Integrating CyberArk
CyberArk is a security solution used to protect privileged accounts through password management. It stores an organization's passwords and enforces password rotation across all managed services through cryptographic control.
Core competencies of CyberArk include on-demand password management, authentication and verification, information security, and business process security.
The CyberArk Application Identity Management (AIM) product uses the Privileged Account Security solution to eliminate the need to store application passwords embedded in applications, scripts, or configuration files, and allows these highly sensitive passwords to be centrally stored, logged, and managed within the CyberArk vault. This approach enables organizations to comply with internal and regulatory requirements for periodic password replacement and to monitor activities associated with all types of privileged identities, whether on-premises or in the cloud.
The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier, credential type, and IP address from the instance, and then uses the CyberArk vault to resolve these elements into a usable credential. The credential resolver can also look up the hostname and FQDN, using a reverse DNS lookup to obtain the FQDN.
The following sections provide further information on the CyberArk integration with RN150.
• Architecture for the CyberArk Integration With RN150
• Configuring RN150 to Integrate with CyberArk
Architecture for the CyberArk Integration With RN150
The following process diagram and table describe the CyberArk integration architecture with RN150.
| Process | Description |
|---|---|
| Gets encrypted query string | RN150 retrieves the encrypted query string from the database and decrypts it so that it can be used. |
| Gets CyberArk settings | RN150 retrieves the CyberArk settings from the database so that it can reach the CyberArk server and send requests through the API. |
| Gets password using query string | RN150 sends a request containing the query string to the CyberArk API. |
| Returns password | The CyberArk API returns a JSON response containing the password. |
| Uses credentials | RN150 uses the returned password credentials to connect to devices in discovery, inventory, and performance modes. |
Configuring RN150 to Integrate with CyberArk
The following steps describe how to configure RN150 to integrate with CyberArk.
To configure RN150 to integrate with CyberArk:
1. Read the following caution to ensure you understand the implications of continuing with these steps.
   Caution: If you decide to configure RN150 to integrate with CyberArk, you cannot disable the integration with CyberArk and continue with the existing assessment. If you decide to disable the CyberArk integration, you need to create a new assessment.
2. Go to the RN150 dashboard and select Interfaces. The dashboard configuration options dialog box opens.
3. Select Configure CyberArk. The CyberArk Settings page opens.
4. Complete the CyberArk Settings using the information provided in the following tables.
   Best Practice: It is recommended to enable both the Windows and SSL authentication methods. If you decide to enable only one authentication method, enable SSL Authentication.
| CyberArk Application | Description |
|---|---|
| AppID | Enter the application ID used to access the CyberArk service. |
| Server Address | Enter the IP address of the service. |
| Proxy | Select Proxy On if you are using a proxy server to reach the Internet. |

| Windows Authentication | Description |
|---|---|
| Username | Enter the Windows username for the server that houses the CyberArk service. |
| Password | Enter the password associated with the username. |
| Domain | Enter the domain associated with the username. |

| SSL Authentication | Description |
|---|---|
| Certificate | Paste the public SSL certificate PEM text. Important: Ensure the "-----BEGIN CERTIFICATE-----" line and the "-----END CERTIFICATE-----" line are included. |
| Private Key | Paste the private key PEM text. Important: Ensure the "-----BEGIN PRIVATE KEY-----" line and the "-----END PRIVATE KEY-----" line are included. |

| Configure CyberArk Fields | Description |
|---|---|
| SSH, Windows, Database | You can change any of the default SSH, Windows, and Database fields. To create a custom field, update the default field and click Save. |

   After entering the settings, click Verify and Save.
5. To use credentials with the CyberArk server, go to the RN150 dashboard and select Additional Credentials. The Additional Credentials page opens. You can choose to add a query string or upload a CSV file.
   a. In the CyberArk Query field, add the query string, which defines a free query using CyberArk account properties, including safe, folder, and object. The following is an example query string for an Oracle database: Safe=test;Object=oracle-test
   b. In the CSV Upload field, upload a CSV file with two or three columns, for example, for mysql/mssql/oracle: ip,port. Then, click Add.
6. To enable SSH authentication, go to the RN150 dashboard and select SSH. The SSH for Linux/UNIX page opens.
   a. In the CyberArk Query field, add the query string. For example, Safe=test;Object=ssh-test-1;Address=IP_ADDRESS_PLACEHOLDER
      Note: This field is used to enable the CyberArk query for the CyberArk integration. This field is not required for standard SSH credentials.
   b. Click Add Credential. The Linux/UNIX Server IP Address dialog box opens.
   c. In the Linux/UNIX Server IP Address field, enter the appropriate IP address.
   d. Click Test.
   e. After a successful test, click Save.
7. To enable Windows authentication, go to the RN150 dashboard and select Windows. The Windows page opens.
   a. In the CyberArk Query field, add the query string. For example, Safe=test;Object=win-test-domain-2
   b. Click Add Credential. The Windows Server IP Address dialog box opens.
   c. In the Windows Server IP Address field, enter the appropriate IP address.
   d. Click Test.
   e. After a successful test, click Save.
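To show the flow from the architecture table end to end, here is an added example client (not RN150 or CyberArk code): it parses a CyberArk query string like those in steps 5 to 7, builds the AIM request with the AppID from the settings, extracts the password from the JSON reply, and checks that pasted PEM text keeps its BEGIN/END lines as step 4 requires. The endpoint path /AIMWebService/api/Accounts, the AppID parameter and the Content field follow the CyberArk Central Credential Provider REST API and are assumptions here; the server name vault.example is constructed.

```python
import json
import ssl
import urllib.parse
import urllib.request

CCP_PATH = "/AIMWebService/api/Accounts"  # assumed CCP REST endpoint path

def parse_query(query):
    """Split 'Safe=test;Object=oracle-test' into {'Safe': 'test', ...}."""
    props = {}
    for part in query.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed query part: {part!r}")
        props[key.strip()] = value.strip()
    if "Safe" not in props or "Object" not in props:
        raise ValueError("query must name at least Safe and Object")
    return props

def pem_block_ok(text, kind):
    """True if the pasted PEM keeps its BEGIN/END lines, as the settings page requires."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return (len(lines) >= 3 and lines[0] == f"-----BEGIN {kind}-----"
            and lines[-1] == f"-----END {kind}-----")

def build_url(server, app_id, query):
    """Build the AIM request URL from the CyberArk settings and a query string."""
    params = {"AppID": app_id, **parse_query(query)}
    return f"https://{server}{CCP_PATH}?" + urllib.parse.urlencode(params)

def extract_password(body):
    """Pull the password out of the JSON reply; never log the raw body."""
    data = json.loads(body)
    if "Content" not in data:  # assumed field name carrying the secret
        raise KeyError("no Content field; check AppID and query")
    return data["Content"]

def fetch_password(server, app_id, query, cert_file, key_file):
    """Do the request with the SSL (client certificate) authentication method."""
    ctx = ssl.create_default_context()  # verifies the CyberArk server certificate
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    url = build_url(server, app_id, query)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return extract_password(resp.read().decode("utf-8"))
```

fetch_password performs the live call and keeps the secret in memory only; the SSH and Windows lookups in steps 6 and 7 correspond to calling it with the respective query string.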