One Identity Safeguard for Privileged Sessions 7.1.1 - Hashicorp Vault as Credential Store

Introduction

This tutorial describes how you can connect One Identity Safeguard for Privileged Sessions (SPS) and your Hashicorp Vault with a Credential Store Plugin.

SPS can interact with Hashicorp Vault and can automatically retrieve the password or SSH key of the target host to form a comprehensive Privileged Access Management solution to protect critical assets and meet compliance requirements.

Technical requirements

To successfully connect SPS with Hashicorp Vault, you need the following components:

A valid, working Hashicorp Vault server or cluster of servers with the following configuration:
- In case of explicit authentication:
  A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.
- In case of gateway-based authentication:
  SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.
A SPS appliance (virtual or physical), at least version 6.2.0.
A Credential Store plugin for Hashicorp Vault.

SPS uses plugins to interact with third-party credential stores and password vaults. One Identity provides the sample Hashicorp Vault plugin free of charge, and provides help to customize it for your environment.

How SPS and Hashicorp Vault work together

Authentication:

The plugin can use either explicit or gateway-based credentials.

In case of explicit authentication:
A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.
In case of gateway-based authentication:
SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.

Secret lookup:

Interactive scenario: If the secrets in Hashicorp are stored in an unstructured way, SPS will have to retrieve the path to the secret from the end-user.

Alternatively, you can pass the vault path to the plugin by including vp= in the username. For example: vp=secret/linux/webserver/root@gu=exampleusername@root

The proxy will tokenize the above username by the @ delimiter, and parse out the following information:

Target username: root
Gateway username: exampleusername
Vault path: secret/linux/webserver/root

Automatic scenario: If the secrets are organized around server user names in Hashicorp Vault, then the path to the secret is generated from configuration and the server user name.

Hashicorp Vault scenarios

The following scenarios are the most common methods to use SPS and Hashicorp Vault together.

自助服务工具: 知识库; 通知和警报; 产品支持; 下载软件; 技术说明文件; 用户论坛; 视频教程; RSS订阅源

联系我们: 获得许可帮助; 技术支持; 查看全部

请选择您的产品：

为向您提供更好的服务，请填写'Purpose of your Chat'（联系目的）：

针对您的问题建议的解决方案