Using CyberArk credentials for discovery
After configuring and testing the CyberArk integration, you can begin to use the credentials stored in the CyberArk Vault from the BMC Discovery Outpost. You add credentials that use CyberArk in the same way as you create other credentials. However, instead of a user name, password, or SSH key, you specify a CyberArk query that locates the appropriate credential. Your query must locate at most one credential. If it locates more than one credential, no credential is used.
Before you begin
Ensure that you have enabled and tested the CyberArk integration.
Windows Domain credentials in CyberArk
For Windows Domain credentials, ensure that you specify the domain in the Log On To: field in the CyberArk vault.
To configure BMC Helix Discovery to use CyberArk credentials
From the BMC Discovery Outpost main menu bar, select Manage > Credentials.
Click Add, specify the credential details, and select the check box for each credential type, for example, SSH and Windows.
Ensure that you have selected CyberArk Credential Provider from Vault source.
In the User: CyberArk Query field of the General section:
Enter the CyberArk query to locate a standard user name and password.
To use a custom username format such as username@fqdn, select Set Custom Username Format and enter the required format. In such a format, the CyberArk field names (for example, LogonDomain) correspond to the username, discovery, and the logon domain, bmc.com. The field names are case insensitive.
Based on how you have configured your device, you might need to provide additional CyberArk queries to fetch a specific IP address, for example, ssh Key or SNMP v2.
To fetch credentials for a specific IP address, enter the CyberArk query in the text box provided in the device type section.
The additional query is applicable to only the following device types.
|Device credentials||Details|
|UNIX||For credentials for which you switch to a different user with elevated credentials (su), you can specify an additional CyberArk query in that field. Select the Switch User? check box and enter the CyberArk query to locate the super user password.|
|SSH (with an SSH key)||In the ssh Key section, enter the CyberArk query to locate the key and select the Key check box. Ensure that the Password check box is not selected. You can also use a CyberArk query to locate the ssh key passphrase, if one is required.|
|SNMP v1/v2c||Enter the CyberArk query to locate the community string.|
|SNMP v3||Enter the CyberArk queries to locate the Authentication Key and the Private Key, as required.|
Click Apply to save the credential.
Using CyberArk with Cloud Credentials
You can use CyberArk queries to locate cloud credentials.
|Amazon Web Services||A CyberArk query can be used to locate an AWS Access Key ID and secret|
|Microsoft Azure||A CyberArk query can be used to locate an Azure Application ID and password|
CyberArk queries can also be used to locate credentials for the authenticating web proxies used by cloud credentials.
Rules for creating CyberArk queries
You use CyberArk queries to find appropriate CyberArk credential objects. The queries that you use depend on the way that your CyberArk Vault is configured. The following section explains a subset of the queries that you can create for the CyberArk Vault. For additional information about the CyberArk queries for testing the integration and extracting credentials from the CyberArk Vault, see the . Alternatively, you may contact your CyberArk administrator.
Your CyberArk query can include the following replacement markers:
The IP address being accessed. This may be IPv4 or IPv6.
This is the port being used for ssh, telnet, SNMP, and so on. For SQL queries this is the port on which the database instance is listening.
The type of access being requested, for example, ssh, snmp, or vsphere.
The version number for SNMP queries.
Formatted version of the IP address being accessed, suitable for use in URLs as defined by RFC 2732. For IPv4, the IP address is unchanged; for IPv6, the IP address is enclosed in square brackets.
The name of the device, as defined in DNS.
The fully qualified domain name of the device, as defined in DNS. If no fully qualified name is defined,
For database queries you can also reference the following, depending on the DBMS in use, for example
|The instance name (Microsoft SQL Server).|
|The service name (Oracle).|
|The database name.|
Use of DNS names in CyberArk queries is NOT recommended, as it requires a performant and reliable DNS server. Slow DNS queries will significantly increase scan times. Even with a fast DNS server scan times are impacted.
Where multiple names are defined for an IP address, BMC Helix Discovery will use the first name or FQDN returned by the DNS server, which may not be consistent, depending on the DNS server configuration.
Individual credentials per server in the CyberArk Vault
In this scenario, there is a separate credential for each server in CyberArk, which defines the user name and password needed to access that machine. Here, a single BMC Helix Discovery credential matching all IP addresses can be used, with a CyberArk query that fetches the actual user name and password for the IP address being accessed, for example:
If the credentials are held in a number of safes or folders then multiple BMC Helix Discovery credentials are required. For example, UNIX SSH credentials may be stored in a folder called SSH, and Windows credentials in a folder called Windows. Two BMC Helix Discovery credentials would be required, with the following queries:
One specific credential for BMC Helix Discovery
In this scenario, there are a limited number of credentials in CyberArk specifically for use by BMC Helix Discovery, possibly one for UNIX servers, another for Windows, and so on. In this case, you create multiple BMC Helix Discovery credentials, one for each CyberArk credential, and look each one up directly using its object name:
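The following Python script is an added example, not code from BMC or CyberArk, that models the query rules described above against a constructed in-memory stand-in for the Vault: replacement markers are expanded into a query template, the query is matched against vault objects with case-insensitive field names, and a query that selects zero or more than one object yields no credential. The marker spellings (%ip%, %port%, %type%, %snmpversion%, %urlip%), the Key=Value;Key=Value query form, the {FieldName} custom username syntax, and every safe, folder, address and password value are assumptions made for the example. It covers both the per-server lookup by address and the direct lookup by object name from the two scenarios above.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed stand-in for CyberArk Vault objects; values are made up for this example.
VAULT: List[Dict[str, str]] = [
    {"Safe": "Discovery", "Folder": "SSH", "Address": "10.0.0.5",
     "UserName": "discovery", "LogonDomain": "bmc.com", "Password": "pw-5"},
    {"Safe": "Discovery", "Folder": "Windows", "Address": "10.0.0.6",
     "UserName": "svc-disc", "LogonDomain": "bmc.com", "Password": "pw-6"},
    # Two objects share one address: a query keyed only on Address is ambiguous.
    {"Safe": "Discovery", "Folder": "SSH", "Address": "10.0.0.7",
     "UserName": "discovery", "Password": "pw-7a"},
    {"Safe": "Discovery", "Folder": "SSH", "Address": "10.0.0.7",
     "UserName": "root", "Password": "pw-7b"},
    # One credential shared by all UNIX servers, looked up by object name.
    {"Safe": "Discovery", "Object": "Discovery-UNIX",
     "UserName": "discovery", "Password": "pw-unix"},
]


def url_host(ip: str) -> str:
    """RFC 2732 form of an address: IPv6 in square brackets, IPv4 unchanged."""
    return f"[{ip}]" if ipaddress.ip_address(ip).version == 6 else ip


def expand(template: str, ip: str, port: int, access_type: str,
           snmp_version: str = "") -> str:
    """Substitute replacement markers (hypothetical spellings) into a query template."""
    values = {
        "%ip%": ip,                      # address being accessed, IPv4 or IPv6
        "%port%": str(port),             # port for ssh, telnet, SNMP, DB listener, ...
        "%type%": access_type,           # ssh, snmp, vsphere, ...
        "%snmpversion%": snmp_version,   # SNMP version number
        "%urlip%": url_host(ip),         # address formatted for use in a URL
    }
    return re.sub(r"%[A-Za-z]+%",
                  lambda m: values.get(m.group(0).lower(), m.group(0)), template)


def parse_query(query: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; keys are lower-cased because
    CyberArk field names are case insensitive."""
    parsed: Dict[str, str] = {}
    for part in query.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed query term: {part!r}")
        parsed[key.strip().lower()] = value.strip()
    return parsed


def lookup(query: str, vault: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the single vault object the query selects, or None.
    Zero matches and more than one match both give None, mirroring the rule
    that a query locating more than one credential results in no credential."""
    wanted = parse_query(query)
    matches = []
    for obj in vault:
        fields = {k.lower(): v for k, v in obj.items()}
        if all(fields.get(k) == v for k, v in wanted.items()):
            matches.append(obj)
    return matches[0] if len(matches) == 1 else None


def custom_username(fmt: str, obj: Dict[str, str]) -> str:
    """Build a login name such as username@fqdn from vault fields using a
    hypothetical {FieldName} placeholder syntax; field names are case insensitive."""
    fields = {k.lower(): v for k, v in obj.items()}

    def sub(m: "re.Match[str]") -> str:
        name = m.group(1).lower()
        if name not in fields:
            raise KeyError(f"vault object has no field {m.group(1)!r}")
        return fields[name]

    return re.sub(r"\{([A-Za-z]+)\}", sub, fmt)


def resolve(template: str, ip: str, port: int, access_type: str,
            vault: List[Dict[str, str]] = VAULT) -> Optional[Dict[str, str]]:
    """Expand the template for one target and look the credential up."""
    return lookup(expand(template, ip, port, access_type), vault)


if __name__ == "__main__":
    per_server = "Safe=Discovery;Folder=SSH;Address=%ip%"
    print(resolve(per_server, "10.0.0.5", 22, "ssh"))   # one match -> object
    print(resolve(per_server, "10.0.0.7", 22, "ssh"))   # two matches -> None
    print(resolve("Safe=Discovery;Object=Discovery-UNIX", "10.0.0.9", 22, "ssh"))
    print(custom_username("{UserName}@{logondomain}", VAULT[0]))
```

The ambiguous case for 10.0.0.7 is the one to watch for in practice: adding a narrowing term such as UserName to the query restores a unique match, whereas leaving it as is silently produces no credential for that host.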