Vault Functionality

Centrify provides "vault" functionality allowing you to store and manage passwords that can be checked out, eliminating the need to store passwords in local computer resources such as scripts, files, etc. In order to access the vault, you must:

You can then use the commands described in Agent Functionality and Commands to perform operations, including accessing the vault.

Enroll a Computer with Centrify Identity Services

Enroll a computer via the Admin Portal:

  1. Log in to the Admin Portal of your tenant.
  2. Navigate to Infrastructure > Systems.
  3. Click Add System and proceed through the Add System Wizard to provide the computer's details.
  4. Navigate to Infrastructure > Systems > Accounts and add an account to the newly added system. This account corresponds to the system account on the enrolled computer that will access the vault.
  5. Ensure that the new account has the Checkout permission enabled and save the account.

Download and Install the CClient Agent

The Centrify CClient Agent package is required in order to access the vault. The package is installed on a computer that is enrolled with Centrify Identity Services and includes a number of command-line utilities, including commands to access the vault.

To obtain and install the package:

  1. Log in to the Admin Portal on your tenant.
  2. Navigate to Downloads and locate the Agents section.
  3. Locate the agent row that corresponds to the platform of the computer to enroll.
  4. Click Download to download the Agent installer.
  5. Run the installer on the enrolled computer.

Agent Functionality and Commands

This section highlights some of the key CClient commands that can be used for interacting with the vault from the enrolled computer.

For a complete list of commands see Commands included with the Agent.

Note: ensure that the Agent package is running on the enrolled computer before continuing.

Enrolling a Computer

The cenroll command enrolls a computer with Centrify Identity Services:

cenroll -t mytenant.my.centrify.com -c <enrollment code> --features aapm

cinfo

The cinfo command shows information about the computer and the enrolled service account that is in use:

cinfo

The information returned includes the vault URL, the enrolled service account that is currently accessing the vault, the system name, IP address, owner, and tenant (customer) ID:

Enrolled in: https://mytenant.my.centrify.com/
Enrolled as:
     Service account: mytenant.centrify.vms$testuser.com
     Resources name:  mytenant.centrify.vms
     IP/DNS name:     mytenant.centrify.vms
     Owner:           AWS_Linux_Login (Type: Role)
Customer ID: AAA1234

Checking out a Password

Checking out a Password with cgetaccount

The cgetaccount command checks out a password for a user on the computer enrolled with Centrify Identity Services.

Example 1
The following example shows the command to check out a password:

cgetaccount mylocalcomputer.centrify.vms/localadmin

Enter "y" when the prompt is displayed indicating a password checkout is about to occur. The output will look similar to the following.

Note: you can include the --verbose argument to output additional details.

Password for account "localadmin" will be checked out. The checkout will be logged and expire in 1 minute.
Do you want to continue and display the password? (y/n) y
Password for localadmin: abc1234

Example 2
The following command retrieves the password for an Oracle account on the MACHINE1 system, keeps the password checked out for 10 minutes, includes a confirmation step, and displays the password on the console:

cgetaccount -t 10 MACHINE1/oracle

Example 3
The following example shows a shell script that retrieves the password for the local account oracle on the system MACHINE1 to perform a backup. The password is checked out for 10 minutes and is displayed on the console:

# Check the password out silently (-s, no confirmation prompt) for 10 minutes (-t 10)
PASSWORD=$(cgetaccount -s -t 10 MACHINE1/oracle)
if [ $? -eq 0 ]; then
   # run_backup.sh stands for the backup job that consumes the checked-out password
   run_backup.sh MACHINE1/oracle "$PASSWORD"
else
   echo "Failed to run cgetaccount to get password for oracle account."
fi
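A variant of the Example 3 script, added here as an illustration and not taken from the Centrify documentation: the checked-out password is handed to the backup job on stdin rather than as a command-line argument, so it is not visible in process listings or shell history, and a failed or empty checkout is reported instead of silently running the job without credentials. It assumes only the cgetaccount flags shown on this page (-s for no prompt, -t for the checkout lifetime in minutes).

```shell
#!/bin/sh
# Added example: check out a vault password with cgetaccount and pass it to a
# job on stdin instead of argv. Assumes cgetaccount -s (silent) and
# -t <minutes> (checkout lifetime) as documented on this page.

# checkout_and_run ACCOUNT MINUTES COMMAND [ARGS...]
# Checks ACCOUNT out for MINUTES, runs COMMAND with the password on its
# stdin, and returns 1 if the checkout failed or produced no password,
# otherwise the exit status of COMMAND.
checkout_and_run() {
    account=$1
    minutes=$2
    shift 2
    # The assignment's exit status is that of cgetaccount itself.
    if ! password=$(cgetaccount -s -t "$minutes" "$account"); then
        echo "Failed to run cgetaccount to get password for $account." >&2
        return 1
    fi
    if [ -z "$password" ]; then
        echo "cgetaccount returned an empty password for $account." >&2
        return 1
    fi
    # Deliver the secret through a pipe; it never appears on a command line.
    printf '%s\n' "$password" | "$@"
    status=$?
    # Drop the secret from the shell as soon as the job has consumed it.
    unset password
    return $status
}
```

A backup job used with this helper reads the password from its standard input, for example `checkout_and_run MACHINE1/oracle 10 ./run_backup.sh MACHINE1/oracle`, where run_backup.sh is a hypothetical script that reads one line from stdin.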

Checking out a Password Programmatically

A password can be checked out programmatically as described in Check Out a Password.

Updating an Account Password

The csetaccount Agent command can be used to update a user account, including its password, from the enrolled computer.

Example 1
The following example stores the root password in Centrify Privileged Access Service interactively (i.e. it prompts for confirmation before storing the password):

csetaccount root

Example 2
The following example shows the commands to store the root password in Centrify Privileged Access Service non-interactively. The password is managed and is automatically rotated every day at the same time. In this example, policy.conf contains the settings password rotation=true and password rotation interval=1:

cenroll -o policy.conf

csetaccount --stdin root < "/root/secure_file"

Centrify HashiCorp Vault Integration

The Centrify Identity Service is integrated with HashiCorp Vault for role-based user authentication and access to the Vault. For more information see this blog.