Integrating with Thycotic Vault

LogicMonitor stores sensitive information such as credentials and secrets for hosts, devices, and services. LogicMonitor also integrates with credential vaults, giving users better control over credential management through their own Credential Vault. The LogicMonitor Collector provides the integration with Thycotic as a Credential Vault solution. For more information, see the Thycotic Secret Server documentation.

Prerequisites

Thycotic Secret Server REST API:

The Thycotic Secret Server publishes REST API to manage various entities. For more information, see https://docs.thycotic.com/ss/10.9.0/api-scripting/rest-api-reference-download.

The Secret Server (SS) REST API guides are version-specific. Ensure that you refer to the Secret Server guide for your version.

The LM Thycotic Secret Server integration uses the OAuth2 token-based REST API of the Thycotic Secret Server. In this approach, you first obtain an OAuth2 token for authentication, and that token is then used to perform the various entity operations of the Thycotic Secret Server.

Configuring Thycotic Vault 

To configure the Thycotic vault, complete the following steps: 

1. Configure the vault properties on the devices. The properties consist of the vault metadata and vault keys. For more information, see the Thycotic Vault properties section.

2. Once the vault properties are configured, set the vault.bypass agent configuration to false.


Note: You can change the default agent configuration settings as required. For more information, see Thycotic Collector Agent Configuration Settings.

Thycotic Collector Agent Configuration Settings:

The following table lists the Collector agent configuration properties related to the vault.

vault.thycotic.session.timeout
    Type: Integer
    Default: 20 minutes
    Description: Specifies the interval, in minutes, for which the OAuth2 access token is valid. Once this duration has elapsed, the token becomes invalid.

vault.thycotic.max.tokenrefresh.allowed
    Type: Integer
    Default: 3
    Description: Specifies the maximum number of token refreshes allowed. A token refresh obtains a new access token for the user using the refresh_token information (without using the user credentials).

vault.thyotic.secret.path.name.id.cache.expiration
    Type: Integer
    Default: 20 minutes
    Description: Specifies the expiration duration for the cache that maintains the Secret Path (FolderName, SecretName) → Secret Id mapping. The Secret Path mapping approach of the lmvault keys uses this cache internally to retrieve the secret id based on the secret path.

You can view the agent configuration properties by navigating to Settings > Collector > click the gear next to the required collector name > Support > Collector Configuration.

Thycotic Vault properties

Vault properties, such as Vault Metadata and Vault Keys for the Collector, can be configured at the device or device group level.

Vault Metadata

The following table lists the Vault Metadata properties.

vault.meta.url
    The URL of the vault. This URL should contain the folder and application ID only.

vault.meta.type
    The type of the vault. Use the value Thycotic to connect to the Thycotic Secret Server.

vault.meta.th.user.pass
    The password for the Thycotic Secret Server account. This password is used to obtain the bearer authentication token using the Secret Server OAuth2 API.

vault.meta.th.user.name
    The username for the Thycotic Secret Server account. This username is used to obtain the bearer authentication token using the Secret Server OAuth2 API.

vault.meta.header
    The headers required for the HTTP GET request. The value of this custom property lists the headers separated by "&", with each header key and value separated by "=", as in the following example:
    vault.meta.header = Content-Type=application/json&Accept-Encoding=gzip, deflate, br
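The following added example (not LogicMonitor or Thycotic code) models two things described above: the Collector's OAuth2 token lifecycle against the Secret Server /oauth2/token endpoint, bounded by vault.thycotic.session.timeout and vault.thycotic.max.tokenrefresh.allowed, and the parsing of the vault.meta.header value format. The HTTP transport is injected and replaced by a constructed offline stub (FakeTokenEndpoint), and the Secret Server URL, user name and password are placeholders.

```python
def parse_vault_header(value):
    """Parse vault.meta.header: entries joined by '&', key and value split on '='."""
    headers = {}
    for entry in value.split("&"):
        key, sep, val = entry.partition("=")
        if not sep:
            raise ValueError("header entry is not key=value: %r" % entry)
        headers[key.strip()] = val.strip()
    return headers

class TokenSession:
    def __init__(self, post, base_url, user, password, timeout_minutes, max_refresh, clock):
        self.post, self.url = post, base_url.rstrip("/") + "/oauth2/token"
        self.user, self.password, self.clock = user, password, clock
        self.timeout, self.max_refresh = timeout_minutes * 60, max_refresh
        self.access_token = self.refresh_token = None
        self.expires_at, self.refreshes = 0.0, 0

    def _grant(self, form):
        body = self.post(self.url, form)     # Secret Server answers with access/refresh tokens
        self.access_token, self.refresh_token = body["access_token"], body.get("refresh_token")
        self.expires_at = self.clock() + self.timeout   # Collector setting, not expires_in

    def bearer(self):
        """Authorization header; after timeout, refresh while allowed, else re-authenticate."""
        if self.access_token is None or self.clock() >= self.expires_at:
            if self.refresh_token and self.refreshes < self.max_refresh:
                self._grant({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
                self.refreshes += 1          # no user credentials on the wire
            else:
                self._grant({"grant_type": "password", "username": self.user, "password": self.password})
                self.refreshes = 0           # fresh password grant resets the refresh budget
        return {"Authorization": "Bearer " + self.access_token}

class FakeTokenEndpoint:                   # constructed offline stand-in for POST /oauth2/token
    def __init__(self):
        self.grants = []
    def __call__(self, url, form):
        self.grants.append(form["grant_type"])
        n = len(self.grants)
        return {"access_token": "tok%d" % n, "refresh_token": "ref%d" % n, "expires_in": 1200}

def demo():
    """Drive the session across six 20-minute timeouts; return the grant types sent."""
    now, endpoint = [0.0], FakeTokenEndpoint()   # placeholder URL and credentials below
    session = TokenSession(endpoint, "https://ss.example/SecretServer", "svc-user", "svc-pass",
                           20, 3, lambda: now[0])
    for _ in range(6):
        session.bearer()
        now[0] += 20 * 60                  # advance the clock by one session timeout
    return endpoint.grants
```

With the defaults of 20 minutes and 3 refreshes, the sequence shows one password grant, three refresh grants, and then a fresh password grant once the refresh budget is exhausted.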

Configuring Thycotic lmvault.keys

You can configure lmvault.keys in the following two ways:

1. Secret id: The lmvault key value can be configured with the secret id. This is the most efficient method and is recommended by Thycotic.

2. Secret path: LogicMonitor provides another out-of-the-box approach for configuring the lmvault.key value, in which the lmvault value consists of the secret path and secret name.

LogicMonitor calls the Thycotic API to get the secret id for these secret paths, and these secret ids are further used for the credentials retrieval. 

Note: As this approach requires additional API calls, use it only when required.

Example:

LogicMonitor provides the two approaches for the secret id retrieval using the secret path: 

1. Default Approach: LogicMonitor searches the folders and secrets. In this approach, the folders and the secrets are searched to build the secret_path_name relation with the secret id.

2. Thycotic Reporting: LogicMonitor uses Thycotic reporting to retrieve the secret id using a secret path. This is an efficient approach for the secret path as compared to the Default Approach. 

Note: Ensure that you can access the Thycotic Report “What secrets a user can see” in the Thycotic Secret Server portal. For more information on configuring the Thycotic reports, see Configuring Thycotic Report Properties.

Configuring Thycotic Report Properties

To configure Thycotic report properties, complete the following steps:

1. Navigate to Settings > Collector > select the required collector and click the Gear icon.

2. On the Manage Collector dialog box, select Collector Configuration from the Support drop-down list.

3. Click the Agent Configurations tab and enter the following Thycotic report properties:

vault.thycotic.secret.report.access.enabled
    Type: Boolean
    Default: false
    Details: Specifies whether Thycotic Secret Server report access is enabled. Ensure that all access required for reporting (access to users, reports, and so on) is granted before enabling this property; otherwise, it may result in an API Access Denied issue.

vault.thycotic.secret.report.id
    Type: Integer
    Default: None. Note: You must provide the correct report id value.
    Details: Specifies the report id of the report "What Secrets a User can see", which is a system report for secrets.

Troubleshooting

1. How do I confirm the API using Postman?

Ans: The LogicMonitor Thycotic Secret Server integration uses the OAuth2 token-based REST API of the Thycotic Secret Server. You receive an OAuth2 token for authentication, which is then used to perform the various entity operations of the Thycotic Secret Server. The APIs can be confirmed using Postman. To confirm the APIs using Postman, refer to the following images:


Note: For more information on REST APIs, see Thycotic Secret Server REST API.

2. How do I get the collector vault logs?

Ans: To get the collector vault logs, use the !tail debug command. The vault logs are part of the wrapper.log file, which you can access directly. For more details, refer to the following screenshot:


3. How do I enable the debug logs for the vault to get more data?

Ans: To enable the debug logs for the vault, complete the following steps:

1. Navigate to Settings > Collectors > select the required collector.

2. On the Manage Collector, select Collector Configuration from the Support drop-down list.

3. Click the Agent Config tab and set the logger.level value to debug.

4. Once you have added the configuration details, click on Save and Restart.
Refer to the following image:
