Configuring Satellite Vault for break glass
Satellite vault is a standalone independent module of the Sectona Privileged Access Management platform. This module enables secure replication of passwords and secrets from your primary vault instance to other instances to be activated in case of unavailability of the primary vault for any reason.
With Sectona ‘Password Vault’ running and real-time sync activated with ‘Satellite Vault’, the passwords of the accounts will be in sync with the Satellite Vault. As a best practice, Satellite Vault should be configured on a Secured machine (Workstation/Laptop) which is on the same network as the Password Vault. Access to the Satellite Vault system should be secured with Windows login credentials and should allow User(s) to copy their Profile key into this system. Password Vault replicates a copy of the privilege account password to ‘Satellite Vault’ as and when changed as per password rotation policy, to maintain the latest copy.
This section provides steps to configure satellite vault sync from Password vault using Sectona Web Access.
Make sure you have installed Satellite Vault in your environment. For installation refer to Installing Sectona Satellite Vault Component. Also ensure whether the Satellite Vault server can communicate with the Sectona PAM server.
Make sure you have ready access to satellite vault and primary vault including operating system level access with administrative privileges.
Synchronization between primary vault and satellite vault is restrictive by default.
It is recommended to configure administrative users to vault who can allow authorized normal user vault access in case of disaster situations. Administrative users may/may not have access to passwords/secrets and can allow access for other respective users when needed.
Enabling Satellite Vault synchronization
Login to the system and select PAM from the product navigator.
Navigate to Setup in the navigation bar.
To enable secure sync between vault and satellite vault, you will need
access key
andshared key
. The usage of these keys is to enable a secure handshake between vault and satellite vault.Locate the Access from the installed Satellite vault instance. The access key file can be found located in Settings menu option by clicking on your profile button. By clicking on Download you will see an XML file Access Key file downloaded. Access key is generated at 32-bit key at the time of installation of satellite vault and uniquely identifies satellite vault instance(s). You can also provide sync timeout value under
VaultSync TimeoutInMinutes Value
parameter which is found in the AppConfig.xml file of the Satellite Vault application.Go to Setup → Satellite Vault in the sidebar of the primary vault instance. Fill in the Satellite Vault Address and the Communication Port (default: 443).
Enter the pre-located AppConfig.xml file of the installed Satellite Vault in the
Access Key
field.Generate the unique shared key.
Copy the Shared key.
Paste the shared key in the AppConfig.xml of the satellite vault application in the field
<SharedKey Value="enter here" />
and save the file.
Configuring User Access rules
Synchronization levels between primary vault and satellite are based on Account Groups. All passwords grouped under an account group can be allowed to an individual user at a satellite vault. This configuration is independent of access rights at the vault level.
Login to the system and select PAM from the product navigator.
Navigate to Setup from the navigation bar and select Satellite Vault from the sidebar.
Scroll down to Synchronization & Access Configuration. Select the instance, account group, and the Sectona user you wish to allow access to passwords at satellite vault level.
You can also add multiple entries by clicking on the + button and then filling up the required fields and also remove an entry by clicking on the delete button.
Make sure the status slider is Active to enable synchronization between both instances.
Click on Save to save the configuration.
Click on Sync Now to sync secrets with the Satellite vault.
Initiating Satellite Vault sync
Vault sync uses App Service SatelliteVaultService
which is started by default. Check the status of service in the App Services tab. The default service is triggered every 60 minutes. Actual sync time depends on the changes to be updated. You can update default interval time in Platform Configuration → System Default → System Status. Enter Satellite Vault in the search box and click on the action button for TriggerInterval AppService - SatelliteVault (Minutes).
Disabling Satellite Vault sync
Sync can be deactivated by disabling the Status slider from the configuration in the Satellite vault configuration in the primary vault.
Managing user access at Satellite Vault
User authentication for accessing passwords/secrets at the satellite level is based on a security key. The security key must be generated by a user by logging into their primary vault profile. Users must keep the key safely to login to the satellite vault when needed.
The satellite vault does not use an authentication database and uses key-based authentication to recognize a user. The security key identifies validity and authenticity of the user at the satellite vault level. This enables authentication at satellite vault without need for any additional database or authorization source like AD which is normally not available in case of a disaster situation.
Sync can be deactivated by disabling the Active flag from the configuration in the Satellite vault configuration in the primary vault.
Administrative Users: Can be added to invoke access to users and restrict unauthorized access to passwords/secrets. One user must be added as an administrator to invoke access for other users at the time of disasters. Satellite vault does not grant access to all valid users with security access to satellite vault. Multiple administrative users can be created to manage contingencies.
User: Level access can be granted access to specific users with access to specific Account Group access.
The primary vault configuration also allows sharing the Security Key found by clicking on username → Settings → Security Key field to configure users (administrators & users) via email by using 'Share Security Key to Users' option.
Configuring MFA for Satellite Vault login
To configure multi-factor authentication for satellite vault login, follow the below-mentioned steps:
Login to the system and select PAM from the product navigator.
Navigate to Setup from the navigation bar→ Satellite Vault under General on the sidebar.
Under the Satellite Vault Administrator tab, click on the checkbox to Enforce MFA.
Provide the DNS address for easy conversion from domain to IP address to ensure that users are routed to the correct site.
Click on the Save button to save the configuration.
For more information related supported multi-factor types in Sectona PAM, refer to Configuring Multi-factor authentication