
Configuration and credentials files

Both the program and library use the following files:

  • The configuration file, supplied as config.ini, which defines configuration parameters.

  • The credentials file, which is specified in the configuration file, holds encrypted passwords.

  • The large credentials configuration file, supplied as lcinfo.ini, which contains information about large credential files.

These files can be renamed and placed anywhere on the filesystem.

Configuration file

The configuration file, typically called config.ini, specifies the following parameters, in simple 'key=value' format:

Options marked (required) must be present.

  • apiurl=https://<server>/<instancename>/idapi2 The URL of the Bravura Privilege API web service. Edit the value to suit your environment. An empty value means a local connection is used.

  • proxy= A proxy to use when accessing the API SOAP Service (idapisoap) endpoint. If omitted, the default proxy from the environment variables on Unix/Linux systems, or the proxy settings in the user registry on Windows, is used. If present but empty, all proxy use is disabled.

  • capath= For Unix/Linux systems only: The CA directory or file holding the certificates to trust.

  • cert= The client certificate file, in PEM format, used for client authentication.

    Warning

    This is not recommended for use without supervision from Bravura Security staff.

  • ignorebadservercert=0 Whether to ignore server certificate and identity validation failures. Default is 0 (do not ignore) if not specified. Valid values are 0 (false) or 1 (true). Setting it to 1 turns off TLS server authentication, so the client will accept any certificate, including one presented by an interposed host; leave it at 0 outside of troubleshooting.

  • timeout=30 The API SOAP Service (idapisoap) call timeout in seconds. Default is 300 if not specified. Valid values are between 0 and 3600 inclusive.

  • lockfile=/tmp/.pam-lock (required) The filesystem path where a lock will be placed while calling the web service, to ensure that two processes do not simultaneously access the same one-time password (OTP), which could lead to an invalid OTP being retained locally.

  • locktries=200 The number of attempts to lock the file. Default is 10 if not specified. Valid values are between 0 and 200 inclusive.

  • locksleep=0.1 The delay between attempts to lock the file, in seconds. Default is 2 seconds if not specified. Valid values are between 0 and 100 inclusive. It supports fractional values, like 1.5.

  • credsfile=creds.ini (required) The filesystem path where credentials will be stored.

  • lcinfofile=lcinfo.ini (required) The filesystem path where large credential file information will be stored.

  • cacheseconds=60 The lifetime of cached credentials. Default is 60 if not specified. Valid values are between 0 and 86400 (24 hours) inclusive.

  • usemachinekey=1 Whether to include MAC address, IP address and host name in the encryption key. Default is 1 (do include). Valid values are 0 (false) or 1 (true).

    Note

    Data is encrypted whether this setting is enabled or not. See Credentials file encryption.

  • useargskey=1 Whether to include the command line details in the encryption key. Default is 0 if not specified. Valid values are 0 (false) or 1 (true).

  • filekey=./config.ini Files whose contents are included in the encryption key. The option can appear multiple times to use several files as keys, for example filekey=./config.ini together with filekey=/usr/local/lib/libidapi.so.

  • synchronouswrite Deprecated and ignored if present; a warning is written to the log.
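As an added example (not code from the product or this page), the following Python validator reads a config.ini of the kind described above: it parses the key=value lines, collects repeated filekey entries, applies the defaults and value ranges listed for each option, flags the deprecated and risky settings, and implements the lockfile retry loop using locktries and locksleep. The sample configuration and the lock path /tmp/.pam-lock-example are constructed for the example; the page does not say how locktries=0 is treated, and the code assumes it means no attempt is made.

```python
import fcntl
import time

# Constraints and defaults as listed in the option descriptions above.
INT_RANGES = {"timeout": (0, 3600), "locktries": (0, 200), "cacheseconds": (0, 86400)}
FLOAT_RANGES = {"locksleep": (0.0, 100.0)}
FLAGS = {"ignorebadservercert", "usemachinekey", "useargskey"}
REQUIRED = {"lockfile", "credsfile", "lcinfofile"}
REPEATABLE = {"filekey"}
DEFAULTS = {
    "timeout": 300, "locktries": 10, "locksleep": 2.0, "cacheseconds": 60,
    "ignorebadservercert": 0, "usemachinekey": 1, "useargskey": 0,
}

# Constructed sample configuration, not a file shipped with the product.
SAMPLE_CONFIG = """\
apiurl=https://pam.example.com/default/idapi2
proxy=
timeout=30
lockfile=/tmp/.pam-lock
locktries=200
locksleep=0.1
credsfile=/etc/pamutil/creds.ini
lcinfofile=/etc/pamutil/lcinfo.ini
usemachinekey=1
filekey=./config.ini
filekey=/usr/local/lib/libidapi.so
synchronouswrite=1
"""


def parse_config(text):
    """Read simple key=value lines into a dict; repeatable keys become lists."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if "=" not in line:
            raise ValueError(f"not in key=value form: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in REPEATABLE:
            cfg.setdefault(key, []).append(value)
        elif key in cfg:
            raise ValueError(f"option {key} given more than once")
        else:
            cfg[key] = value
    return cfg


def validate_config(cfg):
    """Apply defaults and range checks; return (settings, warnings)."""
    missing = REQUIRED - cfg.keys()
    if missing:
        raise ValueError(f"missing required option(s): {sorted(missing)}")
    settings = dict(DEFAULTS)
    warnings = []
    for key, value in cfg.items():
        if key in INT_RANGES or key in FLOAT_RANGES:
            lo, hi = INT_RANGES.get(key) or FLOAT_RANGES[key]
            num = int(value) if key in INT_RANGES else float(value)
            if not lo <= num <= hi:
                raise ValueError(f"{key}={value} outside {lo}..{hi}")
            settings[key] = num
        elif key in FLAGS:
            if value not in ("0", "1"):
                raise ValueError(f"{key} must be 0 or 1, got {value!r}")
            settings[key] = int(value)
        elif key == "synchronouswrite":
            warnings.append("synchronouswrite is deprecated and ignored")
        else:
            settings[key] = value  # paths, URLs, proxy (empty string = no proxy)
    if settings["ignorebadservercert"]:
        warnings.append("ignorebadservercert=1: server identity is not verified")
    if "cert" in settings:
        warnings.append("cert= is set: client certificate authentication in use")
    return settings, warnings


def acquire_lock(path, tries, sleep):
    """Take an exclusive flock on the lock file, making `tries` attempts with
    `sleep` seconds between them. Returns the open file (keep it open for the
    duration of the web-service call) or None if the lock could not be taken.
    Assumption: `tries` is the total number of attempts, so 0 never tries."""
    fh = open(path, "a+")
    for attempt in range(int(tries)):
        try:
            fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return fh
        except BlockingIOError:
            if attempt + 1 < tries:
                time.sleep(sleep)
    fh.close()
    return None


if __name__ == "__main__":
    settings, warnings = validate_config(parse_config(SAMPLE_CONFIG))
    print(settings)
    for w in warnings:
        print("warning:", w)
```

A second process (or a second open of the same lock file) that cannot obtain the flock within locktries attempts gets None back and should not touch the OTP; holding the returned file object open is what keeps the lock.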

Credentials file

The credentials file, specified in the configuration file (config.ini), holds two types of passwords:

  • A one-time password, used by runwithpass and/or the pamutil shared object to authenticate to the Bravura Privilege web service.

  • Cached copies of the passwords fetched from the Bravura Privilege web service.

The file has one line of text per system/account/password. For example:

system=__OTP__|user=ID|password=PW|expires=0

Where:

  • ID is the product administrator ID (for the __OTP__ record), the proxy user ID, or the managed account ID.

  • PW is the password for that ID.

The file is created when the one-time password user is initialized, as detailed in One-time passwords.

Credentials file encryption

The usemachinekey setting (fingerprinting) in pamutil incorporates machine-specific information (MAC address, IP address, host name) into the encryption key used for the credentials file, so that a copy of the file cannot be decrypted on another machine. Changing the setting (for example from 1 to 0) changes the key, so credentials encrypted under the previous value can no longer be decrypted; the file must then be reinitialized with runwithpass -initial.

After runwithpass -initial, creds.ini is reset and contains only the predefined records: one __OTP__ record (the API user and its password) and, if a proxy is configured in config.ini, a __PROXY__ record. All previously cached account credentials are removed by the reinitialization.

With usemachinekey=0 and the file reinitialized, pamutil still encrypts the data in creds.ini; the only difference is that the key no longer includes the machine-specific information. The credentials remain encrypted, but under a key that does not depend on the host's identifiers, which makes the file portable across machines. That portability cuts both ways: a copy taken from the host can then be decrypted wherever the remaining key inputs (useargskey, filekey) can be reproduced, so protection of the file falls back to filesystem permissions and those other key settings.
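The following Python block is an added illustration, not Bravura's key derivation, of how a file key built from the inputs named in the configuration (host identifiers when usemachinekey=1, the command line when useargskey=1, and the contents of each filekey) changes whenever one of those inputs changes. The machine facts, argv and file contents are constructed values; SHA-256 with length-prefixed fields is the author's choice here and says nothing about the cipher or derivation the product actually uses.

```python
import hashlib


def derive_file_key(machine, use_machine_key, use_args_key, argv, file_contents):
    """Illustrative derivation of a creds.ini key from the configured inputs.

    machine:       dict with "mac", "ip" and "hostname" (constructed values)
    argv:          the command line, included only when use_args_key is set
    file_contents: list of bytes, one per filekey= entry, in config order

    Every input is length-prefixed and labelled so that two different
    combinations of fields cannot collide by concatenation. With
    use_machine_key=0 nothing host-specific enters the digest, so anyone
    holding the same files (and argv, if used) recomputes the same key:
    that is the portability the section above describes.
    """
    h = hashlib.sha256()

    def absorb(label, data):
        h.update(label.encode())
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)

    if use_machine_key:
        for field in ("mac", "ip", "hostname"):
            absorb(field, machine[field].encode())
    if use_args_key:
        absorb("argv", "\0".join(argv).encode())
    for content in file_contents:
        # Hash each file first so large libraries do not dominate the input.
        absorb("filekey", hashlib.sha256(content).digest())
    return h.digest()


# Constructed inputs for a demonstration run.
HOST_A = {"mac": "02:00:00:00:00:01", "ip": "10.0.0.5", "hostname": "host-a"}
HOST_B = {"mac": "02:00:00:00:00:02", "ip": "10.0.0.6", "hostname": "host-b"}
FILES = [b"apiurl=https://pam.example.com/default/idapi2\n", b"fake libidapi.so bytes"]

if __name__ == "__main__":
    bound = derive_file_key(HOST_A, 1, 0, ["runwithpass"], FILES)
    moved = derive_file_key(HOST_B, 1, 0, ["runwithpass"], FILES)
    print("usemachinekey=1, file copied to another host, keys equal:", bound == moved)
    print("usemachinekey=0, same copy, keys equal:",
          derive_file_key(HOST_A, 0, 0, ["runwithpass"], FILES)
          == derive_file_key(HOST_B, 0, 0, ["runwithpass"], FILES))
```

The first comparison prints False (the copied file is undecryptable elsewhere) and the second prints True, which is the trade-off to weigh before setting usemachinekey=0; note also that a changed filekey target, such as an upgraded libidapi.so, invalidates the key just as a changed host would.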

Large credentials configuration file

The lcinfo.ini configuration file contains information about large credential files. It is created on the first download of a large credential file with pamutil, and each subsequently downloaded large credential file is recorded in it.

The location of lcinfo.ini is configured in config.ini.

Installation and setup of Bravura Privilege Pattern is required to upload vaulted files.

The file has one line of text per large credential file. For example:

system=TESTSYS|user=sampleCredFile|attrkey=LC_FILE|filename=sampleCredFile.zip|lchash=zkYU108lTR10b8EGgxLDvQ==

Where:

  • system is the ID of the vault system or team vault the file is associated to

  • user is the ID of the vaulted file

  • attrkey is the attribute key the file is added to (typically LC_FILE)

  • filename is the name of the file

  • lchash is the hash of the file contents

This configuration file does not store password information.
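Both creds.ini (in its plaintext layout, shown under Credentials file) and lcinfo.ini use the same one-record-per-line, field=value|field=value layout. As an added example, not code from the product, here is a Python reader and writer for that layout. It splits each field on the first '=' only, which matters because a base64 lchash such as the page's zkYU108lTR10b8EGgxLDvQ== ends in '=' padding, and it refuses to write a value containing '|', which would otherwise be misparsed as an extra field. The two sample lines are the page's own examples; on disk creds.ini is encrypted, so this applies to the decrypted record text.

```python
import base64

# Record lines taken from the page's examples (constructed test data).
CREDS_LINE = "system=__OTP__|user=ID|password=PW|expires=0"
LCINFO_LINE = ("system=TESTSYS|user=sampleCredFile|attrkey=LC_FILE"
               "|filename=sampleCredFile.zip|lchash=zkYU108lTR10b8EGgxLDvQ==")


def parse_record(line):
    """Split one 'k=v|k=v' record into a dict, keeping field order.

    Each field is split on the FIRST '=' only, so values that themselves
    contain '=' (base64 padding in lchash, '=' inside a password) survive.
    """
    fields = {}
    for part in line.rstrip("\r\n").split("|"):
        if "=" not in part:
            raise ValueError(f"malformed field {part!r} in record {line!r}")
        key, value = part.split("=", 1)
        if key in fields:
            raise ValueError(f"duplicate field {key!r} in record {line!r}")
        fields[key] = value
    return fields


def format_record(fields):
    """Inverse of parse_record; rejects values the layout cannot carry.

    A '|' inside a value (a password, say) would be read back as a field
    separator, so it is refused rather than silently corrupting the file.
    """
    for key, value in fields.items():
        if "=" in key or "|" in key or "|" in value:
            raise ValueError(f"field {key!r} cannot be stored in k=v|k=v form")
    return "|".join(f"{key}={value}" for key, value in fields.items())


def find_record(text, **match):
    """Return the first record whose fields equal every keyword given."""
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if all(record.get(key) == value for key, value in match.items()):
            return record
    return None


def lchash_bytes(record):
    """Decode an lcinfo.ini lchash to raw digest bytes.

    The page does not name the hash algorithm, so only the base64 layer is
    handled here; strict decoding rejects a hash field that has been tampered
    with into something that is not valid base64.
    """
    return base64.b64decode(record["lchash"], validate=True)


if __name__ == "__main__":
    for line in (CREDS_LINE, LCINFO_LINE):
        record = parse_record(line)
        print(record)
        assert format_record(record) == line
```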