Managing External Passwords
  • 28 Mar 2024
  • 10 Minutes to read
  • Dark
    Light
  • PDF

Managing External Passwords

  • Dark
    Light
  • PDF

Article Summary

Enterprise Password Management Settings

To open the Enterprise Password Management settings:

  1. From the top right corner of any page, click image.png. The System Settings page opens.
  2. In the Categories/Subcategories pane of the System Settings page, expand Access Management, and select External Password Managers. A toggle for enabling Password Manager integration is displayed (see below), with a list of Password Managers that can be enabled, together with their credentials.
    EnterprisePasswordManagementSettings1
  • Use Password Manager (required, default: switched off) - Toggle on to use password manager integration and allow Axonius to securely pull privileged credentials from the password manager defined.
    Configuring a password manager enables you to manage the passwords used for adapters and enforcement actions using the password manager configured. When you enable and configure a password manager, this does not make any immediate change to your configured adapters or Enforcement Actions. An icon is displayed in the credential fields of the adapters or Enforcement Actions so that users can enter credentials using the password manager according to their company guidelines.
Note:

In an Axonius-hosted (SaaS) deployment, contact Axonius support for information on how to use Password Managers with your system

When you choose more than one password manager, the system lets you choose which password manager to use in the password field.

ChooseMultiplePAss.png

1Password Connect Server

1PasswordConnectServer

Axonius pulls credentials from 1Password Connect Server. Follow 1Password Connect Server integration configuration guidelines.

To use 1Password Connect Server

  1. Toggle on 1Password Connect Server.
  2. Specify the following parameters:
    • 1Password Connect Server URL (required) - The URL of 1Password Connect Server.
    • Port (required, default 8080) - The port that 1Password Connect Server listens to.
    • API Token (required - The AUTH token needed to authenticate the 1Password Connect Server request. Create the server and API key, as described in Deployment. Make sure to copy down this key and store it in a secure location for your future reference.

Akeyless Vault

PasswordManageAKeyLessVault

To use Akeyless Vault
Axonius pulls credentials from Akeyless Vault. Follow Akeyless Vault configuration guidelines.

  1. Toggle on Akeyless Vault.
  2. Specify the following parameters:
    Akeyless Domain (required) - The URL or IP address of the Akeyless Vault server.
    Port (optional) - The port that the Akeyless Vault listens to 8080/443.
    Akeyless Access ID (required) - An ID for Akeyless
    Akeyless Access key (required) - The key used to unseal the vault.
    Refer to Akeyless API Key for details on how to generate the Access ID and Key
    Gateway Name - Select the gateway through which to connect to the Akeyless Vault when working with Axonius-hosted (SaaS).

AWS Secrets Manager

PasswordManageAWSSecretsManager

To use AWS Secrets Manager

  1. Toggle on AWS Secrets Manager.
  2. Specify the following parameters to fetch secrets from AWS Secrets Manager:
    • Region (required) - Specify the region name for a specific region.
    • Access Key ID (required) - Provide AWS Access Key ID.
    • Access Key Secret (required) - Provide AWS Access Key Secret.
  • To fetch secrets from AWS Secrets Manager, you must have the following permissions:
    • secretsmanager:GetSecretValue
    • kms:Decrypt - required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.

For more details about AWS Secrets Manager configuration and guidelines, see AWS Secrets Manager Integration.

Azure Key Vault

PasswordManagerAzureKeyVault

To use Azure Key Vault
Axonius pulls credentials from Azure Key Vault. Follow Azure Key Vault configuration guidelines,

  1. Toggle on Azure Key Vault.
  2. Specify the following parameters:
    • Client ID (required) - The Application ID of the Axonius application.
    • Client Secret (required) - Specify a non-expired key generated from the new client secret.
    • Tenant ID (required) - Microsoft Azure Tenant ID.

BeyondTrust Privileged Identity

PasswordManagerBeyondTrustPrivilegedIdentity

To use BeyondTrust Privileged Identity
Axonius pulls credentials from BeyondTrust Privileged Identity.

  1. Toggle on BeyondTrust Privileged Identity.
  2. Specify the following parameters:
    • Hostname or IP address (required) - The hostname or IP address of the BeyondTrust Privileged Identity server.
    • Login type (required) - The login type of the authentication. Valid values:
      NativeStaticAccount (Privileged Identity explicit accounts) or FullyQualifiedAccount.
    • Username and Password (required) - The credentials for the user account

BeyondTrust Password Safe

PasswordManagerBeyondTrustPasswordSafe

Axonius pulls credentials from BeyondTrust Password Safe.
To use BeyondTrust Password Safe

  1. Toggle on BeyondTrust Password Safe.

  2. Follow BeyondTrust Password Safe configuration guidelines, and specify the following parameters:

    • BeyondTrust Domain (required) - The hostname or IP address of the BeyondTrust Password Safe server.
    • API Token (required) - The API key configured in BeyondInsight for the application.
    • Username - The username of a BeyondInsight user who has been granted permission to use the API key.
    • Password - The relevant password.

    Click Studios Passwordstate

PasswordManagerClickStudiosPasswordstate

To use Click Studios Passwordstate
Axonius pulls credentials from Click Studios Passwordstate. Follow Click Studios Passwordstate configuration guidelines,

  1. Toggle on Click Studios Passwordstate.
  2. Specify the following parameters:
    • PasswordState Domain (required) - The domain for the PasswordState password manager.
    • API Key (required) - The key needed to authenticate the PasswordState request. Get the API Key by generating an API Key for the password list on Passwordstate. If you are using more than one password list, you should generate a 'System Wide API Key'.
    • Gateway Name - Select the gateway through which to connect to the Click Studios Passwordstate Password Manager when working with Axonius-hosted (SaaS).

CyberArk Vault

PasswordManagerCyberArkVault

To use CyberArk Vault
Axonius uses CyberArk’s Application Access Manager (AAM) to pull credentials from CyberArk Vault.

  1. Toggle on CyberArk Vault

  2. Follow CyberArk integration configuration guidelines, and specify the following parameters:

    • CyberArk Domain (required) - The base URL of the Central Credential Provider (CCP).
    • Port (required) - The port the Central Credential Provider (CCP) is listening to.
    • Application ID (required) - The Application ID which identifies the Axonius application created in CyberArk.
    • Certificate key (PEM format) (optional) - The certificate (PEM format) which will be authenticated against the Certificate Serial Number defined on the Application.
    • API Prefix - Select the API Prefix that is accessible to your CyberArk Vault service. The following options are available:
      • AIMWebService
      • AIMWebServiceCert
      • AIMWebServiceIP
    • Gateway Name - Select the gateway through which to connect to the CyberArk Vault when working with Axonius-hosted (SaaS).

CyberArk Privilege Cloud Vault

CyberArkPrivilegeCloudValut

To use CyberArk Privilege Cloud Vault

  1. Toggle on CyberArk Privilege Cloud Vault

  2. Follow CyberArk Privilege Cloud integration configuration guidelines, and specify the following parameters:

    • CyberArk Privilege Cloud Domain (required) - The base URL of the Central Credential Provider (CCP).
    • User Name (required) - The CyberArk Privilege Cloud user name.
    • Password (required) - The Password.
    • Gateway Name - Select the gateway through which to connect to the CyberArk Privilege Cloud Vault when working with Axonius-hosted (SaaS).

Delinea Secret Server

DelineaSecretServer

To use Delinea Secret Server:
Follow Delinea Integration configuration guidelines,

  1. Toggle on Delinea Secret Server.

  2. Specify the following parameters:

    • Delinea Secret Server URL (required)
      • For on-prem Delinea Secret Server, needs to be in the following format: https://<hostname>/SecretServer (e.g., https://demo-server/SecretServer)
        * For cloud Delinea Secret Server, needs to be in the following format: https://<tenant>.secretservercloud.com (e.g., https://mycompany.secretservercloud.com)
    • Username and Password (required) - The credentials of a local Delinea user with read-only permissions for the secrets.
    • Port (optional, default: 443)
      • If supplied, the port specified will be used for the connection.
        * If not supplied, default 443 for https URL or if http/https not supplied in URL, default 80 for http URL.
    • Verify SSL (required, default: false) - Select whether to verify the SSL certificate offered by the value supplied in Delinea Secret Server URL. For more details, see SSL Trust & CA Settings.
    • API Version - Select the API version to use, default V10.
    • Certificate File - Upload a certificate file.
    • Gateway Name - Select the gateway through which to connect to the Thycotic Secret Server Vault when working with Axonius-hosted (SaaS).

GCP Secrets Manager

GCPSecretManager

To use GCP Secret Manager

  1. Toggle on GCP Secret Manager.
  2. Configure a connection of Axonius to Google Cloud Platform.
  3. To fetch secrets from GCP Secrets Manager, you must have the following permissions:
    Add to the relevant IAM Principal the following role: Secret Manager Secret Accessor.
  4. Specify the following parameters to fetch secrets from GCP Secrets Manager:

Refer to GCP Secret Manager for further information

HashiCorp Vault

PasswordManagerHashiCorpVault

To use HashiCorp Vault
Axonius pulls credentials from HashiCorp Vault. Follow HashiCorp Vault integration configuration guidelines.

  1. Toggle on HashiCorp Vault.
  2. Specify the following parameters:
    • HashiCorp Vault Domain (required) - The URL or IP address of the HashiCorp Vault server.
    • Secrets Engine (required, default Cubbyhole) - Set the secrets engine, either KV Version 1, KV Version 2, Cubbyhole, or Active Directory.
    • Port (required, default 8200) - The port the HashiCorp Vault listens to.
    • Token (optional) - The token for authentication.
    • Unseal key (optional) - The key used to unseal the vault.
    • Role ID and Role secret ID (optional) - Use these settings to authenticate using AppRole.
      • Refer to Get RoleID and SecretID for information on retreiving the Role ID
      • Enter the parameters as defined in the AppRole the user defined. Refer to Step 1 and Step 2 in AppRole Pull Authentication. Modify policies according to the secrets you want this AppRole to access.
    • Namespace (optional) - Enter a customized namespace to fetch secrets from, if it is configured.

Keeper Secrets Manager

KeeperSecretsManager

To use Keeper Secrets Manager:
Follow Keeper Secrets Manager Integration configuration guidelines,

  1. Toggle on Keeper Secrets Manager.

  2. Specify the following parameters:

    • Hostname - The destination host where your Enterprise tenant is located: by default this is keepersecurity.com
    • Client ID - The hashed clientKey where clientKey is the Unique Client Device Identifier
    • Private Key Client Device Private Key
    • Server Public Key ID - Keeper Infrastructure's Public Key ID
    • App Key - Application Private Key
    • App Owner Public Key - Application Owner's Public Key
    • Gateway Name - Select the gateway through which to connect to the Keeper Secrets Manager when working with Axonius-hosted (SaaS).

ManageEngine Password Manager Pro Vault

ManageEnginePasswordManagerProVault

Axonius pulls credentials from ManageEngine Password Manager Pro Vault. Follow ManageEngine Password Manager Pro Vault integration configuration guidelines.

To use ManageEngine Password Manager Pro Vault

  1. Toggle on ManageEngine Password Manager Pro Vault.
  2. Specify the following parameters:
    • ManageEngine Password Manager Pro Server URL (required) - The URL of the ManageEngine Password Manager Pro Vault server.
    • Port (required, default 8282) - The port that the ManageEngine Password Manager Pro Vault listens to.
    • API Key (required - The AUTH token needed to authenticate the ManageEngine Password Manager Pro Vault request. To create an API key, add an API User and generate an API key, as described in Adding an API User. Make sure to copy down this key and store it in a secure location for your future reference.
Note:
  • The API user must have permission to view each resource for which a customer wants to fetch a password.
  • The vault’s API allows access from a single host per user. When creating the user, the customer must supply the Axonius-Instance’s IP as the Host Name. This vault is not supported for Axonius multi node systems.

ManageEngine PAM360 Vault

ManageEnginePAM360Vault

Axonius pulls credentials from ManageEngine PAM360 Vault. Follow ManageEngine PAM360 Vault integration configuration guidelines.

To use ManageEngine PAM360 Vault

  1. Toggle on ManageEngine PAM360 Vault.
  2. Specify the following parameters:
    • ManageEngine PAM360 Server URL (required) - The URL of the ManageEngine PAM360 Vault server.
    • Port (required, default 8282) - The port that the ManageEngine PAM360 Vault listens to.
    • API Key (required - The AUTH token needed to authenticate the ManageEngine PAM360 Vault request. To create an API key, add an API User and generate an API key, as described in Adding an API User. Make sure to copy down this key and store it in a secure location for your future reference.
Note:
  • The API user must have permission to view each resource for which a customer wants to fetch a password.
  • The vault’s API allows access from a single host per user. When creating the user, the customer must supply the Axonius-Instance’s IP as the Host Name. This vault is not supported for Axonius multi node systems.



Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.