To configure SPS to retrieve the credentials used to login to the target host using a custom plugin, complete the following steps.
To use a custom Credential Store plugin, you need to upload a working Credential Store plugin to SPS. This plugin is a script that uses the SPS API to access an external Credential Store or Password Manager. If you want to create such a plugin, contact our Support Team. For more information on creating a custom plugin, see "Creating a custom plugin" in the Administration Guide.
Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication or an AA plugin. Therefore gateway authentication or an AA plugin must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide and "Integrating external authentication and authorization systems" in the Administration Guide.
To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins, browse for the file and click Upload. Note that it is not possible to upload or delete Credential Store plugins if SPS is in sealed mode.
Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.
Navigate to Policies > Credential Stores.
Click and enter a name for the Credential Store.
Select External Plugin, then select the plugin to use from the Plugin list.
If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.
Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.
Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click .
Depending on your requirements, configure an LDAP policy, or a Local User Database for gateway authentication.
To configure an LDAP policy, navigate to Policies > LDAP Servers. For details, see "Authenticating users to an LDAP server" in the Administration Guide.
To configure a Local User Database, navigate to Policies > Local User Databases. For details, see "Creating a Local User Database" in the Administration Guide.
To configure the plugin, you must edit the parameters in the config_local.py file.
The following is a sample configuration file for gateway authentication:
[safeguard] address=<address-of-the-safeguard> ca=<optional-ca-certificate-for-ssl-verification> check_host_name=1 [auth] use_credential=gateway # provider=<provider-only-for-explicit> # username=<username-only-for-explicit> # password=<provider-only-for-explicit>
Description: The IPv4 address(es) or hostname(s) of the One Identity Safeguard machine or cluster. Use a comma (,) to separate multiple IP addresses/hostnames, ensuring that there is no space inserted around commas.
Description: Optional. The certificate authority (CA) certificate to use for validating the server certificate of Safeguard Vault server(s). The certificate must be in the PEM format. Multi-line values must be specified in the following way:
ca=-----BEGIN CERTIFICATE----- MIIGxzCCBK+gAwIBAgITOgAABd9VJ2E4MStYlQAAAAAF3zANBgkqhkiG9w0BAQsF ... Qpdb3REB/BfQLbA= -----END CERTIFICATE-----
|Type:||boolean (no | yes)|
Description: If set to no, there is no host name checking. The default value is yes for strict host name checking, only when the parameter ca has been configured too.
|Type:||boolean (no | yes)|
Description: Used when the target servers are listed under their hostname in Safeguard Vault as assets.
If set to no, this parameter has no effect. If set to yes, the plugin will resolve the IP address of the remote server to hostname(s) and attempt the password checkout using the hostname(s) as well. See Asset and account lookup for details on the order in which the attempts are made. DNS resolution uses the DNS server specified for SPS (in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields on SPS's web interface).
Description: If users do not provide the full domain name in the connection, this option can be used to automatically expand the domain name with a suffix.
If the user provides the credentials "user\backoffice", then the domain part will be replaced with "backoffice.acme.org". Note the automatically added dot (.). See Asset and account lookup for details on when and how the domain name is used in the attempts to check out the password.