The following are the steps required to configure Safeguard A2A.

Prerequisites
- Program or script to access the Safeguard A2A API.
  Customers are strongly encouraged to use the PowerShell Safeguard-ps library available here.
- Certificate or PKI.
  To create a programmatic user, a certificate is required. This KB article creates a certificate using OpenSSL.

Steps

1. Certificate Creation
Create a certificate
openssl req -newkey rsa:2048 -nodes -keyout mykey.key -x509 -days 365 -out mycrt.crt
Take note of the certificate thumbprint
openssl x509 -noout -fingerprint < mycrt.crt
Convert to pfx (Windows only, as this guide uses PowerShell libraries)
openssl pkcs12 -out combined.pfx -in mycrt.crt -inkey mykey.key -export

2. Safeguard Configuration
Add certificate to Trusted Certificates in Safeguard
Admin Tools | Settings | Certificates | Trusted Certificates
Create a certificate user
Admin Tools | Users
*Use the thumbprint of the certificate you created earlier.
Enable A2A via the API
Navigate to https://[appliance]/service/appliance/swagger
Authorize with Operations Admin.
Expand the 'A2A' API endpoint.
Expand POST /v2/A2AService/Enable
Click 'Try it out!' (response code should be 200)
*This enables a new API, http://[appliance]/service/a2a/swagger
Create Registration
Admin Tools | Settings | External Integration | Application to Application
Click '+'
Select name and enable Credential Retrieval
Select accounts the Registration can manage
Copy the API key for the account whose password is to be requested
Admin Tools | Settings | External Integration | Application to Application
Select registration
Click key icon
Copy API key
To request a credential using the PowerShell credential request cmdlet, do the following:
Get Credential:
Get-SafeguardA2aPassword -Appliance [ip] -Insecure -CertificateFile [filepath to pfx] -ApiKey [key string]
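
The Certificate Creation step above as one non-interactive script, added here as an example and not taken from the KB article or from the vendor: it keeps the unencrypted key owner-only, prints the thumbprint without colons, and checks that combined.pfx holds the same certificate. The subject name, the PFX_PASS variable, the --run switch and the colon-free 40-character thumbprint form are assumptions.

```shell
#!/bin/sh
# Added example: the article's certificate steps as one script.
# File names are the article's; SUBJECT and PFX_PASS are assumptions.
set -eu
SUBJECT="${SUBJECT:-/CN=a2a-client-example}"   # constructed subject name

# "SHA1 Fingerprint=AB:CD:..." -> "ABCD..." (hex only, upper case).
normalize_thumbprint() {
  sed -e 's/^.*=//' | tr -d ':\r\n ' | tr 'a-f' 'A-F'
}

# True when $1 is exactly 40 upper-case hex characters (a SHA-1 digest).
is_thumbprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Create mykey.key and mycrt.crt in directory $1; print the thumbprint.
make_a2a_cert() (
  cd "$1"
  umask 077   # -nodes writes the key unencrypted, so keep it owner-only
  openssl req -newkey rsa:2048 -nodes -keyout mykey.key \
    -x509 -days 365 -subj "$SUBJECT" -out mycrt.crt 2>/dev/null
  openssl x509 -noout -fingerprint -sha1 < mycrt.crt | normalize_thumbprint
)

# Bundle certificate and key into combined.pfx, password from $PFX_PASS.
make_pfx() (
  cd "$1"
  umask 077
  openssl pkcs12 -out combined.pfx -in mycrt.crt -inkey mykey.key \
    -export -passout env:PFX_PASS
)

# Thumbprint of the certificate stored inside combined.pfx.
pfx_thumbprint() {
  openssl pkcs12 -in "$1/combined.pfx" -nokeys -passin env:PFX_PASS \
    2>/dev/null | openssl x509 -noout -fingerprint -sha1 | normalize_thumbprint
}

if [ "${1:-}" = "--run" ]; then
  : "${PFX_PASS:?export PFX_PASS with the PFX password first}"
  out="${2:-.}"
  tp="$(make_a2a_cert "$out")"
  is_thumbprint "$tp" || { echo "unexpected fingerprint: $tp" >&2; exit 1; }
  make_pfx "$out"
  [ "$tp" = "$(pfx_thumbprint "$out")" ] || { echo "PFX mismatch" >&2; exit 1; }
  echo "Thumbprint for the certificate user: $tp"
fi
```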