Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.13.1 - Secrets Vault User Guide

Installing and using the Vault CLI tool on Windows or Linux clients

The Secrets Broker Vault is fully compatible with the Hashicorp vault CLI and can be further configured and accessed using this CLI. By default, the embedded vault has been configured with the K/V secrets engine and a policy which allows the Secrets Broker service to push account credentials into a OneIdentity secrets store. For additional information about how to install and use the Hashicorp vault CLI, see Vault Commands (CLI).

Connecting to the embedded vault

  1. Set the following environment variable:

    VAULT_ADDR=https://<SecretsBroker Address>

  2. Only one of the following variables can be selected:

    1. If selected, the following variable can be set to specify the SSL certificate using the method outlined in Vault Commands (CLI):

      VAULT_CACERT=<PEM encoded certificate file>

    2. If selected, the following variable can be set to specify the SSL certificate using the method outlined in Vault Commands (CLI):

      VAULT_CAPATH=<Directory containing PEM encoded certificates>

    3. If selected, the following variable will bypass SSL certificate validation entirely:

      VAULT_SKIP_VERIFY=true

  3. Log in to the embedded Secrets Broker Vault. For more information, see Login.

  4. The CLI will prompt for the root token. To connect to the embedded vault using the Hashicorp vault CLI, the root token needs to be fetched from Safeguard for Privileged Passwords. This token was stored in Safeguard for Privileged Passwords during the deployment of the Secrets Broker Vault Add-on. For more information, see Getting the vault root token from the connected Safeguard for Privileged Passwords appliance.

Getting the vault root token from the connected Safeguard for Privileged Passwords appliance

During the deployment of the Secrets Broker Vault Add-on, the add-on automatically deploys and configures an embedded vault which is capable of storing specific account information and credentials that are pushed from the connected Safeguard for Privileged Passwords appliance. During the configuration of the embedded vault, the root token and unseal shards are automatically added to the Safeguard for Privileged Passwords appliance as new accounts and an account group is created that contains these accounts. The account group can be used to create an access policy and subsequent access request to retrieve the root token so that the embedded vault can be further configured by an administrator.

NOTE: For more information on the Safeguard for Privileged Passwords settings and pages mentioned in the following instructions, see the Safeguard for Privileged Passwords Administration Guide.

  1. Retrieve the embedded vault root token:

    1. Open the Safeguard for Privileged Passwords appliance web interface by going to https://<spp-address>.

    2. Navigate to Security Policy Management | Entitlements.

    3. Create a new entitlement for accessing the Secrets Broker Vault accounts.

    4. On the Access Request Policies tab within the new Secrets Broker Vault entitlement, add a new Access Request Policy that includes the following settings:

      1. On the General tab, ensure the policy type is set to Credential and the credential type is set to Password.

      2. On the Security tab, ensure Change Password After Check-in is set to False.

        CAUTION: If Change Password After Check-in is not set to False, then the tokens will be lost since they cannot be changed.

      3. On the Scope tab, add the new Secrets Broker account group that corresponds to the Secrets Broker instance where the Secrets Broker Vault Add-on was deployed.

    5. On the Users tab of the new Secrets Broker Vault entitlement, add the Safeguard for Privileged Passwords user(s) that should have access to the Secrets Broker Vault root token.

  2. Navigate back to the main Safeguard for Privileged Passwords page and select Access Requests | My Requests.

  3. Create a new access request to fetch the root token that corresponds to the Secrets Broker Vault instance.

  4. Fetch the root token and copy it to the clipboard.

Enabling and configuring the Username/Password authentication method

By default, the deployment of the Secrets Broker Vault Add-on automatically configures the vault by enabling the Key/Value secrets engine, but it doesn't enable any additional authentication methods. When the Secrets Broker Vault plugin is configured with Safeguard for Privileged Passwords accounts, the corresponding credentials are pushed to the vault K/V secrets engine. The Hashicorp vault CLI can be used to pull the secrets from the K/V secrets engine by simply logging in using the root token, or the vault can be configured with the Username/Password authentication method which will allow users to be added to access and manage the embedded vault.

To enable the Username/Password authentication method

  1. Log into the vault using the root token that is stored in Safeguard for Privileged Passwords. For more information, see Getting the vault root token from the connected Safeguard for Privileged Passwords appliance.

  2. Use the following command to enable the Username/Password authentication method. For more information, see Userpass Auth Method: Configuration.

    vault auth enable userpass

  3. Create a new admin policy. This is done using the following command which adds the policy that is contained in the .hcl file to the vault policies. For more information, see Policy.

    vault policy write adminpolicy "<path to file>/admin-policy.hcl

    Example .hcl file

    # Read system health check

    path "sys/health"

    {

    capabilities = ["read", "sudo"]

    }

    # Create and manage ACL policies broadly across Vault

    # List existing policies

    path "sys/policies/acl"

    {

    capabilities = ["list"]

    }

    # Create and manage ACL policies

    path "sys/policies/acl/*"

    {

    capabilities = ["create", "read", "update", "delete", "list", "sudo"]

    }

    # Enable and manage authentication methods broadly across Vault

    # Manage auth methods broadly across Vault

    path "auth/*"

    {

    capabilities = ["create", "read", "update", "delete", "list", "sudo"]

    }

    # Create, update, and delete auth methods

    path "sys/auth/*"

    {

    capabilities = ["create", "update", "delete", "sudo"]

    }

    # List auth methods

    path "sys/auth"

    {

    capabilities = ["read"]

    }

    # Enable and manage the key/value secrets engine at `secret/` path

    # List, create, update, and delete key/value secrets

    path "secret/*"

    {

    capabilities = ["create", "read", "update", "delete", "list", "sudo"]

    }

    # Manage secrets engines

    path "sys/mounts/*"

    {

    capabilities = ["create", "read", "update", "delete", "list", "sudo"]

    }

    # List existing secrets engines.

    path "sys/mounts"

    {

    capabilities = ["read"]

    }

  4. Create a new user/password and assign policies. This is done using the following CLI command which adds a new user to the user database that is enabled with the policies that correspond to adminpolicy and oneidentity policy. For more information, see Auth.

    vault write auth/userpass/users/<username> password=<password> policies=adminpolicy,oneidentity

Enabling a new secrets engine in the embedded Secrets Broker Vault

The embedded vault that is deployed by the Secrets Broker Vault Add-on deploys a vault that is completely compatible with the Hashicorp vault CLI. The embedded vault can be configured with additional secrets engines. One of the secrets engines that can be configured is the database engine. For more information about how to configure a database secrets engine or any of the other secrets engines, see Secrets Engines.

  1. To enable the database secrets engine, use the following command. For more information, see PostgreSQL Database Secrets Engine: Setup.

    vault secrets enable database

  2. To configure the database secrets engine with the PostgreSQL plugin, use the following command. For more information, see PostgreSQL Database Secrets Engine: Setup.

    vault write database/config/postgresql-database plugin_name=postresql-database-plugin allowed_roles=postgresql-role connection_url="postgresql://{{username}}:{{password}}@localhost:5432" username="postgresqluser" password="userpass"

  3. To generate a new credential, use the following command. For more information, see PostgreSQL Database Secrets Engine: Usage.

    vault read database/creds/postgresql-role

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating