Installing the CyberArk Credential Provider
To integrate BMC Discovery with CyberArk Vault, you need to install the CyberArk Credential Provider, also known as the Credential Provider, on the BMC Discovery appliance and then configure the connection to the CyberArk Vault. The CyberArk Credential Provider is a component of the CyberArk Vault.
The CyberArk Credential Provider automatically configures the MaxConcurrentRequests parameter based on the number of BMC Discovery Event Condition Action (ECA) engines and threads of the installation machine. Because this setting is shared by all CyberArk Credential Providers used with BMC Discovery, you might need to update this value for all BMC Discovery systems for optimal performance. Additionally, you might also need to adjust performance settings within the CyberArk Enterprise Vault. For information about how to configure settings in CyberArk Vault, contact your CyberArk administrator.
Before you begin
Before you begin installing the CyberArk Credential Provider, make sure that the following requirements are met:
- You must have a CyberArk Vault installed and configured in your environment.
- You must have the CyberArk Credential Provider archive for 64-bit Red Hat Enterprise Linux (RHELinux x64.zip) ready.
The CyberArk Credential Provider archive must be one of the following versions:
| Credential Provider Archive version | Credential Provider RPM version | Version Support Notes |
|---|---|---|
| 9.6 | 9.60.0.9 | |
| 9.7 | 9.70.0.3 | |
| 9.8 and 9.9 | 9.80.0.85 | |
| 9.9.5 | 9.95.0.42 | Supported on BMC Discovery 11.3.00.4 and later. Although the RPM version number is the same as the row below, to use the version 9.95.0.42 Credential Provider, you must use the 9.9.5 archive; otherwise the provider fails to upload. |
| 9.10, 10.1, 10.2, 10.3, 10.4 | 9.95.0.42 | Not supported on BMC Discovery 11.3.00.4. Supported on BMC Discovery 11.3.00.5. |
| 10.5, 10.6, 10.7, 10.8, 10.9 | 10.0.5.00.27 | Not supported on BMC Discovery 11.3.00.4. Supported on BMC Discovery 11.3.00.5. |
CyberArk Credential provider archive releases
A CyberArk Credential provider RPM is provided for each CyberArk release. Sometimes it is identical to the previous version, but the archive version number is changed to reflect that of the release. Identical versions have identical RPM numbers; as a consequence, you cannot upgrade from some versions to others. If this is the case, the BMC Discovery UI does not show the Upgrade button.
Compatibility of Credential provider and CyberArk Vault
CyberArk version 9.x Vaults can accept connections from 9.x and 10.x Credential providers.
User permissions required for the installation
When you install the CyberArk Credential Provider, you are prompted to specify permissions for accessing the CyberArk vault. The user you specify must have the correct permissions within the vault. If the user has insufficient permissions, or if the password you specify is incorrect, the Provider environment will not be created correctly. You should use a user with Administrator privileges (see the installation section).
If this occurs, you must uninstall the CyberArk Credential Provider on the appliance, remove the Provider user in the vault, and then reinstall the CyberArk Credential Provider. Alternatively, you can ask your CyberArk administrator to correct the problem. For more information about reinstalling the CyberArk Credential Provider, see Reinstalling the CyberArk Credential Provider.
To prepare for installation by configuring the appliance name
To install the CyberArk Credential Provider, you must first configure the appliance name for your BMC Discovery installation. The CyberArk integration uses this appliance name to create the provider user, which is later used for configuring access to the CyberArk Vaults (safe). The name that you specify for the appliance must follow specific naming conventions; for example, it should contain only numeric or alphanumeric characters.
If you provide wildcard characters or characters from other language scripts, CyberArk truncates those when creating the provider user.
As illustrated in the above screenshot, the appliance name R Hood-01 - 11.0.90.5 is truncated to Prov_RedHood after the integration is completed. All CyberArk Credential provider users created have a prefix of Prov_. For a cluster configuration, you see a unique Prov_ user created for each appliance in the cluster. Also, for a cluster configuration, you only need to install the CyberArk Credential provider on one appliance, and it is automatically configured and installed on the other members.
- Log in to BMC Discovery.
- From the main menu, select Administration > Appliance > Configuration.
- In the Name field, specify a unique name for the appliance.
If a name is already specified for the appliance, make sure that it follows the naming convention as discussed in this section.
To install and configure the CyberArk Credential Provider connection
This section describes the steps to perform for installing and configuring the CyberArk Credential Provider connection.
- From the BMC Discovery main menu, click Administration.
- From the Discovery section, click Vault Management.
The Vault Management page is displayed.
- Click the CyberArk tab.
- In the Credential Provider Archive field, click Upload.
The Upload CyberArk Credential Provider archive window appears.
- In the File field, click Browse and navigate to the location where the Credential Provider zip file is stored in your environment, and click Upload.
After you upload the archive, the screen refreshes. You can then configure the connection to the CyberArk server.
- In the CyberArk Vault Server field, perform the following steps:
Click Configure and provide the following details:

| Field Name | Description |
|---|---|
| Vault name | The name of the CyberArk Vault. This is simply a label, so it can be any descriptive name you choose. |
| Address | The IP address (IPv4) of the host where CyberArk is installed. You can also specify the expanded name of the host instead of the IP address, such as <hostname>.<domain>.com. |
| Port | The port number to use for connection with the host. Accept the default port number displayed in this field if you do not want any customization. |
| Timeout | The duration of time, in seconds, for which the connection must be attempted. Accept the default timeout displayed in this field if you do not want any customization. |

Click Apply to save.
The connection information is now saved. You can configure additional options by uploading the CyberArk vault.ini file by using the Upload button. For more information about the CyberArk vault.ini files, see the CyberArk Vault documentation, or contact your CyberArk administrator. For troubleshooting, you can download the current vault.ini file by using the Download button.
- In the Credential Provider field, click Install and perform the following steps:
In the Install CyberArk Credential Provider window, check the Accept End User License Agreement box and provide the CyberArk administrator username and password.
Click Install.
The CyberArk Credential Provider is installed and started, and the screen refreshes to show the status.
The connection to the CyberArk Vault is now configured. You may see a message similar to "api.cyberark: ERROR: Installing CARKaim RPM: /var/tmp/rpm-tmp.vU7VBN: line 147: /usr/lib/lsb/install_initd: No such file or directory" in the Cluster Manager logs. You can safely ignore this error message.
To upgrade the CyberArk Credential Provider
This section describes the steps to perform for upgrading the CyberArk Credential Provider.
- From the BMC Discovery main menu, click Administration.
- From the Discovery section, click Vault Management.
The Vault Management page is displayed.
- Click the CyberArk tab.
- In the Credential Provider Archive field, click Upload.
The Upload CyberArk Credential Provider archive window appears.
- In the File field, click Browse and navigate to the location where the Credential Provider zip file is stored in your environment, and click Upload.
After you upload the archive, the screen refreshes.
If you have uploaded a valid archive, an Upgrade button is provided in the Credential Provider Status field. Click Upgrade.
In the Upgrade CyberArk Credential Provider window, provide the CyberArk administrator username and password.
Click Upgrade.
The CyberArk Credential Provider is upgraded and started, and the screen refreshes to show the status.
To uninstall the CyberArk Credential Provider
This section describes the steps to perform for uninstalling the CyberArk Credential Provider.
- Uninstall the CyberArk Credential Provider from the machine on which it is installed.
- From the CyberArk Vault, remove the corresponding Provider user (Prov_appliancename).
Otherwise, your attempts to reinstall on the same appliance will fail. The RPM installation reports no errors. However, when you click Install, the service does not start.
- Click View Logs and examine the CreateEnv.log log.
A log message of the form "Owner Prov_appliancename already exists in Safe Safename", or "Owner Prov_appliancename already exists in SafeSafename".
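A triage sketch for the two log messages this page quotes, the ignorable install_initd error from installation and the "Owner Prov_... already exists in Safe ..." message seen after a failed reinstall. This is an added example, not BMC or CyberArk code; the sample lines are constructed, and any timestamp or prefix around the quoted message text is an assumption.

```python
import re

# Message forms quoted on this page; any timestamp or prefix around them is assumed.
BENIGN_INITD = re.compile(
    r"api\.cyberark: ERROR: Installing CARKaim RPM: .*"
    r"/usr/lib/lsb/install_initd: No such file or directory"
)
STALE_OWNER = re.compile(r"Owner (Prov_\S+) already exists in Safe\s*([^\s.,]+)")

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOG = [
    "10:00:01 api.cyberark: ERROR: Installing CARKaim RPM: /var/tmp/rpm-tmp.vU7VBN: "
    "line 147: /usr/lib/lsb/install_initd: No such file or directory",
    "10:00:05 Owner Prov_RedHood already exists in Safe ExampleSafe",
    "10:00:05 Owner Prov_RedHood already exists in Safe ExampleSafe",
    "10:00:06 ERROR: constructed failure line that matches no known pattern",
    "10:00:07 INFO: constructed informational line",
]


def triage(lines):
    """Sort log lines into ignorable, stale-Provider-user, and needs-review buckets."""
    result = {"ignore": [], "stale_owner": [], "review": []}
    for lineno, line in enumerate(lines, 1):
        stale = STALE_OWNER.search(line)
        if stale:
            pair = (stale.group(1), stale.group(2))
            if pair not in result["stale_owner"]:  # report each user/safe once
                result["stale_owner"].append(pair)
        elif BENIGN_INITD.search(line):
            result["ignore"].append(lineno)
        elif "ERROR" in line:
            result["review"].append(lineno)
    return result


def remediation(result):
    """Turn triage output into the clean-up steps this page prescribes."""
    steps = [
        f"Uninstall the Credential Provider, remove Provider user {user} "
        f"from the Vault (log names Safe {safe}), then reinstall."
        for user, safe in result["stale_owner"]
    ]
    if result["review"]:
        steps.append(f"Review unclassified ERROR lines: {result['review']}")
    return steps


if __name__ == "__main__":
    for step in remediation(triage(SAMPLE_LOG)):
        print(step)
```
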
To reinstall the CyberArk Credential Provider
To reinstall the CyberArk Credential Provider, follow the steps outlined in the Installing the CyberArk Credential Provider section. However, make sure that you perform the installation prerequisites before you reinstall.
Comments
Hello, ADDM 11.3 is compatible with CyberArk Credential Provider 10.6?
There is a bug with the CyberArk integration (DRUD1-24565) because some changes have been made to the CyberArk AIM provider in version 10.x. Discovery logic needs to adapt. This will be fixed in the coming 11.3 patch.