
vRA and vRO integration with Secret Server

Hello all,

I have a number of posts on the go and thought I would get this one out first.
When working with vRA (formerly vCAC) and vRO, integration with third-party systems or devices is what makes vRA and vRO so flexible. The magic sauce of this integration is vRealize Orchestrator (vRO). There are many plugins available, and where there isn't one, there are many options for making your own integration.

Today I will be showing how to integrate with a product from Thycotic called Secret Server. Many of my enterprise customers use this product to store and generate passwords, as well as to grant permissions and audit password access based on group membership: basically a big fancy password safe.

Secret Server has a SOAP API that allows us to integrate seamlessly with IaaS or PaaS deployments, or even Password as a Service. The main calls being used are generating, storing, retrieving and deleting passwords. Using these and tying into IaaS or PaaS deployments, we can make sure every deployment has unique passwords that are securely stored for the person who requested them. We can also automatically generate and change the root password for Linux boxes or the Administrator account on Windows servers on deployment.

Going further, we can store the secret ID as mentioned in the Extending vRA with ETCD posts HERE, and grab the password programmatically for day 2 actions without the end user ever needing to know the password.

I will be supplying the workflows used today for everyone to have a look at and try out. A link to the YouTube video covering what is seen in this post is also available.
The workflows and the SOAP operations they use, which will need to be replaced with your own operations, are:

Add Secret Server Secret – SOAP Operation: AddSecret
Deactivate Secret Server Secret by ID – SOAP Operation: Deactivate Secret
Generate Secret Server Password – SOAP Operation: Generate Password
Get Secret Server Folder – SOAP Operation: FolderGet
Get Secret Server Secret by ID – SOAP Operation: GetSecretLegacy
Get Secret Server Secret Summary – SOAP Operation: SearchSecretsByFieldValue
Get Secret Server Templates – SOAP Operation: GetSecretTemplates

Let's get started

1) Adding Secret Server as a SOAP host. Depending on the version, there are two different URLs to use: one for Windows authentication and one for local authentication. I recommend going with Windows authentication as it doesn't require token generation. Use the add SOAP host workflow and fill in the appropriate details.

2) Now let's take a quick look at the workflows. I am not going to go through the creation of all these workflows; that would be way too long and way too boring.
As you can see from the below image, there are a number of smaller workflows that can be made into a larger parent workflow.
The request Secret workflow is the main one that is called. The inputs are:

  • Server product – What the password is for
  • idVar – This is an ID; generally I would use a PaaS ID or a deployment ID, something that can be tracked and is unique
  • Username – This is the user name for the password
  • FolderPath – This is where you want the password stored
  • passwordTemplateName – Template used to generate password
  • SecretTemplateName – The template used to store the password
  • RoootfolderID – This is the folder ID of the root folder
  • ServerName – This is the server or service this password is for
  • Domainname – Domain name of the server or service

You can watch the video at the end of this post for more detail. The template is a Secret Server template; there are many out of the box, but I created my own as shown in the below image. A template dictates the password requirements as well as the fields required or available to be entered.

3) Now running that workflow we enter all of the above like the image below and cross the old fingers 🙂

As you can see, there is a lot of logging. I do not recommend logging the password, but in this case it's to demo that it actually works.
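Added example (not part of the original workflow package): a helper in plain JavaScript, the language of vRO scriptable tasks, that masks password fields before a retrieved secret is written to the workflow log. The XML sample is constructed, and the element names (`SecretItem`, `FieldName`, `Value`, `IsPassword`), the field-name list and the function names are assumptions to adjust to the responses your Secret Server returns.

```javascript
// Added example: element names and the field list below are assumptions.
var SENSITIVE_FIELDS = ["password", "passphrase", "private key"];
var MASK = "***REDACTED***";
var ITEM_RE = /<SecretItem>[\s\S]*?<\/SecretItem>/gi;
var VALUE_RE = /<Value>[\s\S]*?<\/Value>/gi;

// Constructed sample of a retrieved secret (not real data).
var SAMPLE_RESPONSE =
  "<Secret><Id>1234</Id><Name>web01 - root</Name><Items>" +
  "<SecretItem><FieldName>Username</FieldName><Value>root</Value>" +
  "<IsPassword>false</IsPassword></SecretItem>" +
  "<SecretItem><FieldName>Password</FieldName><Value>S3cr3t&amp;Example!</Value>" +
  "<IsPassword>true</IsPassword></SecretItem></Items></Secret>";

// An item is sensitive if it is flagged as a password or named like one.
function isSensitive(itemXml) {
  if (/<IsPassword>\s*true\s*<\/IsPassword>/i.test(itemXml)) return true;
  var m = /<FieldName>([^<]*)<\/FieldName>/i.exec(itemXml);
  var name = m ? m[1].toLowerCase() : "";
  for (var i = 0; i < SENSITIVE_FIELDS.length; i++) {
    if (name.indexOf(SENSITIVE_FIELDS[i]) !== -1) return true;
  }
  return false;
}

// Return a copy of the payload that is safe to log.
function redactSecretXml(xml) {
  var text = String(xml), matched = 0;
  var out = text.replace(ITEM_RE, function (item) {
    matched++;
    return isSensitive(item) ? item.replace(VALUE_RE, "<Value>" + MASK + "</Value>") : item;
  });
  // Fail closed: a payload in an unexpected shape (for example a bare
  // generated password string) is withheld entirely rather than logged.
  return matched > 0 ? out : "[unrecognised payload withheld, " + text.length + " chars]";
}

// Log through the supplied logger; in a vRO scriptable task pass
// function (m) { System.log(m); } instead of console.log.
function logSecretSafely(logger, label, xml) {
  var line = label + ": " + redactSecretXml(xml);
  logger(line);
  return line;
}

logSecretSafely(console.log, "Secret retrieved", SAMPLE_RESPONSE);
```
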

Now let's check Secret Server and see if it's been stored.

4) Adding into Application Services is easy. vRO has a great API: we can call the workflow, supply the same inputs as above, and retrieve the outputs to supply back to the Service. The script I used is similar to the one found HERE at Defined by Software. Rolling that into a service and using it in blueprints is easy.
From vRA7 we will be able to use the workflow natively in Application Services, which will be known as Application Authoring; this will make this step even easier.


This allows other services to use the generated password, allowing for more security and unique passwords per deployment.

5) Now, to remove the password from Secret Server, we run the deactivate secret workflow, which requires the secret ID.

All looks good!! Another use case is to include this in the ProvisionedMachine workflow stub to change the passwords for all local accounts on deployment.
Have a look, have a tinker, enjoy.



I was advised there was a hard-coded reference in the getfolder flow for rootfolderid, which was set to 4. I have fixed this and re-uploaded the package.
