Preparing for Delinea Automation

Automation covers unattended silent installation and avoiding password-type credentials, which should be reserved for interactive authentication. Delinea recommends the following practices for silent installation and automated management:

  • Delinea software deployment on Unix and Linux is supported through the Delinea repository, which is reachable publicly (or can be mirrored if you plan to deploy onto systems that cannot access the Internet).

  • For Active Directory management operations, Delinea recommends using a privileged service account together with a Kerberos keytab file, so that password authentication is not needed.

  • For Delinea Identity Platform management operations, Delinea recommends registration codes for system enrollment and the OAuth2 protocol for REST API calls.

Configuring Delinea Repo

Ansible can manage the repository configuration itself (the sample Playbooks below do so), but the Delinea packages must first be reachable from a repo configured on your Ansible server, using the configuration appropriate for your Linux distribution. The example below sets up a Yum repository and assumes the Ansible server runs Red Hat Enterprise Linux or a Red Hat derivative (for example, CentOS, Fedora, etc.).

Setup example using the Yum repo:

  1. Obtain your repo token by following the instructions in the Delinea Customer Portal.

  2. Set up the repo by creating /etc/yum.repos.d/centrify.repo, replacing username:password with the repo credentials from the portal. Because the file embeds those credentials, keep it owned by root with mode 0600 (yum runs as root and can still read it).

    [centrify]
    name=centrify
    baseurl=https://username:password@repo.centrify.com/rpm-redhat/
    enabled=1
    repo_gpgcheck=1
    gpgcheck=1
    gpgkey=https://downloads.centrify.com/products/RPM-GPG-KEY-centrify

  3. Verify proper operation by running the following commands (the first line of output is yum loading the centrify repo metadata):

    $ sudo yum list Centrify*
    $ sudo yum info CentrifyDC

    centrify
    Available Packages
    Name        : CentrifyDC
    Arch        : i386
    Version     : 5.3.1
    Release     : 324
    Size        : 24 M
    Repo        : centrify
    Summary     : Centrify DirectControl Agent
    URL         : http://www.centrify.com/

For more details on all Delinea repos available, visit the Delinea Customer Portal.
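The repo file above embeds the repo credentials, so two things are worth checking on every host that receives it: that both signature checks stay enabled, and that a file carrying credentials is not world-readable. The script below is an added example, not Delinea's own tooling; it renders the repo definition from this page with the credentials passed in as variables (assumed to be the username/password pair obtained as the repo token from the Customer Portal) and lints the result. The INSTALL_REPO, CENTRIFY_REPO_USER and CENTRIFY_REPO_PASS variable names are this example's own.

```shell
#!/bin/sh
# Added example, not Delinea's own tooling: render /etc/yum.repos.d/centrify.repo
# from variables so the repo credentials never sit in a playbook, then lint the
# result. The username/password pair is assumed to be the repo token credentials
# obtained from the Delinea Customer Portal.

# render_centrify_repo USER PASS: print the repo definition used on this page.
render_centrify_repo() {
  printf '%s\n' \
    '[centrify]' \
    'name=centrify' \
    "baseurl=https://$1:$2@repo.centrify.com/rpm-redhat/" \
    'enabled=1' \
    'repo_gpgcheck=1' \
    'gpgcheck=1' \
    'gpgkey=https://downloads.centrify.com/products/RPM-GPG-KEY-centrify'
}

# lint_repo_file FILE: succeed only if package and metadata signature checks are
# on and, when the baseurl embeds credentials, the file is not world-readable.
lint_repo_file() {
  f=$1
  grep -qx 'gpgcheck=1' "$f" || { echo "$f: gpgcheck must be 1" >&2; return 1; }
  grep -qx 'repo_gpgcheck=1' "$f" || { echo "$f: repo_gpgcheck must be 1" >&2; return 1; }
  if grep -q '^baseurl=https://[^/@]*:[^/@]*@' "$f"; then
    # last octal digit = "other" bits; any value 4-7 means world-readable
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
      *[4-7]) echo "$f: embeds credentials but is world-readable (mode $mode); chmod 600 it" >&2
              return 1 ;;
    esac
  fi
  return 0
}

# Install step, run as root and only when explicitly requested, so the functions
# above can be sourced or tested without touching the system:
#   CENTRIFY_REPO_USER=... CENTRIFY_REPO_PASS=... INSTALL_REPO=1 sh centrify-repo.sh
if [ "${INSTALL_REPO:-0}" = 1 ]; then
  dest=/etc/yum.repos.d/centrify.repo
  umask 077                                  # a newly created file gets mode 0600
  render_centrify_repo "$CENTRIFY_REPO_USER" "$CENTRIFY_REPO_PASS" > "$dest"
  chmod 600 "$dest"                          # also covers a pre-existing file
  lint_repo_file "$dest" || exit 1
  yum list 'Centrify*'                       # same verification step as above
fi
```

Ansible can perform the same render and chmod with a template task; whichever tool writes the file, pass the credentials in from a vault or environment variable rather than committing them to a playbook.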

Configuring the Service Account Kerberos Secret

Enrolling servers in Active Directory with the Delinea agent requires privileged authentication to create or update objects in the domain. The Delinea adjoin command supports three methods for performing these administrative operations:

  • Interactive authentication, using a privileged Active Directory user principal and entering credentials when prompted. This option suits a manual join; automation should use one of the two options below, as neither requires disclosing a password.

  • Kerberos authentication, using a ticket-granting ticket (TGT) for a privileged service account. To obtain a TGT for the service account principal without entering a password, Delinea recommends a Kerberos secret commonly called a keytab file (short for "key table"): a file containing pairs of Kerberos principals and their keys, which are derived from the principal's password. A keytab lets scripts authenticate with Kerberos without human interaction and without storing the password in a plain-text file; the acquired credentials can then be used to reach remote systems. Because the keys are derived from the password, every keytab for the account must be regenerated whenever that password changes.

  • Self-service authentication, using a computer account pre-created in Active Directory.

To create a Kerberos secret named /etc/adjoin.keytab for the service account, run the following command:

[root@lnx-prodapp01 ~]# adkeytab --keytab /etc/adjoin.keytab --user admin-cathy@domain.com --adopt svc_delineaadjoin
admin-cathy@DOMAIN.COM's password:
Success: Adopt Account: svc_delineaadjoin
[root@lnx-prodapp01 ~]# ls -l /etc/adjoin.keytab
-rw-------. 1 root root 237 Mar 18 09:42 /etc/adjoin.keytab

The user specified with --user must be a privileged Active Directory account with permission to change the password of the targeted service account, since adopting the account sets a new password for it (any other keytab previously generated for that account therefore stops working). The service account itself should be granted permission to join computers to zones, remove computers from zones, and manage computer passwords. Keep the keytab owned by root with mode 0600, as shown: anyone who can read it holds the equivalent of the service account's password.

To verify the keytab file, list its key entries (principals and key version numbers) with the Kerberos ktutil utility:

[root@lnx-prodapp01 ~]# ktutil
ktutil:  read_kt /etc/adjoin.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1    3          svc_delineaadjoin@DOMAIN.COM
2    3          svc_delineaadjoin@DOMAIN.COM
3    3          svc_delineaadjoin@DOMAIN.COM
ktutil:  quit

The three entries carry the same principal and KVNO because one key is stored per encryption type.

As a final verification, use the keytab file to obtain a Kerberos ticket-granting ticket for the service account principal. Run the following commands (and run kdestroy afterwards, so that a privileged TGT is not left in the root ticket cache):

[root@lnx-prodapp01 ~]# kinit -kt /etc/adjoin.keytab svc_delineaadjoin@DOMAIN.COM
[root@lnx-prodapp01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_delineaadjoin@DOMAIN.COM
Valid starting     Expires            Service principal
18/03/20 11:20:51  18/03/20 21:20:51  krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 19/03/20 11:20:51
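The manual checks above (file mode, key entries, kinit) are the ones an automation job should repeat before each run, and the failure mode the text warns about, a keytab made stale by a password change, shows up as a KVNO mismatch between the keytab and the KDC. The script below is an added example, not Delinea's own tooling. It assumes the MIT Kerberos command-line tools (klist, kinit, kvno, kdestroy), the keytab path and principal from this page, and that the AD KDC will issue a ticket for the service account's own principal name so that kvno can report the current key version; the RUN_LIVE_CHECK variable is this example's own.

```shell
#!/bin/sh
# Added example, not Delinea's own tooling: check a service-account keytab before
# handing it to automation. Assumes MIT Kerberos command-line tools (klist, kinit,
# kvno, kdestroy) and the keytab path and principal used on this page.
KEYTAB=${KEYTAB:-/etc/adjoin.keytab}
PRINCIPAL=${PRINCIPAL:-svc_delineaadjoin@DOMAIN.COM}

# keytab_perms_ok FILE [OWNER]: the keytab is a password-equivalent secret, so it
# must belong to OWNER (default root) and grant no group/other access.
keytab_perms_ok() {
  file=$1; want=${2:-root}
  owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$owner" = "$want" ] || { echo "$file: owned by $owner, expected $want" >&2; return 1; }
  case "$mode" in
    *00) return 0 ;;
    *)   echo "$file: mode $mode grants group/other access; chmod 600 it" >&2; return 1 ;;
  esac
}

# keytab_kvno KLIST_KT_OUTPUT PRINCIPAL: highest key version stored for PRINCIPAL
# (0 if absent). Input is the text printed by `klist -kt FILE`.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno KVNO_OUTPUT: key version the KDC currently uses, parsed from the
# "principal: kvno = N" line printed by `kvno PRINCIPAL`.
kdc_kvno() {
  printf '%s\n' "$1" | awk -F'kvno = ' 'NF > 1 { print $2 + 0 }'
}

# keytab_is_current KEYTAB_KVNO KDC_KVNO: a mismatch means the account password was
# changed after adkeytab ran and the keytab must be regenerated.
keytab_is_current() { [ "$1" -eq "$2" ]; }

# Live check, run only on request so the functions can be sourced or tested offline:
#   RUN_LIVE_CHECK=1 sh check-keytab.sh
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
  keytab_perms_ok "$KEYTAB" || exit 1
  cc=$(mktemp)                          # private ticket cache, not /tmp/krb5cc_0
  kinit -c "$cc" -kt "$KEYTAB" "$PRINCIPAL" \
    || { echo "kinit failed: keys stale or wrong principal?" >&2; rm -f "$cc"; exit 1; }
  kt=$(keytab_kvno "$(klist -kt "$KEYTAB")" "$PRINCIPAL")
  kdc=$(kdc_kvno "$(KRB5CCNAME=$cc kvno "$PRINCIPAL")")
  kdestroy -c "$cc"                     # do not leave a privileged TGT behind
  if [ -n "$kdc" ] && keytab_is_current "$kt" "$kdc"; then
    echo "keytab OK: kvno $kt matches the KDC"
  else
    echo "keytab kvno $kt but KDC reports '$kdc'; rerun adkeytab --adopt" >&2; exit 1
  fi
fi
```

Using a private credential cache and destroying it at the end is the difference between a verification step and leaving a reusable privileged TGT readable by root on the box; the kinit step alone already fails on a stale keytab, and the KVNO comparison turns that failure into a specific diagnosis.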


Creating a Registration Code

To allow unattended enrollment of systems into the Delinea Identity Platform, create a registration code; it authenticates and authorizes the enrollment when you use the cenroll command from the Delinea Client or a custom script that calls the REST API.

To create a registration code in Delinea Privileged Access Service portal:

  1. Log in to the Delinea Privileged Access Service portal with an account that is a member of the System Administrators role.

  2. Navigate to Settings > Enrollment > Enrollment Codes, then select Add.

  3. On the Settings tab, choose a Delinea role as the owner of this registration code.

  4. On the IP Range Restrictions tab, list the public IP addresses from which this code may be used (or the internal IP addresses and ranges if you run a customer-managed PAS installation rather than a Delinea Cloud tenant). A code with no IP restriction can be used from anywhere by anyone who obtains it.

  5. On the System Sets Allowed tab, you can restrict which System Sets an enrolling system may be added to.

  6. After saving the registration code, you are prompted to copy the generated code for later use (you can view it again at any time by selecting the existing code and then Actions).

A registration code can be limited by an expiration date or by a maximum number of systems that may be enrolled before it expires. You can create more than one registration code at any time, which helps delegate enrollment across multiple environments. The owner of a registration code automatically receives permissions on every system enrolled with that code.