Configuring BMC Discovery to use CyberArk credentials

After configuring and testing the CyberArk integration, you can begin to use the credentials that are stored in the CyberArk Vault from BMC Discovery. You add BMC Discovery device login credentials that use CyberArk in the same way as you create other credentials, except that instead of a username, password, or SSH key, you specify a CyberArk query that locates the appropriate credential object. The query must locate at most one credential: if it matches more than one object in the Vault, no credential is used and the login is not attempted.

To configure BMC Discovery to use CyberArk credentials

  1. From the BMC Discovery main menu bar, select Manage > Credentials.
  2. Click Add, specify the credential details, and select the check box for the credential type, for example, ssh or Windows.

    Make sure that you leave the username and password fields empty.

  3. In the CyberArk field of the General section, enter the CyberArk query that locates the standard username and password.

    Depending on the device type you selected, you might need to provide additional CyberArk queries to locate other items, for example, an SSH key or an SNMP v2c community string.

  4. To fetch those additional items for a device type, enter the CyberArk query in the text box provided in that device type's section.
    The additional query is applicable to only the following device types.

    Device credentials       Details

    UNIX                     For credentials that switch to a different user with elevated privileges (su), you can specify an additional CyberArk query. Select the Switch User? check box and enter the CyberArk query that locates the superuser password.

    SSH (with an SSH key)    In the ssh Key section, enter the CyberArk query that locates the key and select the Key check box. Ensure that the Password check box is not selected. You can also use a CyberArk query to locate the SSH key passphrase, if one is required.

    SNMP v1/v2c              Enter the CyberArk query that locates the community string.

    SNMP v3                  Enter the CyberArk queries that locate the Authentication Key and the Private Key, as required.
  5. Click Apply to save the credential.

Using CyberArk with Cloud Credentials

You can use CyberArk queries to locate cloud credentials.

Cloud provider            Details

Amazon Web Services       A CyberArk query can be used to locate an AWS Access Key ID and Secret Access Key.

Microsoft Azure           A CyberArk query can be used to locate an Azure Application ID and password.

CyberArk queries can also be used to locate the credentials for the authenticating web proxies that cloud credentials use.

Rules for creating CyberArk queries

You use CyberArk queries to find the appropriate CyberArk credential objects. The queries that you need depend on the way that your CyberArk Vault is configured. The following sections explain a subset of the queries that you can create for the CyberArk Vault. For additional information about the CyberArk queries used to test the integration and to extract credentials from the CyberArk Vault, see the CyberArk Vault documentation, or contact your CyberArk administrator.

Your CyberArk query can include the following replacement markers:

  • %ip%  The IP address being accessed. This may be IPv4 or IPv6.
  • %type% The type of access being requested, for example, ssh, snmp, or vsphere.
  • %formatted_ip% Formatted version of the IP address being accessed, suitable for use in URLs as defined by RFC2732. For IPv4, the IP address is unchanged, for IPv6 the IP address will be enclosed in square brackets.
  • %devicename% The name of the device, as defined in DNS.
  • %fdqn% The fully qualified domain name of the device, as defined in DNS. If no fully qualified name is defined, %fdqn% will have the same value as %devicename%

Use of DNS

Use of DNS names in CyberArk queries is NOT recommended, because it requires a fast and reliable DNS server. Slow DNS queries significantly increase scan times, and even with a fast DNS server, scan times are affected because every lookup happens before a credential can be fetched.

Where multiple names are defined for an IP address, BMC Discovery uses the first name or FQDN returned by the DNS server, which may not be consistent from one scan to the next, depending on the DNS server configuration.

Individual credentials per server in the CyberArk Vault

In this scenario there is a separate credential object for each server in CyberArk, which defines the username and password needed to access that machine. Here, a single BMC Discovery credential matching all IP addresses can be used, with a CyberArk query that fetches the username and password for the IP address being scanned, for example:

Safe=XXX;Folder=Root;Address=%ip%

If the credentials are held in a number of safes or folders then multiple BMC Discovery credentials are required. For example, UNIX SSH credentials may be stored in a folder called SSH, and Windows credentials in a folder called Windows. Two BMC Discovery credentials would be required, with the following queries:

Safe=XXX;Folder=SSH;Address=%ip%

Safe=XXX;Folder=Windows;Address=%ip%

One specific credential for BMC Discovery

In this scenario, there is a limited number of credentials in CyberArk specifically for use by BMC Discovery, possibly one for UNIX servers, another for Windows, and so on. Create one BMC Discovery credential for each CyberArk credential and look the object up directly by its name, which needs no replacement markers:

Object=Operating System-UnixSSHKeys-username
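The following Python script is an added example, not part of the BMC Discovery documentation or of any BMC or CyberArk code. It models the three rules the sections above describe: how the replacement markers (%ip%, %formatted_ip%, %type%, %devicename%, %fdqn%) are substituted into a query template before the Vault is consulted, how a Safe/Folder/Address query (the "individual credentials per server" scenario) or an Object= query (the "one specific credential" scenario) selects an object, and the rule that a query matching zero objects or more than one object yields no credential. The vault contents, the property names used for matching, and the Safe name DiscoverySafe are constructed assumptions; the real lookup is performed by CyberArk, not by this code.

```python
import ipaddress

# Constructed, illustrative inventory standing in for CyberArk account objects.
# Property names (Safe, Folder, Address, Object, UserName) are assumptions chosen
# to match the query terms shown on this page; this is not a Vault export.
VAULT = [
    {"Safe": "DiscoverySafe", "Folder": "SSH", "Address": "10.0.0.5",
     "Object": "Operating System-UnixSSH-10.0.0.5-root",
     "UserName": "root", "Content": "unix-secret-1"},
    {"Safe": "DiscoverySafe", "Folder": "Windows", "Address": "10.0.0.5",
     "Object": "Operating System-WinDomain-10.0.0.5-Administrator",
     "UserName": "Administrator", "Content": "win-secret-1"},
    {"Safe": "DiscoverySafe", "Folder": "SSH", "Address": "2001:db8::10",
     "Object": "Operating System-UnixSSH-2001:db8::10-root",
     "UserName": "root", "Content": "unix-secret-2"},
    # Two objects in the same folder for the same address: an ambiguous
    # query must resolve to no credential at all.
    {"Safe": "DiscoverySafe", "Folder": "Root", "Address": "10.0.0.9",
     "Object": "svc-a", "UserName": "svc1", "Content": "secret-a"},
    {"Safe": "DiscoverySafe", "Folder": "Root", "Address": "10.0.0.9",
     "Object": "svc-b", "UserName": "svc2", "Content": "secret-b"},
]


def formatted_ip(ip):
    """RFC 2732 URL form: IPv6 literals in square brackets, IPv4 unchanged."""
    addr = ipaddress.ip_address(ip)
    return f"[{ip}]" if addr.version == 6 else ip


def expand_query(template, ip, access_type, devicename="", fqdn=""):
    """Substitute the replacement markers documented on this page.

    %fdqn% falls back to the %devicename% value when no FQDN is known,
    as the page states.
    """
    fqdn = fqdn or devicename
    return (template.replace("%ip%", ip)
                    .replace("%formatted_ip%", formatted_ip(ip))
                    .replace("%type%", access_type)
                    .replace("%devicename%", devicename)
                    .replace("%fdqn%", fqdn))


def parse_query(query):
    """'Safe=X;Folder=Y;Address=Z' -> {'Safe': 'X', 'Folder': 'Y', ...}."""
    props = {}
    for term in query.split(";"):
        term = term.strip()
        if not term:
            continue
        if "=" not in term:
            raise ValueError(f"malformed query term: {term!r}")
        key, value = term.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def lookup(query, vault=VAULT):
    """Return the single object matching every query term, else None.

    Zero matches and multiple matches are both treated as 'no credential',
    which is the fail-closed behaviour the page describes.
    """
    props = parse_query(query)
    matches = [obj for obj in vault
               if all(obj.get(key) == value for key, value in props.items())]
    return matches[0] if len(matches) == 1 else None


def resolve(template, ip, access_type, vault=VAULT, **names):
    """Expand a query template for a target and look it up; returns (query, object)."""
    query = expand_query(template, ip, access_type, **names)
    return query, lookup(query, vault)


if __name__ == "__main__":
    for template, ip, kind in [
        ("Safe=DiscoverySafe;Folder=SSH;Address=%ip%", "10.0.0.5", "ssh"),
        ("Safe=DiscoverySafe;Folder=Windows;Address=%ip%", "10.0.0.5", "windows"),
        ("Safe=DiscoverySafe;Address=%ip%", "10.0.0.5", "ssh"),      # ambiguous
        ("Safe=DiscoverySafe;Folder=Root;Address=%ip%", "10.0.0.9", "ssh"),  # ambiguous
        ("Safe=DiscoverySafe;Folder=SSH;Address=%ip%", "2001:db8::10", "ssh"),
        ("Object=Operating System-UnixSSH-10.0.0.5-root", "10.0.0.5", "ssh"),
    ]:
        query, obj = resolve(template, ip, kind)
        outcome = obj["UserName"] if obj else "NO CREDENTIAL (0 or >1 matches)"
        print(f"{query:60s} -> {outcome}")
```

The two ambiguous cases show why a query should be as specific as the Vault layout allows: dropping Folder= from the per-server query matches both the SSH and the Windows object for 10.0.0.5, so BMC Discovery would attempt no login rather than guess, and the same happens when two objects share a folder and address. Note also that %formatted_ip% only matters for query terms that embed the address in a URL; the Address= term shown on this page uses the plain %ip% form.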


Comments

  1. Alexander Stern

    Hi,

    are there any other replacement markers working for a CyberArk query?


    For example %devicename% (gets replaced to the fqdn) is also working, but not documented.


    Thx and regards

    Alex

    Apr 09, 2018 08:49