Managing External Passwords

Enterprise Password Management Settings

To open the Enterprise Password Management settings:

1. From the top right corner of any page, click . The System Settings page opens.
2. In the Categories/Subcategories pane of the System Settings page, expand Access Management, and select External Password Managers. A toggle for enabling Password Manager integration is displayed (see below), with a list of Password Managers that can be enabled, together with their credentials.
   

• Use Password Manager (required, default: switched off) - Toggle on to use password manager integration and allow Axonius to securely pull privileged credentials from the password manager defined.
  Configuring a password manager enables you to manage the passwords used for adapters and enforcement actions using the password manager configured. When you enable and configure a password manager, this does not make any immediate change to your configured adapters or Enforcement Actions. An icon is displayed in the credential fields of the adapters or Enforcement Actions so that users can enter credentials using the password manager according to their company guidelines.

• Password Manager (required, default: AWS Secrets Manager) - Toggle on the password managers for the integration. You can enable more than one password manager:

  • 1Password Connect Server
  • Akeyless Vault
  • AWS Secrets Manager
  • Azure Key Vault
  • BeyondTrust Privileged Identity
  • BeyondTrust Password Safe
  • Bitwarden Vault
  • Click Studios Passwordstate
  • CyberArk Vault
  • CyberArk Privilege Cloud Vault
  • Delinea Secret Server
  • GCP Secret Manager
  • HashiCorp Vault
  • Keeper Secrets Manager
  • ManageEngine Password Manager Pro Vault
  • ManageEngine PAM360 Vault

When you choose more than one password manager, the system lets you choose which password manager to use in the password field.

1Password Connect Server

Axonius pulls credentials from 1Password Connect Server. Follow 1Password Connect Server integration configuration guidelines.

To use 1Password Connect Server

1. Toggle on 1Password Connect Server.
2. Specify the following parameters:
   • 1Password Connect Server URL (required) - The URL of 1Password Connect Server.
   • Port (required, default 8080) - The port that 1Password Connect Server listens to.
   • API Token (required - The AUTH token needed to authenticate the 1Password Connect Server request. Create the server and API key, as described in Deployment. Make sure to copy down this key and store it in a secure location for your future reference.

Akeyless Vault

To use Akeyless Vault
Axonius pulls credentials from Akeyless Vault. Follow Akeyless Vault configuration guidelines.

1. Toggle on Akeyless Vault.
2. Specify the following parameters:
   Akeyless Domain (required) - The URL or IP address of the Akeyless Vault server.
   Port (optional) - The port that the Akeyless Vault listens to 8080/443.
   Akeyless Access ID (required) - An ID for Akeyless
   Akeyless Access key (required) - The key used to unseal the vault.
   Refer to Akeyless API Key for details on how to generate the Access ID and Key
   Gateway Name - Select the gateway through which to connect to the Akeyless Vault if required.

AWS Secrets Manager

To use AWS Secrets Manager

1. Toggle on AWS Secrets Manager.
2. Specify the following parameters to fetch secrets from AWS Secrets Manager:
   • Region (required) - Specify the region name for a specific region.
   • Access Key ID (required) - Provide AWS Access Key ID.
   • Access Key Secret (required) - Provide AWS Access Key Secret.

• To fetch secrets from AWS Secrets Manager, you must have the following permissions:
  • secretsmanager:GetSecretValue
  • kms:Decrypt - required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.

For more details about AWS Secrets Manager configuration and guidelines, see AWS Secrets Manager Integration.

Azure Key Vault

To use Azure Key Vault
Axonius pulls credentials from Azure Key Vault. Follow Azure Key Vault configuration guidelines,

1. Toggle on Azure Key Vault.
2. Specify the following parameters:
   • Client ID (required) - The Application ID of the Axonius application.
   • Client Secret (required) - Specify a non-expired key generated from the new client secret.
   • Tenant ID (required) - Microsoft Azure Tenant ID.

BeyondTrust Privileged Identity

To use BeyondTrust Privileged Identity
Axonius pulls credentials from BeyondTrust Privileged Identity.

1. Toggle on BeyondTrust Privileged Identity.
2. Specify the following parameters:
   • Hostname or IP address (required) - The hostname or IP address of the BeyondTrust Privileged Identity server.
   • Login type (required) - The login type of the authentication. Valid values:
     NativeStaticAccount (Privileged Identity explicit accounts) or FullyQualifiedAccount.
   • Username and Password (required) - The credentials for the user account

BeyondTrust Password Safe

Axonius pulls credentials from BeyondTrust Password Safe.

To use BeyondTrust Password Safe

1. Toggle on BeyondTrust Password Safe.
2. Follow BeyondTrust Password Safe configuration guidelines, and specify the following parameters:
   • BeyondTrust Domain (required) - The hostname or IP address of the BeyondTrust Password Safe server.
   • API Token (required) - The API key configured in BeyondInsight for the application.
   • Username - The username of a BeyondInsight user who has been granted permission to use the API key.
   • Password - The relevant password.
   • Gateway Name (optional) - Select the gateway through which to connect to the BeyondTrust Password Safe Password Manager if required.

Bitwarden Vault

To use Bitwarden Vault

1. Toggle on Bitwarden Vault.

2. Follow the Bitwarden Vault integration guidelines, and specify the following parameters - all required unless noted otherwise:

   • Domain for API calls - The domain where the “get vault” request will be sent to.
   • Domain for authentication - The domain in which to authenticate and get a token. The default value is https://identity.bitwarden.com.
   • Client ID and Client Key - to get these, from your Bitwarden account, navigate to Security, select the Keys tab, and then click View API key. The account you use must be an organization account and not a personal account, as the Client ID must start with the word “organization”, for example: organization.32242dc3-2402-34a6-97b0-b26700ccb8f2.
   • Verify SSL (default: false) - Select whether to verify the SSL certificate offered by the value supplied in Delinea Secret Server URL. For more details, see SSL Trust & CA Settings.
   • Master Password - The password used to log into your Bitwarden account.
   • Gateway Name (optional) - Select the gateway through which to connect to the Bitwarden Vault if required.

   Click Studios Passwordstate

To use Click Studios Passwordstate
Axonius pulls credentials from Click Studios Passwordstate. Follow Click Studios Passwordstate configuration guidelines,

1. Toggle on Click Studios Passwordstate.
2. Specify the following parameters:
   • PasswordState Domain (required) - The domain for the PasswordState password manager.
   • API Key (required) - The key needed to authenticate the PasswordState request. Get the API Key by generating an API Key for the password list on Passwordstate. If you are using more than one password list, you should generate a 'System Wide API Key'.
   • Gateway Name - Select the gateway through which to connect to the Click Studios Passwordstate Password Manager if required.

CyberArk Vault

To use CyberArk Vault
Axonius uses CyberArk’s Application Access Manager (AAM) to pull credentials from CyberArk Vault.

1. Toggle on CyberArk Vault

2. Follow CyberArk integration configuration guidelines, and specify the following parameters:

   • CyberArk Domain (required) - The base URL of the Central Credential Provider (CCP).
   • Port (required) - The port the Central Credential Provider (CCP) is listening to.
   • Application ID (required) - The Application ID which identifies the Axonius application created in CyberArk.
   • Certificate key (PEM format) (optional) - The certificate (PEM format) which will be authenticated against the Certificate Serial Number defined on the Application.
     • Certificate Key: You need to upload the unencrypted Private Key + Certificate bundle.
     • To do this cat private.key cert.pem > cyberarkcert.pem.
     • Click Upload File to upload it the generated cyberarkcert.pem file.
     • If you open the file in a text editor, it should begin with "PRIVATE KEY" and also have a "BEGIN CERTIFICATE" section below.
     • Note that the Private Key can't be password encrypted.
   • API Prefix - Select the API Prefix that is accessible to your CyberArk Vault service. The following options are available:
     • AIMWebService
     • AIMWebServiceCert
     • AIMWebServiceIP
   • Gateway Name - Select the gateway through which to connect to the CyberArk Vault if required.

CyberArk Privilege Cloud Vault

To use CyberArk Privilege Cloud Vault

1. Toggle on CyberArk Privilege Cloud Vault.

2. Follow CyberArk Privilege Cloud integration configuration guidelines, and specify the following parameters:

   • CyberArk Privilege Cloud domain (required) - The base URL of the Central Credential Provider (CCP).
   • Authentication Method (required; default: CyberArk) - The authentication method used for the connection. The following authentication methods are supported: CyberArk, Windows, LDAP, Radius, SAML, and OAuth2.
   • Username and Password (required; optional for SAML authentication) - The credentials for a CyberArk Privilege Cloud user account that has the Required Permissions to fetch assets.
   • Tenant ID - Cloud Only (optional) - Tenant ID required for OAuth2 authentication method. The OAuth2 method only works with the cloud version.
   • SAML Response (optional) - Required for the SAML authentication method.
   • Gateway Name (optional) - Select the gateway through which to connect to the CyberArk Privilege Cloud Vault if required.

APIs

Axonius uses the CyberArk REST API.

To use the SAML authentication method you need to enable the SAML IdP initiated SSO flow. Follow instructions in Configure the IdP to implement this. This returns the SAML Response.

Required Permissions

The value supplied in User Name must have Audit users permission.

The Client ID/Secret permissions must be updated to match the Create a Service user for API requests section.

The following permissions are only relevant if you are using the OAuth2 authentication (i.e., with the cloud version):

You must update the domain to be <subdomain>.privilegecloud.cyberark.cloud.

Example: https://ihg.privilegecloud.cyberark.cloud

Delinea Secret Server

To use Delinea Secret Server:
Follow Delinea Integration configuration guidelines,

1. Toggle on Delinea Secret Server.

2. Specify the following parameters:

   • Delinea Secret Server URL (required)

     • For on-prem Delinea Secret Server, needs to be in the following format: https://<hostname>/SecretServer (e.g., https://demo-server/SecretServer)
       * For cloud Delinea Secret Server, needs to be in the following format: https://<tenant>.secretservercloud.com (e.g., https://mycompany.secretservercloud.com)

   • Username and Password (required) - The credentials of a local Delinea user, with permissions according to the state of the 'hide launcher password' security setting.

     • If the setting is activated, the user should be an Owner or Editor of the secret so that the user gets the real password and the vault can properly populate the secrets. (If the user is not an Owner or Editor, the value of the password is *** Not Valid For Display ***)
     • If the setting is not activated, the User can be a Viewer (read-only permission).

   • Port (optional, default: 443)

     • If supplied, the port specified will be used for the connection.
       * If not supplied, default 443 for https URL or if http/https not supplied in URL, default 80 for http URL.

   • Verify SSL (required, default: false) - Select whether to verify the SSL certificate offered by the value supplied in Delinea Secret Server URL. For more details, see SSL Trust & CA Settings.

   • API Version - Select the API version to use, default V10.

   • Certificate File - Upload a certificate file.

   • Gateway Name - Select the gateway through which to connect to the Thycotic Secret Server Vault if required.

GCP Secrets Manager

To use GCP Secret Manager

1. Toggle on GCP Secret Manager.
2. Configure a connection of Axonius to Google Cloud Platform.
3. To fetch secrets from GCP Secrets Manager, you must have the following permissions:
   Add to the relevant IAM Principal the following role: Secret Manager Secret Accessor.
4. Specify the following parameters to fetch secrets from GCP Secrets Manager:
   • JSON Key Pair (required) - A JSON-document containing service-account credentials for GCP. Refer to Connect Axonius to Google Cloud Platform.

Refer to GCP Secret Manager for further information

HashiCorp Vault

To use HashiCorp Vault
Axonius pulls credentials from HashiCorp Vault. Follow HashiCorp Vault integration configuration guidelines.

1. Toggle on HashiCorp Vault.
2. Specify the following parameters:
   • HashiCorp Vault Domain (required) - The URL or IP address of the HashiCorp Vault server.
   • Secrets Engine (required, default Cubbyhole) - Set the secrets engine, either KV Version 1, KV Version 2, Cubbyhole, or Active Directory.
   • Port (required, default 8200) - The port the HashiCorp Vault listens to.
   • Token (optional) - The token for authentication.
   • Unseal key (optional) - The key used to unseal the vault.
   • Role ID and Role secret ID (optional) - Use these settings to authenticate using AppRole.
     • Refer to Get RoleID and SecretID for information on retreiving the Role ID
     • Enter the parameters as defined in the AppRole the user defined. Refer to Step 1 and Step 2 in AppRole Pull Authentication. Modify policies according to the secrets you want this AppRole to access.
   • Namespace (optional) - Enter a customized namespace to fetch secrets from, if it is configured.

Keeper Secrets Manager

To use Keeper Secrets Manager:
Follow Keeper Secrets Manager Integration configuration guidelines,

1. Toggle on Keeper Secrets Manager.

2. Specify the following parameters:

   • Hostname - The destination host where your Enterprise tenant is located: by default this is keepersecurity.com
   • Client ID - The hashed clientKey where clientKey is the Unique Client Device Identifier
   • Private Key Client Device Private Key
   • Server Public Key ID - Keeper Infrastructure's Public Key ID
   • App Key - Application Private Key
   • App Owner Public Key - Application Owner's Public Key
   • Gateway Name - Select the gateway through which to connect to the Keeper Secrets Manager if required.

ManageEngine Password Manager Pro Vault

Axonius pulls credentials from ManageEngine Password Manager Pro Vault. Follow ManageEngine Password Manager Pro Vault integration configuration guidelines.

To use ManageEngine Password Manager Pro Vault

1. Toggle on ManageEngine Password Manager Pro Vault.
2. Specify the following parameters:
   • ManageEngine Password Manager Pro Server URL (required) - The URL of the ManageEngine Password Manager Pro Vault server.
   • Port (required, default 8282) - The port that the ManageEngine Password Manager Pro Vault listens to.
   • API Key (required - The AUTH token needed to authenticate the ManageEngine Password Manager Pro Vault request. To create an API key, add an API User and generate an API key, as described in Adding an API User. Make sure to copy down this key and store it in a secure location for your future reference.

ManageEngine PAM360 Vault

Axonius pulls credentials from ManageEngine PAM360 Vault. Follow ManageEngine PAM360 Vault integration configuration guidelines.

To use ManageEngine PAM360 Vault

1. Toggle on ManageEngine PAM360 Vault.
2. Specify the following parameters:
   • ManageEngine PAM360 Server URL (required) - The URL of the ManageEngine PAM360 Vault server.
   • Port (required, default 8282) - The port that the ManageEngine PAM360 Vault listens to.
   • API Key (required - The AUTH token needed to authenticate the ManageEngine PAM360 Vault request. To create an API key, add an API User and generate an API key, as described in Adding an API User. Make sure to copy down this key and store it in a secure location for your future reference.