Integrate Password Safe with BeyondInsight for Unix & Linux

Use Password Safe to Manage Credentials

You can use Password Safe to manage credentials. Then, when you run actions on your hosts, passwords are retrieved from Password Safe at runtime rather than stored locally.

This section describes how to configure Password Safe within the console.

For more information on configuring Password Safe, please see BeyondTrust Password Safe Guides.

Configure Password Safe

Configure the settings for the Password Safe server. To configure the Password Safe integration:

BeyondInsight for Unix & Linux and Password Safe integration settings

  1. In the console, select the Settings menu.
  2. Click Integration.
  3. Enter the following information:
    • Password Safe Server: The location of the Password Safe server. This should not have a trailing slash. For example, https://pbps_server.
    • API Key: The API key generated in BeyondInsight.
    • RunAs User: The BeyondInsight account under which the requests will be made. This Password Safe user must be in a User Group with API access and with an access policy that has auto-approve enabled for access.
    • Description: A text entry to provide any additional details (optional).
    • Verify certificate: Disabling this option bypasses certificate validation, so the console does not verify the identity of the Password Safe server it connects to.
  4. Click Test Settings to ensure the connection works. This is optional.
  5. Click Save Settings.
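
A pre-flight check for the Password Safe Server value and the Verify certificate option, as an added example that is not part of the BeyondTrust documentation or product; the function names are hypothetical. It applies the no-trailing-slash rule above, treats a non-HTTPS scheme as a problem (an assumption based on the page's example URL), and tests whether the server certificate validates so that Verify certificate can stay enabled.

```python
import socket
import ssl
from urllib.parse import urlsplit


def check_server_setting(url):
    """Return a list of problems with a 'Password Safe Server' value (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: the page's example uses https://
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("no host name")
    if url.endswith("/"):
        problems.append("trailing slash")
    elif parts.path:
        problems.append("unexpected path")
    if parts.query or parts.fragment:
        problems.append("unexpected query or fragment")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    return problems


def certificate_verifies(url, timeout=5.0):
    """Handshake with full chain and host-name validation.

    Returns (True, "") if the server certificate verifies against the local
    trust store, else (False, reason). Needs network access to the server.
    """
    parts = urlsplit(url)
    context = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=parts.hostname):
                return True, ""
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample values; https://pbps_server is the page's own example.
    for value in ("https://pbps_server", "https://pbps_server/", "http://pbps_server"):
        print(value, "->", check_server_setting(value) or "ok")
```

The result of certificate_verifies reflects the trust store of the machine where it runs, so run it from the host that will connect to Password Safe.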

Import Password Safe Managed Accounts

A Password Safe managed account must be imported as a BeyondInsight for Unix & Linux credential.

Password Safe account details such as username and password cannot be changed in BIUL. These details are read-only values. The password is managed by Password Safe and retrieved dynamically.

To import a managed account:

  1. In the console, go to Hosts > Credentials.
  2. Click Add Credential and select Import from Password Safe.
  3. Select the managed accounts from the list of results the console can access and click Import Selected. The managed accounts can be filtered by Username and Description. Imported accounts are displayed on the Credentials page.

A status 200 might be displayed if the selected managed account already exists as a console credential.

The following example gives a high-level configuration and is provided only as an overview.

In this example, the goal is to use an account called biul_user on a host at 10.100.10.10 to perform a Profile Servers action. BeyondInsight/Password Safe is running at https://my_pbps.
  1. Enable biul_user in the Password Safe API.
    • In BeyondInsight, add the 10.100.10.10 asset if required, then choose the Add/ Edit Password Safe option for 10.100.10.10 in the Assets grid.
    • On the Local Accounts tab, select Add then provide the details for biul_user. Ensure the Enable for API Access option is selected.
  2. Get an API Key and whitelist BeyondInsight for Unix & Linux:
    • In BeyondInsight, go to Configure > Password Safe > Application API Registration.
    • Create a new registration.
    • Add the BeyondInsight for Unix & Linux IP address to the source addresses list.
    • Disable the certificate required option.
    • An API key will be generated when the registration is saved. This key will be used in the console.
  3. Configure an Access Policy in BeyondInsight:
    • Go to Configure > Password Safe > Access Policies.
    • Create a policy.
    • In the Access section, ensure Approvers is set to auto-approve.
  4. Configure an API User Group in BeyondInsight:
    • Go to Configure > Accounts.
    • Create a group. Ensure Enable API Application is selected and the registered application is selected.
    • In Smart Rules, select the Roles option for the All Managed Accounts rule.
    • Choose Requestor under Password Safe.
    • Select the access policy created earlier as the access policy.
  5. Create an API User in BeyondInsight:
    • Go to Configure > Accounts, and add an account. Ensure it belongs to the group created earlier.
  6. Configure Password Safe in BeyondInsight for Unix & Linux:
    • Go to Settings > Integration.
    • Enter the details for the Password Safe server. The API Key was obtained in step 2 and the RunAs User is the account created in step 5. The URL would be https://my_pbps.
  7. Add biul_user to BeyondInsight for Unix & Linux:
    • Go to Hosts > Credentials.
    • Click Add Credential and select Import from Password Safe.
    • In the list, select biul_user.
    • Click Import Selected. The imported account is displayed on the Credentials page.
  8. Use the biul_user in the console:
    • From the Hosts > Host Inventory page, choose Perform an Action > Profile Servers, select a host, and select Perform Host Actions from the menu.
    • Select Privilege Management for Unix and Linux, and then select Profile.
    • On the Credential Management page, select the biul_user.
    • Go through the remaining pages on the Perform Host Actions wizard.