Advanced Settings

The following advanced settings can be configured outside the configuration tool:

Windows

Windows advanced settings are stored in the registry. If a value is not present, pspca uses the documented default.

LogFile

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\LogFile

Full path to the log file. If not provided, no log file is created. This value is set to <pspca install directory>\logs\pspca.log during the first run of pspca.

Type: String.

runuser

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\runuser

Account to use to run the Secrets Cache service on Linux. This registry value is set to nobody during the first run of pspca, but is not used on Windows.

Type: String.

http_rest\listen_host

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\http_rest\listen_host

The IP address on which Secrets Cache listens for REST API requests. This value is set to 0.0.0.0 during the first run of pspca.

Type: String.

http_rest\listen_port

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\http_rest\listen_port

The port on which Secrets Cache listens for REST API requests. This value is set to 443 during the first run of pspca.

Type: String or DWORD.

password_safe\host

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\host

Password Safe API hostname/IP and port number.

Type: String.

password_safe\http_timeout

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\http_timeout

Maximum number of seconds to wait for a response from the Password Safe API (default: 60). If set to 0, Secrets Cache will wait indefinitely.

Type: String.

password_safe\managed_accounts_limit

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\managed_accounts_limit

Maximum number of managed accounts to retrieve from Password Safe (default: 100000). This is used to set the value of the limit query parameter in the GET ManagedAccounts request that is sent to the Password Safe API during a cache refresh.

Type: DWORD.

password_safe\refresh_interval

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\refresh_interval

Default cache refresh interval (R) in milliseconds (default: 300000). During a cache refresh, the expiry date of each credential release request is examined, and the earliest expiry date (E) and the current time (T) are determined. If T < E < T + R, then the next cache refresh will be rescheduled to take place at time E.

Type: DWORD or QWORD.

password_safe\request_duration

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\request_duration

Default credential release request duration in minutes (default: 120). This is used to set the value of the DurationMinutes field in the body of a POST Requests or POST Aliases/{AliasId}/Requests request that is sent to the Password Safe API during a cache refresh, if the managed account or managed account alias does not have a DefaultReleaseDuration value set.

Type: DWORD or QWORD.
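The refresh_interval rule above (T, E and R) and the request_duration default, modelled as an added example that is not pspca's own code. It assumes that a credential release request expires DurationMinutes after the time it was created; times are epoch milliseconds and the sample values are constructed.

```python
# Added example, not part of pspca: models the refresh_interval rule
# (R = refresh interval in ms, T = now, E = earliest request expiry) and
# the request_duration default (DurationMinutes = 120). Assumption: a
# release request expires DurationMinutes after the time it was created.
DEFAULT_REFRESH_INTERVAL_MS = 300000   # password_safe\refresh_interval
DEFAULT_REQUEST_DURATION_MIN = 120     # password_safe\request_duration


def request_expiry_ms(created_ms, duration_minutes=DEFAULT_REQUEST_DURATION_MIN):
    """Expiry time (epoch ms) of a credential release request."""
    return created_ms + duration_minutes * 60_000


def next_refresh_ms(now_ms, expiries_ms, refresh_interval_ms=DEFAULT_REFRESH_INTERVAL_MS):
    """Time (epoch ms) of the next cache refresh.

    now_ms      -- T, the current time
    expiries_ms -- expiry times of the outstanding release requests
    Returns T + R unless the earliest expiry E satisfies T < E < T + R,
    in which case the refresh is pulled forward to E so the cache is
    rebuilt as soon as the first request lapses.
    """
    scheduled = now_ms + refresh_interval_ms          # T + R
    if not expiries_ms:
        return scheduled
    earliest = min(expiries_ms)                       # E
    if now_ms < earliest < scheduled:
        return earliest
    # E has already passed (E <= T) or lies beyond the window: keep T + R.
    # Only the earliest expiry is examined, exactly as the rule states.
    return scheduled


def refresh_schedule(now_ms, requests, refresh_interval_ms=DEFAULT_REFRESH_INTERVAL_MS):
    """Expiry of each (created_ms, duration_minutes) request and the next refresh."""
    expiries = [request_expiry_ms(c, d) for c, d in requests]
    return expiries, next_refresh_ms(now_ms, expiries, refresh_interval_ms)


if __name__ == "__main__":
    # Constructed sample: T = 10,000,000 ms; one request created 119 minutes
    # ago with the default 120-minute duration expires one minute from now,
    # so the refresh moves from T + 5 min to T + 1 min.
    now = 10_000_000
    reqs = [(now - 119 * 60_000, DEFAULT_REQUEST_DURATION_MIN), (now, 30)]
    exp, nxt = refresh_schedule(now, reqs)
    print("expiries:", exp, "next refresh in", (nxt - now) / 1000, "s")
```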

password_safe\request_reason

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\request_reason

Request reason (default: Secrets Cache Refresh; the legacy default was Password Cache Refresh). This is used to set the value of the Reason field in the body of a POST Requests or a POST Aliases/{AliasId}/Requests request that is sent to the Password Safe API during a cache refresh.

Type: String.

password_safe\rotation_policy

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\rotation_policy

Credential rotation policy:

  • 0 - always rotate (default)
  • 1 - rotate only if credentials are retrieved
  • 2 - never rotate

This is used in the following situations:

  • To set the value of the RotateOnCheckin field in the body of a POST Requests or a POST Aliases/{AliasId}/Requests request that is sent to the Password Safe API during a cache refresh.
  • To decide whether to update a credential release request to rotate the credential on check-in or expiry when that credential is retrieved via the Secrets Cache REST API.

Type: DWORD.

password_safe\secrets_limit

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\secrets_limit

Maximum number of secrets to retrieve from Secrets Safe (default: 100000). This is used to set the value of the limit query parameter in the GET Secrets-Safe/Secrets request that is sent to the Password Safe API during a cache refresh.

Type: DWORD.

password_safe\use_prev_creds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\use_prev_creds

Whether to return previous credentials if current credentials are unavailable when credentials are requested via the Secrets Cache REST API (default: 0 - no).

Type: DWORD (0/1).

Linux

For the advanced options and values available, refer to the Windows section, above. For Linux, the options and selections are stored in JSON format in /etc/opt/pbps/pspca.conf. The example below shows how the options are entered for the file. If an option is not included, the default value is used.

{
    "LogFile": "/var/opt/pbps/log/pspca.log",
    "runuser": "nobody",
    "http_rest": {
        "listen_port": 443,
        "listen_host": "0.0.0.0"
    },
    "password_safe": {
        "host": "psapi",
        "http_timeout": 60,
        "managed_accounts_limit": 100000,
        "refresh_interval": 300000,
        "request_reason": "Secrets Cache Refresh",
        "rotation_policy": 0,
        "use_prev_creds": false
    }
}
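A pre-restart check of a Linux pspca.conf against the key types and ranges documented above, as an added example that is not part of pspca or its documentation. The configuration text is constructed for the example: its http_timeout deliberately holds a hostname instead of a number of seconds, password_safe.host is missing, and rotation_policy is out of range.

```python
import ipaddress
import json

# Added example (not pspca's own code): validates a Linux pspca.conf against
# the key types and ranges documented above, before the service is restarted.
# The config below is constructed for the example; http_timeout deliberately
# holds a hostname instead of seconds and rotation_policy is out of range.
SAMPLE_CONF = """{
    "LogFile": "/var/opt/pbps/log/pspca.log",
    "runuser": "nobody",
    "http_rest": {"listen_port": 443, "listen_host": "0.0.0.0"},
    "password_safe": {"http_timeout": "psapi", "managed_accounts_limit": 100000,
                      "refresh_interval": 300000, "rotation_policy": 5}
}"""

def _is_int(value, minimum=0):
    # bool is a subclass of int in Python; JSON true/false must not pass here
    return isinstance(value, int) and not isinstance(value, bool) and value >= minimum

def check_pspca_conf(conf):
    """Return a list of problems found in a parsed pspca.conf dictionary."""
    problems = []
    http_rest = conf.get("http_rest", {})
    ps = conf.get("password_safe", {})
    host = http_rest.get("listen_host", "0.0.0.0")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        problems.append(f"http_rest.listen_host {host!r} is not an IP address")
    if host in ("0.0.0.0", "::"):  # the default listens on every interface
        problems.append("http_rest.listen_host binds all interfaces; restrict it if clients are local")
    port = http_rest.get("listen_port", 443)
    if not _is_int(port, 1) or port > 65535:
        problems.append(f"http_rest.listen_port {port!r} is not a valid TCP port")
    if "host" not in ps:
        problems.append("password_safe.host (Password Safe API host and port) is missing")
    if not _is_int(ps.get("http_timeout", 60)):
        problems.append("password_safe.http_timeout must be whole seconds (0 = wait indefinitely)")
    for key in ("managed_accounts_limit", "secrets_limit", "refresh_interval", "request_duration"):
        if key in ps and not _is_int(ps[key], 1):
            problems.append(f"password_safe.{key} must be a positive integer")
    if ps.get("rotation_policy", 0) not in (0, 1, 2):
        problems.append("password_safe.rotation_policy must be 0, 1 or 2")
    if ps.get("use_prev_creds", 0) not in (0, 1, False, True):
        problems.append("password_safe.use_prev_creds must be 0 or 1")
    return problems

def check_pspca_conf_text(text):
    """Parse a pspca.conf JSON document and validate it."""
    return check_pspca_conf(json.loads(text))
```

Running `check_pspca_conf_text(SAMPLE_CONF)` returns one line per finding; an empty list means every documented key that is present has a value of the documented type and range.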