Integrating with Thycotic Vault

LogicMonitor stores sensitive information, such as credentials and secrets, for hosts, devices, and services. LogicMonitor also integrates with credential vaults, which gives users better control over credential management by keeping the credentials in their own vault. The LogicMonitor Collector provides the integration with Thycotic as a credential vault solution. For more information, see the Thycotic documentation.

Thycotic Secret Server REST API:

The Thycotic Secret Server publishes a REST API for managing its various entities. For more information, see https://docs.thycotic.com/ss/10.9.0/api-scripting/rest-api-reference-download.

The Secret Server (SS) REST API guides are version-specific. Make sure you refer to the guide for your Secret Server version.

The LM Thycotic Secret Server integration uses the OAuth2 token-based REST API of the Thycotic Secret Server. In this approach, you first obtain an OAuth2 token for authentication, and that token is then used to perform the various entity operations against the Thycotic Secret Server.

Thycotic Collector Agent Configuration Settings:

The table below lists the collector agent configuration properties related to the vault.

vault.thycotic.session.timeout
  Type: Integer
  Description: Specifies the interval, in minutes, for which the OAuth2 access token is valid. Once this duration has elapsed, the token becomes invalid.
  Default Value: 20 minutes

vault.thycotic.max.tokenrefresh.allowed
  Type: Integer
  Description: Specifies the maximum number of token refreshes allowed. A token refresh obtains a new access token for the user using the refresh_token information (without using the user credentials).
  Default Value: 3

vault.thyotic.secret.path.name.id.cache.expiration
  Type: Integer
  Description: Specifies the expiration duration for the cache that maintains the Secret Path (FolderName, SecretName) → Secret Id mapping. The secret path mapping approach for lmvault keys uses this cache internally to retrieve the secret id from the secret path.
  Default Value: 20 minutes

vault.thycotic.secret.report.access.enabled
  Type: Boolean
  Description: Specifies whether Thycotic Secret Server report access is enabled. You must ensure that all access required for reporting (access to users, reports, and so on) has been granted before enabling this property; otherwise, it may result in an API Access Denied error.
  Default Value: false

vault.thycotic.secret.report.id
  Type: Integer
  Description: Specifies the report id of the report “What Secrets a User can see”, which is a system report for secrets. Note: You must provide the correct report id value.
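The two settings vault.thycotic.session.timeout and vault.thycotic.max.tokenrefresh.allowed together define a token lifecycle: reuse the access token until the session timeout elapses, then refresh it with the refresh_token while the refresh budget lasts. The following is an added illustration of that policy, not Collector code; it assumes that once the refresh budget is exhausted the Collector logs in again with the vault.meta.th.user.* credentials and that a new login resets the budget. The login and refresh callables stand in for the Secret Server OAuth2 calls and perform no network I/O.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Defaults taken from the configuration table above.
SESSION_TIMEOUT_MIN = 20        # vault.thycotic.session.timeout
MAX_TOKEN_REFRESH_ALLOWED = 3   # vault.thycotic.max.tokenrefresh.allowed


@dataclass
class Token:
    access_token: str
    refresh_token: str
    issued_at_min: float        # minutes on the caller's clock


@dataclass
class TokenManager:
    """Hypothetical helper deciding whether to reuse, refresh, or re-login."""
    login: Callable[[], Tuple[str, str]]         # password grant -> (access, refresh)
    refresh: Callable[[str], Tuple[str, str]]    # refresh grant, no credentials sent
    timeout_min: int = SESSION_TIMEOUT_MIN
    max_refresh: int = MAX_TOKEN_REFRESH_ALLOWED
    token: Optional[Token] = None
    refreshes_used: int = 0
    last_action: str = "none"   # "login", "refresh" or "reuse", for observability

    def get_token(self, now_min: float) -> str:
        """Return a usable access token at time now_min (in minutes)."""
        if self.token is None:
            self._login(now_min)
        elif now_min - self.token.issued_at_min >= self.timeout_min:
            # Expired: spend the refresh budget first, then fall back to a login.
            if self.refreshes_used < self.max_refresh:
                access, refresh = self.refresh(self.token.refresh_token)
                self.token = Token(access, refresh, now_min)
                self.refreshes_used += 1
                self.last_action = "refresh"
            else:
                self._login(now_min)
        else:
            self.last_action = "reuse"
        return self.token.access_token

    def _login(self, now_min: float) -> None:
        access, refresh = self.login()
        self.token = Token(access, refresh, now_min)
        self.refreshes_used = 0   # assumption: a fresh login resets the budget
        self.last_action = "login"
```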

Thycotic Vault properties

Vault properties, such as the Vault Metadata and Vault Keys used by the Collector, can be configured at the device or device group level.

Vault Metadata

The following table lists the Vault Metadata properties.

vault.meta.url
  Description: The URL of the vault. This URL should contain the folder and application ID only.

vault.meta.type
  Description: The type of the vault. Use the value Thycotic to connect to the Thycotic Secret Server.

vault.meta.th.user.pass
  Description: The password for the Thycotic Secret Server account. This password is used to obtain the bearer authentication token through the Secret Server OAuth2 API.

vault.meta.th.user.name
  Description: The username for the Thycotic Secret Server account. This username is used to obtain the bearer authentication token through the Secret Server OAuth2 API.

vault.meta.header
  Description: The headers required for the HTTP GET request. The value of this custom property is a list of headers separated by “&”, where each header key and value are separated by “=”, as in the following example:
  vault.meta.header – Content-Type=application/json&Accept-Encoding=gzip, deflate, br

Vault Keys

Vault keys must be specified at the device level with the suffix .lmvault. For example, the ssh.user property should be specified with the key ssh.user.lmvault.

Property suffixed with .lmvault
  Description: A custom property whose value should be retrieved from the vault must be specified at the device level with the suffix .lmvault. The value can be either a secret id or a secret path (containing the secret folder and secret name) in the Thycotic Secret Server.

  – Secret ID: For example, ssh.user.lmvault = 2. Here the ssh.user property is retrieved from the vault, and the value “2” is the secret ID in the Thycotic Secret Server where the credential or secret is stored.

  – Secret Path: In the Thycotic Secret Server, the user can create secret folders and secrets within those folders. You can map the secret path and name to the LM Vault property value, which must be specified in the format FolderPath:SecretName. For example: ssh.user.lmvault=\allsecrets\ssh:ssh.pass, where allsecrets is the parent folder containing the nested folder ssh, and the folder ssh contains the secret named ssh.pass.

Note: The LMVault value, that is, the name of the secret folder and the secret, must not contain the character “:”, because “:” is the character used to split the secret folder from the secret name.
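The following is an added example, not LogicMonitor Collector code, showing how the two value formats described above can be resolved on the Collector side: it parses the vault.meta.header format (entries separated by “&”, key and value by “=”) and classifies each *.lmvault device property as either a numeric secret id or a FolderPath:SecretName path, rejecting values that violate the “:” rule in the note. The SecretRef type and function names are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

LMVAULT_SUFFIX = ".lmvault"
PATH_SEPARATOR = ":"   # splits FolderPath from SecretName, so neither may contain it


@dataclass(frozen=True)
class SecretRef:
    property_name: str               # e.g. "ssh.user" (suffix stripped)
    secret_id: Optional[int] = None  # set when the value is a numeric secret id
    folder_path: Optional[str] = None
    secret_name: Optional[str] = None


def parse_vault_header(value: str) -> Dict[str, str]:
    """vault.meta.header: entries separated by '&', key and value by '='.
    A header value may itself contain ',' or '=', so split each entry once."""
    headers: Dict[str, str] = {}
    for entry in value.split("&"):
        if not entry.strip():
            continue
        key, sep, val = entry.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"header entry is not key=value: {entry!r}")
        headers[key.strip()] = val.strip()
    return headers


def parse_lmvault_value(prop: str, value: str) -> SecretRef:
    """Classify a *.lmvault value as a secret id or a FolderPath:SecretName path."""
    if not prop.endswith(LMVAULT_SUFFIX):
        raise ValueError(f"{prop!r} is not suffixed with {LMVAULT_SUFFIX}")
    name = prop[: -len(LMVAULT_SUFFIX)]
    value = value.strip()
    if value.isdigit():
        return SecretRef(name, secret_id=int(value))
    folder, sep, secret = value.partition(PATH_SEPARATOR)
    if not sep or not folder or not secret:
        raise ValueError(f"{prop}: expected a secret id or FolderPath:SecretName")
    if PATH_SEPARATOR in secret:
        # A second ':' would make the split ambiguous; the note forbids it.
        raise ValueError(f"{prop}: ':' is not allowed in folder or secret names")
    return SecretRef(name, folder_path=folder, secret_name=secret)


def collect_vault_refs(device_props: Dict[str, str]) -> Dict[str, SecretRef]:
    """Pick out every *.lmvault device property and resolve how to look it up."""
    return {p: parse_lmvault_value(p, v) for p, v in device_props.items()
            if p.endswith(LMVAULT_SUFFIX)}
```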