Discovery of Password Safe

Password Safe Discovery

You can use Vault to discover and import Managed Accounts and Managed Systems from your Password Safe instance.

ℹ️

The direct integration with Password Safe supports all credential types, with the exception of Application and Kubernetes credentials. To import these credentials, continue using the ECM-based integration. Endpoint discovery and import is limited to Windows endpoints only.

Manual Import

Prerequisites

  • A valid commercial CA-signed SSL certificate.
  • An API registration for the SRA appliance IP address in the Authentication Rules.
  • A user must be chosen or created to be used as the impersonating user. The impersonating user must be in a user group with the following properties:
    • For Features: Password Safe Account Management and Password Safe System Management (read-only).
    • Assigned access to the API registration for the SRA appliance IP address. This is used as a connection in SRA.
    • Any Managed Account Smart Groups added to the user group for import must have the Password Safe Requestor role with an access policy assigned that has a 24x7 schedule and view password set to auto-approve.
  • To import domain-linked accounts, the domain account must be linked to the asset.

Create connection

Start by creating a connection between the SRA site and Password Safe. Most of the information entered in this step comes from Password Safe; ensure you have that information on hand. To create the connection:

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Connections tab.
    The Password Safe Connections page displays.
  3. Click Add.
  4. For Name, type a unique name to help identify this role. This is a required field.
  5. For Password Safe Host, type the name of the Password Safe Host. This is a required field.
  6. For API Key, copy the information from the Key field in Password Safe for the API registration you created and paste it into the API Key field in PRA. This is a required field.
  7. For Impersonating Username, select a valid username from one of the following groups: Password Safe's Administrators, Global Approvers, or Secure Remote Access Requestors. This is a required field.
  8. Impersonating Username Password is determined by the User required password checkbox on the API registration from Password Safe. If the checkbox is not selected, then no password is required for this field in PRA. If the checkbox is selected, then use the password associated with the username on the Password Safe API registration and enter it in this field in PRA.

Initiate a Password Safe discovery job

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Discovery tab.
    The Discovery tab displays.

  3. Click New Discovery Job.
    The Discovery: New Job page displays.

  4. You have the following four options to choose:

    • Windows Domain
    • Local Windows Accounts on Jump Clients
    • AWS Secrets
    • Password Safe
  5. Click Password Safe.

  6. Click Continue.

  7. For the Password Safe Connection, make sure a valid Password Safe connection exists. Select the connection. This is a required field.

  8. Click Continue.
    The Discovery: Password Safe Scope page displays.

  9. Select the checkboxes for the information you want to receive from Password Safe:

    • Managed Accounts

    • Managed Systems

  10. Click Start Discovery.
    The Discovery Progress page displays.

  11. From the Discovery Results table, select the items you want to import.

ℹ️

The Workgroup Name field is new.

  1. Click Import Selected.
    The Import Discovered Items page displays.

  2. For Account Group, choose the account group that the selected Managed Accounts are associated with.

  3. The Create one Jump Item per Managed System option is available when importing Managed Systems and a Jumpoint is available. Choose a Jump Group and Jumpoint to associate the created RDP Jump Items with when importing. If you do not want to immediately create jump items for the imported Managed Systems, select Do not create Jump Item.

  4. Click Start Import.

  5. Click Yes in the following dialog box: "This process cannot be stopped after it is started. Do you want to continue?"

  6. On the Importing page, the results of the Managed Accounts and Managed Systems display.

  7. To view Managed Systems, click the View Endpoints link. This takes you to the Vault > Endpoints page.

  8. To view Managed Accounts, click the View Accounts link. This takes you to the Vault > Accounts page. The Password Safe table with Managed Accounts and Managed Systems displays.

  9. From the Accounts page, you can check out a Password Safe account, edit a Password Safe account, or delete a Password Safe account from the Password Safe table.

ℹ️

  • The option to rotate credentials does not exist in discovery of a Password Safe account.
  • There are two new fields: System and Workgroup.

Check out a Password Safe account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Password Safe tab.

  3. From the Password Safe table, locate the account you want to check out. The user must have the Inject And Checkout Vault role; otherwise, the Check Out button in step 4 does not display.

  4. Click Check Out.
    The Account Password dialog box displays. The password displays in plain text for one minute when you click Reveal.

  5. To copy the displayed password, click Copy.

🚧

Important info

Credentials are sourced from Password Safe at time of Check Out and Check In. No passwords are ever stored in the SRA Vault for Password Safe Accounts.

Check out a Directory Linked account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Password Safe tab.

  3. From the Password Safe table, locate the account you want to check out.

  4. For the Target Endpoint for Directory Linked Account Checkout, ensure a valid endpoint exists in Password Safe.

    🚧

    Important info

    Directory Linked accounts must be checked out against a Managed System. If the Target Endpoint for Directory Linked Account Checkout field is left blank in the Connections tab, the following error occurs on checkout:

    System name is not configured for directory linked account checkout.

    If the supplied endpoint name does not match a Managed System in Password Safe, or the account has not been linked to the Managed System in Password Safe, checkout fails with an error.

    This configuration is not necessary for Credential Injection.

  5. Click Check Out.
    The Status column should display.

  6. To check in the account, click Check In.

Edit a Password Safe account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Password Safe tab.
  3. From the Password Safe table, locate the account you want to edit.
  4. Click the pencil to edit.
  5. Make the necessary changes and click Save.

Delete a Password Safe account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Password Safe tab.
  3. From the Password Safe table, locate the account you want to delete.
  4. Click the trash can to delete.
  5. A confirmation dialog box displays. Click Yes.

Credential injection of a Password Safe account

Password Safe accounts are available for injection into matching RDP Jump Items or Jump Clients. At the time of injection, the Credential Store dialog box displays.

  1. For the Credential Store option, click the dropdown and select the appropriate Password Safe account.
  2. Click OK.
  3. To view all the Password Safe Vault accounts available for credential injection, click the Vault tab at the top of the screen.
  4. In the Search bar, enter password safe.
    A list of only Password Safe accounts displays.
  5. Users with the Inject and Checkout role can also select a Password Safe account from the list and choose the appropriate option of Check In or Check Out.

Automatic import of accounts and endpoints

Vault administrators can use import rules with predefined filters to automatically import selected domain accounts, endpoints, and local accounts after scheduled discovery runs. This reduces the time and effort required for manual imports.

Automatic import jobs run in three phases:

  • Matching phase
  • Removal phase
  • Import phase

If any rule in the batch fails during the matching or removal phases, all of the rules in that batch fail. However, if any rule fails during the import phase, this does not prevent other rules in the connection from running and completing their imports.

Prerequisites

  • Vault administrator privileges

Create a Password Safe connection

Start by creating a connection between the SRA site and Password Safe. Most of the information entered in this step comes from Password Safe; ensure you have that information on hand. To create the connection:

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Connections tab.
    The Password Safe Connections page displays.
  3. Click Add.
  4. For Name, type a unique name to help identify this role. This is a required field.
  5. For Password Safe Host, type the name of the Password Safe Host. This is a required field.
  6. For API Key, copy the information from the Key field in Password Safe for the API registration you created and paste it into the API Key field in PRA. This is a required field.
  7. For Impersonating Username, select a valid username from one of the following groups: Password Safe's Administrators, Global Approvers, or Secure Remote Access Requestors. This is a required field.
  8. Impersonating Username Password is determined by the User required password checkbox on the API registration from Password Safe. If the checkbox is not selected, then no password is required for this field in PRA. If the checkbox is selected, then use the password associated with the username on the Password Safe API registration and enter it in this field in PRA.

Create the Discovery Schedule

After the Password Safe connection is created, complete the Scheduled Discovery section to automatically import managed credentials and endpoints from Password Safe.

Set discovery schedule
  1. In the Scheduled Discovery section, check the Enable Scheduled Discovery box.
  2. Set the Discovery Schedule:
    • Set the day(s) discovery recurs on
    • Set the time the discovery recurs on
  3. Select the Discovery Scope:
    • Managed Accounts
    • Managed Systems

Create Password Safe import rules

Password Safe import rules determine how accounts and assets are imported after scheduled discoveries. Once import rules are created, they are owned and run automatically by the system user. Imported Vault accounts, Vault endpoints, and any Jump Items associated with those endpoints are owned by that rule.

ℹ️

  • Import rules are only executed automatically following a scheduled discovery. They do not run without one.
  • Up to 50 rules can be created per connection, with priority determining which rule applies if an account matches multiple criteria.

Once the connection and discovery schedule are created, create one or more import rules:

  1. In the Password Safe Import Rules section, click +Add Import Rule.

  2. Under Create Password Safe Rule, add a Rule Name.

  3. Set filters to define criteria for the import rule.

    ℹ️

    • At least one filter is required per rule. Accounts and endpoints can both have up to 10 filters.
    • Multiple filters use And logic, meaning an item must satisfy the first filter and every subsequent filter in the rule.
    • Check Accounts to add account filters to the rule.

      • Select a Field to filter by from the dropdown list.
      • Select an Operator. Options include Contains and Does not contain.
      • Enter a value to filter by in the Value field. Add multiple values by typing and pressing Enter after each value.

        ℹ️

        Multiple values use Or logic, meaning the filter matches when the selected field and operator match value 1 or value 2, and so on.

      • Select an option from the Account Group to use if criteria are met dropdown list. This defines the group that accounts matching filter criteria are imported into.

        ℹ️

        • Once an account is imported, it cannot move between Account Groups unless an administrator moves it, or the account is removed and reimported. See the Important note below for more information.
        • If there are overlapping rules (an account matches multiple rules), the account is only imported once, and is assigned to the Account Group from the rule with the higher precedence at the time of import.
      • Click +Add Filter to add a new account filter.
      • Click to delete an account filter.

        ❗️

        • If a manually imported account is matched on an import rule, the import rule takes ownership of that account, and the account is now considered an automatically imported account.
        • Accounts imported via an import rule are automatically removed if, after a scheduled discovery, they no longer match any previously matched rules. They are also removed if the associated import rules are deleted. For example, if a previously imported account is deleted in Password Safe, it is not found in the next scheduled discovery, and when it fails to match against an import rule, it is removed from the system.
    • Check System (Assets) to add system filters to the rule.

      • Select a Field to filter by from the dropdown list.
      • Select an Operator. Options include Contains and Does not contain.
      • Enter a value to filter by in the Value field. Add multiple values by typing and pressing Enter after each value.
      • Check the Create Jump Item box to create one remote RDP Jump Item per each of the imported systems. Select the Jump Group and Jumpoint to assign the Jump Item to.

        ❗️

        Jump groups and Jumpoints listed in the dropdowns are limited to those that the Vault administrator has access to. This only applies on rule setup. Once the rule is created, the rule is owned by the system and there is no permission check. The only exception occurs when a user clicks Process Using Rules manually. When a user clicks that button, they are running the job with the user's permissions. If the user doesn't have sufficient permissions to modify jump items associated with that rule, the job will fail.

      • Click +Add Filter to add a new system filter.
      • Click to delete an account filter.
  4. Click Save at the top of the page.

Once import rules are created, the next time a scheduled discovery runs, those rules run on that discovery, find all filter matches, and automatically import those matches.

Accounts, endpoints, and related jump items that no longer match a rule are automatically removed. This also applies when an administrator deletes a rule or connection, which grants the system permission to clean up items tied to those rules.
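The filter, precedence, and removal semantics described above, as an added Python model (not BeyondTrust code). The field names Account Name and Domain, the rule names, the account groups, and the sample discovery results are constructed assumptions; the And/Or logic, the two operators, first-rule-wins precedence, and removal of previously imported accounts that no longer match follow the text.

```python
"""Model of Password Safe import-rule matching and removal (added illustration)."""
from dataclasses import dataclass


@dataclass
class Filter:
    field_name: str   # assumed field names, e.g. "Account Name", "Domain"
    operator: str     # the two operators the page lists
    values: list      # multiple values in one filter are Or-ed together


@dataclass
class Rule:
    name: str
    filters: list     # all filters must match (And logic); at least one required
    account_group: str


def filter_matches(f: Filter, account: dict) -> bool:
    text = str(account.get(f.field_name, ""))
    hit = any(v in text for v in f.values)          # Or logic across values
    if f.operator == "Contains":
        return hit
    if f.operator == "Does not contain":
        return not hit
    raise ValueError(f"unknown operator {f.operator!r}")


def rule_matches(rule: Rule, account: dict) -> bool:
    if not rule.filters:
        raise ValueError("at least one filter is required per rule")
    return all(filter_matches(f, account) for f in rule.filters)   # And logic


def process_discovery(rules, discovered, existing):
    """Matching and removal phases for one scheduled discovery.

    rules: list ordered by precedence (an earlier rule wins an overlap).
    discovered: account records returned by this discovery.
    existing: {account name: owning rule} for accounts a rule imported earlier.
    Returns (imports, removals): imports maps name -> (rule name, account group).
    """
    imports = {}
    for acct in discovered:
        for rule in rules:                         # first matching rule wins
            if rule_matches(rule, acct):
                imports[acct["Account Name"]] = (rule.name, rule.account_group)
                break                              # imported once only
    # Rule-imported accounts that are absent from this discovery, or no longer
    # match any rule, are removed.
    removals = sorted(name for name in existing if name not in imports)
    return imports, removals


# Constructed sample rules and discovery results (not real data).
RULES = [
    Rule("service-accounts", [Filter("Account Name", "Contains", ["svc_", "adm_"]),
                              Filter("Domain", "Does not contain", ["lab"])], "Tier0"),
    Rule("catch-all", [Filter("Account Name", "Contains", ["_"])], "General"),
]
DISCOVERED = [
    {"Account Name": "svc_backup", "Domain": "corp.example"},
    {"Account Name": "svc_lab01", "Domain": "lab.example"},   # fails the Domain filter
    {"Account Name": "jdoe", "Domain": "corp.example"},       # matches no rule
]
EXISTING = {"svc_backup": "service-accounts", "adm_retired": "service-accounts"}


def demo():
    return process_discovery(RULES, DISCOVERED, EXISTING)
```

In the sample run, svc_lab01 falls through to the lower-precedence catch-all rule, jdoe is not imported at all, and adm_retired is removed because it no longer appears in the discovery.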

View and Edit Password Safe import rules

To view or edit import rules associated with a connection:

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Connections tab.
    The Password Safe Connections page displays.
  3. Locate a connection in the list.
  4. Click to the right of the connection to view connection information.
  5. Locate the import rules in the Password Safe Import Rules section at the bottom of the page.
  6. Click to the right of the rule to view and edit information.
  7. After changes are made, click Save at the top of the screen.

Change order of import rules

Each rule in the list takes precedence over the rules below it. To change the order of import rules:

  1. Click the Change Order button.
  2. Drag and drop rules in the order you wish to see them, or enter the order number in the field.
  3. Click Save Order once updated.

Process Using Rules outside of scheduled discovery

If you don't want to wait until the next scheduled discovery to automatically import matches, you can run those import rules by clicking the Process Using Rules button, located on the Discovery Results page. Process Using Rules always processes against the entire discovery, and not just against items that haven't been imported.

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Discovery tab.
    The Discovery Jobs page displays.
  3. Locate a manual discovery in the list.
  4. Click View Results to the right of the discovery.
    The Discovery Results page displays.
  5. Click Process Using Rules at the top of the page.
  6. A confirmation dialog box displays. Click Yes.
    The Discovery Jobs page displays.
  7. Locate the discovery job in the list.
  8. Click View Results to the right of the discovery.
    The Discovery Results page displays.
  9. Click the Automatic Import Jobs tab to view jobs run against that discovery. Each import rule has a corresponding job in the results list and includes information associated with that job.

    ℹ️

    The Status column lists the status of the job, including Pending and Complete statuses. If a status of Error displays, hover over the status to view the reason for the error.

    When a rule fails or aborts, no action is taken on existing accounts or endpoints at the point of failure. If the error occurs during matching and removal, they are not removed or imported. If the error occurs during import, they are not imported.

Track Import Rule type

You can track whether the account is manually imported or automatically imported.

To view account import type, select the Vault > Accounts tab to see the Import Type column. Click the Automatic Import link to view which rules the import matched on.

To view endpoint import type, select the Vault > Endpoints tab to see the Import Type column. Click the Automatic Import link to view which rules the import matched on.

To view import rules in Vault or Jump Item reports:

  1. From the left menu, click Remote Support > Reports.
    The Reports page opens and the Support tab displays by default.
  2. At the top of the page, click the Vault or Jump Item tab.
  3. Click Show Report.
  4. The Data column displays if Vault accounts were created or deleted using an import rule.

Delete an import rule

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Connections tab.
    The Password Safe Connections page displays.
  3. Locate the import rule in the Password Safe Import Rules list.
  4. Click to the right of the import rule.
  5. A confirmation dialog box displays. Click Yes.

❗️

Deleting an import rule also deletes any accounts and Jump Items associated with it that do not match any other import rules.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.