立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 7.1 - Secrets Vault User Guide

Introduction to the Secrets Broker Vault

The Secrets Broker Vault add-on converts the open source Secrets Broker product into a Secrets Broker Vault which includes a built-in vault and is capable of storing and forwarding credentials using all of the Hashicorp Vault commandline tools. It will also support all of the Hashicorp REST APIs. For information on the open source Secrets Broker product plus initial installation and configuration information required for Secrets Broker Vault, see Secrets Broker open source project site.

Prerequisites

While deploying the Secrets Broker Service does not require any prior configuration to the Safeguard for Privileged Passwords Appliance, deploying the Secrets Broker Vault Add-on requires some preconfiguration. The following outlines the configuration that must be on the Secrets Broker Service as well as the corresponding Safeguard for Privileged Passwords appliance.

The following are required prior to installing the Secrets Broker Vault:

  1. Download and install the Safeguard Secrets Broker for DevOps 6.12 or higher from the Secrets Broker open source project site.

  2. Follow all of the Secrets Broker installation and configuration instructions on the Secrets Broker open source project site.

  3. Configure the Secrets Broker Service using the web interface:

    • Specify the Safeguard for Privileged Passwords appliance that will be connected to the Secrets Broker Service.

    • Create a new client certificate from a CSR or upload a new client certificate.

    • Import the trusted certificates from the connected Safeguard for Privileged Passwords appliance.

  4. Purchase and install the Secrets Broker Vault add-on license. Since the Secrets Broker Vault Add-on is an add-on product, it requires an additional license that must be added to the Safeguard for Privileged Passwords appliance that the Secrets Broker Vault has been connected to.

Deploying the Secrets Broker Vault

Once the Prerequisites have been completed, the Secrets Broker Vault Add-on is ready to be installed on the Secrets Broker Service. By uploading the Secrets Broker Vault Add-on to the Secrets Broker Service, the add-on will automatically convert the Secrets Broker Service into a Secrets Broker Vault.

Deploying the add-on module does not disable any of the existing Secrets Broker Service functionality. The Secrets Broker Vault Add-on is completely additive. Deploying the add-on takes all of the current Secrets Broker functionality and adds an embedded vault that is capable of storing credentials that have been pushed from the Safeguard for Privileged Passwords appliance. These credentials can then be accessed using the existing Hashicorp Vault command line tools. The embedded vault can also be configured with additional functionality in the same way that any other Hashicorp Vault can be modified, such as new secrets engines and authentication methods.

To deploy the Secrets Broker Vault add-on

  1. As stated in the Prerequisites, follow all installation and configuration instructions on the Secrets Broker open source project site.

  2. Once the open source Secrets Broker service has been installed and configured, use the Upload button in the Add-ons section to upload the .sbao file you received from One Identity upon purchasing the add-on. Secrets Broker Vault will validate the license and validate that the add-on .sbao file is valid. If a valid Secrets Broker Vault Add-on license has not been installed on the connected Safeguard for Privileged Passwords, the upload button will not be available

    The Secrets Broker Vault add-on .sbao file will automatically convert the open source Secrets Broker service into a Secrets Broker Vault which includes a built-in vault and is capable of storing and forwarding credentials using all of the Hashicorp Vault commandline tools. It will also support all of the Hashicorp REST APIs.

  3. Once fully deployed, the Secrets Broker Vault requires that the user open the Secrets Broker Vault settings page and finish the configuration.

    1. Click the Secrets Broker Vault button in the Add-ons section.

    2. In the Add-on Settings dialog, click the Configuring Add-on button to complete the configuration.

      Once that is done, the settings page should show that the Secrets Broker Vault add-on is healthy and that it is a valid One Identity add-on.

    3. Enter the Secrets Broker Vault Plugin setup page by clicking on the Manage Accounts button on the plugin tile.

    4. Click on the Test Configuration button to test the configuration of the plugin.

At this point the Secrets Broker instance should have been converted to a Secrets Broker Vault with the following in place:

  • Open Source Secrets Broker service running.

  • Embedded vault running alongside the Secrets Broker service.

    • Configured with a One Identity policy.

    • Configured with a One Identity Key/Value secrets engine.

  • Embedded web proxy listening to port 443 and forwarding requests to the Secrets Broker service or the embedded vault.

  • Secrets Broker Vault plugin configured to push credentials to the embedded vault.

  • The connected Safeguard for Privileged Passwords appliance should have been updated with the following:

    • A new Other type asset that corresponds to the Secrets Broker instance.

    • 5 vault accounts with associated credentials. 1 root account and 4 unseal shards.

    • A new dynamic account group that corresponds to the Secrets Broker instance and contains all of the vault accounts.

Post-deployment configuration and information

Once you have completed Deploying the Secrets Broker Vault, the following configuration is available:

自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级