
Using the API to retrieve administrative passwords

You can use API functions to retrieve administrative passwords in either of the following ways:

Using a product administrator with OTP rights

You can access the API and retrieve, randomize, and override passwords, or download large credentials, via a product administrator with one time password (OTP) rights.

Configuration

To configure Bravura Privilege access to privileged access API functions:

  1. Create an _OTP_USER product administrator account with the "OTP IDAPI caller" administrative privilege.

    The IP address with CIDR bitmask field must specify the list of IP addresses from which the product administrator will access the API Service.

  2. Create a user class with the following properties:

    • ID: _EXPLICIT_OTP_USERS_

    • Participants: USERID

    • Explicit user: _OTP_USER

  3. Create a user group

    • ID: _OTP_USERGROUP

    • Access control: For the managed system from which you are requesting passwords, grant Pre-approved check-out of managed accounts and Request check-out of managed accounts.

    • Membership criteria: _EXPLICIT_OTP_USERS_

API functions

In order to retrieve an account password that Bravura Privilege is managing, you must:

  1. Use the LoginEx function to log in to the API Service.

    After a successful login, LoginEx automatically resets the product administrator's password to a new 64-byte string. The new password is returned through the newapw argument and must be used for the next login.

  2. Use the KMKeyGetByAccount function to retrieve a password.

    When using KMKeyGetByAccount, note that the accountID is case sensitive and that the resourceID must be uppercase.

Best practices

Note the following:

  • If the password is accessed by IDAPI SOAP, either ws binding or basic binding over HTTPS is used.

  • When saving the OTP password, ensure that it remains encrypted.

  • When using the OTP account, the calling program cannot access the IDAPI service concurrently. Use a mutex or otherwise serialize access to the OTP account, or use one OTP account per program/caller.

  • Once the password is given, it is the caller’s responsibility to use the password correctly and dispose of the password. Storing the current password is not recommended. It should be encrypted if it is stored.
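As an added example, not part of this documentation or of the Bravura Privilege SDK, the following Python shows the calling pattern that the two API steps and the best practices above imply: one lock per OTP account, newapw persisted before anything else happens, and resourceID uppercased before KMKeyGetByAccount. The FakeIdapi class is a constructed stand-in with assumed signatures (LoginEx(userid, password), KMKeyGetByAccount(sessid, resourceID, accountID)), and the dict store is a placeholder for an encrypted secret store; both would be replaced in real use.

```python
import secrets
import threading

class FakeIdapi:
    """Constructed stand-in for the IDAPI service (not the real API): LoginEx accepts
    the OTP account's current password once and rotates it, returning newapw;
    KMKeyGetByAccount needs an uppercase resourceID and an exact accountID."""
    def __init__(self, otp_password, vault):
        self._otp_password = otp_password
        self._vault = vault            # (RESOURCEID, accountID) -> managed password
        self._sessions = set()

    def LoginEx(self, userid, password):
        if password != self._otp_password:
            raise PermissionError("LoginEx: stale or wrong OTP password")
        self._otp_password = secrets.token_hex(32)   # new 64-character value
        sessid = secrets.token_hex(8)
        self._sessions.add(sessid)
        return {"sessid": sessid, "newapw": self._otp_password}

    def KMKeyGetByAccount(self, sessid, resource_id, account_id):
        if sessid not in self._sessions:
            raise PermissionError("KMKeyGetByAccount: invalid session")
        if resource_id != resource_id.upper():
            raise ValueError("resourceID must be uppercase")
        return self._vault[(resource_id, account_id)]   # accountID is case sensitive

class OtpApiClient:
    """One lock per OTP account (the service must not be used concurrently through
    it); newapw is persisted before anything else, so a crash cannot lose it."""
    def __init__(self, api, userid, store):
        # store: dict stand-in for secure storage; a real store must keep the value encrypted
        self._api, self._userid, self._store = api, userid, store
        self._lock = threading.Lock()

    def get_password(self, resource_id, account_id):
        with self._lock:
            session = self._api.LoginEx(self._userid, self._store["otp_password"])
            self._store["otp_password"] = session["newapw"]   # save first: losing it locks the account out
            return self._api.KMKeyGetByAccount(session["sessid"], resource_id.upper(), account_id)

def fetch_concurrently(client, n, resource_id, account_id):
    """Run n callers at once; with the lock every caller logs in with the freshest OTP password."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(client.get_password(resource_id, account_id)))
               for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results
```

Without the lock, two callers could read the same stored OTP password and the second LoginEx would fail, which is the concurrency problem the best practice above describes.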

Using the API to check out passwords

You can use the API functions Login, WFRequestCheckout, and WFRequestCheckin to access the API and retrieve passwords managed by Bravura Privilege, via a workflow-based approval to check out access privileges.

In order to check out a privileged account password via the API, you must use the Login function to log in to the API Service as a user with the IDAPI Caller privilege. The user must effectively log in as the recipient, using the AuthConsoleUser option for Login.

The checkout availability windows must be valid at the time the WFRequestCheckout/WFRequestCheckin functions are executed.

You can use the API at each stage of the workflow, using the Login function with AuthConsoleUser option to impersonate the appropriate user; that is, you can:

  1. Issue a request for checkout via Privileged access app, or the API (as the requester) using the WFRequestCreate, WFRequestSubmit, WFRequestAttrsSet (PPM_VIEW_TIME_BEGIN, PPM_VIEW_TIME_END), and WFRequestActionsGet (ARCHREQPWD).

  2. Issue a request to approve the checkout request via Requests app, or the API (as the authorizer) using the WFApprove function. Ensure the primary field is set correctly in the WFApprove input.

  3. Issue a request to fetch the password via Privileged access app, or the API (as the recipient) using the WFRequestCheckout function.

  4. Issue a request to check in the password via Privileged access app, or the API (as the recipient) using the WFRequestCheckin function.

For generic access check-outs, the following API functions must be used instead of the WFRequestCheckout and WFRequestCheckin functions:

  • WFRequestGenericCheckout

  • WFRequestGenericCheckin

  • GenericCheckoutStatusGet

  • GenericCheckoutDisclose