Creating a CyberArk Application for TPP

Before following these steps, verify that CyberArk Vault, CyberArk PVWA, CyberArk SCIM Server (if available) and either CyberArk Central Credential Provider or Windows AIM/AAM Agent are installed and configured.

You will need the following information and access:

  • FQDN of the CyberArk PVWA instance

  • RDP access to the TPP engine

  • Trust Protection Platform administrator with permissions to create credentials in Venafi Configuration Console

Configuring the CyberArk Credential Provider requires creating one or more applications in the CyberArk PVWA interface:

  1. Log in to the CyberArk PVWA interface, and select Applications > Add Application.

  2. Provide a name for the application, for example TPPApp. This application will be used to authenticate the TPP server against CyberArk PVWA.

     NOTE: This application must be a member of the Safe from which you want to retrieve the account (secret).

  3. Click Add.

Complete the following steps only if Central Credential Provider is used to retrieve secrets:

  1. Select Applications > Add Application.

  2. In the Name field enter TPP App for CCP.

  3. Using the Location drop-down, select \Applications.

  4. Click Add.

  1. Add the credential provider of the AIM/AAM as a Safe Member.

    For example: Prov_<hostname of the machine where AIM/AAM is installed>.

    These provider objects MUST have these permissions to the CyberArk Safe:

    • Service Account: Select View Safe Members permission and access to the PVWA interface

    • End user account: Select Retrieve accounts

    • Application ID (for TPPApp): Select Retrieve accounts

    • Windows AIM/AAM Agent credential provider (the Prov_<hostname> object): Select Retrieve accounts, List accounts and View Safe Members

  2. Click Save.
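
A check that could be run after saving, given here as an added example (not part of the original procedure, and not CyberArk or Venafi code): it compares a listing of Safe members against the permissions required above and reports anything missing, plus anything granted beyond that list for review. The input shape, the camelCase permission keys, the role names and the sample members are assumptions, and the sample data is constructed.

```python
# Required Safe permissions per role, from the list above. The camelCase
# keys are assumed labels for "Retrieve accounts", "List accounts" and
# "View Safe Members"; the role names are hypothetical.
REQUIRED = {
    "service_account": {"viewSafeMembers"},
    "end_user": {"retrieveAccounts"},
    "application": {"retrieveAccounts"},
    "provider": {"retrieveAccounts", "listAccounts", "viewSafeMembers"},
}


def audit_safe(members, roles):
    """Compare Safe members against REQUIRED.

    members: list of {"memberName": str, "permissions": {key: bool}}
    roles:   member name -> role; names starting with Prov_ are providers.
    Returns {member: {"role", "missing", "extra"}} for members that deviate.
    """
    findings = {}
    for m in members:
        name = m["memberName"]
        role = "provider" if name.startswith("Prov_") else roles.get(name)
        if role is None:
            continue  # member is not one this procedure configures
        granted = {p for p, on in m["permissions"].items() if on}
        missing = sorted(REQUIRED[role] - granted)  # retrieval will fail
        extra = sorted(granted - REQUIRED[role])    # more than the list asks for
        if missing or extra:
            findings[name] = {"role": role, "missing": missing, "extra": extra}
    return findings


# Constructed sample: host and account names are placeholders.
SAMPLE = [
    {"memberName": "TPPApp", "permissions": {"retrieveAccounts": True}},
    {"memberName": "Prov_AIMHOST01",
     "permissions": {"retrieveAccounts": True, "listAccounts": False,
                     "viewSafeMembers": True}},
    {"memberName": "svc_tpp",
     "permissions": {"viewSafeMembers": True, "manageSafe": True}},
]
SAMPLE_ROLES = {"TPPApp": "application", "svc_tpp": "service_account"}

if __name__ == "__main__":
    for name, finding in audit_safe(SAMPLE, SAMPLE_ROLES).items():
        print(name, finding)
```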