CyberArk
Prerequisites
For links to the CyberArk documentation on installing and upgrading the PAM components, refer to the References section.
Configuring CyberArk Integration Settings
- Go to Platform > VAULT & SECURITY > PAM.
  The PAM page is displayed.
- Click the + (Add credential) button.
- On the Add credential page, select CyberArk from the left menu.
- From the top right corner of the page, click CyberArk API Settings.
  The CyberArk API Settings pop-up window is displayed.

Table 1. Field descriptions for CyberArk API Settings

| Field | Description |
|---|---|
| *IIS-Server IP/Hostname | Enter the API URL of the cloud machine hosting CyberArk in the format given below. https://<Hostname>:<Port><PathURI>/api/Accounts The default value for <PathURI>, /AIMWebService, is displayed in the text field next to the hostname field. Edit this value as needed. If the <PathURI> parameter is not provided, the default value /AIMWebService is used automatically. |
| *Port | Port number on which the CyberArk APIs are exposed and serviceable. |
| *Data center | Select the appropriate data center where the CyberArk components are located or managed. |
| *Client certificate | Upload the client certificate needed to authenticate and allow the CyberArk API service to communicate with AppViewX. This certificate needs to be configured in the IIS server of the CCP application, and the SN needs to be configured in the CyberArk portal as well, in the application configuration. Only the .pfx format is supported. |
| *Passkey | Enter the passkey for the client certificate uploaded in the .pfx format. |

*: Mandatory fields

- Once the details are entered, click Update.
  The CyberArk Credential Details page is displayed.
  Note: Multiple vaults cannot be added by configuring multiple profiles.
Adding CyberArk Credential Details
- On the Credential Details page for CyberArk, enter the required field information.
Table 2. Field descriptions for Credential details

| Field | Description |
|---|---|
| *Credential name | Name the credential so that users can identify it on the device addition page. |
| Safename / Objectname | Name of the safe/object in the CyberArk Vault where the accounts are created in the CyberArk portal. This field is not mandatory. If it is not entered, all the accounts are searched. |
| Type | To retrieve a credential from the CyberArk vault, select one of the following options: Device (default) or Amazon (AWS/ELB). |
| *User name | User name that has been used in CyberArk Accounts. Note: This field is displayed when the Device type is selected. |
| *App ID | App ID that has been created and authorized to provide access to CyberArk and retrieve credentials. Note: This field is displayed when the Device type is selected. |
| User type | From the drop-down menu, select one of the following: Internal (user created directly/locally in the device for device management) or External (user created in the LDAP Active Directory). Note: The *Server IP Address field is displayed when the User type is selected as External. |
| *Server IP Address | Enter the server IP address if the user has been created in an external Active Directory. It is used for integrating service accounts, particularly when external integration is required. When External is selected, enter the IP address of the (LDAP/AD) server that manages the service account. Note: This field is displayed when the User type is selected as External. |
| *AWS IAM username | User name that has been added in CyberArk. Note: This field is displayed when the Amazon (AWS/ELB) type is selected. |
| *AWS access key ID | Access key ID generated from the AWS management console. Note: This field is displayed when the Amazon (AWS/ELB) type is selected. |

*: Mandatory fields

- Click Save.
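
Added example (not part of the AppViewX or CyberArk documentation): a small Python helper that composes the request URL in the format shown in Table 1, applies the default /AIMWebService path, and rejects values that do not belong in the hostname or port fields. The query parameter names are those of CyberArk's CCP REST interface; the mapping from the form fields to those parameters, the function name and the sample values are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlencode

DEFAULT_PATH_URI = "/AIMWebService"  # default <PathURI> stated on this page


def ccp_accounts_url(hostname, port, path_uri="", *, app_id,
                     safe="", obj="", user_name="", address=""):
    """Return https://<Hostname>:<Port><PathURI>/api/Accounts?<query>.

    Assumed field mapping: App ID -> AppID, Safename -> Safe,
    Objectname -> Object, User name -> UserName, Server IP Address -> Address.
    """
    host = hostname.strip()
    try:
        is_v6 = ipaddress.ip_address(host).version == 6
    except ValueError:
        is_v6 = False
    if is_v6:
        host = f"[{host}]"  # an IPv6 literal needs brackets inside a URL
    elif not host or any(c in host for c in ":/?#@ "):
        # The field takes a bare host: no scheme, port, path or userinfo.
        raise ValueError(f"hostname must be a bare host or IP: {hostname!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not app_id:
        raise ValueError("App ID is mandatory")

    # An empty <PathURI> falls back to the default; normalise the slashes.
    path = "/" + (path_uri or DEFAULT_PATH_URI).strip().strip("/")
    if path == "/":
        path = DEFAULT_PATH_URI

    # Send only the filters that were filled in. urlencode escapes each value,
    # so a name containing '&' or '=' cannot add or alter a parameter.
    fields = [("AppID", app_id), ("Safe", safe), ("Object", obj),
              ("UserName", user_name), ("Address", address)]
    query = urlencode([(k, v) for k, v in fields if v])
    return f"https://{host}:{port}{path}/api/Accounts?{query}"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(ccp_accounts_url("ccp.example.internal", 443, app_id="AppViewX_App",
                           safe="Network Devices", user_name="svc&admin"))
```

Comparing the printed URL with the request recorded in the IIS log of the CCP server is a quick way to confirm that the host, port and path entered in the settings window match what the server actually receives.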