Nodegrid OS and access through the PAM Delinea Secret Server (part 2)


Using Delinea, you can configure credentials for managed devices on the Nodegrid platform. The primary objective of this setup is to access the Device Manager (host) and assign credentials for the specified Managed Device (guest), ensuring that the credentials are managed in Delinea Secret Server instead of Nodegrid.

Password rotation or heartbeat verification for managed devices is possible but requires a Remote Password Changer for each device type, as different devices may have unique password update procedures. This aspect is not covered in detail on this page. 

How it works


The managed device Secret has four main variables:
  • The Hostname/IP of the Device Manager (a Nodegrid).
  • The name of the managed device on the Device Manager.
  • The Username to log in to the managed device.
  • The Password to log in to the managed device.

The managed device Secret is set up in such a way that it can get credentials from the device manager Secret.
When a request is made for the Remote Password Changer (RPC) to change the password of a managed device, the custom Password Changer for managed devices uses the device manager credentials to authenticate and enter the CLI.
Once in the CLI, it uses the following commands to set up the credentials:
set settings/devices/<DEVICE_NAME>/access/ credential=set_now
set settings/devices/<DEVICE_NAME>/access/ username=<DEVICE_USERNAME>
set settings/devices/<DEVICE_NAME>/access/ password=<DEVICE_PASSWORD>
commit

You can now click the Console button in the Nodegrid Web UI to log in automatically.
You only need to set the credentials in Delinea, not Nodegrid. Once a remote password change request is made, the changes in Delinea will automatically update on Nodegrid.
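
The command sequence described in this section, rendered from the secret fields, as an added example (not ZPE's or Delinea's code). The function names, the device-name allow-list and the rule of refusing whitespace in values are assumptions made here so that each value stays on its own CLI line; no CLI quoting is attempted.

```python
import re

# Assumption (not from the article): a conservative allow-list for the
# managed device name; the real Nodegrid naming rules may be broader.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class FieldError(ValueError):
    """Raised when a secret field would not fit on one CLI line."""


def check_value(label, value):
    # The CLI is line-oriented: whitespace or control characters in a value
    # would split the line or start a new command, so refuse them up front.
    if not value:
        raise FieldError(f"{label} is empty")
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise FieldError(f"{label} contains whitespace or control characters")
    return value


def render_commands(device_name, username, password):
    """Return the four CLI lines sent for one managed device secret."""
    # fullmatch, so a trailing newline cannot slip past the pattern.
    if not DEVICE_NAME_RE.fullmatch(device_name):
        raise FieldError("ManagedDeviceName has characters outside the allow-list")
    path = f"settings/devices/{device_name}/access/"
    return [
        f"set {path} credential=set_now",
        f"set {path} username={check_value('Username', username)}",
        f"set {path} password={check_value('Password', password)}",
        "commit",
    ]


def redact(lines):
    """Copy of the lines that is safe to paste into a ticket or log."""
    return [re.sub(r"(password=).*", r"\1********", line) for line in lines]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    for line in redact(render_commands("lab-switch-01", "netops", "S3cret!value")):
        print(line)
```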

Limitations
Using Remote Password Changer (RPC), it is possible to set up the Username and Password of a managed device. This setup, however, does not allow launching a Direct Access console from the Delinea Secret Server. 

Requirements/Pre-requisites:
  1. A device to be managed.
  2. A Nodegrid device with the managed device connected to it.
  3. The Nodegrid device must be set up so that its initial application is the CLI (default behavior). The device must also be set up as a secret on Delinea Secret Server. This allows the managed device secret to connect using its credentials.
  4. Delinea Secret Server.

Configuration
Adding a custom Password Changer for Managed Devices
Create a custom password changer that uses the Hostname/IP, Username and Password of the Nodegrid device manager (host).
1. Access the path: Administration > Secrets > Configuration > General and click on Remote Password Changing.


2. Click on Options and then Configure Password Changers.

3. Click on Create Password Changer.
4. For Base Password Changer, select Unix Account Custom (SSH).
5. Set the Name to NodegridOS CLI for Managed Devices and click on Save.


6. On Password Change Commands, set the commands as follows:

Verify that the Username and Password variables on Authenticate As are preceded with $[1]. This is because you need to use the credentials of the first associated secret. For more details, see the Adding a Secret section.
The commands are:
set settings/devices/$ManagedDeviceName/access/ credential=set_now
set settings/devices/$ManagedDeviceName/access/ username=<DEVICE_USERNAME>
set settings/devices/$ManagedDeviceName/access/ password=<DEVICE_PASSWORD>
commit

7. On the same page, click on Advanced Settings, change the Bypass Verify After Password Change setting to Yes, and save.


8. Click Back.

Creating a Secret Template for Managed Devices



Follow these steps to create a secret template with the required variables to manage the target device.
1. Access the path: Administration > Actions > Secret Templates.
Attention: This path is on the Secret Server panel. If you’re on Delinea panel, access the path: Administration > Secrets > Actions (Core Actions) > Secret Templates.
2. Click on Create Template.
3. Check the Import XML box.
4. Paste the NodegridOS (Managed Device).xml (available at the end of this document) and click Save.



5. Click on Mapping.
6. Under Password Changing, click on Edit.
7. Check the Enable RPC box.
8. On the Password Type to use drop-down, select NodegridOS CLI for Managed Devices.
9. For Machine Name, select Device Manager Host/IP.
10. For Password, select Password.
11. For User Name, select Username.
In the end, you must have:


12. Click Save.

Adding a Secret

1. Access the path: Secrets > All Secrets.
Attention: This path is on the Secret Server panel. If you have followed the last steps, you’re already on it. If you are on the Delinea panel, access the path: Vault > All Secrets.
2. Click Create Secret.
3. Select the NodegridOS (Managed Device) template.
4. On Secret Name, add a name you want to represent the device.
5. On Device Manager Host/IP, set the Hostname or IP of the Device Manager (the Nodegrid Device).
6. On ManagedDeviceName, set the exact name of the managed device on Nodegrid (case-sensitive).
7. On Username, set the user for the managed device.
8. On Password, set the current password for the managed device.



9. Click on Create Secret.
10. In the Remote Password Changing tab, click on Edit next to Associated Secrets.


11. A new button Add Secret appears. Click on it and select the Device Manager (the Nodegrid Device).
In the end, you should have it as follows:


12. Click on the Change Password Now button in the top right corner to set the username and password for the managed device on Nodegrid.

NodegridOS (Managed Device).xml (Secret Template) is provided as an attachment.

