Create a New Application Platform

Custom application platforms leverage the custom platform functionality, with the added capability of providing an intermediary target (application host) for the custom platform using a script-based approach to managing accounts on application servers specific or customized to your environment.

Custom application platforms only support SSH; Telnet is not supported.

Screenshot of managed system properties highlighting the Allow Managed System to be an Application Host setting.

Prior to creating a new application platform, you must configure a managed system to be an application host by enabling the Allow Managed System to be an Application Host setting in its properties. The application host is the managed system where the scripts for the application are run.

Once a managed system is configured as an application host, other managed systems can be configured to use it, as indicated by the Associated Managed Systems indicator. You cannot disable the Allow Managed System to be an Application Host setting if other managed systems are currently configured to use this application host.

 

To create the new application platform, follow the following steps:

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management > Custom Platforms.

Screenshot of Create New Application Platform and Actions button on the Custom Platforms page in Password Safe

  1. In the Custom Platforms pane, click Create New Custom Platform, and then select Create New Application Platform.

 

  1. Configure the settings on the Options, Steps, and Check/Change Password tabs as detailed in the following sections.

Configure the Options Tab

Sceenshot of configuring the Options tab to create a custom applicationn platform in Password Safe.

  • Platform Name: Enter a name for the custom platform. The given name appears in the Platform lists throughout BeyondInsight and Password Safe and must be unique. Platform names cannot be changed after they have been created.
  • Platform ID and Platform Type are assigned by the system and cannot be entered or edited.
  • Active: Check this option to make the platform active in BeyondInsight and Password Safe.
  • Enable Login Account: Check this option to display the Use Login Account for SSH Sessions option under the Credentials section in the settings for a managed system. Use this feature when an account other than the functional account is used to log in to the managed system.
  • Enable Account Name Format: Check this option to display the Account Name Format dropdown under the Credentials section in the settings for a managed system.
  • Enable Account Elevation: Check this option if you want to select an Elevation Command.
  • Elevation Command: Select an elevation command from the list to enable the option to elevate the functional account permissions on a managed system. The following elevation command types are supported:
    • sudo
    • pbrun
    • pmrun
    • pbrun jumphost

Configure the StepsTab

The Steps tab is configured in the same way as it is for all custom platforms. However, for application platforms there are 6 additional fields available for Expect statements, as follows:

  • Address
  • App Host Functional Account Keypass
  • App Host Functional Account Key
  • App Host Functional Account Name
  • App Host Functional Account Password
  • Port

Configure the Check/Change Password Tab

Screenshot of the Check/Change Password tab highlighting the Application Host dropdown, when creating a new custom application platform.

The Check/Change Password tab is configured in the same way as it is for all custom platforms; however, you must also select an Application Host.

 

 

Screenshot of selecting a custom application platform and application host in the properties of a managed system.

Once your custom application platform has been created, you can configure a managed system to use it by selecting it from the Platform dropdown. Also select the Application Host for this manged system. When Password Safe rotates or checks a password for an account that exists on this managed system, it connects to the application host and then runs the steps as defined on the Steps tab for this custom application platform instance.