Manage credentials securely with password servers – Integration of ScriptRunner and Pleasant

Most password servers are designed so that systems (if they do not support Managed Service Accounts) are set up so that the password server changes the password in Active Directory. Subsequently, the service under which the account runs will also be set up. Of course, this is only an auxiliary solution, but it is still today’s way for many systems.

Therefore, many ScriptRunner customers asked for the integration of password servers. Starting from the version ScriptRunner 2018R3 this wish was realized. I had such a customer and therefore took a closer look at this new feature. Of course, I was particularly interested in the user administration and the structure of the connectors.

But let’s start with the simple part. First we take a look at the password server to understand what exactly is possible with it.

Example: Pleasant Password Server

As an example I have looked at the Pleasant password server. ScriptRunner also supports the password servers of CyberArk and Thycotic.

The more complicated a password is, the more secure it is, but also more difficult to remember. Many companies therefore use tools such as KeePass, in which all passwords are stored. Here you only have to remember the master password. Alternatively, a password-protected Excel file with the passwords can be found on a network drive – all in all not really nice, and also not very secure. A password server is a great solution for storing passwords securely, encrypted and centrally. But one should still play through the thought from beginning to end. A password server is not really secure as long as the local admin has full access to  the database, is authorized in the application and the password of the local admin is „Admin1234” as well.

Pleasant has developed a password server for this purpose. This server is used by many companies and integrates perfectly into KeePass.

ScriptRunner and Password Server

By default, ScriptRunner supports the local Windows Credential Manager for storing the necessary passwords. The disadvantage of using Credential Manager is that the passwords are stored locally on the machine and cannot be shared. Therefore, only the user under whom the passwords are created can see and administer them.

This means that once the user under whose account the credentials were stored has been compromised, the attacker has access to the passwords stored under this user.

This is exactly why the support of password servers in ScriptRunner is so important, because ScriptRunner is the hub for administrative tasks in many companies. Password sharing is a common scenario as well, because to test a function you often want to test the user under which the action is executed. In addition, for security reasons it is mandatory for many companies to change passwords at regular intervals. A manual postprocessing in connection with ScriptRunner should be avoided.

Explanation: Communication ScriptRunner – Password Server

The communication between ScriptRunner and Pleasant runs in the following 4 steps:

1. A user/admin starts an action through the ScriptRunner web interface
2. ScriptRunner recognizes that the action is executed by an account managed by a password server and asks for the password.
3. The password server returns the password to ScriptRunner.
4. ScriptRunner executes the action with the managed user.

Password Server Connector

In order to accomplish this task, a new type of connector has been available since version 2018R3 – the Password Server Connector. Currently, we have three manufacturers in our product range: Pleasant, CyberArk and Thycotic. The inclusion of further password servers is planned.

Step-by-step: How to Set Up the Password Server Connector

In order to connect a password server to ScriptRunner, the password server connector must first be set up. This is done with PowerShell on the ScriptRunner host.

With “Get-ASRPasswordServerConnector” the current configuration can be queried.

Configuration

To set up a new connector, you can use the Set-ASRPasswordServerConnector cmdlet.

!Attention – this will restart the service!

Setting up a password server connector

View in the ScriptRunner AdminApp

Usage

If the password server is set up successfully, credentials of the password server can be used. For this purpose, the ID from the direct link must be used for Pleasant.

Entry in Pleasant

Testing the configuration

To test the correct installation and configuration of the password server, I created a small action in ScriptRunner.

Creation of a credential in ScriptRunner

First, a credential is created in the action to connect to a user and password. The password server was used and the ID from the direct link was entered. This ID must be unique.

After creating the credential, a target is created for which the credentials are used.

Creation of a target in ScriptRunner

When creating the credential, the only difference compared to the system without a password server is that I put the account right behind the credential.

Creating a script for an action

For testing purposes, I created an action to view account information from the Active Directory.

Creating an Action in ScriptRunner

Select a target in the Action

If the communication between password server and ScriptRunner works, the action can be executed. There is no difference in time. But here there are dependencies concerning the configuration of the password server and the infrastructure.

Report I

Report II

Conclusion

This was a short introduction to the password server connector of ScriptRunner in connection with Pleasant.

Have fun with this feature and happy automation 🙂