Configuring CyberArk for Use with Password Manager
Once both the CyberArk Credential Provider and (of course) FlexNet Beacon are installed and operational on the inventory beacon server, your CyberArk administrator can register the application with the level of security required by your corporate operating procedures. For complete details, see the CyberArk documentation (such as the Credential Provider and ACSP Implementation Guide included with your CyberArk installation); but here is a summary that illustrates the relationships between the data provided by FlexNet Beacon and the configuration points provided by CyberArk.
CyberArk supports multiple processes for configuration, including manual interaction and automated processes. This summary assumes the manual process for clarity. However, as you need to configure this integration independently on each inventory beacon, your CyberArk administrator may well prefer to set up automated processes.
The manual process is most conveniently started from the inventory beacon in question, having the FlexNet Beacon interface open (this requires administrator privileges on the inventory beacon), as well as a web browser that can access your CyberArk implementation.
To configure integration between FlexNet Beacon and CyberArk Application Identity Manager (AIM):
- Complete the installation of the CyberArk Credential Provider on this inventory beacon, if necessary following instructions provided by CyberArk.
  Do not install the Application Server Credential Provider. In the CyberArk AIM CD image, open the folder for Credential Provider, and run setup.exe from that folder.
  Tip: As part of the installation process, be sure to configure the Credential Provider for access to your CyberArk server hosting the relevant CyberArk Vault.
- Use Windows Explorer to validate that CPasswordSDK.dll is present in %windir%\System32 on a 32-bit device, or %windir%\SysWOW64 on a 64-bit device.
  If this is not already the case following installation of the CyberArk Credential Provider on this inventory beacon, you can find a copy of CPasswordSDK.dll (this 32-bit version, and not the equivalent 64-bit version) in the Credential-Provider-installation-path\ApplicationPasswordSdk folder. Copy this to the appropriate location for the architecture of your inventory beacon server.
  Important: Do not copy the 64-bit version. The Password Manager on the inventory beacon requires the 32-bit version (even though the inventory beacon user interface, which is built in .NET, appears to recognize the 64-bit version, if you copied that by mistake).
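A scripted form of this check, added here as an example and not taken from the FlexNet or CyberArk documentation: it reads the PE/COFF header of a DLL image to confirm it is the 32-bit build, and reports the folder in which Password Manager expects it. The DLL path and the constructed header bytes used for self-testing are assumptions.

```python
import os
import struct
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_I386 = 0x014C    # 32-bit x86 build (the one Password Manager needs)
MACHINE_AMD64 = 0x8664   # 64-bit x64 build (must not be copied)


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def expected_sdk_dir(windir: str, os_is_64bit: bool) -> Path:
    """Folder where the 32-bit CPasswordSDK.dll belongs on this beacon."""
    return Path(windir) / ("SysWOW64" if os_is_64bit else "System32")


def check_sdk_dll(data: bytes) -> str:
    """Classify a DLL image as 'ok' (32-bit), 'wrong-arch' (64-bit) or 'unknown'."""
    machine = pe_machine(data)
    if machine == MACHINE_I386:
        return "ok"
    if machine == MACHINE_AMD64:
        return "wrong-arch"
    return "unknown"


def make_pe_stub(machine: int) -> bytes:
    """Constructed minimal PE header (not a real DLL) for offline self-testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Assumes a 64-bit Windows beacon; the path is illustrative only
    dll = expected_sdk_dir(os.environ.get("windir", r"C:\Windows"), True) / "CPasswordSDK.dll"
    print(dll, check_sdk_dll(dll.read_bytes()) if dll.exists() else "not found")
```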
- In FlexNet Beacon, navigate to the Password management page.
  This page displays the values needed for insertion into CyberArk.
- In your web browser, log into the CyberArk Password Vault Web Access (PVWA).
- From the top navigation bar of PVWA, select the Applications tab.
- If this is the first registration of the FlexNet Beacon application, create the base application record in PVWA:
  - In the top right of the Applications List page, click Add Application.
  - From FlexNet Beacon, copy the value of the Application ID, and paste it into the Name field in the Add Application dialog in the PVWA.
    Tip: The default value, Flexera_FlexNetBeacon, follows the guidelines in the CyberArk documentation. If your environment requires that you change this default, edit the [Registry]\PasswordStore\CyberArkAppId setting on the inventory beacon. If you change the registry value, restart FlexNet Beacon before copying the new value to the PVWA.
  - Complete the remaining details in the Add Application dialog, in line with your corporate protocols.
    For Location, it is typical to select the \Applications folder, but this is not mandatory.
    Tip: It is best practice not to add time restrictions or an expiration date for this application's access to the CyberArk Vault. This is because inventory gathering may be scheduled at any time of day, typically after hours when systems are lightly loaded.
  - Click Add.
    The application is added and displayed in the Application Details page.
  - In the Application Details page, below the Authentication tab, select Allow extended authentication restrictions.
    This enables you to specify multiple machines, OS users, path values, and hash values for a single application.
  - Under the Authentication tab, click Add, and from the drop-down list, choose OS User.
  - From FlexNet Beacon, copy the value of the Inventory beacon service account, paste it into the OS User field in PVWA, and click Add.
  - To test that the configuration is successful, click Test CyberArk integration... in the Password management page of FlexNet Beacon.
    A separate Test CyberArk Integration dialog appears.
  - Enter a query for which the credential already exists in CyberArk (depending on how the credential is secured, specifying Object=accountName may be sufficient, provided that the answer is exactly one credential), and click Test.
    After a moment, the dialog displays the results:
    - For success, several attributes of the account in CyberArk (but not, obviously, its password) are displayed.
    - For failure, the error message received from CyberArk is displayed unchanged. You should fix the error(s) and repeat the testing until successful.
    Tip: If the Credential Provider service is not running on the inventory beacon, the response waits 30 seconds and then times out. For example messages and likely remedial actions, see Typical Errors and Fixes.
  The basic application record now exists in CyberArk. This application record can now be referenced by all your inventory beacons that need access to credentials stored in CyberArk. As you register additional inventory beacons in PVWA (hint: click Search to populate the application list under the Applications tab), validate that:
  - The OS user account that runs the inventory beacon engine is unchanged. If a different account has been used on a particular inventory beacon, update the application record in PVWA with the additional OS user.
- Register each inventory beacon as a device using the registered application details in PVWA:
  - In the Application Details page for your FlexNet Beacon application in PVWA, select the Allowed Machines tab.
  - At the top of this tab, click Add.
  - In the Add allowed machine dialog, enter the host name or fully-qualified domain name for this inventory beacon in the Address field.
    Tip: The IPv4 address of the inventory beacon is another method of identification; but beware of using this where dynamic IP address allocations may alter the IP address of your inventory beacons over time.
  Repeat this registration of the machine details for each relevant inventory beacon.
- Configure the required safe and its memberships:
  - If it does not already exist, create the safe that will store credentials needed by your inventory beacons (navigate to Policies > Access Control (Safes), and click Add Safe). If the safe already exists, select it from the list of safes, and in the bottom right, click Members.
  - In the Members tab, click Add Member, search for the application you saved, select it in the list of results (the default privilege levels are adequate, and must include Retrieve accounts), and click Add.
    Tip: Look for the success message at the bottom of this dialog, and then click Close. Once the dialog is closed, the list of members is updated and displays your application as a member permitted to access this safe.
- Ensure that the credentials needed for the remote execution activities of every inventory beacon are recorded as CyberArk "accounts".
  - In the Account tab of PVWA, click Add Account.
  - In the Add Account page, in the Store in Safe drop-down, select the safe you created for credentials accessed by inventory beacons.
  - Select the Device Type and resulting Platform Name for this credential.
    Here are suggested mappings between the Account type saved in the FlexNet Beacon Password Manager and these two fields in PVWA:

| Account type (FlexNet) | Device Type (PVWA) | Platform Name (PVWA) | Typical Format |
|---|---|---|---|
| Windows domain account | Operating System | Windows Domain Account | Domain\Account |
| Local account on Windows device | Operating System | Windows Server Local Accounts (or Windows Desktop Local Accounts if you are targeting desktop computers) | Account |
| SSH account (password) | Operating System | Unix via SSH | Account |
| SSH account (key pair) | Operating System | Unix via SSH Keys | DSA key file |
| Account on VMware ESX server | Operating System | VMWare ESX Account API | Domain\Account or Account |
| Account on VMware VirtualCenter | Application | VMWare vCenter Shared Accounts | Domain\Account or Account |
| Password for Oracle listener | Directory (This choice does not require a user name for the credential.) | [None] | Only requires a password |
| Account on Oracle database | Database | Oracle Database | Account |
| Oracle VM management API account | Operating System | VMWare ESX Account API or Unix via SSH (see note) | Account |

    Note: The Oracle VM management API account is likely to be a local account on Linux, and currently PVWA does not offer a matching platform name. Your CyberArk administrator may perhaps create a custom platform name for your use; or you can use other platform names (such as either of the two suggested above) that provide the correct set of data fields.
  - Complete the remaining properties for the credential, and click Save.
    - Address may identify the device that requires this credential, either using an IP address, a host name, or a fully-qualified domain name. In cases where this isn't particularly meaningful (such as a Windows domain password), enter free text such as the domain name.
    - Name must be unique in context (for example, within the safe), and is typically used in query strings. For this reason, you may prefer to provide a custom, simpler name rather than use the one that is automatically generated.
    - For Unix via SSH Keys, after saving, click Add SSH Key (upper right), and provide the required details.
  - Take note of the query string parameters that uniquely identify this credential.
    The query strings must be entered in FlexNet Beacon Password Manager, and are used to request each credential from CyberArk. If the query string does not return a single, unique credential, the request fails. Query string elements that may be used include:
    - Safe — where the credentials for inventory beacon use are stored
    - Address — the same value you provided for this parameter for the credential, identifying the target device where the credential is to be used
    - Object — shown in the Account Details page in PVWA as the Name.
  Repeat for as many credentials as required. This completes configuration of CyberArk. The last remaining step is to record the various credentials in Password Manager on the various inventory beacons from which they will be used for remote execution.
- On each inventory beacon in turn, access Password Manager, and create records of the credentials used from this inventory beacon.
  For details, see the online help for the Password Manager.
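A small resolver, added here as an example rather than code from FlexNet or CyberArk, that shows why the query string entered in Password Manager must identify exactly one account: it parses the Safe, Address and Object elements in the semicolon-separated key=value form that CyberArk's SDK uses, and applies them to a constructed list of vault accounts, failing on zero or several matches. The account records, safe names and host names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultAccount:
    """One CyberArk account as shown in PVWA Account Details (constructed data)."""
    safe: str
    address: str
    name: str        # the Name field; this is what the Object= element matches


# Query element -> VaultAccount attribute it is compared against (only the
# three elements named on this page are modelled here)
QUERY_FIELDS = {"safe": "safe", "address": "address", "object": "name"}


def parse_query(query: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased element name."""
    elements = {}
    for item in query.split(";"):
        if not item.strip():
            continue
        key, sep, value = item.partition("=")
        key = key.strip().lower()
        if not sep or not value.strip():
            raise ValueError(f"malformed query element: {item!r}")
        if key not in QUERY_FIELDS:
            raise ValueError(f"query element not modelled in this example: {key!r}")
        elements[key] = value.strip()
    return elements


def resolve(query: str, accounts: list) -> VaultAccount:
    """Return the single account matching every element, else raise LookupError.

    Mirrors the rule in the text: a query yielding zero or several accounts is
    a failed request, never a best-effort pick. Values are compared exactly.
    """
    criteria = parse_query(query)
    matches = [a for a in accounts
               if all(getattr(a, QUERY_FIELDS[k]) == v for k, v in criteria.items())]
    if len(matches) != 1:
        raise LookupError(f"{query!r} matched {len(matches)} accounts; exactly one is required")
    return matches[0]


# Constructed sample vault: the same Name exists in two safes, so Object= on
# its own is ambiguous and must be qualified with Safe= (or Address=)
ACCOUNTS = [
    VaultAccount("FlexNetBeacon", "corp.example", "svc-inventory"),
    VaultAccount("LegacyTools", "corp.example", "svc-inventory"),
    VaultAccount("FlexNetBeacon", "esx01.corp.example", "root"),
]
```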
FlexNet Manager Suite (On-Premises) 2023 R1