Configure the Bomgar Vault Instance for the Bomgar Privileged Access Integration

Once you have configured all of the necessary parts in Bomgar Privileged Access (PA), configure your Vault instance.

Create the Privileged Access User in Vault

The administrative user you selected or created in Bomgar Privileged Access must also be a user within Bomgar Vault. In Bomgar Vault, users are granted permissions to perform certain actions on a credential, such as create, delete, modify, and check out, via credential policies (Credentials > Credential Policies). In order for a privileged user to perform credential injection through the access console in Bomgar PA using a credential stored in Bomgar Vault, the user must have permission to check out that specific credential in Bomgar Vault. This is why the user must exist in both instances. To create a user in Bomgar Vault, follow the steps below.

New User Button

  1. Go to Administration > Users.
  2. Click New User.

    The Users section where you can add, edit, or delete users from Vault.

  3. Type in the username as seen in Bomgar PA.
  4. Type in the complete name of the user.
  5. Verify that the user's status is Active.
  6. Click New Auth Method.

    Administration > New User > User > Authentication Method

  7. Select the authentication method that is relevant for both PA and Vault from the dropdown.
  8. Click Accept.

Note: To learn more about authentication methods, please see the Authentication Settings for Bomgar Vault.

     

    Roles

  1. Next, click on the Roles tab.
  2. Click once on the role or roles you wish to assign to the user.
  3. Click the > arrow to assign the role to the user.

Note: To learn more about user roles, please see User Security Roles.

     

    User and User Groups

  1. If you have user groups configured in Bomgar Vault, click on the User Groups tab.

Note: It is not required for you to have user groups configured for the integration. However, it is highly recommended that you create user groups for your Vault instance to make managing users simpler. To learn more about user groups, please see Create User Groups.

  2. From the list, click once on the user group or groups you wish your user to be assigned to.
  3. Click the > arrow to assign the group to your user.

    Contact Method

  4. Next, click on the Contact Method tab.
  5. In the Contact Info field, enter the user's email address as seen in Bomgar PA.
  6. Click Add.
  7. Click Save to save your user in Bomgar Vault.

Create the Privileged Access Jump Client as an Endpoint in Bomgar Vault

Note: If you are a Vault Go! customer, this section does not apply.

Note: If you are using a shared credential for the integration or only shared credentials in your environment, this section does not apply.

The Jump Client you configured in Bomgar PA must be created as an endpoint in Bomgar Vault. When credential injection is performed in the access console, the ECM looks at the user requesting access to the credentials as well as the endpoint being accessed in Bomgar Vault and returns credentials that are specific to both that user and that endpoint. To create an endpoint in Bomgar Vault, follow these steps.

Endpoints > New Endpoint

  1. Go to Endpoints > Endpoints.
  2. Click New Endpoint.
  3. Type in the name of the endpoint as seen in Bomgar PA.

Important: The endpoint name must match exactly the endpoint listed in PA. If your PA endpoint shows NetBIOS, use NetBIOS. If it uses the fully qualified name, use the fully qualified name.

  4. Include a description of the endpoint.
  5. Select the endpoint type from the dropdown.

Note: Depending on the endpoint type selected, you may be required to complete more information for the endpoint, such as SSL requirements or service information.

  6. Choose the network where the endpoint resides.
  7. Include the IP address of the endpoint.

Note: If you have endpoint groups configured in Bomgar Vault, you may assign the endpoint to an endpoint group. To learn more about endpoint groups, please see Create Endpoint Groups.

  8. Click Accept.

Create a Credential for the Endpoint in Bomgar Vault

Note: If you are a Vault Go! customer or are using a shared credential for the integration, the endpoint information discussed in this section does not apply to you.

Once the PA user and endpoint have been configured in Bomgar Vault, it is important to create a credential that can log into the endpoint. When configured in Bomgar Vault, the credential appears in the list of options that can be used for credential injection on the endpoint in the access console. To create the credential in Bomgar Vault, follow these steps.

Credentials > New Credential

  1. Go to Credentials > Credentials.
  2. Click New Credential.

    New Credential

  3. Under the Basic Information section, choose the credential type.
  4. Select a credential policy for your credential.

Note: Default credential policies are available for selection based on the credential type you select. If you wish to add your own custom credential policies, please see Create Credential Policies. If you receive a message stating, "You do not have permission on any credential policy," follow the steps provided in the next section.

  5. Select a directory from the dropdown.
  6. Select Restricted as the access type.

Note: If you are a Vault Go! customer or are using a shared credential for the integration, the endpoint information discussed in this section does not apply to you.

  7. Click Add Endpoints.
  8. From the Unassigned list, select the endpoint you just created.
  9. Click the > arrow.
  10. Click Accept.
  11. Type a description explaining the purpose of the credential.
  12. Enter the username and password for the credential.
  13. Retype the password to confirm it.
  14. Click Create.

Note: If you click the Advanced button, you can configure more options for your credential, such as permissions, automation rules, and check out policies. However, this is not required to initially create and test the PA and Vault integration.

Create Integration in Bomgar Vault

As in Bomgar PA, you must also configure an integration account in Bomgar Vault. This account is important because it provides you with the authentication credential or shared key you need to enable Vault's connection to the ECM. To create an integration account, follow the steps below.

Integrations

  1. Go to Administration > Settings > Integrations.
  2. Click New Integration.

Note: Only Name, Authentication credential, Status, Justification, and Justification for skipping workflow approval are required fields to establish a new integration account.

    New Integration

  3. Enter a name for the integration.
  4. If desired, type a description for the account.
  5. Make sure Active is selected as the status.
  6. Select Application Authentication.
  7. Enter an authentication credential for the integration.

Note: The authentication credential can be a new or existing credential. It is only for establishing Vault's connection to the ECM.

  8. Make a note of the credential in an easy-to-access place.
  9. Enter IP addresses that are allowed for this integration, such as the Vault server. Click Add IP Address.
  10. Select a checkout reason.
  11. Select a valid checkout request time.
  12. Enter a justification for checking out credentials using this integration.
  13. Enter a justification for skipping workflow approval when checking out credentials using this integration.
  14. Click Accept.