Solved: Re: Device Password Vault for NSO

hkubota · ‎01-15-2019

Hi,

In NSO I can configure hard-coded accounts and password to connect to devices (authgroups).

If I do not want that (our security team does not like that) and instead I have to to keep device passwords in a system like HashiCorp Vault, how can this be integrated into NSO?

Typically I'd give NSO at startup time a one-time password which it would use to get a token out of Vault which it can use to get the passwords out of Vault. But I see no way to integrate this in NSO.

Am I missing something or is this simply not implemented and not (easily) implementable?

Is there maybe a hook to get a password out from an external system or Python/Java program instead of having it hard-coded in an authgroup configuration?

vleijon · ‎01-16-2019

Actually, I was behind the curve, it is included in nso-4.7.2, from the CHANGES file:

ncs: Authentication groups are extended to support action callbacks to
retrieve southbound user and credentials for a local user, device and
the authgroup that device belongs to.

(ENG-17868)

It is the 'callback-node' and 'action-name' settings in the umap or default-map configuration.

View solution in original post

joepak · ‎01-16-2019

vleijon · ‎01-16-2019

It is not currently possible to do what you want, but it is a feature that will come in a future release. We have had this request from other customers as well.

I am not entirely sure which release it will be in or when that will be released. If someone from the product management team is watching, they might know.

vleijon · ‎01-16-2019

Actually, I was behind the curve, it is included in nso-4.7.2, from the CHANGES file:

ncs: Authentication groups are extended to support action callbacks to
retrieve southbound user and credentials for a local user, device and
the authgroup that device belongs to.

(ENG-17868)

It is the 'callback-node' and 'action-name' settings in the umap or default-map configuration.