Context:
The Endpoint Credential Manager (ECM) Software Development Kit for BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) allows developers to leverage a Credential Provider other than the one included (Vault) to allow Users to inject credentials when for accessing a Jump Client, a Web Jump, etc. This guide covers a specific example: Hashicorp Vault. This guide also shows how to create a Custom Source to manage the configuration and credentials needed for the Plugin to authenticate to PRA and RS on one side, and to Hashicorp Vault on the other side.
Note: Secure Remote Access (SRA) is used to refer to both PRA and RS.
Disclaimer
The Endpoint Credential Manager (ECM) Software Development Kit
Allows developers to create Custom ECM Plugins. The SDK comes with a Plugin example, which has been used as a starting point to create a new Plugin.
Any sample or proof of concept code (“Code”) provided on the Community is provided “as is” and without any express or implied warranties. This means that we do not promise that it will work for your specific needs or that it is error-free. Such Code is community supported and not supported directly by BeyondTrust, and it is not intended to be used in a production environment. BeyondTrust and its contributors are not liable for any damage you or others might experience from using the Code, including but not limited to, loss of data, loss of profits, or any interruptions to your business, no matter what the cause is, even if advised of the possibility of such damage.
Capabilities
- List secrets from Hashicorp Vault
- Inject the selected secret into a Jump session
- Optional: Use Environment Variables for the Configuration for a deployment via Jenkins or another CI/CD automation solution.
Configure Hashicorp Vault Secrets
Obtain and deploy the ECM Runtime and ECM SDK Example Plugin
The documentation for the ECM SDK is available here:
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/ecm-sdk/index.htm
Here is a quick list of packages that need to be added:
- Json.NET (Newtonsoft.Json);
- Microsoft.Bcl.AsyncInterfaces;
- Microsoft.Bcl.Cryptography;
- System.Formats.Asn1;
- System.ComponentModel.Composition.
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"ECMConfig": {
"SRASiteHostname": "myInstance.beyondtrustcloud.com",
"SRAClientId": "abcde12345",
"SRAClientSecret": "abcdef54321"
},
"ExamplePluginConfig": {
"HCP_ORG_ID": "12345",
"HCP_PROJ_ID": "12345",
"VLT_APPS_NAME": "my-app",
"HCP_SPN_CLIENT_ID": "12345",
"HCP_SPN_CLIENT_SECRET": "abcde",
"EnableSpecialCase": true
}
}
Note: While it is still possible to leverage appsettings.json for config values, the option to use Environment Variables is covered in this guide, with the use of a CI/CD Solution like Jenkins in mind, to deploy the plugin as a Container, e.g. using for example a Microsoft provided Docker image.
See for example: https://learn.microsoft.com/en-us/dotnet/architecture/microservices/net-core-net-framework-containers/official-net-docker-images
//***** Custom Source - Environment Variables - BEGIN
ExamplePluginConfig ExamplePluginConfig = new ExamplePluginConfig
{
HCP_ORG_ID = Environment.GetEnvironmentVariable("HCP_ORG_ID"),
HCP_PROJ_ID = Environment.GetEnvironmentVariable("HCP_PROJ_ID"),
VLT_APPS_NAME = Environment.GetEnvironmentVariable("VLT_APPS_NAME"),
HCP_SPN_CLIENT_ID = Environment.GetEnvironmentVariable("HCP_SPN_CLIENT_ID"),
HCP_SPN_CLIENT_SECRET = Environment.GetEnvironmentVariable("HCP_SPN_CLIENT_SECRET")
};
builder.Services.Configure<ExamplePluginConfig>(builder.Configuration);
//***** Custom Source - Environment Variables – END
//***** Custom Source - Environment Variables - BEGIN
ECMConfig ECMConfig = new ECMConfig {
SRASiteHostname = Environment.GetEnvironmentVariable("SRASiteHostName"),
SRAClientId = Environment.GetEnvironmentVariable("SRAClientId"),
SRAClientSecret = Environment.GetEnvironmentVariable("SRAClientSecret")
};
builder.Services.Configure<ECMConfig>(builder.Configuration);
//***** Custom Source - Environment Variables – END
// Custom Code - START
private static async Task<string> GetAuthToken(string HCP_SPN_CLIENT_ID, string HCP_SPN_CLIENT_SECRET)
{
try
{
var httpClient = new HttpClient
{
DefaultRequestHeaders = {
{ "User-Agent", "BeyondTrust Password Safe" },
{ "host", "auth.idp.hashicorp.com" }
}
};
var content = new FormUrlEncodedContent(new Dictionary<string, string>
{
{"grant_type", "client_credentials"} ,
{"client_id", HCP_SPN_CLIENT_ID} ,
{"client_secret", HCP_SPN_CLIENT_SECRET} ,
{"audience", "https://api.hashicorp.cloud"} ,
}
);
HttpResponseMessage message = httpClient.PostAsync("https://auth.idp.hashicorp.com/oauth2/token", content).Result;
string result = await message.Content.ReadAsStringAsync();
if (message.IsSuccessStatusCode)
{
return result;
}
else
{
throw new Exception("Failed to Authenticate " + result);
}
}
catch (Exception ex)
{
Console.Write("####### Error in method = " + ex.ToString());
throw new Exception("Failed to Authenticate " + ex.ToString());
}
}
private static async Task<string> GetSecrets(string VLT_APP_URL, string HCP_BEARER_TOKEN)
{
try
{
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", HCP_BEARER_TOKEN);
HttpResponseMessage message = httpClient.GetAsync(VLT_APP_URL + "/secrets").Result;
string result = await message.Content.ReadAsStringAsync();
if (message.IsSuccessStatusCode)
{
return result;
}
else
{
throw new Exception("Failed to Discover Secrets " + result);
}
}
catch (Exception ex)
{
Console.Write("####### Error in method = " + ex.ToString());
throw new Exception("Failed to Discover Secrets " + ex.ToString());
}
}
private static async Task<string> GetSecret(string VLT_APP_URL, string HCP_BEARER_TOKEN, string HCP_SECRET_NAME)
{
try
{
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", HCP_BEARER_TOKEN);
HttpResponseMessage message = httpClient.GetAsync(VLT_APP_URL + "/open/" + HCP_SECRET_NAME).Result;
string result = await message.Content.ReadAsStringAsync();
if (message.IsSuccessStatusCode)
{
return result;
}
else
{
throw new Exception("Failed to Get Secret " + result);
}
}
catch (Exception ex)
{
Console.Write("####### Error in method = " + ex.ToString());
throw new Exception("Failed to Get Secret " + ex.ToString());
}
}
// Custom Code – END
private readonly ExamplePluginConfig examplePluginConfig;
public ExamplePlugin(IOptions<ExamplePluginConfig> config)
{
// Possible tasks to handle when the service is instantiated:
// - validate configuration
// - initialize any sort of API client or other types that will be required for servicing requests
// - pre-load any information that may be required for servicing requests (files, API / product version info, etc.)
examplePluginConfig = config.Value;
}
public async Task<ActionResult<IList<CredentialSummary>>> FindCredentialsForSessionAsync(SRASession session)
{
// At this point the user has chosen a Jump Item in the console and attempted to initiate a session to the target system.
// The plugin should retrieve a list of credentials that are either queried or filtered based on the supplied
// information about the user and system to which the user is connecting.
// NOTE: While the operation is async, the SRA site will only wait for a certain period of time (20 seconds by default)
// for the list to be returned before it proceeds without presenting any creds for selection.
try
{
// GET Secrets List
// Authenticate - GET Bearer Token
var token = await GetAuthToken(examplePluginConfig.HCP_SPN_CLIENT_ID, examplePluginConfig.HCP_SPN_CLIENT_SECRET);
dynamic jsonString_token = JsonConvert.DeserializeObject(token);
string access_token = jsonString_token.access_token;
// Get Secrets
var secrets = await GetSecrets("https://api.cloud.hashicorp.com/secrets/2023-06-13/organizations/" + examplePluginConfig.HCP_ORG_ID + "/projects/" + examplePluginConfig.HCP_PROJ_ID + "/apps/" + examplePluginConfig.VLT_APPS_NAME, access_token);
dynamic jsonString_secrets = JsonConvert.DeserializeObject(secrets);
List<CredentialSummary> credentials = new List<CredentialSummary>();
foreach (var i in jsonString_secrets.secrets)
{
Console.Write("####### Discovered Secret = " + i.name + " version = " + i.version.version + "\n");
string MA_Name = i.name;
CredentialSummary credential = new CredentialSummary { CredentialId = i.name, DisplayValue = "Hashicorp Vault : " + i.name };
credentials.Add(credential);
}
// Then put that all in an ActionResult object to be returned
return new ActionResult<IList<CredentialSummary>> { ResultValue = credentials, IsSuccess = true };
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to get list of Credentials");
return new ActionResult<IList<CredentialSummary>> { ResultValue = null, FailureReason = ex.Message, IsSuccess = false };
}
// COMMENTED - throw new NotImplementedException($"The {Name} definition must implement {nameof(FindCredentialsForSessionAsync)} as defined by {nameof(ICredentialActions)}");
}
public async Task<ActionResult<CredentialPackage>> GetCredentialForInjectionAsync(SRASession session, string credentialId)
{
// The user has been presented with a list of credentials (supplied by FindCredentialsForSessionAsync above) and has
// selected one from the list. The plugin should use the information supplied about the session as well as the ID of
// the selected credential to attempt to retrieve / check-out that credential and return it for injection into the session.
// NOTE: As above, it is important to note that while the operation is async, the same timeout applies.
try
{
// Authenticate - GET Bearer Token
var token = await GetAuthToken(examplePluginConfig.HCP_SPN_CLIENT_ID, examplePluginConfig.HCP_SPN_CLIENT_SECRET);
dynamic jsonString_token = JsonConvert.DeserializeObject(token);
string access_token = jsonString_token.access_token;
// Get Secret
var secret = await GetSecret("https://api.cloud.hashicorp.com/secrets/2023-06-13/organizations/" + examplePluginConfig.HCP_ORG_ID + "/projects/" + examplePluginConfig.HCP_PROJ_ID + "/apps/" + examplePluginConfig.VLT_APPS_NAME, access_token, credentialId);
dynamic jsonString_secret = JsonConvert.DeserializeObject(secret);
string secretValue = jsonString_secret.secret.version.value;
// Extract UserName and Password
string ] value_key = secretValue.Split(':');
string value_username = value_key(0];
string value_password = value_keye1];
Console.Write("####### Get secret id = " + credentialId + " username = " + value_username + "\n");
var result = CredentialPackage.BuildUsernamePasswordPackage(credentialId, value_username, value_password);
return new ActionResult<CredentialPackage> { ResultValue = result, IsSuccess = true };
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to inject Credentials");
return new ActionResult<CredentialPackage> { ResultValue = null, FailureReason = ex.Message, IsSuccess = false };
}
// COMMENTED - throw new NotImplementedException($"The {Name} definition must implement {nameof(GetCredentialForInjectionAsync)} as defined by {nameof(ICredentialActions)}");
}
Build and Debug
Next Steps
Once we can successfully Build and test the Plugin App via Debug in Visual Studio, the App and all its dependencies can be deployed. It is not recommended to use appsettings.json to store sensitive configuration information including credentials, so another config Source should be used. Several examples are available on the web, and covering them is out of scope for this guide. However, this guide does include an example using Environment Variables, which can make sense for when the Plugin App is containerized and a CI/CD solution like Jenkins is used to deploy the container to Docker or Kubernetes.
SRA ECM Plugin – Hashicorp Vault - Deploy as a Docker container
