Veritas
Custom platform for PowerShell script – password rotation
Prerequisite: Enable optional OpenSSH on Windows
Note: For information on getting started with OpenSSH for Windows, see Get started with OpenSSH for Windows.
Note: After enabling OpenSSH on Windows, use a terminal tool like PuTTY to confirm that OpenSSH is operational, and to test the Password Safe functional account access.
- Under Configuration > Privileged Access Management > Custom Platforms, clone the built-in Linux custom platform and deploy a new custom platform.
- Add |(>) to Prompt regex.
- Under Steps, select Change Password as the Step Type and keep only the send response for PowerShell script. Add the command to execute the PowerShell script on the Enterprise Vault server.
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -File "C:\Program Files (x86)\Enterprise Vault\PowerShellScripts\SetEVServiceAccountPassword.ps1" <<manacctnewpwd>> {-saveInDatabase:false}
- Add success and failure messages to match for success and failure of password rotation in BeyondTrust Password Safe. Click Save or Update Platform.
- Success message to expect: Successfully updated Enterprise Vault service account password
- Failure message to expect: Script execution failed due to an exception mentioned below
- Go to Managed Systems. Create a new managed system using the new custom platform and ensure it points to the IP address of the actual Enterprise Vault server on which the integration PowerShell script needs to be invoked.
Note
- The script needs to be executed on only one Enterprise Vault server in a single Enterprise Vault Directory.
- While creating a managed system, make sure you choose a timeout value suitable to your environment, as the time to execute the script will vary based on the number of Enterprise Vault and File servers in the Enterprise Vault Directory.
- Assign the functional account.
- Add a new managed account under the managed system created in step 5 and name it, for example, TestVSA with a random password in Credentials.
- Go to Managed Accounts and find the Active Directory Account for the Enterprise Vault Service account that you want to use as the primary for synced accounts. Using the vertical ellipses on the right, select Go to Advanced Details. Assign the managed account TestVSA created in the step above as a synced account.
Now, on rotating the Active Directory password for a VSA user, the TestVSA account triggers the custom platform steps to execute the PowerShell script on the linked Enterprise Vault server to update the password in Enterprise Vault services on all the Enterprise Vault and file servers in the Enterprise Vault directory.
- Go back to Managed Accounts. Use the vertical ellipses on the right to initiate a manual password change for the VSA Active Directory user.
- Verify that password is changed for the Enterprise Vault Service AD account.
- Verify that Password History and Last Change Result reflect success for password change in the Managed Accounts UI blade in Password Safe for both the VSA AD user and the TestVSA account.
- Configure email notification in BeyondTrust Password Safe for password rotations.
Note: For more information about email notifications, see Customize email notifications.
Note: It is also possible to test the script with a non-synced managed account from directly under the new managed system.
- Validate that the synced managed account has been automatically updated, after a successful change password on primary.
Troubleshoot integration
Once the managed system and managed account are created using the new custom platform, it is possible to use the custom platform for unit testing.
After populating the Functional and Managed Account dropdowns and respective passwords, you can click Change Password.
The PowerShell script you configured in the custom platform steps will be executed on the linked Enterprise Vault server.
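The custom platform only knows the script succeeded or failed by matching the success and failure messages configured in the Change Password step against the session output. The following added example is a stand-in script, not Veritas's SetEVServiceAccountPassword.ps1, that keeps exactly that contract (positional new-password argument, optional -saveInDatabase argument, the two message strings, no password in the output) so the platform step and its message matching can be unit tested before the real script is wired in. The file name C:\Scripts\Test-PasswordSafeContract.ps1 and the log location under ProgramData are assumptions; point the platform step's command line at this path in place of the Veritas script for the test.

```powershell
<#
Added example, not Veritas's SetEVServiceAccountPassword.ps1: a stand-in that honours
the contract the custom platform step depends on, so the step can be unit tested
before the real script is wired in. Assumed file name:
C:\Scripts\Test-PasswordSafeContract.ps1. The positional argument receives the
<<manacctnewpwd>> substitution; -saveInDatabase:false is accepted literally and only logged.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [ValidateNotNullOrEmpty()]
    [string]$NewPassword,

    # The real script's optional argument; the stand-in records it and does nothing else.
    [string]$saveInDatabase = 'true'
)

# Exact strings configured on the platform step; any change here must be mirrored there.
$SuccessMessage = 'Successfully updated Enterprise Vault service account password'
$FailureMessage = 'Script execution failed due to an exception mentioned below'

# Audit trail for troubleshooting (assumed location). Only timestamps and outcomes are
# written; the password never reaches this log or the session output Password Safe records.
$LogDir  = Join-Path $env:ProgramData 'PasswordSafeTest'
$LogFile = Join-Path $LogDir 'rotation.log'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
function Write-Log([string]$Text) {
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Text)
}

$exitCode = 0
try {
    Write-Log "invoked as $env:USERNAME, saveInDatabase=$saveInDatabase"

    # Stand-in for the real work. The length check gives the unit test a deliberate
    # failure path: rotate to a short password and confirm the failure string is matched.
    if ($NewPassword.Length -lt 12) {
        throw 'new password is shorter than the 12-character minimum this stand-in enforces'
    }

    Write-Log 'success'
    Write-Output $SuccessMessage
}
catch {
    # The platform matches on the first line; the second tells the operator why.
    Write-Log "failure: $($_.Exception.Message)"
    Write-Output $FailureMessage
    Write-Output $_.Exception.Message
    $exitCode = 1
}
finally {
    # Drop the plaintext as soon as it is no longer needed.
    $NewPassword = $null
}
exit $exitCode
```

With this in place, Change Password from the custom platform unit test should report success and the managed account's Last Change Result should match; the 12-character threshold is there so a failure can be provoked on demand and the failure string checked as well. Because everything the script writes to standard output ends up in the session output that Password Safe stores, the stand-in deliberately never writes the new password, and the real script should be reviewed for the same property.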