Configuring BMC Discovery to use CyberArk credentials
After configuring and testing the CyberArk integration, you can use credentials stored in the CyberArk Vault from BMC Discovery. You add BMC Discovery device login credentials that use CyberArk in the same way as you create other credentials. However, instead of a username, password, or SSH key, you specify a CyberArk query that locates the appropriate credential. The query must locate at most one credential. If it locates more than one credential, no credential is used.
Before you begin
Ensure that you enable and test the CyberArk integration.
To configure BMC Discovery to use CyberArk credentials
- From the BMC Discovery main menu bar, select Manage > Credentials.
- Click Add, specify the credential details, and check the credential type box, for example, ssh or Windows.
- Make sure that you leave the username and password fields empty.
- In the CyberArk field of the General section, enter the CyberArk query to locate a standard username and password.
- Depending on how your device is configured, you might need to provide additional CyberArk queries for specific credential types, for example, an ssh key or an SNMP v2 community string. To fetch those credentials for a specific IP address, enter the CyberArk query in the text box provided in the device type section. The additional query applies only to the following device types.
|Device credentials||Details|
|UNIX||For credentials for which you switch to a different user with elevated credentials (su), you can specify an additional CyberArk query in that field. Select the Switch User? checkbox and enter the CyberArk query to locate the super user password.|
|SSH (with an SSH key)||In the ssh Key section, enter the CyberArk query to locate the key and select the Key checkbox. Ensure the Password checkbox is not selected. You can also use a CyberArk query to locate the ssh key passphrase, if one is required.|
|SNMP v1/v2c||Enter the CyberArk query to locate the community string.|
|SNMP v3||Enter the CyberArk queries to locate the Authentication Key and the Private Key, as required.|
- Click Apply to save the credential.
Using CyberArk with Cloud Credentials
You can use CyberArk queries to locate cloud credentials.
|Amazon Web Services||A CyberArk query can be used to locate an AWS Access Key ID and secret|
|Microsoft Azure||A CyberArk query can be used to locate an Azure Application ID and password|
CyberArk queries can also be used to locate credentials for the authenticating web proxies used by cloud credentials.
Rules for creating CyberArk queries
You use CyberArk queries to find the appropriate CyberArk credential objects. The queries that you use depend on how your CyberArk Vault is configured. The following section explains a subset of the queries that you can create for the CyberArk Vault. For additional information about CyberArk queries, both for testing the integration and for extracting credentials from the CyberArk Vault, see the CyberArk Vault documentation, or contact your CyberArk administrator.
Your CyberArk query can include the following replacement markers:
- %ip%: The IP address being accessed. This may be IPv4 or IPv6.
- %port%: In all queries, the port being used for ssh, telnet, SNMP, and so on. For SQL queries this is the port on which the database instance is listening.
- %type%: The type of access being requested, for example, ssh, snmp, or vsphere.
- %version%: Used in SNMP queries.
- %formatted_ip%: Formatted version of the IP address being accessed, suitable for use in URLs as defined by RFC2732. For IPv4, the IP address is unchanged; for IPv6, the IP address is enclosed in square brackets.
- %devicename%: The name of the device, as defined in DNS.
- %fdqn%: The fully qualified domain name of the device, as defined in DNS. If no fully qualified name is defined, %fdqn% will have the same value as
Use of DNS
Use of DNS names in CyberArk queries is NOT recommended, as it requires a performant and reliable DNS server. Slow DNS queries will significantly increase scan times. Even with a fast DNS server, scan times are affected.
Where multiple names are defined for an IP address, BMC Discovery will use the first name or FQDN returned by the DNS server, which may not be consistent, depending on the DNS server configuration.
For database queries you can also reference the following markers, depending on the DBMS in use:
- %instance_name% for Microsoft SQL Server
- %service% for Oracle
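The following added example (not code from BMC or CyberArk) shows how the replacement markers above are expanded for one scan target, including the RFC2732 bracketing of IPv6 addresses, and then applies the page's rule that a query returning more than one vault object yields no credential. The query syntax (attribute=value pairs separated by ";"), the sample vault objects, and the %fdqn% fallback to the device name are assumptions made for illustration, not CyberArk's real query language.

```python
import ipaddress


def marker_values(ip, port, access_type, devicename, fqdn=None, version=None):
    """Build the marker-to-value map BMC Discovery would supply for one target (constructed)."""
    addr = ipaddress.ip_address(ip)
    # RFC2732: IPv6 literals are enclosed in square brackets for URLs; IPv4 is unchanged.
    formatted = f"[{addr}]" if addr.version == 6 else str(addr)
    return {
        "%ip%": str(addr),
        "%port%": str(port),
        "%type%": access_type,
        "%version%": "" if version is None else str(version),
        "%formatted_ip%": formatted,
        "%devicename%": devicename,
        # Assumption: when no FQDN is defined, %fdqn% falls back to the device name.
        "%fdqn%": fqdn or devicename,
    }


def expand_query(template, values):
    """Substitute every marker found in the query template; unknown markers stay as-is."""
    expanded = template
    for marker, value in values.items():
        expanded = expanded.replace(marker, value)
    return expanded


def resolve_credential(expanded_query, vault):
    """Return the single vault object the query locates, or None.

    Hypothetical query syntax: 'Attr=value;Attr=value' (all pairs must match).
    Exactly one match yields a credential; zero or several matches yield none,
    so an over-broad query fails closed instead of picking an arbitrary account.
    """
    wanted = dict(part.split("=", 1) for part in expanded_query.split(";") if part)
    matches = [obj for obj in vault
               if all(obj.get(attr) == val for attr, val in wanted.items())]
    return matches[0] if len(matches) == 1 else None


# Constructed sample vault objects for illustration only (not real accounts).
SAMPLE_VAULT = [
    {"Safe": "SSH", "Address": "192.0.2.10", "UserName": "svc_discovery"},
    {"Safe": "Windows", "Address": "192.0.2.20", "UserName": "svc_discovery"},
    {"Safe": "Windows", "Address": "192.0.2.20", "UserName": "admin"},
]
```

With the sample vault, a Windows query keyed only on Safe and Address matches two objects and therefore returns no credential, which is the behaviour to expect when a scan silently fails to authenticate.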
Individual credentials per server in the CyberArk Vault
In this scenario there is a separate credential for each server in CyberArk, which defines the username and password needed to access that machine. Here, a single BMC Discovery credential matching all IP addresses could be used, with a CyberArk query that fetches the actual username and password for the IP address, for example:
If the credentials are held in a number of safes or folders, then multiple BMC Discovery credentials are required. For example, UNIX SSH credentials may be stored in a folder called SSH, and Windows credentials in a folder called Windows. Two BMC Discovery credentials would be required, with the following queries:
One specific credential for BMC Discovery
In this scenario, there is a limited number of credentials in CyberArk specifically for use by BMC Discovery, possibly one for UNIX servers, another for Windows, and so on. In this case, you create multiple BMC Discovery credentials, one for each CyberArk credential, and look each one up directly using its object name: