Exporting Privileged Access Service data using escrow functions

Users with the System Administrator role can securely export encrypted data attributes including account passwords for Systems, Accounts, Domains, and Databases from Privileged Access Service using Centrify commands and the Escrow PowerShell module. The data exported is aggregated into a CSV file, similar to the import Sample.csv template described in Importing systems, accounts, domains, databases.

The exported CSV is encrypted with OpenPGP to the public key configured for the tenant before it is emailed to the designated recipients. If the amount of data before encryption and compression exceeds 20 MB, the remaining data is written to a second file and sent to the recipients in a second email. To open an email attachment, a recipient needs the OpenPGP secret key that matches the uploaded public key and the passphrase that unlocks it. Because the decrypted file contains clear-text passwords for every exported account, treat it like the vault itself: limit who holds the secret key, and delete decrypted copies as soon as they have served their purpose.

Note:   The data from the exported file can be imported back into Privileged Access Service (see Importing systems, accounts, domains, databases).

To download the export escrow script and install the PGP program:

  1. Access Github at https://github.com/centrify/centrify-samples-powershell to download the following escrow script files to your local computer.

    • Privileged Access Service PowerShell script (Centrify.Samples.PowerShell.Example.ps1)

      The script can be used as a template to run the commands.

    • Privileged Access Service PowerShell Escrow module (Centrify.Samples.PowerShell.CPS.Export.psm1)

      The module file is called from the Centrify PowerShell script and does not require any modification. To import the module you also need https://github.com/centrify/centrify-samples-powershell/module/Centrify.Samples.PowerShell.psm1.

  2. Generate an OpenPGP key pair with a PGP key generator and export the public key to your local computer. For more information, see https://www.openpgp.org/software/.

    Only the public key is uploaded to the service; it is used to encrypt the data before the data is emailed to the designated recipients. The matching secret key and its passphrase stay with the recipients, who need them to decrypt the attachments.

  3. Once you have the script files and the encryption keys, export the data and email it to designated recipients (see Export data using Centrify escrow functions).

Export data using Centrify escrow functions

The following commands are available for exporting and emailing data attributes for Systems, Accounts, Domains, and Databases from Privileged Access Service. Every command takes the tenant URL (-Endpoint) and the authentication token (-Token) that the example script obtains when it logs in to the tenant as a user with the System Administrator role.

Set-EscrowKey -Endpoint -Token -FilePath

Uploads the OpenPGP public key in the file named by -FilePath to the Admin Portal and stores it in the tenant configuration. Exports are encrypted to this key, so only holders of the matching secret key and its passphrase can read them. Upload the public key only, never the secret key.

Set-EscrowEmail -Endpoint -Token -Emails

Configures the recipients that will receive the email containing the Systems, Accounts, Domains, and Database data and stores them in the tenant configuration. Separate multiple email recipients with a comma, a semicolon, or a space.

Get-EscrowEmail -Endpoint -Token

Displays the email addresses of the recipients designated to receive the exported content. Run it before Run-Escrow to confirm where the data will be sent.

Run-Escrow -Endpoint -Token

Exports the data for Systems, Accounts, Domains, and Databases and sends the encrypted .csv file to the designated email recipients. If the amount of data before encryption and compression exceeds 20 MB, the remaining data is written to another file and sent in a second email. The secret key passphrase is required to open the attachments.

Schedule-Escrow -Endpoint -Token

Sets the escrow job (the data export) to run every 24 hours. To change the default interval, set the tenant configuration value CPS.EscrowJobIntervalTimeSpan. The time span is entered as days, hours, minutes, and seconds (d.hh:mm:ss or hh:mm:ss). For example, 2.08:30:10 exports the data every 2 days, 8 hours, 30 minutes, and 10 seconds.

Unschedule-Escrow -Endpoint -Token

Cancels the schedule for the escrow job (the data export).

Get-EscrowScheduleStatus -Endpoint -Token

Displays whether a schedule for exporting data is configured to run periodically (the default is every 24 hours). Returns True if a schedule is configured and False if it is not.

To export data using Centrify commands in PowerShell:

Depending on the number of entities you are exporting, the process might take some time to complete.

  1. Verify that the computer you are using to export data has access to the Privileged Access Service Admin Portal and that the user to be logged in to the Admin Portal has the System Administrator role (defined in the Admin Portal).

  2. Open the Centrify.Samples.PowerShell.Example.ps1 script file you downloaded earlier to use as a template to run the commands.

  3. Modify the script file (uncomment the appropriate lines) to run commands in order to export the data attributes for Systems, Accounts, Domains, and Databases from Privileged Access Service and email it to designated recipients.

    At a minimum you must run the following commands (uncomment the command lines) to export the data and email it to recipients:

    • Set-EscrowKey -Endpoint -Token -FilePath
    • Set-EscrowEmail -Endpoint -Token -Emails
    • Run-Escrow -Endpoint -Token
  4. Start Windows PowerShell to open a command window and run the modified script (Centrify.Samples.PowerShell.Example.ps1).

    The script calls the Centrify.Samples.PowerShell.CPS.Export.psm1 module to export Systems, Domains, Databases, Accounts and their attributes into a CSV file and emails it to designated recipients.
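The following script is an added example of the sequence the procedure above describes; it is not the Example.ps1 from the Centrify sample repository. The escrow command names and their -Endpoint, -Token, -FilePath and -Emails parameters are the ones documented on this page. Everything else is an assumption and marked as such in the comments: the module files are assumed to sit next to the script, the token is assumed to come from a helper named Centrify-InteractiveLogin-GetToken in Centrify.Samples.PowerShell.psm1 (check the sample script for the function it actually calls), and the tenant URL, user name, key path and recipient addresses are placeholders.

```powershell
# Added example, not Centrify's sample script. Runs the minimum escrow sequence:
# Set-EscrowKey -> Set-EscrowEmail -> (Get-EscrowEmail to verify) -> Run-Escrow.
param(
    [string]$Endpoint   = "https://tenant.my.centrify.com",   # placeholder tenant URL (assumption)
    [string]$Username   = "sysadmin@example.com",             # must hold the System Administrator role
    [string]$PublicKey  = "C:\escrow\recipients-public.asc",  # exported OpenPGP PUBLIC key (placeholder path)
    [string[]]$Recipients = @("secops@example.com", "vault-backup@example.com")  # placeholders
)

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

# Assumption: both module files were downloaded next to this script.
Import-Module (Join-Path $PSScriptRoot "Centrify.Samples.PowerShell.psm1") -Force
Import-Module (Join-Path $PSScriptRoot "Centrify.Samples.PowerShell.CPS.Export.psm1") -Force

# Refuse to upload anything but an ASCII-armoured public key. Exports are encrypted
# to whatever key is stored in the tenant, and a secret key must never leave the recipients.
$keyText = Get-Content -Path $PublicKey -Raw
if ($keyText -match 'BEGIN PGP PRIVATE KEY BLOCK') {
    throw "$PublicKey contains a secret key; upload only the public key."
}
if ($keyText -notmatch 'BEGIN PGP PUBLIC KEY BLOCK') {
    throw "$PublicKey is not an ASCII-armoured OpenPGP public key."
}

# Authenticate to the tenant. Assumption: this is the helper the samples module provides;
# it may prompt interactively for the password and MFA.
$token = Centrify-InteractiveLogin-GetToken -Endpoint $Endpoint -Username $Username

# 1. Store the public key in the tenant configuration.
Set-EscrowKey -Endpoint $Endpoint -Token $token -FilePath $PublicKey

# 2. Configure the recipients. The page accepts ',', ';' or a space as separator; ';' is used here.
Set-EscrowEmail -Endpoint $Endpoint -Token $token -Emails ($Recipients -join ';')

# Confirm what the tenant actually stored before any passwords leave the service.
$configured = Get-EscrowEmail -Endpoint $Endpoint -Token $token
Write-Host "Escrow recipients configured in tenant: $configured"
foreach ($r in $Recipients) {
    if ("$configured" -notmatch [regex]::Escape($r)) {
        throw "Recipient $r is not in the stored escrow recipient list; aborting before export."
    }
}

# 3. Export the Systems, Accounts, Domains and Databases and email the encrypted CSV.
Run-Escrow -Endpoint $Endpoint -Token $token

# Optional: make the export recurring (default every 24 hours) and show the schedule state.
# Schedule-Escrow -Endpoint $Endpoint -Token $token
# Get-EscrowScheduleStatus -Endpoint $Endpoint -Token $token
```

The recipient check after Get-EscrowEmail matches the stored value as text because the page does not say what type the command returns; adjust the comparison once you have seen the real output. The key-header checks only catch the common mistake of pointing -FilePath at the wrong export from the key tool; they do not validate the key itself.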

CSV file data attribute fields

The following table describes the fields in the CSV output file. Each field name is followed by the information the field contains and the entity types it applies to.

Entity Type

Includes one of the following entity types:

  • System
  • Domain
  • Database
  • Account

Name

The name of the system, domain or database exported.

You can have multiple lines with the same name. For example, if you exported more than one account for the same system, each account is listed as a separate line with the same system name.

Applies to Systems, Domains, and Databases.

FQDN

Fully qualified domain name or IP address of the System or Database.

This field applies to Systems and Databases.

Description

Descriptive information added for the entity.

This field applies to Systems, Domains, Databases, and Accounts.

ComputerClass

The type of the system, one of the following values:

  • Windows
  • Unix
  • GenericSsh
  • Cisco AsyncOS
  • CiscoIOS
  • CiscoNXOS
  • JuniperJunos
  • HPNonStopOS
  • IBMi
  • CheckPointGaia
  • PaloAltoNetworksPANOS
  • F5NetworksBIGIP
  • VMwareVMkernel

This field is required and applies to Systems.

ProxyUser

The name of the “proxy” user for a system. This field is optional and applies to Systems.

For more information about the “proxy” user for Windows systems, see Configuring a proxy user for password operations. For the “proxy” user for UNIX and Juniper systems, see Specifying a proxy account for root.

ProxyUserPassword

The password for the “proxy” user for a system. This field is optional and applies to Systems. Like the Password field for accounts, it is written in clear text inside the CSV, which is why the file is encrypted before it leaves the service.

For more information about the “proxy” user for Windows systems, see Configuring a proxy user for password operations. For the “proxy” user for UNIX and Juniper systems, see Specifying a proxy account for root.

ProxyUserIsManaged

Whether the password for the “proxy” user is managed. This field is optional and applies to Systems.

TRUE indicates the “proxy” account password is managed by Privileged Access Service. FALSE indicates the password is unmanaged.

ResourceDomain

The domain that the system is joined to. This field is optional and applies to Systems.

ResourceDomainOperationsEnabled

Whether the domain administrative account is used to enable domain operations for the system, such as zone role workflow.

TRUE uses the domain administrative account to enable domain operations; FALSE does not.

To enable domain operations for a system, the importing user must have Grant rights over the domain, otherwise the import fails.

This field applies to Systems.

ResourceSessionType

Indicates remote connection type: Ssh for secure shell or Rdp for remote desktop. This field is required and applies to Systems.

ResourceSessionTypePort

The port used for remote connections. The default port for SSH is 22 and for RDP it is 3389. This field applies to Systems.

ResourceWindowsManagementMode

One of the following management modes used to manage the Windows system:

  • Unknown (equivalent to auto-detect in the Admin Portal)
  • Smb
  • WinRMOverHttp
  • WinRMOverHttps
  • RpcOverTcp
  • Disabled

This field applies to Systems.

ResourceWindowsManagementPort

The management port to be used for password management for Windows, F5 Networks BIG-IP, and Palo Alto Networks PAN-OS Systems. This field applies to Systems.

PasswordProfile

Customized password profile name to define the rules applied when managed passwords are generated for systems, domains, or databases. For more information about customized password profiles, see Configuring password profiles.

This field applies to Systems, Domains, and Databases.

SetName

Name for system, domain, database, or account sets. Sets are logical groups of a particular type (system, domain, database, or account) to simplify management activity and reporting for entities with attributes in common. For more than one set name for an entity, entries are separated by a |. For example, SystemSet1|SystemSet2|SystemSet3.

This field applies to Systems, Domains, Databases, and Accounts.

DefaultCheckoutTime

The length of time (in minutes) that a checked out password is valid. The minimum checkout time is 15 minutes. If no value is specified, the default is 60 minutes. Also see, Setting system‑specific policies.

This field applies to Systems, Domains, Databases, and Accounts.

AllowRemote

TRUE (allows remote connections from a public network for a selected system) or FALSE (does not allow remote connections from a public network).

This field is optional and applies to Systems.

ParentEntityTypeOfAccount

Entity type related to the account (System, Domain or Database).

This field applies to Accounts.

ParentEntityNameOfAccount

Display name of the system, domain or database associated with the account. This field applies to Accounts.

User

User name for an account used with Systems, Domains, and Databases. This field applies to Accounts.

Password

The password for the account used with the system.

This field is optional and applies to Accounts.

IsManaged

TRUE if Privileged Access Service manages the password for the account, or FALSE if the password is unmanaged.

This field applies to Accounts.

AccountMode

Expert if an expert mode account exists for Checkpoint Gaia systems. This field applies to Systems.

UseProxy

TRUE if a “proxy” account is used for the system, or FALSE if a “proxy” account for the system is not used.

For UNIX and Juniper systems, this field is used if your secure shell environment is configured to not allow the root user to access computers remotely using SSH. This field is also used for Windows systems if you use a proxy account for Windows Remote Management (WinRM) connections to a system.

This field applies to Accounts.

DatabaseServiceType

One of the following database types:

  • SQLServer
  • Oracle
  • SAP Adaptive Server Enterprise (ASE)

This field applies to Databases.

OracleServiceName

The service name assigned to the Oracle database. Also see, Adding databases.

This field applies to Databases.

SQLInstanceName

The instance name assigned to the SQL Server database. Also see, Adding databases.

This field applies to Databases.

DatabasePort

The port number used to check the status of the database and when updating database passwords.

This field applies to Databases.

ParentDomain

The name of the parent domain, if a child domain is configured.

This field applies to Domains.

AdministrativeAccount

The administrative account in the format admin@childdomain, admin@mycompany.com, or a local account.

This field applies to Systems and Domains.

AllowAutomaticAccountMaintenance

TRUE (allows out-of-sync passwords to be reset and managed accounts to be unlocked during login or checkout), or FALSE (does not allow out-of-sync passwords to be reset and managed accounts to be unlocked during login or checkout). Requires an Administrative Account be defined for the domain.

This field applies to Domains.

AllowManualAccountUnlock

TRUE (allows users with the Unlock Account permission to manually unlock accounts), or FALSE (does not allow accounts to be manually unlocked). Requires an Administrative Account be defined for the domain.

This field is optional and applies to Domains.

AllowMultipleCheckouts

FALSE (only one user is allowed to check out the password at any given time) or TRUE (allows multiple users to have the account password checked out at the same time without waiting for the password to be checked in). Also see, Allow multiple password checkouts.

This field applies to Systems, Domains, and Databases.

AllowPasswordRotation

TRUE (Privileged Access Service rotates managed passwords periodically) or FALSE (Privileged Access Service does not rotate managed passwords periodically).

This field applies to Systems, Domains, and Databases.

PasswordRotateDuration

The interval at which managed passwords are automatically rotated.

This field applies to Systems, Domains, and Databases.

MinimumPasswordAge

The minimum number of days before a password is rotated.

This field applies to Systems, Domains, and Databases.

AllowPasswordHistoryCleanUp

TRUE (allows periodic password history cleanup), or FALSE (does not allow periodic password history cleanup).

This field applies to Systems, Domains, and Databases.

PasswordHistoryCleanUpDuration

The number of days after which retired passwords are deleted from the password history.

This field applies to Systems, Domains, and Databases.
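The script below is an added example of what a recipient can do with the decrypted export; it is not part of the Centrify documentation or sample repository. It reads a CSV with the column names from the table above and reports the facts a reviewer wants before filing or re-importing the file: how many rows carry a clear-text password, which accounts are unmanaged (their escrowed password stays valid because the service never rotates it), which accounts reference a system that is missing from the same export, which systems allow remote connections from a public network, and which ComputerClass values fall outside the documented list. The five data rows are constructed for this example and cover only a subset of the columns; a real export contains every column in the table.

```powershell
# Added example (not Centrify code): audit a decrypted escrow CSV.
# Decrypt the attachment first, outside this script, for example:
#   gpg --output escrow.csv --decrypt escrow.csv.pgp
Set-StrictMode -Version Latest

# Constructed sample rows using the documented column names (a subset of the real export).
$sampleCsv = @'
Entity Type,Name,FQDN,ComputerClass,ResourceSessionType,AllowRemote,ParentEntityTypeOfAccount,ParentEntityNameOfAccount,User,Password,IsManaged,UseProxy
System,web01,web01.example.com,Unix,Ssh,TRUE,,,,,,
System,dc01,dc01.example.com,Windows,Rdp,FALSE,,,,,,
Account,,,,,,System,web01,root,Example-Pass-1,TRUE,FALSE
Account,,,,,,System,dc01,Administrator,Example-Pass-2,FALSE,FALSE
Account,,,,,,System,db02,sa,Example-Pass-3,TRUE,FALSE
'@

# ComputerClass values listed on this page; anything else is suspect for re-import.
$validClasses = @('Windows','Unix','GenericSsh','Cisco AsyncOS','CiscoIOS','CiscoNXOS',
    'JuniperJunos','HPNonStopOS','IBMi','CheckPointGaia','PaloAltoNetworksPANOS',
    'F5NetworksBIGIP','VMwareVMkernel')

function Get-EscrowAudit {
    param([Parameter(Mandatory)][object[]]$Rows)

    $systems  = @($Rows | Where-Object { $_.'Entity Type' -eq 'System' })
    $accounts = @($Rows | Where-Object { $_.'Entity Type' -eq 'Account' })
    $systemNames = @($systems | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Systems              = $systems.Count
        Accounts             = $accounts.Count
        # Rows carrying a clear-text password: the reason the decrypted file must be protected.
        AccountsWithPassword = @($accounts | Where-Object { $_.Password }).Count
        # Unmanaged accounts: not rotated by the service, so the escrowed value stays valid.
        UnmanagedAccounts    = @($accounts | Where-Object { $_.IsManaged -eq 'FALSE' } |
                                 ForEach-Object { "$($_.ParentEntityNameOfAccount)\$($_.User)" })
        # Accounts whose parent system is absent from this export; they cannot be re-attached on import.
        OrphanAccounts       = @($accounts | Where-Object {
                                     $_.ParentEntityTypeOfAccount -eq 'System' -and
                                     $_.ParentEntityNameOfAccount -notin $systemNames } |
                                 ForEach-Object { "$($_.ParentEntityNameOfAccount)\$($_.User)" })
        # Systems that accept remote connections from a public network.
        RemoteEnabledSystems = @($systems | Where-Object { $_.AllowRemote -eq 'TRUE' } |
                                 ForEach-Object { $_.Name })
        # Systems whose ComputerClass is not one of the documented values.
        UnknownComputerClass = @($systems | Where-Object { $_.ComputerClass -notin $validClasses } |
                                 ForEach-Object { $_.Name })
    }
}

$rows   = $sampleCsv | ConvertFrom-Csv
$report = Get-EscrowAudit -Rows $rows
$report | Format-List

# After review, remove the clear-text copy; the encrypted attachment remains the record.
# Remove-Item -Path .\escrow.csv -Force
```

For a real file replace the here-string with `Import-Csv -Path .\escrow.csv`. With the constructed rows the report shows 2 systems, 3 accounts, 3 rows with passwords, dc01\Administrator as unmanaged, db02\sa as an orphan, web01 as remote-enabled and no unknown classes. If the export was split into two attachments because it exceeded 20 MB, audit both files together, otherwise accounts from the second file show up as orphans of systems that are in the first.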