Creating or Editing Secret Templates
Editing Secret Templates
- Select Admin > Secret Templates in the Core Actions section. The Secret Templates page appears.
- Click the template name in the Secret Templates column. That template's page appears.
- Click the desired tab for the configuration you want to change. See the Creating or Importing a New Template section for details.
Creating or Importing a New Template
Task 1: Creating the Template
- Select Admin > Secret Templates in the Core Actions section. The Secret Templates page appears.
- Click the Create / Import Template button. The Create Template pop-up page appears.
- If importing the template, click to select the Import XML selection button.
- Type the name of the new template in the Template Name text box.
- Click the Save button. The new template's setup page on the General tab appears. The page provides all the options for configuring a secret template, as well as which text-entry fields appear on any secret created from that template.
Task 2: Adding General Settings and Setting an Expiration or One-Time Password
- On the General tab, click the Edit link in the Template Settings section. The section becomes editable.
- Edit the settings as desired. They include:
  - Secret Template Name text box.
  - Name Pattern text box. See Template Naming Patterns.
  - Description: An optional description for the template.
  - All History check box: If this check box is enabled, Secret Server keeps all entries for viewing. This feature creates a record of every name used when a new secret is created.
  - Secret Name History Length text box: If All History is disabled, Secret Server keeps this number of entries for viewing.
  - Validate Password Requirements on Create? check box: Ensures requirements are met on secret creation.
  - Validate Password Requirements on Edit? check box: Ensures requirements are met when editing a secret.
  - Required Permission To Edit Password Change Configuration dropdown list: Specifies which permission is required to edit the password change configuration on a secret from this template.
- Click the Save button.
- Click the Edit link for the Template Expiration section. Secret expiration applies to one field of a secret template (most commonly the password field) and may trigger a password change for that secret if auto-change is enabled for RPC.
- Click to select the Expiration Enabled? check box. Two additional controls appear.
- Type the number of days until expiration in the Days until Expiration text box.
- Click the Change Required On dropdown list to choose the field the expiration applies to.
- Click the Save button. Secret Server begins providing alerts if the secret text-entry field is not changed within the specified expiration period.
- Click the Edit link for the One Time Password section if you want the secret to have a one-time password that the user must change.
- Click to select the One Time Password Enabled check box. Additional controls appear.
- Type or select the options.
- Click the Save button.
Task 3: Defining Fields for the Template
Click the Fields tab to add template fields as desired. See Secret Template Fields.
Task 4: Mapping Launchers and RPC Type
- Click the Mapping tab to configure launchers and RPC.
- Click the Edit button in the Password Changing section to enable RPC on secrets based on this template. This enables heartbeat and RPC, and configures the password changer type and fields. For details, see RPC Overview.
- Click the Add Mapping button to add a secret launcher or extended mapping. The Add Mapping popup appears.
- Click the Mapping Type combination list to search for or select a mapping type:
Launchers:
- Command Prompt
- Custom PuTTY Launcher (Port Field on Secret)
- Custom Launcher with Host Prompt
- IBM iSeries Launcher
- Mac Process - Default Client - No Prompt
- PowerShell ISE
- PowerShell Launcher
- PuTTY
- PuTTY With Port Prompt
- Remote Desktop
- SAP Custom Launcher
- SQL Server Launcher
- SQLPlus
- Sybase iSQL Launcher
- TextEdit (OSX)
- Website Login
- Windows Notepad
- z/OS Launcher
Extended Launchers:
Extended mappings allow you to tie a text-entry field value to a Secret Server-defined system type for additional functionality. For example, you may have a generic password secret template that has a username and password text-entry field. For purposes of looking up credentials, such as a ticket system authentication secret, Secret Server needs to know the actual type of the text-entry fields, since the text-entry field name can be custom.
- OATH Secret Key: For password changing on the Amazon Root Account using the Web Password Changer. If you enter the OATH secret for two-factor authentication, Secret Server generates the one-time password (OTP) automatically for password changing and heartbeat, allowing you to automate both while still enforcing two-factor authentication on the AWS root credential.
- Regex List
- Remote Server SSH Key for Validation: Ensures the SHA1 digest of the remote machine's host key is correct, validating that the machine connected to is the expected one.
- SSH Private Key: Defines which text-entry fields make up the SSH key components of Private Key, Private Key Passphrase, and Public Key.
- Username and Password: Defines which text-entry fields contain the username and password.
The popup changes to accommodate your choice.
A secret launcher launches applications on other machines and automatically logs on using credentials stored in Secret Server. In general, there are three types of launchers: RDP, SSH, and Custom. In addition to user convenience, launchers can circumvent users needing to know their passwords: a user can still gain access to a needed machine without viewing or copying the password out of Secret Server. A Web launcher automatically logs into websites using the client's browser.
- Click to select or type to search the desired dropdown lists.
- Click the Save button.
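The OATH Secret Key mapping above lets Secret Server derive the one-time password itself from the stored OATH secret instead of a person typing it. The following is an added example, not Secret Server's own code, showing what that derivation is: RFC 6238 TOTP over HMAC-SHA1, the scheme used by AWS virtual MFA devices, computed from a base32-encoded secret. It also shows how a verifier tolerates a step of clock drift between the password changer and the remote service, which is the usual cause of a heartbeat that fails only intermittently. The secret value is the RFC 6238 published test-vector key, not a real credential; all function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_oath_secret(secret_b32: str) -> bytes:
    """Normalise the base32 secret as it is usually shown to humans
    (spaces, lower case, missing '=' padding) before decoding."""
    cleaned = "".join(secret_b32.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, for_time: Optional[int] = None,
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(decode_oath_secret(secret_b32), for_time // period, digits)


def verify_totp(secret_b32: str, candidate: str, for_time: int,
                window: int = 1, digits: int = 6, period: int = 30) -> bool:
    """Accept the code for the current 30-second step and up to `window`
    steps on either side, so a few seconds of clock skew between the two
    sides do not cause a failed login. The comparison is constant-time so
    a verifier does not leak how many leading digits matched."""
    key = decode_oath_secret(secret_b32)
    step = for_time // period
    for delta in range(-window, window + 1):
        expected = hotp(key, step + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample: the RFC 6238 reference key "12345678901234567890"
# in base32. It is a published test vector, not a real AWS MFA seed.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    # RFC 6238 Appendix B: at unix time 59 the 8-digit SHA1 code is 94287082.
    print(totp(SAMPLE_SECRET, 59, digits=8))
    # Six seconds into the next step the previous code is still accepted.
    print(verify_totp(SAMPLE_SECRET, "287082", 65))
    # Two steps later it is rejected.
    print(verify_totp(SAMPLE_SECRET, "287082", 125))
```

The base32 normalisation matters in practice because the seed shown during MFA enrolment is often grouped in four-character blocks with spaces and no padding; storing it verbatim in the mapped field and decoding strictly would fail. A window of one step is the usual compromise between tolerating skew and not widening the acceptance set unnecessarily.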
Task 5: Adding Permissions
- Click the Permissions tab. This defines who can create secrets of this type or manage this secret template.
- Click the Edit button's dropdown and select Add. The Users list appears.
- Type the name of the user or group you want to add in the Search text box. Note that the groups are listed by domain.
- Click to select the check box for each user or group you want to add.
- Click the Add button. The selected users or groups appear on the Permissions tab.
- Click the dropdown list next to each to define whether the user or group has the Template Create Secret or Template Owner permission. More than one owner is allowed.
- Click the Save button. The users or groups now appear in a small table, along with their roles (permissions).
- To remove a user or group:
  - Click the Edit link for the Secret Template Permissions section. The table of users and groups disappears, and the dropdown lists reappear.
  - Click the dropdown list for the user or group you want to delete and select <None>.
  - Click the Save button.
Task 6: Viewing the Template's Audit Trail
- Click the Audit tab to view activity on the secret template.
You cannot drill down on the entries, but you can define which columns to see by clicking the slider icon on the right. You can also click the download icon to download a text file version of the table.
Settings for Specific Template Types
Oracle Account as SYS
Settings for an Oracle Account secret template to work with Oracle connecting as SYS in SysDBA:
- Set Oracle Account as the type.
- Set Oracle Account (AS SYS) as the password type.
- Create a secret based on the new template to test the template.
SQL Windows Authentication Account Secret Template and Launcher
Settings for an Active Directory template that is specifically for SQL:
- Set Active Directory as the type.
- If necessary, create a field called Server.
- Add the following parameters for Windows settings (see Creating Custom Launchers):
  - Name: SQL Server Launcher - Windows Authentication
  - Active: Yes
  - Process Arguments: -E -S $Server ($Server should match the field name you created or observed earlier)
  - Run Process as Secret Credentials: Yes
  - Load User Profile: Yes
  - Use Operating System Shell: No
  - Use Additional Prompt (in General Settings): No