Preparing Delinea (formerly Thycotic) to Work with Keyfactor Command
Preparing Delinea (formerly Thycotic) to Work with Keyfactor Command
Configuring the Delinea Secret Server to interoperate with Keyfactor Command and store Keyfactor Command credentials in the Delinea vault involves these preparatory steps before configuration in Keyfactor Command can begin:
- Install the required Delinea Secret Server software on a web server in the same forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. as the Keyfactor Command server.
- Create at least one secret in Delinea Secret Server for use with your Keyfactor Command certificate stores.
- Create an API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. user for Keyfactor Command use in the Delinea Secret Server.
- Grant the API user appropriate permissions to the secret(s) you created in Delinea Secret Server.
- Create an API application in Delinea Secret Server.
- Grant the Keyfactor Command application pool user local administrative permissions on the Keyfactor Command server to allow the Delinea SDK to create credential files in C:\Windows\System32\inetsrv.
The Delinea Secret Server software needs to be installed on a web server in the same forest as the Keyfactor Command server. Keyfactor does not recommend installing the Delinea software on the Keyfactor Command server. Please see the Delinea documentation for system requirements and installation guidance. Keyfactor Command is delivered with the Delinea dependencies included and enabled to allow interoperability with Delinea Secret Server, so no configuration steps are required on the Keyfactor Command server to enable to Delinea software.
You need to create a secret or secrets in the Delinea Secret Server for each certificate store in Keyfactor Command that you wish to manage with Delinea.
To create a secret in Delinea Secret Server:
- Open the Delinea Secret Server application in a web browser.
- In Secret Server, select Secrets from the left menu.
- On the Secrets page, click the plus button in the top right of the window and choose New Secret.
- In the Create New Secret dialog, select a template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. type of Password (for passwords, usernames, access keys and all similar types of data).
- In the Create New Secret dialog, enter at a minimum a Name and the password, username, access key or other information to pass to Keyfactor Command in the Password field.
- Click Create Secret.
- Back on the screen where you are viewing your freshly created secret, look up at the URL and make note of the number near the end of the URL (see Figure 400: Delinea Secret Key ID Identification). This is the ID for your secret. You will need this when configuring the secret in Keyfactor Command.
Keyfactor Command uses an application user account within Delinea Secret Server to retrieve secrets.
To create an application user account in Delinea Secret Server:
- Open the Delinea Secret Server application in a web browser.
- In Secret Server, select Admin from the left menu and then select Users.
- On the Users page, click Create New.
- Towards the bottom of the Edit User page, click Advanced.
- Enter a User Name, Display Name, Email Address and Password for the API user.
- Under Advanced, check the Application Account box.
- Save the user account.
Figure 401: Create a New Application User in Delinea Secret Server
The application user in Delinea Secret Server needs to have permissions to read the secrets that you create for the Keyfactor Command certificate stores. You will need to grant permission separately to each secret you create.
To grant permission to a secret in Delinea Secret Server:
- Open the Delinea Secret Server application in a web browser.
- In Secret Server, select Secrets from the left menu.
- On the Secrets page, select one of your secrets to open it.
- On your the page for your secret, go to the Sharing tab.
- On the Sharing tab, click Edit.
- In the Add Groups / Users box near the bottom, type in the name of your application user, search and select your user.
- Give the user, at minimum, the View permission.
- Save the secret record.
Figure 402: Grant the Application User Permissions to a Secret in Delinea Secret Server
Keyfactor Command uses an API application in Delinea Secret Server to interact with Secret Server.
To create an API application in Delinea Secret Server:
- Open the Delinea Secret Server application in a web browser.
- In Secret Server, select Admin from the left menu and then select See All.
- On the full Administration menu, select SDK Client Management.
- On the SDK Client Management page, click Client OnBoarding.
- At the top right, move the Disabled/Enabled slider to the right enable this functionality.
- At the bottom right, click the plus next to Rule.
- Enter a Name for the rule. Make note of this name. You will reference it when creating a PAM provider in Keyfactor Command (see PAM Provider Configuration in Keyfactor Command).
- In this Details field, enter the IP address of your Keyfactor Command server.
- In the Assignment dropdown, select the application user you created for API use with Keyfactor Command.
- Check the Require this generated onboarding key box.
- Click Save to save the application.
- On the SDK Client Management page, click Show Key for your new application (see Figure 403: Locate the Delinea Rule Key). Make note of the key shown. This is your rule key. You will need this when creating a PAM provider in Keyfactor Command (see PAM Provider Configuration in Keyfactor Command).
Take care to paste the key in with no leading or trailing spaces.
Keyfactor Command connects to the Delinea Secret Server using Delinea's SDK. The Delinea SDK component on the Keyfactor Command server generates credential files in the C:\Windows\System32\inetsrv directory that allow Keyfactor Command to access Delinea Secret Server. In order to create the files, the service accounts under which the Keyfactor Command application pool and service are running need write access to that directory. Because this is a protected system directory, the only practical way to grant these users the needed access to this directory is to grant the application pool user and service user local administrative permissions on the Keyfactor Command server. Your Keyfactor Command implementation may be using the same service account for both the application pool role and the service role.