Exporting Data using Escrow Functions
Users with the System Administrator role can securely export encrypted data attributes including account passwords for Systems, Accounts, Domains, and Databases from Privileged Access Service using Delinea commands and the Escrow PowerShell module. The data exported is aggregated into a CSV file, similar to the import Sample.csv template described in Importing systems, accounts, domains, databases.
The exported data can be securely emailed to designated recipients using the PGP encryption program. If the amount of data before encryption and compression exceeds 20 MB, the additional data is written to another file and sent to recipients in a second email. To open the email attachment that contains the data, you need to enter a passphrase to unlock the OpenPGP secret key.
The data from the exported file can be imported back into Privileged Access Service (see Importing systems, accounts, domains, databases).
To download the export escrow script and install the PGP program:
- Access GitHub at https://github.com/centrify/centrify-samples-powershell to download the following escrow script files to your local computer.
  - Privileged Access Service PowerShell script (Centrify.Samples.PowerShell.Example.ps1). The script can be used as a template to run the commands.
  - Privileged Access Service PowerShell Escrow module (Centrify.Samples.PowerShell.CPS.Export.psm1). The module file is called from the Centrify PowerShell script and does not require any modification. To import the module you also need https://github.com/centrify/centrify-samples-powershell/module/Centrify.Samples.PowerShell.psm1.
- Get a PGP encryption key pair using a PGP key generator and export the public key to your local computer. For more information, see https://www.openpgp.org/software/. The encryption key is used to encrypt the data before emailing it to designated recipients.
- Once you have the script files and the encryption keys, export the data and email it to designated recipients (see "Exporting Data using Escrow Functions").
Export Data Using Delinea Escrow Functions
The following commands are available for exporting and emailing data attributes for Systems, Accounts, Domains, and Databases from Privileged Access Service:
Command | Description
---|---
Set-EscrowKey -Endpoint -Token -FilePath | Uploads the public key to the Admin Portal and stores it in the tenant configuration.
Set-EscrowEmail -Endpoint -Token -Emails | Configures the recipients that will receive the email containing the Systems, Accounts, Domains, and Database data and stores it in the tenant configuration. Separate multiple email recipients with a comma, a semicolon, or a space.
Get-EscrowEmail -Endpoint -Token | Displays the email addresses of the recipients designated to receive the exported content.
Run-Escrow -Endpoint -Token | Exports the data for Systems, Accounts, Domains, and Databases and securely sends the .csv file to the designated email recipients. If the amount of data before encryption and compression exceeds 20 MB, the additional data is written to another file and sent in a second email. A passphrase is required to open the attachments in the email.
Schedule-Escrow -Endpoint -Token | Sets the escrow job (data export) to run every 24 hours. To change the default interval, use CPS.EscrowJobIntervalTimeSpan. The time span is entered as days, hours, minutes, and seconds (d.hh:mm:ss or hh:mm:ss). For example, entering 2.08:30:10 indicates that data will be exported every 2 days, 8 hours, 30 minutes, and 10 seconds.
Unschedule-Escrow -Endpoint -Token | Cancels the schedule for the escrow job (data export).
Get-EscrowScheduleStatus -Endpoint -Token | Displays whether a schedule for exporting data is configured to run periodically (the default is every 24 hours). Returns True (a schedule is configured) or False (no schedule is configured).
To export data using Delinea commands in PowerShell:
Depending on the number of entities you are exporting, the process might take some time to complete.
- Verify that the computer you are using to export data has access to the Privileged Access Service Admin Portal and that the user to be logged in to the Admin Portal has the System Administrator role (defined in the Admin Portal).
- Open the Centrify.Samples.PowerShell.Example.ps1 script file you downloaded earlier to use as a template to run the commands.
- Modify the script file (uncomment the appropriate lines) to run the commands that export the data attributes for Systems, Accounts, Domains, and Databases from Privileged Access Service and email them to designated recipients. At a minimum you must run the following commands (uncomment the command lines) to export the data and email it to recipients:
  - Set-EscrowKey -Endpoint -Token -FilePath
  - Set-EscrowEmail -Endpoint -Token -Emails
  - Run-Escrow -Endpoint -Token
- Start Windows PowerShell to open a command window and run the modified script (Centrify.Samples.PowerShell.Example.ps1). The script calls the Centrify.Samples.PowerShell.CPS.Export.psm1 module to export Systems, Domains, Databases, Accounts and their attributes into a CSV file and emails it to designated recipients.
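The procedure above, written out as a single script. This is an added example, not the page's or Delinea's own Example.ps1; it assumes both module files sit beside the script and that the sample module's interactive login helper is named Centrify-InteractiveLogin-GetToken (check the Example.ps1 you downloaded and adjust if it differs).

```powershell
# Added example, not the page's or Delinea's own template: one escrow run built
# only from the commands documented above. Assumes both module files sit beside
# this script and the sample module's login helper is Centrify-InteractiveLogin-GetToken.
param(
    [Parameter(Mandatory)] [string]   $Endpoint,       # tenant URL, e.g. https://<tenant>.my.centrify.com
    [Parameter(Mandatory)] [string]   $Username,       # user holding the System Administrator role
    [Parameter(Mandatory)] [string]   $PublicKeyPath,  # ASCII-armored PGP public key exported earlier
    [Parameter(Mandatory)] [string[]] $Recipients,     # escrow email recipients
    [switch] $Schedule,                                # also enable the 24-hour escrow job
    [string] $Interval                                 # value intended for CPS.EscrowJobIntervalTimeSpan
)
$ErrorActionPreference = 'Stop'
Import-Module (Join-Path $PSScriptRoot 'Centrify.Samples.PowerShell.psm1')
Import-Module (Join-Path $PSScriptRoot 'Centrify.Samples.PowerShell.CPS.Export.psm1')

# Only the public key belongs in the tenant configuration; refuse anything else before upload.
$keyText = Get-Content -Raw -Path $PublicKeyPath
if ($keyText -match 'PRIVATE KEY BLOCK') {
    throw "$PublicKeyPath contains a PGP private key; upload the public key only"
}
if ($keyText -notmatch 'BEGIN PGP PUBLIC KEY BLOCK') {
    throw "$PublicKeyPath is not an ASCII-armored PGP public key"
}

# Check the interval syntax (d.hh:mm:ss or hh:mm:ss) before it is entered in the
# tenant configuration; .NET parses TimeSpan strings with the same rules.
if ($Interval) {
    $ts = [TimeSpan]::Zero
    if (-not [TimeSpan]::TryParse($Interval, [ref]$ts) -or $ts -le [TimeSpan]::Zero) {
        throw "Interval '$Interval' is not a valid time span"
    }
    Write-Host "Escrow job interval: $($ts.Days) day(s) $($ts.Hours)h $($ts.Minutes)m $($ts.Seconds)s"
}

# Assumed login helper from the sample module; prompts for the password and MFA.
$token = Centrify-InteractiveLogin-GetToken -Endpoint $Endpoint -Username $Username

# The three commands the procedure lists as the minimum for one export.
Set-EscrowKey   -Endpoint $Endpoint -Token $token -FilePath $PublicKeyPath
Set-EscrowEmail -Endpoint $Endpoint -Token $token -Emails ($Recipients -join ';')
Run-Escrow      -Endpoint $Endpoint -Token $token
if ($Schedule) { Schedule-Escrow -Endpoint $Endpoint -Token $token }

# Confirm what is now stored in the tenant configuration.
Get-EscrowEmail          -Endpoint $Endpoint -Token $token
Get-EscrowScheduleStatus -Endpoint $Endpoint -Token $token
```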
CSV File Data Attribute Fields
The following table describes the fields in the CSV output file.
For this template field | The following information is displayed
---|---
Entity Type | One of the following entity types: System, Domain, Database, Account.
Name |
FQDN |
Description | Descriptive information added for the entity. This field applies to Systems, Domains, Databases, and Accounts.
ComputerClass | One of the following values for the type of system added: Windows, Unix, GenericSsh, Cisco AsyncOS, CiscoIOS, CiscoNXOS, JuniperJunos, HPNonStopOS, IBMi, CheckPointGaia, PaloAltoNetworksPANOS, F5NetworksBIGIP, VMwareVMkernel.
ProxyUser | The name of the “proxy” user for a system. This field is optional and applies to Systems. For more information about the “proxy” user for Windows systems, see Configuring a proxy user for password operations; for UNIX and Juniper systems, see Specifying a proxy account for root.
ProxyUserPassword |
ProxyUserIsManaged | Whether the password for the “proxy” user is managed. This field is optional and applies to Systems. TRUE indicates the “proxy” account password is managed by Privileged Access Service; FALSE indicates the password is unmanaged.
ResourceDomain | The domain that the system is joined to. This field is optional and applies to Systems.
ResourceDomainOperationsEnabled | TRUE to use the domain administrative account to enable domain operations such as zone role workflow, or FALSE to not use the domain administrative account for domain operations. To enable domain operations for a system, the user must have Grant rights over the domain or the import will fail. This field applies to Systems.
ResourceSessionType | The remote connection type: Ssh for secure shell or Rdp for remote desktop. This field is required and applies to Systems.
ResourceSessionTypePort | The port used for remote connections. The default port for SSH is 22 and for RDP it is 3389. This field applies to Systems.
ResourceWindowsManagementMode | One of the following management modes used to manage the Windows system: Unknown (equivalent to auto-detect in the Admin Portal), Smb, WinRMOverHttp, WinRMOverHttps, RpcOverTcp, Disabled. This field applies to Systems.
ResourceWindowsManagementPort | The management port used for password management on Windows, F5 Networks BIG-IP, and Palo Alto Networks PAN-OS systems. This field applies to Systems.
PasswordProfile | Customized password profile name that defines the rules applied when managed passwords are generated for systems, domains, or databases. For more information about customized password profiles, see Configuring password profiles. This field applies to Systems, Domains, and Databases.
SetName | Name of the system, domain, database, or account set. Sets are logical groups of a particular type (system, domain, database, or account) that simplify management activity and reporting for entities with attributes in common. When an entity belongs to more than one set, the names are separated by a vertical bar, for example SystemSet1\|SystemSet2\|SystemSet3. This field applies to Systems, Domains, Databases, and Accounts.
DefaultCheckoutTime | The length of time (in minutes) that a checked-out password is valid. The minimum checkout time is 15 minutes. If no value is specified, the default is 60 minutes. Also see Setting system-specific policies. This field applies to Systems, Domains, Databases, and Accounts.
AllowRemote | TRUE (allows remote connections from a public network for the selected system) or FALSE (does not allow remote connections from a public network). This field is optional and applies to Systems.
ParentEntityTypeOfAccount | Entity type related to the account (System, Domain, or Database). This field applies to Accounts.
ParentEntityNameOfAccount | Display name of the system, domain, or database associated with the account. This field applies to Accounts.
User | User name for an account used with Systems, Domains, and Databases. This field applies to Accounts.
Password | The password for the account used with the system. This field is optional and applies to Accounts.
IsManaged | TRUE if Privileged Access Service manages the password for the account, or FALSE if the password is unmanaged. This field applies to Accounts.
AccountMode | Expert if an expert mode account exists for Check Point Gaia systems. This field applies to Systems.
UseProxy | TRUE if a “proxy” account is used for the system, or FALSE if no “proxy” account is used. For UNIX and Juniper systems, this field is used when your secure shell environment is configured to not allow the root user to access computers remotely over SSH. It is also used for Windows systems when you use a proxy account for Windows Remote Management (WinRM) connections to the system. This field applies to Accounts.
DatabaseServiceType | One of the following database types: SQLServer, Oracle, SAP Adaptive Server Enterprise (ASE). This field applies to Databases.
OracleServiceName | The service name assigned to the Oracle database. Also see Adding databases. This field applies to Databases.
SQLInstanceName | The instance name assigned to the SQL Server database. Also see Adding databases. This field applies to Databases.
DatabasePort | The port number used to check the status of the database and to update database passwords. This field applies to Databases.
ParentDomain | The name of the parent domain, if a child domain is configured. This field applies to Domains.
AdministrativeAccount | The administrative account in the format admin@childdomain, admin@mycompany.com, or a local account. This field applies to Systems and Domains.
AllowAutomaticAccountMaintenance | TRUE (allows out-of-sync passwords to be reset and managed accounts to be unlocked during login or checkout) or FALSE (does not allow this). Requires an administrative account to be defined for the domain. This field applies to Domains.
AllowManualAccountUnlock | TRUE (allows users with the Unlock Account permission to manually unlock accounts) or FALSE (does not allow accounts to be manually unlocked). Requires an administrative account to be defined for the domain. This field is optional and applies to Domains.
AllowMultipleCheckouts | FALSE (only one user may have the password checked out at any given time) or TRUE (multiple users may have the account password checked out at the same time without waiting for it to be checked in). Also see Allow multiple password checkouts. This field applies to Systems, Domains, and Databases.
AllowPasswordRotation | TRUE (Privileged Access Service rotates managed passwords periodically) or FALSE (it does not). This field applies to Systems, Domains, and Databases.
PasswordRotateDuration | The interval at which managed passwords are automatically rotated. This field applies to Systems, Domains, and Databases.
MinimumPasswordAge | The minimum number of days before a password is rotated. This field applies to Systems, Domains, and Databases.
AllowPasswordHistoryCleanUp | TRUE (allows periodic password history cleanup) or FALSE (does not allow periodic password history cleanup). This field applies to Systems, Domains, and Databases.
PasswordHistoryCleanUpDuration | The number of days after which retired passwords older than the duration are deleted. This field applies to Systems, Domains, and Databases.
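A check of a decrypted escrow CSV against the field rules in the table above, useful before re-importing the file. This is an added example, not part of the page or the Escrow module; the rows at the bottom are constructed sample data, and the allowed-value lists are taken from the table as written.

```powershell
# Added example, not part of the page or the Escrow module: check a decrypted
# escrow CSV against the field rules in the table above before re-importing it.
# The rows at the bottom are constructed sample data, not a real export.
$ComputerClasses = 'Windows','Unix','GenericSsh','Cisco AsyncOS','CiscoIOS','CiscoNXOS',
    'JuniperJunos','HPNonStopOS','IBMi','CheckPointGaia','PaloAltoNetworksPANOS',
    'F5NetworksBIGIP','VMwareVMkernel'                 # values as listed in the table
$BoolFields = 'ProxyUserIsManaged','ResourceDomainOperationsEnabled','AllowRemote',
    'IsManaged','UseProxy','AllowAutomaticAccountMaintenance','AllowManualAccountUnlock',
    'AllowMultipleCheckouts','AllowPasswordRotation','AllowPasswordHistoryCleanUp'
function Test-EscrowRow {
    param([pscustomobject] $Row, [int] $Line)
    $errors = @()
    $type = $Row.'Entity Type'
    if ($type -notin 'System','Domain','Database','Account') { $errors += "unknown Entity Type '$type'" }
    foreach ($f in $BoolFields) {              # flags are TRUE/FALSE or left blank
        $v = $Row.$f
        if ($v -and $v -notin 'TRUE','FALSE') { $errors += "$f must be TRUE or FALSE, got '$v'" }
    }
    if ($type -eq 'System') {
        if ($Row.ComputerClass -notin $ComputerClasses) { $errors += "unknown ComputerClass '$($Row.ComputerClass)'" }
        if ($Row.ResourceSessionType -notin 'Ssh','Rdp') { $errors += 'ResourceSessionType must be Ssh or Rdp' }
        $port = $Row.ResourceSessionTypePort   # blank means the default (22 for Ssh, 3389 for Rdp)
        if ($port -and ($port -notmatch '^\d+$' -or [int]$port -lt 1 -or [int]$port -gt 65535)) {
            $errors += "invalid ResourceSessionTypePort '$port'"
        }
    }
    if ($type -eq 'Account') {
        if ($Row.ParentEntityTypeOfAccount -notin 'System','Domain','Database') { $errors += 'bad ParentEntityTypeOfAccount' }
        if (-not $Row.User) { $errors += 'User is empty' }
    }
    $ct = $Row.DefaultCheckoutTime             # minutes; blank means 60, minimum is 15
    if ($ct -and ($ct -notmatch '^\d+$' -or [int]$ct -lt 15)) { $errors += "DefaultCheckoutTime '$ct' is below the 15-minute minimum" }
    foreach ($e in $errors) { Write-Warning "row ${Line}: $e" }
    return ($errors.Count -eq 0)
}

# Constructed sample: one valid system, one system with an unknown class, and one
# account whose checkout time is below the minimum.
$sample = @'
Entity Type,Name,ComputerClass,ResourceSessionType,ResourceSessionTypePort,ParentEntityTypeOfAccount,User,Password,IsManaged,DefaultCheckoutTime,SetName
System,web01,Unix,Ssh,22,,,,,60,Prod|Web
System,fw01,CiscoASA,Ssh,,,,,,,
Account,,,,,System,root,Example-Pass-1,TRUE,10,Prod
'@
$rows = @($sample | ConvertFrom-Csv)
$line = 1; $valid = 0
foreach ($r in $rows) { $line++; if (Test-EscrowRow -Row $r -Line $line) { $valid++ } }
$withSecrets = @($rows | Where-Object { $_.Password -or $_.ProxyUserPassword }).Count
"{0} of {1} rows valid; {2} row(s) contain password material" -f $valid, $rows.Count, $withSecrets
```

Replace the here-string with `Import-Csv -Path <decrypted export>` to run it over a real file; the final line reports how many rows carry Password or ProxyUserPassword values so the operator knows the file holds secrets.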