Vault API Extension is a component of Sectona PAM to retrieve Privileged Account Password from Sectona PAM Vault. This supports multiple programming languages which can be Java, .NET, or any other Windows supported language. Vault API Extension runs as a windows service and it caches the latest password for an account(s) which are required and requested by local application via Vault API Extension interface. In case of a disaster or Sectona PAM Vault server being unavailable, the Vault API Extension service provides a cached password of Privileged Account required by local application.

This section covers

Sectona Vault API Extension Installation Process

Click on the MSI file named Sectona.Vault.APIExtension.Setup.msi then the following screen will appear:

Click on Next. Select the path for the Vault API extension service where you want to install it. Click on Next button.

The following screen will appear to confirm the installation process. Click on the Next button.

The installation process will begin as seen below:

Once the installation is complete, click on the Close button to exit.

Sectona Vault API Extension Service Configuration Parameters

 Parameters

Default Value

Description

 AppServers

https://localhost

It can have multiple servers where Sectona PAM is installed (separated by ;).

 AuthKey

<Dynamic key>

It is a key used to validate the application that is requesting.

 AuthKeyEN

<Encrypted Auth key >

Auth key further encrypted and stored in AuthKeyEN.

 AccessKey

<Dynamic key>

It is a key used to validate the requested account registered on PAM.

 AccessKeyEN

<Encrypted Access Key>

Access Key further encrypted and stored in AccessKeyEN.

 AuthKeyEN

6389

The port used by the Vault API Extension service. The default port is 6389 (can be changed). 

 TriggerTimeInMinutes

60

It updates passwords which are retrieved through the Vault API Extension from Sectona PAM on the value of interval. The default value is 60 minutes (can be changed)

Vault API Extension service restart required after any parameter changes in the configuration file.

Registering Accounts in Sectona PAM

Login to Sectona PAM as administrator.

Go to Manage and select Application Password Management. Click on the Vault API tab.

When you click on the +Add API Registration button, you will get the following form:

Enter the details in the form. Click on the Save button and your API will be registered in Sectona.

The following are the input details for API registration form:

 Parameter

Description

 Description

API Registration name.

 Access Key

Access Key (any key) should be the same in both Vault API Extension Service and PAM.

 Source IP/ Host

Allow retrieval from hosts or IP addresses.

 API Scope

Scope for API for Account credentials only.

 Account Groups

Accounts from a group or multiple groups.

 Expiry

Configuration valid up to date.

 Status

Allows registration.

How the service works

  • Takes requests from the agent.

  • Connect to PAM using the access key(by restful API password vault API).

  • Gives a response to the agent and also cache the account in itself (in encrypted format).

  • If the PAM server is not reachable then it will give a response from the cache if available.

  • If the server is reachable then from the input it will call an API and update the account information and respond to the agent.

Sectona Vault API Extension Agent

 Application parameters

Description

 -e < Auth Key>

It passes authorization key (to validate cross-platform application ).

 -t <Asset type>

It passes asset type.

 -h <Host>

It passes Host Name or IP Address.

 -d <Database Instance>

It passes database instance (optional).

 -a <Account Name>

It passes Account Name.

 -i <Instance Name>

It passes Instance name.

It is a Console Application that takes data inputs through parameters and gives console response of password and then passphrase by communicating with the service.

To get an Account password, one needs to run an agent with the parameters mentioned as follows:

The agent is located on the same directory where the service is installed.

For example, 

Sectona.Vault.APIExtension.Agent.exe -e <Authkey> -t <'Windows Server'/Unix/UBUNTU> -h <HOSTNAME> -d <DBINSTANCENAME> -a <AccountName> -i <InstanceName >

Sectona Vault API Extension service needs to be running while requesting the password.