Secret Server has the ability to set up a Java Console API to retrieve values from Secret Server without embedding a password. This allows scripts to retrieve passwords from Secret Server while keeping both the password and the credentials to Secret Server secure. The Secret Server Java Console is set up using a user in Secret Server, but the password is changed and made hardware-specific, so copying the jar file to other machines will not allow it to access Secret Server. Because it runs as a user in Secret Server, an admin can choose to share only specific Secrets with the account running the Java Console. As a Java implementation, this can be used on any OS, including Windows, Mac, Linux and Unix.
Requires Version 7.8 or higher and Enterprise Plus Edition
Installing the Java Console
- Create a local user account in Secret Server that will be used by the instance of Java Console API you are installing
- Note: Since the hardware is used to secure the API to a specific account, a different user is required for each machine where the jconsole is installed.
- Install Java 7 JRE on the machine available from here.
- By default, Java supports AES-128. As of version 1.1.0 of the java console you can specify AES-256, but you will need to install the correct Java policy files if these aren't already present. These can be downloaded for the Java 7 JRE here.
- Request the jar file by creating a support request at http://my.thycotic.com/myaccount.html
- Once the zip is received in an email, place the jar file in a folder you will access it from. Ex C:\SecretServerAPI\
- Install the jar file using the -i command
- C:\SecretServerAPI> "C:\Program Files\java\jre7\java" -jar secretserver-jconsole.jar -i (Username) (Password) (URL to Secret Server) [Encryption Level]
- The URL does not include any pages.
- Good example: http://mysecretserver.com/SecretServer/
- Bad example: http://mysecretserver.com/SecretServer/login.aspx
- Once installed the password on the account is changed based on some encrypted items and the machine hardware
- The secretserver-jconsole.jar can be called with -s or -v to retrieve Secret Field Values
- Single Field => C:\SecretServerAPI> "C:\Program Files\java\jre7\java" -jar secretserver-jconsole.jar -s (SecretId) (FieldName)
- Multiple Fields => C:\SecretServerAPI> "C:\Program Files\java\jre7\java" -jar secretserver-jconsole.jar -v (SecretId) (Separator) (FieldName1) (FieldName2)
- The SecretId can be found by going to SecretView.aspx and in the address bar the QueryString will have SecretId=# that can be used to load the Secret
Troubleshooting Certificate Security Errors
- If you get a certificate error when installing the Java API, please ensure that your certificate is issued by a third-party certificate authority. Currently, the Java API does not support connecting to self-signed or domain-signed certificates.
- If your certificate is a valid third party certificate, follow these steps:
- Download a trusted certificate list from here: http://updates.thycotic.net/secretserver/support/cacerts.zip
- Unzip the file and copy the cacerts file into the directory with secretserver-jconsole.jar
- On the command line, cd to the secretserver-jconsole directory
- You will have to pass in the -Djavax.net.ssl.trustStore="cacerts" parameter when running the jar. For example, to install the api user with the password password1: java -Djavax.net.ssl.trustStore="cacerts" -jar secretserver-jconsole.jar -i api password1 https://host/secretserver
Security in the API
- No Password Stored - The credentials to Secret Server are calculated from the hardware of the machine and encrypted files, so the password is not known by anyone.
- Obfuscation - The Java console is obfuscated to make reversing the encryption more difficult.
- Tied to Hardware - copying the files to another machine will not work to access Secret Server.
- Password Expiration causes Automatic Change - when the local account password expires (based on configuration settings) the console will automatically change the password.
- File Permissions - Lock down the secretserver-jconsole.jar and the config files it creates through file permissions so that only certain users can call the Java Console. This allows only the permitted scripts or users to use the API.
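The retrieval calls (-s and -v), the cacerts trust-store workaround from the Troubleshooting section and the file-permission lockdown above, combined into one POSIX shell wrapper as an added example. This is illustration code, not Thycotic's; the install folder, the location of the java binary, the service group name and the sample separator-joined output are assumptions, not values from the documentation.

```shell
#!/bin/sh
# Added example wrapper for the Secret Server Java Console (not Thycotic's code).
# Assumed: SSAPI_DIR holds the jar and the config files created by -i, and a
# Java 7 JRE is on PATH (override with JAVA_BIN).

SSAPI_DIR="${SSAPI_DIR:-/opt/SecretServerAPI}"   # assumed install folder
JAVA_BIN="${JAVA_BIN:-java}"                     # assumed java binary
JAR="secretserver-jconsole.jar"

# Run the jar from its own folder so it finds the config files written by -i.
# If a cacerts file sits next to the jar (Troubleshooting section), pass it as
# the trust store; otherwise the JRE default trust store is used.
run_jconsole() {
    if [ -f "$SSAPI_DIR/cacerts" ]; then
        (cd "$SSAPI_DIR" && "$JAVA_BIN" -Djavax.net.ssl.trustStore="cacerts" -jar "$JAR" "$@")
    else
        (cd "$SSAPI_DIR" && "$JAVA_BIN" -jar "$JAR" "$@")
    fi
}

# Single field: -s (SecretId) (FieldName); the value comes back on stdout.
get_secret_field() {
    run_jconsole -s "$1" "$2"
}

# Multiple fields: -v (SecretId) (Separator) (FieldName...); the values come
# back joined by the separator, in the order the field names were given.
get_secret_fields() {
    run_jconsole -v "$@"
}

# Pull the Nth value out of a -v result. Pick a single-character separator that
# cannot occur inside any of the requested field values.
nth_field() {
    # $1: joined output, $2: separator, $3: 1-based index
    printf '%s\n' "$1" | cut -d "$2" -f "$3"
}

# Security section: restrict who may call the console. Only the owner and the
# named service group can enter the folder and read the jar and config files.
lock_down_api_dir() {
    # $1: install folder, $2: group allowed to use the API
    chgrp -R "$2" "$1" \
        && chmod 750 "$1" \
        && find "$1" -type f -exec chmod 640 {} +
}

# Usage sketch (assumes -i has already been run on this machine):
#   PASSWORD=$(get_secret_field 1234 Password)       # keep in a variable, never on a command line
#   CREDS=$(get_secret_fields 1234 '|' Username Password)
#   USER=$(nth_field "$CREDS" '|' 1)
#   PASS=$(nth_field "$CREDS" '|' 2)
```

Keeping the retrieved value in a shell variable rather than passing it as a command-line argument matters on shared hosts, where arguments are visible in process listings; the same applies to the Username and Password given to -i, which only need to be typed once.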