BeyondTrust Password Safe integration is supported for these use cases.

Note: In Automation 360 On-Premises Control Room deployments, A360 Service Account and Database (DB) use cases are not currently supported in BeyondTrust Password Safe integration.

For the Bot auto-login use case, Automation 360 retrieves credentials from BeyondTrust Password Safe.

Use case: Retrieve auto-login credentials

Note: This use case is supported for both Automation 360 Cloud deployments and Automation 360 On-Premises deployments.

Auto-login credentials are used to authenticate to an Automation 360 Bot Agent device and start an active Windows Server session. This requires an active Windows Server session to function. Auto-login occurs before automations are launched from a remote Bot Agent device.

To enable auto-login, each automation runtime user must be mapped to a target device. This requires mapping of the Control Room username with the secret names so that during runtime, the Bot Runner user can retrieve the device credentials from the BeyondTrust Password Safe.

Note: You cannot enable auto-login for specific unattended Bot Runners by providing device credentials for them. Once the key vault is configured, credentials for all unattended Bot Runners are retrieved from the key vault. Make sure that each Bot Runner's credentials are stored in the key vault to avoid a Secret not found error.

To map the Control Room username with the secret names:

  1. Navigate to Administration > Settings > External key vault > Device auto login.
  2. Click Edit and select Manage custom secrets mappings.
    Note: The account name that you enter in the Manage custom secrets mappings will be used as the device login username. Account name can be in any of the following formats:
    • sAMAccountName

      For example, CONTOSO\jdoe.

    • UPN

      For example, john.doe@contoso.com.

  3. Download the Custom Secrets Name Mapping Template.csv template and add the following entries in the format specified:
    • Username
    • System name
    • Account name
  4. Click Import .csv and browse to select the Custom Secrets Name Mapping Template.csv template file to map the Control Room usernames with the secret names.
  5. Click Import and save. The custom secrets mapping table is populated with the updated entries.
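
A pre-import check for the mapping file described in the steps above, as an added example that is not part of the Automation 360 product or its documentation. It assumes the template's header row uses the three column names listed in step 3, compares usernames case-insensitively, and treats a repeated username as ambiguous; the sample rows are constructed.

```python
import csv
import io
import re

# Column names from step 3; the template's exact header spelling is an assumption.
COLUMNS = ("Username", "System name", "Account name")

# The two account-name formats the page lists.
SAM_RE = re.compile(r"^[^\\/@\s]+\\[^\\/@\s]+$")             # CONTOSO\jdoe
UPN_RE = re.compile(r"^[^\\/@\s]+@[^\\/@\s]+\.[^\\/@\s]+$")  # john.doe@contoso.com


def validate_mapping(csv_text, unattended_runners):
    """Return a list of problems found in a custom secrets mapping CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing column(s): {', '.join(missing)}"]

    problems, seen = [], {}
    for line_no, row in enumerate(reader, start=2):
        user, system, account = ((row[c] or "").strip() for c in COLUMNS)
        if not (user and system and account):
            problems.append(f"line {line_no}: empty field")
            continue
        if not (SAM_RE.match(account) or UPN_RE.match(account)):
            problems.append(f"line {line_no}: account name {account!r} "
                            "is neither sAMAccountName nor UPN format")
        key = user.casefold()  # assumption: case-insensitive usernames
        if key in seen:
            problems.append(f"line {line_no}: {user!r} already mapped "
                            f"on line {seen[key]}")
        seen.setdefault(key, line_no)

    # With the key vault enabled, every unattended Bot Runner's credentials
    # come from the vault, so flag runners that have no mapping row.
    for runner in unattended_runners:
        if runner.casefold() not in seen:
            problems.append(f"runner {runner!r} has no mapping")
    return problems


# Constructed sample data, not taken from a real Control Room.
SAMPLE = """Username,System name,Account name
runner01,WIN-BOT-01,CONTOSO\\svc_runner01
runner02,WIN-BOT-02,svc.runner02@contoso.com
runner03,WIN-BOT-03,svc_runner03
runner01,WIN-BOT-04,CONTOSO\\svc_other
"""

if __name__ == "__main__":
    print("\n".join(validate_mapping(SAMPLE, ["runner01", "runner02", "runner04"])))
```

Running the check against an exported mapping before enabling device auto login surfaces malformed account names and unmapped runners while the Control Room credentials are still in use.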

After mapping the Control Room usernames with secret names, you can enable the device auto login settings to retrieve auto-login credentials from the BeyondTrust Password Safe, using the following procedure:

  1. Log in to the Automation 360 Control Room with View Settings > Manage Settings permission.
  2. From the Control Room, navigate to Administration > Settings > External key vault > Device auto login.
  3. Click Edit.
  4. Click Enabled to retrieve the auto-login credentials from that external key vault.
  5. Click Save changes to save the configuration.

Custom secrets mapping management options

You can perform the following actions on custom secrets mapping in the Control Room:
  • Export mapping: Exports the current configuration of mappings into a .csv file.
  • Delete rows: Allows removal of selected rows from the current mapping.
  • Import mapping: Enables the import of mappings from a prepared .csv file.
  • Search option: Filters for easier access to specific mappings in the table.
  • Customize mapping: Allows you to customize the mapped columns using show/hide option.
  • Refresh mapping: Refreshes the mapped entries.

Use case: Retrieve Agent automation credentials

Note: This use case is supported for both Automation 360 Cloud deployments and Automation 360 On-Premises deployments.

Automation credentials are variables that developers use in automation (bot) actions. These actions help define and get sensitive data from encrypted storage. The automation uses these credentials to log into applications. During runtime, the Automation 360 Bot Agent retrieves the automation credentials. This use case shows how an automation gets credentials (secrets stored in BeyondTrust Password Safe) and uses them during runtime to log into the applications being automated.

To set up automation credentials retrieval and connect with the BeyondTrust Password Safe, you first need to create a locker and then create credentials.

Note: If you want to store credentials in both the Control Room credential vaults and external key vaults, do the following:
  • Create separate lockers in the Control Room to store credentials created in the Control Room credential vaults.
  • Create separate lockers in the Control Room to store credentials created in external key vaults.

The Control Room does not support storing credentials from the Control Room credential vaults and from external key vaults in the same locker.

To create a locker to integrate with the BeyondTrust Password Safe, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credentials.

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. Select the Lockers tab, and click Create Locker.
  3. Enter a name for the locker.

    This name is local to the Control Room and does not have any dependency on the BeyondTrust Password Safe secret name.

  4. Select External Key Vault with the label BeyondTrust Password Safe.
  5. Click Next.
  6. Configure Owners, Managers, Participants, and Consumers for the locker.
  7. Click Create locker. See Create locker.

To create a credential to integrate with the BeyondTrust Password Safe, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credentials.

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. From the Credentials tab, select Create Credential.
  3. Enter the credential name in the Credential name field.

    This name is local to the Control Room and does not have any dependency on the BeyondTrust Password Safe secret name.

  4. Click External key vault below the name field.
  5. From the list of available lockers, select the appropriate locker that was set to BeyondTrust Password Safe.
  6. Enter the same System name and Account name as they appear in BeyondTrust Password Safe.
  7. Click Validate and retrieve attributes. When the system successfully retrieves the secret, it displays two attributes: Username and Password.
  8. From the list of attributes, select the attributes to map to the credential.
  9. Click Create credential to save the credential.

    In your bot, use Credential Actions to get and use the secrets while the program is running. For example, a bot can decrypt a password-protected PDF by using a password that is fetched from BeyondTrust Password Safe in real time.

Use case: Retrieve Control Room system credentials for BeyondTrust Password Safe

Note: This use case applies only to Automation 360 On-Premises deployments.

  1. Set up Active Directory credentials:

    After you complete the initial installation of Automation 360 and configure BeyondTrust Password Safe as the external key vault, you can set up the authentication type for Automation 360 Control Room users in the initial setup as shown below (this occurs directly after the initial installation completes).

    1. From the Authentication type for Control Room users dialog box, click Active Directory.
    2. You can optionally configure the Active Directory integration credential (this is the credential that the Control Room uses to authenticate users with Active Directory) to be retrieved from BeyondTrust Password Safe. Select External Key vault with label BeyondTrust Password Safe.
    3. Enter the System name and Account name.
    4. Click Discover connections or Manually add connections to fetch the Active Directory credential from the external vault. Once the connection is successful, the Next button is enabled.
    5. Click Next and configure Owners, Managers, Participants, and Consumers for the locker.

    The Control Room will attempt to retrieve the credential from the BeyondTrust Password Safe and then authenticate to the Domain Controller. If this fails, the cause might be one of the following:
    • There is no secret with that name in the BeyondTrust Password Safe
    • There is a secret with that name, but it does not contain a username and password that is authorized for authentication with Active Directory

    You can now log in to the Control Room as admin and add users and roles.

    To change the Active Directory settings:
    1. Log in to the Automation 360 Control Room as the Administrator.
    2. Navigate to: Administration > Settings > Active Directory.
    3. Click External key vault and select BeyondTrust Password Safe.
    4. Enter the System name and Account name to get the Active Directory credentials.
  2. Set up SMTP credentials:
    1. To set up email, log in to the Automation 360 Control Room as the Administrator.
    2. Navigate to: Administration > Settings > Email.
    3. Click External key vault and select BeyondTrust Password Safe as the external key vault.
    4. Enter the System name and Account name to get the Active Directory credentials.

Audit logs

For information about audit log events for external key vault, see External key vault audit log.