Best practices for ESXi and VMware vCenter root account integration for TPAM


  • Kindly share the best practices to implement TPAM for VMware products like ESXi and vCenter and any automation procedure available for bulk post of servers

  • Hello,

    - Please see the following articles related to the supported platforms for VMware:

    support.oneidentity.com/.../does-tpam-support-password-management-for-accounts-on-vmware-esx-and-esxi-

    support.oneidentity.com/.../can-tpam-manage-vcsa-vcenter-server-appliance-accounts-

    - Firewall ports required to be open between TPAM and target systems:

    support.oneidentity.com/.../firewall-ports-required-for-target-systems-on-tpam

    - You can Add Systems to TPAM using Auto Discovery from AD for example:

    support.oneidentity.com/.../setting-up-auto-discovery-for-active-directory

    - For additional information, please refer to the Administration guide and Client Setup Guide located here:

    https://support.oneidentity.com/tpam/technical-documents

    Thanks!

  • I need to know specifics, not generalities, as I have more than 300 servers

  • Also any process of automating TPAM integration

  • I am not sure here exactly what you are asking. The links give you details of how to on-board systems and accounts to allow TPAM to manage them including the hypervisor. TPAM treats the hypervisor as another platform type at the end of the day.

    On-boarding a virtual system is no different to a physical system.

    Do you know how to on-board physical systems?

    The basics though are as follows:

    To manage a password on any system, virtual, physical or hypervisor, you need to tell TPAM the name you wish the system to be known by, what the system platform is, details of its network address, and provide a functional account that has permissions to be able to change the password for the associated account. You can then add the privileged accounts to the system defined in TPAM and build a permission model to allow your users who are authenticating to TPAM to gain access to the privileged resources. For unsupported platforms you have the option of creating "custom platforms".

    Likewise if you wish to start a session you need to on-board a system and then add the account before provisioning access to allow users to start a session.

    As to automation, TPAM provides a number of tools to help with this. Users who will authenticate to TPAM and systems can be directly discovered from AD or a DB. Once a system has been discovered you can then use the account discovery feature to add accounts. Templates can be used to allow group and collection membership to be assigned as the resources are added. Collision strategy rules define what TPAM will do when a resource is added or removed from AD or DB.

    The Web GUI also provides "Batch" functions to allow on-boarding and update of systems, accounts and collection membership from a CLI file.

    Further to this you have both a CLI and APIs that can be used to script/code just about all workflow that is available from the Web GUI. These also allow automation of on-boarding tasks.

    A simple CLI script would typically take about 15 min just to add 300 systems from a CSV. You could make additional scripts to add accounts and place them in collections, or make one script to automate the entire process.

    Unfortunately nobody is going to be able to give you anything more specific without a lot more details of your environment and what exactly you are trying to achieve here. On-boarding the systems is just the first part of the process.

    A TPAM deployment requires a lot of planning and it is not clear from your question if you already have a TPAM deployment to which you are just trying to add additional virtual resources or this is a new environment.

    Your normal support and maintenance contract would not cover providing detailed assistance for this type of configuration question. It is assumed that you have the knowledge to carry out configuration tasks.

    If you need assistance with configuration then the One Identity Professional Services team would be able to provide assistance onsite or remotely. You can engage with them via your account manager.

    Best regards

    Tim
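A worked example of the CSV-driven bulk on-boarding step Tim describes above, added here as an illustration and not code from the thread or from One Identity. It assumes a constructed inventory with the four pieces of data TPAM needs per system (system name, platform, network address, functional account), validates and de-duplicates the rows before anything is submitted, and renders a dry-run command list. The `AddSystem` command and its `--SystemName`/`--PlatformName`/`--NetworkAddress`/`--FunctionalAccount`/`--FunctionalPassword` parameter names are assumptions used as placeholders; substitute the exact names from the TPAM CLI documentation before running anything. The functional account password is deliberately never read from the CSV.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory (not real hosts). The columns are the four
# pieces of data a system needs in TPAM: name, platform, network address,
# and a functional account able to change the managed password.
SAMPLE_CSV = """system_name,platform,network_address,functional_account
esx-lab-01,VMware ESXi,10.0.0.11,svc_tpam
esx-lab-02,VMware ESXi,esx-lab-02.corp.example,svc_tpam
vcsa-lab-01,vCenter,10.0.0.20,svc_tpam
esx-lab-01,VMware ESXi,10.0.0.12,svc_tpam
esx-lab-03,VMware ESXi,not a host,svc_tpam
esx-lab-04,VMware ESXi,10.0.0.14,
"""

REQUIRED = ("system_name", "platform", "network_address", "functional_account")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def valid_address(addr):
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(addr))


def validate_inventory(text):
    """Return (accepted_rows, rejected) where rejected is a list of (csv_line, reason).

    Rows are rejected for missing required fields, duplicate system names
    (case-insensitive) or an unparseable network address, so a bad line
    never reaches the on-boarding step.
    """
    accepted, rejected, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        missing = [c for c in REQUIRED if not (row.get(c) or "").strip()]
        if missing:
            rejected.append((line_no, "missing " + ",".join(missing)))
            continue
        name = row["system_name"].strip()
        if name.lower() in seen:
            rejected.append((line_no, f"duplicate system_name {name}"))
            continue
        addr = row["network_address"].strip()
        if not valid_address(addr):
            rejected.append((line_no, f"bad network_address {addr!r}"))
            continue
        seen.add(name.lower())
        accepted.append({c: row[c].strip() for c in REQUIRED})
    return accepted, rejected


# ASSUMPTION: command and parameter names below are illustrative placeholders,
# not verified TPAM CLI syntax. Replace them with the names from the CLI guide.
PASSWORD_PLACEHOLDER = "<supply-at-run-time-never-from-csv>"


def render_commands(rows):
    """Build one argument vector per accepted system (dry run; nothing is executed)."""
    cmds = []
    for r in rows:
        cmds.append([
            "AddSystem",
            "--SystemName", r["system_name"],
            "--PlatformName", r["platform"],
            "--NetworkAddress", r["network_address"],
            "--FunctionalAccount", r["functional_account"],
            "--FunctionalPassword", PASSWORD_PLACEHOLDER,
        ])
    return cmds


if __name__ == "__main__":
    ok, bad = validate_inventory(SAMPLE_CSV)
    for line_no, reason in bad:
        print(f"line {line_no}: rejected ({reason})")
    for cmd in render_commands(ok):
        print(" ".join(cmd))
    print(f"{len(ok)} systems ready, {len(bad)} rows rejected")
```

Keeping validation and rendering as separate functions lets you review the rejected lines and the exact argument vectors before any command is sent over the CLI connection, which matters when the same script will be pointed at 300 production hosts.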

  • Absolutely what I expected, Tim... really appreciate the time taken. As it's the first time we are integrating, I just wanted to be proactive to understand the process. We are in the process of defining the template and will stay in contact and in sync with your advice.
