Configuring BMC Discovery to use CyberArk credentials
After configuring and testing the CyberArk integration, you can begin to use the credentials that are stored in the CyberArk Vault from BMC Discovery. You add BMC Discovery device login credentials that use CyberArk in the same way as you create other credentials. However, instead of a username, password, or SSH key, you specify a CyberArk query that locates the appropriate credential. Your query must locate at most one credential. If it locates more than one credential, no credential is used.
To configure BMC Discovery to use CyberArk credentials
- From the BMC Discovery main menu bar, select Manage > Credentials.
- Click Add, specify the credential details, and check the credential type box, for example, ssh or Windows.
- Make sure that you leave the username and password fields empty.
- In the CyberArk field of the General section, enter the CyberArk query to locate a standard username and password.
- Depending on how your devices are configured, you might need to provide additional CyberArk queries, for example for an ssh key or for SNMP v2.
- To fetch credentials for a specific IP address, enter the CyberArk query in the text box provided in the device type section. The additional query applies only to the following device types:
  - UNIX: For credentials with which you switch to a different user with elevated privileges (su), you can specify an additional CyberArk query in that field. Select the Switch User? checkbox and enter the CyberArk query to locate the superuser password.
  - SSH (with an SSH key): In the ssh Key section, enter the CyberArk query to locate the key and select the Key checkbox. Ensure that the Password checkbox is not selected. You can also use a CyberArk query to locate the ssh key passphrase, if one is required.
  - SNMP v1/v2c: Enter the CyberArk query to locate the community string.
  - SNMP v3: Enter the CyberArk queries to locate the Authentication Key and the Private Key, as required.
- Click Apply to save the credential.
Rules for creating CyberArk queries
You use CyberArk queries to find the appropriate CyberArk credential objects. The queries that you use depend on the way that your CyberArk Vault is configured. The following section explains a subset of the queries that you can create for the CyberArk Vault. For additional information about the CyberArk queries used for testing the integration and for extracting credentials from the CyberArk Vault, see the CyberArk Vault documentation. Alternatively, contact your CyberArk administrator.
Your CyberArk query can include the following replacement markers:
- %ip% - The IP address being accessed. This may be IPv4 or IPv6.
- %type% - The type of access being requested, for example, ssh, snmp, or vsphere.
From BMC Discovery 11.1 patch 3, you can also include the following replacement markers:
- %port% - Usable in all queries. This is the port being used for ssh, telnet, SNMP, and so on. For SQL queries this is the port on which the database instance is listening.
- %version% - For SNMP queries.
For database queries you can also reference the following, depending on the DBMS in use, for example:
- %instance_name% - For Microsoft SQL Server,
Individual credentials per server in the CyberArk Vault
In this scenario there is a separate credential for each server in CyberArk, which defines the username and password needed to access that machine. Here, a single BMC Discovery credential matching all IP addresses could be used, with a CyberArk query that fetches the actual username and password by (for example) IP address:
If the credentials are held in a number of safes or folders, then multiple BMC Discovery credentials are required. For example, UNIX SSH credentials may be stored in a folder called SSH, and Windows credentials in a folder called Windows. Two BMC Discovery credentials would be required, with the following queries:
One specific credential for BMC Discovery
In this scenario, there is a limited number of credentials in CyberArk specifically for use by BMC Discovery: possibly one for UNIX servers, another for Windows, and so on. In this case, you create multiple BMC Discovery credentials, one for each CyberArk credential, and look each one up directly using its object name:
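The following is an added example (not BMC Discovery or CyberArk code) that models the two rules this page states: replacement markers such as %ip% and %port% are expanded per target before the query runs, and a query is only usable when it matches exactly one vault object. The semicolon-separated Key=Value query syntax and the vault contents are constructed for illustration and are not CyberArk's real query language or data.

```python
import re
from typing import Optional

# Constructed sample vault contents for illustration only; not real data.
VAULT = [
    {"Name": "srv-10.0.0.5", "Folder": "SSH", "Address": "10.0.0.5", "UserName": "disco"},
    {"Name": "srv-10.0.0.6", "Folder": "SSH", "Address": "10.0.0.6", "UserName": "disco"},
    {"Name": "discovery-windows", "Folder": "Windows", "Address": "10.0.0.7", "UserName": "svc_disco"},
]

MARKER = re.compile(r"%(\w+)%")


def expand_query(template: str, **context: str) -> str:
    """Substitute %ip%, %type%, %port% and similar markers with runtime values.
    An unknown marker raises instead of being passed through, so a mistyped
    marker cannot quietly produce a query that matches the wrong object."""
    def sub(match: re.Match) -> str:
        name = match.group(1)
        if name not in context:
            raise KeyError(f"no value supplied for marker %{name}%")
        return context[name]
    return MARKER.sub(sub, template)


def parse_query(query: str) -> dict:
    """Parse the constructed 'Key=Value;Key=Value' syntax (an assumption, not CyberArk's grammar)."""
    wanted = {}
    for part in query.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed query term: {part!r}")
        wanted[key.strip()] = value.strip()
    return wanted


def lookup_credential(vault: list, query: str) -> Optional[dict]:
    """Apply the page's rule: exactly one vault object may match, otherwise no credential is used."""
    wanted = parse_query(query)
    matches = [obj for obj in vault if all(obj.get(k) == v for k, v in wanted.items())]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    q = expand_query("Folder=SSH;Address=%ip%", ip="10.0.0.5", type="ssh")
    print(q, "->", lookup_credential(VAULT, q))                    # exactly one match
    print("Folder=SSH ->", lookup_credential(VAULT, "Folder=SSH"))  # two matches, so None
```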