
Defining connection methods

When adding target system import rules or manually managing discovered systems, you must define which credentials the Bravura Privilege server uses when it attempts to connect to the systems. A discovered system will only pass a target system import rule once it has valid credentials.

There are five methods for defining connection credentials:

Push mode systems

For push mode target systems, these credentials are evaluated immediately, and if they are not valid, the target system will be removed and re-evaluated.

Local service mode systems

For local service mode target systems, this evaluation may take a few polls to confirm – one to receive the information on the administrative credential (either verify or create), and one to report back the results.

To view the status of these confirmations, go to Manage the system > Resources > Discovered objects > Systems > Local service mode systems and view the Admin ID status column.

During the time that Bravura Security Fabric attempts to verify valid administrator credentials based on a discovered system, the Admin ID status of the discovered system is set to Pending. The managed system will have limited capabilities. Once the administrator credentials have been verified the Admin ID status of the discovered system is set to Verified, and the managed system will be ready for use.

If the administrator credentials are not verified, then depending on the LWS RES VALID ADMIN CREDENTIAL setting, one of the following will occur:

  • If the setting is Disabled, the system will be a managed system but the administrator credentials will be shown as Failed. Warning messages will inform product administrators which systems have failed to verify administrator credentials.

    The managed system will have limited capabilities. Product administrators can manually provide credentials for the discovered target system.

    Even if product administrators manually provide credentials for the discovered target system, the status for its administrator ID will still be shown as Failed to mark that it had failed during the creation process.

  • If the setting is Enabled, the automatically discovered target system will be deleted.

    The discovered system will attempt to validate against the next local service mode target system import rule until all rules have been evaluated. Once that occurs, the discovered system will remain unmanaged.

Set the LWS RES VALID ADMIN CREDENTIAL option at Manage the system > Modules > Privileged access.

Using no credentials

For local service mode systems, Bravura Privilege does not require credentials to be specified.

Using a plugin to get credentials

To configure Bravura Privilege to use pre-existing administrator credentials on a managed discovered system using a plugin, type the name of the plugin in the Plugin to get credentials field.

Alternatively, you can define a default plugin in IMPORT ADMIN CRED DEFAULTPLUGIN in Manage the system > Resources > Options. This pre-populates the Plugin to get credentials field when creating target system import rules.

The plugin receives the computer attributes as input. You can view the available attributes by going to Manage the system > Resources > Discovered objects > Systems, and clicking on the system.

The plugin input, in the form of a KVGroup, should look like:

"" "" = { 
    "ead_computer_attributes" "" = { 
        "sv_attributes" "" = { 
            #...single-valued attributes go here... 
        } 
        "mv_attributes" "" = { 
            #...multi-valued attributes go here... 
        } 
    } 
    "sessionid" = "<session id>" # The session ID
} 

The expected output of the plugin is an account and unencrypted password:

"" "" = {
    "admin" = "<account name>";
    "adminPW" = "<unencrypted password>";
    "isSysPWD" = "[true | false]"; //optional
    "isConnPWD" = "[true | false]"; //optional
    "isUpdByPAM" = "[true | false]"; //optional
    "retval" = "0"
}

Alternatively, the output of the plugin can be a managed account:

"" "" = {
    "admin" = "<managed account ID>";
    "adminPW" = "";
    "resourceid" = "<managed system ID>";
    "accountID" = "<managed account ID>";
    "isSysPWD" = "[true | false]"; //optional
    "isConnPWD" = "[true | false]"; //optional
    "isUpdByPAM" = "[true | false]"; //optional
    "retval" = "0"
}

Multiple credentials can be created using the following format:

"" "" = {
    "version" = "2"
    "resultgroup" "" = {
        "credential" "" = {
            "admin" = "<account name>";
            "adminPW" = "<unencrypted password>";
            "isConnPWD" = "[true | false]"; //optional
            "isUpdByPAM" = "[true | false]"; //optional
        }
        "credential" "" = {
            "admin" = "<account name>";
            "adminPW" = "<unencrypted password>";
            "isConnPWD" = "[true | false]"; //optional
            "isUpdByPAM" = "[true | false]"; //optional
            //To create a system credential add the following kvg group to
            //a credential
            "sys" "" = {
                "admin" = "<sys account name>";
                "adminPW" = "<unencrypted password>";
                "isConnPWD" = "[true | false]"; //optional
                "isUpdByPAM" = "[true | false]"; //optional
            }
        }
    }
    "retval" = "0"
}

Add "switch_strategies" to the output KVGroup to switch between using credentials from the plugin or from the discovery template:

  • "switch_strategies" = "true" uses credentials from the discovery template.

  • "switch_strategies" = "false", or the key not being present, uses credentials from the plugin output.
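As an added example, not code from Bravura Privilege or its documentation, the Python below parses the input KVGroup shown above and builds the multiple-credential ("version" = "2") output; the same parser reads the "resource" input form used by the account-creation plugin later on this page. It assumes that "name" is one of the single-valued computer attributes, uses a constructed sample input, and takes a lookup_password callable that stands in for however your plugin fetches the password (a vault query, for example); how Bravura passes the text to and from the plugin is not covered here.

```python
import re

# Whitespace, ';' and '#' / '//' comments are skipped; quoted strings and = { } become tokens.
_TOKEN = re.compile(r'\s+|;|#[^\n]*|//[^\n]*|"((?:[^"\\]|\\.)*)"|([={}])')

def _tokens(text):
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:                     # quoted string (backslash escapes removed)
            yield ("str", re.sub(r"\\(.)", r"\1", m.group(1)))
        elif m.group(2):
            yield ("sym", m.group(2))

def parse(src):  # -> ordered list of (key, value); keys may repeat, e.g. several "credential"
    tokens = _tokens(src) if isinstance(src, str) else src
    entries = []
    for kind, text in tokens:
        if (kind, text) == ("sym", "}"):
            break
        nxt = next(tokens)
        if nxt == ("str", "") and next(tokens) == ("sym", "=") and next(tokens) == ("sym", "{"):
            entries.append((text, parse(tokens)))      # '"name" "" = { ... }' opens a nested group
        elif nxt == ("sym", "="):
            entries.append((text, next(tokens)[1]))    # '"key" = "value"' is a scalar
        else:
            raise ValueError(f"malformed entry after key {text!r}")
    return entries

def dump(entries, indent=0):  # serialize back to KVGroup text (values are written unescaped)
    pad, out = "    " * indent, []
    for key, val in entries:
        if isinstance(val, list):
            out += [f'{pad}"{key}" "" = {{', dump(val, indent + 1), pad + "}"]
        else:
            out.append(f'{pad}"{key}" = "{val}";')
    return "\n".join(out)

def get(entries, *path):  # follow a key path through nested groups; first matching key wins
    return entries if not path else get(next(v for k, v in entries if k == path[0]), *path[1:])

def plugin_output(kv_input, lookup_password):
    """Build the "version" = "2" multi-credential result for the discovered computer.
    'name' is an assumed sv_attributes key; lookup_password stands in for a vault call."""
    name = get(kv_input, "", "ead_computer_attributes", "sv_attributes", "name")
    creds = [("credential", [("admin", acct), ("adminPW", lookup_password(acct))])
             for acct in ("admin_" + name, "Administrator")]   # naming as in the PSLang example
    return [("", [("version", "2"), ("resultgroup", creds), ("retval", "0")])]

# Constructed sample of the input KVGroup the page shows (not a real discovered system).
SAMPLE_INPUT = '''"" "" = { "ead_computer_attributes" "" = { "sv_attributes" "" = { "name" = "user1-ws"; }
    "mv_attributes" "" = { } }  "sessionid" = "constructed-session-id" }'''
```

Running `print(dump(plugin_output(parse(SAMPLE_INPUT), my_lookup)))` emits the resultgroup block in the layout shown above; parse(dump(x)) == x holds for any parsed group, so the emitted text can be checked before it is handed back.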

Creating new credentials on a managed system

Configure Bravura Privilege to create new credentials on a managed discovered system by setting the options defined in Table 1, “Options for creating new credentials on discovered systems”.

When Bravura Privilege creates the new credentials, it uses the default global password policy. The description for created accounts notes that the account was created by Bravura Privilege, and states which rule (if any) was used to create it.

If account creation fails on the discovered system, then the system is not managed by Bravura Privilege. If evaluated against an import rule:

  • For push mode, the system will be re-evaluated on the next run and Bravura Privilege will attempt to create the administrator account on the system again.

  • For local workstation mode, Bravura Privilege will attempt to create the administrator account again according to the RES ADMIN CREATE RETRY INTERVAL (default 1440 minutes).

If Bravura Privilege fails to add the new account to any of the selected administrator groups, then the system is not managed. However, the account remains in the groups that were joined successfully. If this occurs, either fix or remove the incorrect/missing group ID.

Table 1. Options for creating new credentials on discovered systems

Option: Initial credentials to use when creating new local account

Description: This applies to push mode systems only. Select:

Option: Login ID type

Description: Set this to define what to use as the administrator ID:

  • String allows you to specify the Login ID to be created on each discovered system. Use this if you want to use a common ID for the Bravura Privilege administrator on each discovered system.

  • PSLANG expression allows you to define the Login ID based on the discovered system’s attributes. Use this if you want a unique administrator account for each discovered system. For example, using the expression "admin"+$comp["name"][0] could generate the ID admin_user1-ws.

Option: Security group type

Description: Define permissions for the new account:

  • String allows you to type a space-delimited list of group IDs for the groups into which to add the new account; for example, "Administrator" "Domain users" "Custom group". Use this if you know the group IDs for the groups to which you want all new accounts to be added.

  • SID allows you to select from a list of common group SIDs into which to add the new account. Use this if your discovered systems use non-standard administrator group names. This option is only available for template types that recognize SIDs.

    This option is only available when an Active Directory or Windows NT Server template target system is used.

Option: Reuse existing account if found

Description: Enable this option to reuse the ID if it already exists on the discovered system.



The plugin receives the computer attributes as input. You can view the available attributes by going to Manage the system > Resources > Discovered objects > Systems, and clicking on the system.

The plugin input, in the form of a KVGroup, should look like:

"" "" = { 
    "resource" "" = { 
        #...single-valued attributes go here... 
    } 
    "sessionid" = "<session id>" # The session ID 
} 

The expected output from the plugin:

"" "" = {
    "admin" = "...";
    "adminPW" = "<unencrypted password>";
    "return" = "0";
}

Using valid credentials from a template target system

Configure Bravura Privilege to test and copy administrator credentials from the target system template if you have groups of systems using the same set of credentials. This way, you can select which administrator credentials to use based on the target system template selected.

This is also useful if the administrator accounts are unique on each system; for example, IDs that use the format Admin_<computer name>. In this case, the passwords must be identical.

If the credentials are invalid, then the system is not imported or managed by Bravura Privilege. Target systems that require a system password only have the administrator credential validated, not the system credential. If the system is imported and managed by Bravura Privilege, then the system password is copied. If multiple system passwords are configured, then the first alphabetically-sorted password is copied.

Using credentials from a source system

Copy administrator credentials from the source system if you intend to use a domain administrator account to manage all discovered systems. This setting applies to push mode systems only. It is recommended that the administrator ID on the source system follows the format <adminid>@<domain>. Bravura Security Fabric does not verify whether the source system credentials are valid.

If the credentials change on the source system, then Bravura Privilege automatically propagates the new credentials to the managed systems that are using them. However, if the imported credentials get removed from the managed system, then Bravura Privilege stops propagating source system changes to that system.