Integrating with CyberArk Enterprise Password Vault

CyberArk Enterprise Password Vault (CyberArk Vault) is a third-party application that enables you to centrally manage credentials for the various systems installed in your environment. BMC Discovery provides an integration with CyberArk Vault to obtain the credentials required to perform scans.

The integration removes the need for a separate import or export step to obtain the credentials stored in CyberArk Vault. CyberArk Vault also enables you to apply the password management policies that your organization requires.

Note

CyberArk uses the term Vault to refer to the CyberArk server component, which holds information securely (All "Safes" reside in the Vault). This should not be confused with the BMC Discovery Vault.

Process overview

Task 1. In the BMC Discovery application, first install the AIM provider component.
   Reference: Installing the CyberArk Application Identity Manager (AIM) Provider

Task 2. In the CyberArk Vault, configure the AIM provider user to prepare BMC Discovery to get the credentials from CyberArk.
   Reference: Configuring the AIM provider user

Task 3. In the CyberArk application, set up the first-time user and subsequent users as required. The user that you create first is used to give access to the CyberArk Vault (Safe). The subsequent users are defined for access from specific BMC Discovery appliances.
   Reference: Configuring access to CyberArk Vault

Task 4. In BMC Discovery, complete the integration configuration by enabling and testing the connection.

Task 5. After the connection is successful, configure BMC Discovery credentials that fetch their credentials from CyberArk. Instead of entering a username and password, you specify a query that retrieves them.
   Reference: Configuring BMC Discovery to use CyberArk credentials

See this video (4:40) for a demonstration of the integration between BMC Discovery and the CyberArk Vault.

https://youtu.be/WTLoGGOrnUg

CyberArk log files

The CyberArk AIM provider writes a number of log files, depending on the AIM provider version.

A fresh install of AIM provider version 10.4 and earlier uses the following log files:

  • Casos.Activity.log
  • Casos.Debug.log
  • Casos.Error.log

A fresh install of AIM provider version 10.5 and later uses only the following log file:

  • CreateEnv.log

If you upgrade the AIM provider from 10.4 or earlier to 10.5 or later, the AIM provider writes messages only to the CreateEnv.log file. It does not delete the existing Casos.Activity.log, Casos.Debug.log, and Casos.Error.log files. To view CreateEnv.log from the command line, you must be logged in as the root user.

CyberArk Vault log settings

Busy BMC Discovery systems fetch many credentials from the CyberArk Vault and as a result create many log file entries. On such systems, the default CyberArk log retention policies may allow the logs, which are stored on the BMC Discovery appliance, to grow very large and fill the available disk space. You can prevent this by changing the following log retention settings to a shorter period than the default, for example seven days:

  • OldLogsRetention
  • OldAuditLogsRetention

You can change these settings in the CyberArk Vault. See the CyberArk documentation for details on how to do this.
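The following shell script is an added example for this page; it is not BMC Discovery or CyberArk code. It audits the AIM provider log files named above on a BMC Discovery appliance for the two problems described: log files growing until they fill the disk, and Casos.*.log files left behind after an upgrade from AIM 10.4 or earlier. The page does not give the AIM provider log directory, so AIM_LOG_DIR is a placeholder you must replace; the 7-day and 100 MB thresholds are illustrative, with 7 days matching the retention period suggested above.

```shell
#!/bin/sh
# Added example (not BMC Discovery or CyberArk code): audit the CyberArk AIM
# provider log files on a BMC Discovery appliance for unbounded growth and for
# stale Casos.*.log files left behind after an upgrade.
#
# Assumption: the AIM provider log directory is not stated on the page, so
# AIM_LOG_DIR is a placeholder that must be replaced with the real path.
AIM_LOG_DIR="${AIM_LOG_DIR:-/PLACEHOLDER/aim-provider/logs}"

# Log file names from the page: Casos.* for AIM 10.4 and earlier,
# CreateEnv.log for AIM 10.5 and later.
AIM_LOG_NAMES="Casos.Activity.log Casos.Debug.log Casos.Error.log CreateEnv.log"

# aim_log_report DIR MAX_AGE_DAYS MAX_SIZE_KB
# Prints one line per known log file. Returns 1 if any file is larger than
# MAX_SIZE_KB (growth problem) or has not been written for more than
# MAX_AGE_DAYS (stale leftover, or retention not taking effect), 0 if all
# files are fine or absent, and 2 if DIR does not exist.
aim_log_report() {
    dir="$1"; max_days="$2"; max_kb="$3"; flagged=0
    [ -d "$dir" ] || { echo "log directory not found: $dir" >&2; return 2; }
    for name in $AIM_LOG_NAMES; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            # Absent files are normal: a fresh 10.5+ install has only CreateEnv.log
            echo "absent  $name"
            continue
        fi
        size_kb=$(( $(wc -c < "$f") / 1024 ))
        status=""
        # find prints the path only when the file is older than max_days
        if [ -n "$(find "$f" -mtime +"$max_days")" ]; then
            status="STALE(>${max_days}d)"; flagged=$((flagged + 1))
        fi
        if [ "$size_kb" -gt "$max_kb" ]; then
            status="${status:+$status }LARGE(${size_kb}KB>${max_kb}KB)"
            flagged=$((flagged + 1))
        fi
        echo "${status:-ok}  $name  ${size_kb}KB"
    done
    # Exit status: 0 when nothing was flagged, 1 otherwise
    [ "$flagged" -eq 0 ]
}

# Usage: run with --run on the appliance (7-day age limit, 100 MB size limit)
if [ "${1:-}" = "--run" ]; then
    aim_log_report "$AIM_LOG_DIR" 7 102400
fi
```

A non-zero exit status makes the script usable from cron or a monitoring agent: a LARGE line means the retention settings above have not been shortened enough for the appliance's scan volume, and a STALE Casos.*.log line after an upgrade to 10.5 or later identifies a leftover file that the provider no longer writes to and that can be archived or removed.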
