SECRET SERVER FEATURE: Advanced Scripting
Integrate custom and 3rd-party apps
Web Services API
Secret Server has both SOAP and REST web services APIs. These APIs can be integrated using .NET, Java, Python, Ruby, PowerShell scripting languages.
With the web services API you can build custom workflows, such as automatically creating secrets for new accounts, and tie DevOps build and deployment processes to stored accounts in Secret Server.
Secret Server SDK
The SDK establishes secure access points so that power users can employ Secret Server’s robust API directly through the Command Line, without taking time away to enter privileged account passwords.
The SDK is a console application written in .NET Core that wires up its own credentials based on the machine it is installed on. Those credentials, or “DevOps Users,” don’t have any rights in Secret Server but can be assigned to other Secret Server users or application user accounts, essentially mimicking permissions in order to access secrets. This removes the widespread problem for DevOps team members to hard-code credentials into scripts and configuration files. Instead, the target system will be registered via IP address and added to an allow list, which will allow REST authentication without entering user credentials. The SDK client can be used to retrieve a REST user token for typical REST API use; alternatively, users can utilize the SDK client to perform direct queries against Secret Server.
Client System Requirements:
- Must be running Secret Server 10.4
Types of Operating Systems:
- win10-x64 (Windows 10)
- centos-7-x64 (CentOS 7)
- 7-x64 (Red Hat Enterprise 7)
- 16.10-x64 (Ubuntu 16.10)
- 10.12-x64 (Mac OS 10.12)
Powershell Password Changing
With this feature, IT Admins can upload custom PowerShell scripts to gain greater flexibility for Dependencies and Check Out. They can then set the scripts to run as post-password change actions so applications that rely on the account can be updated or environmental changes can be made.
PowerShell scripts can also run as before and after Hooks when a Secret is checked out, and the Hooks can be used to guarantee that external systems are set to full audit when in use by a Secret Server user.
Secret dependencies are items that rely on the username, password, or SSH private key stored in the secret. They are automatically updated when the secret’s password is changed, ensuring they are up to date with the account on which they depend. File dependencies allow text files with embedded credentials to be changed via Regex.
The supported dependency types are IIS application pools, IIS application pool recycle, scheduled tasks, windows services, passwords embedded in .ini, .config, and other text files. Custom dependencies can be created using SSH, PowerShell, or SQL scripts.
Custom Ticket System Integration
Secret Server can integrate with your ticketing system via PowerShell. This integration includes validating ticket numbers, their status, and adding comments.
Secret Server can integrate with ServiceNow’s Incident and Change Management service. This integration includes validating ticket numbers, their status, and adding Work Detail items to the request. The integration with ServiceNow leverages the out-of-the-box REST-based Web services.
DevOps Secrets Vault
If you have a complex DevOps environment that utilizes continuous integration/continuous delivery (CI/CD), try Delinea DevOps Secrets Vault, a high-velocity vault capable of high-speed secrets creation, archiving, and retrieval. It automates secrets management via the command line or REST API and is built on an AWS serverless architecture. Dynamic secrets management delivered as a service empowers you to adopt modern DevOps principles easily, quickly and securely.
Discovery can also be extended using PowerShell to find privileged accounts in your IT environment if Secret Server doesn’t have an out-of-the-box connector. Discovery scanners can run custom PowerShell scripts as well as our built-in scanners for Active Directory, UNIX, and VMWare ESXi. You can use one or more built-in or custom scanners at each step of the discovery process: host range discovery, machine discovery, local account discovery, and dependency discovery. As a result, you can now determine which dependencies are scanned for each Active Directory domain rather than globally on the Discovery Configuration page.
Learn more about Scriptable Discovery.