Keyfactor Integrations Setup in Secret Server
Before setting up Keyfactor, configure Secret Server to hold the credentials Keyfactor will retrieve and prepare the Keyfactor server to use the Delinea SDK. This requires the following steps, each described below:
- Create a Delinea Secret Server secret that holds the credential.
- Add an application (API) user for Keyfactor in Secret Server.
- Grant that user permission to each secret Keyfactor will read.
- Create an API application (SDK client onboarding rule) in Secret Server.
- Grant the Keyfactor service extended permissions so the Delinea SDK can create credential files in C:\Windows\System32\inetsrv.
Create a Delinea Secret Server Secret
To create a Secret Server secret:
- Open the Delinea Secret Server application in a web browser.
- In Secret Server, select Secrets from the left menu.
- On the Secrets page, select the Plus button at the top right of the page and select New Secret.
- In the Create New Secret dialog, select the Password template (used for passwords, usernames, access keys, and similar values).
- In the Create New Secret dialog, give the secret a name and enter the value to pass to Keyfactor (the password, username, access key, etc.) in the Password box.
- Select Create Secret.
- Take note of the number at the end of the URL on the Secret View screen in Secret Server. This is the ID of your secret and is needed when configuring the secret in Keyfactor.
Add an API User for Keyfactor in Delinea Secret Server
Keyfactor uses an application user account in Delinea Secret Server to access secrets.
To create an application user account:
- Open the Delinea Secret Server application in a web browser.
- In Secret Server, select Admin from the left menu and then select Users.
- On the Users page, select Create New.
- On the Edit User page, select Advanced and enter the Username, Display Name, and Email for the API user.
- Under Advanced, select the Application Account checkbox and save the user account.
Grant the Keyfactor API User Permissions to Secrets
The Delinea Secret Server application user must have permission to read each secret created for Keyfactor certificate stores. Sharing is per secret: if Keyfactor uses more than one secret, grant the user permission on each one separately.
To grant permissions to a secret in Delinea Secret Server:
- Open the Delinea Secret Server application in a web browser.
- In Secret Server, select Secrets from the left menu.
- On the Secrets page, select the secret you want to share with the application user.
- On the secret's page, go to the Sharing tab and select Edit.
- Under Add Groups/Users, enter the name of your application user, search, and select the user.
- Ensure the user has at least the View permission, then save the secret record.
Create an API Application in Delinea Secret Server
Keyfactor uses an API application in Delinea Secret Server to interact with Secret Server.
To create an API application:
- Launch the Delinea Secret Server application in a web browser.
- In Secret Server, select Admin > See All.
- From the Administration menu, select SDK Client Management.
- On the SDK Client Management page, select Client Onboarding and slide the Disabled/Enabled toggle to Enabled.
- Select the Plus symbol next to Rule.
- Enter a Name for the rule and remember it. You will reference it when creating the PAM provider in Keyfactor.
- In the Details box, enter the IP address of your Keyfactor server.
- In the Assignment drop-down list, select the application user you created for API use with Keyfactor.
- Select the Require this generated onboarding key checkbox and select Save.
- On the SDK Client Management page, select Show Key for your new rule. Make a note of the displayed key; it is required to create the PAM provider in Keyfactor.
It is easy to copy an extra space (or line break) at the end of the rule key. When configuring the PAM provider in Keyfactor, paste the key exactly, with no leading or trailing whitespace. If the key is pasted incorrectly, Delinea Secret Server returns an error when Keyfactor tries to connect, but the message does not point at the key; it reads only “Object reference not set to an instance of an object.”
Grant the Keyfactor Service Extended Permissions
The Keyfactor service needs extended permissions on the Keyfactor server for the following reasons:
- Keyfactor connects to Delinea Secret Server through Delinea's SDK.
- To access Secret Server, the Delinea SDK component generates credential files in the C:\Windows\System32\inetsrv directory on the Keyfactor server.
- To create those files, the Keyfactor application pool and service accounts require write access to that directory.
- Granting the application pool and service users local administrative permissions on the Keyfactor server is the most practical way to provide access to this protected directory. Note that the actual requirement is write access to that one directory; local administrator membership grants far more than that, so weigh it against your own least-privilege policy before choosing it.
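The following PowerShell is added here as an example; it is not part of the Keyfactor or Delinea documentation and not their code. It performs the two preflight checks the sections above call for on the Keyfactor server: it trims and validates a pasted onboarding key (the trailing-space problem described under Create an API Application in Delinea Secret Server), and it checks whether the application pool and service accounts can already write to C:\Windows\System32\inetsrv and, if not, grants Modify on that directory only, as a narrower alternative to local administrator membership. The account names ('IIS AppPool\KeyfactorPortal', 'CONTOSO\svc-keyfactor') and the key value are placeholders, assumed for the example, and must be replaced with your own.

```powershell
# Added example; not Keyfactor's or Delinea's own code. Run in an elevated
# PowerShell session on the Keyfactor server. The account names below are
# assumptions: substitute the identities your Keyfactor application pool
# ("IIS AppPool\<pool name>" for a virtual account) and Windows service run as.

$InetsrvPath = 'C:\Windows\System32\inetsrv'
$Identities  = @('IIS AppPool\KeyfactorPortal', 'CONTOSO\svc-keyfactor')  # assumed names

function Test-OnboardingKey {
    # Returns the key with surrounding whitespace removed. A trailing space or
    # line break copied with the key is the usual cause of the opaque
    # "Object reference not set to an instance of an object" error.
    param([Parameter(Mandatory)][string]$RawKey)

    $clean = $RawKey.Trim()
    if ([string]::IsNullOrEmpty($clean)) {
        throw 'Onboarding key is empty.'
    }
    if ($clean -match '\s') {
        throw 'Onboarding key contains embedded whitespace; re-copy it from SDK Client Management > Show Key.'
    }
    if ($clean.Length -ne $RawKey.Length) {
        Write-Warning ('Removed {0} leading/trailing whitespace character(s) from the onboarding key.' -f ($RawKey.Length - $clean.Length))
    }
    return $clean
}

function Test-InetsrvWriteAccess {
    # Returns $true when the identity holds an explicit Allow ACE on the directory
    # that includes the Write rights (Modify and FullControl both do). Only direct
    # ACEs are inspected; rights the account gets through group membership
    # (for example local Administrators) are not resolved here.
    param([Parameter(Mandatory)][string]$Identity)

    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $acl   = Get-Acl -Path $InetsrvPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $write) -eq $write)) {
            return $true
        }
    }
    return $false
}

function Grant-InetsrvWriteAccess {
    # Grants Modify on the directory, inherited by files and subfolders created
    # in it ((OI)(CI)), to one identity. icacls changes only the DACL, so the
    # owner of this system directory (TrustedInstaller) is left untouched.
    param([Parameter(Mandatory)][string]$Identity)

    & icacls.exe $InetsrvPath /grant "${Identity}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed (exit code $LASTEXITCODE) granting Modify on $InetsrvPath to $Identity"
    }
}

# 1. Validate the onboarding key pasted from Secret Server (placeholder value,
#    deliberately carrying a trailing space to show the trim warning).
$OnboardingKey = Test-OnboardingKey -RawKey 'paste-the-show-key-value-here '

# 2. Make sure each Keyfactor identity can write to inetsrv; grant only if missing.
foreach ($id in $Identities) {
    if (Test-InetsrvWriteAccess -Identity $id) {
        Write-Host "$id already has write access to $InetsrvPath"
    } else {
        Grant-InetsrvWriteAccess -Identity $id
        Write-Host "Granted Modify on $InetsrvPath to $id"
    }
}
```

Use the value returned by Test-OnboardingKey when you paste the key into the Keyfactor PAM provider. After granting the directory permission, restart the Keyfactor application pool and service so the SDK can create its credential files under the new ACL; if the connection still fails, fall back to the local administrator approach described above.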