Configuring CyberArk for Use with Password Manager

FlexNet Manager Suite 2022 R1 (On-Premises)
For integration with CyberArk, FlexNet Beacon expects to find the CyberArk Credential Provider installed on the inventory beacon.
Note: In the CyberArk AIM CD image, this is the installer for Credential Provider. Do not use the Application Server Credential Provider.
Credential Provider must be installed before FlexNet Beacon can display the data needed to configure CyberArk to recognize the inventory beacon as an authorized requester of credentials. (The check is that the 32-bit CPasswordSDK.dll is present in %windir%\System32 on a 32-bit device, or %windir%\SysWOW64 on a 64-bit device.)

Once both the CyberArk Credential Provider and (of course) FlexNet Beacon are installed and operational on the inventory beacon server, your CyberArk administrator can register the application with the level of security required by your corporate operating procedures. For complete details, see the CyberArk documentation (such as the Credential Provider and ACSP Implementation Guide included with your CyberArk installation); but here is a summary that illustrates the relationships between the data provided by FlexNet Beacon and the configuration points provided by CyberArk.

CyberArk supports multiple processes for configuration, including manual interaction and automated processes. This summary assumes the manual process for clarity. However, as you need to configure this integration independently on each inventory beacon, your CyberArk administrator may well prefer to set up automated processes.

The manual process is most conveniently started from the inventory beacon in question, having the FlexNet Beacon interface open (this requires administrator privileges on the inventory beacon), as well as a web browser that can access your CyberArk implementation.

To configure integration between FlexNet Beacon and CyberArk Application Identity Manager (AIM):

  1. Complete the installation of the CyberArk Credential Provider on this inventory beacon, if necessary following instructions provided by CyberArk.
    Do not install the Application Server Credential Provider. In the CyberArk AIM CD image, open the folder for Credential Provider, and run setup.exe from that folder.
    Tip: As part of the installation process, be sure to configure the Credential Provider for access to your CyberArk server hosting the relevant CyberArk Vault.
  2. Use Windows Explorer to validate that CPasswordSDK.dll is present in %windir%\System32 on a 32-bit device, or %windir%\SysWOW64 on a 64-bit device.
    If this is not already the case following installation of the CyberArk Credential Provider on this inventory beacon, you can find a copy of CPasswordSDK.dll (this 32-bit version, and not the equivalent 64-bit version) in the Credential-Provider-installation-path\ApplicationPasswordSdk folder. Copy this to the appropriate location for the architecture of your inventory beacon server.
    Important: Do not copy the 64-bit version. The Password Manager on the inventory beacon requires the 32-bit version (even though the inventory beacon user interface, which is built in .NET, appears to recognize the 64-bit version, if you copied that by mistake).
  3. In FlexNet Beacon, navigate to the Password management page.
    This page displays the values needed for insertion into CyberArk.
  4. In your web browser, log into the CyberArk Password Vault Web Access (PVWA).
  5. From the top navigation bar of PVWA, select the Applications tab.
  6. If this is the first registration of the FlexNet Beacon application, create the base application record in PVWA:
    1. In the top right of the Applications List page, click Add Application.
    2. From FlexNet Beacon, copy the value of the Application ID, and paste it into the Name field in the Add Application dialog in the PVWA.
      Tip: The default value, Flexera_FlexNetBeacon, follows the guidelines in the CyberArk documentation. If your environment requires that you must change this default, edit the [Registry]\PasswordStore\CyberArkAppId setting on the inventory beacon. If you change the registry value, restart FlexNet Beacon before copying the new value to the PVWA.
    3. Complete the remaining details in the Add Application dialog, in line with your corporate protocols.
      For Location, it is typical to select the \Applications folder, but this is not mandatory.
      Tip: It is best practice to not add time restrictions or an expiration date for this application's access to the CyberArk Vault. This is because inventory gathering may be scheduled at any time of day, typically after hours when systems are lightly loaded.
    4. Click Add.
      The application is added and displayed in the Application Details page.
    5. In the Application Details page, below the Authentication tab, select Allow extended authentication restrictions.
      This enables you to specify multiple machines, OS users, path values, and hash values for a single application.
    6. Under the Authentication tab, click Add, and from the drop-down list, choose OS User.
    7. From FlexNet Beacon, copy the value of the Inventory beacon service account, paste into the OS User field in PVWA, and click Add.
    8. Use the Add drop-down again, and choose Path.
    9. From FlexNet Beacon, right-click the Beacon executable path value, copy, and paste into the Path field in the Add Path Authentication dialog in PVWA. Clear the Path is folder check box (because these paths include the file name), and click Add.
    10. In a similar way, copy the Beacon executable hash value from FlexNet Beacon on your inventory beacon, and paste into the Add > Hash > Add Hash Authentication dialog, saving it into the application details in PVWA.
      Tip: You can add a comment (such as the application identifier) after a hash value, separating with spaces around a hash character or pound sign (#). Comments may not include colon or semi-colon characters. Example:
      F0FDE5DA32076B88AE57CB49E8ED61497C5D1601 # Beacon Engine 12.3.1
    11. To test that the configuration is successful, click Test CyberArk integration... in the Password management page of FlexNet Beacon.
      A separate Test CyberArk Integration dialog appears.
    12. Enter a query for which the credential already exists in CyberArk (depending on how the credential is secured, specifying Object=accountName may be sufficient, provided that the answer is exactly one credential), and click Test.
      After a moment, the dialog displays the results:
      • For success, several attributes of the account in CyberArk (but not, obviously, its password) are displayed.
      • For failure, the error message received from CyberArk is displayed unchanged. You should fix the error(s) and repeat the testing until successful.
      Tip: If the Credential Provider service is not running on the inventory beacon, the response waits 30 seconds and then times out.
      For example messages and likely remedial actions, see Typical Errors and Fixes.
    The basic application record now exists in CyberArk. This application record can now be referenced by all your inventory beacons that need access to credentials stored in CyberArk. As you register additional inventory beacons in PVWA (hint: click Search to populate the application list under the Applications tab), validate that:
    • The OS user account that runs the inventory beacon engine is unchanged. If a different account has been used on a particular inventory beacon, update the application record in PVWA with the additional OS user.
    • The installation path of the executable is unchanged. If an inventory beacon has a non-standard installation, add the different path to this application record.
    • The hash value is unchanged for BeaconEngine.exe. This value remains consistent for a given release of the inventory beacon, but expect it to change whenever an inventory beacon is updated to a later version of FlexNet Beacon. If your environment has a mixture of inventory beacon versions during an upgrade, keep the old hash value in the application definition while adding another hash for the updated version (see the example shown above, with a comment identifying the FlexNet Beacon version), and remove the old hash once the last beacon on that version has been upgraded, so that only binaries you still run can authenticate.
    Of course, this requires logging in to each inventory beacon to check the relevant details on the Password management page of FlexNet Beacon there.
  7. Register each inventory beacon as a device using the registered application details in PVWA:
    1. In the Application Details page for your FlexNet Beacon application in PVWA, select the Allowed Machines tab.
    2. At the top of this tab, click Add.
    3. In the Add allowed machine dialog, enter the host name or fully-qualified domain name for this inventory beacon in the Address field.
      Tip: The IPv4 address of the inventory beacon is another method of identification; but beware of using this where dynamic IP address allocations may alter the IP address of your inventory beacons over time.
    Repeat this registration of the machine details for each relevant inventory beacon.
  8. Configure the required safe and its memberships:
    1. If it does not already exist, create the safe that will store credentials needed by your inventory beacons (navigate to Policies > Access Control (Safes), and click Add Safe). If the safe already exists, select it from the list of safes, and in the bottom right, click Members.
    2. In the Members tab, click Add Member, search for the application you saved, select it in the list of results (the default privilege levels are adequate, and must include Retrieve accounts), and click Add.
      Tip: Look for the success message at the bottom of this dialog, and then click Close. Once the dialog is closed, the list of members is updated and displays your application as a member permitted to access this safe.
  9. Ensure that the credentials needed for the remote execution activities of every inventory beacon are recorded as CyberArk "accounts".
    1. In the Account tab of PVWA, click Add Account.
    2. In the Add Account page, in the Store in Safe drop-down, select the safe you created for credentials accessed by inventory beacons.
    3. Select the Device Type and resulting Platform Name for this credential.
      Here are suggested mappings between the Account type saved in the FlexNet Beacon Password Manager and these two fields in PVWA:
      Account type (FlexNet)           | Device Type (PVWA)                        | Platform Name (PVWA)                                                                   | Typical Format
      ---------------------------------|-------------------------------------------|----------------------------------------------------------------------------------------|--------------------------
      Windows domain account           | Operating System                          | Windows Domain Account                                                                 | Domain\Account
      Local account on Windows device  | Operating System                          | Windows Server Local Accounts (or Windows Desktop Local Accounts for desktop computers) | Account
      SSH account (password)           | Operating System                          | Unix via SSH                                                                           | Account
      SSH account (key pair)           | Operating System                          | Unix via SSH Keys                                                                      | DSA key file
      Account on VMware ESX server     | Operating System                          | VMWare ESX Account API                                                                 | Domain\Account or Account
      Account on VMware VirtualCenter  | Application                               | VMWare vCenter Shared Accounts                                                         | Domain\Account or Account
      Password for Oracle listener     | Directory (no user name is required)      | [None]                                                                                 | Only requires a password
      Account on Oracle database       | Database                                  | Oracle Database                                                                        | Account
      Oracle VM management API account | Operating System                          | VMWare ESX Account API or Unix via SSH (see note)                                      | Account
      Note: The Oracle VM management API account is likely to be a local account on Linux, and currently PVWA does not offer a matching platform name. Your CyberArk administrator may create a custom platform name for your use; otherwise use another platform name (such as either of the two suggested above) that provides the correct set of data fields.
    4. Complete the remaining properties for the credential, and click Save.
      • Address may identify the device that requires this credential, either using an IP address, a host name, or a fully-qualified domain name. In cases where this isn't particularly meaningful (such as a Windows domain password), enter free text such as the domain name.
      • Name must be unique in context (for example, within the safe), and is typically used in query strings. For this reason, you may prefer to provide a custom, simpler name rather than use the one that is automatically generated.
      • For Unix via SSH Keys, after saving, click Add SSH Key (upper right), and provide the required details.
    5. Take note of the query string parameters that uniquely identify this credential.
      The query strings must be entered in FlexNet Beacon Password Manager, and are used to request each credential from CyberArk. If the query string does not return a single, unique credential, the request fails. Query string elements that may be used include:
      • Safe — where the credentials for inventory beacon use are stored
      • Address — the same value you provided for this parameter for the credential, identifying the target device where the credential is to be used
      • Object — shown in the Account Details page in PVWA as the Name.
      These values should be sufficient to uniquely identify the credential. For other elements possible in a query string, see the CyberArk documentation.
    Repeat for as many credentials as required. This completes configuration of CyberArk. The last remaining step is to record the various credentials in Password Manager on the various inventory beacons from which they will be used for remote execution.
  10. On each inventory beacon in turn, access Password Manager, and create records of the credentials used from this inventory beacon.
    For details, see the online help for the Password Manager.
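The following PowerShell script is an added example, not Flexera or CyberArk code. Run it in an elevated session on the inventory beacon before and after registering it in PVWA. It performs the step 2 check properly (not only that CPasswordSDK.dll exists in the right folder, but that it is the 32-bit build, by reading the PE header), confirms the Credential Provider service is running (the cause of the 30-second timeout mentioned under step 11), collects the OS User, Path and Hash values that the Authentication tab must match, and optionally issues the same kind of query string used in steps 9.5 and 12 through CyberArk's CLIPasswordSDK.exe. Assumptions, also marked in the code: the default Credential Provider install path, that the relevant service display names start with "CyberArk" and contain "Beacon", and that the hash displayed on the Password management page is a plain SHA-1 of BeaconEngine.exe (the page's sample hash is 40 hex digits, which is SHA-1 length); confirm the computed hash against the value FlexNet Beacon shows. The CLIPasswordSDK arguments are CyberArk's documented ones; check them against your installed version.

```powershell
<#
  Added example (not Flexera or CyberArk code): pre-flight checks on an
  inventory beacon for the CyberArk Credential Provider integration.
  Assumptions are marked inline.
#>
param(
    # Assumption: default Credential Provider install path; adjust to yours.
    [string]$CpInstallPath = 'C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider',
    [string]$AppId  = 'Flexera_FlexNetBeacon',   # value shown on the Password management page
    [string]$Safe,                               # safe created in step 8
    [string]$Object,                             # Name of the account in PVWA (step 9)
    [switch]$RunQuery                            # only call CLIPasswordSDK when asked
)
$ErrorActionPreference = 'Stop'

# Read IMAGE_FILE_HEADER.Machine so a 64-bit DLL copied by mistake is caught.
function Get-PeMachine {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'not-pe' }   # "MZ"
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                             # e_lfanew
    if ($pe + 6 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return 'not-pe' }  # "PE\0\0"
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'other' }
    }
}

# 1. Password Manager is 32-bit: on 64-bit Windows the DLL must be in SysWOW64.
$sdkDir = if ([Environment]::Is64BitOperatingSystem) { "$env:windir\SysWOW64" } else { "$env:windir\System32" }
$sdkDll = Join-Path $sdkDir 'CPasswordSDK.dll'
if (-not (Test-Path $sdkDll)) {
    throw "CPasswordSDK.dll not found in $sdkDir. Copy the 32-bit copy from $CpInstallPath\ApplicationPasswordSdk."
}
$arch = Get-PeMachine $sdkDll
if ($arch -ne 'x86') { throw "$sdkDll is '$arch'; Password Manager needs the 32-bit build." }
Write-Host "OK  $sdkDll is a 32-bit DLL"

# 2. The Credential Provider service must be running, or tests time out after 30 s.
#    Assumption: its service display name starts with 'CyberArk'.
$cpSvc = @(Get-Service | Where-Object { $_.DisplayName -like 'CyberArk*' })
if ($cpSvc.Count -eq 0 -or ($cpSvc | Where-Object { $_.Status -ne 'Running' })) {
    throw "Credential Provider service not running: $(($cpSvc | ForEach-Object DisplayName) -join ', ')"
}
Write-Host "OK  Credential Provider service running: $(($cpSvc | ForEach-Object DisplayName) -join ', ')"

# 3. Collect what the OS User / Path / Hash entries on the Authentication tab must match.
#    Assumption: the beacon engine service's display name contains 'Beacon'.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*Beacon*' -and $_.PathName -like '*BeaconEngine.exe*' } |
    Select-Object -First 1
if (-not $svc) { throw "Beacon engine service not found; read the values from the Password management page instead." }
$exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'          # strip quotes and arguments
if ($exe -eq $svc.PathName) { $exe = $svc.PathName.Split(' ')[0] }
# Assumption: the displayed hash is SHA-1 of the executable (the page's sample is 40 hex digits).
$sha1 = (Get-FileHash -Algorithm SHA1 -Path $exe).Hash
[pscustomobject]@{
    OSUser = $svc.StartName   # paste into the OS User entry
    Path   = $exe             # paste into the Path entry, with 'Path is folder' cleared
    Hash   = $sha1            # compare with the value FlexNet Beacon displays
} | Format-List

# 4. Optional: request the account's attributes (not its password) with the same query
#    string Password Manager will use. CLIPasswordSDK is authenticated as the caller
#    (your interactive account and its own executable), so once OS User / Path / Hash
#    restrictions are in force expect CyberArk to reject this call; that is the
#    restrictions working, and the beacon's own Test CyberArk integration dialog is
#    the definitive check.
if ($RunQuery) {
    $cli = Join-Path $CpInstallPath 'ApplicationPasswordSdk\CLIPasswordSDK.exe'
    & $cli GetPassword /p "AppDescs.AppID=$AppId" /p "Query=Safe=$Safe;Object=$Object" /o PassProps.UserName,PassProps.Address
    if ($LASTEXITCODE -ne 0) { Write-Warning "CLIPasswordSDK exit code $LASTEXITCODE; the CyberArk message above says why." }
}
```

Usage: .\Check-BeaconCyberArk.ps1 for the checks and values only, or .\Check-BeaconCyberArk.ps1 -RunQuery -Safe BeaconSafe -Object WinDomainSvc to also exercise the query. The Safe plus Object pair is the minimal query that step 9.5 describes; add Address=... when the Name alone does not resolve to exactly one account, because CyberArk fails any query that matches zero or several credentials.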
