Configuration
All configuration changes must be run from an elevated Command Shell or prompt.
To configure the cache, call Secrets Cache with the cfg options pspca cfg <args>.
# /opt/pbps/pspca cfg
Config:
- Log File (log_file):
- Windows: C:\Program Files\BeyondTrust\Secrets Cache\logs\pspca.log
- Linux: /var/opt/pbps/log/pspca.log
- Log Level (log_level): INFO
- Password Safe:
- Host (host): pbps_bi.example.com
- API RunAS (username): psreq
- API Key (key): ****************************
- REST API Server: Listen Address (address): 0.0.0.0:443
Client API (Secrets Cache connections to Password Safe):
- Certificate Validation (password_safe_verify): disabled
- Ciphers List:
- ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- SSLv2: disabled
- SSLv3: disabled
- TLSv1: disabled
- TLSv1.1: enabled
- TLSv1.2: enabled
REST Server (API Client connections to Secrets Cache):
- Certificate (cache_certificate): bi_client.example.com
- Issuer: ca.company.com
- Fingerprint: 96 47 18 4a db 25 d8 42 84 c4 ad e3 08 58 1f 1f ba 9a bc 91
- Certificate Validation (cache_client_verify): disabled
- Ciphers List:
- ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- SSLv2: disabled
- SSLv3: disabled
- TLSv1: disabled
- TLSv1.1: enabled
- TLSv1.2: enabled
Usage: cfg [options]
| -L --log_file=<arg> | Log File name |
| -l --log_level=<arg> | Logging level (error, warning, info, debug, trace) |
| -h --host=<arg> | Password Safe host[:port] |
| -a --address=<arg> | Secrets Cache Listen Address[:port] |
| -u --username=<arg> | <username> Password Safe API requestor username |
| -k --key=<arg> | <key> Password Safe API Key |
| -c --client_certificate=<arg> | Password Safe Client certificate file (pem) |
| -V --password_safe_verify=<arg> | Password Safe certificate validation 0=no server validation 1=server validation required |
| -C --client_clear | Clears the Password Safe client certificate |
|
-T --password_safe_ca=<arg> |
Trusted Password Safe CA certificate file(s) (pem) |
| -s --cache_certificate=<arg> | Secrets Cache server certificate file (pem) |
| -v --cache_client_verify=<arg> | Secrets Cache client certificate validation 0=no client validation 1=client validation required |
| -t --cache_client_trusted_ca=<arg> | Secrets Cache trusted client CA certificate file(s) (pem) |
| -p --pem=<arg> | PEM encoded private key for Password Safe or cache certificate |
| -P --pem_passwd=<arg> | PEM private key passphrase |
| --export=<arg> | Export the Secrets Cache configuration |
| --import=<arg> | Import the Secrets Cache configuration |
| --export_db=<arg> | Export the Secrets Cache data |
| --import_db=<arg> | Import the Secrets Cache data |
| --passwd=<arg> | Password to be used to encrypt/decrypt the exported Secrets Cache configuration |
| -? --help | Display this usage message |
Examples
Configure the target Password Safe server that the Secrets Cache will communicate with:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg -u psreq -k 638AA550-37C4-7126-A9C1-22186D5A40A0 -h pbps_bi.example.com
Linux:
# /opt/pbps/pspca cfg -u psreq -k 638AA550-37C4-7126-A9C1-22186D5A40A0 -h pbps_bi.example.com
To validate the Password Safe server certificate, define a trusted CA and require validation:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg -T password_safe_ca.pem -V 1
Linux:
# /opt/pbps/pspca cfg -T password_safe_ca.pem -V 1
To connect the Secrets Cache to the Password Safe REST API using the client certificate:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg -c client_cert.pem -p client_key.pem -P <pem_password>
Linux:
# /opt/pbps/pspca cfg -c client_cert.pem -p client_key.pem -P <pem_password>
To change the local configuration for logging and the listen port of the Secrets Cache:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg -L /var/log/pspca.log -l warning -a 0.0.0.0:8443
Linux:
# /opt/pbps/pspca cfg -L /var/log/pspca.log -l warning -a 0.0.0.0:8443
To provide custom settings for the server certificate used by the Secrets Cache REST interface:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg -s server_cert.pem -p server_key.pem -P <pem_password>
Linux:
# /opt/pbps/pspca cfg -s server_cert.pem -p server_key.pem -P <pem_password>
To require client certificates to be provided to the Secrets Cache REST interface using a defined trusted client CA and require validation:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg -t client_ca.pem -v 1
Linux:
# /opt/pbps/pspca cfg -t client_ca.pem -v 1
To export the Secrets Cache configuration for recovering and/or replicating the cache:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg --export=cache_config.cfg --export_db=cache_data.cfg --passwd <secret>
Linux:
# /opt/pbps/pspca cfg --export=cache_config.cfg --export_db=cache_data.cfg --passwd <secret>
To import the Secrets Cache configuration for recovering and/or replicating the cache:
Windows:
C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe cfg --import=cache_config.cfg --import_db=cache_data.cfg --passwd <secret>
Linux:
# /opt/pbps/pspca cfg --import=cache_config.cfg --import_db=cache_data.cfg --passwd <secret>
