Overview
CloudBolt has developed an integration with Thycotic Secret Server, delivered as a UI Extension. The value stored in the CloudBolt CMP database is an encrypted reference to a secret in Thycotic; nothing from Secret Server itself is exposed or stored. When that password is needed, the reference is decrypted and CloudBolt reaches out to Thycotic to retrieve the current value of the referenced field. Values retrieved from Thycotic are never written to the CloudBolt filesystem or database.
Pre-requisites:
Have an active Thycotic Secret Server.
Have a service account with access to only the secrets CloudBolt needs, and no more. The CMP will be able to read every secret this account can read, so scope the account's permissions accordingly.
Note: Required version of CloudBolt CMP: 9.4.7.1
Note: Only “Password” type fields will work to gather values from Thycotic.
Installation
Provided by CloudBolt; the UI Extension is not currently available via the Content Library.
Upload the .zip file on the Extensions Management Admin page, where you can also remove or download locally any UI Extension in CloudBolt. Note the thycotic extension now listed on this page. You can see that there is one hook as part of this package, an Admin hook.
SSH into the CloudBolt appliance.
Once authenticated as root on the CB appliance, run the following commands. The first installs the Thycotic Python SDK the extension depends on (it is pulled from PyPI, so the appliance needs outbound access to it); the second restarts the web service so it picks up the extension's code. While it should only take a few seconds, the restart will interrupt service to the web server, so be sure you're in a valid maintenance window.
pip install python-tss-sdk
service httpd restart
Configuring Thycotic’s Admin tab
Navigate to the Thycotic Admin tab in CloudBolt from Admin > Admin Extensions > Thycotic Secret Server Integration
To configure and link your Thycotic account, click “New Thycotic Integration” and provide the information requested. You will need:
Thycotic Server URL
Service Account Username
Service Account Password
Once you save the integration, CloudBolt CMP connects to the server and authenticates to obtain an authentication token. This token is stored encrypted in the CMP database. Each time a secret is needed from Thycotic, CMP first attempts to use this token. If the token has expired, CMP uses the stored service account username and password to re-authenticate and obtain a new token.
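The token lifecycle above, as an added example that is not CloudBolt's or Thycotic's own code: a client that reuses a cached token, re-authenticates with the stored service account credentials only when the server rejects the token, and retries the call once. The `FakeSecretServer`, `ManualClock` and `TokenCachingClient` names and the secret payload are constructed for illustration; the real server is a REST API reached over HTTPS.

```python
import time


class FakeSecretServer:
    """Constructed stand-in for a Thycotic Secret Server (hypothetical, in-memory)."""

    def __init__(self, username, password, token_ttl=60):
        self._creds = (username, password)
        self._ttl = token_ttl
        self._tokens = {}          # token -> absolute expiry time
        self.auth_calls = 0        # how often the client had to log in
        # constructed sample secret; field names as they appear in the Thycotic UI
        self.secrets = {1: {"Username": "svc_db", "Password": "s3cr3t"}}

    def authenticate(self, username, password, now):
        self.auth_calls += 1
        if (username, password) != self._creds:
            raise PermissionError("bad credentials")
        token = "tok-%d" % self.auth_calls
        self._tokens[token] = now + self._ttl
        return token

    def get_secret(self, token, secret_id, now):
        expiry = self._tokens.get(token)
        if expiry is None or now >= expiry:
            raise PermissionError("token expired or unknown")
        return dict(self.secrets[secret_id])


class ManualClock:
    """Deterministic clock so token expiry can be driven in a test."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class TokenCachingClient:
    """Reuse a cached token; log in again only when the server rejects it."""

    def __init__(self, server, username, password, clock=time.time):
        self._server = server
        self._username = username
        self._password = password
        self._clock = clock
        self._token = None   # the CMP keeps this encrypted in its database

    def _token_or_login(self):
        if self._token is None:
            self._token = self._server.authenticate(
                self._username, self._password, self._clock())
        return self._token

    def fetch_secret(self, secret_id):
        """Return the secret's fields; the caller must keep them in memory only."""
        token = self._token_or_login()
        try:
            return self._server.get_secret(token, secret_id, self._clock())
        except PermissionError:
            # Cached token rejected (expired): drop it, log in once, retry once.
            # If the stored credentials are also rejected, that error propagates.
            self._token = None
            token = self._token_or_login()
            return self._server.get_secret(token, secret_id, self._clock())


if __name__ == "__main__":
    clock = ManualClock()
    server = FakeSecretServer("svc_cloudbolt", "pw", token_ttl=60)
    client = TokenCachingClient(server, "svc_cloudbolt", "pw", clock=clock)
    client.fetch_secret(1)          # logs in: auth_calls == 1
    clock.now = 30
    client.fetch_secret(1)          # token still valid: auth_calls == 1
    clock.now = 100
    client.fetch_secret(1)          # token expired: re-auth, auth_calls == 2
    print("logins:", server.auth_calls)
```

The retry is deliberately limited to one re-authentication per call: a stored credential that has itself been rotated or revoked should surface as an error, not as a loop of login attempts against Secret Server.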
Configuring an external password
To utilize this feature, set the value of any field of type Password in a specific format: <Connection Global ID>::<Secret ID>/<Field Name>, e.g. "CON-12345::1/Password" or "CON-12345::2/Secret Key". This lets CloudBolt reference the named field of the secret with that ID in Thycotic Secret Server.
The Global ID is provided on the Thycotic Secret Server Integration page:
To get the Secret’s ID, navigate to the secret in Thycotic Secret Server UI, and gather the ID from the URL:
To get the Field Name, open the secret and decide which of its fields you want to reference. Use the field name exactly as it appears in Thycotic, including any spaces; capitalization does not matter.
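How a reference in this format can be parsed and resolved, as an added example rather than CloudBolt's own implementation: the parser splits the value into connection ID, numeric secret ID and field name, a literal password that does not match the format is returned unchanged, and the field lookup is case-insensitive while preserving spaces. The regular expression, the `SAMPLE_SECRETS` data and the `fetch_from_sample` helper are constructed assumptions; in the real extension the fetch goes to Secret Server over the configured connection.

```python
import re
from dataclasses import dataclass

# Reference syntax from the page: <Connection Global ID>::<Secret ID>/<Field Name>
# The Global ID shape (letters, dash, digits, as in CON-12345) is an assumption.
_REF_RE = re.compile(r"^(?P<conn>[A-Za-z]+-\d+)::(?P<secret_id>\d+)/(?P<field>[^/]+)$")


@dataclass(frozen=True)
class SecretReference:
    connection_id: str
    secret_id: int
    field_name: str


def parse_reference(value):
    """Return a SecretReference if `value` is in the reference format, else None."""
    m = _REF_RE.match(value.strip())
    if m is None:
        return None
    return SecretReference(m["conn"], int(m["secret_id"]), m["field"].strip())


def lookup_field(fields, field_name):
    """Case-insensitive match on the secret's field names; spaces are significant."""
    wanted = field_name.casefold()
    for name, value in fields.items():
        if name.casefold() == wanted:
            return value
    raise KeyError("secret has no field named %r" % field_name)


# Constructed sample of what the server would return per (connection, secret id).
SAMPLE_SECRETS = {
    ("CON-12345", 1): {"Username": "svc_db", "Password": "p@ss-1"},
    ("CON-12345", 2): {"Access Key": "AKIA-CONSTRUCTED", "Secret Key": "sk-constructed"},
}


def fetch_from_sample(connection_id, secret_id):
    """Hypothetical fetch; stands in for the call to Secret Server."""
    try:
        return SAMPLE_SECRETS[(connection_id, secret_id)]
    except KeyError:
        raise LookupError("no secret %d on connection %s" % (secret_id, connection_id))


def resolve_password(value, fetch_secret=fetch_from_sample):
    """Resolve a Password-field value at use time.

    If the stored value is a reference, fetch the secret and pick the field;
    otherwise treat it as a literal password. The result is used in memory only
    and must not be written back to the database or filesystem.
    """
    ref = parse_reference(value)
    if ref is None:
        return value
    return lookup_field(fetch_secret(ref.connection_id, ref.secret_id), ref.field_name)


if __name__ == "__main__":
    for stored in ("CON-12345::1/Password", "CON-12345::2/secret key", "literal-only"):
        print(stored, "->", parse_reference(stored))
```

Because the reference is recognised by pattern, a literal password that happens to match the format would be treated as a reference by this example; that is why the format is anchored on the connection's Global ID rather than on a bare secret number.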