Configure Delinea Secret Server Integration

Last modified on October 4, 2023

Overview

Delinea Secret Server is a service for securely storing and accessing secrets, such as API keys, passwords, certificates, and cryptographic keys. This guide describes how to integrate Secret Server with StrongDM.

Secret store integrations allow you to use your existing third-party secret stores with StrongDM. Your credentials are stored in a service that is controlled by you, and those credentials are never transmitted to StrongDM in any form. If you would like to learn more about how the Secret Store integration works and why you might wish to use it, please read the Secret Stores Reference.

Prerequisites

The following items are required to integrate Secret Server with StrongDM:

  • StrongDM account with the Administrator permission level
  • Healthy StrongDM gateway or relay to allow authentication with Secret Server
  • Delinea Secret Server account set up with a user’s username and password, and at least one secret to a resource
  • Correct path(s) to the secret(s) stored in Secret Server

Configuration

To integrate StrongDM with Delinea Secret Server, follow the steps in this section to set up your Secret Server account and secrets, configure your gateway or relay, and create the secret store in StrongDM.

Set up Secret Server account and secrets

  1. Log in to your Secret Server account. For the purposes of this guide, we log in with the Local Login option.
  2. Go to Administration > Users, Roles, Access > User Management.
  3. Ensure that you have a user set up with which the StrongDM service can authenticate to Delinea. The user should have a username and password, which are the credentials needed to access secrets stored in Secret Server. Additionally, the user must have the Application Account option set to Yes in order for it to work with StrongDM.
  4. Go to the Secrets section.
  5. Ensure that you have an existing secret. If you do not, click Create Secret to add one.
  6. Select a secret and notice the URL in your web browser’s address bar. It should look similar to https://example.secretservercloud.com/app/#/secret/7/general, with a number value, such as 7. The number represents the key to the secret stored in Secret Server. Remember the URL for when you are done with configuration and want to connect to a StrongDM resource.

Configure your gateway or relay

To communicate with Secret Server, StrongDM needs to know which credentials to use. Supply them as environment variables on your gateway or relay.

The following table shows the environment variables that Delinea supports. Add all required environment variables on your relay or gateway. For DELINEA_SERVER_URL and DELINEA_API_TENANT, you must set one but not both. Open the file /etc/sysconfig/sdm-proxy (unless you have moved or renamed your sdm-proxy file) to add or edit these environment variables.

| Environment variable | Requirement | Description |
| --- | --- | --- |
| DELINEA_USERNAME | Required | The username of the Delinea Secret Server user account that is associated with the secrets stored in Secret Server |
| DELINEA_PASSWORD | Required | The password of the Delinea Secret Server user account that is associated with the secrets stored in Secret Server |
| DELINEA_SERVER_URL | Optional | The URL of the server where your secrets are stored (for example, https://example.com); only needed if you are using an on-premises version of Delinea or Thycotic, where you are not logged in to any Software as a Service (SaaS) but you are logged in to your own server; can be used if you did not already set the server address in the Admin UI when adding the secret store |
| DELINEA_API_TENANT | Optional | Your Secret Server tenant name, which is required if you did not already set the tenant name in the Admin UI when adding the secret store; can be found in your Secret Server URL (for example, in the Secret Server URL https://example.secretservercloud.com, the tenant name is example) |
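The rules in this table can be checked before restarting the gateway or relay. The script below is an added example, not StrongDM or Delinea code: it assumes the environment file contains plain KEY=VALUE lines, the function names are hypothetical, and the file-permission check is a hardening step added here rather than a requirement stated in this guide.

```shell
#!/bin/sh
# Added example: lint a gateway/relay environment file for the Delinea variables.
# Assumption: the file holds plain KEY=VALUE lines. Values are never printed.

# Print the value assigned to variable $2 in file $1 (last assignment wins).
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Return 0 if OK, 1 missing required variable, 2 both URL and tenant set,
# 3 file accessible by group/other, 4 file unreadable.
check_delinea_env() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 4; }
  for name in DELINEA_USERNAME DELINEA_PASSWORD; do
    if [ -z "$(env_value "$file" "$name")" ]; then
      echo "missing required variable: $name" >&2
      return 1
    fi
  done

  url=$(env_value "$file" DELINEA_SERVER_URL)
  tenant=$(env_value "$file" DELINEA_API_TENANT)
  if [ -n "$url" ] && [ -n "$tenant" ]; then
    echo "set DELINEA_SERVER_URL or DELINEA_API_TENANT, not both" >&2
    return 2
  fi
  if [ -z "$url" ] && [ -z "$tenant" ]; then
    echo "note: neither is set here; the secret store form must supply one" >&2
  fi

  # Hardening check added here (not from the guide): the file holds a
  # plaintext password, so group and other should have no permission bits.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "permissions on $file are too open; use chmod 600" >&2
    return 3
  fi
}

# Constructed sample file (placeholder values, not real credentials).
demo_delinea_env() {
  tmp=$(mktemp) && chmod 600 "$tmp" || return 4
  printf '%s\n' 'DELINEA_USERNAME=svc-strongdm' \
    'DELINEA_PASSWORD=placeholder-password' 'DELINEA_API_TENANT=example' > "$tmp"
  check_delinea_env "$tmp"; rc=$?
  rm -f "$tmp"
  return "$rc"
}

[ $# -eq 0 ] || check_delinea_env "$1"
```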

Create a secret store in StrongDM

  1. Log in to the StrongDM Admin UI.
  2. Go to Network > Secret Stores.
  3. Click Add secret store.
  4. On the Add Secret Store form that displays, set all the required secret store properties.
  5. Click Create secret store.

If you have configured the relay or gateway server correctly for Secret Server access and authorization, you can see the green online indicator.

Secret store properties

| Property | Requirement | Description |
| --- | --- | --- |
| Display Name | Required | The name for this secret store integration that is displayed throughout StrongDM |
| Type | Required | The type of secret store; select Delinea Secret Server |
| Server Address | Optional | The URL of the server where your secrets are stored (for example, https://example.com) if using an on-premises version of Delinea or Thycotic; if you already set environment variables on your gateway or relay, the server address is the same property as the DELINEA_SERVER_URL environment variable; what you set in the Admin UI takes precedence over the environment variable |
| Tenant Name | Optional | Your Delinea Secret Server tenant name, which you can find in your Secret Server URL (for example, in the Secret Server URL https://example.secretservercloud.com, the tenant name is example); if you already set environment variables on your gateway or relay, the tenant name is the same property as the DELINEA_API_TENANT environment variable; what you set in the Admin UI takes precedence over the environment variable |

Configuration is now complete.

Connect to a StrongDM Resource

Now that you have set up secret store integration, you can use the Delinea Secret Server secret store to connect to different StrongDM resources.

  1. In the Admin UI, go to Infrastructure > Datasources.
  2. Click Add datasource.
  3. On the form that displays, set the properties for your database resource, including the secret store properties.
  4. When all required fields are complete, click Create.

When the resource is ready, the Health icon indicates a positive, green status.

Delinea Secret Server properties

| Property | Description |
| --- | --- |
| Secret Store | The type of secret store; select Delinea Secret Server |
| Username (path) | The path to your secret key in the format <SECRET_URL_NUMBER>?key=<KEY> where <SECRET_URL_NUMBER> is the number found in the URL of your secret, and where <KEY> is one of the parameters of the secret in the Delinea interface; for example, if your secret URL is https://example.secretservercloud.com/app/#/secret/7/general, and if you created the secret with the Username parameter set, you would enter 7?key=Username |
| Password (path) | The path to your secret key in the format <SECRET_URL_NUMBER>?key=<KEY> where <SECRET_URL_NUMBER> is the number found in the URL of your secret, and where <KEY> is one of the parameters of the secret in the Delinea interface; for example, if your secret URL is https://example.secretservercloud.com/app/#/secret/7/general, and if you created the secret with the Password parameter set, you would enter 7?key=Password |
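The path format above can be derived from the browser URL and checked before it is entered in the Admin UI. The helpers below are an added example, not part of StrongDM or Delinea: the function names are hypothetical, and the tenant helper assumes the cloud URL form https://<tenant>.secretservercloud.com shown in this guide.

```shell
#!/bin/sh
# Added example: turn a Secret Server browser URL into StrongDM path values.

# Print the numeric secret ID from a URL such as .../app/#/secret/7/general.
# Prints nothing if the URL does not contain a secret number.
delinea_secret_id() {
  printf '%s\n' "$1" |
    sed -n 's|^https://[^/]*/app/#/secret/\([0-9][0-9]*\)\(/.*\)\{0,1\}$|\1|p'
}

# Build "<SECRET_URL_NUMBER>?key=<KEY>" from a secret URL ($1) and a key ($2).
delinea_path() {
  id=$(delinea_secret_id "$1")
  [ -n "$id" ] && [ -n "$2" ] || return 1
  printf '%s?key=%s\n' "$id" "$2"
}

# Check a value typed into the Username (path) or Password (path) field:
# a number, the literal "?key=", then a non-empty key.
delinea_path_valid() {
  case $1 in
    *'?key='*) ;;
    *) return 1 ;;
  esac
  id=${1%%\?key=*}
  key=${1#*\?key=}
  case $id in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ -n "$key" ]
}

# Print the tenant name (first host label) for a cloud URL.
# Prints nothing for other hosts, such as an on-premises server.
delinea_tenant() {
  printf '%s\n' "$1" |
    sed -n 's|^https://\([^./]*\)\.secretservercloud\.com\(/.*\)\{0,1\}$|\1|p'
}
```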