Requirements and technology – Security

Password Server Connector

How to achieve maximum security for administrative accounts

 

Password servers are infrastructure components that centrally manage user, application and system passwords, renew them automatically and make them available to front-end and back-end applications. A password server manages various safes in which the necessary account information is stored. Each application's access can be restricted to a specific safe.

ScriptRunner supports central password safes and password servers to provide more security for your credentials. ScriptRunner can be connected to the following password servers via connectors:

  • CyberArk Password Vault
  • Pleasant Password Server
  • Thycotic Secret Server


Separation of roles and administrative rights

Use only in the PowerShell process

When a script starts, a Windows background process for PowerShell starts on the ScriptRunner host. The background process receives a temporary token, which it uses to access the password safe. The associated credential is retrieved via a reference ID.

Token & Reverse Proxy

In addition to the token mechanism, a reverse proxy mechanism can also be used. It uses a reverse request to ensure that only a previously defined and characterized process may submit a password request. Only a request from this process is forwarded to the password server and answered by the password safe proxy.

Controlled access to password safe

With this procedure, account information is no longer available on the ScriptRunner host. Only the reference ID to the credential in the password safe remains.

Perfect connection

The connection between ScriptRunner and the password server system is established via a connector. The connection is configured with a PowerShell cmdlet.