Add a custom platform in Password Safe Cloud
On the Custom Platforms page, you can add SSH and Telnet platforms, as well as SSH application platforms, tailored to your environment. Password Safe contains several built-in SSH and Telnet platforms designed for the most common configurations, such as Linux, Solaris, and Cisco. You can modify the details of built-in custom platforms to meet the needs of your environment. You can create new custom platforms for advanced configurations that are not supported by the built-in platforms, or for a platform that is currently not supported by Password Safe. You can also create new custom platforms by cloning a built-in or user-created custom platform.
All custom platforms work in the same way: by connecting to a remote SSH or Telnet server and waiting for a response. Once a response is received, a regular expression is evaluated against the response and the platform replies with a command that starts the process of changing a password on the relevant system.
Create a new platform
- In the BeyondInsight Console, go to Configuration > Privileged Access Management > Custom Platforms.
- In the Custom Platforms pane, click Create New Custom Platform, and then select Create New Platform.
  Alternatively, click the vertical ellipsis button for a platform in the list, and then select Clone to clone an existing platform and modify its settings as desired.
- Configure the settings on the Options, Steps, and Check/Change Password tabs as detailed in the following sections.
Configure the Options tab
- Platform Name: Enter a name for the custom platform. The given name appears in the Platform lists throughout BeyondInsight and Password Safe and must be unique. Platform names cannot be changed after they have been created.
- Platform ID and Platform Type are assigned by the system and cannot be entered or edited.
- Active: Check this option to make the platform active in BeyondInsight and Password Safe.
- Enable Login Account: Check this option to display the Use Login Account for SSH Sessions option under the Credentials section in the settings for a managed system. Use this feature when an account other than the functional account is used to log in to the managed system.
- Enable Account Name Format: Check this option to display the Account Name Format dropdown under the Credentials section in the settings for a managed system.
- Communications Protocol: Indicate if the custom platform uses Telnet or SSH.
- Port: Use the default port of 22 for SSH or 23 for Telnet. Optionally, enter a port to test the settings.
- Template Fields and Scripting:
  - Prompt regex: Regular expression that evaluates to the shell prompt of the remote system; for example, ~ ]#.
  - Config prompt regex and Elevated prompt regex: These two regular expressions are mainly meant for network appliances that have multiple prompts, depending on a mode.
  - End of line: The end of line field specifies how the platform indicates to the SSH or Telnet server that it is sending a command. The default is the carriage return character (\r).
  - Exit Command: Leave the default command as exit, or specify a new command for the platform to exit SSH or Telnet.
  - Password command: Enter the command to change the password.
- Enable Account Elevation: Check this option if you want to select an Elevation Command.
- Elevation Command: Select an elevation command from the list to enable the option to elevate the functional account permissions on a managed system. The following elevation command types are supported:
  - sudo
  - pbrun
  - pmrun
  - pbrun jumphost
- Enable Jump Host: If you use the elevation command pbrun jumphost, you can configure the Privilege Management for Unix & Linux policy server host name to connect to. Check this option to enable the jump host, and then enter the policy server host name details when configuring the Check Password options on the Check/Change Password tab.
- Enable Cisco Enable Password: Check this option to display the Change Enable Password option on the Functional Account tab under Advanced Details for a Cisco managed system.
Configure the Steps tab
From the Steps tab, define the responses that you expect from the server and the replies the platform sends. The options include two groups: After Login and Error Handling.
- On the Steps tab, select the Step Type from the list. The template for expect statements changes depending on which of the following types is chosen:
  - Change Password: Manually changes the password for the custom platform.
  - Check Password: Tests the password by attempting a logon.
  - Replace Public Key: Runs a script to replace the public key.
- Use the default statement group to start the custom platform. Additional statements and statement groups can be created as required.
  - To create a new statement, click Add New Statement + at the bottom of an existing statement group.
  - To delete a statement, click the X at the right end of the Expect statement line.
  - To create a new statement group, click Add New Statement Group + at the bottom of the last statement group.
  - To delete a statement group, click the X at the right end of the statement group name.
  - To edit the name of the statement group, hover the cursor over the group name, click in the field, and then enter the name.
- Enter an Expect statement. There are two ways to populate the Expect field:
  - Type text or a regular expression in the field.
  - Use a template field variable: Click in the field, enter <<, and then select a template from the list.
- Enter a Response statement. There are two ways to populate the Response field:
  - Type text or a regular expression in the field.
  - Use a template field variable: Click in the field, enter <<, and then select a template from the list.
- The Response type can be changed by selecting an option from the Send Response dropdown list. If goto is selected, you need to select a statement group from the resulting list.
- Error Handling is enabled by default. Uncheck this option if error handling is not required. If error handling is required, ensure an error message is entered in the Expect statement for Error Handling.
- The order of statement processing can be changed by clicking the Up or Down icons at the left of each Expect statement.
The following is an explanation of the functionality for each setting on the Steps tab, using a Linux platform as an example:
- Error Handling: The error handling check ensures that when a response comes in, all of the statements in the Error Handling section are evaluated first, before the After Login statements such as Enter your reason for login. For example, when the platform connects to the remote SSH server, the SSH server replies with:
Welcome to Linux Mint * Documentation: http://www.linuxmint.com Last login: Mon Apr 13 10:45:51 2015 from dev-machine Enter your reason for login:
The platform tries to find a match, in the following order:
  - BADCOMMAND
  - Usage:
  - BAD PASSWORD
  - Enter your reason for login:
If a match is found for Enter your reason for login, the platform replies with changing password. The platform then expects the SSH server to send back the shell prompt, and the platform replies with passwd MANACCTNAME.
When the platform communicates with the remote server, it replaces the tags with data. In the image shown, MANACCTNAME is replaced by the managed account associated with the platform. These are template field variables that are inserted into the Expect box and Response box. If you have a prompt defined on the Options tab as ~]$, the platform converts the tag PROMPT to this value when it evaluates the regular expressions.
- Expect Statement: We recommend that you include the prompt in the regex of the Expect field to ensure the platform waits until all the data from the previous command is read from the target system before proceeding to the next statement.
The final Expect statement expects all authentication tokens updated successfully, and its response is finish with success. When you create a custom platform, you must be able to detect when a password has been successfully changed on the remote server. When you have detected this event, you must set the Action dropdown to finish with success.
- Goto statements: The flow jumps to the group specified by the goto statement. Flow does not return to the original group. If a group is to be used as a goto target, it should be designed such that the intended task of the platform is completed there.
Configure the Check/Change Password tab
Once you complete the fields on the Check/Change Password tab, Password Safe runs the credentials: it logs in to the host using the managed account name and follows the configuration provided on the Steps tab.
- Select the Host from the dropdown.
- If you use the elevated credential pbrun jumphost, enter the IP address for the PBUL policy server in the Jumphost field.
Note
Ensure the Enable Jump Host box is checked on the Options tab. Otherwise, the Jumphost field is not displayed on the Check/Change Password tab.
- Use the default port for SSH or Telnet. Optionally, enter a port to test the settings.
- Provide the details for the Functional Account Credentials.
- In the Elevation Command field, enter an elevated account such as sudo or sudoer to elevate the functional account permissions.
- Provide Managed Account Credentials and a new password.
- Click Change Password or Check Password, as applicable.
- When the test returns a successful connection, go to the Options tab, check the Active box, and then click Create Platform.
Create a new application platform
Custom application platforms build on the custom platform functionality, adding an intermediary target (the application host) on which scripts are run to manage accounts on application servers that are specific or customized to your environment.
Note
Custom application platforms only support SSH; Telnet is not supported.
Prior to creating a new application platform, you must configure a managed system to be an application host by enabling the Allow Managed System to be an Application Host setting in its properties. The application host is the managed system where the scripts for the application are run.
Note
Once a managed system is configured as an application host, other managed systems can be configured to use it, as indicated by the Associated Managed Systems indicator. You cannot disable the Allow Managed System to be an Application Host setting if other managed systems are currently configured to use this application host.
To create the new application platform, follow these steps:
- In the BeyondInsight Console, go to Configuration > Privileged Access Management > Custom Platforms.
- In the Custom Platforms pane, click Create New Custom Platform, and then select Create New Application Platform.
- Configure the settings on the Options, Steps, and Check/Change Password tabs as detailed in the following sections.
Configure the Options tab
- Platform Name: Enter a name for the custom platform. The given name appears in the Platform lists throughout BeyondInsight and Password Safe and must be unique. Platform names cannot be changed after they have been created.
- Platform ID and Platform Type are assigned by the system and cannot be entered or edited.
- Active: Check this option to make the platform active in BeyondInsight and Password Safe.
- Enable Login Account: Check this option to display the Use Login Account for SSH Sessions option under the Credentials section in the settings for a managed system. Use this feature when an account other than the functional account is used to log in to the managed system.
- Enable Account Name Format: Check this option to display the Account Name Format dropdown under the Credentials section in the settings for a managed system.
- Enable Account Elevation: Check this option if you want to select an Elevation Command.
- Elevation Command: Select an elevation command from the list to enable the option to elevate the functional account permissions on a managed system. The following elevation command types are supported:
  - sudo
  - pbrun
  - pmrun
  - pbrun jumphost
Configure the Steps tab
The Steps tab is configured in the same way as it is for all custom platforms. However, for application platforms there are six additional fields available for Expect statements, as follows:
- Address
- App Host Functional Account Keypass
- App Host Functional Account Key
- App Host Functional Account Name
- App Host Functional Account Password
- Port
Configure the Check/Change Password tab
The Check/Change Password tab is configured in the same way as it is for all custom platforms; however, you must also select an Application Host.
Once your custom application platform has been created, you can configure a managed system to use it by selecting it from the Platform dropdown. Also select the Application Host for this managed system. When Password Safe rotates or checks a password for an account that exists on this managed system, it connects to the application host and then runs the steps as defined on the Steps tab for this custom application platform instance.
Export or import a custom platform
Export a custom platform
Exporting a custom platform can assist you with troubleshooting.
- In the BeyondInsight Console, go to Configuration > Privileged Access Management > Custom Platforms.
- Click the Actions (vertical ellipsis) button for the platform you wish to export, and then select Export.
- Save the XML file.
Import a custom platform or application platform
- In the BeyondInsight Console, go to Configuration > Privileged Access Management > Custom Platforms.
- In the Custom Platforms pane, click Create New Custom Platform.
- Select Import Platform (XML).
- Locate and select the exported platform file. If the platform currently exists, it modifies the existing platform. If the platform does not currently exist, a new custom platform is added.
Example
Linux Platform
In this short synopsis of the Linux platform, you can see how it works by expecting data and responding to the data based on the evaluation of regular expressions. It examines the output of each command to determine if an error occurred or if it can continue sending replies to the server.
- Platform establishes a connection to the remote SSH server with the provided credentials.
- SSH server replies with:
Welcome to Linux Mint * Documentation: http://www.linuxmint.com Last login: Mon Apr 13 10:45:51 2015 from dev-machine dev@dev-machine ~ ]#
- The platform evaluates a regular expression, looking for the shell prompt "~]#", and replies with the passwd command for the specified managed account.
passwd managedaccount complexpassword
- If the arguments passed to the passwd command are valid, the server replies with:
Enter new Unix Password:
- The platform waits for the server’s response and evaluates a regular expression, looking for Enter new Unix Password.
- If the response is not Enter new Unix Password, the platform waits for other possible responses such as User does not exist.
- If one of those error regular expressions evaluates to true, the platform exits with an error.
- If the regular expression Enter new Unix Password evaluates to true, the platform replies with the new password.
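The expect/response flow described on the Steps tab (Error Handling statements evaluated first, template tags such as <<PROMPT>> and <<MANACCTNAME>> expanded, goto between statement groups, finish with success) and the Linux example above, modelled as an added Python simulation; this is not Password Safe code. The statement tables, template values and server transcript are constructed, and the goto semantics (the same reply is re-evaluated in the target group) is an assumption.

```python
import re

# Template field values as configured on the Options tab (constructed for this example).
TEMPLATE = {"PROMPT": r"~ \]#", "MANACCTNAME": "managedaccount", "NEWPASSWORD": "complexpassword"}

def expand(text):
    """Replace <<NAME>> template tags with their configured values."""
    return re.sub(r"<<(\w+)>>", lambda m: TEMPLATE[m.group(1)], text)

# Statements are (expect regex, action, response). Error Handling statements are
# evaluated before the current group's statements on every server reply.
ERROR_HANDLING = [(r"BADCOMMAND", "error", "bad command"), (r"Usage:", "error", "bad usage"),
                  (r"BAD PASSWORD", "error", "password rejected"), (r"User does not exist", "error", "no such account")]
GROUPS = {
    "After Login": [
        (r"Enter your reason for login:", "send", "changing password"),
        (r"<<PROMPT>>", "goto", "Change Password"),
    ],
    "Change Password": [
        (r"<<PROMPT>>", "send", "passwd <<MANACCTNAME>>"),
        (r"Enter new Unix Password:", "send", "<<NEWPASSWORD>>"),
        (r"Retype new Unix Password:", "send", "<<NEWPASSWORD>>"),
        (r"all authentication tokens updated successfully", "finish with success", ""),
    ],
}

def run_platform(server_replies, group="After Login", error_handling=True):
    """Drive the expect/response flow over scripted server replies; returns (status, sent responses)."""
    sent = []
    for reply in server_replies:
        while True:  # a goto re-evaluates the same reply in the target group (assumption)
            statements = (ERROR_HANDLING if error_handling else []) + GROUPS[group]
            hit = next((s for s in statements if re.search(expand(s[0]), reply)), None)
            if hit is None:
                return ("error: no Expect statement matched", sent)
            _, action, response = hit
            if action != "goto":
                break
            group = response  # flow jumps and does not return to the original group
        if action == "error":
            return ("error: " + response, sent)
        if action == "finish with success":
            return ("success", sent)
        sent.append(expand(response))
    return ("error: server stopped responding", sent)

# Constructed transcript following the Linux example on this page.
LINUX_SESSION = ["Welcome to Linux Mint\nLast login: Mon Apr 13 10:45:51 2015\nEnter your reason for login:",
                 "dev@dev-machine ~ ]# ", "Enter new Unix Password:", "Retype new Unix Password:",
                 "passwd: all authentication tokens updated successfully"]
```

Swapping the last transcript line for a BAD PASSWORD or User does not exist reply shows the Error Handling group short-circuiting the flow, and disabling error handling shows why an unmatched error reply otherwise leaves the platform with no matching Expect statement.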