Chat now with support
Chat with Support

Safeguard for Privileged Sessions On Demand Hosted - Hashicorp Vault as Credential Store

Introduction

This tutorial describes how you can connect One Identity Safeguard for Privileged Sessions (SPS) and your Hashicorp Vault with a Credential Store Plugin.

SPS can interact with Hashicorp Vault and can automatically retrieve the password or SSH key of the target host to form a comprehensive Privileged Access Management solution to protect critical assets and meet compliance requirements.

Technical requirements

To successfully connect SPS with Hashicorp Vault, you need the following components:

  • A valid, working Hashicorp Vault server or cluster of servers with the following configuration:

    • In case of explicit authentication:

      A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.

    • In case of gateway-based authentication:

      SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.

  • A SPS appliance (virtual or physical), at least version 6.2.0.

  • A Credential Store plugin for Hashicorp Vault.

    SPS uses plugins to interact with third-party credential stores and password vaults. One Identity provides the sample Hashicorp Vault plugin free of charge, and provides help to customize it for your environment.

How SPS and Hashicorp Vault work together

Authentication:

The plugin can use either explicit or gateway-based credentials.

  • In case of explicit authentication:

    A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.

  • In case of gateway-based authentication:

    SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.

Secret lookup:

Interactive scenario: If the secrets in Hashicorp are stored in an unstructured way, SPS will have to retrieve the path to the secret from the end-user.

Alternatively, you can pass the vault path to the plugin by including vp= in the username. For example: vp=secret/linux/webserver/root@gu=exampleusername@root

The proxy will tokenize the above username by the @ delimiter, and parse out the following information:

  • Target username: root

  • Gateway username: exampleusername

  • Vault path: secret/linux/webserver/root

Automatic scenario: If the secrets are organized around server user names in Hashicorp Vault, then the path to the secret is generated from configuration and the server user name.

Hashicorp Vault scenarios

The following scenarios are the most common methods to use SPS and Hashicorp Vault together.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating