One Identity Safeguard for Privileged Sessions 6.9.3 - Hashicorp Vault as Credential Store

secrets_path

Description: The path of the endpoint under which the user names and passwords are stored as secrets. For example, secrets/users. The server username is then appended to the path on-the-fly. This compound path points to an object that has the password or key as one of its fields. You can specify the name of the field that stores the password and the key in the password_field and key_field options.

The user can override this field when using the Interactive scenario, see Interactive scenario.

If the path to the endpoint contains a literal slash (/) or hashmark (#) character, double this character. For example, if the path is secrets/my#endpoint, use secrets/my##endpoint to escape the special character.

key_field

Description: The value field to retrieve the SSH private key secret from.

The user can override this field when using the Interactive scenario, see Interactive scenario.

password_field

Description: The value field to retrieve the password secret from. This parameter is not related to the password parameter.

The user can override this field when using the Interactive scenario, see Interactive scenario.

default_type

Description: Determines the type of credential (key or password) that the plugin retrieves from the Hashicorp Vault. If not specified, the plugin attempts to retrieve both a key and a password.

If the default_type is set, but the user wants to authenticate with another credential type (password instead of key, or key instead of password), the user can specify the credential type in the prompt when using the Interactive scenario by beginning the secret path with password:// or key:// (you can use the p:// or k:// abbreviations as well).

Declaration

[tls]
enabled = yes
ca_cert = $[<trusted-ca-list-name>]
client_cert = <client-certificate-and-key>

enabled

Description: To disable TLS completely, enter no as the value of this parameter.

ca_cert

Description: Configure this parameter to enable client-side verification. The certificate shown by the server will be checked with this CA.

If the value of this parameter is $[<trusted-ca-list-name>], the certificates are retrieved from the trusted CA list configured on SPS, identified by the name.

When the certificate is inserted into the configuration file (<ca-certificate-chain>, it must be in PEM format and all the new lines must be indented with one whitespace. If it is a chain, insert the certificates right after each other.

client_cert

Description: Configure this parameter to enable server-side verification.

If the value of this parameter is $, the certificate identified by the section and option pair is retrieved from the configured Credential Store.

When the certificate is inserted into the configuration file, it must be in PEM format and all the new lines must be indented with one whitespace. Note that encrypted keys are not supported.

Declaration

[credential_store]
name=<name-of-credential-store-policy-that-hosts-sensitive-data>

name

Description: The name of a local Credential Store policy configured on SPS. You can use this Credential Store to store sensitive information of the plugin in a secure way (for example, the secrets_path value in the [hashicorp] section).

For details, see Store sensitive plugin data securely.

Declaration

[logging]
log_level=info

log_level

Description: The logging verbosity of the plugin. The plugin sends the generated log messages to the SPS syslog system. You can check the log messages in the Basic settings > Troubleshooting > View log files section of the SPS web interface. To show only the messages generated by the plugins, filter on the plugin: string.

The possible values are:

• debug

• info

• warning

• error

• critical

For details, see Python logging API's log levels: Logging Levels.