Sendense Documentation

Credential Vault

The central credential store on the SHA: encrypted at rest, scoped per appliance, with connection tests - and every supported credential type and its options.


Overview

The Credential Vault is the single central credential store on the SHA, managed under Settings, Credentials. All source-platform, storage, identity, and notification credentials live there.

Credentials are encrypted at rest with AES-256, are never displayed back after saving (sensitive fields show as a masked value), and every action on them is audited. Managing the vault requires an authenticated login.

Scope Decides Which Appliance Uses A Credential

Every credential has a scope that determines which SNA uses it. Sites and appliances do not store credentials themselves - the association comes from the scope. Platform credentials are forwarded to the SNA only for the duration of a request and are never stored on it, so the SNA must be able to reach the source platform on the network.

Global
Any healthy SNA can use the credential.
Specific Site
A healthy SNA at the chosen site uses it. This is the usual choice for platform credentials.
Specific Appliance
The chosen SNA uses it.

Testing, Rotating, And Deleting

  • Test: types that support it show a Test Connection control and store the result as a Verified, Failed, or Untested badge. NFS, CIFS/SMB, and Remote Host SSH validate inputs but do not run a live test.
  • Rotate a password: edit the credential and enter only the new secret; blank fields keep their stored values.
  • Deactivate: mark a credential inactive to stop it being used without deleting it.
  • Delete: deletion is immediate and is not blocked when a credential is in use, so dependent operations fail at next use. Check usage first, and prefer deactivating when unsure.

No automatic rotation

Sendense does not rotate credentials on a schedule. Rotation is an operator action - edit the credential and enter the new secret.

Source Platform Credentials

VMware vCenter
vCenter Host, Username (for example [email protected]), Password; optional Default Datacenter and SSL Thumbprint; Ignore SSL verification is on by default for internal environments. Connection test supported.
CloudStack/OSSEA
API Host, API Key, Secret Key; optional Default Zone and Skip TLS Verification. A default storage backend (ZFS, QCOW2/NFS, Linstor, StorPool, or Raw Block) can be set and is inherited by new VMs unless overridden. Connection test supported.
Nutanix AHV / Prism Element
Prism Element Host, Username, Password; advanced Port (default 9440), Skip TLS Verification (on by default), and iSCSI Data Services IP. Prism Element only, not Prism Central. The test runs from the SNA. Connection test supported.

Storage Credentials

EBA Storage (object storage)
For EBA repositories on object storage: optional Custom Endpoint, Region, Access Key ID, Secret Access Key, and Path-Style URLs. No bucket field - the bucket belongs to the repository. A repository can use a vault credential or keys entered on the repository. Connection test supported.
Azure Blob Storage
Storage Account with an Account Key or Connection String, and an optional Default Container. Connection test supported.
NFS Share
NFS Server, Export Path, and Mount Options. Inputs validated; no live test.
CIFS/SMB Share
Server, Share Name, Username, Password, and optional Domain. Also used for restore-to-server delivery. Inputs validated; no live test.

Identity, Notification, And Host Access

Active Directory
Domain, Domain Controller, Username (UPN), Password, and additional domain controllers for failover; advanced LDAPS, port, base DN, CA certificate, and filters. A successful test can list discovered domain controllers. Connection test supported.
LDAP
LDAP Server, port, STARTTLS or LDAPS, Bind DN and password, Base DN, and CA certificate. Connection test supported.
SMTP Email
SMTP Server, port, optional username and password, STARTTLS or SSL, From Address, and From Name. Connection test supported.
Remote Host SSH
Used to commission a remote EBA host: Host, SSH port, Username, password or private key, optional sudo password, and a required pinned host fingerprint. Inputs validated; no live test.
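
How a pinned SSH host fingerprint of the kind Remote Host SSH requires can be derived from a host public key and checked, as an added example that is not Sendense code. It assumes the OpenSSH SHA256 fingerprint format (the page does not say which format the vault expects); the function names and the sample key line are constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Accept '<type> <base64> [comment]' (a host's .pub file) or
    '<host> <type> <base64>' (known_hosts style); return (type, blob)."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # The blob begins with a length-prefixed copy of the key type.
        # Requiring it to match the declared type rejects mangled input.
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == fields[i].encode():
                return fields[i], blob
    raise ValueError("no SSH public key found in line")


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH style: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pin(line: str, pinned: str) -> bool:
    """True only if the key offered in `line` hashes to the pinned value."""
    _, blob = parse_pubkey_line(line)
    return sha256_fingerprint(blob) == pinned.strip()


def constructed_key_line() -> str:
    """Constructed sample, not a real host key: the ed25519 wire format is
    the string 'ssh-ed25519' followed by a 32-byte key string."""
    ktype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(ktype)) + ktype
            + struct.pack(">I", 32) + bytes(range(32)))
    return "eba-host.example ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    line = constructed_key_line()
    pin = sha256_fingerprint(parse_pubkey_line(line)[1])
    print(pin, matches_pin(line, pin))
```

The pin is only as trustworthy as the channel the public key came from, so read the key from the host's console or another out-of-band source rather than from the same network path the connection will use.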
