Cloud integration with Delinea Secret Server and Automation 360 helps manage important credentials safely. It also automates tasks, making Cloud environments more secure and efficient.

Prerequisites

Before you start, make sure you have the following:

  • To set up Delinea Secret Server configuration, see Delinea Platform documentation. You will need the following information from Delinea:

    • To create the OAuth connection with Delinea Secret Server:
      • Token URL: This is the URL you use to get access tokens from Delinea Secret Server.
        • For the Delinea platform, the URL is: https://<>.delinea.app/identity/api/oauth2/token/xpmplatform
        • For the Standalone Delinea Secret Server, the URL is: https://<secretserver>/oauth2/token
      • Scope: This is the scope required for the tokens that Delinea issues. For the Delinea platform, the scope is xpmheadless.
        • If the grant type is client_credentials, you need the clientId and clientSecret of the service account.
        • If the grant type is resource owner password, you need the username and password of the service account.
    • The service account in Delinea should have at least View access to the secrets in Delinea.
    • The Delinea Secret Server URL.
  • To configure the Automation 360 integration, the Control Room user should have Manage settings and Manage connections permission, or the user must be an Admin user.

Automation 360 configuration

This procedure helps you set up Automation 360 to work with Delinea Secret Server.
  • First, you set up the OAuth connection.
  • Then, you add the vault configuration.

Set up OAuth Connection

To Set up OAuth Connection using Client Credentials Flow grant type

Complete the following steps from the Create OAuth connection procedure.

  1. To set up the OAuth connection, navigate to Manage > OAuth Connections.
  2. Click Create Connection.
  3. From the Connection settings screen, enter the following:
    • Provider Type: Choose a provider type, like Custom or Apigee. If your OAuth provider type is not listed, you can select Custom.
    • Name: Enter a unique name, such as: Delinea-Test-Connection
    • Flow Type: Choose the Client Credentials Flow grant type for the Delinea platform with the Delinea Secret Server. Use the Client authentication method with either Basic or POST.
    • Client Id: Enter the Client Id as it appears in the Delinea server.
    • Client Secret: Enter the Client Secret as it appears in the Delinea server.
    • Token URL: OAuth 2.0 endpoint from Delinea (for example: https://<>.delinea.app/identity/api/oauth2/token/xpmplatform)
    • Scope: Enter the scope for the token. For example, for the Delinea platform: xpmheadless
  4. Test the OAuth connection to make sure the configuration is correct.
  5. Save the OAuth connection.

To Set up OAuth Connection using Resource Owner Password grant type

Complete the following steps from the Create OAuth connection procedure.

  1. To set up the OAuth connection, navigate to Manage > OAuth Connections.
  2. Click Create Connection.
  3. On the Connection settings screen, do the following:
    • Flow Type: Select the Resource Owner Password Flow grant type. Choose the Client authentication method: Client Authentication Secret POST.
    • Scope: This is optional.
    • Enter the username and password for the service user who can access the secret.
  4. Click Save login credentials.
  5. Test the OAuth connection to make sure the configuration is correct.
  6. Save the OAuth connection.

Once successful, configure the Delinea Secret Server vault configuration and select the created OAuth connection.
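
To check the token URL, scope and client authentication method before entering them in the Control Room, the token request for either grant type can be built and sent by hand. The following Python sketch is an added example, not Automation 360 or Delinea code; it assumes the token endpoint follows standard OAuth 2.0 (RFC 6749) form encoding, and the host name and credentials in it are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

def build_token_request(token_url, grant_type, client_id, client_secret,
                        client_auth="basic", scope=None,
                        username=None, password=None):
    """Build (without sending) an OAuth 2.0 token request per RFC 6749."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("token URL must use https")
    form = {"grant_type": grant_type}
    if grant_type == "password":
        if not (username and password):
            raise ValueError("password grant needs username and password")
        form.update(username=username, password=password)
    elif grant_type != "client_credentials":
        raise ValueError("unsupported grant type: " + grant_type)
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if client_auth == "basic":
        # "Basic": id and secret are form-encoded, joined by ":" and Base64'd
        pair = "%s:%s" % (urllib.parse.quote_plus(client_id),
                          urllib.parse.quote_plus(client_secret))
        headers["Authorization"] = (
            "Basic " + base64.b64encode(pair.encode()).decode())
    elif client_auth == "post":
        # "POST": id and secret travel in the request body instead
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError("client_auth must be 'basic' or 'post'")
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers,
                                  method="POST")

def fetch_token(request, timeout=10):
    """Send the request and return the parsed JSON token response."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed placeholder values; substitute your own token URL and account.
    req = build_token_request("https://vault.example.test/oauth2/token",
                              "client_credentials", "svc-id", "s3cret",
                              client_auth="basic", scope="xpmheadless")
    print(req.get_method(), req.full_url, req.data.decode())
```

With the Basic method the client secret never appears in the request body, which matters if request bodies are logged by a proxy between the Control Room and the vault.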

Refresh Token management

When you connect with Delinea Secret Server using the OAuth2 password grant flow, the Automation 360 Control Room securely stores the refresh tokens it receives during authentication.

Key considerations:
  • Refresh Token Expiry: Make sure the time before the access token and refresh token expire is long enough for your needs. If you have bots that run for a long time or many bots running at once, a short expiry time might cause unexpected authentication problems.
  • Allowed Number of Refresh Tokens: Delinea Secret Server might limit how many refresh tokens a user or client can have. If you refresh tokens too often and go over this limit, it can cause token refresh failures, leading to automation problems.
  • Idle Periods: If the OAuth connection is not used for a long time (like when no bots are running), the refresh token might expire. In such a case, reset the existing OAuth connection.

Recommendations:
  1. Set the access token expiry, refresh token expiry, and allowed token refresh count in Delinea Secret Server to fit your needs.
  2. If the access token or refresh token expires, the only way to make the OAuth connection work again is to reset the existing OAuth connection and re-authenticate using the username and password.

Configure Delinea Secret Server vault

  1. From the Control Room, navigate to Administration > Settings > External key vault.
  2. In the Configuration Settings section, click Edit.
  3. Scroll to the bottom and select the Delinea secret server.
  4. Enter the Vault URL (for example: https://<yourvault>.secretservercloud.com).
  5. Select the OAuth connection name from the drop-down list.
  6. The default HTTP header name is Authorization.
  7. (Optional) Enter the Server certificate - PEM format (optional) used to provide secure TLS communication.
  8. Click Save changes to save the vault configuration.

    Delinea secret server external key vault settings