Managing External Passwords

Enterprise Password Management Settings

To open the Enterprise Password Management settings:

1. From the top right corner of any page, click . The System Settings page opens.
2. In the Categories/Subcategories pane of the System Settings page, expand Access Management, and select External Password Managers. A toggle for enabling Password Manager integration is displayed (see below), with a list of Password Managers that can be enabled, together with their credentials.
   

• Use Password Manager (required, default: switched off) - Toggle on to use password manager integration and allow Axonius to securely pull privileged credentials from the password manager defined.
  Configuring a password manager enables you to manage the passwords used for adapters and enforcement actions using the password manager configured. When you enable and configure a password manager, this does not make any immediate change to your configured adapters or Enforcement Actions. An icon is displayed in the credential fields of the adapters or Enforcement Actions so that users can enter credentials using the password manager according to their company guidelines.

• Password Manager (required, default: AWS Secrets Manager) - Toggle on the password managers for the integration. You can enable more than one password manager:
  • Akeyless Vault
  • AWS Secrets Manager
  • Azure Key Vault
  • BeyondTrust Privileged Identity
  • BeyondTrust Password Safe
  • Click Studios Passwordstate
  • CyberArk Vault
  • GCP Secret Manager
  • HashiCorp Vault
  • Delinea Secret Server

When you choose more than one password manager, the system lets you choose which password manager to use in the password field.

Akeyless Vault

To use Akeyless Vault:
Axonius pulls credentials from Akeyless Vault. Follow Akeyless Vault configuration guidelines,

1. Toggle on Akeyless Vault.
2. Specify the following parameters:
   Akeyless Domain (required) - The URL or IP address of the Akeyless Vault server.
   Port (optional) - The port that the Akeyless Vault listens to 8080/443.
   Akeyless Access ID (required) - An ID for Akeyless
   Akeyless Access key (required) - The key used to unseal the vault.
   Refer to Akeyless API Key for details on how to generate the Access ID and Key
   Tunnel Name - Select the tunnel through which to connect to the Akeyless Vault when working with Axonius-hosted (SaaS).

AWS Secrets Manager

To use AWS Secrets Manager:

1. Toggle on AWS Secrets Manager.
2. Specify the following parameters to fetch secrets from AWS Secrets Manager:
   • Region (required) - Specify the region name for a specific region.
   • Access Key ID (required) - Provide AWS Access Key ID.
   • Access Key Secret (required) - Provide AWS Access Key Secret.

• To fetch secrets from AWS Secrets Manager, you must have the following permissions:
  • secretsmanager:GetSecretValue
  • kms:Decrypt - required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.

For more details about AWS Secrets Manager configuration and guidelines, see AWS Secrets Manager Integration.

Azure Key Vault

To use Azure Key Vault:
Axonius pulls credentials from Azure Key Vault. Follow Azure Key Vault configuration guidelines,

1. Toggle on Azure Key Vault.
2. Specify the following parameters:
   • Client ID (required) - The Application ID of the Axonius application.
   • Client Secret (required) - Specify a non-expired key generated from the new client secret.
   • Tenant ID (required) - Microsoft Azure Tenant ID.

BeyondTrust Privileged Identity

To use BeyondTrust Privileged Identity:
Axonius pulls credentials from BeyondTrust Privileged Identity.

1. Toggle on BeyondTrust Privileged Identity.
2. Specify the following parameters:
   • Hostname or IP address (required) - The hostname or IP address of the BeyondTrust Privileged Identity server.
   • Login type (required) - The login type of the authentication. Valid values:
     NativeStaticAccount (Privileged Identity explicit accounts) or FullyQualifiedAccount.
   • Username and Password (required) - The credentials for the user account

BeyondTrust Password Safe

Axonius pulls credentials from BeyondTrust Password Safe.
To use BeyondTrust Password Safe:

1. Toggle on BeyondTrust Password Safe.

2. Follow BeyondTrust Password Safe configuration guidelines, and specify the following parameters:

   • BeyondTrust Domain (required) - The hostname or IP address of the BeyondTrust Password Safe server.
   • API Token (required) - The API key configured in BeyondInsight for the application.
   • Username - The username of a BeyondInsight user who has been granted permission to use the API key.
   • Password - The relevant password.

   Click Studios Passwordstate

To use Click Studios Passwordstate:
Axonius pulls credentials from Click Studios Passwordstate. Follow Click Studios Passwordstate configuration guidelines,

1. Toggle on Click Studios Passwordstate.
2. Specify the following parameters:

• PasswordState Domain (required) - The domain for the PasswordState password manager.
• API Key (required) - The key needed to authenticate the PasswordState request. Get the API Key by generating an API Key for the password list on Passwordstate. If you are using more than one password list, you should generate a 'System Wide API Key'.
• Tunnel Name - Select the tunnel through which to connect to the Click Studios Passwordstate Password Manager when working with Axonius-hosted (SaaS).

CyberArk Vault

To use CyberArk Vault:
Axonius uses CyberArk’s Application Access Manager (AAM) to pull credentials from CyberArk Vault.

1. Toggle on CyberArk Vault

2. Follow CyberArk integration configuration guidelines, and specify the following parameters:

   • CyberArk Domain (required) - The base URL of the Central Credential Provider (CCP).
   • Port (required) - The port the Central Credential Provider (CCP) is listening to.
   • Application ID (required) - The Application ID which identifies the Axonius application created in CyberArk.
   • Certificate key (PEM format) (optional) - The certificate (PEM format) which will be authenticated against the Certificate Serial Number defined on the Application.
   • Tunnel Name - Select the tunnel through which to connect to the CyberArk Vault when working with Axonius-hosted (SaaS).

GCP Secrets Manager

To use GCP Secret Manager:

1. Toggle on GCP Secret Manager.
2. Configure a connection of Axonius to Google Cloud Platform.
3. To fetch secrets from GCP Secrets Manager, you must have the following permissions:
   Add to the relevant IAM Principal the following role: Secret Manager Secret Accessor.
4. Specify the following parameters to fetch secrets from GCP Secrets Manager:
   • JSON Key Pair (required) - A JSON-document containing service-account credentials for GCP. Refer to Connect Axonius to Google Cloud Platform.

Refer to GCP Secret Manager for further information

HashiCorp Vault

To use HashiCorp Vault:
Axonius pulls credentials from HashiCorp Vault. Follow HashiCorp Vault integration configuration guidelines,

1. Toggle on HashiCorp Vault.
2. Specify the following parameters:
   • HashiCorp Vault Domain (required) - The URL or IP address of the HashiCorp Vault server.
   • Secrets Engine (required, default Cubbyhole) - Set the secrets engine, either KV Version 1, KV Version 2, Cubbyhole, or Active Directory.
   • Port (required, default 8200) - The port the HashiCorp Vault listens to.
   • Token (optional) - The token for authentication.
   • Unseal key (optional) - The key used to unseal the vault.
   • Role ID and Role secret ID (optional) - Use these settings to authenticate using AppRole.
     • Refer to Get RoleID and SecretID for information on retreiving the Role ID
     • Enter the parameters as defined in the AppRole the user defined. Refer to Step 1 and Step 2 in AppRole Pull Authentication. Modify policies according to the secrets you want this AppRole to access.
   • Namespace (optional) - Enter a customized namespace to fetch secrets from, if it is configured.

Delinea Secret Server

To use Delinea Secret Server:
Follow Delinea Integration configuration guidelines,

1. Toggle on Delinea Secret Server.

2. Specify the following parameters:

   • Delinea Secret Server URL (required)
     • For on-prem Delinea Secret Server, needs to be in the following format: https://<hostname>/SecretServer (e.g., https://demo-server/SecretServer)
       * For cloud Delinea Secret Server, needs to be in the following format: https://<tenant>.secretservercloud.com (e.g., https://mycompany.secretservercloud.com)
   • Username and Password (required) - The credentials of a local Delinea user with read-only permissions for the secrets.
   • Port (optional, default: 443)
     • If supplied, the port specified will be used for the connection.
       * If not supplied, default 443 for https URL or if http/https not supplied in URL, default 80 for http URL.
   • Verify SSL (required, default: false) - Select whether to verify the SSL certificate offered by the value supplied in Delinea Secret Server URL. For more details, see SSL Trust & CA Settings.
   • API Version - Select the API version to use, default V10.
   • Certificate File - Upload a certificate file.
   • Tunnel Name - Select the tunnel through which to connect to the Thycotic Secret Server Vault when working with Axonius-hosted (SaaS).