orchestrator

2022.10

false

Getting started
- Introduction
- User Options
- Logging in to Orchestrator
- Resetting Your Password
- My Profile
- Robots
  - Robot Statuses
  - Robot Settings
- Auto Updating Client Components
- Orchestrator Configuration Checklist
Best practices
- Organization Modeling in Orchestrator
- Managing Large Deployments
- Automation Best Practices
- Optimizing Unattended Infrastructure Using Machine Templates
- Organizing Resources With Tags
- Orchestrator Read-only Replica
Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Robots
  - Managing Robots
  - Connecting Robots to Orchestrator
  - Storing Robot Credentials in CyberArk
  - Storing Unattended Robot Passwords in Azure Key Vault (read-only)
  - Storing Unattended Robot Credentials in HashiCorp Vault (read-only)
  - Deleting Disconnected and Unresponsive Unattended Sessions
  - Robot Authentication
  - Robot Authentication With Client Credentials
  - SmartCard Authentication
- Folders
  - Managing Folders
  - Classic Folders Vs Modern Folders
  - Migrating From Classic to Modern Folders
  - Administration of Modern Folders
  - Personal Workspaces
  - Managing Personal Workspaces
- Monitoring
  - Unattended Sessions
  - User Sessions
  - License
- Managing Access and Automation Capabilities
  - Assigning Roles
  - Managing Roles
  - Default Roles
  - FAQ
  - Enabling Users to Run Personal Automations
  - Enabling Users to Run Automations on Unattended Infrastructure Via Unattended Robots
  - Configuring Robot Accounts to Run Unattended Automations
- Machines
  - Managing Machines
  - Assigning Machine Objects to Folders
  - Configuring Account-machine Mappings
  - EDR Protection Status
- Packages
  - Managing Packages
  - About Libraries
  - Managing Libraries
- Audit
- Credential Stores
  - Managing Credential Stores
  - CyberArk® Integration
  - CyberArk® CCP Integration
  - Azure Key Vault Integration
  - HashiCorp Vault Integration
  - BeyondTrust Integration
  - Thycotic Secret Server Integration
- Webhooks
  - Types of Events
  - Managing Webhooks
- Licensing
  - Managing Your Licenses
- Alerts
  - Configuring User Alerts
  - Alert Emails
  - Setting up Alert Emails
- Settings
  - Deployment Tab
  - Robot Security Tab
  - Scalability Tab
Resource Catalog Service
- About Resource Catalog Service
Folders Context
- About the Folders Context
- Home
Automations
- About Automations
Processes
- About Processes
- Managing Processes
- Managing Package Requirements
- About Recording
Jobs
- About Jobs
- Managing Jobs
- Job States
- Working with long-running workflows
- Running Personal Remote Automations
- Troubleshooting Jobs
Triggers
- About Triggers
- Managing Triggers
- Using Cron Expressions
Logs
- About Logs
- Managing Logs in Orchestrator
- Logging Levels
- Orchestrator Logs
Monitoring
- About Monitoring
- Machines
- Processes
- Queues
- Queues SLA
- Exporting usage data
Queues
- About Queues and Transactions
  - Queue Item Statuses
  - Business Exception Vs Application Exception
  - Studio Activities Used With Queues
- Bulk Uploading Queue Items Using a CSV File
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Managing Transactions
  - Editing Transactions
  - Field Descriptions for the Transactions .csv File
- Review Requests
Assets
- About Assets
- Managing Assets in Orchestrator
- Managing Assets in Studio
- Storing Assets in Azure Key Vault (read-only)
- Storing Assets in HashiCorp Vault (read-only)
Storage Buckets
- About Storage Buckets
  - CORS/CSP Configuration
- Managing Storage Buckets
- Moving Bucket Data Between Storage Providers
Orchestrator testing
- Test Automation
- Test Cases
  - Field Descriptions for the Test Cases Page
- Test Sets
  - Field Descriptions for the Test Sets Page
- Test Executions
  - Field Descriptions for the Test Executions Page
- Test Schedules
  - Field Descriptions for the Test Schedules Page
- Test Data Queues
  - Managing Test Data Queues in Orchestrator
  - Managing Test Data Queues in Studio
  - Field Descriptions for the Test Data Queues Page
  - Test Data Queue Activities
Other Configurations
- Increasing the Size Limit of Package Files
- Setting up Encryption Key Per Tenant
- GZIP Compression
Integrations
- About Input and Output Arguments
  - Example of Using Input and Output Arguments
Classic Robots
- Robots
  - Managing Robots
  - Robot Statuses
  - Setup Samples
- Environments
  - Managing Environments
- Jobs
- Triggers
- Monitoring
  - Robots
- Resources
Host administration
- About the host level
- Managing system administrators
- Managing tenants
- Configuring host authentication settings
  - Reconfiguring authentication after upgrade
  - Allowing or restricting basic authentication
  - Configuring SSO: SAML 2.0
    - ADFS Authentication
    - Google Authentication
    - Okta Authentication
    - PingOne Authentication
    - Custom Mapping
    - Self-signed Certificates
    - Private Key Certificates
  - Configuring SSO: Google
  - Configuring SSO: Azure Active Directory
  - Configuring the Active Directory Integration
    - Switching between Active Directory adapters
- Managing your host license
  - Allocating Licenses to Tenants
- Configuring other host settings
  - Customizing the Login page
  - Session Policy
  - Orchestrator Host Settings
- Configuring system email notifications
- Audit logs for the host portal
- Maintenance Mode
Organization administration
- About organizations
- Managing organization administrators
- Managing organization settings
- Configuring organization authentication
  - Allowing or restricting basic authentication
  - Setting up the Azure AD integration
  - Configuring the SAML integration
- Configuring security options
  - Session policy
- About licensing
  - Activating your license
- Accounts and groups
  - Managing access
  - Managing accounts and groups
- Authorizing external applications
  - Managing external OAuth applications
- Overriding system email settings
- Audit logs
Troubleshooting
- About Troubleshooting
- Alerts troubleshooting
- General troubleshooting
- Upgrade troubleshooting
- Frequently Encountered Orchestrator Errors

OUT OF SUPPORT

Orchestrator user guide

DELIVERY:

Last updated Dec 16, 2025

HashiCorp Vault Integration

HashiCorp Vault is a plugin you can use as a credential store with Orchestrator.

There are two plugins included:

HashiCorp Vault – a read-write plugin (secrets are created through Orchestrator)
HashiCorp Vault (read-only) – a read-only plugin (you must provision the secrets in the vault directly)

Prerequisites

You must configure one of the supported authentication methods:
- AppRole (recommended)
- UsernamePassword
- LDAP
- Token
  
  See how to configure authentication.
You must configure one of the supported secrets engines:
- KeyValueV1 - available for both HashiCorp Vault and HashiCorp Vault (read-only) plugins
- KeyValueV2 - available for both HashiCorp Vault and HashiCorp Vault (read-only) plugins
- ActiveDirectory - available only for HashiCorp Vault (read-only) plugin
The chosen authentication method must have a policy that allows the following capabilities on the path where you plan to store your secrets:
- For HashiCorp Vault (read-only) plugin: read
- For HashiCorp Vault plugin: create, read, update, delete, and optionally delete on the metadata path, if using the KeyValueV2 secrets engine

Configuring the Integration

The following is an example of how to configure a development version of HashiCorp Vault, running in a docker container, to be used as a credential store with Orchestrator. The examples should be adapted to your own environment. Please consult the official documentation of HashiCorp Vault for details.

Configuring Authentication

To start creating and reading secrets, you first need to configure the authentication method by taking the following steps:

Open a shell inside the container:
```
docker exec -it dev-vault shdocker exec -it dev-vault sh
```
Log in as root. Make sure you have the root token displayed in the logs to set an environment variable with it by running the following command:
```
export VAULT_TOKEN=s.hA7RJ5lBqSnKUPd8nrQBaK1fexport VAULT_TOKEN=s.hA7RJ5lBqSnKUPd8nrQBaK1f
```
Check the Vault status by running the following command:
```
vault statusvault status
```

Add a dummy secret for Orchestrator in the KV store:

vault kv put secret/applications/orchestrator/testSecret supersecretpassword=123456vault kv put secret/applications/orchestrator/testSecret supersecretpassword=123456

Give Orchestrator access to the newly created secret/applications/orchestrator path. For this, you must first create a policy for reading and writing to this path and all its subpaths by running the following command:
```
cat <<EOF | vault policy write orchestrator-policy -
path "secret/data/applications/orchestrator/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/applications/orchestrator/*" {
  capabilities = ["delete"]
}
EOFcat <<EOF | vault policy write orchestrator-policy -
path "secret/data/applications/orchestrator/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/applications/orchestrator/*" {
  capabilities = ["delete"]
}
EOF
```
Note:
When using a KeyValueV2 secrets engine , secrets are written and fetched at path <mount>/data/<secret-path>, as opposed to <mount>/<secret-path> in KeyValueV1. It does not change any of the CLI commands (i.e., you do not specify data in your path).

However, it does change the policies, since capabilities are applied to the real path. In the previous example, the path is secret/data/applications/orchestrator/* since we are working with a KeyValueV2 secrets engine. If a KeyValueV1 were used, the path would have been secret/applications/orchestrator/*.

The capability to delete on the metadata path is needed only if you want to ensure Orchestrator does not leave behind test keys when verifying connectivity. If this capability is not granted, then a key will be created and left behind when creating the Credential Store in Orchestrator.
Enable authentication using the userpass authentication method, then create a user for Orchestrator and assign the previously created policy:
```
vault auth enable userpass
vault write auth/userpass/users/orchestrator password=123456 policies=orchestrator-policyvault auth enable userpass
vault write auth/userpass/users/orchestrator password=123456 policies=orchestrator-policy
```
Note: Orchestrator supports multiple authentication modes. See the HashiCorp Vault documentation for how to configure them.

Check that you have configured everything correctly by logging in and trying to read the secret you created earlier:

vault login -method=userpass username=orchestrator password=123456vault login -method=userpass username=orchestrator password=123456

Output of this command:

WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestratorWARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestratorWARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestratorWARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestrator

Take this token and set it instead of the root token, then try to read the test secret:

export VAULT_TOKEN=s.nwombWQH3gGPDhJumRzxKqgI
vault kv get secret/applications/orchestrator/testSecretexport VAULT_TOKEN=s.nwombWQH3gGPDhJumRzxKqgI
vault kv get secret/applications/orchestrator/testSecret

Output of this command:

====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456

Note:

You can also enable appRole Orchestrator by running the following command:

/# vault auth enable approle
/# vault write auth/approle/role/orchestrator policies=orchestrator-policy
/# vault read auth/approle/role/orchestrator/role-id
/# vault write -f auth/approle/role/orchestrator/secret-id/# vault auth enable approle
/# vault write auth/approle/role/orchestrator policies=orchestrator-policy
/# vault read auth/approle/role/orchestrator/role-id
/# vault write -f auth/approle/role/orchestrator/secret-id

You will now have a role-id and secret-id for configuring in Orchestrator.

Configuring the Active Directory Secrets Engine

To configure the Active Directory secrets engine, take the following steps:

Enable the Active Directory secrets engine by running the following command:
```
vault secrets enable advault secrets enable ad
```

Configure the credentials that HashiCorp Vault uses to communicate with Active Directory to generate passwords:

vault write ad/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://138.91.247.105 \
    userdn='dc=example,dc=com'vault write ad/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://138.91.247.105 \
    userdn='dc=example,dc=com'

Configure a role that maps a name in HashiCorp Vault to an account in Active Directory. When applications request passwords, password rotation settings will be managed by this role.
```
vault write ad/roles/orchestrator service_account_name="[email protected]"vault write ad/roles/orchestrator service_account_name="[email protected]"
```

Grant orchestrator access to its credentials at ad/creds/orchestrator using an authentication method, such as AppRole.

cat <<EOF | vault policy write orchestrator-policy -
path "ad/creds/orchestrator" {
  capabilities = ["read"]
}
EOFcat <<EOF | vault policy write orchestrator-policy -
path "ad/creds/orchestrator" {
  capabilities = ["read"]
}
EOF

Using HashiCorp Vault (read-only)

When using HashiCorp Vault (read-only) plugin, the Vault admin is responsible for correctly provisioning the secrets that Orchestrator will use. The format in which these secrets must be provisioned differs between secret types (asset versus robot password) and between secret engines.

For instructions on how to provision the secrets, see the following:

On this page

Prerequisites
Configuring the Integration
Configuring Authentication
Configuring the Active Directory Secrets Engine
Using HashiCorp Vault (read-only)

Was this page helpful?

PREVIOUSAzure Key Vault Integration

NEXTBeyondTrust Integration