GENEOS - Password Retrieval from HashiCorp Vault

When the Gateway setup is saved, it fetches the password from a HashiCorp Vault and securely passes it to the netprobe in an encrypted manner.

Current Behavior of HashiCorp Vault Token/Password Retrieval:

1. Initial Load without Netprobe Connection:

   • The Gateway does not make any request to the Vault if no Netprobe is connected.

2. Netprobe Connection Established:

   • Once the Netprobe connects, the Gateway requests the Vault for both the token and password.
   • The retrieved password is stored in-memory and can be observed in the Gateway logs if debug logging for ExternalPasswordManager is enabled.
   • The stored password appears in the format +encs+xxxxxx, representing an in-memory reference rather than a physical file.
   • This password is valid for the duration of the session. If the password in the Vault is rotated, the stored password becomes invalid, as the Gateway does not automatically fetch a new password.

3. Password Refresh Mechanism:

   • A new password is retrieved only during a password re-validation, which occurs in the following scenarios:
     • A change is made to the extPwd field of the sampler.
     • The Gateway is restarted.

A feature request has been submitted to add a mechanism for the Gateway to trigger a refresh of external passwords (CyberArk / HashiCorp) dynamically.

If you have any further questions:

• Please contact with our Client Services team via the chat service box available in any of our websites or via email to support@itrsgroup.com
  
  
  
• Make sure you provide to us:
  • ANY LOG FILE OR DIAGNOSTIC
  • ANY SCREENSHOT