Configuration

To configure the cache, call Password Cache with the cfg options pspca cfg <args>.

# /opt/pbps/pspca cfg

Config:

  • Log File (log_file):
    • Windows: C:\Program Files\BeyondTrust\Password Cache\logs\pspca.log
    • Linux: /var/opt/pbps/log/pspca.log
  • Log Level (log_level): INFO
  • Password Safe:
    • Host (host): pbps_bi.example.com
    • API RunAS (username): psreq
    • API Key (key): ****************************
  • REST API Server: Listen Address (address): 0.0.0.0:443

Client API (Password Cache connections to Password Safe):

  • Certificate Validation (password_safe_verify): disabled
  • Ciphers List:
    • ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  • SSLv2: disabled
  • SSLv3: disabled
  • TLSv1: disabled
  • TLSv1.1: enabled
  • TLSv1.2: enabled

REST Server (API Client connections to Password Cache):

  • Certificate (cache_certificate): bi_client.example.com
    • Issuer: ca.company.com
    • Fingerprint: 96 47 18 4a db 25 d8 42 84 c4 ad e3 08 58 1f 1f ba 9a bc 91
  • Certificate Validation (cache_client_verify): disabled
  • Ciphers List:
    • ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  • SSLv2: disabled
  • SSLv3: disabled
  • TLSv1: disabled
  • TLSv1.1: enabled
  • TLSv1.2: enabled

Usage: cfg [options]

-L --log_file=<arg> Log File name
-l --log_level=<arg> Logging level (error, warning, info, debug, trace)
-h --host=<arg> Password Safe host[:port]
-a --address=<arg> Password Cache Listen Address[:port]
-u --username=<arg> <username> Password Safe API requestor username
-k --key=<arg> <key> Password Safe API Key
-c --client_certificate=<arg> Password Safe Client certificate file (pem)
-V --password_safe_verify=<arg> Password Safe certificate validation 0=no server validation 1=server validation required
-C --client_clear Clears the Password Safe client certificate

-T --password_safe_ca=<arg>

Trusted Password Safe CA certificate file(s) (pem)
-s --cache_certificate=<arg> Password Cache server certificate file (pem)
-v --cache_client_verify=<arg> Password Cache client certificate validation 0=no client validation 1=client validation required
-t --cache_client_trusted_ca=<arg> Password Cache trusted client CA certificate file(s) (pem)
-p --pem=<arg> PEM encoded private key for Password Safe or Cache certificate
-P --pem_passwd=<arg> PEM private key passphrase
--export=<arg> Export the Password Cache configuration
--import=<arg> Import the Password Cache configuration
--export_db=<arg> Export the Password Cache data
--import_db=<arg> Import the Password Cache data
--passwd=<arg> Password to be used to encrypt/decrypt the exported Password Cache configuration
-? --help Display this usage message

Examples

Configure the target Password Safe server that the Password Cache will communicate with:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg -u psreq -k 638AA550-37C4-7126-A9C1-22186D5A40A0 -h pbps_bi.example.com

Linux:

# /opt/pbps/pspca cfg -u psreq -k 638AA550-37C4-7126-A9C1-22186D5A40A0 -h pbps_bi.example.com

To validate the Password Safe Server Certificate, define a Trusted CA and require validation:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg -T password_safe_ca.pem -V 1

Linux:

# /opt/pbps/pspca cfg -T password_safe_ca.pem -V 1

To connect the Password Cache to the Password Safe REST API using the Client Certificate:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg -c client_cert.pem -p client_key.pem -P <pem_password>

Linux:

# /opt/pbps/pspca cfg -c client_cert.pem -p client_key.pem -P <pem_password>

To change the local configuration for logging and the listen port of the Password Cache:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg -L /var/log/pspca.log -l warning -a 0.0.0.0:8443

Linux:

# /opt/pbps/pspca cfg -L /var/log/pspca.log -l warning -a 0.0.0.0:8443

To provide custom settings for the Server Certificate used by the Password Cache REST interface:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg -s server_cert.pem -p server_key.pem -P <pem_password>

Linux:

# /opt/pbps/pspca cfg -s server_cert.pem -p server_key.pem -P <pem_password>

To require client certificates to be provided to the Password Cache REST interface using a defined Trusted Client CA and require validation:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg -t client_ca.pem -v 1

Linux:

# /opt/pbps/pspca cfg -t client_ca.pem -v 1

To export the Password Cache configuration for recovery and/or replicating the Cache:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg --export=cache_config.cfg --export_db=cache_data.cfg --passwd <secret>

Linux:

# /opt/pbps/pspca cfg --export=cache_config.cfg --export_db=cache_data.cfg --passwd <secret>

To import the Password Cache configuration for recovery and/or replicating the Cache:

Windows:

C:\Program Files\BeyondTrust\Password Cache\pspca.exe cfg --import=cache_config.cfg --import_db=cache_data.cfg --passwd <secret>

Linux:

# /opt/pbps/pspca cfg --import=cache_config.cfg --import_db=cache_data.cfg --passwd <secret>