Configuration
All configuration changes must be run from an elevated Command Shell or prompt.
To configure the cache, run Secrets Cache with the cfg command and its options: pspca cfg <args>.
# /opt/pbps/pspca cfg
Config:
- Log File (log_file):
- Windows: C:\Program Files\BeyondTrust\Secrets Cache\logs\pspca.log
- Linux: /var/opt/pbps/log/pspca.log
- Log Level (log_level): INFO
- Password Safe:
- Host (host): pbps_bi.example.com
- API RunAS (username): psreq
- API Key (key): ****************************
- REST API Server: Listen Address (address): 0.0.0.0:443
Client API (Secrets Cache connections to Password Safe):
- Certificate Validation (password_safe_verify): disabled
- Ciphers List:
- ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- SSLv2: disabled
- SSLv3: disabled
- TLSv1: disabled
- TLSv1.1: enabled
- TLSv1.2: enabled
REST Server (API Client connections to Secrets Cache):
- Certificate (cache_certificate): bi_client.example.com
- Issuer: ca.company.com
- Fingerprint: 96 47 18 4a db 25 d8 42 84 c4 ad e3 08 58 1f 1f ba 9a bc 91
- Certificate Validation (cache_client_verify): disabled
- Ciphers List:
- ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- SSLv2: disabled
- SSLv3: disabled
- TLSv1: disabled
- TLSv1.1: enabled
- TLSv1.2: enabled
Usage: cfg [options]
-L --log_file=<arg> | Log File name |
-l --log_level=<arg> | Logging level (error, warning, info, debug, trace) |
-h --host=<arg> | Password Safe host[:port] |
-a --address=<arg> | Secrets Cache Listen Address[:port] |
-u --username=<arg> | <username> Password Safe API requestor username |
-k --key=<arg> | <key> Password Safe API Key |
-c --client_certificate=<arg> | Password Safe Client certificate file (pem) |
-V --password_safe_verify=<arg> | Password Safe certificate validation 0=no server validation 1=server validation required |
-C --client_clear | Clears the Password Safe client certificate |
-T --password_safe_ca=<arg> | Trusted Password Safe CA certificate file(s) (pem) |
-s --cache_certificate=<arg> | Secrets Cache server certificate file (pem) |
-v --cache_client_verify=<arg> | Secrets Cache client certificate validation 0=no client validation 1=client validation required |
-t --cache_client_trusted_ca=<arg> | Secrets Cache trusted client CA certificate file(s) (pem) |
-p --pem=<arg> | PEM encoded private key for Password Safe or cache certificate |
-P --pem_passwd=<arg> | PEM private key passphrase |
--export=<arg> | Export the Secrets Cache configuration |
--import=<arg> | Import the Secrets Cache configuration |
--export_db=<arg> | Export the Secrets Cache data |
--import_db=<arg> | Import the Secrets Cache data |
--passwd=<arg> | Password to be used to encrypt/decrypt the exported Secrets Cache configuration |
-? --help | Display this usage message |
Examples
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg -u psreq -k 638AA550-37C4-7126-A9C1-22186D5A40A0 -h pbps_bi.example.com
Linux:
# /opt/pbps/pspca cfg -u psreq -k 638AA550-37C4-7126-A9C1-22186D5A40A0 -h pbps_bi.example.com
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg -T password_safe_ca.pem -V 1
Linux:
# /opt/pbps/pspca cfg -T password_safe_ca.pem -V 1
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg -c client_cert.pem -p client_key.pem -P <pem_password>
Linux:
# /opt/pbps/pspca cfg -c client_cert.pem -p client_key.pem -P <pem_password>
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg -L /var/log/pspca.log -l warning -a 0.0.0.0:8443
Linux:
# /opt/pbps/pspca cfg -L /var/log/pspca.log -l warning -a 0.0.0.0:8443
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg -s server_cert.pem -p server_key.pem -P <pem_password>
Linux:
# /opt/pbps/pspca cfg -s server_cert.pem -p server_key.pem -P <pem_password>
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg -t client_ca.pem -v 1
Linux:
# /opt/pbps/pspca cfg -t client_ca.pem -v 1
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg --export=cache_config.cfg --export_db=cache_data.cfg --passwd <secret>
Linux:
# /opt/pbps/pspca cfg --export=cache_config.cfg --export_db=cache_data.cfg --passwd <secret>
Windows:
"C:\Program Files\BeyondTrust\Secrets Cache\pspca.exe" cfg --import=cache_config.cfg --import_db=cache_data.cfg --passwd <secret>
Linux:
# /opt/pbps/pspca cfg --import=cache_config.cfg --import_db=cache_data.cfg --passwd <secret>
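The pspca cfg output shown at the top of this page reports certificate validation as disabled and TLSv1.1 as enabled on both TLS endpoints. The following is an added example, not BeyondTrust code, that parses that output and lists such settings per endpoint. The sample text is constructed by trimming the output above, and the policy (which settings to flag) is this example's assumption.

```python
import re

# Constructed sample, trimmed from the `pspca cfg` output shown on this page.
SAMPLE = """\
Config:
- Log Level (log_level): INFO
- REST API Server: Listen Address (address): 0.0.0.0:443
Client API (Secrets Cache connections to Password Safe):
- Certificate Validation (password_safe_verify): disabled
- SSLv3: disabled
- TLSv1: disabled
- TLSv1.1: enabled
- TLSv1.2: enabled
REST Server (API Client connections to Secrets Cache):
- Certificate Validation (cache_client_verify): disabled
- TLSv1.1: enabled
- TLSv1.2: enabled
"""

# The policy below is this example's assumption, not a vendor rule.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
VERIFY_KEYS = {"password_safe_verify", "cache_client_verify"}
SECTION = re.compile(r"^(Client API|REST Server)\b")
SETTING = re.compile(r"^-\s*(.+?):\s*(\S+)\s*$")
KEY = re.compile(r"\((\w+)\)$")

def audit(text):
    """Return (section, setting, value) for each setting the policy flags."""
    findings, section = [], "Config"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)  # protocol lines repeat per TLS endpoint
            continue
        m = SETTING.match(line)
        if not m:
            continue  # headings, multi-word values, blank lines
        name, value = m.groups()
        key = KEY.search(name)
        setting = key.group(1) if key else name
        if setting in VERIFY_KEYS and value == "disabled":
            findings.append((section, setting, value))
        elif setting in LEGACY_PROTOCOLS and value == "enabled":
            findings.append((section, setting, value))
        elif setting == "address" and value.startswith("0.0.0.0"):
            findings.append((section, setting, value))  # bound to all interfaces
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

To check a live host, pass the captured output of pspca cfg to audit() in place of SAMPLE.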