Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Regenerating an API key

If, as the Security Policy Administrator, you discover that the API key has been stolen or misplaced, you can regenerate the API key at any time. When you regenerate an API key, it invalidates the old API key and prevents any services from using that key to access the Application to Application service.

To regenerate an API key

  1. Log in to the Safeguard for Privileged Passwords web client as a Security Policy Administrator.
  2. Navigate to Security Policy Management > Application to Application.
  3. Select an application registration from the list and click (Edit).

  4. On the Access Request Broker tab, click (Regenerate).

You can now view or copy the new API key to the clipboard and use this new API key in your third-party application to access the Application to Application interfaces. See Making a request using the Application to Application service.

Making a request using the Application to Application service

Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:

  • Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
  • Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.

A third-party application authenticates with Safeguard for Privileged Passwords using an API key and a client certificate, rather than the bearer token normally used to authenticate Safeguard for Privileged Passwords API requests. To make a request, you must first retrieve the API key for the application from Safeguard for Privileged Passwords using an authorized user account (that is, using bearer token authentication), and install the correct certificate on the host that will be making the request. The certificate must be installed in the certificate store of the authorized certificate user that will make the request.

Prerequisites

To make a credential retrieval request from the third-party application

  1. Retrieve the relevant API key for the application from Safeguard for Privileged Passwords. You can retrieve the API key using the following methods:

    Using the web client:

    • Log in to the Safeguard for Privileged Passwords client as a Security Policy Administrator.
    • Navigate to Security Policy Management > Application to Application.
    • Select the application and click (Edit).
    • On the Credential Retrieval tab, click .

    Using the Safeguard for Privileged Passwords API:

    • Use the following URL to retrieve the details of the registered application from the Safeguard for Privileged Passwords API. The ID property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authentication the request.

      https://<Appliance IP>/service/core/V3/A2ARegistrations?filter=AppName%20eq%20%22<ApplicationName>%22

    • Use the ID property in the response retrieved for the application registration to retrieve the API key for the selected account from the Safeguard for Privileged Passwords API:

      https://<Appliance IP>/service/core/V3/A2ARegistrations/<Id>/RetrievableAccounts?filter=AccountName%20eq%20%22<account name>%22%20and%20SystemName%20eq%20%22<system name>%22&fields=ApiKey

  2. Ensure that the certificate matching the application's registered CertificateUserThumbprint is installed on the host that will be making the request.
  3. Ensure that the selected certificate is trusted by Safeguard for Privileged Passwords. That is, install the trusted root certificate in Safeguard for Privileged Passwords.

  4. Create the application request, authenticating with the retrieved API key and the certificate thumbprint.

    • Set the Authorization header in the request to A2A <API key>.
    • The type can be Password or PrivateKey. Note that private keys can only be retrieved for service accounts.

    • Present the certificate with the request as appropriate for the invoking method. For example, when using the Invoke-WebRequest cmdlet, use the option:

      -CertificateThumbprint <thumbprint>

    To retrieve a credential, use the following request:

    GET https://<ApplianceIP>/service/A2A/V3/Credentials?type=Password
    Host: <ApplianceIP>
    Content-Type: application/json
    Accept: text/plain
    Authorization A2A <API Key>

    This URL returns a string response.

To make an access request broker request from the third-party application

  1. Retrieve the relevant API key for the application from Safeguard for Privileged Passwords. You can retrieve the API key using the following methods:

    Using the web client:

    • Log in to the Safeguard for Privileged Passwords client as a Security Policy Administrator.
    • Navigate to Security Policy Management > Application to Application.
    • Select the application and click (Edit).
    • On the Access Request Broker tab, click .

    Using the Safeguard for Privileged Passwords API:

    • Use the following URL is retrieve the details of the registered application from the Safeguard for Privileged Passwords API. The Id property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authentication the request.

      https://<Appliance IP>/service/core/V3/A2ARegistrations?filter=AppName%20eq%20%22<ApplicationName>%22

    • Use the ID retrieved for the application registration to retrieve the API key from the Safeguard API:

      https://<Appliance IP>/service/core/V3/A2ARegistrations/<Id>/AccessRequestBroker/ApiKey

  2. Ensure that the certificate matching the application's registered CertificateUserThumbprint is installed on the host that will be making the request.
  3. Ensure that the selected certificate is trusted by Safeguard for Privileged Passwords. That is, install the trusted root certificate in Safeguard for Privileged Passwords.

  4. Create the application request, authenticating with the retrieved API key and the certificate thumbprint.

    • Set the Authorization header in the request to A2A <API key>.

    • Present the certificate with the request as appropriate for the invoking method. For example, when using the Invoke-WebRequest cmdlet, use the option:

      -CertificateThumbprint <thumbprint>

    • To create an access request, use the following request:

      POST
      Host: <Appliance IP>
      Accept             application/json
      Content-type       application/json
      Authorization           A2A <API key>
      {
           "ForUser": "<user name>",
           "ForUserId": <user id>,
           "ForProvider": “<providername>”,
      "SystemId": <system id>,
           "SystemName": "<system name>",
           "AccountId": <account id>,
           "AccountName": "<account name>",
           "AccessRequestType": "<request type>",
      “RequestedDurationDays”: <days>
           "RequestedDurationHours": <hours>,
      “RequestedDurationMinutes”: <minutes>,
      “RequestedFor”: “<date>,
           "ReasonCodeId": <reason code id>,
           "ReasonCode": "<reason name>",
           "ReasonComment": "<reason comment>",
      “IsEmergency”: <bool>,
      “TicketNumber”: “<ticket>”
       
      }

      This URL returns the new request if successful.

      Exceptions

      Most of the fields in this access request match those in a normal access request, with the exceptions noted here:

      The following fields are used to identify the target Safeguard for Privileged Passwords user that will be used to create the request. The result must uniquely identify a valid Safeguard for Privileged Passwords user for which the application has been granted permission to create an access request. If the search results in multiple matches or no matches, an error is returned.

      • ForUserId: The database ID of a Safeguard for Privileged Passwords user. This takes priority if it contains a value.
      • ForUser: The name of a Safeguard for Privileged Passwords user. This value is ignored if ForUserId contains a value.
      • ForProvider: An optional provider name, that can be used to limit the search for ForUser.

      The following fields are used to uniquely identify the target system. If the search results in multiple matches or no matches, an error is returned.

      • SystemId: The database ID of a Safeguard for Privileged Passwords asset. This field is used to search for a matching asset in the following order:
        • System Name: Exact match on the system name
        • Network Address: Exact match on the network address
        • String search: A string search on all string properties for the asset

      The following fields are used to uniquely identify the target account. If the search results in multiple matches or no matches, an error is returned.

      • AccountId: The database ID of a Safeguard for Privileged Passwords account. This takes priority if it contains a value.
      • AccountName: This is ignored if AccountId contains a value. This field is used to search for a matching account in the following order:
        • Account Name: Exact match on the account name
        • String search: A string search on all string properties for the account

      The following fields can be used to identify the reason code. If the search results in multiple matches or no matches, the reason code is set to null.

      • ReasonCodeId: The database ID of a predefined reason code. This takes priority if it contains a value.
      • ReasonCode: The name of a predefined reason code. This is ignored if ReasonCodeId contains a value.
    Access request creation

    Once the target user and account have been determined, the Application to Application service attempts to create the access request. Normal policy rules determine whether the attempt is successful.

Cloud Assistant

The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the Safeguard for Privileged Passwords web application.

The Cloud Assistant feature is enabled when you join Safeguard for Privileged Passwords to Starling. For more information, see Starling. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

Go to Cloud Assistant:

  • web client: Navigate to Security Policy Management > Cloud Assistant.

The Cloud Assistant pane displays the following about the users authorized to use the feature.

Table 181: Cloud Assistant: Properties
Setting Description

Name

Name of the Safeguard for Privileged Passwords user.

NOTE: This user must also be added as an approver in an access request policy.

Username

The username associated with the account.

Authentication Provider

The type of authentication provider.

Identity Provider

The name of the authentication provider for the account.

Domain Name

The name of the domain where the account it located.

Email Address

Valid email address for the authorized user.

Use these toolbar buttons to manage the users authorized to use Cloud Assistant.

Table 182: Cloud Assistant: Toolbar
Setting Description

Add

Add Safeguard for Privileged Passwords users who are authorized to use this feature to approve (or deny) access requests.

NOTE: These same users must also be added as approvers in an access request policy.

Remove

Remove the selected user as an authorized user.

Refresh

Update the list of users authorized to use Cloud Assistant.

Adding authorized user for Cloud Assistant

Once Safeguard for Privileged Passwords is joined to Starling, use the Cloud Assistant page to add the Safeguard for Privileged Passwords users that can use the Cloud Assistant feature to approve access requests.

To add users who are authorized to use Cloud Assistant

IMPORTANT: The user information configured in Safeguard for Privileged Passwords must match the user information in the Starling Cloud Assistant channel. If the user information does not match, you will need to remove the user from both Security Policy Management > Cloud Assistant and Starling Cloud Assistant's Recipients page, then re-add the user to Safeguard for Privileged Passwords using the correct user information.

  1. Log in to the Safeguard for Privileged Passwords client as a Security Policy Administrator.
  2. To go to Cloud Assistant:
    • web client: Security Policy Management > Cloud Assistant.
  3. Click Add.

  4. In the Users dialog, select users from the list and click OK.

  5. Add these Cloud Assistant users as approvers in the appropriate access request policy. For more information, see Creating an access request policy.

Once a user is added as a Cloud Assistant user and as an approver in an access request policy, when an access request requires approval, Safeguard for Privileged Passwords sends a notification to the approver's configured channel (this is configured via the Starling Cloud Assistant service). The approver can either approve or deny the access request directly from the channel.

NOTE: Revoking an access request that has already been approved is not available via the channel. You must use the Safeguard for Privileged Passwords web client to perform that action.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating