Safeguard for Privileged Sessions On Demand Hosted - Hashicorp Vault as Credential Store

Introduction

This tutorial describes how you can connect One Identity Safeguard for Privileged Sessions (SPS) and your Hashicorp Vault with a Credential Store Plugin.

SPS can interact with Hashicorp Vault and can automatically retrieve the password or SSH key of the target host to form a comprehensive Privileged Access Management solution to protect critical assets and meet compliance requirements.

Technical requirements

To successfully connect SPS with Hashicorp Vault, you need the following components:

A valid, working Hashicorp Vault server or cluster of servers with the following configuration:
- In case of explicit authentication:
  A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.
- In case of gateway-based authentication:
  SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.
A SPS appliance (virtual or physical), at least version 6.2.0.
A Credential Store plugin for Hashicorp Vault.

SPS uses plugins to interact with third-party credential stores and password vaults. One Identity provides the sample Hashicorp Vault plugin free of charge, and provides help to customize it for your environment.

How SPS and Hashicorp Vault work together

Authentication:

The plugin can use either explicit or gateway-based credentials.

In case of explicit authentication:
A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.
In case of gateway-based authentication:
SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.

Secret lookup:

Interactive scenario: If the secrets in Hashicorp are stored in an unstructured way, SPS will have to retrieve the path to the secret from the end-user.

Alternatively, you can pass the vault path to the plugin by including vp= in the username. For example: vp=secret/linux/webserver/root@gu=exampleusername@root

The proxy will tokenize the above username by the @ delimiter, and parse out the following information:

Target username: root
Gateway username: exampleusername
Vault path: secret/linux/webserver/root

Automatic scenario: If the secrets are organized around server user names in Hashicorp Vault, then the path to the secret is generated from configuration and the server user name.

Hashicorp Vault scenarios

The following scenarios are the most common methods to use SPS and Hashicorp Vault together.

셀프 서비스 도구: 지식 기반; 공지 및 알림; 제품 지원; 소프트웨어 다운로드; 기술 설명서; 사용자 포럼; 비디오 자습서; RSS 피드

문의처: 라이센싱 지원가져오기; 기술 지원; 모두 보기

제품을 선택하십시오.

더 나은 서비스 제공을 위해 채팅 목적을 작성해 주십시오.

문제에 대한 권장 솔루션