Advanced Settings
The following advanced settings can be configured outside the configuration tool:
Windows
Windows advanced settings are stored in the registry. If a setting is not present, the default value is used.
LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\LogFile
Full path to the log file. If not provided, no log file is created. This value is set to <pspca install directory>\logs\pspca.log during the first run of pspca.
Type: String.
runuser
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\runuser
Account to use to run the Secrets Cache service on Linux. This registry value is set to nobody during the first run of pspca, but is not used on Windows.
Type: String.
http_rest\listen_host
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\http_rest\listen_host
The IP address on which Secrets Cache listens for REST API requests. This value is set to 0.0.0.0 (all interfaces) during the first run of pspca. Because every interface then accepts REST requests, set it to 127.0.0.1 when only clients on the same host need the cache.
Type: String.
http_rest\listen_port
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\http_rest\listen_port
The port on which Secrets Cache listens for REST API requests. This value is set to 443 during the first run of pspca.
Type: String or DWORD.
password_safe\host
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\host
Hostname or IP address, and port number, of the Password Safe API.
Type: String.
password_safe\http_timeout
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\http_timeout
Maximum number of seconds to wait for a response from the Password Safe API (default: 60). If set to 0, Secrets Cache waits indefinitely, so a single unresponsive API call can stall a cache refresh.
Type: String.
password_safe\managed_accounts_limit
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\managed_accounts_limit
Maximum number of managed accounts to retrieve from Password Safe (default: 100000). This is used to set the value of the limit query parameter in the GET ManagedAccounts request that is sent to the Password Safe API during a cache refresh. Accounts beyond this limit are not retrieved.
Type: DWORD.
password_safe\refresh_interval
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\refresh_interval
Default cache refresh interval (R) in milliseconds (default: 300000, i.e. five minutes). During a cache refresh, the expiry date of each credential release request is examined, and the earliest expiry date (E) and the current time (T) are determined. If T < E < T + R, the next cache refresh is rescheduled to take place at time E instead of at T + R.
Type: DWORD or QWORD.
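The rescheduling rule above, as an added example in Python (not part of BeyondTrust's documentation or of the pspca code). It assumes expiries are supplied as timezone-aware datetimes, that a request with no recorded expiry is passed as None, and that a request already expired at T is simply re-requested at the regular refresh rather than pulling the refresh earlier; the request names are constructed.

```python
from datetime import datetime, timedelta, timezone

# refresh_interval default documented on this page, in milliseconds
DEFAULT_REFRESH_INTERVAL_MS = 300000


def next_refresh_time(now, expiries, refresh_interval_ms=DEFAULT_REFRESH_INTERVAL_MS):
    """Return the time of the next cache refresh.

    With T = now, R = refresh interval and E = the earliest expiry among the
    outstanding credential release requests, the rule on this page is:
    refresh at E if T < E < T + R, otherwise at the regular time T + R.
    Requests with no expiry (None) and requests already expired at T
    (assumption: they are simply re-requested at the regular refresh)
    never pull the refresh earlier.
    """
    if refresh_interval_ms <= 0:
        raise ValueError("refresh_interval must be a positive number of milliseconds")
    regular = now + timedelta(milliseconds=refresh_interval_ms)
    upcoming = [e for e in expiries if e is not None and e > now]
    if not upcoming:
        return regular
    earliest = min(upcoming)
    return earliest if earliest < regular else regular


if __name__ == "__main__":
    # Constructed sample: three outstanding release requests at T = 12:00 UTC.
    t = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    requests = {
        "svc-backup": t + timedelta(minutes=2),    # inside the window -> refresh early
        "svc-monitor": t + timedelta(minutes=90),  # beyond T + R -> no effect
        "svc-legacy": None,                        # no expiry recorded
    }
    when = next_refresh_time(t, requests.values())
    print("next refresh at", when.isoformat())  # 12:02, not the regular 12:05
```

Note that the rule only ever moves a refresh earlier, never later: an expiry beyond T + R leaves the regular schedule in place, and the strict inequalities mean an expiry exactly at T + R coincides with the regular refresh anyway.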
password_safe\request_duration
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\request_duration
Default credential release request duration in minutes (default: 120). This is used to set the value of the DurationMinutes field in the body of a POST Requests or POST Aliases/{AliasId}/Requests request that is sent to the Password Safe API during a cache refresh, if the managed account or managed account alias does not have a DefaultReleaseDuration value set.
Type: DWORD or QWORD.
password_safe\request_reason
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\request_reason
Request reason (default: Secrets Cache Refresh; the legacy default was Password Cache Refresh). This is used to set the value of the Reason field in the body of a POST Requests or a POST Aliases/{AliasId}/Requests request that is sent to the Password Safe API during a cache refresh.
Type: String.
password_safe\rotation_policy
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\rotation_policy
Credential rotation policy:
- 0 - always rotate (default)
- 1 - rotate only if credentials are retrieved
- 2 - never rotate
This is used in the following situations:
- To set the value of the RotateOnCheckin field in the body of a POST Requests or a POST Aliases/{AliasId}/Requests request that is sent to the Password Safe API during a cache refresh.
- To decide whether to update a credential release request to rotate the credential on check-in or expiry when that credential is retrieved via the Secrets Cache REST API.
With policy 2 a credential served from the cache is not rotated when its request is checked in or expires, so a leaked copy stays valid until something else rotates it; prefer 0 or 1 unless the target system cannot tolerate rotation.
Type: DWORD.
password_safe\secrets_limit
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\secrets_limit
Maximum number of secrets to retrieve from Secrets Safe (default: 100000). This is used to set the value of the limit query parameter in the GET Secrets-Safe/Secrets request that is sent to the Password Safe API during a cache refresh. Secrets beyond this limit are not retrieved.
Type: DWORD.
password_safe\use_prev_creds
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BeyondTrust\PBPS\pspca_cfg\password_safe\use_prev_creds
Whether to return the previous credentials when the current credentials are unavailable at the time credentials are requested via the Secrets Cache REST API (default: 0 - no). Enabling this keeps clients working through a failed refresh, but may hand out a password that is no longer valid on the target.
Type: DWORD (0/1).
Linux
For the available options and their meanings, refer to the Windows section above. On Linux the options are stored as JSON in /etc/opt/pbps/pspca.conf. The example below shows how the options are entered in the file (the hostname psapi is an example value). If an option is not included, its default value is used.
{
  "LogFile": "/var/opt/pbps/log/pspca.log",
  "runuser": "nobody",
  "http_rest": {
    "listen_port": 443,
    "listen_host": "0.0.0.0"
  },
  "password_safe": {
    "host": "psapi",
    "http_timeout": 60,
    "managed_accounts_limit": 100000,
    "refresh_interval": 300000,
    "request_reason": "Secrets Cache Refresh",
    "rotation_policy": 0,
    "use_prev_creds": false
  }
}
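The following Python is an added example, not BeyondTrust's code: it reads a pspca.conf, fills in the defaults listed in the Windows section, flags the settings a security review would question (listen_host, http_timeout, rotation_policy, use_prev_creds), and builds the fields of the POST Requests body that request_duration, request_reason and rotation_policy control. The sample configuration, its hostname and the warning texts are constructed; the real API body has further fields that are omitted here, and the assumption that only rotation_policy 0 sets RotateOnCheckin at request time (policy 1 updating the request later, on retrieval) is the author's reading of the two bullet points above.

```python
import json

# Defaults documented on this page, applied for any key missing from pspca.conf
DEFAULTS = {
    "http_rest": {"listen_host": "0.0.0.0", "listen_port": 443},
    "password_safe": {
        "http_timeout": 60,
        "managed_accounts_limit": 100000,
        "refresh_interval": 300000,
        "request_duration": 120,
        "request_reason": "Secrets Cache Refresh",
        "rotation_policy": 0,
        "secrets_limit": 100000,
        "use_prev_creds": False,
    },
}

# Constructed sample of /etc/opt/pbps/pspca.conf containing several weak choices
SAMPLE_CONF = """{
  "LogFile": "/var/opt/pbps/log/pspca.log",
  "runuser": "nobody",
  "http_rest": { "listen_port": 8443 },
  "password_safe": {
    "host": "psapi.example.internal:443",
    "http_timeout": 0,
    "rotation_policy": 2,
    "use_prev_creds": true
  }
}"""


def load_conf(text):
    """Parse pspca.conf and fill in the documented defaults for absent keys."""
    conf = json.loads(text)
    merged = {k: v for k, v in conf.items() if k not in DEFAULTS}
    for section, defaults in DEFAULTS.items():
        merged[section] = {**defaults, **conf.get(section, {})}
    return merged


def lint_conf(conf):
    """Return the warnings a security review of the effective settings would raise."""
    warnings = []
    rest, ps = conf["http_rest"], conf["password_safe"]
    if rest["listen_host"] == "0.0.0.0":
        warnings.append("listen_host: 0.0.0.0 exposes the REST API on every "
                        "interface; use 127.0.0.1 unless remote clients need it")
    port = int(rest["listen_port"])  # the page allows a string or a number here
    if not 1 <= port <= 65535:
        warnings.append(f"listen_port: {port} is not a valid TCP port")
    if "host" not in ps:
        warnings.append("password_safe.host is not set; no Password Safe API to refresh from")
    if ps["http_timeout"] == 0:
        warnings.append("http_timeout: 0 waits indefinitely, so one hung API call stalls the refresh")
    if ps["rotation_policy"] not in (0, 1, 2):
        warnings.append(f"rotation_policy: {ps['rotation_policy']} is not 0, 1 or 2")
    elif ps["rotation_policy"] == 2:
        warnings.append("rotation_policy: 2 never rotates, so a credential read from the "
                        "cache stays valid after its request expires")
    if ps["use_prev_creds"] in (True, 1):
        warnings.append("use_prev_creds: previous credentials will be served when "
                        "current ones are unavailable")
    return warnings


def release_request_body(conf, default_release_duration=None):
    """Fields of the POST Requests (or POST Aliases/{AliasId}/Requests) body that
    this page says the settings control; other fields of the real API are omitted.
    DurationMinutes falls back to request_duration only when the managed account or
    alias has no DefaultReleaseDuration. Assumption: only rotation_policy 0 sets
    RotateOnCheckin at request time; policy 1 updates the request on retrieval."""
    ps = conf["password_safe"]
    duration = (default_release_duration if default_release_duration is not None
                else ps["request_duration"])
    return {
        "DurationMinutes": duration,
        "Reason": ps["request_reason"],
        "RotateOnCheckin": ps["rotation_policy"] == 0,
    }


if __name__ == "__main__":
    effective = load_conf(SAMPLE_CONF)
    for w in lint_conf(effective):
        print("WARN", w)
    print(json.dumps(release_request_body(effective), indent=2))
```

Run against a real file with load_conf(open("/etc/opt/pbps/pspca.conf").read()); the same checks apply to the Windows registry values, since the keys and defaults are identical.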