The CyberArk Vault connector fetches secrets from a CyberArk vault. It supports two modes of integration: PVWA and CCP.
- PVWA mode of integration supports dynamic bearer token authentication.
- CCP mode of integration supports client certificate based authentication.
The connector is built on the Saviynt Vault Connector Framework. It also allows a vault mapping to be configured for each secret parameter on the connection page, so it works with connections that have more than one secret parameter.
This document outlines the steps to use this connector.
- Ensure that you have a working client certificate in .pfx format (validated using Postman) for authentication with CCP. Refer to the CyberArk documentation for details on generating the certificate.
- Raise a Saviynt support ticket to register the connector JAR in your EIC environment.
- Log in to EIC.
- Go to Admin -> File Directory -> Connector Files.
- Upload Client certificate (.pfx extension).
- Log in to EIC.
- Go to Connections -> Connection Type List -> Actions -> Create Connection Type.
- Enter Connection Type Name as "CyberArkVault".
- Set Enhanced Connector Framework to true; in the popup window select "CyberArk Vault::1.0" -> Get Config.
- This populates the default values; click Create.
- Go to Connections -> Connection List -> Actions -> Create Connection.
- Enter Connection Name "CyberArkVault".
- Select Connection Type as "CyberArkVault".
- Select Connector Version as "CyberArk Vault::1.0".
- Configure the remaining parameters as below:
| Parameter Name | Description |
|---|---|
| INTEGRATION_MODE | Mandatory. Set to CCP or PVWA. The connector falls back to PVWA if an invalid value is configured. |
| HOSTNAME | CCP/PVWA hostname or IP address, e.g. server.example.com or 10.20.30.40. |
| PVWA_USERNAME | Username used to authenticate with the PVWA service. Used only when INTEGRATION_MODE is PVWA. |
| PVWA_PASSWORD | Password used to authenticate with the PVWA service. Used only when INTEGRATION_MODE is PVWA. |
| CCP_AUTH_CERTIFICATE | Name of the PFX file used for CCP client certificate authentication, e.g. TestCert.pfx. Used only when INTEGRATION_MODE is CCP. The file must be uploaded under File Directory -> Connector Files. |
| CCP_AUTH_CERTIFICATE_PASSPHRASE | Passphrase used alongside CCP_AUTH_CERTIFICATE. |
- Go to Connections -> Connection List -> Open a connection that needs to fetch a secret value from the CyberArk vault, e.g. any AD connection.
- Select Credential Vault Connection as "CyberArkVault".
- Click on Vault Config -> Advanced.
- Depending on the INTEGRATION_MODE used in the CyberArkVault connection, enter the vault config.

If INTEGRATION_MODE is CCP:

```json
{
  "encryptionmechanism": "None",
  "AppID": "App_Saviynt",
  "ignoreMapping": [
    "AppID",
    "Safe",
    "Object"
  ],
  "Safe": "Safe_Saviynt",
  "Object": "Operating System-DummyPlatform-dummy"
}
```
If INTEGRATION_MODE is PVWA:

```json
{
  "reason": "EIC retrieval",
  "encryptionmechanism": "None",
  "ignoreMapping": [
    "AccountName",
    "SafeName",
    "reason",
    "TicketingSystemName"
  ],
  "SafeName": "Safe One",
  "TicketingSystemName": "SNOW",
  "AccountName": "Acct one"
}
```
- You can configure additional attribute mappings as supported by the CyberArk API.
- The PVWA implementation uses SafeName and AccountName to look up the AccountID internally, then fetches the corresponding secret value.
- If a parameter is not listed under ignoreMapping, the connector automatically prefixes the connection name to its value in API calls. For example, if SafeName is not listed in ignoreMapping, the connector sends "ConnectionName_Safe One". If your safes, accounts and similar objects are created in the CyberArk target with the connection name prefix, you do not need to list them under ignoreMapping. If they are not prefixed in the target, list them under ignoreMapping so the connector passes the value without the connection name prefix.
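The following added example (not part of the connector or this document) works through the prefix rule and the two-step PVWA lookup above in Python. The account list, its field names and the treatment of `encryptionmechanism` and `ignoreMapping` as control keys are constructed assumptions for illustration, not the real PVWA response schema.

```python
import json

# Constructed copy of the PVWA vault config shown above (sample values, not a live target).
PVWA_CONFIG = json.loads("""{
  "reason": "EIC retrieval",
  "encryptionmechanism": "None",
  "ignoreMapping": ["AccountName", "SafeName", "reason", "TicketingSystemName"],
  "SafeName": "Safe One",
  "TicketingSystemName": "SNOW",
  "AccountName": "Acct one"
}""")

# Assumption: these keys steer the connector and are never sent to CyberArk.
CONTROL_KEYS = {"encryptionmechanism", "ignoreMapping"}


def resolve_vault_config(config: dict, connection_name: str) -> dict:
    """Apply the prefix rule: attributes listed under ignoreMapping are passed
    through verbatim, every other attribute gets "<ConnectionName>_" prepended."""
    ignore = set(config.get("ignoreMapping", []))
    resolved = {}
    for key, value in config.items():
        if key in CONTROL_KEYS:
            continue
        resolved[key] = value if key in ignore else f"{connection_name}_{value}"
    return resolved


# Constructed stand-in for a PVWA account search result (hypothetical field names).
SAMPLE_ACCOUNTS = [
    {"id": "12_3", "name": "Acct one", "safeName": "Safe One"},
    {"id": "12_4", "name": "Acct one", "safeName": "AD_Safe One"},
]


def find_account_id(accounts: list, safe_name: str, account_name: str) -> str:
    """Step one of the PVWA flow: locate the AccountID by SafeName and AccountName.
    Exactly one match is required; an ambiguous match must never be silently chosen."""
    matches = [a["id"] for a in accounts
               if a["safeName"] == safe_name and a["name"] == account_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one account, found {len(matches)}")
    return matches[0]


def pvwa_account_id(config: dict, connection_name: str, accounts: list) -> str:
    """Resolve the config for a connection, then look up the AccountID."""
    params = resolve_vault_config(config, connection_name)
    return find_account_id(accounts, params["SafeName"], params["AccountName"])
```

With ignoreMapping as shown, a connection named "AD" resolves to account 12_3; drop SafeName from ignoreMapping and the same config resolves SafeName to "AD_Safe One" and therefore to account 12_4.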