Configuring Satellite Vault for break glass

Satellite vault is a standalone, independent module of the Sectona Privileged Access Management platform. This module enables secure replication of passwords and secrets from your primary vault instance to other instances to be activated in case of unavailability of the primary vault for any reason.

With Sectona ‘Password Vault’ running and real-time sync activated with ‘Satellite Vault,’ the account passwords are kept in sync with the Satellite Vault. As a best practice, Satellite Vault should be configured on a secured machine (workstation or laptop) on the same network as the Password Vault. Access to the Satellite Vault system should be protected with Windows login credentials, and users should be allowed to copy their profile key onto this system. Password Vault replicates a copy of each privileged account password to ‘Satellite Vault’ whenever it changes under the password rotation policy, so the latest copy is always held there.

This section provides steps to configure satellite vault sync from the Password vault using Sectona Web Access.

Make sure you have installed Satellite Vault in your environment. For installation, refer to Installing Sectona Satellite Vault Component. Also, ensure that the Satellite Vault server can communicate with the Sectona PAM server.

Ensure you have ready access to the satellite vault and primary vault, including operating system-level access with administrative privileges.

Synchronization between the primary vault and the satellite vault is restricted by default.

It is recommended to configure administrative users for the vault so that authorized normal users can be granted vault access in disaster situations. Administrative users may or may not have access to passwords/secrets themselves, and can grant access to other users when needed.

Enabling vault synchronization

  • Log in to the Sectona application and navigate to System in the navigation tab.

  • You will need an access key and a shared key to enable secure sync between the vault and the satellite vault. These two keys establish a secure handshake between the vault and the satellite vault.

  • Locate the access key in the installed Satellite Vault instance. The access key is stored in the Satellite Vault configuration file, whose default path is C:\inetpub\wwwroot\SatelliteVault\ApplicationData\AppConfig.xml. The access key is a 32-bit key generated at the time of installation of the satellite vault and uniquely identifies the satellite vault instance. In the same file you can also provide a sync timeout value under the VaultSync TimeoutInMinutes Value parameter.

  • Go to Satellite Vault in the sidebar of the primary vault instance. Fill in the Satellite Vault Address and the Communication Port (default: 443).

  • Enter the pre-located access key in the Access Key field.

  • Generate the unique shared key.

  • Copy the Shared key.

  • Paste the shared key in the AppConfig.xml of the satellite vault file in the field <SharedKey Value= "enter here" /> and save the file.
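The two AppConfig.xml edits in the steps above (reading the access key, writing the shared key and optional sync timeout), as an added PowerShell example that is not Sectona's own tooling. The `<SharedKey Value="..."/>` element and the default file path come from this page; the element name holding the access key (`AccessKey`) and the name of the timeout element are assumptions, so adjust them if your file differs.

```powershell
# Added example, not part of the Sectona product. Backs up AppConfig.xml, prints the access
# key to enter in the primary vault, writes the shared key into <SharedKey Value="..."/>,
# optionally sets the VaultSync timeout, and verifies the write.
param(
    [string]$ConfigPath = 'C:\inetpub\wwwroot\SatelliteVault\ApplicationData\AppConfig.xml',
    [Parameter(Mandatory)][string]$SharedKey,      # value copied from the primary vault UI
    [int]$TimeoutInMinutes,                          # optional VaultSync TimeoutInMinutes
    [string]$AccessKeyElement = 'AccessKey'          # ASSUMED element name, not from the page
)

if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "AppConfig.xml not found at $ConfigPath" }
if ($SharedKey -match '^\s*$' -or $SharedKey -eq 'enter here') {
    throw 'Paste the shared key generated in the primary vault, not the placeholder.'
}

# Keep a timestamped copy so a bad edit can be rolled back.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw

# Access key: shown so it can be typed into the primary vault's Access Key field.
$accessNode = $cfg.SelectSingleNode("//*[local-name()='$AccessKeyElement']")
if ($accessNode) { Write-Host "Access key for the primary vault: $($accessNode.GetAttribute('Value'))" }
else { Write-Warning "No <$AccessKeyElement> element found; locate the access key manually." }

# Shared key: the <SharedKey Value="enter here" /> field named on the page.
$sharedNode = $cfg.SelectSingleNode("//*[local-name()='SharedKey']")
if (-not $sharedNode) { throw 'No <SharedKey> element in AppConfig.xml' }
$sharedNode.SetAttribute('Value', $SharedKey)

if ($PSBoundParameters.ContainsKey('TimeoutInMinutes')) {
    # The page calls this "VaultSync TimeoutInMinutes Value"; the exact element name is assumed.
    $timeoutNode = $cfg.SelectSingleNode("//*[contains(local-name(),'TimeoutInMinutes')]")
    if ($timeoutNode) { $timeoutNode.SetAttribute('Value', "$TimeoutInMinutes") }
    else { Write-Warning 'No VaultSync timeout element found; left unchanged.' }
}

$cfg.Save($ConfigPath)

# Re-read the file and confirm the placeholder was actually replaced.
[xml]$check = Get-Content -LiteralPath $ConfigPath -Raw
$written = $check.SelectSingleNode("//*[local-name()='SharedKey']").GetAttribute('Value')
if ($written -ne $SharedKey) { throw "Shared key was not written; restore from $backup" }
Write-Host "Shared key written. Backup kept at $backup"
```

Run it in an elevated PowerShell on the Satellite Vault host after generating the shared key in the primary vault; the backup file also contains the key, so remove or protect it once sync is confirmed.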

Configuring User Access rules

Synchronization between the primary vault and the satellite vault is scoped by Account Groups. All passwords grouped under an account group can be made available to an individual user at a satellite vault. This configuration is independent of access rights at the vault level.

  • Navigate to Synchronization & Access Configuration. Select the instance, account group, and the Sectona user you wish to allow access to passwords at the satellite vault level.

  • Add further entries by clicking the + button and filling in the required fields; remove an entry by clicking the - button.

  • Make sure the status button is Active to enable synchronization between both instances.

  • Click on Save to save the configuration.

  • Click on Sync Now to sync secrets with the Satellite vault.

Initiating vault sync

Vault sync uses the App Service SatelliteVaultService, which is started by default. Check the status of the service in the App Services tab. By default the service is triggered every 60 minutes; the actual sync duration depends on the volume of changes to be updated. You can change the default interval in System Default → TriggerInterval AppService - SatelliteVault (Minutes).

Disabling satellite vault sync

Sync can be deactivated by disabling the Active flag from the configuration in the Satellite vault configuration in the primary vault.

Managing user access at satellite vault

User authentication for accessing passwords/secrets at the satellite level is based on a security key. Users must generate the security key by logging into their primary vault profile. Users must keep the key safely to log in to the satellite vault when needed.

The satellite vault does not use an authentication database and uses key-based authentication to recognize a user. The security key identifies the validity and authenticity of the user at the satellite vault level. This enables authentication at the satellite vault without needing any additional database or authorization source like AD, which is normally unavailable in a disaster situation.

Administrative Users: Can be added to invoke access for users and restrict unauthorized access to passwords/secrets. At least one user must be added as an administrator to invoke access for other users during a disaster. The satellite vault does not automatically grant access to every user holding a valid security key; an administrator must invoke it. Multiple administrative users can be created to cover contingencies.

User: User-level access can be granted to specific users for specific Account Groups.

The primary vault configuration also allows sharing the Security Key to configured users (administrative & users) via email using the 'Share Security Key to Users' option.

Configuring MFA for Satellite Vault login

To configure multi-factor authentication for satellite vault login, follow these steps:

  • Log in to Sectona PAM as an administrator.
  • Navigate to System → Satellite Vault.
  • Under the Satellite Vault Administrator tab, check the Yes button to Enforce MFA.
  • Provide the DNS address so that the domain name resolves to the correct IP address and users are routed to the correct site.
  • Click on the Save button to save the configuration.

For more information on supported multi-factor types in Sectona PAM, refer to Configuring Multi-factor authentication.
