11 April,19 at 11:50 AM
This article discusses the different approaches to populating information into the Centrify Privilege Service vault. The stage in the process of implementing a PIM solution dictates many of the strategies to be used. At the time of this writing, we are looking at version 17.8, but as you know, releases come every month; therefore, the strategies discussed in this post are subject to change as more capabilities, system types or accounts are added.
We will be focusing on the Linux CLI toolset and the PowerShell Samples.
The Lifecycle
A Shared Account strategy is part of what's needed to continuously overcome the challenges around PIM. These bullets correspond to where many of our prospects or customers are:
Two Types of Activities
I think we can easily condense the strategies into two categories: population and onboarding:
As of this writing, the tools included with privilege service are:
The Import Tool
This tool is useful if you're populating a new vault, or if you have a CSV of the systems and accounts that you want to onboard. The import tool is tied to the job system.
Discovery
Privilege Service provides an AD-based Discovery tool. Discovery is flexible: it can be used to populate the vault for the first time, on specific occasions, or on an ongoing basis.
From system launch to system termination - the process
Enrollment Codes
Enrollment codes allow for a system to automatically be added to privilege service with access control options like owner, # of systems allowed, IP restrictions and sets.
Enrollment codes are a great tool to enable automation or DevOps scenarios.
PowerShell Samples and Onboarding
The idea behind the PowerShell Samples is to be able to align newly-built Windows systems with the registration in the Privilege Service vault to protect shared accounts or to enable the secure access capability. Alternatively, systems can be organized in sets. The samples work with enrollment codes or interactively with user/password combinations. The latter part is reserved for human interaction.
What you need:
PowerShell Samples in Action
Long command lines are split
Enrollment and onboarding a local account
# This is a sample script that runs at POST; once the system is built,
# patched and joined to Active Directory.
# The assumptions are that an enrollment code has been issued, that
# the modules can be loaded (in this case from the X:\CIP drive)
# and that the proper sets have been put in place.

# Loading Modules
Import-Module X:\CIP\cps\Centrify.Cloud.PowerShell.CIP.psm1
Import-Module X:\CIP\cps\Centrify.IdentityPlatform.Powershell.psm1
# Set-ADComputer (used at the end) comes from the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# E.g. Enroll code, FQDN, Name, and endpoint are required, sets are optional.
# Enrollment Code: B8674D29-890C-4036-AEAB-682DBEF6CA78
# FQDN or IP: member.centrify.vms
# Name: member-vault
# Service Address: https://vault.centrify.vms
# Sets: PCI and Engineering (JSON notation, attribute Name)
$enrollcode = "YADAYADA-YADA-YADA-YADA-YADAYADAYADAYA"
$computer = ($(Get-WmiObject Win32_Computersystem).name | Out-String -Stream).ToLower()
$computerfqdn = [System.Net.Dns]::GetHostByName(($env:computerName)).HostName | Out-String -Stream
$sets = "Engineering, PCI"
$sets_json = "[ { 'Name': 'Engineering' }, { 'Name': 'PCI' }]"
$vault = 'https://vault.centrify.vms'
Enroll-CIPSystem -EnrollCode $enrollcode -FQDN $computerfqdn -ResourceName $computer -Endpoint $vault -Sets $sets_json

# Onboard the Local Administrator account.
# This is a placeholder. Good script here:
# https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a
# Return the temporary random password to $localpwd; it will be rotated
# automatically once the account is vaulted as managed.
$localpwd = 'R@nd0mG%$56bagethatWILLC6ng3soon'
$accountname = 'Administrator'
Set-CIPAccount -AccountName $accountname -AccountPassword $localpwd -isManaged $true

# Set Centrify Vault Metadata in the Description of the AD Computer Object
$joined = (Get-Date).DateTime | Out-String -Stream
$desc = "Sets: $sets. Enrolled to CPS on $joined."
Set-ADComputer $computer -Description $desc
PowerShell Samples Usage
1. First, import modules

What's needed: the path to the PowerShell modules.

Import-Module C:\[insert-path-here]\Centrify.IdentityPlatform.Powershell.psm1
Import-Module C:\[insert-path-here]\Centrify.Cloud.PowerShell.psm1

2. Enroll a system

What's needed: an enrollment code, the name, the FQDN or IP and the endpoint (tenant URL).

Enroll-CIPSystem -EnrollCode [code] -FQDN [fqdn/ip] -ResourceName [system-name] -Endpoint [https://your-url-here]

Example:

Enroll-CIPSystem -EnrollCode "B8674D29-890C-4036-AEAB-682DBEF6CA78" -FQDN 'member.centrify.vms' -ResourceName 'member-vault' -Endpoint 'https://vault.centrify.vms'

What happens when a system is enrolled?
1. The system is added to CPS.
2. A service account is created in CIP with the default suffix.
3. The system is added to a built-in role called "Centrify Agent Computers".
4. The service account is added with the grant, view, edit and delete permissions at the system level.

Note that you can add a system to a set. Another example, adding a system to the Engineering and PCI sets:

Enroll-CIPSystem -EnrollCode "B8674D29-890C-4036-AEAB-682DBEF6CA78" -FQDN 'member.centrify.vms' -ResourceName 'member-vault' -Endpoint 'https://vault.centrify.vms' -Sets "[ { 'Name': 'Engineering' }, { 'Name': 'PCI' }]"

3. Unenroll a system

What's needed: an administrative account.

Examples:

Unenroll-CIPSystem -Delete $true   # proper way to leave CIP; this will remove the service account.
Unenroll-CIPSystem -cleanupOnly    # cleans up locally on the system, equivalent to a forced adleave.

4. Vault an account

What's needed: resource/domain/database, account name, password and whether it's managed or not. If the target is another system, database or domain, the system must be authorized to add accounts in that resource.

Examples:

# Sets the local account opieadmin as managed
Set-CIPAccount -AccountName 'opieadmin' -AccountPassword 'ThisStringwillChangeS00n!' -isManaged $true
# Sets the remote account testuser in the system engcen6 as unmanaged
Set-CIPAccount -resourceName 'engcen6' -AccountName 'testuser' -AccountPassword 'SecretsAreToBeProtected!' -isManaged $false

What happens when an account is vaulted?
1. The account is added under the resource in question.
2. The system that performed the addition is added with all account permissions except portal login.

5. Check out a password

What's needed: credential type, name and checkout lifetime. If the target is another system, database or domain, the system must be authorized to view the top-level resource and to view and checkout at the account level.

Examples:

Get-CIPAccount -AccountName 'opieadmin' -lifetime 2
Get-CIPAccount -domainName "example.com" -AccountName "your-user" -lifetime 2
Get-CIPAccount -databaseName "db-name" -AccountName "your-db-account" -lifetime 2

Other Commandlets:
- Remove-CIPAccount - removes a system/domain/database account.
- Centrify-GetAccountID - gets the unique identifier for an account.
Linux Client CLI Tools
The help topic contains all the commands included with the client. Let's focus on the same sequence above, but for Linux.
What you need:
CLI in Action
Enrollment with cenroll
# E.g. Enroll code, FQDN, Name, and endpoint are required, sets are optional.
# Enrollment Code: B8674D29-890C-4036-AEAB-682DBEF6CA78
# FQDN or IP: centos7.centrify.vms
# Name: centos7-v
# Service Address: https://vault.centrify.vms
# Sets: PCI and Engineering (no space after the comma, or the shell splits it into two arguments)
$ sudo cenroll --tenant vault.centrify.vms --code B8674D29-890C-4036-AEAB-682DBEF6CA78 --verbose --features all --agentauth identity-broker-users --name centos7 --address centos7.centrify.vms --resource-set PCI,Engineering
Enrolling in Centrify identity platform https://vault.centrify.vms/ using enrollment code...
Feature enabled: Application-to-Application Password Management
Feature enabled: Centrify Agent Authentication
Starting Centrify agent...
Centrify agent started.
[output truncated]
Adding account passwords to the vault with csetaccount
# Set the account password to something random
# Send it as a parameter for csetaccount using the --stdin option
# Always clean up.

# Creating random string (restrictive umask so the temp file is readable only by its owner)
umask 077
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 > /tmp/temp.file

# Changing account password (the password change itself must run as root)
echo "root:$(cat /tmp/temp.file)" | sudo chpasswd

# Vaulting the credential
sudo csetaccount --verbose --managed=true --stdin root < /tmp/temp.file
verbose: setting account through cclient

# Housekeeping
sudo rm -f /tmp/temp.file
The account and password are onboarded under the system in question.
The system rotates the password immediately.
The system can read and delete the password (ready for the EoL use case).
Deleting an account and unenrolling a system
# Deleting an account from the vault
$ sudo cdelaccount --silent root

# Unenrolling a system (e.g. prior to decommission or termination) using the
# system account
$ sudo cunenroll --delete --machine
The Linux agent also allows onboarding database (Oracle, SQL Server) or Active Directory domain accounts and retrieving them for CLI or machine-to-machine scenarios (see cgetaccount).
AWS and GCP Automation
In AWS and GCP, the lifecycle (launch instance/terminate instance) can be automated using the methods above, and Centrify has provided some assets, also available via GitHub.
Below are the variables that require information (to vault systems automatically):
# Specify the customer tenant URL to enroll in cenroll CLI
TENANT_URL=
# Specify the enrollment code to use in cenroll CLI
ENROLLMENT_CODE=
# Specify the roles to grant "AgentAuth" right in cenroll CLI
AGENT_AUTH_ROLES=
# Specify the features to enable in cenroll CLI
FEATURES="aapm,agentauth"
# Specify the type of network address. Possible values:
# "PublicIP" (default), "PrivateIP" or "HostName"
NETWORK_ADDR_TYPE="PublicIP"
# Specify the prefix of the login name to use for this computer in the Centrify
# identity platform. The format is -.
COMPUTER_NAME_PREFIX="aws"
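As an added example (not part of Centrify's GitHub assets), the script below shows how a launch hook can validate these variables, map NETWORK_ADDR_TYPE to the AWS instance metadata key it needs, assemble the cenroll command and mask the enrollment code before anything is logged. It assumes the system name is prefix-instanceid and uses constructed sample values (tenant, code, address and instance id) in place of real metadata lookups.

```shell
# Added example, not part of the Centrify GitHub assets: validate the
# variables above and assemble the cenroll command for an AWS instance.
# Constructed sample values; in a real launch hook the instance id and
# address come from the instance metadata service.
TENANT_URL="vault.centrify.vms"
ENROLLMENT_CODE="B8674D29-890C-4036-AEAB-682DBEF6CA78"
AGENT_AUTH_ROLES="identity-broker-users"
FEATURES="aapm,agentauth"
NETWORK_ADDR_TYPE="PublicIP"
COMPUTER_NAME_PREFIX="aws"

# Map NETWORK_ADDR_TYPE to the AWS metadata key that supplies the address
# (http://169.254.169.254/latest/meta-data/<key>); anything outside the
# three documented values is rejected instead of silently defaulting.
metadata_key_for() {
  case "$1" in
    PublicIP)  echo "public-ipv4" ;;
    PrivateIP) echo "local-ipv4" ;;
    HostName)  echo "hostname" ;;
    *) echo "unsupported NETWORK_ADDR_TYPE: $1" >&2; return 1 ;;
  esac
}

# Refuse to enroll when a required variable is blank; an empty code or
# tenant would otherwise only show up as a failed cenroll at boot.
check_required() {
  [ -n "$TENANT_URL" ] || { echo "TENANT_URL is empty" >&2; return 1; }
  [ -n "$ENROLLMENT_CODE" ] || { echo "ENROLLMENT_CODE is empty" >&2; return 1; }
  [ -n "$COMPUTER_NAME_PREFIX" ] || { echo "COMPUTER_NAME_PREFIX is empty" >&2; return 1; }
}

# Compose the cenroll command line. $1 = resolved address, $2 = instance id;
# the system name follows the assumed prefix-instanceid convention.
build_cenroll_cmd() {
  check_required || return 1
  metadata_key_for "$NETWORK_ADDR_TYPE" >/dev/null || return 1
  printf 'cenroll --tenant %s --code %s --features %s --agentauth %s --name %s --address %s\n' \
    "$TENANT_URL" "$ENROLLMENT_CODE" "$FEATURES" "$AGENT_AUTH_ROLES" \
    "${COMPUTER_NAME_PREFIX}-$2" "$1"
}

# The enrollment code is a credential: mask it before the command is logged
# or echoed from user-data.
redact_code() {
  sed 's/--code [^ ]*/--code [REDACTED]/'
}

# Demo with a constructed address and instance id; prints the masked command.
build_cenroll_cmd 203.0.113.10 i-0abc123 | redact_code
```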
Conclusion
Expect the methods to continue to evolve, just as system types and capabilities are added monthly.
We want to hear from you
What can we improve? Always use the comments or leverage the idea exchange and community.