Creating a CyberArk connector

A connector is required if you want to connect Trust Protection Platform to a CyberArk Enterprise Vault. For detailed information on CyberArk, including prerequisites for configuration, see Using CyberArk with Trust Protection Platform.

Before you continue, set up CyberArk correctly. See Getting CyberArk ready for integration with Trust Protection Platform.

The CyberArk connector works with all Venafi Trust Protection Platform servers that connect to the same database.

To create a CyberArk connector

  1. On the Venafi Trust Protection Platform server, open the Venafi Configuration Console and open the Connectors node.
  2. In the Actions panel, click Create CyberArk Connector.
  3. (Conditional) If requested, enter your Venafi Trust Protection Platform administration credentials.
  4. In the Create CyberArk Connector window, complete the following fields:

    Field / Description

    Description

    Type any additional information that describes this connection.

    For example, the description could include the name of the server where the CyberArk Application Identity Manager (AIM) is installed.

    Privileged Account Security Web Services URI

    Enter the location of your CyberArk Password Vault Web Access (PVWA) endpoint. For example:

    https://webservices.host.com:1234/PasswordVault/WebServices or https://example.privilegecloud.cyberark.com/PasswordVault/

    Use Proxy

    Check the Use Proxy box if you want the proxy to manage the CyberArk connection. This setting applies to the interaction between Trust Protection Platform, CyberArk Password Vault Web Access (PVWA), and Central Credential Provider. The Application Identity Manager (AIM/AAM) is a standalone software component that is not covered by this setting; it requires additional Vault.ini configuration, as detailed in the CyberArk Application Identity Manager Implementation Guide.

    Web Service User

    Type the user name you created for Trust Protection Platform to use when verifying the permissions a user has been granted to a CyberArk safe.

    NOTE: This field is not applicable when Certificate (PKI) is selected as the Service Account Authentication Method.
    NOTE: This is a service account. The account must have the View safe members permission on every safe from which end users are allowed to retrieve secrets. Refer to Check permissions on safe members for more details.

    Web Service Password

    Type the password for the user you created for Trust Protection Platform to use to verify CyberArk safe permissions.

    NOTE: This field is not applicable when Certificate (PKI) is selected as the Service Account Authentication Method.

    Service Account Authentication Method

    Select the authentication method to use to authenticate to the vault. Supported methods include CyberArk (1st gen API), CyberArk (2nd gen API), LDAP (2nd gen), RADIUS (2nd gen), Windows (2nd gen), and Certificate (PKI).

    NOTE: When the Certificate (PKI) authentication method is selected, you MUST specify the certificate credential in WebAdmin > Credentials tree > Credential Drivers > CyberArk Connector.

    SCIM Server URI (optional)

    If you have a configured CyberArk SCIM server, add the SCIM service address.

    For example: https://scimserver.example.com/CyberArk/scim/v2

    The main scenario in which Trust Protection Platform uses the CyberArk SCIM server is when the end user (CyberArk, LDAP, RADIUS or Windows) retrieving the account (secret) is not a direct member of a safe but is a member of a CyberArk group. In this case the SCIM Server URI, SCIM Server User and SCIM Server Password MUST be provided on the CyberArk connector (see the TPP setup for CyberArk when retrieving accounts section). The group itself MUST be a member of the safe and MUST have the Retrieve accounts or Use accounts permission on the safe for the end user to successfully retrieve the account (secret).

    SCIM Server User

    SCIM Server Password

    Enter the SCIM server user name and password that Trust Protection Platform uses, together with the SCIM Server URI above, to authenticate to your SCIM server.

    This is a service account created by the CyberArk administrator for use by Trust Protection Platform. This user MUST be able to authenticate to the CyberArk SCIM server.

    Following successful authentication, your CyberArk connector setup is complete.

    DID YOU KNOW?  If you specify the correct SCIM server URL, user name and password and authentication to the SCIM server still fails, then Trust Protection Platform falls back to authenticating with the CyberArk user name and password (the Web Service User credentials above).

    Password Retrieval Method

    Select a method to use for password retrieval.

    • If you select Windows Credential Provider (AIM/AAM Agent), then select a version from Windows Credential Provider Version.
    • If you select Central Credential Provider, then enter the Central Credential Provider Web Service URL. If you use Central Credential Provider, you do not need to install the CyberArk AIM/AAM agent on a Trust Protection Platform server.
      To configure certificate-based authentication to Central Credential Provider, see Configuring and editing the CyberArk Credentials driver in the Policy Tree.

    DID YOU KNOW?  You can find the installed version of the Windows AIM/AAM Agent using RDP to the machine where the AIM/AAM agent is installed. Then open Programs and features and search for the CyberArk AIM/AAM Agent installation in the list and check its version.


    Windows Credential Provider Version

    This option is only available when Windows Credential Provider (AIM/AAM Agent) is selected.

    Select the version of the Windows AIM/AAM agent.


  5. Click Create.
  6. Restart IIS.

You can see the new connector in the Credential Connectors section of the Venafi Configuration Console. You will also be able to see the connector, as well as the new server user credential that was created, in Policy Tree, in the Credentials tree.

NOTE  Trust Protection Platform only supports one CyberArk connector. You cannot connect to multiple CyberArk vaults.
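Before you click Create, it is worth confirming that the values you are about to enter will actually work: that the Privileged Account Security Web Services URI normalises to a usable logon endpoint for the chosen Service Account Authentication Method, that the Web Service User holds View safe members on the safes in scope, and that each end user reaches a Retrieve accounts or Use accounts grant either directly or through a CyberArk group that must be resolved via SCIM. The following Python script is an added example written for this page; it is not Venafi or CyberArk code. The REST logon paths, the safe-member record shape (GET /API/Safes/{safe}/Members) and the SCIM user shape are assumptions taken from the CyberArk PAS REST API and the SCIM 2.0 core schema, and the safe members, user names and group names are constructed sample data.

```python
"""Pre-flight check for the values entered in the Create CyberArk Connector window.

Added example; not Venafi or CyberArk code. Assumed (not taken from the page):
the PVWA logon paths follow the CyberArk PAS REST API (1st gen
CyberArkAuthenticationService.svc, 2nd gen /API/auth/<method>/Logon), safe member
records follow GET /API/Safes/{safe}/Members, and the SCIM user record follows the
SCIM 2.0 core schema. All sample data below is constructed.
"""
import json
import ssl
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Service Account Authentication Method -> logon path under /PasswordVault (assumed API paths)
LOGON_PATHS = {
    "CyberArk (1st gen API)": "/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon",
    "CyberArk (2nd gen API)": "/API/auth/CyberArk/Logon",
    "LDAP (2nd gen)": "/API/auth/LDAP/Logon",
    "RADIUS (2nd gen)": "/API/auth/RADIUS/Logon",
    "Windows (2nd gen)": "/API/auth/Windows/Logon",
}


def pvwa_base(uri):
    """Normalise the PVWA URI to https://host[:port]/PasswordVault. Both example
    forms on the page reduce to this. Plain http is refused because the Web
    Service Password would otherwise cross the network in clear text."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "https":
        raise ValueError("PVWA URI must use https, got %r" % parts.scheme)
    path = parts.path.rstrip("/")
    idx = path.lower().find("/passwordvault")
    if idx < 0:
        raise ValueError("PVWA URI must contain /PasswordVault")
    return urlunsplit((parts.scheme, parts.netloc, path[: idx + len("/PasswordVault")], "", ""))


def logon_url(uri, method):
    """Logon endpoint for the selected Service Account Authentication Method."""
    if method == "Certificate (PKI)":
        raise ValueError("PKI authentication uses the certificate credential under "
                         "Credential Drivers > CyberArk Connector, not a password logon")
    return pvwa_base(uri) + LOGON_PATHS[method]


def logon(uri, method, username, password, cafile=None):
    """POST the Web Service User credentials and return the session token.
    Network call; the offline sample at the bottom does not exercise it."""
    ctx = ssl.create_default_context(cafile=cafile)  # keeps certificate verification on
    req = Request(logon_url(uri, method),
                  data=json.dumps({"username": username, "password": password}).encode(),
                  headers={"Content-Type": "application/json"})
    with urlopen(req, context=ctx, timeout=30) as resp:
        body = json.load(resp)
    # 1st gen wraps the token as {"CyberArkLogonResult": "..."}; 2nd gen returns a bare string
    return body["CyberArkLogonResult"] if isinstance(body, dict) else body


def _member_perms(members, name, member_type):
    """Permissions of the named User or Group on the safe, or None if not a member."""
    for m in members:
        if m["memberName"].lower() == name.lower() and m["memberType"] == member_type:
            return m.get("permissions", {})
    return None


def _can_retrieve(perms):
    return bool(perms.get("retrieveAccounts") or perms.get("useAccounts"))


def service_account_ok(members, web_service_user):
    """Web Service User NOTE: the service account needs View safe members on the safe."""
    perms = _member_perms(members, web_service_user, "User")
    return bool(perms and perms.get("viewSafeMembers"))


def scim_groups(scim_user):
    """Group display names from a SCIM 2.0 User resource (its 'groups' attribute)."""
    return [g.get("display", g.get("value")) for g in scim_user.get("groups", [])]


def check_end_user(members, user, scim_user=None):
    """Rule from the SCIM Server URI description: a direct member with Retrieve
    accounts or Use accounts succeeds; otherwise group membership has to be
    resolved through SCIM and the group itself must carry that permission."""
    perms = _member_perms(members, user, "User")
    if perms and _can_retrieve(perms):
        return True, "direct member"
    if scim_user is None:
        return False, "not a direct member; SCIM Server URI, User and Password are required to resolve groups"
    for group in scim_groups(scim_user):
        gperms = _member_perms(members, group, "Group")
        if gperms and _can_retrieve(gperms):
            return True, "via group " + group
    return False, "no safe membership grants Retrieve accounts or Use accounts"


# Constructed sample data (not from a real vault)
SAFE_MEMBERS = [
    {"memberName": "svc-tpp", "memberType": "User",
     "permissions": {"viewSafeMembers": True, "listAccounts": True, "retrieveAccounts": False}},
    {"memberName": "alice", "memberType": "User",
     "permissions": {"retrieveAccounts": True, "viewSafeMembers": False}},
    {"memberName": "AppOwners", "memberType": "Group",
     "permissions": {"useAccounts": True}},
]
SCIM_USER_BOB = {"userName": "bob", "groups": [{"value": "42", "display": "AppOwners"}]}

if __name__ == "__main__":
    print(logon_url("https://webservices.host.com:1234/PasswordVault/WebServices", "LDAP (2nd gen)"))
    print("svc-tpp can view safe members:", service_account_ok(SAFE_MEMBERS, "svc-tpp"))
    for user, scim in (("alice", None), ("bob", None), ("bob", SCIM_USER_BOB)):
        print(user, check_end_user(SAFE_MEMBERS, user, scim))
```

Run it on the Trust Protection Platform server before step 5. The sample at the bottom exercises the permission rules offline with the constructed data; logon() performs the real PVWA logon with the Web Service User once you supply the URI and credentials. The script refuses an http:// URI and leaves certificate verification on; for a PVWA behind a private CA, pass cafile= rather than disabling TLS checks.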