What is the default scheduled change time (ChangeTime) for a managed account in Password Safe?

Correct: a. The API-documented default ChangeTime is 23:30 in UTC, 24-hour format. (b) and (c) invent local-time defaults that do not exist, and (d) confuses expiry with the schedule — rotation fires at the configured time and frequency (first/last/xdays), not at an expiry moment.

Priya at Wipro must update a Linux app’s config file with the new password at every rotation of svc_payapp. Which mechanism does she use?

Correct: d. Custom propagation actions (Configuration > Privileged Access Management > Propagation Actions) run PowerShell / Windows Command / Unix Shell scripts after rotation, with %u/%p/%h substitution — %p quoted. (a) detects drift, it doesn’t push secrets; (b) changes the auth type, not the config file; (c) changes WHEN rotation fires, not where the secret propagates.

Aditya at HCL wants a set of accounts rotated on the last day of every month. Which setting does he configure?

Correct: b. ChangeFrequencyType takes first (first day of month), last (last day) or xdays. ChangeTime (a) is the time-of-day, not the day; (c) throttles Smart Rule reprocessing, nothing to do with rotation; (d) caps how long a checkout can be held.

An app on 172.16.8.21 starts failing auth at 3 PM. The vault shows a successful rotation last night; a manual password test NOW returns Success: false. What best explains the gap between last night and 3 PM?

Correct: c. Vault ≠ target with a previously green rotation = out-of-band change, and Password Safe only notices when a test runs (Check Password / Password Test Agent) — the documented reset-on-mismatch timing gotcha. (a) is fiction; (b) would error the test, not return a clean false; (d) propagation pushes vault→dependents, it never writes the vault.

Monday 09:00: every scheduled rotation across Windows, Linux and network platforms failed overnight with authentication errors at the connect step. Which single cause explains ALL of it?

Correct: b. One worker, many jobs: the functional account is the shared dependency, and breaking it (the classic mistake is onboarding it as a managed account) fails everything at connect. (a) would fail only specific platforms at the change step; (c) affects load, not authentication; (d) would only hit SSH-key accounts, not Windows or network passwords.

Leadership wants auto-rotation live on 300 Windows service accounts by Friday. Which rollout plan do you defend?

Correct: d. (d) sequences the work the way the failure modes demand: dependency mapping before rotation, propagation before scale, pilot before fleet, staggering against storms, and the queue as your gauge. (a) misunderstands retries — they fix vault↔target, not dependents, so you buy a lockout storm; (b) leaves long-lived secrets and does not scale; (c) is testing in production where the “test signal” is a 2 AM outage.

Password Safe Credential Rotation: Policies, Propagation Actions & SSH Keys

Q: Karthik at TCS checks in his 2-hour RDP release at 4:00 PM. The account has Change Password After Release enabled and ChangeTime is the default. When does the password actually change?

Correct: b. Change Password After Release is its own trigger: check-in → change queued immediately. (a) and (c) describe the separate scheduled trigger; (d) describes Reset Password on Mismatch, which needs a test to fire. The two triggers coexist — a checked-in account can rotate at 4 PM and again at 23:30.

Q: Mid-rotation, the target rejects the functional account’s connection. What does the vault serve to the next requester checking out this account?

Correct: c. Commit happens after change + verify, so a failed connect leaves the old, still-valid secret in the vault and the job in the Password Change Agent retry queue. (a) reverses the ordering, (b) invents a vault lockout that does not exist, (d) invents an OTP mechanism Password Safe does not have here.

Q: A rotated account is the identity of an IIS website. Which built-in propagation action both fixes the stored credential AND forces the workers to pick it up immediately?

Correct: a. App pools store their own copy of the identity password; the “Update and Restart” variant rewrites it and recycles the pool so workers immediately run on the new secret (plain “Update IIS Application Pools” leaves pickup to the next recycle). (b), (c), (d) target services, auto-logon and DCOM — different dependents.

Q: During an auto-managed SSH key rotation, what does Password Safe do on the target system?

Correct: d. Docs are explicit: generating a new keypair removes the old public key (if present) from authorized_keys and appends the new one. (a) would leave a stale credential valid — defeating rotation; (b) is backwards — the private key lives in the vault, never on the target; (c) confuses the passphrase (vault-side protection via Encryption Enabled) with the key swap itself.

Most engineers think…

Most engineers think auto-rotation is dangerous because “the vault might overwrite a password mid-change and lock everyone out” — so they keep rotation off and change service-account passwords by hand twice a year.

Backwards on both counts. Password Safe commits the new secret to the vault only after the target accepts and verifies it — a failed change leaves the old password valid and simply retries. The real danger is the opposite: rotation succeeds, but the services, scheduled tasks and IIS app pools still running on the old password start failing and lock the account out. The fix is not avoiding rotation — it is propagation actions, configured before you switch auto-rotate on.

① Password policies — length, complexity & the four rotation triggers

Every rotation starts with a question: what should the new secret look like? The answer is a password policy. You build one at Configuration > Privileged Access Management Policies > Password Policies > Create New Password Policy. The form gives you Minimum Length and Maximum Length (anywhere from 4 to 255 characters), four character classes — Uppercase, Lowercase, Numeric and Non-Alphanumeric — each with a permit/deny toggle and a minimum count, plus a First Character Value dropdown and an Allow use for Secrets Safe checkbox.

Here is the part the form will not warn you about: the policy must respect the platform. Old Cisco gear truncates long passwords, some databases choke on certain symbols, and several platforms reject a special character in the first position — that is exactly what First Character Value exists for. Meera at Infosys learned this when her 32-character everything-policy met a network device that silently truncated at 25: the device stored the first 25 characters, the vault stored all 32, and every login after that rotation failed. One policy per platform family is the grown-up pattern.

🖥️ This is the screen you’ll use — Configuration → Privileged Access Management Policies → Password Policies → Create New Password Policy. (Recreated for clarity — your console matches this.)

bi.icicilab.in · Configuration · Password Policies

Policy Name

ICICI-Win-Svc-24char

Minimum Length

Maximum Length

Uppercase Characters

Permitted · minimum 2

Numeric Characters

Permitted · minimum 2

First Character Value

Alphanumeric

Create Password Policy

👉 So far: the password policy is the recipe for the new secret, and it must fit the weakest platform it serves. Next: the four different events that can kick a rotation off.

Now, when does a change fire? Four triggers, four different screens. (1) Scheduled: with Enable Automatic Password Management on, the account rotates at its ChangeTime — default 23:30 UTC — at a frequency of first (first day of month), last (last day) or xdays (every X days). (2) On release: Change Password After Release re-keys the secret the moment a checkout is returned — anything a human saw is treated as burned. (3) Manual / API: an on-demand change from the Managed Accounts grid, or POST ManagedAccounts/{id}/Credentials/Change from a script. (4) Mismatch reset: Reset Password on Mismatch — with the giant caveat that mismatch is only detected when a password test runs. All four land in the same place: the Password Change Agent queue.

The four triggers — tap to lock them in

Each card front is the trigger; the back is where it lives and the gotcha.

⏰

Scheduled

tap to flip

ChangeTime (default 23:30 UTC) + first/last/xdays frequency. Stagger it across estates or you build a rotation storm.

📖

On check-in

tap to flip

Change Password After Release. The bank re-keys the locker after every visit — a seen password is a dead password.

🛠️

Manual / API

tap to flip

Grid action or POST …/Credentials/Change. Use after an admin leaves the team or a secret leaks.

⚖️

Mismatch reset

tap to flip

Reset Password on Mismatch fires only AFTER a password test detects drift — it is not real-time. Pair it with Check Password.

Figure 1 — Four roads into one rotation queue

Trace each amber trigger into the Password Change Agent queue, then out to the managed system. Note the lime callout: if a Smart Rule manages this account, the rule’s settings win — not your account edit. The dashed box is the trap: mismatch reset needs a TEST to fire.

SYMPTOM: “I set Change Frequency to 30 days, next morning it’s back to 7”

The account was onboarded by a Smart Rule whose Manage Account Settings action carries its own rotation settings — and docs are explicit that the Smart Rule overrides what you configure on the system or account, re-applying on every reprocess. Edit the setting inside the Smart Rule (Smart Rules > your rule > Actions), or your change quietly reverts every time the rule runs.

Pause & Predict

Predict: your CISO demands 32-character passwords everywhere. You set Minimum Length 32 and attach the policy to a platform whose devices cap passwords at 25 characters. What happens at the next scheduled rotation? Type your guess.

Answer: The change job fails (or worse — on gear that silently truncates, the device stores 25 characters while the vault holds 32, so every authentication after rotation fails). Policies must align with the managed system’s real limits — that is why you keep one policy per platform family instead of one heroic policy for everything.

Password Safe REST API — queue an immediate rotation

POST https://bi.icicilab.in/BeyondTrust/api/public/v3/ManagedAccounts/482/Credentials/Change
Authorization: PS-Auth key=PS_API_KEY_128CHARS; runas=icici\rahul.verma;
Content-Type: application/json

{ "Queue": true }

Expected output

HTTP/1.1 204 No Content
→ change queued for the Password Change Agent
→ Managed Accounts grid: Last Change Date updates once the agent completes
→ a failed attempt lands in the retry queue (see ②)

Quick check · Q1 of 10

Karthik at TCS checks in his 2-hour RDP release at 4:00 PM. The account has Change Password After Release enabled and ChangeTime is the default. When does the password actually change?

a) At 23:30 UTC, in the scheduled slotb) Right after the 4 PM check-in — the release trigger queues a change with the Password Change Agentc) Only at the next first/last/xdays boundaryd) Only if the next password test detects a mismatch

Correct: b. Change Password After Release is its own trigger: check-in → change queued immediately. (a) and (c) describe the separate scheduled trigger; (d) describes Reset Password on Mismatch, which needs a test to fire. The two triggers coexist — a checked-in account can rotate at 4 PM and again at 23:30.

👉 So far: policy = the recipe, and four triggers (scheduled · check-in · manual/API · mismatch-after-test) all feed one change queue. Next we open the hood on a single rotation.

② Anatomy of one rotation — connect, change, verify, commit

One rotation is four moves. Generate: the vault builds a candidate secret from the password policy — held in memory, not yet committed. Connect: the functional account signs in to the target — think of the society watchman who holds the master key used to change every flat’s lock, but never lives in any flat. Change + verify: the new secret is set on the target, then Password Safe authenticates with it to prove the target really took it. Commit: only now does the vault store the new secret and stamp the account’s Last Change Date.

▶ One rotation, four moves — and the moment it breaks

Follow svc_corebank’s password change from policy to vault commit. Press Play for the healthy path, then Break it to see the failure.

① Generatepolicy ICICI-Win-Svc-24char → 24-char candidate secret (held, NOT committed)

▼

② Connectfunctional acct psafe_fa → target 172.16.8.21:445

▼

③ Change + Verifyset secret on target → re-auth test old → new

▼

④ Commitvault stores new secret · Last Change Date updates · propagation fires

Press Play to step through the healthy path. Then press Break it.

That commit-after-verify ordering is the design decision worth repeating in interviews: a failed rotation cannot strand you. If the change or verify step fails, the vault keeps the last known-good secret and the job sits in the Password Change Agent’s retry queue — tuned at Configuration > Privileged Access Management Agents > Password Change Agent via Retry failed changes after (minutes), Maximum retries, and Unlimited Retries. The flip side: with Unlimited Retries, a misconfigured account fails forever, silently. The failed queue is a dashboard you must watch, not a bin you ignore.

Figure 2 — Commit happens only after the target accepts

The four steps left to right; the red branch is a failed change dropping into the retry queue. Bottom strip: the three vault-vs-target states — and why only the out-of-band change creates a real mismatch.

Pause & Predict

Predict: a rotation to a Linux box fails at the change step. The next engineer checks out that account from the vault. Do they get the new (never-applied) password or the old one — and does it work? Type your guess.

Answer: The old one, and it works. The vault only commits after a verified change, so a failed job leaves the last known-good secret in place and the change waiting in the retry queue. The dangerous state is different: someone changing the password ON the target out-of-band — then the vault is stale, and only a password test will catch it.

Rahul at ICICI faces this

A forced rotation on a freshly onboarded domain account fails instantly. The log reads: “Password change failed. Error: Value cannot be null. (Parameter ‘identityValue’)”.

Likely cause

Password Safe cannot resolve the account’s SID in the directory — the account was renamed after onboarding, so the stored identity points at nothing. This exact string is a known field error for unresolvable SIDs.

Diagnosis

Run a directory query from BeyondInsight for that account and compare the distinguished name with what the managed account record shows. A rename, a deletion, or an unsynced domain will surface immediately.

BeyondInsight > Managed Accounts > svc_corebank > Advanced Details

Fix

Re-onboard the account from the correct directory path (or undo the rename), then queue the change again with POST …/Credentials/Change.

Verify

POST ManagedAccounts/{id}/Credentials/Test returns Success: true, and the grid’s Last Change Date updates after the agent run.

PowerShell — sign in and test whether vault still matches target

$h = @{ Authorization = 'PS-Auth key=PS_API_KEY_128CHARS; runas=icici\svc_psapi; pwd=[S3cure#Pass];' }
$base = 'https://bi.icicilab.in/BeyondTrust/api/public/v3'
Invoke-RestMethod "$base/Auth/SignAppin" -Method Post -Headers $h -SessionVariable ps
Invoke-RestMethod "$base/ManagedAccounts/482/Credentials/Test" -Method Post -WebSession $ps

Expected output

UserName : svc_psapi          ← SignAppIn 200, session held in $ps
Success
-------
   True                       ← vault password matches the target
(False = mismatch — run the triage ladder in Fig 5)

SYMPTOM: every rotation in the estate starts failing on the same morning

Someone “helpfully” onboarded the functional account itself as a managed account, and Password Safe rotated its password while in-flight change jobs still held the old one. BeyondTrust’s own guidance: functional accounts have built-in management capabilities and must not be managed as managed accounts — passwords can fail to synchronise. The watchman’s own key got changed and nobody told him: now no lock in the building can be re-keyed. Monitor functional-account health separately and never vault-manage it.

Last piece: drift detection. Check Password plus the Password Test Agent periodically prove the vaulted secret still works. When a test fails and Reset Password on Mismatch is on, Password Safe re-asserts control by rotating. But understand the timing: like the milkman who only discovers the gate lock changed on his next delivery, mismatch is found at the next test, not at the moment of drift. A real community thread exists precisely because an admin expected reset-on-mismatch to be real-time. It is not.

Quick check · Q2 of 10

Mid-rotation, the target rejects the functional account’s connection. What does the vault serve to the next requester checking out this account?

a) The new password — it was committed when generatedb) Nothing — the account is locked in the vault until an admin intervenesc) The old password — the vault commits only after a verified change, and the job waits in the retry queued) A temporary one-time password generated for the outage

Correct: c. Commit happens after change + verify, so a failed connect leaves the old, still-valid secret in the vault and the job in the Password Change Agent retry queue. (a) reverses the ordering, (b) invents a vault lockout that does not exist, (d) invents an OTP mechanism Password Safe does not have here.

👉 So far: generate → connect (functional account) → change+verify → commit, with retries on failure and tests to catch drift. Now the part that separates juniors from seniors: what about everything ELSE that uses that password?

③ Propagation actions — the 2 AM breakage insurance

A human checks a password out of the vault. A service account’s password is different: it is burned into places that never ask the vault — a Windows service’s Log On As entry, a scheduled task’s stored credential, an IIS application pool identity, a COM+ application. Rotate the account and every one of those copies is instantly wrong. They do not fail at 23:30 when you rotate; they fail at the next restart, recycle or task run — which is why this class of outage so reliably detonates at 2 AM, when nightly jobs wake up.

The Indian-household version: you changed your flat’s main-door lock but forgot that the maid, the milkman and your neighbour all hold duplicate keys. Tomorrow morning, three people rattle the door with dead keys. On Windows the rattling is worse than annoyance: each dependent retries its old password, the domain controller counts every failure, and at the lockout threshold AD locks the account — at which point even the NEW, correct password stops working. The rotation did not break production; the forgotten copies did, and then the lockout took out everything including the vault’s own secret.

Figure 3 — Without vs with propagation actions

Left: the same successful rotation strands three dependents on the old password, sprays 4625s at the DC, and the lockout kills the 2 AM nightly run. Right: propagation actions update and restart every dependent from the Latest Discovery Data set. Bottom-right: the plumbing it needs.

Password Safe ships nine built-in propagation actions: Update Services, Update and Restart Services, Update Scheduled Tasks, Update IIS Application Pools, Update and Restart IIS Application Pools, Update Windows Auto Logon, Update COM+ Applications, Update DCOM Applications and Update SCOM RunAs Identities. You attach them per managed account: open the account’s Advanced Details > Propagation Actions pane and click Assign Propagation Action, choosing both the action and a Propagation Set — Latest Discovery Data (every system where discovery found this account in use) or a Managed System-Based Smart Rule. The action then runs on each system in the set after every successful rotation. Plumbing requirements: the functional account needs ADMIN$ share access, targets need .NET Framework 4.7.2+, and the network path must allow TCP 445 and UDP 137/138/139.

🖥️ Managed account → Advanced Details → Propagation Actions → Assign Propagation Action. Pick the action AND the set it runs against. (Recreated for clarity — your console matches this.)

bi.flipkartlab.in · Managed Accounts · svc_pay · Advanced Details

Propagation Action

Update and Restart Services

Propagation Set

Latest Discovery Data

Assign Propagation Action

Pause & Predict

Predict: Sneha enables auto-rotate on svc_backup — used as the logon identity by a Windows service on 14 servers — with no propagation actions assigned. What happens inside the next 24 hours? Type your guess.

Answer: Rotation itself succeeds. Then each of the 14 services keeps presenting the old password at restarts and re-authentications; failed logons (event 4625) accumulate at the DC until svc_backup hits the lockout threshold. Once locked, even the vault’s correct new password fails. Backups silently stop. The fix order: map dependents via discovery, assign Update and Restart Services with a propagation set, THEN enable auto-rotate.

Sneha at Flipkart faces this

Saturday’s 23:30 rotation of svc_pay went green. Monday 02:00, the payment-reconciliation scheduled task fails across 14 servers; by 02:20 svc_pay is locked out in AD and on-call is paged.

Likely cause

No propagation actions were assigned. The scheduled task and two Windows services on each server still presented the old password; the combined retry spray crossed the AD lockout threshold, which then blocked the new password too.

Diagnosis

On the DC, filter Security log for event 4625 with svc_pay as the target account — every source host is one that runs svc_pay as a service or task identity. Compare that host list against the account’s propagation set (it was empty).

Managed Accounts > svc_pay > Advanced Details > Propagation Actions

Fix

Assign Update and Restart Services + Update Scheduled Tasks with Propagation Set = Latest Discovery Data, unlock svc_pay in AD, then queue a fresh rotation so every dependent picks up the new secret together.

Verify

After the rotation: no new 4625s for svc_pay on the DC, each service shows Running with the new Log On credential, and the task’s Last Run Result is 0x0.

When the dependent is not one of the nine built-ins — say your app reads a password from a config file — build a custom action at Configuration > Privileged Access Management > Propagation Actions > + Create Propagation Action. You choose a script type (PowerShell, Windows Command or Unix Shell), give the full script path, and pass parameters with substitution variables: %u account name, %p password, %h host, %i IP, %j system name, %k system IP. One sharp edge from the docs: %p must be enclosed in quotes when passed on a command line — generated passwords contain characters your shell will happily mangle.

Custom propagation action — Unix Shell (Configuration > Privileged Access Management > Propagation Actions)

# Script type : Unix Shell
# Full path   : /opt/bt/update-app-conf.sh
# Parameters  : %u "%p" %h        ← %p MUST be quoted

#!/bin/sh
# $1=account  $2=new password  $3=host
sed -i "s|^db_pass=.*|db_pass=$2|" /etc/payapp/app.conf
systemctl restart payapp
echo "payapp.conf updated for $1 on $3"

Expected output

payapp.conf updated for svc_pay on 192.168.40.17
● payapp.service — active (running) since 23:31:42 UTC
exit 0 → propagation recorded as success against the rotation

VERIFY: your first propagated rotation, on ONE pilot box

Before fleet-wide rollout, rotate one account on one server and check three things: the service in services.msc shows Running and a fresh start time (the restart happened), the scheduled task’s Last Run Result is 0x0 on its next trigger, and the DC shows zero new 4625 events for that account. Only then widen the propagation set. Dependency mapping first, auto-rotate second — in that order, always.

Quick check · Q3 of 10

A rotated account is the identity of an IIS website. Which built-in propagation action both fixes the stored credential AND forces the workers to pick it up immediately?

a) Update and Restart IIS Application Poolsb) Update Servicesc) Update Windows Auto Logond) Update DCOM Applications

Correct: a. App pools store their own copy of the identity password; the “Update and Restart” variant rewrites it and recycles the pool so workers immediately run on the new secret (plain “Update IIS Application Pools” leaves pickup to the next recycle). (b), (c), (d) target services, auto-logon and DCOM — different dependents.

👉 So far: rotation’s real blast radius is the dependents — nine built-in propagation actions plus custom scripts keep them in sync, and you map them BEFORE enabling auto-rotate. Last stop: accounts that hold keys instead of passwords, and how to watch the whole machine’s health.

④ SSH keys, DSS rotation & monitoring rotation health

On Linux estates, the privileged credential is often not a password at all — it is an SSH key. Password Safe’s docs and API still call this DSS authentication, and the policy engine lives at Configuration > Privileged Access Management Policies > SSH Key Policies. A policy sets the Key Type (RSA or DSA), the bit size (default 2048), and optionally Encryption Enabled — which protects the private key with a passphrase generated from a password policy you pick. The built-in default policy is RSA 2048 with an auto-managed passphrase. Supported platforms: Linux, AIX, HP-iLO, HP-UX, DRAC, macOS, Solaris, Juniper and RACF; uploads are accepted in OpenSSH format including Ed25519 — though policy-driven generation offers RSA/DSA, so pick RSA and skip DSA (modern OpenSSH disables it).

Rotation mechanics differ from passwords in one beautiful way. Enable Auto-Managed SSH Key on the account and key rotation rides the same schedule as password changing — same ChangeTime, same triggers. At rotation, Password Safe generates a fresh keypair, and on the target it removes the old public key from authorized_keys and appends the new one. Think of the bank updating your signature card in their register: the new signature goes in, the old one is struck off, and yesterday’s forged copy is worthless. The private key plus passphrase live only in the vault — nothing secret sits on the target. And for redundancy, the account can fail over to a managed password if key auth ever breaks.

Figure 4 — SSH key rotation: swap the keypair, edit one file

The four-step swap, then the contrast: password rotation replaces a string; key rotation replaces a keypair and edits authorized_keys. Old key = instant Permission denied.

Linux target — prove the key swap after a rotation

sudo grep -c '^ssh-rsa' /home/svc_deploy/.ssh/authorized_keys
sudo tail -1 /home/svc_deploy/.ssh/authorized_keys | cut -c1-44
ssh -i ~/old_svc_deploy_key svc_deploy@192.168.40.17 hostname

Expected output

1                                  ← exactly one managed key: old entry removed
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDk9w2q
svc_deploy@192.168.40.17: Permission denied (publickey).
                                   ↑ the captured/old key is now worthless

Pause & Predict

Predict: an auto-managed SSH key rotates tonight. Name exactly what Password Safe changes ON the target box — and what it deliberately never writes there. Type your guess.

Answer: On the target it edits one file: the old public key is removed from authorized_keys and the new public key is appended. It never writes the private key or its passphrase to the target — those live only in the vault and are injected at session time. That asymmetry is the whole point of key-based rotation.

Now zoom out: rotation is a machine, and machines need gauges. Three you should watch weekly. (1) The failed-change queue: the Password Change Agent retries on its schedule, but with Unlimited Retries a broken account fails forever without a human ever noticing — review failures in the console and get them into your SIEM or ticket queue. (2) Password age: the Managed Accounts grid shows Last Change Date; accounts whose age exceeds their frequency are stuck — that is your earliest signal of a dead functional account or a directory problem. (3) Test results: scheduled Password Test Agent runs catching mismatches tell you about out-of-band changes before a 2 AM incident does. BeyondInsight’s Analytics & Reporting menu carries the account activity reporting you will hang these reviews on.

TIP: treat rotation failures as a security signal, not just an ops chore

In the December 2024 BeyondTrust incident (the US Treasury case), attackers with a stolen Remote Support SaaS API key did not steal passwords — they reset local application passwords to get in. Resetting a credential is an attack action, and your rotation machinery is Tier-0 infrastructure. Alert on rotation activity outside expected windows, on spikes in manual/API-initiated changes, and on failed-queue growth. Scope and rotate the API keys that can drive rotation, exactly as you rotate the passwords themselves.

Figure 5 — Rotation-failure troubleshooting ladder + quick card

Left: the six-step triage ladder — run it top to bottom and you will find the failure class in minutes. Right: every console path, default, API endpoint and port from this lesson on one card.

Quick check · Q4 of 10

During an auto-managed SSH key rotation, what does Password Safe do on the target system?

a) Appends the new public key and keeps the old one as a backup entryb) Replaces the private key stored in ~/.ssh on the targetc) Only changes the passphrase protecting the existing keyd) Removes the old public key from authorized_keys and appends the new public key

Correct: d. Docs are explicit: generating a new keypair removes the old public key (if present) from authorized_keys and appends the new one. (a) would leave a stale credential valid — defeating rotation; (b) is backwards — the private key lives in the vault, never on the target; (c) confuses the passphrase (vault-side protection via Encryption Enabled) with the key swap itself.

🎮 Hands-on: BeyondTrust PAM Essentials room 🔍 Prev lesson: Discovery & auto-onboarding

👉 Wrap: policies write the secret, four triggers queue it, the functional account delivers it with commit-after-verify, propagation saves your 2 AM, SSH keys swap pairs in authorized_keys — and the failed queue is a gauge you watch, not a bin. Next lesson: who is ALLOWED to take credentials out — requests, approvals and JIT.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from BeyondTrust docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: A teammate says: “We’ll enable auto-rotation on all 300 service accounts tonight — the change agent retries will absorb any failures.” In 3–4 sentences, what do you correct? Then compare to the expert version.

Expert version: Retries fix the vault↔target conversation, not the dependents: every Windows service, scheduled task and IIS app pool still holding the old password will fail at its next restart or run, spray 4625s, and lock the accounts out — at which point even the new password is dead. Map dependents first (discovery), assign propagation actions (Update and Restart Services, Update Scheduled Tasks, IIS app pools) with a propagation set, pilot on one ring, stagger ChangeTime, and watch the failed-rotation queue as you expand. Rotation is safe by design — unpropagated rotation is the outage.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Rotation at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

Password policy: The recipe for generated secrets: length 4–255, character classes with minimum counts, First Character Value.
Functional account: The vault’s worker account that signs in and changes other accounts’ secrets; never checked out, never itself managed.
Password Change Agent: Appliance/broker service that executes queued rotations and retries failures (retry minutes, max retries, unlimited).
Password Test Agent: Scheduled service that authenticates with the vaulted secret to prove it still matches the target.
ChangeTime: Per-account scheduled rotation time; API default 23:30 UTC, frequency first / last / xdays.
Change Password After Release: Trigger that rotates the secret the moment a checkout is checked back in.
Reset Password on Mismatch: Forces a rotation when a password test finds vault ≠ target — fires only after a test, never real-time.
Propagation action: Post-rotation step that pushes the new secret into dependents: services, scheduled tasks, IIS app pools, COM+/DCOM, auto-logon, SCOM.
Propagation set: The systems a propagation action runs on: Latest Discovery Data or a Managed System-Based Smart Rule.
DSS key: Legacy BeyondTrust label for vaulted SSH keys; survives in SSH Key Policies docs and the DSSKeyRules API.
authorized_keys: File on the target listing public keys allowed to log in; rotation removes the old entry and appends the new one.
Ed25519: Modern SSH key type; accepted by Password Safe on upload (OpenSSH format), while generation policies offer RSA/DSA.

📚 Sources

BeyondTrust Password Safe Admin Guide — Create password policies (Configuration > Privileged Access Management Policies > Password Policies; length 4–255, character classes, First Character Value). docs.beyondtrust.com/bips/docs/ps-create-password-policies
BeyondTrust docs — Windows components & propagation actions in Password Safe (the nine built-in actions, Assign Propagation Action, propagation sets, %u/%p/%h variables, ADMIN$ + TCP 445 / UDP 137–139 requirements). docs.beyondtrust.com/bips/docs/ps-add-windows-components
BeyondTrust docs — SSH Key authentication with Password Safe (SSH Key Policies: RSA/DSA, 2048-bit default, Encryption Enabled; Auto-Managed SSH Key; authorized_keys swap; platform list). docs.beyondtrust.com/bips/docs/ps-dss-authentication
BeyondInsight & Password Safe API guide — ManagedAccounts Credentials/Change and Credentials/Test, DSSKeyRules, PS-Auth header, defaults (ChangeTime 23:30 UTC, release 120/525600 min). docs.beyondtrust.com/bips/v24.3/docs/password-safe-api
BeyondTrust docs — Password Change Agent & Password Test Agent (Configuration > Privileged Access Management Agents; retry minutes, maximum retries, Unlimited Retries). docs.beyondtrust.com/bips/docs/configure-password-safe-agents
BeyondTrust Beekeepers community — rotation failure war stories: “Value cannot be null (Parameter identityValue)” SID resolution thread; functional-account rights threads; reset-on-mismatch timing thread. beekeepers.beyondtrust.com
NVD / The Hacker News — CVE-2024-12356 and the December 2024 stolen Remote Support SaaS API key incident, where attackers reset local application passwords (US Treasury). nvd.nist.gov/vuln/detail/cve-2024-12356
PeerSpot — BeyondTrust Password Safe reviews: practitioner pros/cons on rotation, upgrades and error reporting. peerspot.com/products/beyondtrust-password-safe-pros-and-cons

What's next?

The secret now rotates itself — but who is allowed to take it out, who approves, and for how long? Next we wire up requests, approvers, ISA instant access and just-in-time elevation.

Next · Access workflows: requests, approvals & JIT → Practice on exam.techclick.in →

Password Safe Credential Rotation: — Policies, Propagation Actions & SSH Keys

🎯 By the end you will be able to

Pick where you want to start

Policies & triggers

One rotation’s anatomy

Propagation actions

SSH keys & health

① Password policies — length, complexity & the four rotation triggers

The four triggers — tap to lock them in

② Anatomy of one rotation — connect, change, verify, commit

▶ One rotation, four moves — and the moment it breaks

③ Propagation actions — the 2 AM breakage insurance

④ SSH keys, DSS rotation & monitoring rotation health

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?