Creating Adaptable Credentials
Adaptable Credentials automate the retrieval of secrets from your third-party password vaults without compromising the security of your secrets.The Adaptable Credential driver lets you create username/password and password credentials for retrieving their associated secrets that are stored by your third-party password vault. After creating your credentials, you assign them to certificates, applications and devices. During certificate enrollment and provisioning, their associated secrets are retrieved from the vault and are never stored in Trust Protection Platform.
Adaptable drivers depend on a Microsoft PowerShell script hosted in your local environment to execute functions corresponding to standard certificate lifecycle stages or Trust Protection Platform events. Typical of other adaptable drivers, you use a customized PowerShell script for each vault from which it can retrieve required details, including user names, paths, accounts names, etc. You specify which details to retrieve using the custom fields portion of the script.
To learn more about Venafi Adaptable Drivers and PowerShell scripts, see About Venafi Adaptable Driver PowerShell scripts.
First things first
Before you continue, consider the following prerequisite steps:
Depending on your role in using Adaptable Credentials, you'll either need someone to provide you with a customized Adaptable Credential PowerShell script, or you'll need to create one.
If your role is to create the script, then you can begin by using Template.ps1 (included in the drive:\Program Files\Venafi\Scripts\AdaptableCredential folder on your Trust Protection Platform server), or by downloading the HashiCorp Vault sample reference script from marketplace.venafi.com.
To get started, see PowerShell script reference for Adaptable Credential .
However you choose to create the script, it must be customized to your third-party password vault and placed in the correct folder of your Trust Protection Platform server before you can successfully create your new credentials.
Make sure you have View, Write, and Create permissions to the folder where you plan to create your new credential object.
Getting started
With your customized Adaptable Credential PowerShell script placed in the /Venafi/Scripts folder on your Trust Protection Platform server, you're ready to set up your Adaptable Credential to automate the retrieval of secrets from your vault.
Complete the following tasks:
Step 2: Create and configure an Adaptable Credential in Aperture
Step 3: Assign your new credentials to certificates, applications or devices
Step 1: Create an Adaptable Credential connector in VCC
A connector is required if you want to connect Trust Protection Platform to your password vault. Connectors are configured in VCC and are essential for connecting Trust Protection Platform with third-party software and hardware.
When you create an Adaptable Credential connector, you'll select your PowerShell script and specify settings for connecting Trust Protection Platform with your third-party password vault.
TIP The Adaptable Credential Connector is visible to all Venafi Trust Protection Platform servers that connect to the same database.
To create an Adaptable Credential Connector
On the Venafi Trust Protection Platform server, open the Venafi Configuration Console (VCC), and then open the Connectors node.
In the Actions panel, click Create Adaptable Credential Connector.
(Conditional) If requested, enter your Trust Protection Platform administration credentials.
In the Create Adaptable Credential Connector, do the following:
In Connector Name, type a unique and descriptive name for your new connector.
(Optional) In Description, type a description of your new credential.
A strong description can be useful in helping other administrators better understand the purpose of your new object (such as certificates, jobs, credentials, devices, trust stores, etc.), or to remind yourself later why you created it.
Under PowerShell Script, select your custom Adaptable Credential PowerShell script.
If your script is not found in the list, it means that it hasn't yet been placed in the correct folder of your Trust Protection Platform server. See Getting started.
(Conditional) Under Connection details, type the service address and credential needed to connect to your access management platform.
(Optional) Under Identities with access to this connector, select those users and groups who should be allowed to create Adaptable Credentials using your connector.
(Conditional) If this is the first time you're creating an Adaptable Credential connector, then restart the Policy Tree application pool on all Trust Protection Platform web servers.
Step 2: Create and configure an Adaptable Credential in Aperture
With both your Adaptable Credential PowerShell script and connector in place, you can now use Aperture to create your Adaptable Credentials.
To create an Adaptable Credential
- From the TLS Protect menu bar, click Inventory > Credentials, and then click Create a New Credential.
Click the Credential Type list and select Adaptable Credential.
- Click Folder and select the policy folder in which to create your new credential.
In Credential Name, type a unique name for the new credential object, and then click Create and Configure.
- In Edit Credential Settings, click Credential Connector and select the Adaptable Credential connector that you created previously.
- Click the Credential Type list and select either Password Credential or Username Password Credential.
(Conditional) Complete all required custom fields related to your password vault.
These fields are defined by your PowerShell script and should describe which secrets are to be retrieved from your password vault. If you did not write your script and have questions, contact the person who created the script for you.
(Optional) In Description, type a description of your new credential.
A strong description can be useful in helping other administrators better understand the purpose of your new object (such as certificates, jobs, credentials, devices, trust stores, etc.), or to remind yourself later why you created it.
(Optional) Click Contacts and select one or more users or groups to whom you want default system notifications to be sent.
The default contact is the master administrator.
For more information about selecting contacts in Trust Protection Platform, see Specifying who should get default system notifications.
- When you're finished, click Save.
Step 3: Assign your new credentials to certificates, applications or devices
By now, your Adaptable Credentials are ready to use. Because you can use your new credentials with several other types of objects in Trust Protection Platform, here are just a few ways you can use them in Trust Protection Platform:
Authenticating to certificate authorities
Setting the encryption password for private keys
Setting the registration password for Server Agents
Authentication to your Email server for Notifications
How the SSH Protect product authenticates to SSH Servers for managing SSH Keysets agentlessly