Interactive scenario: If the secrets in Hashicorp are stored in an unstructured way, SPS will have to retrieve the path to the secret from the end-user.

Alternatively, you can pass the vault path to the plugin by including vp= in the username. For example: vp=secret/linux/webserver/root@gu=exampleusername@root

The proxy will tokenize the above username by the @ delimiter, and parse out the following information:

  • Target username: root

  • Gateway username: exampleusername

  • Vault path: secret/linux/webserver/root

Automatic scenario: If the secrets are organized around server user names in Hashicorp Vault, then the path to the secret is generated from configuration and the server user name.

Hashicorp Vault scenarios

The following scenarios are the most common methods to use SPS and Hashicorp Vault together.

セルフ・サービス・ツール
ナレッジベース
通知および警告
製品別サポート
ソフトウェアのダウンロード
技術文書
ユーザーフォーラム
ビデオチュートリアル
RSSフィード
お問い合わせ
ライセンスアシスタンス の取得
Technical Support
すべて表示
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択