Topicus Keyhub integration
#21
If not you need assistance from Topicus - I can't tell you what is missing... if needed I can post you the REST-API-Requests that we perform...
Regards/Gruss
Oliver
Reply
#22
The vault ID field is empty but I don't get any vaults in the text field below.

   
Reply
#23
(07-05-2020, 12:56 PM)DevOma Wrote: If not you need assistance from Topicus - I can't tell you what is missing... if needed I can post you the REST-API-Requests that we perform...
If you have the REST-API for me, that will hopefully help with Topicus. I will contact them.

Thx
Reply
#24
Ok - one more try - added in GetVaults - if error occurs on the API-Request => redirect output to MessageBox - if no MessageBox will be shown - the AccountId has no Vaults and the result will be an empty result field

https://d2l2g77p7dyozs.cloudfront.net/TopicusTest3.zip

The API-Request is the following

%Server-Url%/keyhub/rest/v1/account/%AccountId%/vault

So in your case the string looks like

https://keyhub.nehgroup.com/keyhub/rest/...8201/vault

But you can't execute it directly - you have to add the Access-Token to the request...
Regards/Gruss
Oliver
Reply
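The vault-listing request described in post #24, as an added example that is not part of the original thread and is not ASGRD or Topicus code. It builds the request without sending it. It assumes the Access-Token travels as an OAuth2 bearer header (the post does not say how it is attached), and the function names are hypothetical.

```python
from urllib.parse import quote, urlsplit
from urllib.request import Request

# Path template taken from the post: %Server-Url%/keyhub/rest/v1/account/%AccountId%/vault
VAULT_PATH = "/keyhub/rest/v1/account/{account_id}/vault"


def build_vault_request(server_url: str, account_id: str, access_token: str) -> Request:
    """Build (but do not send) the GET request that lists an account's vaults."""
    parts = urlsplit(server_url)
    # The token is a bearer secret: never attach it to a cleartext connection.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("server URL must be an absolute https:// URL")
    # Reject embedded credentials and anything beyond scheme://host[:port].
    if "@" in parts.netloc or parts.path.strip("/") or parts.query or parts.fragment:
        raise ValueError("server URL must be scheme and host only")
    if not account_id or not access_token:
        raise ValueError("account id and access token are required")
    # Percent-encode the id so it cannot add path segments or a query string.
    path = VAULT_PATH.format(account_id=quote(account_id, safe=""))
    url = f"https://{parts.netloc}{path}"
    # Assumption: the token is sent as "Authorization: Bearer <token>".
    headers = {"Authorization": f"Bearer {access_token}"}
    return Request(url, headers=headers, method="GET")


def describe(req: Request) -> str:
    """Log-safe summary of the request: method and URL only, never the token."""
    return f"{req.get_method()} {req.full_url}"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    sample = build_vault_request("https://keyhub.example.test", "1234", "constructed-token")
    print(describe(sample))
```

Without the header the URL alone is not enough, which is why the request cannot be executed directly from a browser address bar.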
#25
I now get this:

GetVaults-Error: NotFound Not Found

   

And GetVaultPAssword-Error: Forbidden Forbidden
   
Reply
#26
If you have no VaultId you can't get a password of a Vault - but I see now that it is "Not found" - I will discuss with support from Keyhub...
Regards/Gruss
Oliver
Reply
#27
I just created a personal vault, now it doesn't give me a "GetVaults-Error: NotFound Not Found" but a "GetVaults-Error: Forbidden Forbidden"
Reply
#28
Yes - I have some hints that need to be implemented - give me some time for the changes...
Regards/Gruss
Oliver
Reply
#29
Hi,

we have implemented all the changes now and it seems to work - now we also want to support the "Rotating Password" for users - and now think about how it is used - as I understand you login to KeyHub with your account - and now can access your rotating / provisioning password. So we would need a credential object in ASGRD that is set to your user (domain/username) and gets on a daily task the rotating pwd - and this user is then used inside ASGRD to access servers via any protocol - is that right? Or do I misunderstand? Will your Domain-Password be overridden by KeyHub every day?

Just want to understand the requirement from customer perspective :-)
Regards/Gruss
Oliver
Reply
#30
You are correct.
The password to login to Keyhub will stay the same, the password that you request from Keyhub (to login to the servers) will be changed daily to a new randomized password.

So I log in to Keyhub with MFA, then I activate the customer where I want to log on to. Keyhub activates my user account on the customer domain with the randomized password.
I then go to ASGRD to login to the customer with my user account and the randomized password.
The randomized password is the same password for all customers all day long.
Reply
#31
Hi, the current version still does not work correctly. I solved the problem together with Topicus Keyhub, they will contact you to implement this in the next version.

But I have another issue with the implementation.
Now I make a new folder that I connect to keyhub. In this folder I configure keyhub and click synchronize.

What that means is the following:
Go to Folder - Properties - select bottom option - Click sync, login to keyhub, copy password, go to user account - properties - paste password - save - Login to server with that user.

This is way too many steps, even more than just logging in to keyhub and copying the password from there.

What I would like is that I can globally configure the connection string to keyhub.
And the end user right-clicks on his credential to synchronize his password (he then gets the login portal to keyhub) and the password is automatically fetched.
Reply
#32
Sorry, found the issue - missed to copy one line of code from test project to ASGRD solution...

And we will try to find a better way for integrating the Rotating Password - what do you think make more sense - choose a cred object where to store the rotating pwd - or make it more sense to have a global checkbox "Use rotating pwd" for all connections - if checked the password to login to remote machines will be replaced with the rotating pwd - I think the 2nd one should be the easiest way - but as I do not use it in production it's easier for you to decide how it make more sense
Regards/Gruss
Oliver
Reply
#33
Another idea - an option in credential objects - "Use rotating password for this credential" - it would be an extra category on the left side - and there will be the checkbox - then you can GET the rotating pwd once a day and use connections as usual - what do you think about my suggestions? We want to implement it...
Regards/Gruss
Oliver
Reply
#34
(17-06-2020, 10:38 AM)DevOma Wrote: Another idea - an option in credential objects - "Use rotating password for this credential" - it would be an extra category on the left side - and there will be the checkbox - then you can GET the rotating pwd once a day and use connections as usual - what do you think about my suggestions? We want to implement it...

I was thinking the same thing.

A global option to configure the host URL, Client ID and Client Secret, this is the same for everyone.

And in the Credential a sync option.
Reply
#35
And then in the personal credential because the rotating PW is personal
Reply
#36
Maybe a place where you can enter your Topicus Keyhub credentials so you only have to click on sync and it fetches it for you.
Reply
#37
I installed version 13.0.6768.1
Configured the new Topicus settings and enabled it on my test account.
But nothing happens.

   

Is it possible to make a field where the keyhub username and password is filled in by the end user?
That way the Visionapp can collect the daily rotating password with the user credentials from keyhub.

   

Also I am missing a place where I can set the sync time. At what time is the password synced? Or does it sync when you login to Visionapp?
Reply
#38
We tested it with 2 accounts and it worked...

And NO - Username and Password can not be set outside your Authorization process - this is by design of Topicus Keyhub - you must login via website! And this is also the reason why it is not possible to automate the password sync! It must be triggered manually by the user - because you have to login via the Topicus Keyhub Website!
Regards/Gruss
Oliver
Reply
#39
I was on vacation but am back now.

How do I trigger the sync? Can't get it to work.

Also it is unclear to me why it is not possible to preset my personal topicus username and password in a field in Visionapp that you pick up and fill in when you send the request to topicus?
Reply
#40
Scratch that last line, I talked to the dev at Topicus and it is not possible to auto login.

What should be possible is to have a button to press in Visionapp to start the one-time password sync. It then opens Topicus, I manually login or use my logged-in session, then Visionapp gets the daily password and sets it in my personal credential.
Reply



