Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - How to connect One Identity Safeguard with One Identity Safeguard for Privileged Sessions

Using a custom Credential Store plugin to authenticate on the target hosts

Purpose:

To configure SPS to retrieve the credentials used to login to the target host using a custom plugin, complete the following steps.

Prerequisites:

To use a custom Credential Store plugin, you need to upload a working Credential Store plugin to SPS. This plugin is a script that uses the SPS API to access an external Credential Store or Password Manager. If you want to create such a plugin, contact our Support Team. For more information on creating a custom plugin, see "Creating a custom plugin" in the Administration Guide.

NOTE:

Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication or an AA plugin. Therefore gateway authentication or an AA plugin must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide and "Integrating external authentication and authorization systems" in the Administration Guide.

To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins, browse for the file and click Upload. Note that it is not possible to upload or delete Credential Store plugins if SPS is in sealed mode.

Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.

Steps:
  1. Navigate to Policies > Credential Stores.

  2. Click and enter a name for the Credential Store.

  3. Select External Plugin, then select the plugin to use from the Plugin list.

  4. If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.

    NOTE:

    Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.

  5. Click Commit.

  6. Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click Commit.

Configuring other related parameters

Steps:
  1. Navigate to Policies > Usermapping Policies and configure a usermapping policy. For details, see "Configuring usermapping policies" in the Administration Guide.
  2. Depending on your requirements, configure an LDAP policy, or a Local User Database for gateway authentication.

  3. Navigate to SSH Control > Authentication Policies and configure the authentication policy with gateway authentication. For details, see "Authentication Policies" in the Administration Guide.
  4. Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field. Select the Authentication Policy that you have configured in Authentication policy field, and the Usermapping Policy in the Usermapping policy field.

SPS One Identity Safeguard Credential Store plugin parameter reference

To configure the plugin, you must edit the parameters in the config_local.py file.

The following is a sample configuration file for gateway authentication:

[safeguard]
address=<address-of-the-safeguard>
ca=<optional-ca-certificate-for-ssl-verification>
check_host_name=1

[auth]
use_credential=gateway
# provider=<provider-only-for-explicit>
# username=<username-only-for-explicit>
# password=<provider-only-for-explicit>

[safeguard]

address
Type: string

Description: The IPv4 address(es) or hostname(s) of the One Identity Safeguard machine or cluster. Use a comma (,) to separate multiple IP addresses/hostnames, ensuring that there is no space inserted around commas.

For example:

address=10.0.0.5,10.0.0.6

ca
Type: string

Description: Optional. The certificate authority (CA) certificate to use for validating the server certificate of Safeguard Vault server(s). The certificate must be in the PEM format. Multi-line values must be specified in the following way:

  • Starting from the second line, each line must begin with a space character.
  • There must be an empty line after the certificate value.

For example:

ca=-----BEGIN CERTIFICATE-----
 MIIGxzCCBK+gAwIBAgITOgAABd9VJ2E4MStYlQAAAAAF3zANBgkqhkiG9w0BAQsF
 ...
 Qpdb3REB/BfQLbA=
 -----END CERTIFICATE-----
				

check_host_name
Type: boolean (no | yes)

Description: If set to no, there is no host name checking. The default value is yes for strict host name checking, only when the parameter ca has been configured too.

For example:

check_host_name=yes

ip_resolving
Type: boolean (no | yes)

Description: Used when the target servers are listed under their hostname in Safeguard Vault as assets.

If set to no, this parameter has no effect. If set to yes, the plugin will resolve the IP address of the remote server to hostname(s) and attempt the password checkout using the hostname(s) as well. See Asset and account lookup for details on the order in which the attempts are made. DNS resolution uses the DNS server specified for SPS (in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields on SPS's web interface).

For example:

ip_resolving=yes

domain_suffix
Type: string

Description: If users do not provide the full domain name in the connection, this option can be used to automatically expand the domain name with a suffix.

For example:

domain_suffix=acme.org

If the user provides the credentials "user\backoffice", then the domain part will be replaced with "backoffice.acme.org". Note the automatically added dot (.). See Asset and account lookup for details on when and how the domain name is used in the attempts to check out the password.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating