Integrating BeyondTrust PasswordSafe with Enterprise Vault to manage Enterprise Vault Service account
Article: 100062424
Last Published: 2024-03-21
Product(s): Enterprise Vault
Description
This article describes how to integrate BeyondTrust PasswordSafe with Enterprise Vault to manage the Enterprise Vault Service account.
Prerequisites for executing a PowerShell script via BeyondTrust PasswordSafe on an Enterprise Vault server
OpenSSH for Windows must be installed on the Enterprise Vault server that is managed by BeyondTrust PasswordSafe.
For more details, see Get started with OpenSSH for Windows | Microsoft Learn.
Integration steps
1. Deploy and configure BeyondTrust PasswordSafe.
2. Identify a domain user belonging to the domain in which Enterprise Vault is configured, and assign it the permissions required to rotate passwords for other users in Active Directory.
3. Configure the above user as a functional account in the BeyondTrust PasswordSafe instance.
4. Assign the Enterprise Vault RBA Credential Administrator role to the functional account user.
   Refer to the Enterprise Vault PowerShell Cmdlets guide for more information on cmdlets for managing role membership.
   Note: Make the functional account a local administrator on all the Enterprise Vault servers in the directory, which is implicit for any user(s) assigned to the Enterprise Vault RBA role(s).
5. Add the Active Directory under which Enterprise Vault is configured as a managed system in the BeyondTrust PasswordSafe instance.
6. Add the Active Directory account corresponding to the Enterprise Vault Service account as a managed account in the BeyondTrust PasswordSafe instance.
For steps 1 to 6 above (except step 4), contact the BeyondTrust administrator for configuration.
Additional information
- See https://www.beyondtrust.com/docs/integrations to configure and test a custom platform for executing SetEVServiceAccountPassword.ps1 on the Enterprise Vault server via BeyondTrust PasswordSafe. This script executes on the target Enterprise Vault server and updates the new Enterprise Vault Service Account credentials on all the Enterprise Vault and File servers in the Enterprise Vault Directory.
- Troubleshooting steps:
  If password rotation fails:
  - Retrieve the latest Vault Service Account password from BeyondTrust PasswordSafe by contacting the BeyondTrust administrator, then manually execute the PowerShell script SetEVServiceAccountPassword.ps1, located on the Enterprise Vault server at <Enterprise_Vault_Install_Directory>\PowerShellScripts\, with the -Verbose switch along with the other required parameters to troubleshoot further.
    Note: To manually execute the script, you must use the PowerShell x86 elevated (Run as Administrator) instance.
  - Add the following Enterprise Vault processes to Dtrace, repeat the operation, and check the logs for more details:
    - PowerShell.exe
    - DirectoryService.exe
    - AdminService.exe
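The following preflight check is an added example, not part of the original article or of Enterprise Vault. It verifies the conditions this article states for running SetEVServiceAccountPassword.ps1 manually (elevated x86 PowerShell, script present under PowerShellScripts) and that an OpenSSH server service is running. The function name Test-EVRotationPreflight, its -InstallDirectory parameter and the service name sshd are assumptions.

```powershell
# Added example: preflight checks before running SetEVServiceAccountPassword.ps1 by hand.
# Test-EVRotationPreflight and -InstallDirectory are hypothetical names, not Enterprise Vault cmdlets.
function Test-EVRotationPreflight {
    [CmdletBinding()]
    param(
        # Enterprise Vault install directory on this server, supplied by the operator.
        [Parameter(Mandatory)]
        [string]$InstallDirectory
    )

    # 1. The article requires an elevated (Run as Administrator) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ Check = 'Elevated session'; Passed = $elevated; Detail = $identity.Name }

    # 2. The article requires the x86 (32-bit) PowerShell instance.
    $is64 = [Environment]::Is64BitProcess
    [pscustomobject]@{ Check = 'PowerShell x86 host'; Passed = (-not $is64); Detail = "Is64BitProcess=$is64" }

    # 3. The script must exist under <install dir>\PowerShellScripts\.
    $script = Join-Path $InstallDirectory 'PowerShellScripts\SetEVServiceAccountPassword.ps1'
    $found  = Test-Path -LiteralPath $script -PathType Leaf
    [pscustomobject]@{ Check = 'Rotation script present'; Passed = $found; Detail = $script }

    # 4. Assumption: PasswordSafe reaches this server over SSH, so the OpenSSH
    #    server service (named 'sshd') must exist and be running.
    $sshd    = Get-Service -Name 'sshd' -ErrorAction SilentlyContinue
    $running = ($null -ne $sshd) -and ($sshd.Status -eq 'Running')
    $detail  = if ($sshd) { "Status=$($sshd.Status); StartType=$($sshd.StartType)" }
               else       { 'service not found' }
    [pscustomobject]@{ Check = 'OpenSSH server running'; Passed = $running; Detail = $detail }
}

# Usage (replace the placeholder with the real install directory):
# Test-EVRotationPreflight -InstallDirectory '<Enterprise_Vault_Install_Directory>' |
#     Format-Table -AutoSize
```

Any row with Passed = False points to a prerequisite to correct before retrying the rotation or collecting Dtrace logs.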
Known limitations
BeyondTrust PasswordSafe integration is not supported for Enterprise Vault servers configured in clustered environments.