Configure the Bomgar Privileged Access Instance for the Bomgar Vault Integration

After verifying the necessary prerequisites are in place for your server environment, Bomgar Privileged Access (PA), and Bomgar Vault, make sure the following items are in place for your PA instance:

  • A user with administrative access to PA
  • A new API account designated for the integration
  • A Jump Item you wish to use for credential injection

Follow the steps below to make sure your PA instance is appropriately configured.

Select a User for the Privileged Access and Vault Integration

  1. Navigate to your PA /login interface and log in (for example, access.example.com/login).
  2. Go to Users & Security > User Accounts.
  3. From the list, select a user that has administrative privileges, or create a new user with administrative privileges to the PA site. If you need to create a new user, see Users: Add Account Permissions for a User or Admin.
  4. Once you have selected a user, note the username and email address for that user, because you must add that same user in Bomgar Vault.

Create a New API Account for the Privileged Access and Vault Integration

You must configure a dedicated API account for the Vault integration with PA. The client ID and client secret generated when you create the API account are required to configure the ECM.

Note: The ECM is the middleware connecting Bomgar Vault to Bomgar Privileged Access. It is responsible for passing and returning credentials and does not store credential information.

  1. Go to Management > API Configuration.
  2. Verify that Enable XML API is checked.
  3. Under API :: Accounts, click Create New API Account.
  4. Enter a name for the PA and Vault integration.
  5. Make sure Enabled is checked.
  6. Verify that Full Access is selected for the Command API option.
  7. Check the Allow Access box for the Endpoint Credential Manager API option.
  8. If you wish to place network restrictions on the account, enter the network address prefixes, one per line, in the Network Restrictions field.

Note: If you add network restrictions for the account, make sure that you do not exclude the IP address associated with your Bomgar Vault environment; otherwise the ECM cannot reach the API.
  9. Copy the OAuth Client ID and OAuth Client Secret and paste them somewhere you can easily access later in the integration process.

Note: If you lose or forget your client secret, you must edit the API account and generate a new client secret. Regenerating a client secret and then saving the account immediately invalidates any OAuth tokens associated with the account; any API calls using those tokens can no longer access the API.

  10. Click Add API Account.
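As an added practitioner check (not part of the original page and not Bomgar code), the following Python verifies that a Network Restrictions list still permits the Bomgar Vault address before you save the API account. It assumes the field accepts IPv4/IPv6 CIDR prefixes or bare addresses, one per line; the prefixes and the Vault address in the block are constructed sample values.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample values (not from the page): the Network Restrictions
# field as typed into the API account, one prefix per line, and the address
# the Bomgar Vault environment connects to PA from.
NETWORK_RESTRICTIONS = """\
10.20.0.0/16
192.0.2.10
"""
VAULT_ADDRESS = "10.20.5.41"


def parse_restrictions(text: str) -> List[Network]:
    """Parse the one-per-line prefix list into network objects.

    Bare addresses become single-host networks (/32 or /128) and blank lines
    are ignored. A malformed entry raises ValueError with its line number so a
    typo is caught before it is saved and locks the integration out.
    (Assumes CIDR notation; the page does not state the exact accepted syntax.)
    """
    networks: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not a valid prefix") from exc
    return networks


def is_allowed(address: str, restrictions: List[Network]) -> bool:
    """True if the address falls inside any configured prefix.

    An empty list means the field was left blank, i.e. no restriction, so
    every address is allowed. An IPv4/IPv6 mismatch is simply a non-match.
    """
    if not restrictions:
        return True
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in restrictions)


def vault_reachable(restrictions_text: str, vault_address: str) -> bool:
    """Return True if the Vault address survives the restriction list."""
    return is_allowed(vault_address, parse_restrictions(restrictions_text))


if __name__ == "__main__":
    ok = vault_reachable(NETWORK_RESTRICTIONS, VAULT_ADDRESS)
    print("Vault address allowed" if ok else "WARNING: Vault address would be blocked")
```

Run it with the exact text you intend to paste into the field; if it reports that the Vault address would be blocked, widen or correct the prefix list before clicking Add API Account, because a locked-out ECM fails silently from the PA side.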

Review Credential Types

In Bomgar PA, you can use credential injection to access endpoints and to log in. There are two types of credentials that you can configure for credential injection in Bomgar Vault:

  • Restricted: This type of credential is called Restricted because you must specify both the endpoint and the user who can use the credential. This matters when you want only a specific credential or set of credentials to be returned when accessing a particular endpoint.
    • The endpoint and user account must be configured in both applications.
    • The user account must have permission in Bomgar Vault to use the credential.
    • The endpoint name must be the same in both applications.
  • Shared: This type of credential is called Shared because it does NOT possess an endpoint restriction.
    • The user account must be configured in both applications.
    • The user account must have permission in Bomgar Vault to use the credential.

With those credential types defined, you can choose any of the following scenarios for integration:

  • If you use only restricted credentials in your environment, walk through the steps of configuring the same endpoint(s) in Bomgar Privileged Access and Bomgar Vault.
  • If you use only shared credentials in your environment, or if you are a Vault Go! customer, skip the sections pertaining to endpoint creation in Bomgar Privileged Access and Bomgar Vault.
  • If you use a mixture of shared and restricted credentials in your environment, walk through the steps of configuring endpoints in Bomgar Privileged Access and Bomgar Vault. Keep in mind, however, that endpoint configuration and association is not required for shared credentials.
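To make the two credential types concrete, here is an added Python model (not Bomgar code) of which credentials are offered when a user starts a session on a Jump Item. The credential names, usernames and endpoint names are constructed; the model assumes the endpoint comparison is an exact string match, which is why the text insists the name be identical in both applications.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class VaultCredential:
    """Model of a credential as configured in Bomgar Vault
    (added example, not a product data structure)."""
    name: str
    permitted_users: FrozenSet[str]   # users granted permission in Vault
    endpoint: Optional[str] = None    # None = Shared; a name = Restricted


def injectable_credentials(credentials: List[VaultCredential],
                           user: str,
                           jump_item_name: str) -> List[VaultCredential]:
    """Credentials offered to `user` on the Jump Item named `jump_item_name`.

    Applies the two rules from the text: the user must hold permission on the
    credential in Vault, and a Restricted credential's endpoint must equal the
    Jump Item name exactly. Shared credentials ignore the endpoint entirely.
    """
    offered = []
    for cred in credentials:
        if user not in cred.permitted_users:
            continue                      # rule common to both types
        if cred.endpoint is None or cred.endpoint == jump_item_name:
            offered.append(cred)          # Shared, or Restricted with a match
    return offered


# Constructed sample data (not from the page).
SAMPLE_CREDENTIALS = [
    VaultCredential("web01-local-admin", frozenset({"jsmith"}), endpoint="web01"),
    VaultCredential("db01-sa", frozenset({"dba"}), endpoint="db01"),
    VaultCredential("shared-svc-account", frozenset({"jsmith", "dba"})),
]


def offered_names(user: str, jump_item_name: str) -> List[str]:
    """Names of the credentials the sample set would offer."""
    return [c.name for c in injectable_credentials(SAMPLE_CREDENTIALS, user, jump_item_name)]


if __name__ == "__main__":
    print(offered_names("jsmith", "web01"))   # restricted match plus shared
    print(offered_names("jsmith", "WEB01"))   # case mismatch: shared only
    print(offered_names("dba", "web01"))      # no permission on web01: shared only
```

The second call is the case to watch for: a Jump Item named WEB01 in PA does not match an endpoint named web01 in Vault under exact comparison, so only the shared credential is returned and the restricted one silently disappears.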

Choose a Jump Item for the Privileged Access and Vault Integration

Note: If you are a Vault Go! customer, this section does not apply.

Note: If you are using a shared credential for the integration or only shared credentials in your environment, this section does not apply.

In Bomgar PA, you must already have a Jump Item configured and deployed on the system on which you wish to use the Bomgar PA and Bomgar Vault integration for credential injection. Bomgar Vault requires that a credential be associated with an endpoint in order to inject it, and the same endpoint must be configured in both PA and Vault. You can meet this requirement with a Jump Item you have already deployed in PA or by deploying a new Jump Item through the PA interface.

Select an Existing Jump Item from the Privileged Access Console

Note: If you are a Vault Go! customer, this section does not apply.

Note: If you are using a shared credential for the integration or only shared credentials in your environment, this section does not apply.

If you have an existing Jump Item you can use for the integration, follow these steps.

  1. Log into the PA access console.
  2. Locate the Jump Items list.
  3. Click once on the Jump Item whose endpoint details you want to view.

Note: Click on the Jump Item once. If you double-click the Jump Item, the access console starts a session with it.

  4. Review the Jump Item details in the Details pane on the right and note the endpoint's name and IP address in an easy-to-access place.
  5. Log out of the PA access console.

 

Deploy a New Jump Item

Note: If you are a Vault Go! customer, this section does not apply.

Note: If you are using a shared credential for the integration or only shared credentials in your environment, this section does not apply.

If you are new to PA or have not yet deployed the Jump Item you need for the integration, you can deploy a new Jump Item through several methods. To learn more about deploying Jump Items, see Deploy Jump Clients from the Administrative Interface. Once you have deployed your new Jump Item, follow the steps in the section above to proceed with the integration.