Verify Privilege Vault Cloud Quick Start
Overview
Verify Privilege Vault Cloud (SSC) is a scalable, multi-tenant cloud platform that provides the same features as the on-premise Verify Privilege Vault Professional edition. With the SSC platform, all backend services, databases, and redundancy are securely managed by IBM Security and hosted on the Microsoft Azure platform. Customers do not have direct access to the databases or application file system.
Cloud Versus On-Premise Verify Privilege Vault
For documentation purposes, SSC is the same as the corresponding on-premise edition. However, there are some feature differences:
- Site Connectors: On-premise versions can use multiple site connectors to manage engine connections, such as RabbitMQ or MemoryMQ. The cloud version manages this for you as an Azure service and is not configurable.
- CRM Integration: On-premise versions can integrate with CRMs via direct database connections or the ConnectWise API. This is not currently available in SSC.
Getting Started
This section walks you through an initial configuration of your cloud instance. To see additional documentation for Verify Privilege Vault features, please refer to the support resources section at the end of this document.
System Requirements
A distributed engine server is required to communicate with SSC. Recommended specifications for the distributed engine server:
- Windows Server 2016 or above
- CPU: 4-core 2 GHz (minimum)
- Memory: 4 GB of RAM (minimum)
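As an added example (not from this guide or the product), the following PowerShell script checks a candidate engine host against the minimums listed above before you install the engine. The CIM classes it queries, the build number 14393 as the Windows Server 2016 baseline, and the threshold parameters are my assumptions for this example, not values the guide states.

```powershell
# Added example: compare a Windows host against the distributed engine minimums
# in this guide (Windows Server 2016 or above, 4 CPU cores at 2 GHz, 4 GB RAM).
# The build-number baseline and CIM queries are assumptions for this example.
function Test-EngineHostRequirements {
    param(
        [int]$MinCores    = 4,
        [int]$MinClockMHz = 2000,
        [int]$MinMemoryGB = 4,
        [int]$MinBuild    = 14393   # Windows Server 2016 RTM build; 2019/2022 are higher
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor

    $cores    = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $clockMHz = ($cpu | Measure-Object -Property MaxClockSpeed -Maximum).Maximum
    $memoryGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 2)   # WMI reports KB
    $build    = [int]$os.BuildNumber

    # ProductType 1 = workstation, 2 = domain controller, 3 = server
    $checks = @(
        [pscustomobject]@{ Check = 'Server edition of Windows';        Actual = $os.Caption;    Passed = ($os.ProductType -ne 1) }
        [pscustomobject]@{ Check = "Build >= $MinBuild (Server 2016)"; Actual = $build;         Passed = ($build -ge $MinBuild) }
        [pscustomobject]@{ Check = "CPU cores >= $MinCores";           Actual = $cores;         Passed = ($cores -ge $MinCores) }
        [pscustomobject]@{ Check = "CPU clock >= $MinClockMHz MHz";    Actual = $clockMHz;      Passed = ($clockMHz -ge $MinClockMHz) }
        [pscustomobject]@{ Check = "RAM >= $MinMemoryGB GB";           Actual = "$memoryGB GB"; Passed = ($memoryGB -ge $MinMemoryGB) }
    )
    return $checks
}

$report = Test-EngineHostRequirements
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'This host does not meet the distributed engine minimums stated in the guide.'
}
```

Run it in an elevated PowerShell session on the server you intend to host the engine on; a FAIL row tells you which minimum the host misses before you spend time on the install and approval steps.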
Engine Connectivity
SSC's Architecture Diagram shows the network topology of your cloud instance. Your on-premises distributed engines do not need any inbound TCP/IP ports open (unless using RADIUS authentication). If you do not have outbound firewall policies in place, no firewall configuration is necessary. If you do, the distributed engines need outbound access to:
- SSC's multi-tenant front-end Web server
- A shared service bus
- A customer-specific service bus
- A Content Delivery Network (CDN)
The protocols and endpoint details are in the architecture diagram mentioned above.
Initial Setup
After you sign up for a trial, you can choose your URL name and provision your instance:
- After you signed up for an SSC trial, you received an email from IBM Security Sales titled "Verify Privilege Vault Cloud Trial." Click the Cloud Portal link in that email to begin your setup. The Setup Page appears in your browser.
- Choose your location in the Cloud Environment dropdown list.
- Click the Continue button. The IBM Security One Portal appears.
- Create the password for your first user account with administrator credentials. This account will be assigned to the email address you entered to request the trial.
- After confirming the password, click the Set Password and Login button. The IBM Security log on page appears.
  This is the backup admin account that you may need in a "break the glass" or unlimited admin situation. IBM Security recommends you store the password in a secured physical location such as a safe or locked file cabinet. You can reset the password using an email reset, but if this password is forgotten and you no longer have access to the email account, IBM Security cannot reset this password.
- Click the blue button that matches the location you just chose. A setup page appears.
- Type a name for your subdomain. Do not use special characters or spaces.
- Read the End User License Agreement.
- Click to select the check box to signify agreement.
- From the dropdown, select Yes or No to signify your organization's oversight of EU information.
- Click the Accept button. It may take several minutes for your new SSC instance to spin up.
- When initialization is complete, go to your SSC URL and click the Login with IBM Security One button. You are automatically redirected to your new SSC dashboard.
Configure Active Directory Integration
Active Directory integration allows users to log in with their domain credentials. Connections to your domain are routed through the distributed engine service running in your network.
- On the dashboard, create a new Active Directory secret from the Create Secret widget in the upper right corner.
  The domain account should be able to read users and groups from the domain you want to sync. For detailed information on the rights required, see Active Directory Rights for Synchronization Account.
- Type the domain, username, and password in the Create Secret form.
- Save the secret.
- Navigate to Admin > Active Directory.
- Click Edit and check the boxes for Enable Active Directory Integration and Enable Synchronization of Active Directory.
- Click the Save button.
- Click the Edit Domains button.
- Click the Create New button.
- Type your FQDN and a friendly domain name that users will see on the login page.
- Click Sync Secret to select the secret you just created.
  The domain site is set to Default. This means that Active Directory authentication and synchronization will run through the distributed engine service installed on your network. Do not select "Enable Login from AD." If you do, you cannot set the domain groups later in these instructions.
- Click the Save and Validate button.
- Click the Back button.
- Click the Edit Synchronization button. The Synchronization Edit page appears.
- In the Available Groups list, click each domain group whose members should be able to log on to your SSC instance, and click the < button to move the group to the Synchronized Groups list.
- Click the Save button.
- Click the Synchronize Now button to start the user and group synchronization immediately. The synchronization process also runs automatically on a schedule, but you can start it manually to get immediate results.
Test Heartbeat and Remote Password Changing
Heartbeat verifies that the secrets you have stored hold the correct password, and Remote Password Changing (RPC) changes passwords on demand or on a schedule.
- Navigate to Admin > Remote Password Changing.
- Click the Edit button.
- Click to select the Enable Remote Password Changing and Enable Heartbeat check boxes.
- Click the Save button.
- Click the Run Now button in the Remote Password Changing and Heartbeat Log sections. This runs the heartbeat and RPC processes immediately.
- Go to the secret you created for domain synchronization in the previous section, or create a new test secret to use.
- A brand new secret's Last Heartbeat status should be Pending or Processing. Once the heartbeat completes, you should see one of these statuses:
  - Unable to Connect: Verify Privilege Vault could not reach the target machine. This could be a firewall issue, or the machine name or IP address is wrong.
  - Failed: Verify Privilege Vault could connect but could not authenticate. This likely means the password on the secret is incorrect.
  - Success: Verify Privilege Vault successfully connected with the username and password.
- You can test password changing by viewing a secret and clicking the Change Password Remotely button.
  This will change the password on the target system.
- You can view the status of password changes and heartbeats in the log at Admin > Remote Password Changing.
Next Steps
- Add another user to the Administrator role in Verify Privilege Vault. This allows you to have another administrator besides the initial user account created. To assign roles, go to Admin > Roles and click the Assign Roles button.
- Add a folder and share it with the group you synchronized from Active Directory. Create and edit folders from the Folder Tree View on your Dashboard.
- Create a secret in that folder for other users to see. When creating a secret, you can click the Folder link to save it to another folder.
- Have other users log on. Any users synchronized to Verify Privilege Vault through the domain synchronization can log on with their domain credentials.
- Enable Google two-factor authentication by going to Admin > Users, editing the specific user, and assigning a two-factor option.
Troubleshooting and Resources
Get Error: "Site (Default) engines are not currently online" When Saving Domain
This can occur when Verify Privilege Vault was not able to complete a round trip with the installed engine service. This validation may take several minutes after the engine has been approved and assigned to the site. To address the issue:
- On the server where you installed the engine, check the logs in the install directory: C:\Program Files\Thycotic Software Ltd\Distributed Engine\log
- If you see the message "Could not configure, trying in 30 seconds" or a "Bus Broken Down Error", verify that the engine is approved and assigned to your default site.
- Go to the site under Admin > Distributed Engine > Manage Sites.
- Click the Validate Connectivity button.
- If a success message appears and the engine status shows as online, try saving the domain again.
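As an added example, not part of this guide or the product, the following PowerShell function scans the engine log directory named above for the two messages the steps tell you to look for, so the check can be repeated after each change instead of reading the logs by hand. It assumes the default installation path quoted above and that the logs are plain-text files in that directory (the guide does not give the file names or format); the 24-hour window is my choice for this example.

```powershell
# Added example: look for the two messages the troubleshooting section names
# in the distributed engine log directory. Path is the default from the guide;
# file names/format are assumed to be plain text.
function Find-EngineConfigErrors {
    param(
        [string]$LogDir = 'C:\Program Files\Thycotic Software Ltd\Distributed Engine\log',
        [int]$Hours = 24   # only read files modified within this window (assumption)
    )

    # Messages quoted in the troubleshooting section of this guide
    $patterns = @(
        'Could not configure, trying in 30 seconds',
        'Bus Broken Down Error'
    )

    if (-not (Test-Path -LiteralPath $LogDir)) {
        Write-Warning "Log directory not found: $LogDir"
        return
    }

    $since = (Get-Date).AddHours(-$Hours)
    $files = Get-ChildItem -LiteralPath $LogDir -File |
             Where-Object { $_.LastWriteTime -ge $since }

    foreach ($file in $files) {
        # -SimpleMatch treats the patterns as literal text rather than regex
        Select-String -LiteralPath $file.FullName -Pattern $patterns -SimpleMatch |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $_.Filename
                    Line    = $_.LineNumber
                    Message = $_.Line.Trim()
                }
            }
    }
}

# $findings is used instead of $errors, which is a reserved automatic variable
$findings = @(Find-EngineConfigErrors)
if ($findings.Count -eq 0) {
    Write-Host 'No engine configuration errors found in the recent logs.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) matching line(s) found. Verify the engine is approved and assigned to the default site (Admin > Distributed Engine > Manage Sites), then click Validate Connectivity."
}
```

If the engine has been approved and assigned but the messages keep appearing in new log entries, the engine still cannot reach the service bus endpoints, so the outbound firewall rules from the Engine Connectivity section are the next thing to check.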
Secret Server Cloud Character Limits
Secret Server Cloud allows the following number of characters for these fields:
- Folder Name: 128. Error message when exceeded: "The folder name must be 128 characters or less."
- Group Name: 250. Error message when exceeded: "Application Error."
- Role Name: 255. Error message when exceeded: "Please choose a Role name with between 1 and 255 characters."
- Secret Name: 1,992. Error message when exceeded: "Invalid Secret Name."
- Secret Text Fields: 9,999. Error message when exceeded: "Secret item value exceeds max length characters."
- Secret Note Field: 9,999
- Request field: 600 (a comment field used when requesting access to a secret). No error message is given; the field prevents you from exceeding 600 characters. If you paste in more than that, the text is clipped and you can still save.
- Local User Username: 128
- Local User Display Name: 256
- Local User Password: 500