Add a Custom Platform or Application Platform

On the Custom Platforms page, you can add SSH and Telnet platforms, as well as SSH application platforms, tailored to your environment. Password Safe contains several built-in SSH and Telnet platforms designed for the most common configurations, such as Linux, Solaris, and Cisco. You can modify the details of built-in custom platforms to meet the needs of your environment. You can create new custom platforms for advanced configurations that are not supported by the built-in platforms, or for a platform that is currently not supported by Password Safe. You can also create new custom platforms by cloning a built-in or user-created custom platform.

All custom platforms work in the same way: by connecting to a remote SSH or Telnet server and waiting for a response. Once a response is received, a regular expression is evaluated against the response and the platform replies with a command that starts the process of changing a password on the relevant system.

Create a New Platform

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management > Custom Platforms.

Create New Custom Platform and Options button on the Custom Platforms page in Password Safe

  1. In the Custom Platforms pane, click Create New Custom Platform, and then select Create New Platform.

    Alternatively, click the vertical ellipsis button for a platform in the list, and then select Clone to clone an existing platform and modify its settings as desired.

 

  1. Configure the settings on the Options, Steps, and Check/Change Password tabs as detailed in the following sections.

Configure the Options Tab

  • Platform Name: Enter a name for the custom platform. The given name appears in the Platform lists throughout BeyondInsight and Password Safe and must be unique. Platform names cannot be changed after they have been created.
  • Platform ID and Platform Type are assigned by the system and cannot be entered or edited.
  • Active: Check this option to make the platform active in BeyondInsight and Password Safe.
  • Enable Login Account: Check this option to display the Use Login Account for SSH Sessions option under the Credentials section in the settings for a managed system. Use this feature when an account other than the functional account is used to log in to the managed system.
  • Enable Account Name Format: Check this option to display the Account Name Format dropdown under the Credentials section in the settings for a managed system.
  • Communications Protocol: Indicate if the custom platform uses Telnet or SSH.
  • Port: Use the default port of 22 for SSH or 23 for Telnet. Optionally, enter a port to test the settings.
  • Template Fields and Scripting:
    • Prompt regex: Regular expression that evaluates to the shell prompt of the remote system; for example, ~ ]#.
    • Config prompt regexand Elevated prompt regex: These two regular expressions are mainly meant for network appliances that have multiple prompts, depending on a mode. 
    • End of line: The end of line field specifies how the platform indicates to the SSH or Telnet server that it is sending a command. The default is the carriage return character (\r).
    • Exit Command: Leave the default command as exit, or specify a new command for the platform to exit SSH or Telnet.
    • Password command: Enter the command to change the password.
  • Enable Account Elevation: Check this option, if you want to select an Elevation Command.
  • Elevation Command: Select an elevation command from the list to enable the option to elevate the functional account permissions on a managed system. The following elevation command types are supported:
    • sudo
    • pbrun
    • pmrun
    • pbrun jumphost
  • Enable Jump Host: If you use the elevation command pbrun jumphost, you can configure the Privilege Management for Unix & Linux policy server host name to connect to. Check this option to enable the jump host, and then enter the policy server host name details when configuring the Check Password options on the Check/Change Password tab.
  • Enable Cisco Enable Password: Check this option to display the Change Enable Password option on the Functional Account tab under Advanced Details for a Cisco managed system.

Configure the Steps Tab

From the Steps tab, define the responses that you expect from the server and the replies the platform sends. The options include two groups: After Login and Error Handling.

Enter expect and response statements on the Steps tab when adding a custom platform.

  1. On the Steps tab, select the Step Type from the list. The template for expect statements changes depending on which of the following types is chosen:
    • Change Password: Manually changes the password for the custom platform.
    • Check Password: Tests the password by attempting a logon.
    • Replace Public Key: Runs a script to replace the public key.
  2. Use the default statement group to start the custom platform. Additional statements and statement groups can be created as required.
    • To create a new statement, click Add New Statement + at the bottom of an existing statement group.
    • To delete a statement, click the X at the right end of the Expect statement line.
    • To create a new statement group, click Add New Statement Group + at the bottom of the last statement group.
    • To delete a statement group, click the X and the right end of the statement group name.
    • To edit the name of the statement group, hover the cursor over the group name, click in the field, and then enter the name.

 

  1. Enter an Expect statement. There are two ways to populate the Expect field:
    • Type text or a regular expression in the field.
    • Use a template field variable: Click in the field, enter <<, and then select a template from the list.
  2. Enter a Response statement. There are two ways to populate the Response field:
    • Type text or a regular expression in the field.
    • Use a template field variable. Click in the field, enter <<, and then select a template from the list. 
  3. The Response type can be changed by selecting an option from the Send Response dropdown list. If goto is selected you need to select a statement group from the resulting list.
  4. Error Handling is enabled by default. Uncheck this option if error handling is not required. If error handling is required, ensure an error message is entered in the Expect statement for Error handling.
  5. The order of statement processing can be changed by clicking the Up or Down icons at the left of each Expect statement.

 

The following is an explanation of the functionality for each setting on the Steps tab, using a Linux platform as an example:

  • Error Handling: The error handling check ensures that when the statement comes in, all of the statements in the error handling section are evaluated first, before Enter your reason for login. For example, when the platform connects to the remote SSH server, the SSH server replies with:
    Welcome to Linux Mint
* Documentation:  http://www.linuxmint.com
Last login: Mon Apr 13 10:45:51 2015 from dev-machine
Enter your reason for login:

    The platform tries try to find a match, in the following order:

    - BADCOMMAND
- Usage:
- BAD PASSWORD
- Enter your reason for login:

    Screenshot of configuring the After Login settings for a custom platform.

    If a match is found for Enter your reason login, the platform replies with changing password. The platform expects the SSH server to send back the shell prompt and the platform replies with passwd <<manacctname>>.

    When the platform communicates with the remote server, it replaces the tags with data. In the image shown, <<manacctname>> is replaced by the managed account associated with the platform. These are template field variables that are inserted into the Expect box and Response box. If you have a prompt defined in the options tab as ~]$, the platform converts the tag <<prompt>> to this value when it evaluates the regular expressions.

  • Expect Statement: We recommend that you include the prompt in the regex of the Expect field to ensure the platform waits until all the data from the previous command is read from the target system before proceding to the next statement.

    The final Expect statement says expect all authentication tokens updated successfully and the response statement is finish with success. When you create a custom platform, you must be able to detect when a password has been successfully changed on the remote server. When you have detected this event, you must set the Action dropdown to finish with success.

  • Goto statements: The flow jumps to the group specified by the goto statement. Flow does not return to the original group. If a group is to be used as a goto, it should be designed such that the intended task of the platform is completed there.

Configure the Check/Change Password Tab

Once you complete the fields on the Check/Change Password tab, Password Safe runs the credentials. Log in to the host using the managed account name and follow through the configurations provided on the Steps tab.

Change Password and Check Password options when adding a Custom Platform.

  1. Select the Host from the dropdown.
  2. If you use the elevated credential pbrun jumphost, enter the IP address for the PBUL policy server in the Jumphost field.

Ensure the Enable Jump Host box is checked on the Options tab. Otherwise, the Jumphost field is not displayed on the Check/Change Password tab.

  1. Use the default port for SSH or Telnet. Optionally, enter a port to test the settings.
  2. Provide the details for the Functional Account Credentials.
  3. In the Elevation Command field, enter an elevated account such as sudo or sudoer to elevate the functional account permissions.
  4. Provide Managed Account Credentials and a new password.
  5. Click Change Password or Check Password, as applicable.
  6. When the test returns a successful connection, go to the Options tab, check the Active box, and then click Create Platform.