Setting up a CyberArk integration
Certificate Manager - SaaS uses the CyberArk Central Credential Provider service to access credentials stored in CyberArk. Once the connection between CyberArk and Certificate Manager - SaaS is established, you can create credential references from Certificate Manager - SaaS to credentials stored in CyberArk.
Credential references can then be assigned to a machine in Certificate Manager - SaaS. When you want to provision a certificate to that machine, Certificate Manager - SaaS uses the CyberArk credential to access the machine.
Since Certificate Manager - SaaS creates a reference to the CyberArk credential, any update to the credential in CyberArk will be automatically used by Certificate Manager - SaaS when provisioning a certificate to a machine.
CyberArk feature enablement
Only System Administrators are permitted to create the CyberArk connector and import credentials.
If you don't see the menu options mentioned in the steps below, please contact us.
Supported CyberArk versions
The Certificate Manager - SaaS integration supports:
- CyberArk Privileged Access Manager (self-hosted) - Versions 12.2, 12.6
- CyberArk Privilege Cloud
Step 1: Deploy VSatellites in your datacenter
If you don't already have any VSatellites installed, you'll need to get those up and running first. VSatellite is the connector between Certificate Manager - SaaS and CyberArk.
The VSatellites need to be able to access CyberArk in your datacenter. Before proceeding with the next step, make sure to have the IP addresses of the VSatellites readily available.
Follow our documentation to deploy VSatellites.
Step 2: Set up the CyberArk integration in Certificate Manager - SaaS
With VSatellites now in place, you're ready to create an application in CyberArk and then connect Certificate Manager - SaaS to that application.
Before you begin
- Enable Central Credential Provider in CyberArk. Have the URL to that service readily available.
- Create a new CyberArk application (or use an existing application). Be sure to whitelist the VSatellites that will have access to the CyberArk service. The application needs to be assigned as a member to all safes that will be used for password retrieval. Have the application name readily available.
- If access to the Central Credential Provider is certificate-protected, you'll need that certificate to allow access for Certificate Manager - SaaS.
Performed by: System Administrator
- Sign in to Venafi Control Plane.
- Click Integrations > Credential Managers.
- Under CyberArk Configuration, complete the fields according to the following guidelines:
  - Central Credentials Provider Web Services URL: The URL to the CyberArk Central Credential Provider service.
  - Application Name: The name of the application in CyberArk that this connector is allowed to connect to.
  - Certificate Credential: (Optional) The certificate credential required to authenticate to the CyberArk service.
    - To upload a certificate, select Upload manually, then upload your certificate using the Drag and drop or browse field.
    - To use a certificate from the Certificate Manager - SaaS inventory, click Select from Certificate Inventory, then choose the certificate you want to use.
  - Choose a VSatellite: The list of VSatellites that are allowed to connect to CyberArk. These VSatellites must be whitelisted on the CyberArk application.
- Click Test Access.
Troubleshooting certificate renewal warning messages
When a certificate used for authentication with a credential provider is renewed, a "Certificate updated. Re-test the configuration to ensure the new certificate is applied." message appears. If authentication with the new certificate fails, the system will automatically fall back to the previous certificate version until the connection is re-tested and properly configured. CyberArk PAM (Privileged Access Management) will not update its certificate reference automatically.
To clear this message:
- Update the certificate reference manually in CyberArk PAM.
- Click Test Access to verify the certificate connection.
You can also clear the message by clicking Test Access from the Credentials or Machines page. Once the connection is successfully tested and both sides reference the new certificate, the message will disappear, and the system will discard the fallback to the old certificate version.
If your access is unsuccessful, check the troubleshooting tips below.
- Click Save.
Step 3: Import credentials from CyberArk
With the connector now in place, you can import credentials into Certificate Manager - SaaS. CyberArk credentials in Certificate Manager - SaaS are just references to the real credentials stored in CyberArk.
Before you begin
- Set up a team in Certificate Manager - SaaS that will be allowed to use the imported credentials. The team assigned to the credential should be the same team that will be assigned to the machine in Step 4 below.
- Have the Account Name and the Safe for the CyberArk credential you want to import.
Performed by: System Administrator
- Click Inventory > Credentials.
- Click New > CyberArk Credential. Complete the fields on the Add a new credential screen according to the following guidelines.
- Name: The name for this credential to be displayed in Certificate Manager - SaaS.
- Owning Teams: One or more Certificate Manager - SaaS teams that have permission to use this credential. These same teams should be assigned to the machine that will use this credential.
- CyberArk Access Type: The type of credential that Certificate Manager - SaaS will receive from CyberArk. The type you select determines if Certificate Manager - SaaS will reference only the password, or both the username and password from an account in CyberArk.
- Account Name: The name of the Account in CyberArk that contains the credential you want to import.
- Safe: The CyberArk safe.
- Folder: (Optional) The folder in CyberArk where the credential is located.
- Click Save. The Credentials page opens with your new credential listed.
- You can now test the credential you just created. Click the vertical ellipsis icon on the row of the new credential, and select Test Access.
If Certificate Manager - SaaS was unable to access the credential, see the troubleshooting tips below.
Step 4: Assign the CyberArk credential on a Certificate Manager - SaaS machine
Performed by: Resource Owner or higher
Now that the credential is in Certificate Manager - SaaS, you can assign it to a machine, as long as the Owning Team assigned to the machine matches the Owning Team assigned to the credential.
Troubleshooting
Use these tips to troubleshoot common errors.
CyberArk connector access errors
| Error | Resolution |
|---|---|
| CyberArk CCP Web service error: Authentication error for the AIM webservice App ID AIMWebService. Reason: APPAP133E Failed to verify application authentication data: IP "<ip>;<hostname>" is unauthorized | Check that the machine where the Central Credential Provider is installed is in the list of allowed machines of the AIMWebService application. |
| CyberArk CCP Web service error: Authentication error for App ID <Certificate Manager - SaaS App Name>. Reason: APPAP133E Failed to verify application authentication data: IP "<VSat IP>;<VSat hostname>" is unauthorized | Check that the machine where the VSatellite is installed is in the list of allowed machines of the <Certificate Manager - SaaS App> application. |
CyberArk credential access errors
| Error | Resolution |
|---|---|
| Unable to retrieve Safe ("<safe name>") password using the Central Credential Provider service. Error: CyberArk CCP Web service error: Password object matching query [Folder=<folder name>;Object=test_<account name>;Safe=<safe name>] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password. | Check that the Safe Name, Account Name, and Folder Name entered in the CyberArk credential window in Certificate Manager - SaaS are correct and exist in CyberArk. Also check that the required provider permissions for the Safe are in place. |
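The following is an added diagnostic example, not code from Certificate Manager - SaaS or CyberArk: it assembles the Central Credential Provider (AIMWebService) query from the Step 2 and Step 3 fields (App ID, Safe, Account Name as Object, optional Folder, optional client certificate), keeps only what the selected CyberArk Access Type references, and maps the two errors from the troubleshooting tables to their resolution. The AIMWebService path and the JSON field names (Content, UserName, ErrorMsg), the access_type values and all sample values are assumptions.

```python
"""Diagnostic helper for a CyberArk CCP lookup (added example, not product code).
Assumes the AIMWebService REST path and JSON field names noted in the comments."""
import json
import ssl
import urllib.parse
import urllib.request

# Fragments of the two error messages in the troubleshooting tables, mapped to their resolution.
RESOLUTIONS = {
    "APPAP133E": "Add the caller's IP/hostname to the CyberArk application's allowed machines.",
    "was not found": "Check Safe, Account Name and Folder, and the provider's permissions on the Safe.",
}

# Constructed sample bodies (not captured from a real CCP) so the helpers can be exercised offline.
SAMPLE_UNAUTHORIZED = json.dumps({"ErrorCode": "APPAP133E", "ErrorMsg":
    'APPAP133E Failed to verify application authentication data: IP "10.0.0.5;vsat01" is unauthorized'})
SAMPLE_ACCOUNT = json.dumps({"Content": "constructed-password", "UserName": "svc-deploy"})


def build_ccp_url(ccp_base_url, app_id, safe, account_name, folder=None):
    """Assemble the AIMWebService account query; Folder is optional, as in the credential form."""
    params = {"AppID": app_id, "Safe": safe, "Object": account_name}
    if folder:
        params["Folder"] = folder
    return f"{ccp_base_url.rstrip('/')}/AIMWebService/api/Accounts?{urllib.parse.urlencode(params)}"


def classify_ccp_error(body):
    """Return the resolution for a CCP error body (JSON with ErrorMsg, or plain text), else None."""
    try:
        msg = json.loads(body).get("ErrorMsg", "")
    except ValueError:  # not JSON: treat the whole body as the message text
        msg = body
    return next((fix for fragment, fix in RESOLUTIONS.items() if fragment in msg), None)


def parse_ccp_account(body, access_type="password"):
    """Keep only what the chosen CyberArk Access Type references: password, or username and password."""
    data = json.loads(body)
    result = {"password": data["Content"]}
    if access_type == "username_password":
        result["username"] = data["UserName"]
    return result


def fetch_account(url, client_cert=None, client_key=None, ca_file=None):
    """Perform the lookup over TLS; client_cert is the Certificate Credential when CCP is cert-protected."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return parse_ccp_account(resp.read().decode())
```

Run fetch_account from a VSatellite host with the URL from build_ccp_url to reproduce the connector's Test Access check; an APPAP133E body from the same host confirms that host is missing from the application's allowed machines.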