6 Replies Latest reply on Apr 25, 2016 1:36 PM by Bill Robinson

    Password Rotation via 3rd Party ID Vault

    Steven O'Brien

      Our access management and security team are working on a project utilizing a third-party product from CyberArk called ID Vault, where all application ids are stored, affording the ID Vault application the ability to rotate application id passwords on a routine, pre-defined schedule. Currently, application passwords are difficult to manage and rarely changed, creating a security risk in our company. Does BMC support the use of ID Vault with the BSA suite? If not, is there a possibility to customize a solution (create a wrapper) that could be utilized to support our goal of rotating application ids?


      Thanks,

        • 1. Re: Password Rotation via 3rd Party ID Vault
          Bill Robinson

          by 'application id', do you mean user login passwords for users to access the application, or service accounts stored in the application, or something else?


          specifically, what bsa 'application ids' are you looking to put under this management?

          • 2. Re: Password Rotation via 3rd Party ID Vault
            Steven O'Brien

            We are not talking about the user login/passwords for access to the application console. We are talking about the application accounts used when deploying the packages throughout the server environment. The Bladelogic agents run as root and, when packages are deployed, the first action is to switch user to the application account that has access to update the application code on the servers. We have all lines of business running code deployments across our server environment, and we have multiple application ids used by Bladelogic. Let me know if you need more clarification.

            • 3. Re: Password Rotation via 3rd Party ID Vault
              Bill Robinson

              ok, so the agent runs as root. are you doing a 'su' in the blpackage and then running whatever, or are you mapping to the application account via the rscd user mapping?


              in either case, you don't need to know the user's password. unless you've done something really restrictive, 'su - user' as root will not prompt for a password, and the user mapping via the rscd would not either.

              • 4. Re: Password Rotation via 3rd Party ID Vault
                Santhosh Kurimilla

                Does ID Vault have some CLI (Command Line Interface) or query language through which you can retrieve the required information? If yes, you may use those commands in the Package or NSH Script (using nexec).

                • 5. Re: Password Rotation via 3rd Party ID Vault
                  Steven O'Brien

                  The only need for ID Vault integration is for the app itself to connect to the database. The appservers have been configured to use the schema owner id "bladelogic" to connect to the bltprd00_all database. Our Access Management remotes into the GUI we used during the install of the appserver software for entering the user id/password combination.


                  So that the appserver gets the password for this id (bladelogic) from ID Vault, the appserver has to be compatible with it.

                  Thanks,

                  • 6. Re: Password Rotation via 3rd Party ID Vault
                    Bill Robinson

                    ok, I'm confused, because you said:

                    "The Bladelogic agents run as root and when packages are deployed, the first action is to switch user to the application account that has access to update the application code on the servers"

                    -> that has nothing to do w/ the bladelogic db user account.


                    "The only need for ID vault integration is for the app itself to connect to the data base."

                    "the app itself" => bladelogic ?

                    "Our Access Management remotes into the GUI we used during the install of the appserver software for entering the user id/password combination.."

                    -> so you need the password provided at install time only, or whenever the password is changed? currently the password is stored in the global.properties file on the appserver's file system.


                    right now there is no way for bsa to pull the bladelogic db user password from a 3rd party system. if you have an API to hit your vault system, you could probably write something that would periodically query it, get the password in plain text and use blasadmin to update the appserver configuration w/ the new password.
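Bill's suggestion in the last reply, written out as an added example that is not code from this thread, from BMC or from CyberArk: a cron-driven shell wrapper that fetches the "bladelogic" DB password from the vault and pushes it into the appserver configuration with blasadmin only when the value has changed. The vault fetch command, the blasadmin path and its `set database password` syntax are assumptions to be checked against your BSA and ID Vault documentation.

```shell
#!/bin/sh
# Added example (not from the thread or BMC): a cron-driven wrapper that pulls
# the "bladelogic" DB password from a vault and pushes it into the appserver
# config with blasadmin only when the value has changed.
# Assumptions: VAULT_FETCH_CMD prints the current password to stdout, and
# blasadmin accepts "-s <profile> set database password <value>".
: "${VAULT_FETCH_CMD:=/opt/vault/bin/get-secret bladelogic}"   # placeholder
: "${BLASADMIN:=/opt/bmc/bladelogic/NSH/br/blasadmin}"            # placeholder
: "${BSA_PROFILE:=default}"
: "${STATE_FILE:=/var/lib/bsa-rotate/last_applied.sha256}"

# Hash the secret so neither the state file nor any log holds it in clear.
fingerprint() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# True (exit 0) when the vault value differs from the last one applied.
needs_rotation() {
    new_fp=$(fingerprint "$1")
    old_fp=""
    [ -r "$STATE_FILE" ] && old_fp=$(cat "$STATE_FILE")
    [ "$new_fp" != "$old_fp" ]
}

# Push the password into the appserver config and record its fingerprint.
# The value is visible in the process list while blasadmin runs, so run
# this as the appserver owner on the appserver host only.
apply_password() {
    "$BLASADMIN" -s "$BSA_PROFILE" set database password "$1" || return 1
    mkdir -p "$(dirname "$STATE_FILE")"
    fingerprint "$1" > "$STATE_FILE"
    chmod 600 "$STATE_FILE"
}

# Fetch, compare, apply. Returns 0 on "applied" or "unchanged", 1 on error.
rotate_if_changed() {
    pw=$(eval "$VAULT_FETCH_CMD") || { echo "vault fetch failed" >&2; return 1; }
    [ -n "$pw" ] || { echo "vault returned an empty password" >&2; return 1; }
    if needs_rotation "$pw"; then
        apply_password "$pw" || return 1
        echo "appserver DB password updated; restart the appserver to load it"
    else
        echo "password unchanged; nothing to do"
    fi
}

# Usage: ./rotate-bsa-db-password.sh run   (e.g. from cron every few minutes)
case "${1:-}" in run) rotate_if_changed ;; esac
```

The wrapper only updates the appserver side; scheduling the vault's own rotation so the DB account and this job stay in step, and restarting the appserver afterwards, remain site tasks.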