In the TPAM plugin's configuration file, you need to provide the private key (server_user_key) of the CLI user with Information Security Administrator (ISA) access rights to TPAM (server_user) that SPS will use when communicating with TPAM. To obtain the key, download it from TPAM.
To download the private key of the ISA CLI user
This key must be stored in a local Credential Store in SPS. For details on how to do that, see Storing sensitive plugin data securely.
When mapping target user and target host names to their corresponding counterparts (Account and System names) in TPAM, an extra round of mapping may be necessary if the mapping option system_maptoreal is enabled.
This extra mapping can only take place if custom attributes are enabled in TPAM.
To enable custom attributes in TPAM
You are now able to set these parameters per account on the Custom Information tab.
This section describes the available options of the TPAM plugin.
The plugin uses an ini-style configuration file with sections and name=value pairs: each section is introduced by a [section] header and followed by name=value entries. Leading whitespace is removed from values. Values can contain format strings that refer to other values in the same section. For example, in the following section, %(dir)s resolves to the value of the dir entry (/var in this case).
[section name]
dirname=%(dir)s/mydirectory
dir=/var
All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.
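The format described above is what Python's standard configparser module implements, including the %(name)s references. The following is an added example, not code from the plugin or from One Identity; the section text and the extra comment lines are constructed sample input.

```python
import configparser

# Constructed sample (not taken from the plugin): the section from the text
# above, plus comment lines and a value written with leading whitespace.
SAMPLE_INI = """
[section name]
# lines starting with '#' or ';' are ignored
; so this one is ignored too
dirname=%(dir)s/mydirectory
dir=      /var
"""


def load(text):
    """Parse ini text; %(name)s references are expanded by BasicInterpolation."""
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    parser.read_string(text)
    return parser


def resolve(text, section, option):
    """Value of an option with its %(name)s references expanded on demand."""
    return load(text).get(section, option)


def raw(text, section, option):
    """Value of an option exactly as written, references left unexpanded."""
    return load(text).get(section, option, raw=True)


def unresolved_references(text, section):
    """Names of options whose references point at an entry the section lacks."""
    parser = load(text)
    broken = []
    for option in parser.options(section):
        try:
            parser.get(section, option)
        except configparser.InterpolationMissingOptionError:
            broken.append(option)
    return broken


if __name__ == "__main__":
    print(resolve(SAMPLE_INI, "section name", "dirname"))  # /var/mydirectory
```

Because references are expanded on demand, a broken reference is only reported when the option is read, which is why `unresolved_references` reads every option of the section. A literal percent sign in a value has to be written as `%%`, otherwise reading that option raises an interpolation error.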
You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.
[tpam]
authorization=policy
required_policy=<name-of-access-policy-required-to-be-present-for-authorization>
server=<hostname-or-IP-address-of-TPAM>
server_public_key=<public-key-of-TPAM>
server_port=<SSH-port-number-of-TPAM>
server_user=<TPAM-CLI-user-with-ISA-rights>
server_user_key=<private-key-of-server_user>
system_name_resolver=tpam
system_maptoreal=no
system_prefix=<your-preferred-prefix>
reuse_gateway_password=no

[plugin]
config_version=1
cred_store=<name-of-credential-store-hosting-sensitive-data>
log_level=info
This section contains the options related to the TPAM server.
[tpam]
authorization=policy
required_policy=<name-of-access-policy-required-to-be-present-for-authorization>
server=<hostname-or-IP-address-of-TPAM>
server_public_key=<public-key-of-TPAM>
server_port=<SSH-port-number-of-TPAM>
server_user=<TPAM-CLI-user-with-ISA-rights>
server_user_key=<private-key-of-server_user>
system_name_resolver=tpam
system_maptoreal=no
system_prefix=<your-preferred-prefix>
reuse_gateway_password=no
authorization
Type: approval | gateway | policy
Required: no
Default: gateway
Description: The authorization method used by TPAM to check whether the gateway user can be granted access to the target host. The possible values are approval, gateway, and policy.
required_policy
Type: string
Required: no
Default: Privileged Access
Description: Used only when authorization is set to policy. This parameter specifies the name of the access policy that must be present for access to be granted to the target host.
server
Type: string
Required: yes
Default: N/A
Description: The address of the TPAM server, either a hostname or an IP address.
server_public_key
Type: string
Required: yes
Default: N/A
Description: The public key corresponding to the hostname or IP address of the TPAM server, used for checking the TPAM server's identity.
Must be provided in the OpenSSH known_hosts format, which consists of the hostname or IP address of the TPAM server, the key type, and the base64-encoded public key, separated by spaces.
Examples:
TIP: To find out the public key of TPAM in the required format:
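Since server_public_key is what protects the SPS-to-TPAM connection against a spoofed TPAM host, it is worth checking the configured line before saving it: that it parses, that its host field actually covers the configured server and port, and what its fingerprint is so it can be confirmed with the TPAM administrator. The block below is an added example, not code from the plugin or from One Identity. It handles the plain host form, comma-separated host lists, the `[host]:port` form OpenSSH uses for non-22 ports and the hashed (`|1|…`) host form; the Ed25519 key and the host names are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct

# Key types OpenSSH accepts in known_hosts that are relevant here.
SUPPORTED_KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data):
    """Length-prefixed byte string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_line(host, raw_key):
    """Build a known_hosts line for a 32-byte Ed25519 public key. Used only to
    construct sample data; a real TPAM line comes from the TPAM host itself."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return "%s ssh-ed25519 %s" % (host, base64.b64encode(blob).decode())


def hash_host(host, salt):
    """Host field in OpenSSH's hashed form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_known_hosts_line(line):
    """Split one entry into marker, host pattern, key type and key blob, and
    reject entries that are malformed or whose type field contradicts the blob."""
    fields = line.split()
    marker = None
    if fields and fields[0].startswith("@"):      # e.g. @cert-authority, @revoked
        marker, fields = fields[0], fields[1:]
    if len(fields) < 3:
        raise ValueError("expected '<host> <key-type> <base64-key>'")
    host_pattern, key_type, b64 = fields[:3]
    if key_type not in SUPPORTED_KEY_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    blob = base64.b64decode(b64, validate=True)   # raises ValueError on bad base64
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type field does not match the encoded key")
    return {"marker": marker, "host": host_pattern, "type": key_type, "blob": blob}


def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints it (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_matches(host_pattern, server, port=22):
    """True if the entry's host field covers server:port. Wildcard patterns are
    deliberately not accepted: the entry should name the TPAM host exactly."""
    candidate = server if port == 22 else "[%s]:%d" % (server, port)
    if host_pattern.startswith("|1|"):
        _, _, salt_b64, _ = host_pattern.split("|")
        expected = hash_host(candidate, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, host_pattern)
    return candidate in host_pattern.split(",")


def verify_entry(line, server, port=22):
    """Parse the configured server_public_key line, check that it is for the
    configured server and port, and return the fingerprint to confirm out of band."""
    entry = parse_known_hosts_line(line)
    if entry["marker"] == "@revoked":
        raise ValueError("entry is marked @revoked")
    if not host_matches(entry["host"], server, port):
        raise ValueError("entry does not cover %s:%d" % (server, port))
    return fingerprint(entry["blob"])
```

`ssh-keyscan -p <server_port> <server>` prints the host keys of a server in exactly this line format; the fingerprint that `verify_entry` returns is the value to compare against what the TPAM administrator reports before the line is saved in the plugin configuration.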
server_port
Type: integer
Required: no
Default: 22
Description: The port where TPAM is listening for SSH connections.
server_user
Type: string
Required: yes
Default: N/A
Description: The user name of a CLI user with Information Security Administrator (ISA) access rights to TPAM. SPS sets up the SSH connection to TPAM using this ISA CLI user. This user must be present in TPAM.
For details on how to add this user in TPAM, or how to obtain its user name if the user is already present, see Adding an ISA CLI user.
server_user_key
Type: string
Required: yes
Default: N/A
Description: The SSH-compatible RSA private key of server_user. This key must be stored in a Credential Store defined under cred_store in the [plugin] section.
For details on how to obtain the key, see Obtaining the private key of the ISA CLI user.
For details on how to store the key in a local Credential Store policy on SPS, see Storing sensitive plugin data securely.
system_name_resolver
Type: tpam | dns
Required: no
Default: tpam
Description: TPAM expects the address of the target host as a hostname rather than as an IP address. This parameter specifies where to take the target hostname from when the address of the target host has been provided as an IP address. The possible values are tpam and dns.
system_maptoreal
Type: yes | no
Required: no
Default: no
Description: If this parameter is set to yes, an additional lookup is performed on TPAM to map the Account-System pair to the custom attributes ManagedAccount.AccountCustom1 and ManagedAccount.AccountCustom2. If the mapping is successful, the password corresponding to the custom pair is retrieved.
NOTE: Custom attributes in TPAM must be enabled by a System Administrator. For details, see Enabling custom attributes in TPAM.
system_prefix
Type: string
Required: no
Default: empty string
Description: Any prefix of your choice. The TPAM plugin prepends this prefix, followed by an underscore (_), to the target hostname when constructing the System name for TPAM.
reuse_gateway_password
Type: yes | no
Required: no
Default: no
Description: If this parameter is set to yes and the gateway user is the same as the target user accessing the protected server, the gateway password is reused as the password required to access the target host, effectively skipping password checkout from TPAM.
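The parameter tables above amount to a small set of rules (which options are required, which values are allowed, what the defaults are), and a misconfigured plugin tends to fail only at session time. The following is an added example of checking a configuration against those rules before it is deployed; it is not code from the plugin or from One Identity. The sample configuration is constructed: the server, user and credential-store names are placeholders, the public key value is not a real key, and the `<reference-to-key-held-in-credential-store>` value stands in for however the key is referenced, which this page does not specify. The `system_name` helper encodes one reading of the system_prefix description, `<prefix>_<hostname>`.

```python
import configparser

# Constructed sample that follows the layout shown on this page; names are
# placeholders and the public key value is not a real key.
SAMPLE_CONFIG = """
[tpam]
authorization=policy
required_policy=Privileged Access
server=tpam.example.com
server_public_key=tpam.example.com ssh-rsa AAAA-placeholder-not-a-real-key
server_port=22
server_user=sps_isa
server_user_key=<reference-to-key-held-in-credential-store>
system_name_resolver=tpam
system_maptoreal=no
system_prefix=sps
reuse_gateway_password=no

[plugin]
config_version=1
cred_store=tpam_secrets
log_level=info
"""

REQUIRED = ("server", "server_public_key", "server_user", "server_user_key")
ALLOWED = {
    "authorization": {"approval", "gateway", "policy"},
    "system_name_resolver": {"tpam", "dns"},
    "system_maptoreal": {"yes", "no"},
    "reuse_gateway_password": {"yes", "no"},
}
DEFAULTS = {
    "authorization": "gateway",
    "required_policy": "Privileged Access",
    "server_port": "22",
    "system_name_resolver": "tpam",
    "system_maptoreal": "no",
    "system_prefix": "",
    "reuse_gateway_password": "no",
}


def parse_plugin_config(text):
    """Read the ini text; %(name)s references are expanded as the format allows."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def effective(parser, name):
    """Value of a [tpam] option, falling back to the documented default."""
    return parser.get("tpam", name, fallback=DEFAULTS.get(name, "")).strip()


def validate(parser):
    """Return (severity, message) findings; 'error' means the plugin cannot work."""
    findings = []
    if not parser.has_section("tpam"):
        return [("error", "missing [tpam] section")]
    for name in REQUIRED:
        if not effective(parser, name):
            findings.append(("error", "[tpam] %s is required" % name))
    for name, allowed in ALLOWED.items():
        value = effective(parser, name)
        if value not in allowed:
            findings.append(("error", "[tpam] %s=%r must be one of %s" % (name, value, sorted(allowed))))
    port = effective(parser, "server_port")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("error", "[tpam] server_port=%r is not a valid TCP port" % port))
    if effective(parser, "authorization") == "policy" and not effective(parser, "required_policy"):
        findings.append(("error", "[tpam] required_policy is empty but authorization=policy"))
    if "PRIVATE KEY" in effective(parser, "server_user_key"):
        findings.append(("error", "[tpam] server_user_key contains key material; store the key in the Credential Store"))
    if not parser.get("plugin", "cred_store", fallback="").strip():
        findings.append(("error", "[plugin] cred_store is required: server_user_key is stored there"))
    if effective(parser, "reuse_gateway_password") == "yes":
        findings.append(("warning", "[tpam] reuse_gateway_password=yes skips password checkout from TPAM"))
    if effective(parser, "system_maptoreal") == "yes":
        findings.append(("warning", "[tpam] system_maptoreal=yes needs custom attributes enabled in TPAM"))
    return findings


def errors(parser):
    """Only the findings that make the configuration unusable."""
    return [m for s, m in validate(parser) if s == "error"]


def system_name(target_host, prefix):
    """System name sent to TPAM: '<prefix>_<host>', or the bare host when no
    prefix is configured (one reading of the system_prefix description)."""
    return "%s_%s" % (prefix, target_host) if prefix else target_host
```

The two warnings are deliberate: reuse_gateway_password=yes bypasses the TPAM checkout that the plugin exists to enforce, and system_maptoreal=yes silently depends on a TPAM-side setting, so both deserve a second look at review time even though neither is an error.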