
Adding Secrets


To create and configure a secret of any type (used to manage and access a privileged user account), do the following:

1. Log in to the Management Tool.

2. Click the Password Management navigation link (on the left).

3. On the Password Management page that opens, on the Secrets tab, click the Add button (in the top right of the page).

4. In the Add Secret pop-up window that opens, on the Properties tab, in the General section, specify the following:

• Secret Name: A unique name for the secret.

• Secret Type: Select the type of secret required (Active Directory account / Windows account / Unix account (SSH) / Unix account (Telnet) / Web account / MS SQL account).

• Description: A description for the secret (optional).

• Current folder: If required, change the folder in which the secret will be stored (in the Tree-View folder structure).

5. In the Account section below, specify the location and account credentials of the remote account that users will connect to by using the Ekran System Connection Manager, as follows:

• Domain / Computer Name / URL / Server: Enter (or select from the drop-down list) the location of the account to connect to. Which field is shown depends on the type of secret:

- Domain: The Active Directory domain name.

- Computer Name: The hostname (or IP address) of the computer.

- URL: The URL of the web application.

- Server: The hostname (or IP address) of the computer hosting the MS SQL database. A port can also be specified after the hostname, separated from it by a comma (e.g. "sqlhost,1433", 1433 being the default MS SQL port).

• Login: Enter the username of the existing account to be accessed by using the secret.

• Password: Enter the current password of the existing account to be accessed by using the secret.

NOTE: [For the Unix account (SSH) secret type only:] The "Use SSH key" option can also be selected, in which case, instead of entering a Password for the account, a file containing the Private Key needs to be uploaded, and the Private Key Passphrase entered.

NOTE: [For the Windows account and Unix account (SSH) secret types only:] In the File Transfer section, if this functionality is to be used, please refer to the Transferring Files Using the WinSCP Application page.

6. [For the Active Directory account, Windows account, Unix account (SSH) and MS SQL account secret types only:] On the Automation tab, if the Remote Password Rotation functionality is to be used, do the following:

• Enable remote password rotation: Select this checkbox to allow the account's password to be changed automatically (and manually at any time).

NOTE: After a secret has been added, the Rotate Now button is also displayed on the Automation tab when editing it; click it to change the account's password manually at any time.

• Rotate Password Every: Select the frequency at which the account's password will be changed automatically.

NOTE: [For the Windows account secret type only:] For Remote Password Rotation to work, several preconditions must first be met on the remote computer where the Windows account is located (i.e. on the computer that the secret connects to by using the Ekran System Connection Manager).

NOTE: If Remote Password Rotation ever fails, the secret is marked with the red circular error icon next to its name (on the left) in the list of secrets, and the corresponding error event is displayed on the Health Monitoring page. In this case, subsequent automatic password changes will no longer occur.

NOTE: [For the Active Directory account, Windows account and Unix account (SSH) secret types only:] If the File Transfer functionality is to be used, Remote Password Rotation must be enabled and the password must have been rotated at least once before it is possible to transfer files using the WinSCP application.

7. [For the Active Directory account, Windows account, Unix account (SSH) and MS SQL account secret types only:] On the Security tab, security can be enhanced by enabling the Password Checkout functionality, so that only one user can use the secret at any given time, together with the related options, as follows:

• Requires check out: Select this checkbox to enable the Password Checkout functionality, so that only one user can check out the secret's password (i.e. connect to the account that the secret connects to) at any given time.

• Change password on check in: Select this checkbox for the password to be rotated every time the secret's password is checked back in (i.e. every time a user disconnects or is disconnected from the account that the secret connects to).

NOTE: If the File Transfer functionality is to be used, both of the above checkboxes (i.e. "Requires check out" and "Change password on check in") must be selected, before it is possible to transfer files using the WinSCP application.

NOTE: The “Change password on check in” checkbox is completely independent of the “Enable remote password rotation” checkbox (on the Automation tab - see above), both of which can therefore function at the same time without affecting each other.

• Check in automatically after: Select this checkbox and specify a time period, after the expiry of which the secret's password is automatically checked back in (i.e. after which the current user of the secret is forcibly disconnected from the account that the secret connects to).

NOTE: The "Check in automatically after" checkbox is completely independent of the "Allow access without approval during work hours" option (on the Restrictions tab - see below); both can therefore function at the same time, in which case the user is automatically logged off at whichever time period expires first.

• Force Check In (button): Displayed only when editing a secret after it has been added. Click it at any time to manually check the secret's password back in (i.e. to forcibly disconnect the current user of the account that the secret connects to).

8. On the Users & Permissions tab, add the users who will be able to use the secret by clicking the Add button and then selecting the required users / user groups, along with the permissions to be granted to each of them, as follows:

• Role Type permissions must be granted to each user / user group listed, by selecting either Owner, Editor or PAM User in the Role Type column.

• Advanced permissions can also be granted to any of the users / user groups listed, by selecting the checkboxes in the following columns:

- View Password: Allows the user to view and copy the secret's password in Ekran System Connection Manager.

- File Transfer [For the Active Directory account, Windows account and Unix account (SSH) secret types only:] If the File Transfer functionality is configured, allows the user to transfer files using the WinSCP application between the jump server computer (i.e. the computer with the Ekran System Connection Manager) and the remote computer (i.e. the computer accessed by the secret).

NOTE: Alternatively, the users / user groups who will be able to use the secret, along with their permissions, can be inherited from the parent folder (any folder except "All secrets") if that folder has been configured accordingly. To do so, select the "Inherit users and their roles from current folder" checkbox (to inherit the users / user groups together with their Role Type permissions from the current folder) and/or the "Inherit advanced permissions from current folder" checkbox (to inherit the "View Password" and "File Transfer" advanced permissions for those users / user groups from the current folder).

9. On the Restrictions tab, to configure any access restrictions required for the users of the secret, do the following:

• Select the required option:

- Access without any restrictions: If this option is selected, the secret's users will be able to use the secret without any restrictions.

- Always require approval on secret usage: If this option is selected, the secret's users will require approval each time they attempt to use the secret.

- Allow access without approval during work hours: If this option is selected, specify the date range, work hours, and days of the week during which the secret's users will be able to use the secret without approval.

• Users Who Can Approve Access: Select the Management Tool users (i.e. Approvers) who will be able to approve access requests to use the secret.

• Owners or Approvers also require approval: Select this checkbox to also require approval (e.g. by the default admin user) for Owners and Approvers to use the secret.

NOTE: Approvers receive notifications by email, and can approve access either by clicking the link in the email or by way of the Management Tool (see the Access Requests section).

    

10. Click the Save button (in the bottom right) to complete creating the secret.

11. The secret is then added, and can be edited at any time.
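Before uploading a private key file for a Unix account (SSH) secret with "Use SSH key" selected (step 5), it is worth confirming that the key is actually passphrase-protected, otherwise the "Private Key Passphrase" entered for the secret protects nothing and the key material sits in the file in the clear. The following is an added example written for this page, not Ekran System code: it parses the header of an OpenSSH (openssh-key-v1), PKCS#8 or traditional PEM private key to report whether it is encrypted, and refuses the upload for plaintext keys or a missing passphrase. The sample keys at the bottom are constructed header-only stand-ins, not usable key material; which key formats the secret accepts is an assumption, since the page does not say.

```python
import base64
import struct
from typing import Optional, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(key_text: str) -> dict:
    """Classify a private key file and report whether it is passphrase-protected."""
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM/OpenSSH private key file")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()

    if label == "OPENSSH PRIVATE KEY":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(body, off)   # b"none" when unencrypted
        kdf, off = _read_string(body, off)      # b"bcrypt" when passphrase-protected
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}

    if label == "ENCRYPTED PRIVATE KEY":       # PKCS#8, PBES2-wrapped
        return {"format": "pkcs8", "encrypted": True}
    if label == "PRIVATE KEY":                 # PKCS#8, plaintext
        return {"format": "pkcs8", "encrypted": False}

    if label.endswith(" PRIVATE KEY"):         # traditional RSA/EC/DSA PEM
        # Legacy PEM signals encryption with an RFC 1421 header line, not in the DER.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                        for ln in lines[1:])
        return {"format": "pem-" + label.split()[0].lower(), "encrypted": encrypted}

    raise ValueError(f"unsupported key label: {label}")


def ready_for_upload(key_text: str, passphrase: str) -> Tuple[bool, str]:
    """Gate the upload: (ok, reason). Plaintext keys and empty passphrases are refused."""
    info = inspect_private_key(key_text)
    if not info["encrypted"]:
        return False, f"{info['format']} key is not passphrase-protected; re-encrypt it first"
    if not passphrase:
        return False, "key is encrypted but no Private Key Passphrase was given"
    return True, f"{info['format']} key is encrypted ({info.get('cipher', 'pkcs8/pem')})"


# --- constructed sample keys: header fields only, not usable key material ---
def _openssh_sample(cipher: bytes, kdf: bytes) -> str:
    body = OPENSSH_MAGIC
    for s in (cipher, kdf):
        body += struct.pack(">I", len(s)) + s
    body += b"\x00" * 16   # stand-in for the rest of the structure (not parsed here)
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


ENCRYPTED_OPENSSH = _openssh_sample(b"aes256-ctr", b"bcrypt")
PLAINTEXT_OPENSSH = _openssh_sample(b"none", b"none")
ENCRYPTED_RSA_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"   # constructed placeholder, not real DER
    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, key in [("openssh-encrypted", ENCRYPTED_OPENSSH),
                      ("openssh-plaintext", PLAINTEXT_OPENSSH),
                      ("rsa-pem-encrypted", ENCRYPTED_RSA_PEM)]:
        print(name, ready_for_upload(key, "correct horse battery staple"))
```

The check reads only the key's framing: for openssh-key-v1 the cipher and KDF names sit in the clear at the start of the blob, so a key generated without a passphrase shows `cipher=none`. Run it against the file you intend to upload; if it reports a plaintext key, re-encrypt the key (for OpenSSH keys, `ssh-keygen -p -f <keyfile>`) before attaching it to the secret.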
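The Restrictions tab (step 9) and the Security tab (step 7) each impose a time limit on a checked-out secret, and the page states that they act independently, with the user logged off at whichever expires first. The following added example (written for this page, not Ekran System code) models that decision: it evaluates the three Restrictions-tab options, including the exemption for Owners and Approvers unless "Owners or Approvers also require approval" is set, and computes the forced check-in time from the "Check in automatically after" period and the end of the current work-hours window. The configuration dictionary and its field names are assumptions chosen to mirror the tab's labels; the schedule values are constructed sample data.

```python
from datetime import date, datetime, time, timedelta
from typing import Optional

# Constructed sample of the "Allow access without approval during work hours" settings.
WORK_HOURS = {
    "date_from": date(2024, 1, 1),    # date range
    "date_to": date(2024, 12, 31),
    "days": {0, 1, 2, 3, 4},          # days of the week, Monday=0 .. Friday=4
    "start": time(9, 0),              # work hours
    "end": time(18, 0),
}


def in_work_hours(at: datetime, cfg: dict) -> bool:
    """True if `at` falls inside the configured date range, weekday set and hours."""
    return (cfg["date_from"] <= at.date() <= cfg["date_to"]
            and at.weekday() in cfg["days"]
            and cfg["start"] <= at.time() < cfg["end"])


def approval_required(at: datetime, restriction: str, cfg: Optional[dict],
                      is_owner_or_approver: bool = False,
                      owners_also_require_approval: bool = False) -> bool:
    """Decide whether a usage attempt at `at` needs an Approver's decision.

    restriction: "none" (Access without any restrictions),
                 "always" (Always require approval on secret usage) or
                 "work_hours" (Allow access without approval during work hours).
    """
    if restriction == "none":
        return False
    if is_owner_or_approver and not owners_also_require_approval:
        return False          # exempt unless the checkbox is selected
    if restriction == "always":
        return True
    if restriction == "work_hours":
        return not in_work_hours(at, cfg)
    raise ValueError(f"unknown restriction option: {restriction}")


def forced_check_in(checkout_at: datetime, auto_check_in: Optional[timedelta],
                    cfg: Optional[dict]) -> Optional[datetime]:
    """When a password checked out at `checkout_at` is forcibly checked back in.

    auto_check_in: the "Check in automatically after" period, or None if unset.
    cfg: the work-hours window when "Allow access without approval during work
         hours" is selected, else None. A checkout granted outside the window
         (i.e. via approval) is not bounded by the window. The earlier deadline wins.
    """
    deadlines = []
    if auto_check_in is not None:
        deadlines.append(checkout_at + auto_check_in)
    if cfg is not None and in_work_hours(checkout_at, cfg):
        deadlines.append(datetime.combine(checkout_at.date(), cfg["end"]))
    return min(deadlines) if deadlines else None


if __name__ == "__main__":
    late = datetime(2024, 3, 6, 17, 30)    # Wednesday, 30 min before end of work hours
    print(approval_required(late, "work_hours", WORK_HOURS))          # False
    print(forced_check_in(late, timedelta(hours=1), WORK_HOURS))      # 18:00, not 18:30
```

The point to take from `forced_check_in` is that the auto check-in period is not a guarantee of session length: a checkout at 17:30 with a one-hour auto check-in still ends at 18:00 when work hours close, so users should expect the shorter of the two limits.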

