Installing the CyberArk Credential Provider

To integrate BMC Discovery with CyberArk Vault, you need to install the CyberArk Credential Provider, also known as the Credential Provider, on the BMC Discovery appliance and then configure the connection to the CyberArk Vault. The CyberArk Credential Provider is a component of the CyberArk Vault.

The CyberArk Credential Provider automatically configures the MaxConcurrentRequests parameter based on the number of BMC Discovery Event Condition Action (ECA) engines and threads of the installation machine. Because this setting is shared by all CyberArk Credential Providers used with BMC Discovery, you might need to update this value for all BMC Discovery systems for optimal performance. Additionally, you might also need to adjust performance settings within the CyberArk Enterprise Vault. For information about how to configure settings in CyberArk Vault, contact your CyberArk administrator.

Before you begin

Before you begin installing the CyberArk Credential Provider, make sure that the following requirements are completed:

  • You must have a CyberArk Vault installed and configured in your environment.
  • You must have the CyberArk Credential Provider archive for 64-bit Red Hat Enterprise Linux (RHELinux x64.zip) ready.
  • The CyberArk Credential Provider archive must be one of the following versions:

    | Credential Provider Archive version | Credential Provider RPM version | Version Support Notes |
    |---|---|---|
    | 9.6 | 9.60.0.9 | |
    | 9.7 | 9.70.0.3 | |
    | 9.8 and 9.9 | 9.80.0.85 | |
    | 9.9.5 | 9.95.0.42 | Supported on BMC Discovery 11.3.00.4 and later. Although the RPM version number is the same as the row below, to use the version 9.95.0.42 Credential Provider, you must use the 9.9.5 archive; otherwise the provider fails to upload. |
    | 9.10, 10.1, 10.2, 10.3, 10.4 | 9.95.0.42 | Not supported on BMC Discovery 11.3.00.4. Supported on BMC Discovery 11.3.00.5. |
    | 10.5, 10.6, 10.7, 10.8, 10.9 | 10.0.5.00.27 | Not supported on BMC Discovery 11.3.00.4. Supported on BMC Discovery 11.3.00.5. |

CyberArk Credential provider archive releases

A CyberArk Credential provider RPM is provided for each CyberArk release. Sometimes, it is identical to the previous version, but the archive version number is changed to reflect that of the release. Identical versions have identical RPM numbers; as a consequence, you cannot upgrade from some versions to others. If this is the case, the BMC Discovery UI does not show the Upgrade button.

Compatibility of Credential provider and CyberArk Vault

CyberArk version 9.x Vaults can accept connections from 9.x and 10.x Credential providers.

User permissions required for the installation

When you install the CyberArk Credential Provider, you are prompted to specify permissions for accessing the CyberArk vault. The user you specify must have the correct permissions within the vault. If the user has insufficient permissions, or if the password you specify is incorrect, the Provider environment will not be created correctly. You should use a user with Administrator privileges (see the installation section).

If this occurs, you must uninstall the CyberArk Credential Provider on the appliance, remove the Provider user in the vault, and then reinstall the CyberArk Credential Provider. Alternatively, you can ask your CyberArk administrator to correct the problem. For more information about reinstalling the CyberArk Credential Provider, see Reinstalling the CyberArk Credential Provider.

To prepare for installation by configuring the application name

To install the CyberArk Credential Provider, you must first configure the appliance name for your BMC Discovery installation. This is because the CyberArk integration uses this appliance name to create the provider user, which is later used for configuring access to the CyberArk Vaults (safe). The name that you specify for the appliance must follow specific naming conventions; for example, it should contain only numeric or alphanumeric characters.

If you provide wildcard characters or characters from other language scripts, CyberArk truncates those when creating the provider user.

As illustrated in the above screenshot, the appliance name R Hood-01 - 11.0.90.5 is truncated to Prov_RedHood after the integration is completed. All CyberArk Credential provider users created have a prefix of Prov_. For a cluster configuration, you see a unique Prov_ user created for each appliance in the cluster. Also, for a cluster configuration, you only need to install the CyberArk Credential provider on one appliance, and it is automatically configured and installed on the other members.

  1. Log in to BMC Discovery.
  2. From the main menu, select Administration > Appliance > Configuration.
  3. In the Name field, specify a unique name for the appliance.
    If a name is already specified for the appliance, make sure that it follows the naming convention as discussed in this section.

To install and configure the CyberArk Credential Provider connection

This section describes the steps to perform for installing and configuring the CyberArk Credential Provider connection.

  1. From the BMC Discovery main menu, click Administration.
  2. From the Discovery section, click Vault Management.
    The Vault Management page is displayed.
  3. Click the CyberArk tab.



  4. In the Credential Provider Archive field, click Upload.
    The Upload CyberArk Credential Provider archive window appears.
  5. In the File field, click Browse and navigate to the location where the Credential Provider zip file is stored in your environment, and click Upload.
    After you upload the archive, the screen refreshes. You can then configure the connection to the CyberArk server.
  6. In the CyberArk Vault Server field, perform the following steps:

    1. Click Configure and provide the following details:

      | Field Name | Description |
      |---|---|
      | Vault name | The name of the CyberArk Vault. This is simply a label, so it can be any descriptive name you choose. |
      | Address | The IP address (IPv4) of the host where CyberArk is installed. You can also specify the expanded name of the host instead of the IP address, such as <hostname>.<domain>.com. |
      | Port | The port number to use for connection with the host. Accept the default port number displayed in this field if you do not want any customization. |
      | Timeout | The duration of time, in seconds, for which the connection must be attempted. Accept the default timeout displayed in this field if you do not want any customization. |
    2. Click Apply to save.
      The connection information is now saved. You can configure additional options by uploading the CyberArk vault.ini file by using the Upload button. For more information about the CyberArk vault.ini files, see the CyberArk Vault documentation, or contact your CyberArk administrator. For troubleshooting, you can download the current vault.ini file by using the Download button.

  7. In the Credential Provider field, click Install and perform the following steps: 
    1. In the Install CyberArk Credential Provider window, check the Accept End User License Agreement box and provide the CyberArk administrator username and password.

    2. Click Install.
      The CyberArk Credential Provider is installed and started, and the screen refreshes to show the status.


      The connection to the CyberArk Vault is now configured. You may see a message similar to, "api.cyberark: ERROR: Installing CARKaim RPM: /var/tmp/rpm-tmp.vU7VBN: line 147: /usr/lib/lsb/install_initd: No such file or directory" in the Cluster Manager logs. You can safely ignore this error message.

To upgrade the CyberArk Credential Provider

This section describes the steps to perform for upgrading the CyberArk Credential Provider.

  1. From the BMC Discovery main menu, click Administration.
  2. From the Discovery section, click Vault Management.
    The Vault Management page is displayed.
  3. Click the CyberArk tab.
  4. In the Credential Provider Archive field, click Upload.
    The Upload CyberArk Credential Provider archive window appears.
  5. In the File field, click Browse and navigate to the location where the Credential Provider zip file is stored in your environment, and click Upload. After you upload the archive, the screen refreshes. 
    If you have uploaded a valid archive, an Upgrade button is provided in the Credential Provider Status field. 
  6. Click Upgrade.

  7. In the Upgrade CyberArk Credential Provider window, provide the CyberArk administrator username and password.

  8. Click Upgrade.
    The CyberArk Credential Provider is upgraded and started, and the screen refreshes to show the status.

To uninstall the CyberArk Credential Provider

This section describes the steps to perform for uninstalling the CyberArk Credential Provider.

  1. Uninstall the CyberArk Credential Provider from the machine on which it is installed.
  2. From the CyberArk Vault, remove the corresponding Provider user (Prov_appliancename).
    Otherwise, your attempts to reinstall on the same appliance will fail. The RPM installation reports no errors. However, when you click Install the service does not start.
  3. Click View Logs and examine the CreateEnv.log log.
    A log message of the form Owner Prov_appliancename already exists in Safe Safename, or Owner Prov_appliancename already exists in Safe Safename.
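
An added example, not BMC or CyberArk code: a Python script that scans saved log text for the two messages this page quotes, the stale Prov_ owner message from CreateEnv.log and the install_initd error from the Cluster Manager logs that can be ignored. The sample lines, their timestamps and the safe name ExampleSafe are constructed, and the function names triage and actions are hypothetical.

```python
import re

# Message forms quoted on this page. The rest of a real log line (timestamp,
# level) is not specified here, so both patterns are matched with search().
# Assumption: the safe name contains no spaces.
STALE_OWNER = re.compile(r"Owner (Prov_\S+) already exists in Safe (\S+)")
BENIGN_INITD = re.compile(
    r"Installing CARKaim RPM: .*install_initd: No such file or directory")


def triage(lines):
    """Sort provider install log lines into stale owners, benign noise, rest."""
    stale, ignored, review = set(), 0, []
    for line in lines:
        line = line.rstrip("\n")
        m = STALE_OWNER.search(line)
        if m:
            # Reinstall blocker: this Prov_ user is still an owner of the safe.
            stale.add((m.group(1), m.group(2).rstrip(".,")))
        elif BENIGN_INITD.search(line):
            ignored += 1          # documented on this page as safe to ignore
        elif "ERROR" in line:
            review.append(line)   # anything else needs a human to read it
    return {"stale": sorted(stale), "ignored": ignored, "review": review}


def actions(result):
    """Turn triage output into the remediation this page prescribes."""
    return [f"remove provider user {user} (owner of safe {safe}) in the vault, "
            "then reinstall" for user, safe in result["stale"]]


# Constructed sample: timestamps, the safe name and the last line are made up.
SAMPLE = [
    "2024-01-01 10:00:01 api.cyberark: ERROR: Installing CARKaim RPM: "
    "/var/tmp/rpm-tmp.vU7VBN: line 147: /usr/lib/lsb/install_initd: "
    "No such file or directory",
    "2024-01-01 10:00:05 Owner Prov_RedHood already exists in Safe ExampleSafe",
    "2024-01-01 10:00:05 Owner Prov_RedHood already exists in Safe ExampleSafe",
    "2024-01-01 10:00:06 api.cyberark: ERROR: constructed unrelated failure",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["ignored"], "benign line(s) skipped")
    for step in actions(result):
        print("ACTION:", step)
    for line in result["review"]:
        print("REVIEW:", line)
```
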

To reinstall the CyberArk Credential Provider

To reinstall the CyberArk Credential Provider, follow the steps outlined in the Installing the CyberArk Credential Provider section. However, make sure that you perform the installation prerequisites before you reinstall.

Where to go from here

Configuring the provider user



Comments

  1. Paolo Quaranta

    Hello, ADDM 11.3 is compatible with CyberArk Credential Provider 10.6?

    Jan 23, 2019 11:05
    1. Brice-emmanuel Loiseaux

      There is a bug with the CyberArk integration (DRUD1-24565) because some changes have been done on the CyberArk AIM provider in version 10.x. Discovery logic needs to adapt. This will be fixed in the coming 11.3 patch.

      Feb 27, 2019 01:50