Hitachi ID Privileged Access Manager includes an API through which applications retrieve passwords on demand, at runtime, eliminating the storage of static, plaintext passwords. Privileged Access Manager periodically randomizes the passwords used to connect to network services (DB, FTP, web, etc.), while applications use the API to retrieve the current password whenever they need it.
The Privileged Access Manager API is accessed as a SOAP web service over HTTPS.
For example, Privileged Access Manager may randomize an Oracle DBMS login password every 24 hours. Web applications that use this password to establish database connections can periodically sign into Privileged Access Manager with their own credentials (see below) and retrieve its current value.
An important design consideration when implementing a privileged password retrieval API is how the client that requests password disclosure (the web application in the above example) authenticates itself to the web service. Privileged Access Manager secures this process with a combination of access controls, one-time passwords and network address validation:
An "API wrapper" library is provided to simplify use of the Privileged Access Manager web service. Different versions of the library are provided for a variety of runtime platforms and programming languages, such as .NET, Java, Linux/C, etc. This wrapper code performs several functions:
Encryption of the OTP and cached passwords requires an encryption key. The API wrapper libraries support a variety of methods to produce this key, all of which are intended to fingerprint the authorized application and its runtime environment. This includes:
The objective of these key generation mechanisms is to lock down the application and its runtime, so that only the approved application running on an approved system is able to retrieve a password from Privileged Access Manager or from the local cache. An attacker who compromises the system running an application should be prevented from adding logging statements that display the retrieved password, from moving the application to another server and retrieving passwords there, and from running the program with different command-line arguments or configuration files so that it prints the password to a log file.
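The following is an added illustration of the fingerprint-derived cache key described above; it is example code written for this page, not the Hitachi ID wrapper library, and the fingerprint inputs it chooses (hostname, executable path, command-line arguments, hash of the configuration file) are an assumption, since the page does not list the wrapper's actual inputs. The key is a SHA-256 digest of the length-prefixed fingerprint fields, and the cached password is sealed with AES-256-GCM, so a copy of the cache decrypted on another host, by another binary, or under different arguments fails authentication instead of yielding the password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Fingerprint holds the properties of the calling application and its runtime
// that the cache key is bound to. This field set is an illustrative assumption;
// the real wrapper's fingerprint inputs are not listed on this page.
type Fingerprint struct {
	Hostname   string // host the program runs on
	ExePath    string // resolved absolute path of the executable
	Args       string // command-line arguments, joined with NUL
	ConfigHash string // hex SHA-256 of the configuration file contents
}

// deriveKey turns the fingerprint into a 32-byte AES-256 key. Each field is
// length-prefixed before hashing so that ("ab","c") and ("a","bc") differ.
func deriveKey(fp Fingerprint) []byte {
	h := sha256.New()
	for _, f := range []string{fp.Hostname, fp.ExePath, fp.Args, fp.ConfigHash} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write([]byte(f))
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCache encrypts a retrieved password under the fingerprint key with a
// fresh random nonce and returns nonce||ciphertext||tag for writing to disk.
func sealCache(key, password []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, password, nil), nil
}

// openCache reverses sealCache. A key derived from a different fingerprint
// fails GCM authentication, so the cached password is never revealed.
func openCache(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("cache blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// currentFingerprint collects the live values for this process (used by a
// real client; main below uses constructed values so it runs anywhere).
func currentFingerprint(configPath string) (Fingerprint, error) {
	host, err := os.Hostname()
	if err != nil {
		return Fingerprint{}, err
	}
	exe, err := os.Executable()
	if err != nil {
		return Fingerprint{}, err
	}
	if real, err := filepath.EvalSymlinks(exe); err == nil {
		exe = real
	}
	cfg, err := os.ReadFile(configPath)
	if err != nil {
		return Fingerprint{}, err
	}
	sum := sha256.Sum256(cfg)
	return Fingerprint{host, exe, strings.Join(os.Args[1:], "\x00"), fmt.Sprintf("%x", sum)}, nil
}

func main() {
	// Constructed fingerprint for demonstration; values are not real hosts or files.
	fp := Fingerprint{"app01", "/opt/app/bin/app", "--mode=prod", "0123abcd"}
	blob, _ := sealCache(deriveKey(fp), []byte("randomized-db-password"))
	pw, err := openCache(deriveKey(fp), blob)
	fmt.Printf("same runtime: %q err=%v\n", pw, err)
	fp.Args = "--mode=prod --debug" // attacker reruns the binary with extra flags
	_, err = openCache(deriveKey(fp), blob)
	fmt.Printf("changed args: err=%v\n", err)
}
```

Note that the fingerprint inputs are observable properties, not secrets: an attacker who can run the same binary, on the same host, with the same arguments and configuration can recompute the key. The mechanism therefore raises the bar against the attacks listed above (moving the cache or binary, altering arguments or configuration) and must be combined with the server-side controls the page describes and with ordinary host hardening.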
Hitachi ID Systems provides new versions of this wrapper library for additional run-times and programming languages based on customer demand.
The wrapper library is also provided in command-line form, suitable for use in scripts and for troubleshooting.