8.1. Common configuration options

The common credential store plugin functionality can be configured by the following configuration options.

###### Common plugin options ######
# To enable or change a parameter, uncomment its line by removing the ';'
# character and replacing the right side of '=' with the desired value.
# If the parameter has the following structure
# ; name=<value>
# then the related option is turned off until you replace '<value>'.
#
# If the parameter has the following structure
# ; name=value
# then the related option is automatically turned on with the default value
# of 'value'.
#
# To handle sensitive data, you can use a local Credential Store to retrieve
# parameters from.
# Enter the name of the local Credential Store (Policies > Credential Store) as
# the value of the 'name' parameter in section [credential_store]. To retrieve a
# parameter from this Credential Store, type the $ character as the value of
# a parameter in this configuration file. To use the $ character as value,
# type $$ instead. For more information, read the "Store sensitive plugin data
# securely" section in the Tutorial document.

[credential_store]
# Name of the local credential store configured in SPS for hosting sensitive
# configuration data. For more information, read the "Store sensitive
# plugin data securely" section in the Tutorial document.
; name=<name-of-credential-store-policy-that-hosts-sensitive-data>

[logging]
# To configure the log level, enter one of the following values:
# 'debug', 'info', 'warning', 'error', 'critical'
; log_level=info

[https-proxy]
# To set the HTTPS proxy environment for the plugin, configure the following.
; enabled=yes
; server=<proxy-server-name-or-ip>
; port=3128
; username=<proxy-server-username>
; password=<proxy-server-password>

[tls]
# Set to 'no' to disable TLS completely
# Default is 'yes'
; enabled = yes

# Set this option to enable client-side verification. The certificate presented
# by the server will be checked against this CA. If the value of the option is
# `$[<name>]`, the certificates are retrieved from the trusted CA list configured
# on the SPS, identified by the name. When the certificate is given in the
# configuration, it should be in PEM format and all the new lines must be
# indented with one whitespace. If it is a chain, put the certificates right
# after each other.
; ca_cert = <ca-certificate-chain>
; ca_cert = $[<trusted_ca_list_name>]

# Client certificate. Set this if verification is enabled on the server side.
# If the value of the option is `$`, the certificate identified by the section
# and option pair is retrieved from the configured credential store. When the
# certificate and private key are given in the configuration, they should be in
# PEM format and all the new lines must be indented with one whitespace. Note
# that encrypted keys are not supported.
; client_cert = <client-certificate-and-key>

[check-in-trigger]
# The check-in-trigger selects when the credentials are checked in. The choices
# are 'session-ended' or 'authentication-completed'. The 'default' parameter
# applies to all protocols, but may be overruled per protocol.
; default=session-ended
; rdp=session-ended
; ssh=session-ended
; telnet=session-ended

[account]
# You can configure a prefix and/or suffix that will be attached to the generated account identifier
# that should be checked out.
; prefix=<value>
; suffix=<value>

[assets]
# You can configure one or multiple generator functions which will generate assets for the credential fetching method
# <method> is one of ip, hostname, domain, domain_asset_mapping or you can use any custom written generator method.
# You should implement your method in your plugin and then you can configure the method name here to use it.
; generator=<method>(,<method>)*

# You can configure a domain suffix that will be attached to generated hostname and domain assets
# It should be given without a leading "."
; domain_suffix=<domain>

[domain_asset_mapping]
# Define domain -> asset identifier pairs if the asset is stored for an alternatively named directory
# compared to the user domain.
; <asset>=<domain>

New in version 1.4.0: The HTTPS proxy configuration can be overridden from the plugin configuration, and the password can be stored in a credential store.
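
The value conventions described in the configuration comments above (`$` for a credential store lookup, `$$` for a literal `$`, `$[<name>]` for a trusted CA list, and PEM values continued on indented lines) can be checked before a configuration is deployed. The following Python code is an added example, not code from the SPS plugin SDK; the helper names `load`, `classify` and `audit`, the sample values, and the choice of which options count as sensitive are assumptions.

```python
import configparser
import re

# Constructed sample; names and the PEM body are placeholders.
SAMPLE = """\
[credential_store]
name=plugin_secrets
[https-proxy]
password=$
[tls]
ca_cert=$[corp_trusted_cas]
client_cert=-----BEGIN CERTIFICATE-----
 PLACEHOLDER
 -----END CERTIFICATE-----
[account]
prefix=$$
"""
# Options this example treats as secrets (an assumption, not a list from the SDK).
SENSITIVE = {("https-proxy", "password"), ("tls", "client_cert")}
CA_REF = re.compile(r"^\$\[(.+)\]$")

def load(text):
    cfg = configparser.ConfigParser(interpolation=None)  # keep '$' and '%' literal
    cfg.read_string(text)  # ';' and '#' lines are comments, indented lines continue a value
    return cfg

def classify(section, option, value):
    """Map a raw value to (kind, payload) using the '$', '$$' and '$[name]' rules."""
    if value == "$":
        return ("credential_store", (section, option))  # looked up by section/option pair
    if value == "$$":
        return ("literal", "$")
    m = CA_REF.match(value)
    if m and (section, option) == ("tls", "ca_cert"):
        return ("trusted_ca_list", m.group(1))
    return ("literal", value)

def audit(cfg):
    """Report secrets stored inline and '$' references without a named store."""
    findings = []
    store = cfg.get("credential_store", "name", fallback="")
    for section in cfg.sections():
        for option, value in cfg.items(section):
            kind, _ = classify(section, option, value)
            if kind == "credential_store" and not store:
                findings.append(f"{section}.{option}: '$' but no [credential_store] name")
            if kind == "literal" and (section, option) in SENSITIVE:
                findings.append(f"{section}.{option}: secret stored inline")
    return findings
```

Running `audit(load(SAMPLE))` flags only the inline `client_cert`, because the proxy password is already a `$` reference backed by a named credential store.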