Configuration considerations for Secrets Manager applications with the Vault

This topic describes considerations and best practices to configure Secrets Manager applications such as CP, CCP, and Vault Synchronizer with the Vault to optimize Vault performance and reduce overhead.

Following the best practices below will help to avoid potential performance or stability issues with the Vault.

PAM considerations and best practices

  • Make sure that the PAM and Secrets Manager components have not reached the end of their lifecycle. For more information, see End of Life policy.

  • The PAM and Secrets Manager components must have compatible versions installed. For more information about compatibility, see Supported performance configurations.

  • We recommend that you upgrade the PAM and Secrets Manager components to the latest Long Term Support (LTS) version This includes both the Vault, PVWA and the Secrets Manager components to take advantage of all the performance improvements and bug fixes. For more information about LTS version support levels, see LTS Version Support levels.

  • For each Secrets Manager component, plan the Safes and their access and make sure that you follow the guidelines below:

    • Set the least number possible of required Safes for each Secrets Manager component.

    • Set each Secrets Manager component user so that only this user has access to the Safe. Configuring multiple Secrets Manager component users to the same Safe may lead to performance degradation due to the database locking. This only applies to Secrets Manager component users, not human users.

    • Set each Safe so that it only contains the application accounts that are used by the specific Secrets Manager component.

    • Using workflows such as one-time password or exclusive may impact performance. Use workflows only when necessary.

      • You can implement this by planning, storing and managing the accounts in Safes where each Safe is assigned to one Secrets Manager component, and the application accounts stored in the Safe are only those that the Secrets Manager component uses.

  • Configure the Safe properties using the following guidelines:

    • Do not enable the Object Level Access Control (OLAC) property. If you have enabled OLAC for the Safe, you must create a new Safe and move the accounts to the new Safe.

    • We recommend to select account history retention using versions, setting the value to 2 versions. These two versions are the current version and the previous version.

    • If you want to use account history retention by days, the retention result should not exceed a total of 2-3 versions per account. In order to calculate this accurately, you will need to change the retention value or the CPM policy.

      Set the CPM rotation policy so that it is identical for all accounts in a Safe.

      If the CPM rotation policy is not identical for all accounts, duplicate the CPM policy and configure the rotation policy for the new Safe configuration. Then, separate the accounts into different Safes according to the CPM rotation policy.

      Example 1:

      If the CPM rotation policy for all platforms in a Safe is configured to rotate the credentials daily, set the retention to 2 days.

      Example 2:

      If the CPM rotation policy for all platforms in a Safe is configured to rotate the credentials monthly, set the retention to 60 days.

Secrets Manager component considerations and best practices

  • According to system requirements, do not exceed the total number of supported Safes, the accounts per component, or the number of Secrets Manager components per Vault architecture. For more information, see Digital Vault Server.

  • Set the refresh interval the Secrets Manager component to 25 minutes or more.

  • The cache capability must be enabled.

    Setting the refresh interval to less than 25 minutes or disabling the cache capability may result in degradation and instability of the Vault performance.

Example

Scenario

The Secrets Manager component (Credential Providers) is installed on a server that serves three applications. The Secrets Manager component needs access to a total of 10 accounts. These accounts are stored in two different Safes because the other applications installed on the server are managed by different teams.

Implementation

Using a human user, create two dedicated Safes for the Credential Providers component. Configure the Safes with the following settings:

  • OLAC disabled

  • For Saved accounts, select Save the last account versions, with a value of 2

  • Set the CPM to manage the relevant platforms

  • For both Safes, configure the human owners who need access to the Safes

The policy for the accounts in the Safes has Access workflow policies disabled.

Identify the Credential Provider user name used for this server and create the accounts that you need in the dedicated Safes created for this Credential Provider.

Verify that each Safe does not have any other Secrets Manager user that is an owner of the Safe, and add the Credential Provider user as an owner of the Safe.

FAQs

When you add permissions to a Safe, the permissions apply to all the secrets in the Safe. In order to determine if you should add a user to a Safe, and which permissions the human user should have, follow the least privilege best practices below:

  • If all human users should have the same access to the accounts in the Safe, add the user to the Safe.

  • If a human user doesn't need access to all the accounts in the Safe, separate the accounts into a different Safe.

  • Follow the best practices above for new Safes.