This guide outlines how Zilla will manage credentials to your systems connected to PO Box.
How We Pull Credentials
PO Box calls home frequently via an outbound API call to our Zilla AWS infrastructure. If a sync needs to be made, PO Box pulls its configuration from AWS Secrets Manager, where we securely store all credentials.
See below for how to configure PO Box applications in Zilla.
Installation
Note: if there are brackets inside a code snippet, you will need to replace them with a value. For instance, if there is code that says to enter CREATE USER {username}, you will need to replace {username} with the proper value.
Store the Credentials Securely Within Zilla’s infrastructure
The recommended way to store config info is by creating applications in Zilla and placing the info we need there. This is recommended for on-prem deployments of PO Box that connect to a MySQL database, a PostgreSQL database, or an on-prem Active Directory.
For Active Directory
Log in to Zilla as an Administrator
Add a new application:
Search for On Premise AD, then add an instance to Zilla:
Add a Business Owner (Person Reviewing Access for the App) and a Technical Owner (Person setting up syncs and revoking access), then select Add to Applications:
Select the gear box on the top right of the screen:
Fill out the config we need to connect to Active Directory and pull users. The fields are outlined below:
Frequency - How often should we pull users?
Server URI - This is the URI of the server that is hosting your Active Directory. The value of this config should be ldap://{Server IP}. Be sure to replace the bracketed part with the IP of the server that's hosting your Domain Controller and Active Directory.
Search Base - This is the tree that you would like to pull users from in AD. We generally recommend selecting the highest-level tree in your AD so we pull all of your AD users. If my OU is zsec.io, then the value of this config would be dc=zsec,dc=io
Login User - this is the username of the service account you created in Active Directory. For more info on how to do this, please see this guide. Be sure to include the full email of the account. For example, if I created an account called zilla-svc and my forest's domain is access-ventures.com, then the value for this config should be zilla-svc@access-ventures.com
Login Password - this is the password for the service account you created in AD.
Note: we will always encrypt passwords and usernames stored in your Zilla config using AWS Secrets Manager
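The AD fields above follow a fixed pattern, and a wrong Server URI or Search Base is the usual reason a first sync pulls no users. This is an added example, not Zilla's or PO Box's own code: it derives and sanity-checks the Server URI, Search Base and Login User values from a server IP, a DNS domain and an account name before you paste them into Zilla. It generalises the guide's single zsec.io instance to domains of any depth and to IPv6 addresses.

```python
# Added example (not part of the Zilla guide): derive and sanity-check the
# On Premise AD connection values before entering them into Zilla.
import ipaddress
import re

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def search_base_from_domain(domain: str) -> str:
    """Turn a DNS domain (zsec.io) into the AD search base (dc=zsec,dc=io).

    Works for any depth, e.g. corp.example.com -> dc=corp,dc=example,dc=com.
    """
    labels = domain.strip().strip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNS domain: {domain!r}")
    return ",".join(f"dc={label.lower()}" for label in labels)


def server_uri_from_ip(server_ip: str) -> str:
    """Build the ldap://{Server IP} value; rejects hostnames and pre-prefixed URIs."""
    addr = ipaddress.ip_address(server_ip.strip())  # ValueError on 'ldap://x', 'dc01', ...
    host = f"[{addr}]" if addr.version == 6 else str(addr)  # IPv6 literals need brackets
    return f"ldap://{host}"


def login_user_upn(account: str, forest_domain: str) -> str:
    """Login User must be the full UPN, e.g. zilla-svc@access-ventures.com."""
    search_base_from_domain(forest_domain)  # reuse the domain validation
    if "@" in account:
        account, given_domain = account.split("@", 1)
        if given_domain.lower() != forest_domain.lower():
            raise ValueError("account domain does not match the forest domain")
    if not account or any(ch.isspace() for ch in account):
        raise ValueError(f"not a valid account name: {account!r}")
    return f"{account}@{forest_domain.lower()}"


def build_ad_config(server_ip: str, search_domain: str, account: str, forest_domain: str) -> dict:
    """Assemble the connection fields the guide lists (the password is never handled here)."""
    return {
        "Server URI": server_uri_from_ip(server_ip),
        "Search Base": search_base_from_domain(search_domain),
        "Login User": login_user_upn(account, forest_domain),
    }


if __name__ == "__main__":
    # Constructed sample values matching the guide's examples.
    for k, v in build_ad_config("10.0.0.5", "zsec.io", "zilla-svc", "access-ventures.com").items():
        print(f"{k}: {v}")
```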
For MySQL Databases
Log in to Zilla as an Administrator
Add a new application:
Search for MySQL, then add an instance to Zilla:
Add a Business Owner (Person Reviewing Access for the App) and a Technical Owner (Person setting up syncs and revoking access), then select Add to Applications:
Select the gear box on the top right of the screen:
Fill out the config we need to connect to the database and pull users. The fields are outlined below:
Frequency - How often should we pull users?
Database Server Host - this is the hostname or IP of the database server
Database Server Port - this is the port that PO Box will send the query request over. By default, MySQL uses port 3306
Database Name (optional) - by default, Zilla pulls users at the system level; however, if you would also like to pull from a specific database, you can enter the name of that database and we will also pull any database-level users. Please note: you will need to grant SELECT access on that database to the service account you created for this to work.
Database User - the username of the service account you created. Please see here for more details.
Database Password - the password for the service account you created.
Adding a PostgreSQL Database to Zilla
Log in to Zilla as an Administrator
Add a new application:
Search for PostgreSQL, then add an instance to Zilla:
Add a Business Owner (Person Reviewing Access for the App) and a Technical Owner (Person setting up syncs and revoking access), then select Add to Applications:
Select the gear box on the top right of the screen:
Fill out the config we need to connect to the database and pull users. The fields are outlined below:
Frequency - How often should we pull users?
Database Server Host - this is the hostname or IP of the database server
Database Server Port - this is the port that PO Box will send the query request over. By default, PostgreSQL uses port 5432
Database Name - this is the name of the database you want to pull users from
Database User - the username of the service account you created. Please review Creating Service Accounts For PO Box for more details.
Database Password - the password for the service account you created.
Note: if you have multiple databases that you would like to review access to, you will need to add one application per database by repeating steps 1-6 in this section. You can use the same service account as long as you have granted SELECT access to that account on every database you'd like to add to Zilla.