Synchronizing Active Directory Secrets from Production to a Standalone SPP Appliance Using the SPP Asset Platform (4382455)

Return

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Title

Synchronizing Active Directory Secrets from Production to a Standalone SPP Appliance Using the SPP Asset Platform
Description
Overview

This document is based on the Configure SPP Asset Platform section of the Safeguard for Privileged Passwords (SPP) 8.2 Administration Guide: Configure SPP asset platform . It also addresses a specific configuration scenario which may not be applicable to your environment. Our Professional Services team is available help you tailor this solution to your organizations requirements to ensure compliance.

Problem Statement

A customer has an SPP instance hosted in Safeguard On Demand that they access over a secure VPN. There is concern that they could lose access to secrets if:
- the VPN tunnel is unavailable, or
- there is an issue with the Safeguard On Demand-managed SPP instance (less likely, since One Identity manages it continuously).
Historically, this was handled by using Secrets Broker as an intermediary between the Production SPP cluster and a Standalone SPP appliance:

[SPP Production] <--- [Secrets Broker] ---> [SPP Standalone]

In this model, Secrets Broker monitors events on the Production appliance, then pulls secrets from Production and pushes them to the Standalone appliance.

While functional, Secrets Broker introduces an additional component (and therefore an single point of failure).

Why use the SPP Asset Platform?

The SPP Asset Platform can push secrets directly from one SPP instance to another. This means that when a privileged AD account password is rotated on SPP Production, the updated secret can be pushed to the Standalone SPP appliance automatically.

[AD] <--ChangePassword---> [SPP Production] ----Password Pushed---> [SPP Standalone]

Key difference:
- Secrets Broker pulls secrets from Production (via an intermediate service using A2A).
- SPP Asset Platform pushes secrets from Production directly to Standalone.
Because of this push model, Production must be able to reach/communicate with the Standalone appliance over the network.
Resolution
Setup

a. Prerequisites

This guide makes the following assumptions
1. PKI is configured correctly and both the Production and Standalone appliances trust certificates issued by the same Certificate Authority (CA)
2. The Production SPP cluster is already deployed and
  1. Password check/change against AD works correctly.
  2. Entitlements and Access Request Policies are already configured as required.
3. A Standalone SPP instance is deployed, and all post-installation tasks are completed.
4. That you have followed all instructions located in this KB article: Configure SPP asset platform
b. Specific configurations for the Standalone SPP Appliance

To prevent the Standalone appliance from overwriting secrets received from Production, ensure the Standalone does not rotate or change these accounts on its own.

At minimum, confirm on the Standalone appliance:
- Password rotation is disabled (never check/never change) for the replicated accounts, and
- Change password on check-in is disabled (if applicable for your workflow/policies).
  
  If the Standalone Appliance rotates or changes the password independently, it can cause mismatches and potentially overwrite the secret being pushed from Production.
c. Configure Production SPP to Push AD Secrets to the Standalone Appliance
1. On your production instance, add your AD accounts as Account Dependencies on the Standalone SPP asset (note the Asset Name, in this case vertige.local AD, as you’ll need it in the next step ).
2. On your standalone instance, add a new Other Asset. The Asset name has to match the name of the AD Account Asset on the production SPP (in this case, vertige.local AD).
  
  If the asset names do not match, the password will not get successfully pushed from production to the standalone appliance. Be aware of spelling/case errors.
3. You can now add an AD account that exists on the production SPP by simply using the name.
  Important constraints:
  
  You can only use the Account Name.
  
  The value must match exactly what exists on the Production appliance (including spelling/case conventions as enforced in your environment).
d. Validation
1. Change the AD account secret on the production appliance.
2. Check out the secret on the production appliance and the standalone appliance, and verify that they match:
3. On the production appliance you can check to see if the password was pushed by in the Activity Center. Select the Password Activity Category to view the relevent events
  
  By opening the Dependent Asset Update Succeeded Event, we can then see that the account was successfully updated on the Standalone Appliance:
Additional Considerations

Automated verification: Consider implementing a recurring validation that compares a known test secret on both systems via safeguard-ps. If you need assistance you can reach out to one of our many One Identity Safeguard Professionals.

Bulk Import of AD Accounts to the Standalone Appliance: Consider using CSV export/import to simplify the task if you have many accounts that you want replicated to the Standalone appliance.