Page tree
    Skip to end of metadata
    Go to start of metadata

    CyberArk Enterprise Password Vault (CyberArk Vault) is a third-party application, which enables you to centrally manage credentials for the various systems that are installed in your environment. BMC Discovery provides an integration with CyberArk Vault to obtain credentials that are required to perform scans. 

    The integration eliminates the need for performing duplicate tasks of using an external import or export mechanism to obtain the credentials that are stored in CyberArk Vault. The CyberArk Vault also enables you to employ the password management policies required for your organization. 


    CyberArk uses the term Vault to refer to the CyberArk server component, which holds information securely (All "Safes" reside in the Vault). This should not be confused with the BMC Discovery Vault.

    To integrate CyberArk Vault with BMC Discovery

    1. Install the CyberArk Application Identity Manager (AIM) Provider – In the BMC Discovery application, first install the AIM provider component.
    2. In the CyberArk Vault, configure the AIM provider user to prepare BMC Discovery to get the credentials from CyberArk.
    3. Enable and test CyberArk Integration from BMC Discovery – In BMC Discovery, complete the integration configuration by enabling and testing the connection.
    4. Configure BMC Discovery to use CyberArk credentials – After the connection is successful, you configure BMC Discovery credentials in that fetch credentials from CyberArk. Instead of using a username and password, you use a query to perform the task.

    See this video (4:40) for a demonstration of the integration between BMC Discovery and the CyberArk Vault. 

    CyberArk logging

    The CyberArk AIM writes a number of log files, depending on the AIM provider version. 

    A fresh install of AIM provider versions 10.4 and earlier use the following log files:

    • Casos.Debug.log  

    A fresh install of the AIM provider version 10.5 and later only use the following log file:

    • CreateEnv.log

    If you upgrade the AIM provider from 10.4 and earlier to 10.5 and later, the AIM provider only writes messages to the CreateEnv.log file. It does not delete the existing Casos.Activity.logCasos.Debug.log, and Casos.Error.log files. To view the CreateEnv.log from the command line, you must be logged in as the root user.

    CyberArk Vault log settings

    Busy BMC Discovery systems take many credentials from the CyberArk Vault and as a result create many log file entries. In such systems, the default CyberArk log retention policies may allow the logs, which are stored on the BMC Discovery appliance, to become very large and fill up available disk space. You can prevent this happening by changing the following log retention settings to a shorter time than the default, for example, change them to seven days:

    • OldLogsRetention
    • OldAuditLogsRetention

    You can change these settings in the CyberArk Vault. See the CyberArk documentation for details on how to do this.

    Related topics