BeyondTrust

Introduction

BeyondTrust helps in managing, controlling, and monitoring privileged user activities. The SAFE-BeyondTrust integration eliminates the manual entry of the assets’ password on the SAFE platform for assessment. With this integration, SAFE pulls the assets’ credentials from the BeyondTrust server via API, authenticates the assets using these credentials, and does the assessment.

Configure BeyondTrust

SAFE Admins can configure BeyondTrust via three login methods.

• Using Certificate Authentication: Use when the login type is a client certificate.
• Using Native Static Account: Use when the login type is with a privileged identity explicit account.
• Using Fully Qualified Account: Use when the login type is with an LDP, Radius, or Windows Domain user.

Configure BeyondTrust Using Certificate Authentication

SAFE admins can configure BeyondTrust from SAFE Hooks. To configure:

1. Navigate to the SAEF Hooks.
2. Click the BeyondTrust card. The system opens the BeyondTrust Privileged Identity Configuration page.
3. Select the Login type as “Using Certificate Authentication.”
4. Enter the API URL.
5. Click the Choose File button to Browse and Upload the Client Certificate.
6. If required, browse and upload the CA certificate. This is an optional step.
7. Enter the password for the Client Certificate.
8. Mark the Verify SSL Certificate checkbox if the BeyondTrust Privilege Identity server has a CA-signed certificate trusted by the SAFE server.
9. Enter the Certificate Fingerprint if a CA-signed certificate is not available.
10. Click the Test Connection button.
11. Once the connection is verified, click the Save button.
12. Enable the Privileged Identity toggle switch available at the top-right corner of the screen.

Configure BeyondTrust Using Native Static Account

SAFE admins can configure BeyondTrust from Safe Hooks. To configure:

1. Navigate to the Safe Hooks.
2. Click the BeyondTrust card. The system opens the BeyondTrust Privileged Identity Configuration page.
3. Select the Login type as “Using Native Static Account.”
4. Enter the API URL, Username, and Password.
5. Mark the Verify SSL Certificate checkbox if the BeyondTrust Privileged Identity server has a CA-signed certificate trusted by the SAFE server.
6. Enter the Certificate Fingerprint if a CA-signed certificate is not available.
7. Click the Test Connection button.
8. Once the connection is verified, click the Save button.
9. Enable the Privileged Identity toggle switch available at the top-right corner of the screen.

Configure BeyondTrust Using a Fully Qualified Account

SAFE Admin can configure BeyondTrust from Safe Hooks. To configure:

1. Navigate to the Safe Hooks.
2. Click the BeyondTrust card. The system opens the BeyondTrust Privileged Identity Configuration page.
3. Select the Login type as “Using Fully Qualified Account.”
4. Enter the API URL, Username (Domain/Account Name), and Password.
5. Mark the Verify SSL Certificate checkbox if the BeyondTrust Privileged Identity server has a CA-signed certificate trusted by the SAFE server.
6. Enter the Certificate Fingerprint if a CA-signed certificate is not available.
7. Click the Test Connection button.
8. Once the connection is verified, click the Save button.
9. Enable the Privileged Identity toggle switch available at the top-right corner of the screen.