
Configuration and credentials files

Both the program and library use the following files:

  • The configuration file, supplied as config.ini, which defines configuration parameters.

  • The credentials file, which is specified in the configuration file, holds encrypted passwords.

  • The large credentials configuration file, supplied as lcinfo.ini, which contains information about large credential files.

These files can be renamed and placed anywhere on the filesystem.

Configuration file

The configuration file, typically called config.ini, specifies the following parameters, in simple 'key=value' format:

Options marked (required) must be present.

  • apiurl=https://<server>/<instancename>/idapi2 The URL of the Bravura Privilege API web service. Edit the value to suit your environment. An empty URL means a local connection is used.

  • proxy= A proxy to use when accessing the API SOAP Service (idapisoap) endpoint. If omitted, the default proxy from environment variables (Unix/Linux) or from the user's registry proxy settings (Windows) is used. If empty, all proxy use is disabled.

  • capath= For Unix/Linux systems only: the CA directory or file holding the certificates to trust.

  • cert= The certificate file, in PEM format, used for client authentication.

    Warning

    This is not recommended for use without supervision from Bravura Security staff.

  • ignorebadservercert=0 Whether to ignore problems with server certificate and identity validation. Default is 0 (do not ignore) if not specified. Valid values are 0 (false) or 1 (true).

  • timeout=30 The API SOAP Service (idapisoap) call timeout in seconds. Default is 300 if not specified. Valid values are between 0 and 3600 inclusive.

  • lockfile=/tmp/.pam-lock (required) The filesystem path where a lock is placed while calling the web service, so that two processes do not simultaneously use the same one-time password (OTP), which could leave an invalid OTP stored locally.

  • locktries=200 The number of attempts to lock the file. Default is 10 if not specified. Valid values are between 0 and 200 inclusive.

  • locksleep=0.1 The delay between attempts to lock the file, in seconds. Default is 2 seconds if not specified. Valid values are between 0 and 100 inclusive; fractional values such as 1.5 are supported.

  • credsfile=creds.ini (required) The filesystem path where credentials will be stored.

  • lcinfofile=lcinfo.ini (required) The filesystem path where large credential file information will be stored.

  • cacheseconds=60 The lifetime of cached credentials, in seconds. Default is 60 if not specified. Valid values are between 0 and 86400 (24 hours) inclusive.

  • usemachinekey=1 Whether to include the MAC address, IP address and host name in the encryption key. Default is 1 (do include) if not specified. Valid values are 0 (false) or 1 (true).

  • useargskey=1 Whether to include the command line details in the encryption key. Default is 0 if not specified. Valid values are 0 (false) or 1 (true).

  • filekey=./config.ini Files to include in the encryption key. This key can appear multiple times to use multiple files as keys, for example:

    filekey=./config.ini
    filekey=/usr/local/lib/libidapi.so

  • synchronouswrite Deprecated and ignored if present; a warning is written to the log.
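As an added example (not part of the Bravura Privilege product or its library), the checker below parses the key=value format and flags values that fall outside the ranges, required keys and deprecated key documented above. It assumes lines starting with '#' or ';' are comments and that repeated keys (filekey) accumulate; the embedded SAMPLE is constructed and omits lcinfofile, sets locktries above 200 and keeps the deprecated synchronouswrite key.

```python
REQUIRED = ("lockfile", "credsfile", "lcinfofile")
BOOLEAN = ("ignorebadservercert", "usemachinekey", "useargskey")
RANGES = {  # key: (min, max, fractional values allowed)
    "timeout": (0, 3600, False),
    "locktries": (0, 200, False),
    "locksleep": (0, 100, True),
    "cacheseconds": (0, 86400, False),
}

def parse_config(text):
    # Simple key=value lines; repeated keys (filekey) accumulate into a list. Comment syntax is assumed.
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")): continue
        if "=" not in line:
            raise ValueError(f"not key=value: {line!r}")
        key, value = (p.strip() for p in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def check_config(conf):
    # Returns a list of problems; an empty list means the file meets the documented rules.
    problems = []
    for key in REQUIRED:
        if not conf.get(key, [""])[0]:
            problems.append(f"{key} is required")
    for key in BOOLEAN:
        for v in conf.get(key, []):
            if v not in ("0", "1"):
                problems.append(f"{key} must be 0 or 1, got {v!r}")
    for key, (lo, hi, frac) in RANGES.items():
        for v in conf.get(key, []):
            try:
                n = float(v) if frac else int(v)
            except ValueError:
                problems.append(f"{key} is not a number: {v!r}")
                continue
            if not lo <= n <= hi:
                problems.append(f"{key}={v} outside {lo}..{hi}")
    if "synchronouswrite" in conf:
        problems.append("synchronouswrite is deprecated and ignored")
    return problems

SAMPLE = """\
lockfile=/tmp/.pam-lock
credsfile=creds.ini
locktries=500
synchronouswrite=1
"""
```

Running check_config(parse_config(SAMPLE)) reports the missing lcinfofile, the out-of-range locktries and the deprecated key; a config that only uses documented keys with in-range values yields an empty list.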

Credentials file

The credentials file, specified in the configuration file (config.ini), holds two types of passwords:

  • A one-time password, used by runwithpass and/or the pamutil shared object to authenticate to the Bravura Privilege web service.

  • Cached copies of the passwords fetched from the Bravura Privilege web service.

The file has one line of text per system/account/password. For example:

system=__OTP__|user=ID|password=PW|expires=0

Where:

  • ID is the ID of the product administrator (OTP), proxy user, or managed account.

  • PW is the password for this ID.

The file is created when the one-time password user is initialized, as detailed in One-time passwords.

Large credentials configuration file

The lcinfo.ini configuration file contains information about large credential files. It is created upon the first download of a large credential file using pamutil. Each time a new large credential file is downloaded, its information is recorded in this configuration file.

The location of lcinfo.ini is configured in config.ini.

Installation and setup of Bravura Privilege Pattern is required in order to upload vaulted files.

The file has one line of text per large credential file. For example:

system=TESTSYS|user=sampleCredFile|attrkey=LC_FILE|filename=sampleCredFile.zip|lchash=zkYU108lTR10b8EGgxLDvQ==

Where:

  • system is the ID of the vault system or team vault the file is associated with

  • user is the ID of the vaulted file

  • attrkey is the attribute key the file is added to (typically LC_FILE)

  • filename is the name of the file

  • lchash is the hash of the file contents

This configuration file does not store password information.
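The credentials file and lcinfo.ini share the same one-record-per-line, pipe-separated key=value layout shown above. As an added example (not the product's own code), the parser below reads both, returns a log-safe copy of a credentials record with the password masked, and checks that the file holds exactly one __OTP__ entry. The credentials lines are constructed samples with fake values; the lcinfo line is the one shown above; each field is assumed to split on its first '='.

```python
OTP_SYSTEM = "__OTP__"  # system value the credentials file uses for the one-time password entry

def parse_record(line):
    """Parse one 'k=v|k=v|...' record into a dict; each field splits on its first '='."""
    record = {}
    for field in line.rstrip("\n").split("|"):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        record[key] = value
    return record

def load_records(text):
    """Parse every non-blank line of a credentials file or lcinfo.ini."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def redact(record):
    """Copy of a record that is safe to log: the password value is masked, other fields kept."""
    return {k: ("********" if k == "password" else v) for k, v in record.items()}

def find_otp(records):
    """Return the single OTP entry; raise if the file has none or more than one."""
    otps = [r for r in records if r.get("system") == OTP_SYSTEM]
    if len(otps) != 1:
        raise ValueError(f"expected exactly one {OTP_SYSTEM} entry, found {len(otps)}")
    return otps[0]

# Constructed sample contents (fake values, not real credentials).
CREDS_SAMPLE = """\
system=__OTP__|user=pamadmin|password=otp-secret-value|expires=0
system=UNIXHOST|user=root|password=cached-secret|expires=0
"""
# The lcinfo.ini line documented above.
LCINFO_SAMPLE = "system=TESTSYS|user=sampleCredFile|attrkey=LC_FILE|filename=sampleCredFile.zip|lchash=zkYU108lTR10b8EGgxLDvQ==\n"
```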