Integrate Password Safe with BIUL

Use Password Safe to Manage Credentials

You can use Password Safe to manage credentials. When you run actions on your hosts, passwords are then retrieved from Password Safe at runtime rather than stored locally.

This section provides Password Safe configuration information within the console.

For more information on configuring Password Safe, see BeyondTrust Password Safe Guides.

Configure Password Safe

Configure the settings for the Password Safe server. To configure the Password Safe integration:

  1. In the console, select the Settings menu.
  2. Click Integration.
  3. Enter the following information:
    • Password Safe Server: The location of the Password Safe server. Do not add a trailing slash. For example, https://pbps_server.
    • API Key: The API key generated in BeyondInsight.
    • RunAs User: The BeyondInsight account under which the requests will be made. This Password Safe user must be in a User Group with API access and with an access policy that has auto-approve enabled for access.
    • Description: A text entry to provide any additional details (optional).
    • Verify certificate: Disabling this option bypasses certificate validation.
  4. (Optional) To ensure the connection works, click Test Settings.
  5. Click Save Settings.
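
The following pre-flight check is an added example, not BeyondTrust code. It validates a Password Safe Server value and attempts a TLS handshake with full certificate validation, so that a certificate problem can be fixed and Verify certificate left enabled. The function names, the optional CA bundle argument, and the assumption that the console performs standard chain and host name validation are illustrative.

```python
# Added example: pre-flight check for the Password Safe Server value.
import socket
import ssl
import sys
from urllib.parse import urlsplit


def check_server_url(url):
    """Return a list of problems with a Password Safe Server value."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host name")
    if url.endswith("/"):
        problems.append("trailing slash")
    return problems


def check_tls(url, cafile=None, timeout=5.0):
    """Attempt a TLS handshake with chain and host name validation.

    Assumption: this stands in for what the console does with Verify
    certificate enabled. cafile is an optional PEM bundle for an internal
    CA; when given, only that bundle is trusted. Returns (ok, detail).
    """
    parts = urlsplit(url)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((parts.hostname, parts.port or 443),
                                      timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except OSError as exc:
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    # Usage: python3 check_pbps.py https://my_pbps [ca_bundle.pem]
    url = sys.argv[1]
    issues = check_server_url(url)
    ok, detail = (False, "URL not checked") if issues else check_tls(url, *sys.argv[2:3])
    print("URL problems:", issues or "none")
    print("TLS validation:", "passed" if ok else "FAILED", "-", detail)
    sys.exit(0 if ok else 1)
```

A "certificate rejected" result names the reason (for example an untrusted issuer or a host name mismatch), which is what needs correcting on the Password Safe server or in the trust store.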

Import Password Safe Managed Accounts

A Password Safe managed account must be imported as a BeyondInsight for Unix & Linux (BIUL) credential.

Password Safe account details such as username and password cannot be changed in BIUL. These details are read-only values. The password is managed by Password Safe and retrieved dynamically.

To import a managed account:

  1. In the console, go to Hosts > Host Credentials.
  2. Click Manage Credentials and select Import from Password Safe.
  3. Select the managed accounts from the list of results the console can access and click Import Selected. You can filter the managed accounts by Username and Description. Imported accounts are displayed on the Credentials page.

A status 200 might be displayed if the selected managed account already exists as a console credential.

The following example shows a high-level configuration and is provided only as an overview.

In this example, the goal is to use an account called biul_user on a host at 10.100.10.10 to perform a Profile Servers action. BeyondInsight/Password Safe is running at https://my_pbps.

  1. Enable biul_user in the Password Safe API.
    • In BeyondInsight, add the 10.100.10.10 asset if required, and then choose the Add/Edit Password Safe option for 10.100.10.10 in the Assets grid.
    • On the Local Accounts tab, select Add, and then provide the details for biul_user. Ensure the Enable for API Access option is selected.
  2. Get an API Key and whitelist BeyondInsight for Unix & Linux:
    • In BeyondInsight, go to Configure > Password Safe > Application API Registration.
    • Create a new registration.
    • Add the BIUL IP address to the source addresses list.
    • Disable the certificate required option.
    • An API key is generated when the registration is saved. This key is used in the console.
  3. Configure an Access Policy in BeyondInsight:
    • Go to Configure > Password Safe > Access Policies.
    • Create a policy.
    • In the Access section, ensure Approvers is set to auto-approve.
  4. Configure an API User Group in BeyondInsight:
    • Go to Configure > Accounts.
    • Create a group. Ensure Enable API Application is selected and the registered application is selected.
    • In Smart Rules, select the Roles option for the All Managed Accounts rule.
    • Choose Requestor under Password Safe.
    • Select the access policy created earlier as the access policy.
  5. Create an API User in BeyondInsight:
    • Go to Configure > Accounts, and add an account. Ensure it belongs to the group created earlier.
  6. Configure Password Safe in BIUL:
    • Go to Settings > Integration.
    • Enter the details for the Password Safe server. The API Key was obtained in step 2 and the RunAs User is the account created in step 5. The URL would be https://my_pbps.
  7. Add biul_user to BIUL:
    • Go to Hosts > Credentials.
    • Click Add Credential and select Import from Password Safe.
    • In the list, select biul_user.
    • Click Import Selected. The imported account is displayed on the Credentials page.
  8. Use the biul_user in the console:
    • From the Hosts > Host Inventory page, choose Perform an Action > Profile Servers, select a host, and select Perform Host Actions from the menu.
    • Select Endpoint Privilege Management for Unix and Linux, and then select Profile.
    • On the Credential Management page, select the biul_user.
    • Go through the remaining pages on the Perform Host Actions wizard.