Managing Secrets
Creating Secrets
Each object that is stored within Secret Server is referred to as a Secret. Usually, a Secret will be a username and password combination. Other examples of Secrets can include SSH keys, contact information, or safe combinations.
To create a Secret, use the “Create Secret” widget.
Select the type of Secret you want to create.
Enter the data for the Secret you want to save, and make sure to choose the Folder that the Secret will be saved into. Click Save, and your Secret has been created.
Configuring Secret Templates
Secret Server manages privileged account credentials through a highly configurable system of secrets. Secret Templates are used to create secrets and define object attributes for secrets. Templates can be configured according to account requirements.
The following is a list of Secret Templates that are compliant with Common Criteria standards available in the Government edition of Secret Server:
- Active Directory Account
- Bank Account
- Combination Lock
- Contact
- Credit Card
- Password
- Pin
- Product License Key
- Security Alarm Code
- Social Security Number
- Unix Account (SSH Key Rotation)
To follow Common Criteria standards, navigate to Admin | Secret Templates and click the Active Templates button. Ensure that only the templates listed above are selected in the Active column, then click Save. Users can only create Secrets using templates marked as Active.
To view the object attribute data in a template, select the template from the dropdown list of Active Templates and then click Edit.
Each of the templates listed below holds only object attribute data that is defined locally by Secret Server. The objects (Secret and Template) and their attributes are as follows:
Objects in Secret Server are defined by attribute data. All object attribute data is locally defined by Secret Server.
Object: Secret
- Attributes Inherited from Template: Secret templates dictate the fields each secret contains, the launchers for each secret, and the remote password changer used. They also provide a default expiration, which can be changed on a per-secret basis.
- Command Restrictions: Command restrictions are limited to SSH sessions and allow administrators to create multiple-choice command menus that users can follow. If SSH command menus are enabled, users cannot issue commands directly to the target system.
- Field Data: Each field in a secret template is either “Text,” “Password,” or “Notes.” Password fields can be hidden from users and are updated when a password change has occurred on that secret’s account. Text fields are the standard field type and may include information such as “Domain” or “Username.”
- Folder: Folders in Secret Server store individual secrets. Permissions applied to folders dictate which users can view the secrets inside that folder and which users can see the folders.
- Password Requirements Rule Override: Password requirements can optionally be enforced on a per-template basis. If the password requirement is not enforced, users can manually type any password they want and are notified if they enter a weak password that does not meet the password requirements. If the requirements are enforced, users cannot save the new password until it meets the requirements.
- Policy Identifier: Secret policies are a collection of security and password settings that are applied to individual secrets or folders. Each setting of a secret policy can be configured as either default or enforced. Default allows users to later change the setting. Enforced locks the setting, which cannot be modified on a per-secret basis unless the secret is moved out of the folder that has the secret policy attached. Secret policy settings include items such as “Remote Password Changing Auto Change” and “Requires Approval for Access.”
- Subject Identifier: The secret template of each secret identifies the type of stored password or other data. This lets users see the intended usage of each template.
- Secret Name: The secret name is the label or title that describes the content of each secret. When Secret Server creates secrets automatically, the default naming convention is “host/account” or “domain/account.”
Object: Template
- Field Parameters: Field parameters include username, password, and type. Secrets include a combination of field parameters that vary with user input. Secret type is defined by the template for each secret, such as “Bank Account” or “Active Directory Account.” The number of field parameters is also defined at the secret template level.
- Password Change Policy: Password rotation is enabled or disabled on a per-secret or per-template basis. Password rotation frequency depends entirely on the expiration period for each secret. The default expiration time is 30 days for all secret templates.
- Password Strength Policy: A password policy is a set of instructions on how each new password is created. Administrators must choose a minimum and maximum password length, which character sets are used, and how many characters from each set are required. See section 9.0 for details on setting password requirements.
- Secret Expiration Policy: When a secret reaches its expiration date, it is flagged as “Expired.” If automatic password rotation is enabled for that secret, expiration triggers a remote password change. Expiration can be changed on each secret, but the default expiration period is set at the secret template level.
- Secret Name Pattern: When Secret Server names a secret via the discovery import process, it uses the naming convention “hostname/username” or “domain/username.” This is not enforced, so users can name secrets whatever they want.
- Template Description: Secret template descriptions allow administrators to describe the purpose of a template when they create a new template, which is a best practice to avoid confusion.
- Template Name: The secret template name is what users see in the drop-down menu when they create a new secret. It is also shown on the Secret Browse page so that users can see which secret template is associated with each secret.
- Template Status: Like secrets, secret templates can be disabled so that they are invisible to users unless they choose to view inactive templates. The status is either “enabled” or “disabled.”
- Secret Access Policy: If users have view (or greater) rights, they can see that a secret exists and can open the secret to view its data. If a user does not have view rights, the secret is invisible.
- Secret Modification Policy: Each secret carries individual access permissions that are typically inherited from the secret’s folder. These permissions determine which users can view the secret and which users can edit the secret’s data. A user can have view, edit, or owner permission. With the view permission, a user can view but not modify a secret. The edit permission allows the user to modify field data. The owner permission allows users to grant or revoke access to other users.
Configuring Password Policy for Secret Templates
When creating and rotating passwords for secrets inside of Secret Server, it is important to uphold strong requirements and to use Secret Server to manage changing requirements effectively.
For example, an administrator can set the minimum password length to 6 characters and observe that both a 7-character and a 16-character password are accepted; after raising the minimum length to 8, the 7-character password is rejected while the 16-character password is still accepted.
In Secret Server, password requirements can be set and applied at the Secret Template level. To adjust requirements:
- Navigate to Admin | Secret Templates.
- Select the type of template you want to adjust from the dropdown menu.
- Click Password Requirements to open the Password Requirements page.
- To edit all your organization’s default password requirements on secret templates, select the Default password requirement from the list.
- To create a new password requirement specific to this template, select Create New.
- Adjust the Password Length and Character Set requirements to the needs of your organization. You may assign your new requirement to any Secret Template or templates.
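The password requirement model described above (minimum and maximum length, allowed character sets, and a minimum count from each set) as an added example; this is illustrative code, not Secret Server's own, and the class and function names are assumptions. `run_page_example` reproduces the minimum-length-6-then-8 scenario from the text, and `generate` shows how a compliant password can be drawn from the OS CSPRNG.

```python
# Added example, not Secret Server's own code: a password requirement modelled
# on the policy described above (min/max length, allowed character sets, and a
# minimum count from each set), plus a CSPRNG generator that satisfies it.
import secrets
import string
from dataclasses import dataclass, field

@dataclass
class PasswordRequirement:
    min_length: int
    max_length: int
    # character set name -> (its characters, minimum count required from it)
    charsets: dict = field(default_factory=dict)

    def violations(self, password: str) -> list:
        """Every rule the candidate breaks; an empty list means it is compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        allowed = set("".join(members for members, _ in self.charsets.values()))
        if any(ch not in allowed for ch in password):
            problems.append("uses characters outside the allowed sets")
        for name, (members, minimum) in self.charsets.items():
            if sum(ch in members for ch in password) < minimum:
                problems.append(f"fewer than {minimum} {name} characters")
        return problems

    def is_compliant(self, password: str) -> bool:
        return not self.violations(password)

    def generate(self, length: int) -> str:
        """Generate a compliant password of exactly `length` characters."""
        if not self.min_length <= length <= self.max_length:
            raise ValueError("requested length is outside the policy bounds")
        rng = secrets.SystemRandom()  # OS CSPRNG; never random.Random for secrets
        required = [rng.choice(members) for members, minimum in self.charsets.values()
                    for _ in range(minimum)]
        if len(required) > length:
            raise ValueError("per-set minimums exceed the requested length")
        pool = "".join(members for members, _ in self.charsets.values())
        chars = required + [rng.choice(pool) for _ in range(length - len(required))]
        rng.shuffle(chars)  # so the required characters do not sit at fixed positions
        return "".join(chars)

def run_page_example() -> dict:
    """The scenario from the text: minimum length 6, then raised to 8 (constructed inputs)."""
    sets = {"lower": (string.ascii_lowercase, 1), "digit": (string.digits, 1)}
    lax = PasswordRequirement(min_length=6, max_length=32, charsets=sets)
    strict = PasswordRequirement(min_length=8, max_length=32, charsets=sets)
    seven, sixteen = "abcdef1", "abcdefghijklmno1"
    return {
        "min6_accepts_7": lax.is_compliant(seven),
        "min6_accepts_16": lax.is_compliant(sixteen),
        "min8_rejects_7": not strict.is_compliant(seven),
        "min8_accepts_16": strict.is_compliant(sixteen),
        "generated_12_compliant": strict.is_compliant(strict.generate(12)),
    }
```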
Authentication Strength for Non-Password Credentials
Secret Server uses RSA keys of 2048 bits or higher for secure authentication. These SSH keys are non-password credentials that can be managed by Secret Server. To ensure that these are maintained up to encryption standards, make sure that your Unix Account (SSH Key Rotation) Template is configured with an SSH Key Bit Size of 2048 or higher.
By default, the Government Edition of Secret Server will set this Template setting to 2048.
To adjust the bit size:
- Navigate to Admin | Secret Templates.
- Select Unix Account (SSH Key Rotation) from the dropdown list.
- Click the Edit button.
- From the Secret Template Designer page, click Edit to adjust settings. You can increase the bit size to 4096 from the default setting of 2048 if you choose, but do not lower this setting to 1024.
To create, store, and manage SSH keys in Secret Server, users must use this Unix Account (SSH Key Rotation) Template. This means an SSH key is created only when the standard key size is enforced.
Configuring Remote Password Changing for SSH Key Rotation
Security Overview for SSH Key Rotation and PuTTY Launcher
SSH Key Rotation allows you to manage your Unix account private keys and passphrases as well as their passwords. The public/private key pair is regenerated and the private key is encrypted with a new passphrase any time a secret's password changes, either manually or automatically. The public key is then updated on the Unix machine referenced on the secret.
To use the default SSH Key Rotation commands, the machine being managed must meet the following minimum requirements:
- SSH key logins in OpenSSH format should be enabled on the target using keys. A secret can be created with keys in PuTTY format, but they will be converted to OpenSSH when the key is rotated.
- Public keys should be stored in [~userhome]/.ssh/authorized_keys (not authorized_keys2).
- Grep and Sed should be installed on the target.
- If doing a privileged SSH Key Rotation, where a privileged user sets the key for another user, the privileged user must have sudo permissions that do not prompt for a password, as well as permissions to edit the user’s authorized keys file with sudo.
If a system does not meet these requirements it may still be possible to do key rotation by modifying the key rotation command sets.
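The step the rotation above performs on the target, installing the new public key in authorized_keys and retiring the old one, as an added example; this is illustrative Python, not Secret Server's command set (which uses grep and sed on the host), and the function names and the sample key lines are constructed.

```python
# Added example (not Secret Server's own command set): the authorized_keys
# update that the rotation above performs on the target, i.e. install the new
# public key and retire the old one without touching any other key in the file.
import os
import tempfile

class RotationError(Exception):
    """The file does not contain exactly the key we expect to rotate."""

def key_identity(line: str):
    """(key type, base64 body) of an authorized_keys line, or None for blanks/comments.

    The comment field is ignored, so a re-labelled copy of the same key still matches.
    Lines with an options prefix (e.g. no-pty,command="...") are not handled here.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    return parts[0], parts[1]

def rotate_authorized_key(lines: list, old_pubkey: str, new_pubkey: str) -> list:
    """Return a copy of the authorized_keys lines with old_pubkey swapped for new_pubkey."""
    old_id, new_id = key_identity(old_pubkey), key_identity(new_pubkey)
    if old_id is None or new_id is None:
        raise RotationError("malformed public key")
    matches = [i for i, line in enumerate(lines) if key_identity(line) == old_id]
    if len(matches) != 1:
        # 0 copies: the vaulted secret is out of sync with the host.
        # 2+ copies: unexpected state. Either way, refuse rather than guess.
        raise RotationError(f"expected one copy of the old key, found {len(matches)}")
    if any(key_identity(line) == new_id for line in lines):
        raise RotationError("new key is already authorized")
    rotated = list(lines)
    rotated[matches[0]] = new_pubkey.rstrip("\n") + "\n"
    return rotated

def write_authorized_keys(path: str, lines: list) -> None:
    """Replace the file atomically so a crash mid-write cannot lock the account out."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as fh:
        fh.writelines(lines)
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, 0o600)  # sshd StrictModes rejects group/world-writable files
    os.replace(tmp, path)

# Constructed sample file; the key bodies are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-OTHER admin@bastion\n",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-CONSTRUCTED-OLD svc@secretserver\n",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-CONSTRUCTED-BACKUP backup@host\n",
]
OLD_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-CONSTRUCTED-OLD svc@secretserver"
NEW_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-CONSTRUCTED-NEW svc@secretserver"
```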
Creating a Unix Account (SSH Key Rotation) Secret
Under Secret Server’s Common Criteria compliance standards, you can set up Secret Server to rotate SSH Keys for Unix Accounts.
To set up a Launcher, you need a Unix Account (SSH Key Rotation) Secret that is connected to a remote machine.
To create a Unix Account (SSH Key Rotation) Secret:
- From the Home Dashboard, select the Unix Account (SSH Key Rotation) Template from the Create Secret widget.
- Enter a Secret Name, Machine Name, Username, and Password for the Unix/Linux Account.
- Select the SSH Private Key by browsing to it on your machine.
- Enter the Private Key Passphrase for the SSH Key. If there is a corresponding Public Key, upload that as well.
- Specify which Secret Server folder you want to store the Key in if it differs from the default folder path. Likewise, determine which secret policies you want to assign to this SSH key, if any.
To automatically rotate the private and public SSH key pairing upon clicking Save, click Generate New SSH Key. This action is a security measure to ensure that no one can access your SSH key unless they are doing so through Secret Server’s vault.
Enabling the Launcher
By default, the Launcher is enabled.
To verify this, click on Admin | Configuration. Check the Enable Launcher Setting to ensure that this is set to Yes.
Using the Launcher
Note: SSL Certificates must be properly configured or the Launcher will fail to connect. If you receive a certificate error such as a host name mismatch when you try to connect to Secret Server, you must resolve the cause of the error before the PuTTY launcher will function. For directions on setting up certificates, see section 11.2 Configuring X.509v3 Certificates.
- From your Home screen, click the SSH secret.
- Click View Secret.
- Click the PuTTY Launcher icon.
The first time you perform this task you will receive a “Protocol Handler Failed to Launch” message. Select the type of launcher you need and run the .msi file. Secret Server will download a very small process called a Protocol Handler that facilitates the connection between your machine and the endpoint. Once the Protocol Handler is downloaded, close the “Failed to Launch” window and refresh your browser page.
- Click the launcher icon on the secret, and provide the machine name if prompted. The credentials will be passed along to the launcher, which will open the appropriate PuTTY session.
Enable Remote Password Changing
- Navigate to Admin | Remote Password Changing.
- Click Edit.
- Check to select Enable Remote Password Changing.
- Click Save.
Rotate SSH Key Remotely
- Navigate back to the SSH Key Rotation Secret’s View screen.
- At the bottom of the screen, click the Change Password Remotely button.
- From the Change Password Remotely screen, generate a new Password and Passphrase for your new SSH Key.
- Next to Generate New SSH Key, leave the toggle checked.
- Click Change. You will be directed to a Password Scheduled for Change screen.
- Click Back to return to your secret’s Remote Password Changing tab.
- Navigate to the General tab.
- Verify that a new password is listed. In the screenshot below you can see the previous passwords listed in the Notes section, confirming that the rotation was effective.
- Click the PuTTY Launcher icon to confirm that Secret Server can still connect to the Unix/Linux machine using the newly rotated SSH Key.
Secret Expiration
A core feature of Secret Server is Secret expiration. Any template can be set to expire within a fixed time interval. For a Secret to expire, a field must be selected as the target of the expiration. For example, a Secret template for Active Directory accounts might require a change on the password field every 90 days. If the password remains unchanged past the specified length of time, that Secret is considered expired and appears in the Expired Secrets widget on the Dashboard or on the Home page.
Secret expiration provides additional security by reminding users when sensitive data requires review. This can assist in meeting compliance requirements that mandate certain passwords be changed on a regular basis. When expiration is combined with Remote Password Changing, Secret Server can completely automate the process of regularly changing entire sets of passwords to meet security needs.
Setting up Secret Expiration for the Secret template
To set up expiration on a Secret, you must first enable expiration on the template from which the Secret is created.
To enable Secret expiration for a Secret template, navigate to Administration | Secret Templates. In the Manage Secret templates page, select the template from the dropdown list and click the Edit button. In the Secret template Designer page, click on the Change link. On this subsequent page, check the Expiration Enabled? box. You can now enter the expiration interval (every x number of days) as well as the field on the Secret you wish to expire and require to be changed. The interval setting can be overridden for each individual Secret.
Enabling expiration for a template will enable expiration for all the Secrets that were created using this template.
Setting up Secret Expiration for the Secret
Now that expiration has been enabled for the template, Secret expiration is enabled for the Secrets that were created using that template as well as Secrets created in the future. The Expiration tab will appear on the Secret View page and requires the user to have Owner permission on the Secret. If you would prefer to set a custom expiration at the Secret level, you can adjust the interval of expiration for the Secret by clicking the Expiration tab in the Secret View page. In the Expiration tab, you can set the Secret to expire using the template settings (default), a custom interval, or a specific date in the future.
Forcing Expiration
To force expiration, navigate to the Secret View page. From there, click Expire Now. This will force the Secret to expire immediately regardless of the interval setting. The expiration date will read "Expiration Forced".
Resetting an Expired Secret
To reset an expired Secret, you will need to change the field that has expired and is required to change. For example, if the field set to expire is the Password field and the current Password is "asdf", then a change to "jklh" will reset the expiration interval and thus remove the expiration text on the Secret View page.
If you do not know which field is set to expire, you will need to go to the Secret template that the Secret was created from. Navigate to Administration | Secret Template and select the template. Click the Edit button and then on the next page, click the "Change" link. In the "Change Required On" textbox you will see the field that is set to expire.
AutoChanging an Expired Secret
Remote Password Changing (RPC) is enabled under Administration | Remote Password Changing. Click Edit to enable Remote Password Changing, Secret Heartbeat, and Secret Checkout. Once enabled, all Secret templates with RPC configured will be available to use RPC.
The Remote Password Changing tab contains the settings for configuring RPC on an individual Secret. Enabling AutoChange on a Secret will allow Secret Server to Remotely Change the Password when it expires. The user must have Owner permission on the Secret to enable AutoChange. When editing on the RPC tab, the Next Password field can be set. If left blank an auto-generated password will be used.
To auto-change passwords based on secret expiration leave the AutoChange schedule set to "None."
If the password change fails, Secret Server will flag the Secret as Out of Sync and continue to retry until it is successful. If the Secret cannot be corrected or brought In Sync, manually disabling AutoChange will stop the Secret from being retried.
Setting the Password Change Retry Interval
Secret Server checks for expired secrets once every minute. However, if a previous password change attempt failed, Secret Server will not immediately try to change that password again the next time expired secrets are checked. Each secret template has a "Retry Interval" that it uses to determine how often to attempt retries of failed password changes. This exists to prevent unavailable machines or network connection issues from overwhelming the server or network with potentially thousands of password change requests at once. The default retry interval is one hour. To change the default, navigate to Admin | Secret Templates, select the template you wish to change from the dropdown menu, and click Edit.
At the bottom of the Secret Template Designer page, click Configure Password Changing.
On the Secret Template Edit Password Changing page, click Edit. Adjust the Days, Hours, and Minutes values of the Retry Interval. You can also adjust the Maximum Attempts if you want Secret Server to stop attempting to change the password after a specified number of failures. Click Save when done.
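The expiration, AutoChange and retry behaviour described in this section, as an added example that models the rules rather than reproducing Secret Server's scheduler; the class and function names are assumptions, while the defaults (30-day expiration, one-hour retry interval, a check every minute) are the ones the text gives. `demo_recovers` and `demo_exhausted` are constructed scenarios: a host that is unreachable for two attempts and then recovers, and a template with Maximum Attempts set to 2 against a host that never comes back.

```python
# Added example, not Secret Server's scheduler: a model of the expiration and
# retry rules described above, with the defaults the text gives.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class TemplatePolicy:
    expiration_days: int = 30                       # template default
    retry_interval: timedelta = timedelta(hours=1)  # wait between failed changes
    max_attempts: Optional[int] = None              # None: retry until it succeeds

@dataclass
class SecretState:
    last_changed: datetime
    autochange: bool = True
    expiration_days: Optional[int] = None           # per-secret override
    expiration_forced: bool = False                 # set by "Expire Now"
    failed_attempts: int = 0                        # > 0 means Out of Sync
    last_attempt: Optional[datetime] = None

def next_action(secret, policy, now) -> str:
    """What the once-a-minute check does with this secret at `now`."""
    days = policy.expiration_days if secret.expiration_days is None else secret.expiration_days
    if not secret.expiration_forced and now - secret.last_changed < timedelta(days=days):
        return "ok"
    if not secret.autochange:
        return "expired"            # flagged for a person to change manually
    if policy.max_attempts is not None and secret.failed_attempts >= policy.max_attempts:
        return "retries_exhausted"  # left Out of Sync until someone intervenes
    if secret.last_attempt is not None and now - secret.last_attempt < policy.retry_interval:
        return "wait"               # failed recently; honour the retry interval
    return "change"

def simulate(secret, policy, start, minutes, try_change):
    """Tick the check once per minute; return the minutes at which a change was attempted."""
    attempts = []
    for minute in range(minutes):
        now = start + timedelta(minutes=minute)
        if next_action(secret, policy, now) != "change":
            continue
        attempts.append(minute)
        secret.last_attempt = now
        if try_change(now):  # remote password change (and key rotation) succeeded
            secret.last_changed, secret.failed_attempts, secret.expiration_forced = now, 0, False
        else:
            secret.failed_attempts += 1
    return attempts

def demo_recovers() -> list:
    """Constructed: 31-day-old secret, host unreachable for the first two attempts."""
    start = datetime(2024, 1, 1, 9, 0)
    secret = SecretState(last_changed=start - timedelta(days=31))
    outcomes = iter([False, False, True])
    return simulate(secret, TemplatePolicy(), start, 200, lambda now: next(outcomes))

def demo_exhausted() -> str:
    """Constructed: Maximum Attempts 2 on the template, host never comes back."""
    start, policy = datetime(2024, 1, 1, 9, 0), TemplatePolicy(max_attempts=2)
    secret = SecretState(last_changed=start - timedelta(days=31))
    simulate(secret, policy, start, 200, lambda now: False)
    return next_action(secret, policy, start + timedelta(minutes=200))
```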