Vault
Introduction
The Vault is the section where machine credentials are managed. From here you can perform backups and restores, add credentials, and enable or disable automatic password change.
Backup & Restore
To access this section go to Secure Access > PAM Management > Vault Manager
Legend:
- Backups
- Restore
- Change password
Backup
To back up the credentials of all the machines of a node, click on the appropriate Backup button. A modal will appear asking for a name for the backup and a password (the password will be required to perform the restore).
Restore
To restore a backup, click on the appropriate Restore button. The list of all backups that have been performed for each node will be displayed. Choose the backup to restore and click on the appropriate Restore button. A modal will appear asking for the password with which that backup was performed and, if correct, that backup will be restored.
If you are not sure about the restore you are about to perform, take a backup beforehand so that you do not lose any passwords that may have been changed since the last backup. Before performing a backup or a restore, disable the scheduled password change: open the Workspace module settings and, in the RAG setup panel, set Automatic password change to FALSE. Otherwise the module might change the passwords on the machines while the backup or restore is in progress.
Change Password
Manual
See Password Entry for an OS Login (Host Vault)
Automatic
From version 10.7, Oplon Secure Access supports automatic password change (scheduled/on-demand) of:
- Linux resources
- Windows resources (administrative users only and with OpenSSH Server installed)
There are two ways to change one or more passwords automatically, that is, leaving it to the application to create the password and set it both on the machine and in the Secure Access configuration.
- Single machine, single user: access the Secure Access > PAM Management > Credentials section. A list of credentials for each machine will be shown. To change the password, just click on the appropriate Change password button.
The table attributes are as follows:
- Where: node name
- What: module name
- Hostname/ip: hostname or ip address of the host
- OS login name: host's operating system username
- Pwd change: enabled/disabled automatic password change
- Last pwd change: date of last automatic password change
- Pwd lease time: the interval, in days, between scheduled password changes
- Host id: host identifier
- All machines, all users: go to the Secure Access > PAM Management > Vault Manager section. To change the password, just click on the appropriate Change password button which will carry out the automatic password change process for the entire Vault.
To enable this feature, set the Enable pwd change field to TRUE for each user on each machine. For credentials that do not have this field set to TRUE, the password can only be changed manually.
Best practice
To best administer the resources connected to Secure Access, it is recommended to create, for each of them, credentials with administrative privileges that are excluded from Secure Access's automatic password change. This way there is always an access point with known credentials, and maintenance can be performed on the other accounts if needed.
Scheduled
The password change of the whole vault can be scheduled to run every N days (only for the credentials that have automatic password change enabled). To enable this feature, access the Workspace module settings and, in the RAG setup panel, set Automatic password change to TRUE.
To set the number of days between password changes, open each credential and set the number of days.