Hitachi ID Privileged Access Manager includes an API that enables applications to disclose passwords and eliminates the storage of static, plaintext passwords. Privileged Access Manager periodically randomizes service passwords, while applications use the API to retrieve passwords as/when required.
The Privileged Access Manager API is accessed using SOAP over HTTPS.
For example, Privileged Access Manager may randomize an Oracle DBMS login password every 24 hours. Web applications which use the password to establish database connections can periodically sign into Privileged Access Manager with their own credentials (see below) and retrieve the current Oracle login password.
An important design consideration when implementing a privileged password retrieval API is how the client which requests password disclosure (the web application in the above example) authenticates itself to the API service. Privileged Access Manager secures this process with a combination of ACLs, one-time passwords and IP subnets:
Wrapper code is provided for the SOAP API for a variety of platforms / programming languages, such as .NET, Java, Linux/C, etc. This wrapper code manages several functions:
Encryption of the OTP and of cached passwords implies an encryption key. The API wrappers support a variety of methods to produce this key, including:
Hitachi ID Systems is happy to add platform bindings for this wrapper code based on customer demand (i.e., we add support for the programming language and runtime that customers need as required, and usually at no additional cost).
This wrapper is also provided in command-line form, suitable for retrieving passwords efficiently and securely from Privileged Access Manager (with local, encrypted caching) and injecting those passwords on the command-line, into configuration files or into the input of scripts.