This section provides detailed instructions as to what to configure on SPS:
The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to retrieve the credentials used to login to the target host using a custom plugin.
To use a custom Credential Store plugin, you have to upload a working Credential Store plugin to SPS. This plugin is a script that can be used to access an external Credential Store or Password Manager. If you want to create such a custom Credential Store plugin, contact our Support Team or see or see the documentation about custom Credential Store plugins.
Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication. Therefore, gateway authentication must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide.
To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins > Upload/Update Plugins, browse for the file and click Upload.
It is not possible to upload or delete Credential Store plugins if SPS is in sealed mode.
Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.
To configure SPS to retrieve the credentials used to login to the target host using a custom plugin
Navigate to Policies > Credential Stores.
Click and enter a name for the Credential Store.
Select External Plugin, then select the plugin to use from the Plugin list.
If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.
Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.
Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click .
By default, the configuration of the plugin is stored on SPS in the configuration of SPS. Make sure that you store the sensitive parameters (server_user_key) of the plugin in an encrypted way.
To store sensitive plugin data securely
Log in to SPS and create a local Credential Store. For details, see "Configuring local Credential Stores" in the Administration Guide.
Instead of usernames and passwords, you will store the configuration parameters of the plugin in this Credential Store.
Add the plugin parameters you want to store in an encrypted way to the Credential Store. You can store any configuration parameter of the plugin in the Credential Store, but note that if an option appears in the Credential Store, the plugin will use it. If the same parameter appears in the configuration of the plugin, it will be ignored.
Enter the name of the configuration section without the brackets in the Host field (tpam).
Enter the name of the plugin parameter in the Username field (server_user_key).
Enter the value of the plugin parameter in the SSH Keys field.
Commit your changes, and navigate to the configuration of the plugin on the Policies > Credential Stores page.
In the plugin configuration file, enter the name of the local Credential Store under the [plugin] section, in the cred_store parameter.
To set up gateway authentication on the connection that uses TPAM as the Credential Store, follow the instructions in: