Configure Delinea Secret Server Integration

Last modified on September 17, 2024

Overview

Delinea Secret Server is a service for securely storing and accessing secrets, such as API keys, passwords, certificates, and cryptographic keys. This guide describes how to integrate Secret Server with StrongDM.

Secret store integrations allow you to use your existing third-party secret stores with StrongDM. Your credentials are stored in a service that is controlled by you, and those credentials are never transmitted to StrongDM in any form. If you would like to learn more about how the Secret Store integration works and why you might wish to use it, please read the Secret Stores Reference.

Prerequisites

The following items are required to integrate Secret Server with StrongDM:

  • StrongDM account with the Administrator permission level
  • Healthy StrongDM gateway or relay to allow authentication with Secret Server
  • Delinea Secret Server account set up with a user’s username and password, and at least one secret to a resource
  • Correct path(s) to the secret(s) stored in Secret Server

Configuration

To integrate StrongDM with Delinea Secret Server, follow the steps in this section to set up your Secret Server account and secrets, configure your gateway or relay, and create the secret store in StrongDM.

Set up Secret Server account and secrets

  1. Log in to your Secret Server account. For the purposes of this guide, we log in with the Local Login option.
  2. Go to Administration > Users, Roles, Access > User Management.
  3. Ensure that you have a user set up with which the StrongDM service can authenticate to Delinea. The user should have a username and password, which are the credentials needed to access secrets stored in Secret Server. Additionally, the user must have the Application Account option set to Yes in order for it to work with StrongDM.
  4. Go to the Secrets section.
  5. Ensure that you have an existing secret. If you do not, click Create Secret to add one.
  6. Select a secret and notice the URL in your web browser’s address bar. It should look similar to https://example.secretservercloud.com/app/#/secret/7/general, with a number value, such as 7. The number represents the key to the secret stored in Secret Server. Remember the URL for when you are done with configuration and want to connect to a StrongDM resource.

Configure your gateway or relay

To allow communication with Secret Server, StrongDM needs to know what credentials to use. You can configure your gateway or relay environment with properties as environment variables.

The following table shows the environment variables that Delinea supports. Add all required environment variables on your relay or gateway. For DELINEA_SERVER_URL and DELINEA_API_TENANT, you must set one but not both. Open the file /etc/sysconfig/sdm-proxy (unless you have moved or renamed your sdm-proxy file) to add or edit these environment variables.

Environment variableRequirementDescription
DELINEA_USERNAMERequiredThe username of the Delinea Secret Server user account that is associated with the secrets stored in Secret Server
DELINEA_PASSWORDRequiredThe password of the Delinea Secret Server user account that is associated with the secrets stored in Secret Server
DELINEA_SERVER_URLOptionalThe URL of the server where your secrets are stored (for example, https://example.com); only needed if you are using an on-premises version of Delinea or Thycotic, where you are not logged in to any Software as a Service (SaaS) but you are logged in to your own server; can be used if you did not already set the server address in the Admin UI when adding the secret store
DELINEA_API_TENANTOptionalYour Secret Server tenant name, which is required if you did not already set the tenant name in the Admin UI when adding the secret store; can be found in your Secret Server URL (for example, in the Secret Server URL https://example.secretservercloud.com, the tenant name is example)

Create a secret store in StrongDM

  1. Log in to the StrongDM Admin UI.
  2. Go to Settings > Credentials Management and to the Secret Stores tab.
  3. Click Add secret store.
  4. On the Add Secret Store form that displays, set all the required secret store properties.
Delinea Secret Store Settings
Delinea Secret Store Settings
  1. Click Create secret store.

If you have configured the relay or gateway server correctly for Secret Server access and authorization, you can see the green online indicator.

Secret store properties

PropertyRequirementDescription
Display NameRequiredThe name for this secret store integration that is displayed throughout StrongDM
TypeRequiredThe type of secret store; select Delinea Secret Server
Server AddressOptionalThe URL of the server where your secrets are stored (for example, https://example.com) if using an on-premises version of Delinea or Thycotic; if you already set environment variables on your gateway or relay, the server address is the same property as the DELINEA_SERVER_URL environment variable; what you set in the Admin UI takes precedence over the environment variable
Tenant NameOptionalYour Delinea Secret Server tenant name, which you can find in your Secret Server URL (for example, in the Secret Server URL https://example.secretservercloud.com, the tenant name is example); if you already set environment variables on your gateway or relay, the tenant name is the same property as the DELINEA_API_TENANT environment variable; what you set in the Admin UI takes precedence over the environment variable

Configuration is now complete.

Connect to a StrongDM Resource

Now that you have set up secret store integration, you can use the Delinea Secret Server secret store to connect to different StrongDM resources.

  1. In the Admin UI, go to Infrastructure > Datasources.
  2. Click Add datasource.
  3. On the form that displays, set the properties for your database resource, including the secret store properties
  4. When all required fields are complete, click Create.

When the resource is ready, the Health icon indicates a positive, green status.

Delinea Secret Server properties

PropertyDescription
Secret StoreThe type of secret store; select Delinea Secret Server
Username (path)The path to your secret key in the format <SECRET_URL_NUMBER>?key=<KEY> where <SECRET_URL_NUMBER> is the number found in the URL of your secret, and where is one of the parameters of the secret in the Delinea interface; for example, if your secret URL is https://example.secretservercloud.com/app/#/secret/7/general, and if you created the secret with the Username parameter set, you would enter 7?key=Username
Password (path)The path to your secret key in the format <SECRET_URL_NUMBER>?key=<KEY> where <SECRET_URL_NUMBER> is the number found in the URL of your secret, and where is one of the parameters of the secret in the Delinea interface; for example, if your secret URL is https://example.secretservercloud.com/app/#/secret/7/general, and if you created the secret with the Password parameter set, you would enter 7?key=Password
Top