Managing Passwords For Services

You can use the Privileged Access Service to store and retrieve passwords for accounts that are used to access services and in scripts. For example, it is common for organizations to run automated scripts to monitor the operation of computers and devices on the network or to perform administrative tasks without human intervention. In many cases, these scripts require service accounts with permission to perform privileged operations, such as automatically archiving or removing data from a database. If you have scripts or services that require access to password-protected systems, you might run the risk of having plain text passwords visible.

There are two main password management issues when passwords are required to perform automated or administrative tasks in services or scripts without user interaction:

  • Passwords that are hard-coded into scripts are exposed: any user who can open the script can see the password in plain text.
  • Passwords that are changed periodically to adhere to an organization’s security policies require every script that uses them to be updated each time the password changes.

With Privileged Access Service, you can address both of these issues by doing the following:

  • Download the Cloud Client package.
  • Identify the computer’s service account passwords that need to be stored securely.
  • Identify which client computers are allowed to access the stored server account passwords.
  • Enroll the server and client computers as systems in the Privileged Access Service.
  • Grant the Agent Auth permission to the local and service user accounts that are allowed to access the stored and managed account passwords.
  • Modify or create scripts on client computers to replace plain text passwords with calls to the cgetaccount command included in the client package.

For more information about managing passwords used to access services and in scripts, see the following topics:

Adding Computers as Systems

Before you can configure application-to-application password management, you need to add the computers that will be communicating with each other to the Privileged Access Service. You can complete this step by registering computers in the Privileged Access Service as described in "Enrolling a computer".

If you register a computer and enable the aapm feature, the service user account for the computer is automatically added to a Client Management role with administrative rights to use commands such as the csetaccount, cgetaccount, and cdelaccount commands. You can then use these commands in scripts to set, retrieve, and delete managed account passwords. The permissions required are set automatically as part of registration.

Adding Privileged Accounts and Passwords

If you have existing scripts that access protected systems or privileged accounts, you might have existing local account profiles defined in the /etc/passwd file for which you want to manage passwords. If you have an existing local account, you can use the csetaccount command interactively or in a script to add the local account and corresponding password to the Privileged Access Service.

For example, you can type the following command to set the password interactively for the local root account and add the password for the account to the Privileged Access Service:

csetaccount root

This command prompts you for the account password, then stores the account name and password as an unmanaged password in the Privileged Access Service.

To protect the passwords for accounts with privileged access, you can have the passwords managed by the Privileged Access Service. For example, you might have a local administrative account named myoracle that requires access to the root account on a remote computer.

If you want the Privileged Access Service to manage the password for the myoracle account, you can add the account by running the following command interactively or in a script:

csetaccount --managed true myoracle

If you type the correct password for the account, the account is added to the Privileged Access Service and a new randomly-generated password is set. You can verify the new account is listed for the system in the Admin Portal.

If you view details for the account, you can confirm the account password is managed by the Privileged Access Service.

Integrating with other Privileged Access Service

If you don’t already have local accounts for running services and scripts, you can create them using a program such as useradd or by using Access Manager, adedit, or the Access Module for PowerShell if your organization uses additional Privileged Access Service. If you use Privileged Access Service for privilege elevation, you can also define command rights and roles for users who have access to privileged account passwords.

For an example that illustrates how to use client commands in a notification script to set randomly-generated passwords for local accounts, then store those passwords in the Privileged Access Service, see the sample script in the /usr/share/centrifycc/samples/localacctmgmt directory.

Selecting the Password Storage Location

Passwords can be stored securely in the Privileged Access Service or in a key management appliance such as SafeNet KeySecure. However, configuring the password storage location is done separately from adding passwords to the Privileged Access Service. For information about configuring the password storage location, see Managing password storage.

Authorizing Password Check Out

To enable a service user account running a script on a client computer to access the password for a service user account on a server, you must add the client service user account to the list of accounts that have access to the system, or to a role that has the Agent Auth permission, so that the service user can authenticate using the Cloud Client.

To add the client service user and set the permissions

  1. Open the administrative portal from the account name menu.

  2. Click Resources > Systems to select the server system (centos-6) with the account—such as the local root account—the client service user (sles12$) needs to access.

  3. Select the local account for the server system.

    For example, select the root account for the centos-6 computer to display the account details.

  4. Click Permissions, then click Add to add the service user that needs to check out the password for the account on the system.

  5. Type a search string to locate the client service user account.

    For example, if the service user for the client computer where the script will run is sles12$@cpubs.net, you might type sl to find the account.

  6. Select the appropriate account in the results, then click Add.

  7. Select the Checkout permission to allow this account to retrieve the stored password.

  8. Click Save.

For details about the command-line options for the cgetaccount command, run the command with the --help option or display its man page.

Retrieving Privileged Account Passwords

You can use the cgetaccount command to check out a password interactively or to retrieve a password silently in a script. For example, you might have a local service account named myoracle with a password that is managed by the Privileged Access Service on the registered computer sles12. To use this account to run a script or open a secure shell, you might need to look up the current password. You can check out the password for the managed account interactively by running a command like this:

cgetaccount --lifetime 5 myoracle

You are prompted to confirm the checkout and the checkout lifetime:

Password for account "myoracle" will be checked out. The checkout will be logged and expire in 5 minutes.
Do you want to continue and display the password? (y/n) y

If you type y to confirm the checkout, the password is displayed on standard output (stdout):

Password for myoracle: ```Fo(*~7Ohh()>UOeO

Retrieving a Remote Password Interactively

In a more complex scenario, you might need to check out the password for an account on a remote computer. To illustrate this scenario, the client computer is a registered SuSE Linux computer (sles12) with the local myoracle account that needs access to the password for the root user account on the remote CentOS Linux computer (centos-6).

If you have configured the sudoers file for the myoracle account, you might retrieve the password for the root account interactively by running commands similar to the following:

cgetaccount --lifetime 10 myoracle

Because myoracle is a managed account, you might need to display and copy its password. You can then switch to the myoracle account and use it to get the password for the root account:

su myoracle
sudo cgetaccount --lifetime 30 CentOS-6.acme.com/root

myoracle's password:

In this example, CentOS-6.acme.com is the name of the system as it is stored in the Privileged Access Service. The system name might be the same as or different from the host name or DNS name. You are prompted to confirm the checkout for the root account. If you type y to continue and the password for the root account is also managed in the Privileged Access Service, the current password is displayed and will be changed when the checkout period—in this example 30 minutes—expires.

Password for root: 8epM/qL3GtQ[D>aYe.*|

Retrieving a Password Using A Command Right

If you have configured a command right for the myoracle account, you might retrieve the password for the root account interactively by running a command similar to the following:

su myoracle
dzdo cgetaccount CentOS-6.cpubs.net/root

Retrieving a Password In a Script

You can call the cgetaccount command from within a script to silently retrieve an account password from the Privileged Access Service. By calling the command within a script using a dedicated user account such as the myoracle account, you can prevent other services or scripts from using the client service user account to retrieve a server account password. If you want to use the cgetaccount command to check out, use, and update a managed password from within a script, however, additional steps are necessary to configure the appropriate client and server accounts.

The following example illustrates a shell script that retrieves the password for the myoracle account silently on the sles12 system to perform a backup operation. In this example, the password is checked out for 10 minutes and is displayed as standard output (stdout).

#!/bin/bash

# Check out the myoracle password on sles12 silently (-s) for 10 minutes (-t 10).
# Quote $PASSWORD when passing it on: managed passwords contain shell metacharacters.
if PASSWORD=$(cgetaccount -s -t 10 sles12/myoracle); then
    ./run_backup.sh sles12/myoracle "$PASSWORD"
else
    echo "Failed to get the password for the account."
fi

For additional examples of calling the cgetaccount command within a script, see the sample scripts in the /usr/share/centrifycc/samples/apppassword directory.

Rotating Stored Passwords

When you run cgetaccount, you check out the account password for a specified period of time (example: one hour). The account password automatically rotates after that time expires. With crotatepasswd you can force the password to rotate so that no one else can use that password and you can do so without waiting for the specified period of time to expire.

The crotatepasswd command rotates the password for the specified account from Privileged Access Service. The account can be a system, domain, or database account.

  • If you execute crotatepasswd specifying the -f option, it ignores any password checkouts and forces a password rotation.
  • To run the crotatepasswd command, you must be logged in as root and the computer where you run crotatepasswd must be registered in Privileged Access Service and the Application-to-Application Password Management feature must be enabled.
  • As a suggestion, during downtime, have a script execute crotatepasswd. If crotatepasswd succeeds, have the script then call cgetaccount to get the freshly-rotated password.
  • You can force a password rotation for the account "user" on "DOMAIN1" and ignore any password checkouts by running a command such as: crotatepasswd -T domain -f DOMAIN1/user.
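The silent checkout shown in the sles12/myoracle backup script and the rotate-then-fetch suggestion above can be combined in a few bash functions. The following is an added example, not from this documentation or the Cloud Client sample scripts: it hands the checked-out password to the consumer on stdin instead of on the command line (arguments are typically visible to other local users through ps) and forces rotation with crotatepasswd -f as soon as the consumer has finished. The function names, the consumer interface, and the stderr messages are this example's own assumptions; the cgetaccount -s -t and crotatepasswd -T/-f options are the ones this page documents.

```shell
#!/bin/bash
# Added example: wrap cgetaccount/crotatepasswd so a script never exposes a
# checked-out password on a command line. The Cloud Client commands are called
# by name, so they can be shadowed by shell functions when testing offline.

# checkout_password ACCOUNT [MINUTES]
# Prints the password checked out silently (-s) for MINUTES (-t) on stdout.
# Returns 1 and prints nothing if the checkout fails or comes back empty.
checkout_password() {
    local account="$1" minutes="${2:-10}" pw
    pw=$(cgetaccount -s -t "$minutes" "$account") || return 1
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# run_with_password ACCOUNT MINUTES CMD [ARGS...]
# Runs CMD with the password on its stdin and the account name in $ACCOUNT,
# so the secret never appears in argv. Returns CMD's exit status, or 2 when
# the checkout itself failed (CMD is then not run at all).
run_with_password() {
    local account="$1" minutes="$2" pw rc
    shift 2
    pw=$(checkout_password "$account" "$minutes") || {
        echo "checkout failed for $account" >&2
        return 2
    }
    ACCOUNT="$account" "$@" <<< "$pw"
    rc=$?
    pw=""
    return "$rc"
}

# rotate_after_use TYPE ACCOUNT
# Forces an immediate rotation (crotatepasswd -f ignores open checkouts) so the
# password the consumer just used stops working before its lifetime expires.
# TYPE is the crotatepasswd -T value, e.g. domain; crotatepasswd must run as root.
rotate_after_use() {
    crotatepasswd -T "$1" -f "$2"
}

# Usage (run_backup.sh is an assumed consumer that reads the password from stdin):
#   run_with_password sles12/myoracle 10 ./run_backup.sh
#   rotate_after_use domain DOMAIN1/user   # the crotatepasswd call shown on this page
```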