Hitachi ID Privileged Access Manager includes a web services API. This is used to onboard and remove systems and applications, to interact with workflow requests (submit, approve, cancel, etc.) and to retrieve plaintext passwords if authorized, for example to replace those embedded in applications and scripts.
The Privileged Access Manager API is accessed as a SOAP web service over HTTPS or a RESTful service with customer-definable method functions, also over HTTPS.
For example, Privileged Access Manager may randomize an Oracle DBMS login password every 24 hours. Web applications which use the password to establish database connections can periodically sign into Privileged Access Manager with their own credentials (see below) and retrieve the current value of this password.
An important design consideration when implementing a privileged password retrieval API is how the client which requests password disclosure (the web application in the above example) authenticates itself to the web service. Privileged Access Manager secures this process with a combination of access controls, one-time passwords and network address validation:
- API clients each have their own ID, used to sign into Privileged Access Manager.
- These IDs are attached to console user groups and assigned access rights to privileged accounts managed by Privileged Access Manager. This allows Privileged Access Manager to determine which passwords a given ID is allowed to retrieve.
- API client login IDs are assigned one-time passwords (OTPs). In effect, the password used by the client software to sign into the Privileged Access Manager API changes to a new, random string after each successful login by the client application into the Privileged Access Manager web service.
- API client login IDs are linked to IP subnets. An API client can only sign into the Privileged Access Manager web service from an IP address in the correct range.
An "API wrapper" library is provided to simplify use of the Privileged Access Manager web service. Different versions of the library are provided for a variety of runtime platforms and programming languages, such as .NET, Java, Linux/C, etc. This wrapper code performs several functions:
- Storing the one time password (OTP) used to authenticate to the API.
- Serializing access to the API, so that the OTP is always valid (avoiding race conditions where two threads receive two OTP values at almost the same time).
- Keeping cached copies of passwords previously retrieved from the API, along with cache expiry time. This improves system performance as calls to the wrapper library do not always trigger web services calls to Privileged Access Manager. This also ensures service resilience, in the event that Privileged Access Manager becomes temporarily unavailable.
- Encrypting both the OTP and locally cached passwords.
Encryption of the OTP and cached passwords implies an encryption key. The API wrapper libraries support a variety of methods to produce this key, all of which are intended to fingerprint the authorized application and its runtime environment. This includes:
- A static key (e.g., embedded into the application or configuration file) -- useful during development or debugging.
- A key generated from characteristics of the machine on which the application runs, such as its MAC addresses, IP addresses, hostname, etc.
- A key generated from characteristics of the program which is calling the API (i.e., a cryptographic hash of the program itself).
- Hashes of configuration files and command-line arguments.
The objective of these key generation mechanisms is to lock down the application and its runtime, so that only the approved application running on an approved system will be able to retrieve a password from Privileged Access Manager or from the local cache. An attacker who compromises the system running an application should be prevented from adding logging statements to display the retrieved password, from moving the application to another server and retrieving passwords there, from running the program with different command-line arguments or configuration files, so that it prints the password to a log file, etc.
Hitachi ID Systems is happy to provide new versions of this wrapper library for different run-times or programming languages based on customer demand.
The wrapper library is also provided in command-line form, suitable for
use in scripts and for troubleshooting.