Vault API Extension is a component of Sectona PAM that retrieves privileged account passwords from the Sectona PAM Vault. It supports multiple programming languages, including Java, .NET, or any other Windows-supported language. Vault API Extension runs as a Windows service and caches the latest password for each account required and requested by the local application via the Vault API Extension interface. In case of a disaster, or if the Sectona PAM Vault server is unavailable, the Vault API Extension service provides the cached password of the privileged account required by the local application.
Sectona Vault API Extension Installation Process
Click on the MSI file named Sectona.Vault.APIExtension.Setup.msi; the setup wizard opens.
Click on Next. Select the path where you want to install the Vault API Extension service. Click on the Next button.
A screen appears to confirm the installation process. Click on the Next button.
The installation process begins.
Once the installation is complete, click on the Close button to exit.
Sectona Vault API Extension Service Configuration Parameters
It can have multiple servers where Sectona PAM is installed (separated by ;).
It is a key used to validate the requesting application.
<Encrypted Auth Key>
The Auth key is further encrypted and stored in AuthKeyEN.
It is a key used to validate the requested account registered on PAM.
<Encrypted Access Key>
The Access Key is further encrypted and stored in AccessKeyEN.
The port used by the Vault API Extension service. The default port is 6389 (can be changed).
The interval at which passwords retrieved through the Vault API Extension from Sectona PAM are updated. The default value is 60 minutes (can be changed).
Vault API Extension service restart is required after any configuration file parameter changes.
Registering Accounts in Sectona PAM
Log in to Sectona PAM as administrator.
Go to Manage and select Application Password Management. Click on the Vault API tab.
When you click on the +Add API Registration button, you will get the following form:
Enter the details in the form. Click the Save button, and your API will be registered in Sectona.
The following are the input details for the API registration form:
API Registration name.
Access Key (any key) should be the same in both Vault API Extension Service and PAM.
Source IP/Host
Allow retrieval from hosts or IP addresses.
Scope for API for Account credentials only.
Accounts from a group or multiple groups.
Configuration valid up to date.
How the service works
Takes requests from the agent.
Connects to PAM using the access key (RESTful password vault API).
Gives a response to the agent and also caches the account within the service (in encrypted format).
If the PAM server is not reachable, it responds from the cache, if a cached entry is available.
If the server is reachable, it calls the API with the supplied input, updates the account information, and responds to the agent.
Sectona Vault API Extension Agent
-e <Auth Key>
It passes the authorization key (to validate cross-platform applications).
-t <Asset type>
It passes the asset type.
-h <HOSTNAME>
It passes the Host Name or IP Address.
-d <Database Instance>
It passes the database instance (optional).
-a <Account Name>
It passes the Account Name.
-i <Instance Name>
It passes the Instance name.
The agent is a console application that takes its inputs as parameters and, by communicating with the service, returns the password and then the passphrase on the console.
To get an account password, run the agent with the parameters as follows:
The agent is located in the same directory where the service is installed.
Sectona.Vault.APIExtension.Agent.exe -e <Authkey> -t <'Windows Server'/Unix/UBUNTU> -h <HOSTNAME> -d <DBINSTANCENAME> -a <AccountName> -i <InstanceName>
The Sectona Vault API Extension service must be running when the password is requested.
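The agent call described above, wrapped for use from an application, as an added example that is not Sectona's code: it passes the parameters as an argument vector (no shell, so 'Windows Server' stays one argument), rejects values that could be read as another switch, and keeps the returned secret out of logs and error messages. The function names, the two-line output layout (password, then passphrase) and the non-zero exit code on failure are assumptions; check them against your installation.

```python
"""Added example: call the Vault API Extension agent from an application."""
import subprocess

AGENT_EXE = "Sectona.Vault.APIExtension.Agent.exe"  # file name as given on the page


def _checked(name, value):
    """Hypothetical validation: reject empty values, switch-like values and control chars."""
    if not value or value.startswith("-") or any(ord(c) < 32 for c in value):
        raise ValueError(f"invalid {name}")  # the value itself is never echoed
    return value


def build_agent_argv(agent_path, auth_key, asset_type, host, account, instance,
                     db_instance=None):
    """Return the argument vector; -d is optional and omitted when not supplied."""
    argv = [agent_path,
            "-e", _checked("auth key", auth_key),
            "-t", _checked("asset type", asset_type),
            "-h", _checked("host", host)]
    if db_instance is not None:
        argv += ["-d", _checked("database instance", db_instance)]
    argv += ["-a", _checked("account", account),
             "-i", _checked("instance", instance)]
    return argv


def parse_agent_output(stdout):
    """Assumed layout: password on the first non-empty line, passphrase on the second."""
    lines = [ln for ln in stdout.splitlines() if ln.strip()]
    if not lines:
        raise RuntimeError("agent returned no credential (is the service running?)")
    return lines[0], (lines[1] if len(lines) > 1 else None)


def fetch_credential(agent_path, **params):
    """Run the agent without a shell and return (password, passphrase)."""
    proc = subprocess.run(build_agent_argv(agent_path, **params),
                          capture_output=True, text=True, timeout=30, check=False)
    if proc.returncode != 0:  # assumption: non-zero exit code means failure
        # Report only the exit code; stdout and stderr may contain secrets.
        raise RuntimeError(f"agent exited with code {proc.returncode}")
    return parse_agent_output(proc.stdout)
```

Because the Auth key travels as a command-line argument, it is visible to anything on the host that can read process command lines, so restrict local access to the machine that runs the agent.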