One Identity Safeguard for Privileged Sessions 6.0.5 - DEPRECATED How to connect One Identity TPAM with One Identity Safeguard for Privileged Sessions

Table of Contents

Introduction How SPS and TPAM work together Technical requirements How SPS and TPAM work together - in detail Configuring SPS

Using a custom Credential Store plugin to authenticate on the target hosts Storing sensitive plugin data securely Configuring gateway authentication Configuring DNS resolution

Configuring TPAM

Adding an ISA CLI user Assign ISA access policies to ISA CLI user Obtaining the private key of the ISA CLI user Enabling custom attributes in TPAM

TPAM plugin parameter reference

[tpam] [plugin]

Configuring SPS

This section provides detailed instructions as to what to configure on SPS:

Using a custom Credential Store plugin to authenticate on the target hosts

Configuring SPS > Using a custom Credential Store plugin to authenticate on the target hosts

The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to retrieve the credentials used to login to the target host using a custom plugin.

Prerequisites

To use a custom Credential Store plugin, you have to upload a working Credential Store plugin to SPS. This plugin is a script that can be used to access an external Credential Store or Password Manager. If you want to create such a custom Credential Store plugin, contact our Support Team or see or see the documentation about custom Credential Store plugins.

NOTE:

Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication. Therefore, gateway authentication must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide.

To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins > Upload/Update Plugins, browse for the file and click Upload.

NOTE:

It is not possible to upload or delete Credential Store plugins if SPS is in sealed mode.

Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.

To configure SPS to retrieve the credentials used to login to the target host using a custom plugin

Navigate to Policies > Credential Stores.
Click and enter a name for the Credential Store.
Select External Plugin, then select the plugin to use from the Plugin list.

If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.

NOTE:

Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.

Click .
Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click .

Storing sensitive plugin data securely

Configuring SPS > Storing sensitive plugin data securely

By default, the configuration of the plugin is stored on SPS in the configuration of SPS. Make sure that you store the sensitive parameters (server_user_key) of the plugin in an encrypted way.

To store sensitive plugin data securely

Obtain the server_user_key.
Log in to SPS and create a local Credential Store. For details, see "Configuring local Credential Stores" in the Administration Guide.

Instead of usernames and passwords, you will store the configuration parameters of the plugin in this Credential Store.
Add the plugin parameters you want to store in an encrypted way to the Credential Store. You can store any configuration parameter of the plugin in the Credential Store, but note that if an option appears in the Credential Store, the plugin will use it. If the same parameter appears in the configuration of the plugin, it will be ignored.
- Enter the name of the configuration section without the brackets in the Host field (tpam).
- Enter the name of the plugin parameter in the Username field (server_user_key).
- Enter the value of the plugin parameter in the SSH Keys field.
Commit your changes, and navigate to the configuration of the plugin on the Policies > Credential Stores page.
In the plugin configuration file, enter the name of the local Credential Store under the [plugin] section, in the cred_store parameter.

Configuring gateway authentication

Configuring SPS > Configuring gateway authentication

To set up gateway authentication on the connection that uses TPAM as the Credential Store, follow the instructions in:

For out-of-band gateway authentication: "Configuring out-of-band gateway authentication" in the Administration Guide
For inband gateway authentication: "Client-side authentication settings" in the Administration Guide

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

One Identity Safeguard for Privileged Sessions 6.0.5 - DEPRECATED How to connect One Identity TPAM with One Identity Safeguard for Privileged Sessions

Configuring SPS

Using a custom Credential Store plugin to authenticate on the target hosts

Prerequisites

Storing sensitive plugin data securely

Configuring gateway authentication