BeyondTrust Credential Cycling Configuration
This section provides details on configuring credential cycling for use with BeyondTrust.
Note that to enable credential cycling with the BeyondTrust PowerBroker Password Safe application, passwords must be configured in the JSON format. For example:
{"bt_user":"MyUserName","bt_password":"MyPasswordValue"}
In the Credential Source section, you configure:
- The URL to your BeyondTrust source
- The "run as" user for authenticating to your source
- An API key for authentication
- Your BeyondTrust Managed System and Managed Account names
The values you set in the Credential Source section apply to your overall BeyondTrust implementation.
Note: If particular applications use different Managed Systems or Managed Accounts, you can set application-specific values for them in the Credential Association section. Values set in the Credential Source section are overridden by values of the same name in the Attributes map of each Credential Association.
In the Credential Association section, you configure:
- The name(s) of your IdentityIQ applications that will use credential cycling
- The attributes for your application's username and password, and the corresponding BeyondTrust username and password that provide the secure credential to the application at runtime
- Any application-specific overrides to the overall BeyondTrust Managed System or Managed Account names
<CredentialSource credentialClass="sailpoint.pam.credential.BeyondTrustCredentialManager" name="beyondTrust">
  <!-- The attributes in this map are used mainly to communicate with BeyondTrust.
       Any values here can be overridden by values of the same name in the attributes
       map of each credential association. Required attributes must either be configured
       here or in every credential association. Attributes:
         Required: url
         Required: runas
         Required: apikey
         Required: managedSystemName
         Required: managedAccountName
         Optional: durationMinutes
         Optional: credentialCacheMinutes
         Optional: checkInReason
         Optional: checkOutReason
  -->
  <Attributes>
    <Map>
      <entry key="url">
        <value><String>https://your.beyondtrust.server/BeyondTrust/api/public/v3/</String></value>
      </entry>
      <entry key="runas">
        <value><String>runas_user</String></value>
      </entry>
      <entry key="apikey">
        <value><String>your_beyondtrust_api_key_goes_here</String></value>
      </entry>
      <entry key="managedAccountName" value="beyond_trust_managed_account_name"/>
      <entry key="managedSystemName" value="beyond_trust_managed_system_name"/>
    </Map>
  </Attributes>
  <!-- *** Application Configuration -->
  <CredentialAssociation applicationName="application_name"
                         attributeName="application_username_attribute"
                         credentialAttributeName="bt_user">
    <!-- *** Attribute values go here. These attributes can be used to override values from
         *** above, or can be left out if not needed -->
    <Attributes>
      <Map>
        <entry key="managedAccountName" value="special_beyond_trust_managed_account_name"/>
      </Map>
    </Attributes>
  </CredentialAssociation>
  <CredentialAssociation applicationName="application_name"
                         attributeName="application_password_attribute"
                         credentialAttributeName="bt_password"/>
</CredentialSource>
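The override rule described in the Note above (association-level values replace same-name source-level values) and the comment's "required at source or in every association" requirement are easy to get wrong when several applications share one CredentialSource. The following Python script is an added example, not SailPoint or BeyondTrust code: it parses a CredentialSource fragment like the one on this page, computes the effective attribute set for each CredentialAssociation, flags required attributes that end up unset, and checks that every credentialAttributeName (bt_user, bt_password) exists as a key in the JSON-formatted secret the page shows for the Password Safe managed account. The sample XML and sample secret are constructed from the page's placeholders; the mapping between credentialAttributeName and the JSON keys is read off the page's own configuration.

```python
import json
import xml.etree.ElementTree as ET

# Attribute names exactly as listed in the page's CredentialSource comment.
REQUIRED = ("url", "runas", "apikey", "managedSystemName", "managedAccountName")
OPTIONAL = ("durationMinutes", "credentialCacheMinutes",
            "checkInReason", "checkOutReason")

# Constructed sample: the page's fragment, values kept as placeholders.
SAMPLE_XML = """<CredentialSource credentialClass="sailpoint.pam.credential.BeyondTrustCredentialManager" name="beyondTrust">
  <Attributes><Map>
    <entry key="url"><value><String>https://your.beyondtrust.server/BeyondTrust/api/public/v3/</String></value></entry>
    <entry key="runas"><value><String>runas_user</String></value></entry>
    <entry key="apikey"><value><String>your_beyondtrust_api_key_goes_here</String></value></entry>
    <entry key="managedAccountName" value="beyond_trust_managed_account_name"/>
    <entry key="managedSystemName" value="beyond_trust_managed_system_name"/>
  </Map></Attributes>
  <CredentialAssociation applicationName="application_name"
      attributeName="application_username_attribute" credentialAttributeName="bt_user">
    <Attributes><Map>
      <entry key="managedAccountName" value="special_beyond_trust_managed_account_name"/>
    </Map></Attributes>
  </CredentialAssociation>
  <CredentialAssociation applicationName="application_name"
      attributeName="application_password_attribute" credentialAttributeName="bt_password"/>
</CredentialSource>"""

# Constructed sample of the JSON-formatted secret the page shows for a
# Password Safe managed account (placeholder values, not real credentials).
SAMPLE_SECRET = '{"bt_user":"MyUserName","bt_password":"MyPasswordValue"}'


def read_map(parent):
    """Return the Attributes/Map entries directly under `parent` as a dict.

    IdentityIQ XML writes an entry either as <entry key="k" value="v"/> or as
    <entry key="k"><value><String>v</String></value></entry>; handle both.
    """
    result = {}
    for entry in parent.findall("./Attributes/Map/entry"):
        if "value" in entry.attrib:
            result[entry.get("key")] = entry.get("value")
        else:
            node = entry.find("./value/String")
            result[entry.get("key")] = node.text if node is not None else None
    return result


def effective_attributes(xml_text):
    """Map (applicationName, attributeName) -> merged attributes for each
    CredentialAssociation, with association values overriding source values."""
    root = ET.fromstring(xml_text)
    defaults = read_map(root)
    resolved = {}
    for assoc in root.findall("./CredentialAssociation"):
        merged = dict(defaults)
        merged.update(read_map(assoc))  # same-name keys at this level win
        resolved[(assoc.get("applicationName"), assoc.get("attributeName"))] = merged
    return resolved


def find_problems(xml_text):
    """Return findings a reviewer would want before deploying the config:
    whitespace in the source name, required keys still unset after overrides
    are applied, and keys outside the documented set (usually typos)."""
    root = ET.fromstring(xml_text)
    problems = []
    name = root.get("name", "")
    if name != name.strip():
        problems.append(f"CredentialSource name {name!r} has surrounding whitespace")
    for (app, attr), merged in effective_attributes(xml_text).items():
        for key in REQUIRED:
            if not merged.get(key):
                problems.append(f"{app}/{attr}: required attribute '{key}' is unset "
                                "at both source and association level")
        for key in merged:
            if key not in REQUIRED + OPTIONAL:
                problems.append(f"{app}/{attr}: unrecognised attribute '{key}'")
    return problems


def missing_secret_keys(xml_text, secret_json):
    """Every credentialAttributeName must exist as a key in the JSON secret
    stored in Password Safe, or the application receives no value at runtime."""
    root = ET.fromstring(xml_text)
    wanted = {a.get("credentialAttributeName") for a in root.findall("./CredentialAssociation")}
    return sorted(wanted - set(json.loads(secret_json)))


if __name__ == "__main__":
    for (app, attr), merged in effective_attributes(SAMPLE_XML).items():
        print(f"{app}.{attr}: managedAccountName={merged['managedAccountName']}")
    print("problems:", find_problems(SAMPLE_XML) or "none")
    print("missing secret keys:", missing_secret_keys(SAMPLE_XML, SAMPLE_SECRET) or "none")
```

Run it against an exported CredentialSource before importing it into IdentityIQ: the username association should resolve to the special managed account while the password association falls back to the source-level one, and any required attribute that is missing at both levels is reported per application rather than discovered as a failed checkout at runtime.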