Creating a Secrets Vault

KeyControl Security Administrators can create secrets vaults in the webGUI. They cannot, however, manage the boxes or secrets inside a vault.

  1. Log into the KeyControl webGUI using an account with Security Administrator privileges.
  2. In the top menu bar, click Vault.
  3. Select Actions > Create a Secrets Vault.
  4. On the About tab, enter the Name and optional description.

    The vault name can contain standard alphanumeric characters, hyphens (-), underscores (_), and periods (.). It cannot contain spaces or other special characters. The limit is 255 characters.

  5. Click Next.
  6. In the Authentication tab, select the authentication type for the vault tenant users:

    Local User Authentication: Authenticates vault tenant users who access the Secrets Vault Tenant GUI with a password stored in KeyControl.
    Managed Authentication: Uses an external authentication service, such as LDAP/AD, OpenLDAP, or OIDC, to authenticate users.
  7. Click Next.
  8. On the Admin tab, select the initial user account that will have administrative access to the Secrets Vault Tenant GUI.

  9. If Local User Authentication is selected, specify the local user account details. KeyControl creates a new local user that exists only for this vault tenant.

    User Name: The login name for the vault tenant user account.
    Full Name: The full name of the user associated with the account.
    Email: If your system is configured to send email alerts, they are sent to this address.
    Password: Password for the user. The requirements for passwords for local users are the same as for KeyControl local users in general; see Configuring Local Authentication Settings.
    Confirm Password: Confirm the password for the user.
    Password Expiration: The maximum number of days that a password can be used before it expires. When the password has expired, the user is prompted to change it the next time they log in to the Secrets Vault Tenant GUI.

    If Managed Authentication is selected, select the Directory Service that you want to use for the vault tenant. This can be the LDAP Server already configured in KeyControl, or you can provide new LDAP server information (Other LDAP) for this secrets tenant.

    If you choose Other LDAP, complete the following:

    1. Click the blue + (plus sign) in the Directory Service Domain field.

      Enter the following, and then click Save & Close.

      Domain Name: Enter the LDAP domain controller IP address or hostname.
      Domain Netbios Name: Enter the NetBIOS name or subdomain of the DNS domain.
      Domain Controllers: Enter the domain controllers that you want to use. You can specify one or two domain controllers.

    2. Optionally, click the Show Advanced Domain settings link to enter a UID attribute.

      Tip: This is the attribute of the user or group object that is queried during searches.

  10. Choose whether to use a User or Group for the Admin user. This user or group is automatically assigned the Vault Administrator role.

    You can add only one user or one group at this time. Additional administrators can be added after the vault is created by editing the admin access policy in the vault. The initial Admin account used for creating the vault cannot be disabled; if it needs to be changed, replace it in the access policy with another user.

    Tip: You need the CN and DN attributes of the user or group in the non-system domain. Retrieve the following attributes from the AD or OpenLDAP administrator and make sure that they are set correctly for the secrets vault:

    • Active Directory: cn and distinguishedName.
    • OpenLDAP: cn and dn.
  11. Choose the email address to use for vault communication.
  12. Click Create.
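The tip in step 10 asks for the cn and distinguishedName (Active Directory) or cn and dn (OpenLDAP) of the account that becomes the initial Vault Administrator. The following shell snippet is an added example, not part of the KeyControl documentation or product: it builds the ldapsearch query for either directory type and extracts exactly those two values from the LDIF that ldapsearch returns, taking care of two things that trip people up when pasting DNs into the vault configuration: ldapsearch folds long DNs across lines, and it base64-encodes values containing non-ASCII characters (`dn::`). Hostnames, base DNs, bind accounts and the sample LDIF are assumptions.

```shell
#!/bin/sh
# Added example, not part of the KeyControl documentation. Looks up the cn and
# distinguishedName (Active Directory) or cn and dn (OpenLDAP) of the account that
# will become the initial Vault Administrator, using the OpenLDAP ldapsearch client.
# Hostnames, base DNs, bind accounts and the sample LDIF below are assumptions.

# Print the ldapsearch command for the directory type ($1 = ad | openldap) and
# account name ($2). AD is matched on sAMAccountName; OpenLDAP on uid or cn.
vault_admin_query() {
  case "$1" in
    ad)
      printf '%s\n' "ldapsearch -LLL -H ldaps://dc01.corp.example.com -D 'svc-keycontrol@corp.example.com' -W -b 'DC=corp,DC=example,DC=com' '(sAMAccountName=$2)' cn distinguishedName" ;;
    openldap)
      printf '%s\n' "ldapsearch -LLL -H ldaps://ldap.example.com -D 'cn=readonly,dc=example,dc=com' -W -b 'dc=example,dc=com' '(|(uid=$2)(cn=$2))' cn" ;;
    *)
      echo "usage: vault_admin_query ad|openldap <account>" >&2; return 1 ;;
  esac
}

# Read LDIF from stdin and print the two values KeyControl asks for, one per line:
#   cn=<cn>
#   dn=<dn>
# Unfolds LDIF continuation lines (they start with a space), which ldapsearch
# produces for long DNs, and refuses base64-encoded values ("dn::"), which must
# be decoded before they are used in the vault configuration.
extract_cn_dn() {
  awk '
    function take(line) {
      k = index(line, ":")
      if (k == 0) return                          # comment or malformed line
      key = tolower(substr(line, 1, k - 1))
      val = substr(line, k + 1)
      if (substr(val, 1, 1) == ":") { bad = 1; return }   # "attr:: <base64>"
      sub(/^ +/, "", val)
      if (key == "dn" || key == "distinguishedname") dn = val
      else if (key == "cn") cn = val
    }
    /^ / { buf = buf substr($0, 2); next }        # continuation of previous line
    { if (buf != "") take(buf); buf = $0 }        # previous logical line is complete
    END {
      if (buf != "") take(buf)
      if (bad) { print "base64-encoded attribute found; decode it first" > "/dev/stderr"; exit 2 }
      if (cn == "" || dn == "") { print "cn or dn missing from LDIF" > "/dev/stderr"; exit 1 }
      printf "cn=%s\ndn=%s\n", cn, dn
    }'
}

# Example with constructed AD output, including a DN folded the way ldapsearch prints it:
# printf 'dn: CN=KeyControl Vault Admins,OU=Groups,DC=corp,DC=exampl\n e,DC=com\ncn: KeyControl Vault Admins\n' | extract_cn_dn
```

Run the printed ldapsearch command against the same domain controllers you entered in the Directory Service Domain settings, and pipe its output through `extract_cn_dn`; the values it prints are the ones to enter for the Admin user or group. A non-zero exit means the LDIF needs attention (a base64-encoded DN, or no matching entry) rather than a DN that is safe to copy.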