|
NOTE:
This tutorial describes the deprecated version of the plugin. To upgrade your deprecated plugin for One Identity Safeguard for Privileged Sessions 6.0, see Upgrading plugins for One Identity Safeguard for Privileged Sessions version 6.0. |
This tutorial describes how to connect your One Identity Safeguard for Privileged Sessions (SPS) with TPAM using a plugin to automatically retrieve passwords.
Users wishing to access a target host are able to authenticate themselves without actually having access to the credentials required to access that host. Passwords are retrieved by SPS from TPAM using a plugin, with SPS impersonating the authenticated user and TPAM acting as the repository of user credentials (a Credential Store in SPS terminology).
This automatic password retrieval is crucial as this method protects the confidentiality of passwords, enabling you to protect critical assets and meet compliance requirements.
A client attempts to establish a connection to a protected server (the target host) through SPS as a gateway.
In SPS, TPAM is configured as a Credential Store (together with a TPAM plugin) in the connection policy matching the connection.
Performs certain checks about the gateway user.
If the checks are successful and the client is granted access, SPS retrieves from TPAM the password required to establish the connection between the client and the target host.
To successfully connect SPS with TPAM, you need the following components.
If you do not want the password to be automatically provided by TPAM following successful gateway authentication, one of the following is required (depending on the chosen authorization method):
A client attempts to establish a connection to a protected server (the target host) through SPS as a gateway.
In SPS, TPAM is configured as a Credential Store (together with a TPAM plugin) in the connection policy matching the connection.
For details on setting up gateway authentication on the connection that uses TPAM as a Credential Store, see Configuring gateway authentication.
For details on configuring a TPAM plugin, see Using a custom Credential Store plugin to authenticate on the target hosts.
To retrieve the password required to access the target host from the configured Credential Store (that is, TPAM), SPS establishes an SSH connection to TPAM as an Information Security Administrator (ISA) CLI user present in TPAM.
For details on how to add an ISA CLI user in TPAM with ISA permissions at the Account level, see Adding an ISA CLI user and Assign ISA access policies to ISA CLI user.
the private server_user_key of the ISA CLI user
This key must be stored in a local Credential Store on SPS. For details, see Storing sensitive plugin data securely.
The TPAM plugin maps the data received from SPS to corresponding data entries in TPAM so that TPAM receives data that it can process. The goal is to match up SPS data with TPAM data as follows:
Data in SPS | Data in TPAM |
---|---|
gateway user | Requestor |
target user | Account |
target host | System |
The TPAM plugin calculates the hostname of the target host. TPAM expects the address of the target host as a hostname rather than as an IP address.
If the address of the target host is an IP address, there are two options depending on how the system_name_resolver parameter is configured in the TPAM plugin:
If the address of the target host is in FQDN format, then the hostname part of the FQDN is kept.
Optionally, this step might involve an extra round of mapping. If the relevant setting (system_maptoreal) is enabled, the TPAM plugin performs a lookup to check whether the Account-System pair is mapped to custom fields set in TPAM. If yes, then it is the password corresponding to the custom data entries that TPAM will retrieve.
Account-System data in TPAM | Custom data in TPAM |
---|---|
Real Account | ManagedAccount.AccountCustom1 |
Real System | ManagedAccount.AccountCustom2 |
For details on how to enable custom fields in TPAM, see Enabling custom attributes in TPAM.
SPS retrieves information from TPAM through the TPAM plugin. Depending on how the authorization parameter is configured, the following happens:
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center