Build the environment for the Credential Provider

PVWA

The following procedure describes how to build an environment for the Credential Provider in the PVWA.

  1. Add the application(s) that will request passwords from the Credential Provider. You can add applications in the Applications tab of the PVWA either manually or automatically.

    For information about adding applications, refer to Manage applications.

  2. Enforce users to specify a reason for requesting secrets.

    In Privileged Access Security solutions (v8.0 and later), users are required to specify a reason each time they retrieve a password if the Require users to specify reason for access rule is set in the Master Policy. For more information about setting this rule, refer to the Privileged Access Security docs.

    The Credential Provider SDK can be configured to specify a reason for retrieving a password even if this option is not selected. For more information, refer to Application Password SDKs.

  3. To enable object level access, in the Edit Safe page, select Enable Object Level Access Control. For more information about object level access control, refer to the Privileged Access Security docs.

  4. In the Password Safe, add the privileged accounts that will be required by the applications. You can either do this in either of the following ways:

    • Manually – Add accounts manually one at a time, and specify all the account details.
    • Automatically – Add multiple accounts automatically using the Password Upload feature.

    Before adding privileged accounts, define all the standard considerations for controlling and managing the privileged accounts used by the applications within the context of the Credential Provider implementation and the timeframe in which passwords must be supplied:

    Item

    Description

    Access Control

    The users that require access to these accounts, including Provider, automated, and human users.
    Workflows

    The workflows that will be used for accessing these accounts. This refers to dual control, ticketing integration, check-in/check-out, and other standard Vault workflows.
    Compliance

    The compliance requirements for managing these accounts, and whether an account management policy has already been defined for these accounts.

    Account Management

    The methods that will be implemented to enforce the defined compliance requirements.

    Monitoring and auditing

    The way that the enterprise monitors the system and ensures that policies are enforced properly.

  5. Add the Credential Provider and application users as Members of the Password Safes where the applications’ passwords are stored. This can either be done manually in the Safes tab, or by specifying the Safe names in the CSV file for adding multiple applications.

    1. Add the Credential Provider user as a Safe Member with the following authorizations:

      • List accounts

      • Retrieve accounts

      • View Safe Members

    2. Add the application(s) as a Safe Member with the following authorizations:

      • Retrieve accounts

      • List accounts (required for authentication with credential files)

      If this user belongs to a group, make sure that the group has this authorization.

    3. If the Safe is configured for object level access, make sure that both the Credential Provider user and the application have access to the password(s) to retrieve.

    For more information about configuring Safe Members, refer to the Privileged Access Security docs.

Credential Provider machine

The following procedure describes how to build an environment on the Credential Provider machine.

  1. Check the Vault parameter file:

    In the /etc/opt/CARKaim/vault folder, open the Vault parameter file (Vault.ini) and make sure that the parameters specify the Digital Vault that the Credential Provider will access to retrieve the password.

    For more details, refer to Vault.ini.

  2. The application’s OS user requires read and write permissions in the /tmp folder. If this does not conform to enterprise policy standards, an alternative Temp folder can be specified in the following environment variable:

    AIM_TEMP_FOLDER

    In Java, specify the following JVM property:

    DAIM_TEMP_FOLDER=/tmp

    This folder must be available to the application as well as the Credential Provider.

    If you specify a different folder, the application requires write and execute permissions on the folder. The Credential Provider has these permissions by default as it runs under root.

    After changing this environment variable, restart the Credential Provider.