IMPORTANT: Due to the level of customization required, One Identity Support is not available for the Secrets Broker Vault add-on. If you require assistance with configuration or setup, please contact One Identity Professional Services or your Account Management contact to arrange a discussion.
 
The Secrets Broker Vault add-on converts the open source Secrets Broker product into a Secrets Broker Vault, which includes a built-in vault and is capable of storing and forwarding credentials using all of the Hashicorp Vault command-line tools. It will also support all of the Hashicorp REST APIs. For information on the open source Secrets Broker product, see One Identity Safeguard for Privileged Passwords - Download Software.
 
While deploying the Secrets Broker Service does not require any prior configuration of the Safeguard for Privileged Passwords appliance, deploying the Secrets Broker Vault Add-on requires some preconfiguration. The following outlines the configuration that must be in place on the Secrets Broker Service as well as on the corresponding Safeguard for Privileged Passwords appliance.
The following are required prior to installing the Secrets Broker Vault:
- Download and install the Safeguard Secrets Broker for DevOps 6.12 or higher from One Identity Safeguard for Privileged Passwords - Download Software.
- Configure the Secrets Broker Service using the web interface:
  - Specify the Safeguard for Privileged Passwords appliance that will be connected to the Secrets Broker Service.
  - Create a new client certificate from a CSR or upload a new client certificate.
  - Import the trusted certificates from the connected Safeguard for Privileged Passwords appliance.
- Purchase and install the Secrets Broker Vault add-on license. Since the Secrets Broker Vault Add-on is an add-on product, it requires an additional license that must be added to the Safeguard for Privileged Passwords appliance that the Secrets Broker Vault has been connected to.
 
Once the Prerequisites have been completed, the Secrets Broker Vault Add-on is ready to be installed on the Secrets Broker Service. By uploading the Secrets Broker Vault Add-on to the Secrets Broker Service, the add-on will automatically convert the Secrets Broker Service into a Secrets Broker Vault.
Deploying the add-on module does not disable any of the existing Secrets Broker Service functionality. The Secrets Broker Vault Add-on is completely additive. Deploying the add-on takes all of the current Secrets Broker functionality and adds an embedded vault that is capable of storing credentials that have been pushed from the Safeguard for Privileged Passwords appliance. These credentials can then be accessed using the existing Hashicorp Vault command line tools. The embedded vault can also be configured with additional functionality in the same way that any other Hashicorp Vault can be modified, such as new secrets engines and authentication methods.
To deploy the Secrets Broker Vault add-on
- Once the open source Secrets Broker service has been installed and configured, use the Upload button in the Add-ons section to upload the .sbao file you received from One Identity upon purchasing the add-on. Secrets Broker Vault validates the license and checks that the add-on .sbao file is valid. If a valid Secrets Broker Vault Add-on license has not been installed on the connected Safeguard for Privileged Passwords appliance, the Upload button will not be available. The Secrets Broker Vault add-on .sbao file automatically converts the open source Secrets Broker service into a Secrets Broker Vault, which includes a built-in vault and is capable of storing and forwarding credentials using all of the Hashicorp Vault command-line tools. It will also support all of the Hashicorp REST APIs.
- Once fully deployed, the Secrets Broker Vault requires that the user open the Secrets Broker Vault settings page and finish the configuration:
  - Click the Secrets Broker Vault button in the Add-ons section.
  - In the Add-on Settings dialog, click the Configuring Add-on button to complete the configuration. Once that is done, the settings page should show that the Secrets Broker Vault add-on is healthy and that it is a valid One Identity add-on.
  - Enter the Secrets Broker Vault Plugin setup page by clicking the Manage Accounts button on the plugin tile.
  - Click the Test Configuration button to test the configuration of the plugin.
 
At this point the Secrets Broker instance should have been converted to a Secrets Broker Vault with the following in place:
- Open Source Secrets Broker service running.
- Embedded vault running alongside the Secrets Broker service.
- Embedded web proxy listening on port 443 and forwarding requests to the Secrets Broker service or the embedded vault.
- Secrets Broker Vault plugin configured to push credentials to the embedded vault.
- The connected Safeguard for Privileged Passwords appliance should have been updated with the following:
  - A new Other type asset that corresponds to the Secrets Broker instance.
  - 5 vault accounts with associated credentials: 1 root account and 4 unseal shards.
  - A new dynamic account group that corresponds to the Secrets Broker instance and contains all of the vault accounts.
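As an added post-deployment check (example code, not part of One Identity's documentation or product): because the embedded vault behind the port 443 proxy answers the standard Hashicorp Vault REST API, a small script can confirm that it is initialized, unsealed, and reports the 4 unseal shards the appliance now holds. The host name, the CA file argument, and the threshold value in the constructed sample responses are assumptions.

```python
"""Check the embedded vault reached through the Secrets Broker Vault proxy.
Added example, not One Identity code; host and CA file are assumptions."""
import json
import ssl
import sys
import urllib.request

# Unauthenticated HashiCorp Vault endpoint that reports seal state.
SEAL_STATUS_PATH = "/v1/sys/seal-status"
# The appliance stores 1 root account and 4 unseal shards for the vault.
EXPECTED_SHARES = 4


def evaluate_seal_status(status: dict) -> list:
    """Return human-readable findings; an empty list means healthy."""
    findings = []
    if not status.get("initialized", False):
        findings.append("vault is not initialized")
    if status.get("sealed", True):
        findings.append("vault is sealed")
    shares = status.get("n")
    if shares != EXPECTED_SHARES:
        findings.append(f"expected {EXPECTED_SHARES} unseal shares, vault reports {shares}")
    threshold = status.get("t")
    if threshold is not None and shares is not None and threshold > shares:
        findings.append(f"unseal threshold {threshold} exceeds share count {shares}")
    return findings


def fetch_seal_status(vault_addr: str, cafile: str = None) -> dict:
    """GET /v1/sys/seal-status over TLS; cafile is the proxy's trusted CA (assumed)."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = vault_addr.rstrip("/") + SEAL_STATUS_PATH
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample responses using the field names Vault returns;
# the threshold "t" of 2 is an assumption, not a value from the page.
SAMPLE_HEALTHY = {"type": "shamir", "initialized": True, "sealed": False, "t": 2, "n": 4, "progress": 0}
SAMPLE_SEALED = {"type": "shamir", "initialized": True, "sealed": True, "t": 2, "n": 4, "progress": 1}

if __name__ == "__main__":
    # Usage: python check_vault.py https://<secrets-broker-host>:443 [ca.pem]
    addr = sys.argv[1] if len(sys.argv) > 1 else None
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    status = fetch_seal_status(addr, cafile) if addr else SAMPLE_HEALTHY
    problems = evaluate_seal_status(status)
    print("OK: embedded vault initialized and unsealed" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Without arguments the script evaluates the constructed healthy sample, so it can be dry-run before pointing it at the proxy.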