CyberArk

CyberArk is a well-known PAM solution that focuses on protecting privileged accounts, credentials, and secrets.

Prerequisites for Integrating CyberArk with AppViewX

Ensure all PAM components are correctly installed before proceeding with the integration.

For links to the CyberArk documentation for installing and upgrading the PAM components, see the References section.

Configuring CyberArk Integration Settings

To configure integration settings for the CyberArk vault:
  1. Go to Platform > VAULT & SECURITY > PAM.
    The PAM page is displayed.
  2. Click the + (Add credential) button.
  3. On the Add credential page, select CyberArk from the left menu.
  4. From the top right corner of the page, click CyberArk API Settings.
    The CyberArk API Settings pop-up window is displayed.
    Table 1. Field descriptions for CyberArk API Settings
    Field Description
    *API Profile Name Enter a unique name to identify the API profile. Multiple profiles can be created to retrieve credentials securely from environment-specific CyberArk vaults
    *IIS-Server IP/Hostname Enter the API URL of the cloud machine hosting CyberArk in the format given below.

    https://<Hostname>:<Port><PathURI>/api/Accounts

    The default value for <pathURI>, /AIMWebService, is displayed in the text field next to the hostname field. Edit this value as needed. If the <pathURI> parameter is not provided, the default value /AIMWebService will be used automatically. Aditionally, for each API Profile the hostname can vary.
    *Port Port number on which CyberArk API's are exposed and servicable.
    *Data center Select the appropriate data center where the CyberArk components are located or managed. It is used to perform the communication.
    *Client certificate Upload the Client Certificate needed to authenticate/allow the CyberArk API service to communicate with AppViewX, this certificate needs to be configured in IIS server of the CCP application and the SN needs to be configured in Cyberark portal as well in the application config., supports only pfx format.
    *Passkey Enter the passkey for Client Certificates uploaded in the .pfx format.
    *: Mandatory fields
  5. Once the details are entered, click Update.
    The CyberArk Credential Details page is displayed.
    Note: Multiple vaults can not be added by configuring multiple profiles.

Adding CyberArk Credential Details

To configure credential details for the CyberArk vault:
  1. On the Credential Details page for CyberArk, enter the required field information.
    Table 2. Field descriptions for Credential details
    Field Description
    *Credential name Enter a unique name to identify the credential in AppViewX
    *API Profile name Select the specific API profile name.
    Safename / Objectname Name of the safe/object in CyberArk Vault where credentials are stored. This field is not mandatory. If not entered, it will search credentials from all the Safes.
    Type Choose the Account type linked with the Credential, select one of the following options:
    • Device (default) - Use this for device credentials.
    • Amazon (AWS/ELB) - Use this for AWS/ELB credentials.
    • Microsoft Azure - Use this for Microsoft Azure credentials.
    *User name Enter the User name that has been stored in CyberArk.
    *App ID Enter the App ID which is a unique identifier that has been created and authorized to to retrieve credentials from CyberArk.
    User type This field is displayed when Type = Device.

    From the drop-down menu, select one of the following:

    • Internal (Local user account from CyberArk for device management).
    • External (External User account managed by LDAP/AD in CyberArk).
    Test IP Address This field is displayed when the User type is selected as Internal.

    Enter the IP Address / FQDN to verify credentials from Cyberark.
    *Server IP Address This field is displayed when the User type is selected as External.

    Enter the LDAP/AD server's IP address/FQDN for external user accounts.

    The server IP Address has to be entered if the user has been created in an external active directory. It is utilized for integrating service accounts, particularly when external integration is required. By selecting "external," the input of the server's (LDAP/AD) IP address is taken, which manages the service account.
    *AWS access key ID This field is displayed when the Amazon (AWS/ELB) type is selected.

    Enter the AWS access key ID generated from the AWS Management Console.
    *: Mandatory fields
  2. Click Test Connection.
    When you click the Test Connection button, the system sends a request to CyberArk and verifies whether it receives a valid API response. If the response is received successfully, the system marks the vendor connection as successful with the message Credential validated successfully. If the connection fails, the message Error in validating credentials is displayed. Additionally, a pop-up is displayed with the vendor error code, short description of the error along with the Remediation Recommendations.
  3. Click Save.