ASGRD 2018 integration with Thycotic
#1
Hi,

I'm trying to integrate Thycotic Secret Server with Visionapp.
It seems I cannot use SSL in the webservice URL?

[Attachment: ASGRD-Thycotic.JPG]

Our Secret Server automatically redirects HTTP to HTTPS, using the insecure URL results in another error.

[Attachment: ASGRD-Thycotic2.JPG]

Am I missing something?
#2
Yes our test environment is without SSL - but we will test immediately - I will come back to you
Regards/Gruss
Oliver
#3
(22-01-2018, 03:25 PM)polymorph Wrote: Hi,

I'm trying to integrate Thycotic Secret Server with Visionapp.
It seems I cannot use SSL in the webservice URL?

Our Secret Server automatically redirects HTTP to HTTPS, using the insecure URL results in another error.

Am I missing something?

Hey, Polymorph! Nice to virtually meet you, I am Thycotic's Digital Community Manager. Do you happen to have an HTTP redirect? Are you able to load https in a web browser? Hopefully, this will help, but if you continue to have trouble I would recommend submitting a support ticket to our engineers. Hope this helps! Best, Jordan
#4
(22-01-2018, 04:06 PM)DevOma Wrote: Yes our test environment is without SSL - but we will test immediately - I will come back to you

I'm trying to set up the Thycotic integration but I do not find how to do it. I went into the Tools menu -> Extensions and selected Thycotic Secret Server Integration, but then, how do I use it? Is there any documentation on how to set it up?
#5
Yes, it is documented - in "Working with credentials => Synchronizing of credential objects => Thycotic Secret Server" - just create a credential folder object and you will have the Thycotic node in the tree (Properties dialog).

If you also use https for your webservice, please let me know - we have already built a private fix to solve the issue with the https web service URL not working.
Regards/Gruss
Oliver
#6
(24-01-2018, 03:58 PM)DevOma Wrote: Yes, it is documented - in "Working with credentials => Synchronizing of credential objects => Thycotic Secret Server" - just create a credential folder object and you will have the Thycotic node in the tree (Properties dialog).

If you also use https for your webservice, please let me know - we have already built a private fix to solve the issue with the https web service URL not working.

Ah, thanks! Indeed, I need the fix for https :-)
#7
Excellent, glad you were able to get it to work!

Thank you, @DevOma!
#8
(24-01-2018, 07:25 PM)ThycoticJordan Wrote: Excellent, glad you were able to get it to work!

Thank you, @DevOma!

Can you provide me with the private fix for https not working?
#9
http://d2l2g77p7dyozs.cloudfront.net/ASG...rivate.exe

or

http://d2l2g77p7dyozs.cloudfront.net/ASG...rivate.exe

Thanks for any feedback!
Regards/Gruss
Oliver
#10
(25-01-2018, 07:30 PM)DevOma Wrote: http://d2l2g77p7dyozs.cloudfront.net/ASG...rivate.exe

or

http://d2l2g77p7dyozs.cloudfront.net/ASG...rivate.exe

Thanks for any feedback!
I installed that fix and then tried to configure the Thycotic integration, but I'm getting the following:

"Reading data from Thycotic Secret Server failed.  An error occurred while making the HTTP request to https://xxx.mydomain.com/secretserver/we...rvice.asmx.  This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case.  This could also be by a mismatch of the security binding between" (the message ends that way)

From the same machine, I'm able to reach the web service with a browser with no problem. The name of the certificate matches the one used in the URL. We are using a certificate from our internal PKI server.

Any ideas?
#11
(25-01-2018, 09:57 PM)sylvain.hamel Wrote:
(25-01-2018, 07:30 PM)DevOma Wrote: http://d2l2g77p7dyozs.cloudfront.net/ASG...rivate.exe

or

http://d2l2g77p7dyozs.cloudfront.net/ASG...rivate.exe

Thanks for any feedback!
I installed that fix and then tried to configure the Thycotic integration, but I'm getting the following:

"Reading data from Thycotic Secret Server failed.  An error occurred while making the HTTP request to https://xxx.mydomain.com/secretserver/we...rvice.asmx.  This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case.  This could also be by a mismatch of the security binding between" (the message ends that way)

From the same machine, I'm able to reach the web service with a browser with no problem. The name of the certificate matches the one used in the URL. We are using a certificate from our internal PKI server.

Any ideas?

And if I'm using our load balancer name (which has a public trusted wildcard certificate), I simply get the following: "Reading data from Thycotic Secret Server failed. Could not establish secure channel for SSL/TLS with authority 'server.mydomain.com'."

Note that if I go to https://server.mydomain.com/secretserver...rvice.asmx?op=Authenticate manually from my browser, I'm able to authenticate and obtain a token.
#12
Ok, thanks for your feedback - I will contact Thycotic support and try to clarify.
Regards/Gruss
Oliver
#13
Got it working!

After hitting the synchronise button ASGRD seemed to hang; I actually had to wait half an hour for the replication to finish.
#14
Wow - how many objects do you have organized in Thycotic Secret Server? In my test environment it takes 2-3 seconds for the first call (authenticate) and then the objects get read in some milliseconds...
Regards/Gruss
Oliver
#15
(29-01-2018, 01:53 PM)DevOma Wrote: Wow - how many objects do you have organized in Thycotic Secret Server? In my test environment it takes 2-3 seconds for the first call (authenticate) and then the objects get read in some milliseconds...

I guess a couple of thousand items had to sync...
#16
Ok - does it make sense to filter the data in any way? I'm not a Thycotic expert - but we would like to optimize it in a way that our customers like and need. Does it make sense to start at a particular folder level? Or filter by name? Or something else?
Regards/Gruss
Oliver
#17
It would be nice if, prior to synchronizing, I had the option to select which folders to include in the sync from a folder tree.

On the other hand, I think the integration with Thycotic could be more elegant.

If you look at the Web Password Filler of Thycotic which I use for logging into websites, you’ll see that instead of copying all the information you’re presented with a popup to select the most likely option. The password filler matches the secret ID based on the URL.

I would think it should be possible to match the Secret Server ID based on the IP address or FQDN used in the ASGRD connection settings.
#18
We are implementing a folder browse dialog to select the start folder for the sync - the question is whether it would be ok to select just one start folder, or whether the best solution would be to select a couple of folders? We want to integrate this into the upcoming patch in the next days.

Second point - we will have a look - but this will not be part of patch 1.

Thanks for your feedback!
Regards/Gruss
Oliver
#19
(30-01-2018, 11:08 AM)DevOma Wrote: We are implementing a folder browse dialog to select the start folder for the sync - the question is whether it would be ok to select just one start folder, or whether the best solution would be to select a couple of folders? We want to integrate this into the upcoming patch in the next days.

Second point - we will have a look - but this will not be part of patch 1.

Thanks for your feedback!

Hi, based on how we use Secret Server (see attachment), it would be nice to be able to select multiple start folders. In our case we have a top-level folder for each customer and multiple subfolders beneath those.

I think we would benefit from being able to select or de-select at the customer level, not so much the individual subfolders beneath them.

[Attachment: ASGRD-Thycotic3.JPG]
#20
@sylvain.hamel: Could you post me the complete error message? The Thycotic support engineer wants to see the whole thing - or is it only a server name? You can send me more confidential data via private message if you want…
Regards/Gruss
Oliver