Using Resilient Secrets with the Delinea Platform
Secret Server offers Resilient Secrets so that organizations can protect and recover their IT infrastructure and data as part of an overall disaster recovery strategy.
The Resilient Secrets functionality does not fully replace a business continuity strategy and should not be used as a failover feature.
Prerequisites
- A Delinea Platform instance integrated with Secret Server.
  - Delinea Platform customers after November 2023 already have Secret Server Cloud integrated.
  - Legacy customers of Secret Server Cloud who migrate to the Delinea Platform must integrate the two products.
  - Secret Server on-premises customers who purchase the Delinea Platform to use PRA can perform a manual integration.
- An additional Secret Server cloud or on-premises instance that will act as the replica. This instance must not be connected to any other Delinea Platform.
  Customers have the option to buy more than one instance of Secret Server if they want to have multiple replicas.
  The Secret Server requirements for replica instances are the same as for the source instance.
How Do Resilient Secrets Work?
The Resilient Secrets feature copies information from the source Secret Server instance to the replica. Anything that is copied overwrites the corresponding information on the replica Secret Server.
The configurations for Cloud and On-Premises replicas are identical: nothing is done differently, configuration-wise, when setting up a Cloud replica rather than an On-Premises one, or vice versa. The following diagram represents the flow of data from the source instance to the replica in both the Delinea Platform and Secret Server respectively:
- The Delinea Platform is connected to Secret Server via an encrypted connection.
- Secret Server (Source) is connected to a replica (either Secret Server Cloud or Secret Server On-Premises) via an encrypted connection.
- The replica pulls the data package from the Source.
- When the Delinea Platform is available, users can log in to the replica with their Delinea Platform credentials.
- When the Delinea Platform is not available, users can log in to the replica via SAML or via local accounts.
Only one Delinea Platform and Secret Server Cloud pair is supported.
Best Practices
- Read-Only Mode: Replicas should be in read-only mode during operation because there can only be one source of truth – the Source instance.
- Cloud Replicas: For a replica Secret Server Cloud, Delinea recommends setting it up in a different geographic region (if both the replica and the source cloud instance are in the same region, an issue impacting that region could disrupt both).
- On-Premises Replicas: For the replica (Secret Server on-premises), Delinea recommends creating local accounts on that instance so that, in the event of a complete service outage, you will still be able to log in to the replica instance with your local account.
  Do not set up directory sync on the replica instance. This can cause duplicate users to appear when syncing users with the Delinea Platform.
  Do not enable User Sync under Directory Services on your replica instance while also having Resilient Secrets replicate users from the same directory. This configuration can cause conflicts with replication and may eventually cause database deadlocks.
- On-Premises Systems: On-premises systems involved in Disaster Recovery/Resilient Secrets, whether as a Source or as a Replica, require a site connector that uses RabbitMQ.
Delinea Platform with Secret Server Cloud and Replica Secret Server Cloud
Cloud replicas respect the user login settings of the Delinea Platform. All configurations are copied from the Delinea Platform to the replica Secret Server Cloud.
In the event of a service outage where the source Secret Server Cloud goes down, users will still be able to log in to the replica Secret Server Cloud tenant using their Delinea Platform credentials.
If you have an external user source (Entra ID, Okta, etc.) for Platform login, those logins will also work with the Cloud replica, as long as those sources are still online. If federation providers are down, you can log in to Secret Server with your local accounts.
Local Accounts should be created ahead of time, before a Disaster Recovery event occurs.
Delinea Platform with Secret Server Cloud and Replica Secret Server On-Premises
On-premises replicas respect the user login settings of the Delinea Platform. All configurations are copied from the Delinea Platform to the On-Premises replica.
After logging in to the On-Premises replica with your Delinea Platform credentials, you will still be in the Secret Server On-Premises UI.
Typically, a user could log in to the on-premises replica from its login page using their Delinea Platform credentials, but to prepare for an outage, you must have alternative methods available.
On-Premises Replica Authentication for Delinea Platform-Based Login
In the event of a service outage, the Delinea Platform login capability will not be available. To ensure access during an outage, you should prepare an alternative login method, such as configuring SAML for your IdP source, which will allow users to log in with their Delinea Platform credentials. The IdP can be a self-hosted SAML provider (ADFS or other self-hosted option) and does not need to be the same IdP as used by the Delinea Platform.
On-Premises Replica Authentication for Federation-based Login
In the event of a service outage that interrupts federated credential providers (Entra ID, Okta, etc.), users will still be able to log in as long as you have:
- Configured both source and replica to accept those federation services.
- Configured the on-premises replica to use SAML. If the user source is also down, you will only be able to log in with local accounts.
In the event of a service outage, administrators who set up a local account for their on-premises replica will still be able to log in with that account. Any other local accounts you create will also be able to log in.
Frequently Asked Questions
- How does the Secret Server Primary Source connect to the Delinea Platform?
  The Primary Secret Server (Source) is connected to the Delinea Platform via an encrypted connection. On the Delinea Platform, see Settings > Secret Server Connection. At this time, only one connection from the Delinea Platform to Secret Server is possible.
- How are Resilient Secrets licensed? Do you get just Resilient Secrets (Secret Server Cloud) or a new instance of the Delinea Platform + Secret Server Cloud?
  Since Resilient Secrets is a functionality of Secret Server, every instance of Secret Server needs to be licensed. You can only have one instance of the Delinea Platform and Secret Server acting as the Source, but you may choose to purchase multiple Replica instances.
- How does a Secret Server Cloud Replica need to be configured with the Primary Delinea Platform + Secret Server Cloud Source?
  There is no special configuration for Cloud or On-Premises replicas to connect to the Delinea Platform. This is done on the Primary (Source) Secret Server. Please refer to Setting Up Resilient Secrets for more information.
- Will Resilient Secrets work if you have two instances of the Delinea Platform, each connected to its own Secret Server Cloud (for example, two instances of the Delinea Platform and two instances of Secret Server Cloud)?
  No. Secret Server Cloud only supports one Delinea Platform instance (the Source) at a time.
- How do unified roles and permissions in Secret Server Cloud (Platform mode) work with Resilient Secrets?
  In unified mode, your primary instance of Secret Server Cloud (the source) pulls role and permission assignments from the Delinea Platform. This information is then replicated to the replica Secret Server.
- How do you configure Resilient Secrets to ensure you have access to Secrets when the Delinea Platform is NOT available?
  There are two ways you can log in to your Replica instance if the Delinea Platform is not available:
  - Configure SAML: configure SAML with your IdP (identity provider).
  - Log in with local accounts – in the event that everything fails, you will need to have created “break glass” local accounts on the Replica Secret Server. As mentioned in the Best Practices section earlier, Delinea recommends creating these local accounts as soon as you provision the Replica instance.
- How do you configure Resilient Secrets to ensure you have access to Secrets when Entra ID (Azure AD) is not available?
  Configure SAML with your IdP and/or create local accounts on the Replica instance so you can log in when no directory services are available.
  If you create local accounts on the source, they will be copied to the replica.
- How do I download and install Resilient Secrets as a Delinea Platform customer?
  Resilient Secrets is built upon Secret Server. To have Resilient Secrets on-premises you will need to install Secret Server On-Premises (see downloading Secret Server). If you want Resilient Secrets in the Cloud, you will need to have a second instance of Secret Server Cloud.
  Please contact Delinea Sales or Support for purchase questions.
- I’m in the process of transitioning from Secret Server Cloud to the Delinea Platform. I have a Replica instance (on-premises or cloud). Upon standing up the Delinea Platform, tenant secrets are no longer synced.
  - Look for errors in the Resilient Secrets replication logs (Disaster Recovery Log tab on the Replica).
  - If secrets are skipped, some vital data may be missing.
  - Run a manual replication by going back a few years, or by using a date such as 1/1/2000, to perform a full sync. If this does not resolve the issue and you cannot determine the errors from the logs, please reach out to Support and open a case/work item.