
One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide


Application to Application

In order for third-party applications to use the Application to Application service to integrate with the SPP vault, you must first register the application in SPP. This can be done using the Security Policy Management > Application to Application page described below. Once the application is registered, you can enable or disable the service. For more information, see Global Services.

Application to Application displays a list of previously registered third-party applications. From this page, the Security Policy Administrator can add new application registrations, and modify or remove existing registrations. The Application to Application page displays the following details about application registrations.

Table 190: Application to Application: Properties
Property Description

Name

The name assigned to the application's registration.

Certificate User

The name of the certificate user associated with the registered application.

NOTE: If there is no certificate user listed for an application registration, contact your Security Policy Administrator to add one. The Application to Application service on the third-party application will not work with the SPP vault until a certificate user has been specified.

Enable/Disable

Indicates whether the application registration is enabled. The toggle appears blue with the switch to the right when the service is enabled, and gray with the switch to the left when the service is disabled. Click the toggle to enable or disable an application registration.

NOTE: When an application registration is disabled, Application to Application access is disabled for that third-party application until the registration is enabled again.

Description

Information about the application's registration.

Use these toolbar buttons to manage application registrations.

Table 191: Application to Application: Toolbar
Option Description

Add

Add an application registration to SPP. For more information, see Adding an application registration.

Remove

Remove the selected application registration from SPP. For more information, see Deleting an application registration.

Refresh

Update the list of application registrations.

Edit

Modify the selected application registration.

About Application to Application functionality

Using the Application to Application service, third-party applications can interact with SPP in the following ways:

  • Credential retrieval: A third-party application can retrieve a credential from the SPP vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
  • Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to SPP to retrieve a password or start a session.

NOTE: If Offline Workflow Mode is triggered, Application to Application operations are halted for the number of minutes it takes to move to Offline Workflow Mode. For more information, see About Offline Workflow Mode.

Credential retrieval

A credential retrieval request using the Application to Application service allows the third-party application to retrieve credentials from the SPP vault without having to go through the normal workflow process.

For example, say you have an automated system that performs a routine system diagnostic on various services in the data center every 24 hours. In order for the automated system to perform the diagnostics, it must first authenticate to the target server. Since all of the credentials for the target servers are stored in the SPP vault, the automated system retrieves the credentials for a specified system by calling the Application to Application service.
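As an added example (not code from the SPP documentation or product), the following Python client shows the retrieval described above, written the way the 24-hour diagnostic job would use it: the credential is fetched just before use instead of being hard coded. The endpoint path `/service/a2a/v4/Credentials?type=Password`, the `Authorization: A2A <api key>` header scheme and the JSON-string response body are assumptions about the SPP A2A REST API that this page does not document; verify them against Making a request using the Application to Application service. The appliance name and certificate path are placeholders, and `fake_appliance` is a constructed stand-in so the script runs offline.

```python
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical values: substitute your appliance address and the certificate
# issued by your corporate PKI for the registration's certificate user.
APPLIANCE = "appliance.example.com"
CLIENT_CERT_PEM = "/etc/diag/a2a-client.pem"   # certificate followed by its private key
# Assumption (not stated on this page): the A2A REST endpoint for password retrieval.
A2A_PASSWORD_URL = f"https://{APPLIANCE}/service/a2a/v4/Credentials?type=Password"


@dataclass
class A2AResponse:
    status: int
    body: bytes


Transport = Callable[[urllib.request.Request], A2AResponse]


def build_request(api_key: str, url: str = A2A_PASSWORD_URL) -> urllib.request.Request:
    """Build the credential retrieval request.

    Assumption: the API key travels in the Authorization header with the "A2A"
    scheme; the certificate user is authenticated at the TLS layer by the client
    certificate, so no bearer token is involved.
    """
    if not api_key or any(ch.isspace() for ch in api_key):
        raise ValueError("API key must be a non-empty token without whitespace")
    return urllib.request.Request(
        url,
        headers={"Authorization": f"A2A {api_key}", "Accept": "application/json"},
        method="GET",
    )


def tls_transport(cert_pem: str, key_pem: Optional[str] = None,
                  ca_bundle: Optional[str] = None) -> Transport:
    """Real transport: mutual TLS with the registration's client certificate.

    The appliance's own certificate is still verified (ca_bundle or system trust),
    so a rogue "appliance" cannot harvest the API key.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(cert_pem, key_pem)

    def send(req: urllib.request.Request) -> A2AResponse:
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
                return A2AResponse(resp.status, resp.read())
        except urllib.error.HTTPError as err:
            return A2AResponse(err.code, err.read())

    return send


def retrieve_password(api_key: str, transport: Transport) -> str:
    """Fetch the password for the account assigned to this registration's API key."""
    resp = transport(build_request(api_key))
    if resp.status in (401, 403):
        raise PermissionError(
            f"A2A request rejected (HTTP {resp.status}): check that the registration is "
            "enabled, the certificate user and API key match, and the caller's IP is "
            "within the account's restriction list")
    if resp.status != 200:
        raise RuntimeError(f"unexpected HTTP status {resp.status}")
    # Assumption: the body is a JSON-encoded string holding the password.
    password = json.loads(resp.body.decode("utf-8"))
    if not isinstance(password, str) or not password:
        raise RuntimeError("response did not contain a password")
    return password


def fake_appliance(valid_key: str, password: str) -> Transport:
    """Constructed offline stand-in for the appliance so the example runs without a network."""
    def send(req: urllib.request.Request) -> A2AResponse:
        if req.get_header("Authorization") != f"A2A {valid_key}":
            return A2AResponse(401, b"")
        return A2AResponse(200, json.dumps(password).encode("utf-8"))
    return send


def run_diagnostic(api_key: str, transport: Transport) -> bool:
    """The scheduled job: fetch the credential just before use instead of hard coding it."""
    password = retrieve_password(api_key, transport)
    # ... authenticate to the target server with `password` here ...
    # Never log the value; let it go out of scope once the session is established.
    return len(password) > 0


if __name__ == "__main__":
    # Offline demonstration with constructed data; against a real appliance use:
    #   run_diagnostic(api_key, tls_transport(CLIENT_CERT_PEM))
    print(run_diagnostic("demo-api-key", fake_appliance("demo-api-key", "s3cr3t-example")))
```

The transport is injectable so the retrieval logic can be exercised without an appliance; in production only `tls_transport` is used, and the API key is read from the application's own secret store rather than embedded in the script, since anyone holding both the certificate and the key can retrieve the same credentials.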

Access request broker

An access request broker request using the Application to Application service allows the application to create an access request on behalf of another user.

For example, say you have a ticketing system and one of the types of tickets that can be created is to request access to a specific asset. The ticketing system can be integrated with SPP through the Application to Application service to create an access request on behalf of the user that entered the ticket into the system. Once the request is created, it follows the normal access request workflow in SPP and the user who entered the ticket will be notified when access is granted.

For a third-party application to perform one of the tasks provided by the Application to Application service, the application must first be registered with SPP. The registration is associated with a certificate user, and authentication to the Application to Application service uses both the certificate and an API key. The registered application is not allowed to authenticate to SPP for any purpose other than the one specified in its registration. The properties associated with an application registration are:

  • API key: As part of the registration process, an API key is generated. An administrator must then copy this API key and make it available to the third-party application. Treat the API key as a secret: together with the certificate, it is all that the service requires to authenticate the application.

  • Certificate user: In addition to the API key, the application registration must be associated with a certificate user. The certificate that is associated with the certificate user must be signed by a certificate authority that is also trusted by SPP.

    NOTE: Use your corporate PKI for issuing this certificate and installing it on the third-party application.

The Application to Application service is disabled by default and must be enabled before any credential retrievals or access request broker functions can be performed.

Using the web client:

  1. Navigate to Security Policy Management > Application to Application.

  2. In the Enabled column for the service, move the toggle to the right to enable the service.

Using the API, send a POST request to the following URL:

https://appliance/service/appliance/v4/A2AService/Enable

You can also check the current state of the service with a GET request to the following URL:

https://appliance/service/appliance/v4/A2AService/Status

Setting up Application to Application

In order to use Application to Application integration with SPP, you must perform the following tasks:

  1. Prepare the third-party application for integration with SPP.

  2. Appliance Administrator enables Application to Application service in SPP. Use one of the following methods:

    • Using the web client, navigate to Security Policy Management > Application to Application. In the Enabled column for the service, move the toggle to the right to enable the service.

    • Send a POST request to the following URL: https://appliance/service/appliance/v4/A2AService/Enable

  3. Asset Administrator adds assets and accounts to SPP. For more information, see Adding an asset and Adding an account.

  4. User Administrator adds certificate users to SPP. For more information, see Adding a user.

  5. Security Policy Administrator adds the application registration to SPP. For more information, see Adding an application registration.

  6. Get the API key and copy it into the third-party application so that the application can make requests. For more information, see Making a request using the Application to Application service.

Adding an application registration

To allow a third-party application to perform one of the tasks provided by the Application to Application service, you must register the third-party application with SPP.

Prerequisites
  • User Administrator adds certificate users to SPP.
  • Asset Administrator adds assets and accounts to SPP.

To add an application registration

  1. Log in to the SPP web client as a Security Policy Administrator.
  2. Navigate to Security Policy Management > Application to Application.
  3. Click Add. The New Registration dialog displays.

  4. Specify the following information: 
    1. Name: Enter a name for the application registration.
    2. Description: Enter information about the application registration.
    3. Certificate User: Click Browse to select the certificate user associated with the third-party application being registered.

      A certificate user must be specified. If not specified when you initially add an application registration, click Edit on the Application to Application page to specify the certificate user.

      NOTE: For SignalR event notifications, connect as the certificate user using the A2A API key for the retrievable account you want to monitor; that account must be assigned to an A2A registration under Credential Retrieval (Retrievable Accounts). The connected certificate user receives event notifications for any event related to that account (for example, password change, update, and delete). For more information, see Making a request using the Application to Application service.

    4. Visible To Certificate Users: Select this check box to make the registration, including the API keys, visible to the certificate user configured for the A2A registration.

  5. Click OK. This will save the initial application registration information and open a new dialog with additional settings.
  6. The Access Request Broker tab displays the users on whose behalf the third-party application can create an access request.

    • Click Add to add a user or user group to the list.
    • Click Edit Restrictions to specify IP address restrictions for all of the users and user groups in the list.

      A restriction is a list of IP addresses or IP address ranges that are allowed to call the Application to Application service to perform this task. That is, if a restriction is added to a Credential Retrieval or Access Request Broker task, the service only accepts requests that originate from the addresses in the restriction list.

      The IP address notation can be:

      • An IPv4 or IPv6 address (for example, 10.5.32.4).

      • An address range in CIDR notation (for example, 10.5.0.0/16).

    • Click Remove to remove the selected user or user group from the list.
  7. The Credential Retrieval tab displays the accounts whose credentials the third-party application can retrieve from SPP without going through the normal workflow process.

    • Click Add to add an account to the list.
    • Click Restrictions in the Restrictions column to specify IP address restrictions for the selected account.

      A restriction is a list of IP addresses or IP address ranges that are allowed to call the Application to Application service to perform this task. That is, if a restriction is added to a Credential Retrieval or Access Request Broker task, the service only accepts requests that originate from the addresses in the restriction list.

      The IP address notation can be:

      • An IPv4 or IPv6 address (for example, 10.5.32.4).

      • An address range in CIDR notation (for example, 10.5.0.0/16).

    • Click Remove to remove the selected account from the list.
  8. Click OK to save and close the dialog.
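The IP restrictions in steps 6 and 7 accept single IPv4 or IPv6 addresses and CIDR ranges. The following Python code is an added illustration of how such a restriction list is evaluated against a caller's source address; it is not SPP's own implementation and makes no claim about how the appliance evaluates restrictions internally. The restriction entries and caller addresses are constructed sample data.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_restrictions(entries: Iterable[str]) -> List[Network]:
    """Parse a restriction list of single addresses and CIDR ranges.

    Anything that is not a valid IPv4/IPv6 address or prefix is rejected outright
    so that a typo cannot silently widen the set of allowed callers.
    """
    networks: List[Network] = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            # A bare address becomes a /32 or /128 network. strict=True refuses a
            # prefix with host bits set (10.5.32.4/16), which is almost always a mistake.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid restriction entry {entry!r}: {exc}") from None
    return networks


def is_allowed(client_ip: str, restrictions: List[Network]) -> bool:
    """Return True when the caller may invoke the task.

    An empty restriction list leaves the task unrestricted by source address, so
    a registration with no restrictions accepts callers from anywhere that can
    reach the appliance.
    """
    if not restrictions:
        return True
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack listener may report an IPv4 caller as ::ffff:10.5.32.4; compare
    # its embedded IPv4 form so IPv4 restrictions still match.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership is False across address families, so an IPv6 caller never
    # matches an IPv4 prefix by accident.
    return any(addr in net for net in restrictions)


def evaluate(restriction_entries: List[str], callers: Iterable[str]) -> Dict[str, bool]:
    """Evaluate a batch of caller addresses against one task's restriction list."""
    nets = parse_restrictions(restriction_entries)
    return {ip: is_allowed(ip, nets) for ip in callers}


# Constructed sample: the restriction configured on one retrievable account, and
# the source addresses of several incoming A2A calls (not real traffic).
ACCOUNT_RESTRICTION = ["10.5.32.4", "10.5.0.0/16", "2001:db8:1::/48"]
SAMPLE_CALLERS = [
    "10.5.32.4",          # the single-host entry
    "10.5.200.7",         # inside 10.5.0.0/16
    "10.6.0.1",           # adjacent /16, must be denied
    "2001:db8:1::beef",   # inside the IPv6 prefix
    "2001:db8:2::1",      # outside it
    "::ffff:10.5.1.9",    # IPv4-mapped form of an allowed IPv4 caller
]

if __name__ == "__main__":
    for ip, ok in evaluate(ACCOUNT_RESTRICTION, SAMPLE_CALLERS).items():
        print(f"{ip:>20}  {'allow' if ok else 'deny'}")
```

Two points carry over to the real configuration: restrict each Credential Retrieval account to the specific hosts that run the integration rather than a broad range, and remember that an account with no restriction list can be retrieved from any address that presents the certificate and API key.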

Once an application registration is added to SPP, the third-party application can authenticate to SPP using the API key that was generated and the certificate associated with the registration. To make a request, you must retrieve the relevant API key for the application using an authorized account (that is, using bearer token authentication) and install the correct certificate on the host that will make the request. For more information, see Making a request using the Application to Application service.
