Setting up a CyberArk integration
Rotating the credentials that give machines privileged access is a critical part of maintaining robust security in your datacenter. The TLS Protect Cloud integration with CyberArk allows TLS Protect Cloud to use credentials stored in a CyberArk vault when performing functions such as provisioning certificates to machines.
This allows you to take advantage of TLS Protect Cloud's certificate monitoring and provisioning services while continuing to manage your credentials in CyberArk.
Overview
TLS Protect Cloud uses the CyberArk Central Credential Provider service to access credentials stored in CyberArk. Once the connection between CyberArk and TLS Protect Cloud is established, you can create credential references from TLS Protect Cloud to credentials stored in CyberArk.
Credential references can then be assigned to a machine in TLS Protect Cloud. When you want to provision a certificate to that machine, TLS Protect Cloud uses the CyberArk credential to access the machine.
Since TLS Protect Cloud creates a reference to the CyberArk credential, any update to the credential in CyberArk will be automatically used by TLS Protect Cloud when provisioning a certificate to a machine.
CyberArk feature enablement
Only one CyberArk connector per tenant is allowed in TLS Protect Cloud, and only System Administrators are permitted to create the CyberArk connector and import credentials.
If you don't see the menu options mentioned in the steps below, please contact us.
Supported CyberArk versions
The TLS Protect Cloud integration supports:
- CyberArk Privileged Access Manager (self-hosted), versions 12.2 and 12.6
- CyberArk Privilege Cloud
VSatellite
The connection between TLS Protect Cloud and your CyberArk service is established through a Venafi VSatellite. VSatellite is a small piece of software installed on a Linux server in your data center that can access both TLS Protect Cloud and your CyberArk service, thereby becoming the bridge between the two services.
Important
We recommend setting up multiple VSatellites for redundancy purposes. Multiple VSatellites can be applied to a CyberArk connector in TLS Protect Cloud, so if one becomes unreachable, others are available.
Step 1: Deploy VSatellites in your datacenter
If you don't already have any VSatellites installed, you'll need to get those up and running first. VSatellite is the connector between TLS Protect Cloud and CyberArk.
The VSatellites need to be able to access CyberArk in your datacenter. Before proceeding with the next step, make sure to have the IP addresses of the VSatellites readily available.
Follow our documentation to deploy VSatellites.
Step 2: Set up the CyberArk integration in TLS Protect Cloud
With VSatellites now in place, you're ready to create an application in CyberArk and then connect TLS Protect Cloud to that application.
Before you begin
- Enable Central Credential Provider in CyberArk, and have the URL to that service readily available.
- Create a new CyberArk application (or use an existing one). Be sure to whitelist the VSatellites that will have access to the CyberArk service. The application must be assigned as a member of every safe that will be used for password retrieval. Have the application name readily available.
- If access to the Central Credential Provider is certificate-protected, you'll need that certificate to allow access for TLS Protect Cloud.
Performed by: System Administrator
- Sign in to Venafi Control Plane.
- Click Integrations > Credential Managers.
- Under CyberArk Configuration, complete the fields according to the following guidelines:
  - Central Credentials Provider Web Services URL: The URL to the CyberArk Central Credential Provider service.
  - Application Name: The name of the application in CyberArk that this connector is allowed to connect to.
  - Certificate Credential: (Optional) The certificate credential required to authenticate to the CyberArk service. After you upload the certificate, you'll be prompted to enter the certificate password.
  - Choose a VSatellite: The list of VSatellites that are allowed to connect to CyberArk. These VSatellites must be whitelisted on the CyberArk application.
- Click Test Access. If the test fails, check the troubleshooting tips below.
- Click Save.
Step 3: Import credentials from CyberArk
With the connector now in place, you can import credentials into TLS Protect Cloud. CyberArk credentials in TLS Protect Cloud are just references to the real credentials stored in CyberArk.
Before you begin
- Set up a team in TLS Protect Cloud that will be allowed to use the imported credentials. The team assigned to the credential should be the same team that will be assigned to the machine in Step 4 below.
- Have the Account Name and the Safe for the CyberArk credential you want to import.
Performed by: System Administrator
- Click Inventory > Credentials.
- Click New > CyberArk Credential. Complete the fields on the Add a new credential screen according to the following guidelines:
  - Name: The name for this credential as displayed in TLS Protect Cloud.
  - Owning Teams: One or more TLS Protect Cloud teams that have permission to use this credential. These same teams should be assigned to the machine that will use this credential.
  - CyberArk Access Type: The type of credential that TLS Protect Cloud will receive from CyberArk. The type you select determines whether TLS Protect Cloud references only the password, or both the username and the password, from an account in CyberArk.
  - Account Name: The name of the Account in CyberArk that contains the credential you want to import.
  - Safe: The CyberArk safe that holds the account.
  - Folder: (Optional) The folder in CyberArk where the credential is located.
- Click Save. The Credentials page opens with your new credential listed.
- You can now test the credential you just created. Click the vertical ellipsis icon on the row of the new credential, and select Test Access. If TLS Protect Cloud was unable to access the credential, see the troubleshooting tips below.
Step 4: Assign the CyberArk credential on a TLS Protect Cloud machine
Performed by: Resource Owner or higher
Now that the credential is in TLS Protect Cloud, you can assign it to a machine, as long as the Owning Team assigned to the machine matches the Owning Team assigned to the credential.
Troubleshooting
Use these tips to troubleshoot common errors.
CyberArk connector access errors
| Error | Resolution |
|---|---|
| CyberArk CCP Web service error: Authentication error for the AIM webservice App ID AIMWebService. Reason: APPAP133E Failed to verify application authentication data: IP "<ip>;<hostname>" is unauthorized | Check that the machine where the Central Credential Provider is installed is in the list of allowed machines of the AIMWebService application. |
| CyberArk CCP Web service error: Authentication error for App ID <TLS Protect Cloud App Name>. Reason: APPAP133E Failed to verify application authentication data: IP "<VSat IP>;<VSat hostname>" is unauthorized | Check that the machine where the VSatellite is installed is in the list of allowed machines of the <TLS Protect Cloud App> application. |
CyberArk credential access errors
| Error | Resolution |
|---|---|
| Unable to retrieve Safe ("<safe name>") password using the Central Credential Provider service. Error: CyberArk CCP Web service error: Password object matching query [Folder=<folder name>;Object=test_<account name>;Safe=<safe name>] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password. | Check that the Safe Name, Account Name, and Folder Name entered in the CyberArk credential window in TLS Protect Cloud are correct and exist. Also check that the provider has the required permissions on the Safe. |
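The following is an added example, not Venafi or CyberArk code, that shows the shape of the Central Credential Provider lookup described in the Overview (an application ID plus Safe, Folder and Object identify one password object) and how the two error messages in the troubleshooting tables above are told apart so that the right fix is applied. It assumes the standard CCP REST query form (`/AIMWebService/api/Accounts` with `AppID`, `Safe`, `Folder` and `Object` parameters) and a JSON reply carrying `Content`/`UserName` on success or `ErrorCode`/`ErrorMsg` on failure; the host name, application name, safe and account names, and the sample reply bodies are all constructed for the demonstration.

```python
"""Added example (not Venafi or CyberArk code): how a Central Credential
Provider (CCP) lookup is shaped, and how the two error classes from the
troubleshooting tables are distinguished. Runs offline on constructed data.

Assumptions: the standard CCP REST query form
  GET <ccp base>/AIMWebService/api/Accounts?AppID=..&Safe=..&Folder=..&Object=..
and a JSON reply carrying Content/UserName on success or ErrorCode/ErrorMsg
on failure. All names and reply bodies below are constructed.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlencode


def build_ccp_query(ccp_base_url: str, app_id: str, safe: str,
                    account_name: str, folder: str = "Root") -> str:
    """Return the CCP query URL for one account.

    app_id is the CyberArk application name (Step 2); safe, account_name and
    folder are the fields entered when importing the credential (Step 3).
    """
    params = {"AppID": app_id, "Safe": safe, "Folder": folder, "Object": account_name}
    return f"{ccp_base_url.rstrip('/')}/AIMWebService/api/Accounts?{urlencode(params)}"


def fetch_ccp(url: str, client_cert_pem: Optional[str] = None, timeout: float = 10.0) -> str:
    """Perform the GET from a host CyberArk allows (for example a VSatellite).

    client_cert_pem is a PEM file holding certificate and key; it is only
    needed when CCP is certificate-protected (the optional Certificate
    Credential in Step 2). CCP reports failures with an HTTP error status but
    still sends a JSON body, so that body is returned for classification.
    """
    ctx = ssl.create_default_context()
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8")


def classify_ccp_response(body: str) -> dict:
    """Turn a CCP JSON reply into a result with a troubleshooting hint.

    cause values: "ok"; "allowed_machines" (APPAP133E: the caller's IP or
    hostname is not on the application's allowed-machines list);
    "object_not_found" (no password object matched Safe/Folder/Object);
    or "unknown".
    """
    data = json.loads(body)
    if "Content" in data:
        return {"ok": True, "cause": "ok", "username": data.get("UserName"),
                "secret": data["Content"]}
    code = data.get("ErrorCode", "")
    msg = data.get("ErrorMsg", "")
    if code == "APPAP133E" or "is unauthorized" in msg:
        cause, hint = "allowed_machines", (
            "Add the calling machine (the VSatellite, or the CCP host for the "
            "AIMWebService application) to the allowed machines of the "
            "CyberArk application.")
    elif "was not found" in msg:
        cause, hint = "object_not_found", (
            "Check that Safe, Account Name and Folder in the TLS Protect Cloud "
            "credential match an existing object and that the application is "
            "a member of the Safe with the required permissions.")
    else:
        cause, hint = "unknown", f"Unrecognised CCP error {code}: {msg}"
    return {"ok": False, "cause": cause, "error_code": code, "hint": hint}


# Constructed sample replies, modelled on the messages in the troubleshooting tables.
SAMPLE_OK = json.dumps({"Content": "s3cr3t-value", "UserName": "svc_web01",
                        "Safe": "TLS-Machines", "Folder": "Root", "Name": "web01-svc"})
SAMPLE_UNAUTHORIZED = json.dumps({
    "ErrorCode": "APPAP133E",
    "ErrorMsg": 'Failed to verify application authentication data: '
                'IP "10.0.0.5;vsat01" is unauthorized'})
SAMPLE_NOT_FOUND = json.dumps({
    "ErrorCode": "APPAP004E",  # constructed sample; wording follows the page's "was not found" message
    "ErrorMsg": "Password object matching query [Folder=Root;Object=web01-svc;"
                "Safe=TLS-Machines] was not found (Diagnostic Info: 5)"})


if __name__ == "__main__":
    url = build_ccp_query("https://ccp.example.internal", "TLSProtectCloud",
                          "TLS-Machines", "web01-svc")
    print("query:", url)
    for body in (SAMPLE_OK, SAMPLE_UNAUTHORIZED, SAMPLE_NOT_FOUND):
        result = classify_ccp_response(body)
        if result["ok"]:
            # Never log the retrieved secret itself.
            print("ok: user=%s secret=<redacted>" % result["username"])
        else:
            print("%s: %s" % (result["cause"], result["hint"]))
```

Running the module prints the query URL and one line per constructed reply; to try it against a real Central Credential Provider you would call `fetch_ccp` from a host that is on the CyberArk application's allowed-machines list and pass the result to `classify_ccp_response`.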