Log Message:
Update security/vault to 0.9.3.

## 0.9.3 (January 28th, 2018)

A regression from a feature merge disabled the Nomad secrets backend in 0.9.2.
This release re-enables the Nomad secrets backend; it is otherwise identical to
0.9.2.

## 0.9.2 (January 26th, 2018)

SECURITY:

* Okta Auth Backend: While the Okta auth backend was successfully verifying
  usernames and passwords, it was not checking the returned state of the
  account, so accounts that had been marked locked out could still be used to
  log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
* Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
  the AppRole, AWS, and Cert auth backends would expire when the max TTL for
  the backend/mount/system was hit instead of their stated behavior of living
  as long as they are renewed. This is now fixed; existing tokens do not have
  to be reissued as this was purely a regression in the renewal logic.
* Seal Wrapping: During certain replication states values written marked for
  seal wrapping may not be wrapped on the secondaries. This has been fixed,
  and existing values will be wrapped on next read or write. This does not
  affect the barrier keys.

DEPRECATIONS/CHANGES:

* `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool
  returned by `sys/health` could be misleading since it would be `false` both
  when a cluster was not a DR secondary but also when the node is a standby in
  the cluster and has not yet fully received state from the active node. This
  could cause health checks on LBs to decide that the node was acceptable for
  traffic even though DR secondaries cannot handle normal Vault traffic. (In
  other words, the bool could only convey "yes" or "no" but \ 
not "not sure
  yet".) This has been replaced by `replication_dr_mode` and
  `replication_perf_mode` which are string values that convey the current
  state of the node; a value of `disabled` indicates that replication is
  disabled or the state is still being discovered. As a result, an LB check
  can positively verify that the node is both not `disabled` and is not a DR
  secondary, and avoid sending traffic to it if either is true.
* PKI Secret Backend Roles parameter types: For `ou` and `organization`
  in role definitions in the PKI secret backend, input can now be a
  comma-separated string or an array of strings. Reading a role will
  now return arrays for these parameters.
* Plugin API Changes: The plugin API has been updated to utilize golang's
  context.Context package. Many function signatures now accept a context
  object as the first parameter. Existing plugins will need to pull in the
  latest Vault code and update their function signatures to begin using
  context and the new gRPC transport.

FEATURES:

* **gRPC Backend Plugins**: Backend plugins now use gRPC for transport,
  allowing them to be written in other languages.
* **Brand New CLI**: Vault has a brand new CLI interface that is significantly
  streamlined, supports autocomplete, and is almost entirely backwards
  compatible.
* **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends,
  create and browse roles and certificates, and issue and sign certificates via
  the listed roles.

IMPROVEMENTS:

* auth/aws: Handle IAM headers produced by clients that formulate numbers as
  ints rather than strings [GH-3763]
* auth/okta: Support JSON lists when specifying groups and policies [GH-3801]
* autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues,
  including HA scenarios for some Gemalto HSMs.
  (Enterprise)
* cli: Output password prompts to stderr to make it easier to pipe an output
  token to another command [GH-3782]
* core: Report replication status in `sys/health` [GH-3810]
* physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730]
* physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730]
* plugins: Args for plugins can now be specified separately from the command,
  allowing the same output format and input format for plugin information
  [GH-3778]
* secret/pki: `ou` and `organization` can now be specified as a
  comma-separated string or an array of strings [GH-3804]
* plugins: Plugins will fall back to using netrpc as the communication protocol
  on older versions of Vault [GH-3833]

BUG FIXES:

* auth/(approle,aws,cert): Fix behavior where periodic tokens generated by
  these backends could not have their TTL renewed beyond the system/mount max
  TTL value [GH-3803]
* auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
  existing role update [GH-3843]
* core/sealwrap: Speed improvements and bug fixes (Enterprise)
* identity: Delete group alias when an external group is deleted [GH-3773]
* legacymfa/duo: Fix intermittent panic when Duo could not be reached
  [GH-2030]