18.4.6. Procedure – Using a custom Credential Store plugin to authenticate on the target hosts


To configure PSM to retrieve the credentials used to login to the target host using a custom plugin, complete the following steps.


To use a custom Credential Store plugin, you need to upload a working Credential Store plugin to PSM. This plugin is a script that uses the PSM API to access an external Credential Store or Password Manager. If you want to create such a plugin, contact the Balabit Support Team. For more information on creating a custom plugin, see Section 18.7, Creating a custom plugin.


Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on PSM using gateway authentication or an AA plugin. Therefore gateway authentication or an AA plugin must be configured for these connections. For details, see Section 18.2, Configuring gateway authentication and Section 18.5, Integrating external authentication and authorization systems.

To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins, browse for the file and click Upload. Note that it is not possible to upload or delete Credential Store plugins if PSM is in sealed mode.

Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.


  1. Navigate to Policies > Credential Stores.

  2. Click and enter a name for the Credential Store.

  3. Select External Plugin, then select the plugin to use from the Plugin list.

  4. If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.


    Plugins created and issued before the release of PSM 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.

  5. Click .

  6. Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click .