You can retrieve Delinea Secret Server credentials for several use cases. Some are supported for Automation 360 Cloud deployments, while others are supported for Automation 360 On-Premises deployments.

Use case: Retrieve Agent auto-login credentials

Note: This use case is supported for both Automation 360 Cloud deployments and Automation 360 On-Premises deployments.

This use case explains how Automation 360 retrieves and uses credentials to start automations on specific Automation 360 Bot Agent devices.

Auto-login credentials are used to authenticate to an Automation 360 Bot Agent device and begin an active Windows Server session. Automation needs an active Windows Server session to function, so auto-login happens before automations are started from a remote Bot Agent device.

To set up auto-login, each automation runtime user needs to be mapped to a secret (name and ID) found in the Delinea Secret Server. This involves connecting the Control Room username with the secret names. This way, during runtime, the Bot Runner user can access the device credentials from the Delinea Secret Server.

To map the Control Room username with the secret names:

  1. Navigate to Administration > Settings > External key vault > Device auto login.
  2. Click Edit and click Manage custom secrets mappings.
  3. Export the CSV file template and add the following entries in the format specified:
    • Username:
      • In a non-Active Directory (AD) environment, enter the Automation 360 username for the Bot Runner. For example, if the Bot Runner name is botrunnertest, the username in the CSV should match.
      • (Applicable for On-Premises only) For an AD environment, add the domain name in the username. For instance, if the AD domain is TESTDOMAIN and the Bot Runner's name is botrunnertest, the username in the CSV should be TESTDOMAIN\botrunnertest.
    • Secret Name: from Delinea
    • Secret ID: Numeric value from Delinea
      Note:
      • If you only give the Secret Name, the system will first find the Secret ID for that name. Then, it will use the Secret ID to look up the secret. If there are duplicate Secret Names, the system will choose the first one from the list of Secret Names returned by the Secret Server.
      • If you provide both the Secret Name and the Secret ID, the system will use the Secret ID.
      • If you only have the Secret ID, it will be used to get the secret credential.

  4. Click Import .csv and browse to select the CSV file template to map the Control Room usernames with the secret names or secret IDs.
    Note: When you upload a CSV file, you can only import up to 100 entries at a time.
  5. Click Import and save. The custom secrets mapping table is populated with the updated entries.
  6. After mapping the Control Room usernames with secret names, you can enable the device auto-login settings to retrieve auto-login credentials from the Delinea Secret Server.
    1. From the Control Room, navigate to Administration > Settings > External key vault > Device auto login.
    2. Click Edit.
    3. Click Enabled to enable Auto Login Mapping to retrieve the auto-login credentials from the Delinea Secret Server external key vault.
  7. Click Save changes to save the configuration.
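
An added example, not part of the original page or of Automation 360: a pre-import check for the mapping CSV built in the steps above, covering the 100-entry limit, the AD username format, and name-only rows that depend on first-match lookup. The header names, the one-mapping-per-user warning and the sample rows are assumptions; compare the headers with the exported template.

```python
import csv
import io

MAX_ROWS = 100  # per-import limit stated on this page
# Assumed header names; compare with the exported CSV template.
COLS = ("Username", "Secret Name", "Secret ID")

# Constructed sample rows (AD environment, domain TESTDOMAIN).
SAMPLE = r"""Username,Secret Name,Secret ID
TESTDOMAIN\botrunnertest,bot machine,42
TESTDOMAIN\botrunner02,bot machine,
botrunner03,,abc
"""

def validate_mapping(csv_text, ad_domain=None):
    """Return (errors, warnings) for a custom secrets mapping CSV."""
    errors, warnings, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing column(s): {', '.join(missing)}"], warnings
    rows = list(reader)
    if len(rows) > MAX_ROWS:
        errors.append(f"{len(rows)} entries: import at most {MAX_ROWS} per file")
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        user, name, sid = ((row[c] or "").strip() for c in COLS)
        if not user:
            errors.append(f"line {n}: empty Username")
        elif user.lower() in seen:
            # Assumption: one mapping per runtime user.
            warnings.append(f"line {n}: {user!r} is mapped more than once")
        seen.add(user.lower())
        prefix = f"{ad_domain}\\".upper() if ad_domain else ""
        if user and not user.upper().startswith(prefix):
            errors.append(f"line {n}: expected {ad_domain}\\<name>, got {user!r}")
        if not name and not sid:
            errors.append(f"line {n}: needs a Secret Name or a Secret ID")
        if sid and not (sid.isascii() and sid.isdigit()):
            errors.append(f"line {n}: Secret ID {sid!r} is not numeric")
        if name and not sid:
            # Name-only rows resolve to the first secret returned for that name.
            warnings.append(f"line {n}: name-only lookup; pin the Secret ID")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = validate_mapping(SAMPLE, ad_domain="TESTDOMAIN")
    print("\n".join(["ERRORS:"] + errs + ["WARNINGS:"] + warns))
```

Rows that carry a numeric Secret ID avoid the duplicate-name ambiguity described in the note under step 3, because the Secret ID is used whenever it is present.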

Testing the Mapping

To check if the use case setup is correct, first upload the test mapping. When a bot is triggered for a user, Automation 360 gets the mapped secret from Delinea to log into the user's device securely and smoothly.
Note:
  • If there are duplicate secret names in Delinea within the same folder, it will retrieve the first match it finds.
  • Templates that users select to create the secret should have Username and Password fields included.

Custom secrets mapping management options

You can perform the following actions on custom secrets mapping in the Control Room:
  • Export mapping: Exports the current configuration of mappings into a .csv file.
  • Delete rows: Allows removal of selected rows from the current mapping.
  • Import mapping: Enables the import of mappings from a prepared .csv file.
  • Search option: Searches by Secret name and filters the table for easier access to specific mappings.
  • Customize mapping: Allows you to customize the mapped columns using the show/hide option.
  • Refresh mapping: Refreshes the mapped entries.

Use case: Retrieve Agent automation credentials

Note: This use case is supported for both Automation 360 Cloud deployments and Automation 360 On-Premises deployments.

Automation credentials are variables that bot developers use in automation (bot) actions. These actions help define and get data from encrypted storage. The automation uses these credentials to log into applications. During runtime, the Automation 360 Bot Agent retrieves the automation credentials. This use case shows how an automation (bot) gets credentials (secrets stored in Delinea) and uses them during runtime to log into the applications being automated.

To set up automation credentials retrieval and connect with the Delinea Secret Server, you first need to create a locker and then create credentials.

Note: If you want to store credentials in the Control Room credential vaults and external key vaults, we recommend that you perform the following:
  • Create separate lockers in the Control Room to store credentials created in the Control Room credential vaults.
  • Create separate lockers in the Control Room to store credentials created in external key vaults.

The Control Room does not support storing credentials from the Control Room credential vaults and external key vaults in the same locker.

To create a locker to integrate with the Delinea Secret Server, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credentials.

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. Select the Lockers tab, and click Create Locker.
  3. Enter a name for the locker.

    This name is local to the Control Room and does not have any dependency on the Delinea Secret Server secret name.

  4. Click External Key Vault.
  5. Select Delinea Secret Server. The Delinea Secret Server secret name prefix is auto-populated with delinea.
  6. Click Next.
  7. Configure Owners, Managers, Participants, and Consumers for the locker.
  8. Click Create locker. See Create locker.

To create a credential to integrate with the Delinea Secret Server, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credentials.

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. From the Credentials tab, select Create Credential.
  3. Enter the credential name in the Credential name field.

    This name is local to the Control Room and does not have any dependency on the Delinea Secret Server secret name.

  4. Click External key vault below the name field.
  5. From the list of available lockers, select the appropriate locker that was previously mapped to the prefix (delinea).
  6. Enter the Delinea Secret Server secret name (as defined in Delinea) in the Secret name field (for example: bot machine).
  7. Click Validate and retrieve attributes. When the system successfully retrieves the secret, it will display the Delinea Secret Server secret attributes (the fields within the secret).
  8. From the list of attributes, select the attributes to map to the credential (for example, Password, Username).
  9. Click Create credential to save the credential.

    In your bot, use Credential Actions to get and use the secrets while the program is running. For example, a bot can decrypt a password-protected PDF by using a password that is fetched from Delinea in real-time.

Use case: Retrieve Control Room bootstrap credentials for Delinea Secret Server

Note: This use case applies to On-Premises deployments only.

The Automation 360 Control Room uses bootstrap credentials to access supporting services such as the database. You configure these credentials during post-installation (using the key vault utility) by specifying the secret name.

When required during the bootup sequence or normal operations (such as refreshing a database authentication), the Control Room uses the key vault connection to retrieve the credential and perform the required authentication.

Note:
  • Retrieving bootstrap credentials from an external key vault might cause the Control Room to fail if the external key vault is not accessible during boot-up, or if the external key vault is not accessible when the Control Room refreshes database connections.
  • You must select the Microsoft SQL Server Authentication for this use case; other database authentication methods are not supported for bootstrap.
When you need to get a database credential from the Delinea Secret Server, use the key vault utility (crutils). Follow these steps:
  1. First, stop these services to avoid any issues:
    • Control Room service
    • Automation Anywhere Control Room Messaging service
    • Automation Anywhere Control Room service
  2. Open the command prompt as an Administrator. Go to the Automation 360 installation location. Run the crutils utility with this command:

    jdk11\bin\java -Djavax.net.ssl.trustStore="C:\Program Files\Automation Anywhere\Automation360\pki\trust\store.ks" -Djavax.net.ssl.trustStorePassword=changeit --module-path lib -jar crutils.jar -action UPDATE_DB_AUTHENTICATION_CONFIGURATION -configPath "C:\Program Files\Automation Anywhere\Automation360\config"

    1. After the utility loads the current database configuration, you will see this prompt:
      Database authentication configurations loaded
       Currently configured database authentication [SQL]
      Change database authentication. Available options:
       WINDOWS: Connect to database using windows authentication
       SQL: Connect to database using SQL server authentication, manually enter username and password
       KEY_VAULT: Connect to database using SQL server authentication, retrieve username and password from external key Vault
      Enter database authentication [WINDOWS/SQL/KEY_VAULT]:
       Enter KEY_VAULT
    2. Enter the Secret name which contains the database credentials.
    3. The key vault utility will run. If the database configuration is successful (meaning it connects to the Delinea Secret Server, retrieves the designated credential, and uses it to connect to the database), you will see these messages on the console:
      Database Credentials are valid
      Database authentication configurations successfully updated
      
  3. Finally, restart these services:
    • Control Room service
    • Automation Anywhere Control Room Messaging service
    • Automation Anywhere Control Room service

Use case: Retrieve Control Room system credentials for Delinea Secret Server

Note: This use case applies to On-Premises deployments only.

If you configured the Delinea Secret Server with the key vault utility after installation, you can then use the Automation 360 user interface to set up Active Directory (AD) and SMTP credentials.

  1. Set up Active Directory credentials:
    1. For a new installation, configure the first Administrator to use Active Directory.
    2. Choose the Delinea Secret Server (external key vault) to get the AD username and password.
    3. Specify the secret name to get the AD credentials.
    4. To change the AD settings, log in to the Automation 360 Control Room as the Administrator.
    5. From the Control Room, navigate to: Administration > Settings > Active Directory.
    6. Select Delinea Secret Server and enter the secret name to get the AD credentials.
  2. Set up SMTP credentials:
    1. To set up email, navigate to: Administration > Settings > Email.
    2. Choose Delinea Secret Server as the external key vault and enter the secret name to get the SMTP credentials.