The Vault helps you to manage usernames, passwords, certificates and other sensitive information you need as part of your monitor setup. It’s a centralized way to stay organized, and to keep track of the different usernames you’ve set up for your monitors. Furthermore, having a central place to store the usernames/passwords for your monitors allows you to define them just once, and use them in multiple monitors. Any change you make in a username/password combination in the Vault will at once be applied to all monitors that use that Vault item.
What kind of data can be stored in the Vault?
The Vault supports several types of data, each of which has a particular purpose.
- Credential set: a credential set is a username and password combination. You can use them in monitor types that accept a username/password for authentication, such as Basic/NTLM/Digest authentication in HTTP(S) and Multi-step API monitors, logins in SMTP/POP3/IMAP/SQL/FTP/SFTP, and usernames and passwords used in transaction scripts.
- Certificate archive: this type can store a security certificate, in the form of a PKCS #12 certificate archive (usually a .p12 or .pfx file) that contains a certificate’s private key and its public key. Once uploaded, you can use the certificate as a client certificate in Multi-step API monitors.
- Certificate public key: this type should be used when you’re setting up Single Sign-on for Uptrends. This Vault item type will store the public key that is generated by your Identity Provider (IdP). When your IdP sends SAML login requests to Uptrends, it will sign those requests using a certificate. Uptrends will use the public key you provide to verify that the incoming request is genuinely coming from your IdP.
- File: this vault item type can be used to store files, which can then be uploaded as part of a Self-Service transaction monitor flow. For more information on how to set up file uploads in your transactions, visit our documentation on page interactions in transaction monitors. Any file type or extension is supported, and we’ll automatically set the correct MIME-type (a universal way of specifying file nature and format on the internet), if applicable. The maximum file size is 2 MB.
Is the Vault a security feature?
Sensitive data you put in the Vault is, as the name suggests, stored securely. The data is encrypted before it is stored, and doesn’t get decrypted until that data is actually needed. Sensitive data is never sent back to your browser, even if you’re editing existing Vault items or accessing the Vault through Uptrends' API. Uptrends employees do not get to see your Vault data either.
Adding a new item to the Vault
To access the Vault and review its contents, go to Account > Vault. You can view and update existing items, and add new items by clicking on the Add Vault item button.
When you’re adding a new item to the Vault, start by giving it a unique name. Select the appropriate Vault item type, and optionally fill in a description if you want to add your own notes.
Depending on the type you selected, fill in the following information:
Credential set
A credential set is defined as a combination of a username and password. Please specify both values.
Certificate public key
If you want to add a public key to the Vault, you probably already have a public key file (usually a .pem or .cer file). Please copy the contents of that file into the Public key field. It should be Base64 encoded content that can be read as an X.509 certificate.
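A pre-flight check for the text you are about to paste into the Public key field, as an added example that is not part of Uptrends' documentation or tooling. The function names and the sample data are assumptions made for illustration; the check is structural only (Base64 plus a DER SEQUENCE envelope) and also refuses any text that carries a private key.

```python
import base64
import binascii
import re

# Matches PEM blocks such as -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30) with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_public_key_field(text):
    """Return (ok, reason) for text intended for the Public key field."""
    if "PRIVATE KEY-----" in text:         # private key material must never be pasted
        return False, "contains a private key"
    blocks = PEM_BLOCK.findall(text)
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if blocks and not certs:
        return False, "no CERTIFICATE block found"
    body = certs[0] if certs else text     # no PEM armor: treat as bare Base64
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid Base64"
    if not der_sequence_ok(der):
        return False, "Base64 does not decode to a complete DER SEQUENCE"
    return True, "ok"


def pem_wrap(label, der):
    """Helper for the constructed samples below."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed sample: a DER SEQUENCE envelope around 256 zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
```

A file that passes this check can still be rejected by a full X.509 parser; the check catches truncated copies, non-Base64 content and accidentally pasted private keys before they leave your machine.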
Certificate archive
If you have a certificate archive file (a .p12 or .pfx file) containing your private and public key, select that file in the Upload new archive field. It’s very likely that the archive file is encrypted; please specify the corresponding password in the password field.
File
Files can be uploaded by clicking the Choose file button that appears when the File vault item type is selected. The Name and MIME type properties will be automatically filled in. We recommend you give the vault item a suitable name, so that you can easily refer to it when setting up the file upload actions in your transaction or Multi-step API monitor.
Who can access the Vault?
All items stored in the vault are organized into sections. All accounts start out with one vault section, and each item you store belongs in exactly one section. Since members of the administrators group have exclusive access to all items stored in that default section, all administrators can view and change each vault item.
In some cases, it’s useful to have more control: different operators/groups can have different responsibilities, and it’s generally a good idea to limit access to sensitive data as much as possible.
Limiting vault access to specific people
Access rules for the vault are set at vault section level: you can change the permissions initially set for the default vault section, and you can create additional vault sections and grant access to specific operator groups and individual operators.
Two access levels are available for vault sections:
- Change vault section: operators/groups who have this access level for a vault section can add vault items to that section and remove them from it, update the vault items stored in that section, and manage the access rights for that section.
- View vault section: this access level is needed in order to see the vault items stored in a section, when selecting a vault item for its intended use (as a certificate or credential set in monitor settings, or as a certificate public key in Single Sign-on settings). Important: as soon as a vault item is configured as part of a monitor, edit privileges for that monitor will be restricted to operators who have View rights for the corresponding vault section. Edit privileges will be restricted in order to prevent unauthorized access to the vault item content.
Automating Vault item management using the Vault API
One of the advantages of setting up a Vault item is that any changes to that Vault item will be automatically applied to all monitors that use it. This is useful if you want to adopt a password expiry policy for the credentials used in your monitors. Suppose that those credentials expire every x days in your own network environment. All you have to do is change the content of the Vault item that holds those credentials in Uptrends: the corresponding monitors will automatically start using the updated credentials.
You can take it a step further by automating the Vault item update. You can call Uptrends' Vault API from your own backend to update the credentials in an existing Vault item. For more information, please look at the API documentation.