Using a custom Credential Store plugin to authenticate on the target hosts
The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to retrieve the credentials used to login to the target host using a custom plugin.
Prerequisites
To use a custom Credential Store plugin, you have to upload a working Credential Store plugin to SPS. This plugin is a script that can be used to access an external Credential Store or Password Manager. If you want to create such a custom Credential Store plugin, contact our Support Team or see or see the documentation about custom Credential Store plugins.
|
|
NOTE:
Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication. Therefore, gateway authentication must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide. |
To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins > Upload/Update Plugins, browse for the file and click Upload.
|
|
NOTE:
It is not possible to upload or delete Credential Store plugins if SPS is in sealed mode. |
Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.
To configure SPS to retrieve the credentials used to login to the target host using a custom plugin
-
Navigate to Policies > Credential Stores.
-
Click
and enter a name for the Credential Store.
-
Select External Plugin, then select the plugin to use from the Plugin list.
-
If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.
NOTE: Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.
-
Click
.
-
Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click
Configuring other related parameters
Steps:
To configure other related parameters
- Navigate to Policies > Usermapping Policies and configure a usermapping policy. For details, see "Configuring usermapping policies" in the Administration Guide.
-
Depending on your requirements, configure an LDAP policy, or a Local User Database for gateway authentication.
-
To configure an LDAP policy, navigate to Policies > LDAP Servers. For details, see "Authenticating users to an LDAP server" in the Administration Guide.
-
To configure a Local User Database, navigate to Policies > Local User Databases. For details, see "Creating a Local User Database" in the Administration Guide.
-
- Navigate to SSH Control > Authentication Policies and configure the authentication policy with gateway authentication. For details, see "Authentication Policies" in the Administration Guide.
- Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field. Select the Authentication Policy that you have configured in Authentication policy field, and the Usermapping Policy in the Usermapping policy field.
SPS One Identity Safeguard Credential Store plugin parameter reference
To configure the plugin, you must edit the parameters in the config_local.py file.
The following is a sample configuration file for gateway authentication:
[safeguard] address=<address-of-the-safeguard> ca=<optional-ca-certificate-for-ssl-verification> check_host_name=1 [auth] use_credential=gateway # provider=<provider-for-explicit-or-gateway> # username=<username-only-for-explicit> # password=<provider-only-for-explicit>
[safeguard]
address
| Type: | string |
Description: The IPv4 address(es) or hostname(s) of the One Identity Safeguard machine or cluster. Use a comma (,) to separate multiple IP addresses/hostnames, ensuring that there is no space inserted around commas.
For example:
address=10.0.0.5,10.0.0.6
ca
| Type: | string |
Description: Optional. The certificate authority (CA) certificate to use for validating the server certificate of Safeguard Vault server(s). The certificate must be in the PEM format. Multi-line values must be specified in the following way:
- Starting from the second line, each line must begin with a space character.
- There must be an empty line after the certificate value.
For example:
ca=-----BEGIN CERTIFICATE----- MIIGxzCCBK+gAwIBAgITOgAABd9VJ2E4MStYlQAAAAAF3zANBgkqhkiG9w0BAQsF ... Qpdb3REB/BfQLbA= -----END CERTIFICATE-----
check_host_name
| Type: | boolean (no | yes) |
Description: If set to no, there is no host name checking. The default value is yes for strict host name checking, only when the parameter ca has been configured too.
For example:
check_host_name=yes
ip_resolving
| Type: | boolean (no | yes) |
Description: Used when the target servers are listed under their hostname in Safeguard Vault as assets.
If set to no, this parameter has no effect. If set to yes, the plugin will resolve the IP address of the remote server to hostname(s) and attempt the password checkout using the hostname(s) as well. See Asset and account lookup for details on the order in which the attempts are made. DNS resolution uses the DNS server specified for SPS (in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields on SPS's web interface).
For example:
ip_resolving=yes
domain_suffix
| Type: | string |
Description: If users do not provide the full domain name in the connection, this option can be used to automatically expand the domain name with a suffix.
For example:
domain_suffix=acme.org
If the user provides the credentials "user\backoffice", then the domain part will be replaced with "backoffice.acme.org". Note the automatically added dot (.). See Asset and account lookup for details on when and how the domain name is used in the attempts to check out the password.