-
Title
How to configure Safeguard A2A and credential requests? -
Description
Steps required to configure Safeguard A2A and credential requests. -
Cause
Safeguard 2.2 includes a new API and functionality for security interactions between applications, Application to Application (A2A).
The intention is for customers to be able to configure programmatic users to perform one of two functions:
- Create access requests on behalf of other users.
- Obtain passwords for managed accounts in Safeguard without having to go through Access Request Workflow.
-
Resolution
The following are the steps required to configure Safeguard A2A.
Prerequisites- Program or Script to access the Safeguard A2A API.
Customers are strongly encouraged to use the Powershell Safeguard-ps library available here. - Certificate or PKI.
To create a programmatic user, a certificate is required. This KB article creates a certificate using OpenSSL.
1. Certificate Creation
Create a certificate
openssl req -newkey rsa:2048 -nodes -keyout mykey.key -x509 -days 365 -out mycrt.crt
Take note of the certificate thumbprint
openssl x509 -noout -fingerprint < mycrt.crt
Convert to pfx (Windows only, as this guide uses PowerShell libraries)
openssl pkcs12 -out combined.pfx -in mycrt.crt -inkey mykey.key -export
2. Safeguard Configuration
Add certificate to Trusted Certificates in Safeguard
Admin Tools | Settings | Certificates | Trusted Certificates
Create a certificate user
Admin Tools | Users
*Use the thumbprint of the certificate you created earlier.
Enable A2A via the API
Navigate to https://[appliance]/service/appliance/swagger
Authorize with Operations Admin.
Expand 'A2A' API endpoint.
Expand POST /v2/A2AService/Enable
Click 'Try it out!' (response code should be 200)
*This enables a new API, http://[appliance]/service/a2a/swagger
Create RegistrationAdmin Tools | Settings | External Integration | Application to Application
Click '+'
Select name and enable Credential Retrieval
Select accounts the Registration can manage
Copy the API key for the account whose password is to be requested
Admin Tools | Settings | External Integration | Application to Application
Select registration
Click key icon
Copy API keyTo request for a credential using the PS Credential Request cmdlet, do the following:
Get Credential: Get-SafeguardA2aPassword –Appliance [ip] –Insecure –CertificateFile [filepath to pfx] –ApiKey [key string] - Program or Script to access the Safeguard A2A API.