
One-time passwords

The Bravura Privilege API can eliminate static, plaintext passwords embedded in scripts and configuration files. This is done by creating one user ID per application per server; that is, an application running on 10 servers requires 10 user IDs. These IDs are Bravura Privilege product administrator IDs with the "OTP IDAPI caller" privilege, and are granted access to just the passwords they need to retrieve, randomize, or override.

OTP IDAPI account IDs are subject to two extra authentication constraints, as compared to human Bravura Privilege users:

  • They must authenticate to the Bravura Privilege web services API with a one-time password: whenever an OTP IDAPI ID successfully signs into the API, it presents its current password and receives a new one, to be used on the next sign-in.

  • They must authenticate from a previously defined IP subnet; that is, they must be connecting from a well-known application server.

This means that any caller of the API has to be initialized with an application ID's password and must record the new password returned by every call to the API. In turn, this means that API access should be serialized: if two processes on the same machine call the API with the same application ID at the same time, each receives a different new password and it is not clear which one is current.

The runwithpass program and the pamutil library shared object take care of recording changes to the OTP and serializing API access via a lock file.

One-time passwords and cached passwords are both stored in the creds.ini credentials file. The file name may vary, as specified in the configuration file. The ID and password must be initialized in this file before runwithpass or pamutil can use them to connect to the Bravura Privilege web services.

To initialize the creds.ini credential file with an ID and password use the following command:

runwithpass -initial

Enter the ID and password as prompted.

Alternatively, the pamutil API function SetInitialPasswords can also be used.

Note

If the useargskey option is enabled in config.ini, all the other arguments that would normally be used must also be specified. See Using useargskey to tie API account, managed account, and command together for more information.

If the OTP password needs to be reset, run the same command again to re-initialize the creds.ini credential file with the ID and the new password.

Each time an OTP IDAPI account signs into the API, its password is randomized. You can also configure the interval, in hours, between password randomizations. The option, Number of hours between password randomizations, is available for Bravura Privilege product administrator IDs with the "OTP IDAPI caller" privilege, located in Manage the system > Security > Access to product features > Individual administrators.

By default, a password that an OTP IDAPI account has used to sign into the API is discarded immediately. You can instead keep a password history and set how many previously used passwords remain valid for authenticating to the API; each time the OTP account signs in again, the oldest password in the history is removed. This option is configured from Manage the system > Security > Options > OTP MAXIMUM. A larger history lets a caller that died between signing in and recording its new password recover on the next call, at the cost of more than one password being valid at a time, so keep the value small.
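The behaviour described in this section (the one-time password exchanged on every sign-in, the source-subnet constraint, the lock-file serialization that runwithpass and pamutil provide, and the OTP MAXIMUM password history) worked through as an added example. This is not code from the Bravura Privilege product: ToyOtpApi is an assumed stand-in for the web services API, the creds.ini layout, the lock-file name and the method names are assumptions, and the account name and IP addresses are constructed sample data.

```python
"""Constructed simulation of the OTP IDAPI caller flow described above.
ToyOtpApi stands in for the Bravura Privilege web services API (assumed
behaviour, not the real API); OtpClient does what runwithpass/pamutil are
described as doing. Names and the creds file layout are assumptions."""
import configparser
import fcntl  # POSIX advisory locks, Unix only
import ipaddress
import os
import secrets
import tempfile
from collections import deque


class OtpAuthError(Exception):
    pass


class ToyOtpApi:
    def __init__(self, account, password, allowed_subnet, otp_maximum=0):
        self.account, self.current = account, password
        self.subnet = ipaddress.ip_network(allowed_subnet)
        # otp_maximum > 0: that many previously used passwords stay valid.
        self.history = deque(maxlen=otp_maximum) if otp_maximum > 0 else None

    def login(self, account, password, source_ip):
        if ipaddress.ip_address(source_ip) not in self.subnet:
            raise OtpAuthError("source address not in the allowed subnet")
        if account != self.account:
            raise OtpAuthError("unknown account")
        in_history = self.history is not None and password in self.history
        if password != self.current and not in_history:
            raise OtpAuthError("invalid one-time password")
        # Success: retire the current password into the history (oldest
        # entry drops off) and issue a fresh one for the next sign-in.
        if self.history is not None:
            self.history.append(self.current)
        self.current = secrets.token_urlsafe(24)
        return self.current


class OtpClient:
    def __init__(self, api, creds_path, lock_path, source_ip):
        self.api, self.source_ip = api, source_ip
        self.creds_path, self.lock_path = creds_path, lock_path

    def set_initial_passwords(self, account, password):  # like `runwithpass -initial`
        self._write(account, password)

    def _read(self):
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read(self.creds_path)
        return cfg["otp"]["id"], cfg["otp"]["password"]

    def _write(self, account, password):
        cfg = configparser.ConfigParser(interpolation=None)
        cfg["otp"] = {"id": account, "password": password}
        # Temp file + rename, so a crash never leaves a half-written file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.creds_path))
        with os.fdopen(fd, "w") as f:
            cfg.write(f)
        os.replace(tmp, self.creds_path)

    def call_api(self, record_new_password=True):
        """One serialized sign-in; record_new_password=False simulates a crash before saving."""
        with open(self.lock_path, "a") as lf:
            fcntl.flock(lf, fcntl.LOCK_EX)  # concurrent callers wait here
            try:
                account, password = self._read()
                new_password = self.api.login(account, password, self.source_ip)
                if record_new_password:
                    self._write(account, new_password)
            finally:
                fcntl.flock(lf, fcntl.LOCK_UN)
        return new_password


def _succeeds(fn):
    try:
        fn()
        return True
    except OtpAuthError:
        return False


def demo(otp_maximum):
    """Exercise rotation, the subnet check and crash recovery; return the outcomes."""
    workdir = tempfile.mkdtemp()
    creds, lock = os.path.join(workdir, "creds.ini"), os.path.join(workdir, "creds.lock")
    api = ToyOtpApi("app1-srv1", "initial-secret", "10.0.5.0/24", otp_maximum)
    client = OtpClient(api, creds, lock, "10.0.5.17")
    client.set_initial_passwords("app1-srv1", "initial-secret")
    p1, p2 = client.call_api(), client.call_api()
    rotates = p1 != p2 and client._read()[1] == p2
    # Same creds.ini, but this caller sits outside the allowed subnet.
    outsider_ok = _succeeds(OtpClient(api, creds, lock, "192.168.1.5").call_api)
    # A caller that dies after signing in leaves the old password in creds.ini;
    # the next call only succeeds if the API still accepts it (OTP MAXIMUM > 0).
    client.call_api(record_new_password=False)
    return {"rotates": rotates, "subnet_rejected": not outsider_ok,
            "recovered_after_crash": _succeeds(client.call_api)}
```

demo(0) and demo(1) return the two outcomes: with no history the crashed caller's next attempt is rejected and the credentials file has to be re-initialized by hand, while with OTP MAXIMUM set to 1 the previous password is still accepted and the client re-synchronizes on its own. The exclusive lock around read, sign-in and write is what prevents the race described earlier; without it two callers could both read the same password and only one of them would end up holding the password the API now expects.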