Credential managers overview
Rotating the credentials that give machines privileged access is a critical part of maintaining robust security in your datacenter. The credential manager integration lets TLS Protect Cloud retrieve credentials stored in a credential manager when it performs functions such as provisioning certificates to machines.
This allows you to take advantage of TLS Protect Cloud's certificate monitoring and provisioning services while continuing to manage your credentials separately.
VSatellites
The connection between TLS Protect Cloud and your credential service is established through a Venafi VSatellite. A VSatellite is a small piece of software installed on a Linux server in your datacenter that can access both TLS Protect Cloud and your credential service, which makes it the bridge between the two services.
Important
We recommend setting up multiple VSatellites for redundancy. Multiple VSatellites can be applied to a credential connector in TLS Protect Cloud, so if one becomes unreachable, the others remain available.
This diagram illustrates the relationship between the components that allow TLS Protect Cloud to use credential managers.
graph TD
    A[TLS Protect Cloud]
    subgraph Datacenter[" "]
        direction TB
        B[VSatellites]
        subgraph row[" "]
            direction LR
            IL(( ))
            D[Application Server]
            C[Credential Provider]
            E[Application Server]
            IR(( ))
        end
    end
    A --> B
    B <-->|"TLS Protect Cloud<br>Machine connector"| D
    B <-->|"TLS Protect Cloud<br>Credential connector"| C
    B <-->|"TLS Protect Cloud<br>Machine connector"| E
    C <--> D
    C <--> E
    style row fill:none,stroke:none,stroke-width:0
    style IL fill:none,stroke:none,stroke-width:0
    style IR fill:none,stroke:none,stroke-width:0
Next steps
Get started connecting to a credential manager.