Configuring Password Storage

By default, the passwords for the accounts you add to the Privileged Access Service are stored securely in the Privileged Access Service. If you prefer to store them in a key management appliance or hardware security module appliance—such as an on-site SafeNet KeySecure appliance—you can configure the Privileged Access Service to store and retrieve system passwords using the supported external appliance.

Note that you must have the SafeNet KeySecure appliance installed and configured and available on the network before configuring it for the storage of Privileged Access Service passwords. You can use client certificates created by the Delinea service or a client certificate you have created on your own.

To Store Passwords in SafeNet KeySecure

  1. In the Admin Portal, click Settings, then click Resources to display the settings available for Privileged Access Service.

  2. Click Password Storage.

    If you have not yet configured secure communication between the Connector and the SafeNet KeySecure appliance, click Configure settings for SafeNet KeySecure to open global settings in the administrative portal for the Privileged Access Service. For more information about configuring SafeNet KeySecure to store passwords for Privileged Access Service accounts, see Managing Password Storage.

  3. Select the location for storing passwords.

    For example, select SafeNet KeySecure appliance to store passwords in a SafeNet KeySecure appliance.

  4. Click Save to save the password storage location.

    Saving a new password storage location prompts you to migrate passwords to the new location immediately. Click Yes to migrate all existing passwords. If you click No, only new passwords are stored in the new location; you can click Migrate Passwords at a later time to migrate previously stored passwords to the new location.

  5. Specify the email address where you want to receive notification of the migration results, then click Yes.

For more information about checking password migration status, see the following topics:

Managing Password Storage

By default, the passwords for the accounts you add to the Privileged Access Service are stored securely in a local repository if you are managing the service on your own network or in the Privileged Access Service if you are using the cloud-based service. If you prefer to store them in a key management or hardware security appliance such as an on-site or off-site SafeNet KeySecure appliance, you can configure the Privileged Access Service to store and retrieve account passwords using the supported external appliance.

For more information about managing account passwords using a key management appliance such as SafeNet KeySecure, see the following topics:

Configuring Communication with SafeNet KeySecure

If you want to use a SafeNet KeySecure appliance to store account passwords, you first must configure secure communication between the appliance and the Connector. Because this is a global setting, it is configured in the Admin Portal for the Privileged Access Service and requires you to have an account in the System Administrator role.

To Configure Communication with SafeNet KeySecure

  1. Select Switch to Admin Portal from the account name menu.

  2. Click the Settings tab.

  3. Select Resources from the list of setting categories, then select SafeNet KeySecure Configuration.

  4. Type the IP address or the fully-qualified domain name of the key management appliance and specify the port number you configured for the key server instance.

    If you have SafeNet KeySecure running on a cluster, you can specify multiple IP addresses separated by colons (:). For example, if configuring communication for a cluster, you would specify a list of IP addresses using a format similar to this:

    192.168.1.1:192.168.1.1:192.168.1.3

    This example specifies the IP addresses for appliances in a single tier. For more information about working with KeySecure appliances in clusters and specifying multiple tiers, see Working with appliances in a cluster.

  5. Click Upload to navigate to the SafeNet KeySecure Root CA certificate that you downloaded from the KeySecure appliance.

  6. Select the client certificate-issuing authority.

    If you select the Delinea-issued certificate, click Download to download the Delinea CA certificate that will make the Delinea-issued certificate trusted by the SafeNet KeySecure appliance. After downloading the certificate, you can use the SafeNet KeySecure management console to install the certificate on the appliance. For more information about installing the Delinea-issued certificate, see Install the client certificate.

    If you select Customer-issued certificate to use the client certificate you created in the KeySecure management console or using another tool, click Upload. You can then navigate to and select the client certificate that you want to use for the Connector.

    Uploading a client certificate you created will prompt you for a password. If the client certificate requires a password to authenticate, type the password, then click Continue. If no password is required, simply click Continue without specifying a password.

  7. Click Save to save the configuration settings.
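
The appliance address field in step 4 uses a colon as the list separator, so a malformed or duplicated entry is easy to miss before you click Save. The following pre-check is an added example, not part of the product or its documentation: it splits the list the way the field describes, accepts only IPv4 addresses or hostnames (the colon separator leaves no way to express an IPv6 literal, which is an assumption made here), validates the port range, and flags repeated appliances such as the one in the example list above. The port value and host names in the test are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# RFC 1123 hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class ClusterConfig:
    hosts: list            # validated appliance addresses, in the order given
    port: int
    warnings: list = field(default_factory=list)  # non-fatal findings to review


def _is_hostname(name: str) -> bool:
    """Accept a single-label or fully-qualified hostname; reject all-numeric names,
    which are almost always a truncated IPv4 address or an IPv6 fragment."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_keysecure_cluster(address_field: str, port: int) -> ClusterConfig:
    """Validate the colon-separated appliance list and port before saving.

    Assumption (not stated by the documentation): each entry is an IPv4
    address or hostname. IPv6 literals cannot be used because ':' is the
    list separator; '::1' would be split into empty entries and rejected.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    entries = [e.strip() for e in address_field.split(":")]
    if any(e == "" for e in entries):
        raise ValueError("empty entry in address list (doubled, leading or trailing colon)")
    cfg = ClusterConfig(hosts=[], port=port)
    seen = set()
    for entry in entries:
        try:
            ipaddress.IPv4Address(entry)
        except ValueError:
            if not _is_hostname(entry):
                raise ValueError(f"{entry!r} is neither an IPv4 address nor a valid hostname")
        if entry.lower() in seen:
            cfg.warnings.append(f"duplicate entry {entry!r}: the same appliance is listed twice")
        seen.add(entry.lower())
        cfg.hosts.append(entry)
    if len(cfg.hosts) == 1:
        cfg.warnings.append("only one appliance listed: no failover target in this tier")
    return cfg
```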

After you have saved the configuration—including uploading or downloading and installing the client certificate—you can verify communication between the Privileged Access Service and the SafeNet KeySecure appliance. However, the option to test the connection is only available after you complete the configuration.

For complete information about installing and configuring a SafeNet KeySecure key management appliance, see the KeySecure Installation and Configuration Guide.

Viewing Migration Status

After you start the job, you can view the status and results of the job by clicking View Migration Job Status and Reports or wait to receive email notification that migration is complete. The email notification will provide a link to the job history. You can then click the link in the email to see details about the migration results. Because the job history report can list details for different types of jobs, you can use the Search field to filter the jobs displayed.

For complete information about installing and configuring a SafeNet KeySecure hardware appliance, see the KeySecure Installation and Configuration Guide and Managing Password Storage.

Notification if Managing the Service On-site

If you have installed Privileged Access Service on your internal network and are managing the service yourself, you must configure the settings for a custom Simple Mail Transport Protocol (SMTP) mail server in the administrative portal to receive email notification about the results of password migration jobs. For details about post-installation configuration steps when you deploy Privileged Access Service as an on-site service, see the Installation and Configuration Guide for On-Site Deployment.