| Field | Value |
| --- | --- |
| Description | IdentityIQ Application Connector for BeyondTrust Privilege Management for Unix & Linux |
| Legal Agreement | By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab. |
| Repository Link | N/A |
| New to Connector Configurations in the CoLab? | Read the getting started guide for Connector Configurations in the CoLab. |
| Supported by | Community Developed |
Overview
BeyondTrust Privilege Management for Unix & Linux lets you remove local admin rights, control root access, and enforce true least privilege seamlessly across Unix and Linux desktops and servers.
Capabilities:
- Accounts Aggregation;
- Roles Aggregation;
- Create Account;
- Add/Remove Roles for Accounts;
- Enable/Disable Account;
- Unlock Account;
- Change Password.
Requirements
IdentityIQ 8.1 or later (patched), and BeyondTrust Privilege Management for Unix & Linux 23.1.0-1 or later.
Guide
Deployment
Download the Application/Connector file:
Application_IdentityIQ_BIUL.xml (44.2 KB)
Before you import the XML file, edit it and change the Application name to the desired value.
Navigate to Global Settings, Import from File, and import the Application XML.
Access the new Application under Applications, Application Definition. Replace myInstance:4443 with your actual instance and port.
Open the HTTP operation Custom Authentication and replace myInstance:4443 there as well with your actual instance and port.
In BeyondTrust Privilege Management for Unix & Linux (BIUL), navigate to Settings, Console Access, and create a new service account for IdentityIQ. Edit the account and grant it the apiuser and accountadmin roles.
Within the same operation, navigate to Body and replace the username with the name of your IdentityIQ service account.
Open the debug page (/debug), choose Applications, open the Application, and search for password_CA with Ctrl-F. Replace the encrypted test value with the clear-text password of the IdentityIQ service account, then click Save; IdentityIQ encrypts the clear-text value on save.
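The pre-import edits above (rename the Application, replace the myInstance:4443 placeholder in the base URL and in every HTTP operation, set the service-account username in the authentication body) can be scripted so the file is edited once, before import, instead of attribute by attribute in the UI. The script below is an added example and is not part of the CoLab item or the connector; SAMPLE_XML is a constructed, heavily reduced stand-in for Application_IdentityIQ_BIUL.xml whose entry keys, URL paths and CHANGE_ME username are assumptions made for the example. The clear-text password is deliberately never written into the file; set it after import on the debug page as the guide describes, so it is stored encrypted.

```python
import xml.etree.ElementTree as ET

# Placeholder host:port the connector XML ships with (from the CoLab guide).
PLACEHOLDER_HOST = "myInstance:4443"
# Username placeholder assumed for this example; the real file carries a sample name.
PLACEHOLDER_USER = "CHANGE_ME"

# Constructed, heavily reduced stand-in for Application_IdentityIQ_BIUL.xml.
# Entry keys and URL paths are assumptions made for the example only.
SAMPLE_XML = """<Application name="BIUL" type="Web Services">
  <Attributes>
    <Map>
      <entry key="genericWebServiceBaseUrl" value="https://myInstance:4443/api"/>
      <entry key="connectionParameters">
        <value>
          <List>
            <Map>
              <entry key="operationType" value="Custom Authentication"/>
              <entry key="contextUrl" value="https://myInstance:4443/api/login"/>
              <entry key="jsonBody" value="{&quot;username&quot;:&quot;CHANGE_ME&quot;}"/>
            </Map>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</Application>
"""


def _replace_everywhere(elem, old, new):
    """Replace `old` with `new` in the attributes, text and tail of elem and
    all of its descendants. Returns how many fields were changed."""
    changed = 0
    for attr, val in elem.attrib.items():
        if old in val:
            elem.set(attr, val.replace(old, new))
            changed += 1
    if elem.text and old in elem.text:
        elem.text = elem.text.replace(old, new)
        changed += 1
    if elem.tail and old in elem.tail:
        elem.tail = elem.tail.replace(old, new)
        changed += 1
    for child in elem:
        changed += _replace_everywhere(child, old, new)
    return changed


def find_placeholders(xml_text, placeholder=PLACEHOLDER_HOST):
    """Pre-import check: list 'tag@attribute' (or 'tag#text') locations that
    still contain the placeholder. An empty list means nothing was missed."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, val in elem.attrib.items():
            if placeholder in val:
                hits.append(f"{elem.tag}@{attr}")
        if elem.text and placeholder in elem.text:
            hits.append(f"{elem.tag}#text")
    return hits


def prepare_application_xml(xml_text, new_name, host_port, service_account=None):
    """Return the Application XML with the name set, the host:port placeholder
    replaced everywhere (base URL and every HTTP operation) and, optionally,
    the service-account username substituted in the authentication body.
    The password is intentionally left alone: set it after import via /debug."""
    root = ET.fromstring(xml_text)
    if root.tag != "Application":
        raise ValueError(f"expected an <Application> document, got <{root.tag}>")
    root.set("name", new_name)
    if _replace_everywhere(root, PLACEHOLDER_HOST, host_port) == 0:
        # Nothing to replace usually means the wrong file or an already-edited one.
        raise ValueError(f"placeholder {PLACEHOLDER_HOST!r} not found in XML")
    if service_account:
        _replace_everywhere(root, f'"username":"{PLACEHOLDER_USER}"',
                            f'"username":"{service_account}"')
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed values: the hostname and service-account name are examples only.
    prepared = prepare_application_xml(SAMPLE_XML, "BIUL-Prod",
                                       "biul.example.internal:4443", "svc_iiq")
    print(prepared)
    print("leftover placeholders:", find_placeholders(prepared))
```

Run find_placeholders on the edited file before importing it; a leftover myInstance:4443 in any HTTP operation shows up as an opaque connection failure only when that operation is first used, long after Test Connection has passed.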
Note: If your BIUL instance is using the default self-signed certificate, you will need to import the server certificate into the Java keystore used by IdentityIQ. On Linux, run "ps -ef | grep tomcat"; the Tomcat process's command line shows the path of the JVM it runs under.
Under that JVM path, the cacerts certificate store is in lib/security. Use keytool to import the BIUL server certificate (keytool prompts for the keystore password; the default for cacerts is changeit). You can export the BIUL certificate using a browser.
This is the keytool command you can use:
keytool -importcert -alias biul -file /tmp/myServerCert.crt -keystore ./cacerts
Restart Tomcat so the JVM picks up the updated truststore. At this point, Test Connection for the Application should succeed.
Now you can navigate to Setup, Tasks, and create Aggregation Tasks for Groups and Accounts. After you execute the tasks, you should see Accounts and Groups on Identities.
Example: an Identity's account on the Application, showing the policyadmin role.
Navigate to Applications, Entitlement Catalog. You should see the Roles for the Application.