Centrify provides "vault" functionality allowing you to store and manage passwords that can be checked out, eliminating the need to store passwords in local computer resources such as scripts, files, etc. In order to access the vault, you must:
You can then use the Agent's Functionality and Commands to perform operations including accessing the vault.
Enroll a Computer with Centrify Identity Services
Enroll a computer via the Admin Portal:
- Log in to the Admin Portal of your tenant.
- Navigate to Infrastructure > Systems.
- Click Add System and proceed through the Add System Wizard to provide the computers details.
- Navigate to Infrastructure > Systems > Accounts and add an account to the newly added system. This account corresponds to the system account on the enrolled computer that will access the vault.
- Ensure that the new account has the Checkout permission enabled and save the account.
Download and Install the CClient Agent
The Centrify CClient Agent package is required is order to access the vault. The package gets installed on a computer that is enrolled with Centrify Centrify Identity Services and includes a number of command-line utilities include commands to access the vault.
To obtain and install the package:
- Log in to the Admin Portal on your tenant.
- Navigate to Downloads and locate the Agents section.
- Locate the agent row that corresponds to the platform of the computer to enroll.
- Click Download to download the Agent installer:
- Run the installer on the enrolled computer.
Agent Functionality and Commands
This section highlights some of the key CClient commands that can be used for interacting with the vault from the enrolled computer.
For a complete list of commands see Commands included with the Agent.
Note: ensure that the Agent package is running on the enrolled computer before continuing.
Enrolling a Computer
The cenroll command enrolls a computer with Centrify Identity Services:
cenroll -t mytenant.my.centrify.com -c <enrollment code> --<features> aapm
The cinfo command shows information about the computer and the enrolled service account that is in use:
The information returned includes the vault URL, the enrolled service account currently that is accessing the vault, the system name, IP address, owner, and tenant (customer) ID:
Enrolled in: https://mytenant.my.centrify.com/ Enrolled as: Service account: mytenant.centrify.vms$testuser.com Reources name: mytenant.centrify.vms IP/DNS name: mytenant.centrify.vms Owner: AWS_Linux_Login (Type: Role) Customer ID: AAA1234
Checking out a Password
Checking out a Password with cgetaccount
The cgetaccount command checks out a password for a user on the computer enrolled with Centrify Identity Services.
The following example shows the command to check out a password:
Enter "y" when the prompt is displayed indicating a password checkout is about to occur. The output will look similar to the following.
Note: you can include the
--verbose argument to output additional details.
Password for account "localadmin" will be checked out. The checkout will be logged and expire in 1 minute. Do you want to continue and display the password? (y/n) y Password for localadmin: abc1234
The following command retrieves the password for an Oracle account on the MACHINE1 system, keeps the password checked out for 10 minutes, includes a confirmation step, and displays the password to on the console:
cgetaccount -t 10 MACHINE1/oracle
The following example shows a shell script that retrieves the password for the local account oracle on the system MACHINE1 to perform a backup. The password is checked out for 10 minutes and is displayed on the console:
PASSWORD=$(cgetaccount -s -t 10 MACHINE1/oracle) if [un_backup.sh;MACHINE1/oracle $PASSWORD . else echo "Failed to run cgetaccount to get password for oracle account." fi
Checking out a Password Programmatically
A password can be checked out programmatically as described in Check Out a Password.
Updating an Account Password
The csetaccount Agent command can be used to update a a user account including its password from the enrolled computer.
The following example stores the root password in Centrify Privileged Access Service interactively (i.e. it prompts for confirmation before storing the password):
The following example shows the commands to store the root password in Centrify Privileged Access Service non-interactively. The password is managed, and is automatically rotated every day at the same time. In this example,
policy.conf contains the setting
password rotation=true, password rotation interval=1:
cenroll -o policy.conf csetaccount --stdin root < "/root/secure_file"
Centrify HashiCorp Vault Integration
The Centrify Identity Service is integrated with HashiCorp Vault for role-based user authentication and access to the Vault. For more information see this blog.
Updated over 3 years ago