
One Identity Safeguard for Privileged Sessions 7.3 - Hashicorp Vault as Credential Store

[engine-kv-v1]

This section contains the options related to your Hashicorp Vault account.

Declaration
[engine-kv-v1]
secrets_path=<path>
key_field=key
password_field=password
default_type=
secrets_path
Type: string
Required: only in Automatic scenario
Default: N/A

Description: The path of the endpoint under which the user names and passwords are stored as secrets. For example, secrets/users. The server username is then appended to the path on-the-fly. This compound path points to an object that has the password or key as one of its fields. You can specify the name of the field that stores the password and the key in the password_field and key_field options.

The user can override this option in the Interactive scenario (see Interactive scenario).

If the path to the endpoint contains a literal slash (/) or hashmark (#) character, double this character. For example, if the path is secrets/my#endpoint, use secrets/my##endpoint to escape the special character.

key_field
Type: string
Required: no
Default: key

Description: The value field to retrieve the SSH private key secret from.

The user can override this option in the Interactive scenario (see Interactive scenario).

password_field
Type: string
Required: no
Default: password

Description: The value field to retrieve the password secret from. This parameter is not related to the password parameter.

The user can override this option in the Interactive scenario (see Interactive scenario).

default_type
Type: key | password | empty string
Required: no
Default: empty string

Description: Determines the type of credential (key or password) that the plugin retrieves from the Hashicorp Vault. If not specified, the plugin attempts to retrieve both a key and a password.

If the default_type is set, but the user wants to authenticate with another credential type (password instead of key, or key instead of password), the user can specify the credential type in the prompt when using the Interactive scenario by beginning the secret path with password:// or key:// (you can use the p:// or k:// abbreviations as well).
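The following Python script is an added example, not the SPS plugin's own code. It reads the [engine-kv-v1] declaration above, applies the Interactive-scenario prefixes (password://, p://, key://, k://) and the doubled-character escapes, composes the KV version 1 read that the plugin performs for a session user, and selects the configured key and password fields from the response. The HTTP shape of a KV v1 read (GET /v1/<path> returning a data object) is HashiCorp's documented behaviour rather than something this page states; the function names, the sample configuration and the sample response are this example's own constructions.

```python
# Added example (not code from the SPS plugin): resolves the [engine-kv-v1]
# options into the KV v1 read performed for a session user and picks the
# credential fields out of the Vault response.
# Assumed (not on this page): the KV version 1 HTTP API shape
# GET /v1/<path> -> {"data": {...}}, and every function name below.
import configparser
from typing import Dict, Tuple
from urllib.parse import quote

# Constructed config fragment, written like the page's declaration block.
SAMPLE_CONFIG = """
[engine-kv-v1]
secrets_path=secrets/users
key_field=key
password_field=password
default_type=
"""

# Constructed KV v1 response for secrets/users/alice (placeholder values).
SAMPLE_RESPONSE = {"data": {
    "password": "s3cr3t-example",
    "key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n"
           "-----END OPENSSH PRIVATE KEY-----",
}}

# Interactive-scenario prefixes that override default_type (from the page).
TYPE_PREFIXES = {"password://": "password", "p://": "password",
                 "key://": "key", "k://": "key"}


def load_engine_options(config_text: str) -> Dict[str, str]:
    """Read the [engine-kv-v1] section, applying the page's defaults."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    sec = cp["engine-kv-v1"]
    return {
        "secrets_path": sec.get("secrets_path", ""),
        "key_field": sec.get("key_field", "key") or "key",
        "password_field": sec.get("password_field", "password") or "password",
        "default_type": sec.get("default_type", ""),
    }


def parse_interactive_path(entry: str, default_type: str) -> Tuple[str, str]:
    """Split an Interactive-scenario entry into (credential_type, path).

    password:// or p:// and key:// or k:// force one credential type;
    otherwise default_type applies ('' means both are attempted).
    """
    for prefix, ctype in TYPE_PREFIXES.items():
        if entry.startswith(prefix):
            return ctype, entry[len(prefix):]
    return default_type, entry


def unescape_secrets_path(path: str) -> str:
    """Turn the doubled '//' and '##' escapes of the config into literals."""
    return path.replace("##", "#").replace("//", "/")


def build_read_url(address: str, secrets_path: str, username: str) -> str:
    """KV v1 read URL: <address>/v1/<secrets_path>/<username>.

    Path separators are kept; a literal '#' becomes %23. The username is
    fully percent-encoded so it cannot add URL path segments of its own.
    """
    base = quote(unescape_secrets_path(secrets_path).strip("/"), safe="/")
    return f"{address.rstrip('/')}/v1/{base}/{quote(username, safe='')}"


def select_credentials(response: dict, opts: Dict[str, str],
                       credential_type: str) -> Dict[str, str]:
    """Pick the key and/or password fields out of a KV v1 'data' object.

    credential_type '' means both are attempted and whatever exists is
    returned; a missing field for an explicitly requested type is an error,
    so the session never silently falls back to the other credential.
    """
    data = response.get("data", {})
    wanted = {"key": opts["key_field"], "password": opts["password_field"]}
    if credential_type:
        wanted = {credential_type: wanted[credential_type]}
    found = {c: data[f] for c, f in wanted.items() if f in data}
    if credential_type and credential_type not in found:
        raise KeyError(f"field {wanted[credential_type]!r} missing from secret")
    if not found:
        raise KeyError("neither key nor password field present in secret")
    return found


if __name__ == "__main__":
    opts = load_engine_options(SAMPLE_CONFIG)
    ctype, path = parse_interactive_path("k://secrets/users", opts["default_type"])
    print(build_read_url("https://vault.example.com:8200", path, "alice"))
    print(sorted(select_credentials(SAMPLE_RESPONSE, opts, ctype)))
```

The username is appended as a single percent-encoded segment on purpose: the page says the server username is appended to secrets_path on the fly, so a username that contains a slash must not be allowed to turn into additional path components.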

[tls]

This section contains the options related to TLS settings.

Declaration
[tls]
enabled = yes
ca_cert = $[<trusted-ca-list-name>]
client_cert = <client-certificate-and-key>
enabled
Type: boolean (yes|no)
Required: no
Default: yes

Description: To disable TLS completely, enter no as the value of this parameter. With TLS disabled, the plugin's authentication to Vault and the passwords and keys it retrieves cross the network in cleartext, so leave it enabled outside isolated test setups.

ca_cert
Type: string
Required: no
Default: N/A

Description: Configure this parameter to enable client-side verification, that is, the plugin checks the certificate presented by the Vault server against this CA.

If the value of this parameter is $[<trusted-ca-list-name>], the certificates are retrieved from the trusted CA list configured on SPS, identified by the name.

When the certificate is inserted into the configuration file (<ca-certificate-chain>), it must be in PEM format and all the new lines must be indented with one whitespace. If it is a chain, insert the certificates right after each other.

client_cert
Type: string
Required: no
Default: N/A

Description: Configure this parameter to enable server-side verification, that is, the plugin presents this client certificate so that the Vault server can authenticate the plugin (mutual TLS).

If the value of this parameter is $, the certificate is retrieved from the Credential Store configured in the [credential_store] section, identified by the section and option name pair (tls and client_cert).

When the certificate and key are inserted into the configuration file, they must be in PEM format and all the new lines must be indented with one whitespace. Note that encrypted keys are not supported, so the private key must be stored unencrypted.
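An added example, not code from SPS or the plugin: a Python helper that formats a PEM chain or a client certificate with its key for inline use in the [tls] section, indenting every continuation line with one space as the section requires, refuses encrypted private keys, and reads the result back with configparser to confirm the value survives. The placeholder PEM blocks are constructed and are not real certificates or keys; the function names are this example's own.

```python
# Added example (not SPS plugin code): prepares PEM material for inline use
# in the [tls] section, where every line after the first must be indented
# with one space, and rejects encrypted private keys (unsupported per the
# page). Placeholder PEM content and function names are this example's own.
import configparser

# Constructed placeholder PEM material; not real certificates or keys.
CA_CHAIN = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderIntermediateCA\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderRootCA\n"
    "-----END CERTIFICATE-----\n"
)
CLIENT_CERT_AND_KEY = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderClient\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderKey\n-----END PRIVATE KEY-----\n"
)
# Legacy OpenSSL encrypted key format: Proc-Type/DEK-Info headers.
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\nplaceholder\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def is_encrypted_key(pem: str) -> bool:
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED'."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem
            or "Proc-Type: 4,ENCRYPTED" in pem)


def indent_for_config(pem: str) -> str:
    """Join PEM blocks into one INI value: first line bare, rest one-space indented."""
    lines = [ln for ln in pem.splitlines() if ln.strip()]
    return "\n".join([lines[0]] + [" " + ln for ln in lines[1:]])


def render_tls_section(ca_chain: str, client_cert: str) -> str:
    """Render a [tls] section with the CA chain and client cert inline."""
    if is_encrypted_key(client_cert):
        raise ValueError("client_cert contains an encrypted private key; decrypt it first")
    return ("[tls]\nenabled = yes\n"
            f"ca_cert = {indent_for_config(ca_chain)}\n"
            f"client_cert = {indent_for_config(client_cert)}\n")


def parse_back(section_text: str) -> dict:
    """Read the rendered section with configparser to confirm the values survive."""
    cp = configparser.ConfigParser()
    cp.read_string(section_text)
    return dict(cp["tls"])


if __name__ == "__main__":
    section = render_tls_section(CA_CHAIN, CLIENT_CERT_AND_KEY)
    print(section)
    print(parse_back(section)["ca_cert"] == CA_CHAIN.strip())
```

Inlining the client key in the configuration is the least desirable of the three forms the section allows: ca_cert = $[<trusted-ca-list-name>] and client_cert = $ keep the material in SPS's trusted CA list and Credential Store respectively, so the private key never sits in the plugin configuration file.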

[credential_store]

This section contains settings related to storing sensitive information of the plugin.

Declaration
[credential_store]
name=<name-of-credential-store-policy-that-hosts-sensitive-data>
name
Type: string
Required: no
Default: N/A

Description: The name of a local Credential Store policy configured on SPS. You can use this Credential Store to store sensitive information of the plugin in a secure way (for example, the secrets_path value in the [hashicorp] section).

For details, see Store sensitive plugin data securely.

[logging]

This section contains logging-related settings.

Declaration
[logging]
log_level=info
log_level
Type: integer or string
Required: no
Default: info

Description: The logging verbosity of the plugin. The plugin sends the generated log messages to the SPS syslog system. You can check the log messages in the Basic settings > Troubleshooting > View log files section of the SPS web interface. To show only the messages generated by the plugins, filter on the plugin: string.

The possible values are:

  • debug

  • info

  • warning

  • error

  • critical

For details, see Python logging API's log levels: Logging Levels.
