Using CyberArk credentials for discovery

After configuring and testing the CyberArk integration, you can begin to use those credentials that are stored in the CyberArk Vault from BMC Discovery. You can start adding BMC Discovery device login credentials that use CyberArk in the same way as you create other credentials. However, you need to specify a CyberArk query that locates the appropriate credential, instead of a user name, password, or SSH key. Your query must locate only one credential at the most. If it locates more than one credential, no credential is used.

Before you begin

Ensure that you have enabled and tested the CyberArk integration.

To configure BMC Discovery to use CyberArk credentials

From the BMC Discovery main menu bar, or from the BMC Discovery Outpost main menu bar select Manage > Credentials.
Click Add and specify the credential details, and check the credential type box, for example, ssh, and Windows.
Tip
Make sure that you leave the user name and password fields empty.
In the CyberArk field of the General section, enter the CyberArk query to locate a standard user name and password.
Based on how you have configured your device, you might need to provide additional CyberArk queries to fetch a specific IP address, for example, ssh Key or SNMP v2.

To fetch credentials for a specific IP address, enter the CyberArk query in the text box provided in the device type section.
The additional query is applicable to only the following device types.

Device credentials	Details
UNIX	For credentials for which you switch to a different user with elevated credentials (su), you can specify an additional CyberArk query in that field. Select the Switch User? check box and enter the CyberArk query to locate the super user password.
SSH (with an SSH key)	In the ssh Key section, enter the CyberArk query to locate the key and select the Key checkbox. Ensure the Password check box is not selected. You can also use a CyberArk query to locate the ssh key passphrase, if one is required.
SNMP v1/v2c	Enter the CyberArk query to locate the community string.
SNMP v3	Enter the CyberArk queries to locate the Authentication Key and the Private Key, as required.

Click Apply to save the credential.

Using CyberArk with Cloud Credentials

You can use CyberArk queries to locate cloud credentials.

Cloud Provider	Details
Amazon Web Services	A CyberArk query can be used to locate an AWS Access Key ID and secret
Microsoft Azure	A CyberArk query can be used to locate an Azure Application ID and password

CyberArk queries can also be used to locate credentials for the authenticating web proxies used by cloud credentials.

Rules for creating CyberArk queries

You use CyberArk queries to find appropriate CyberArk credential objects. The queries that you use depend on the way that your CyberArk Vault is configured. The following section explains a subset of the queries that you can create for the CyberArk Vault. For additional information about the CyberArk queries for testing the integration and extracting credentials from the CyberArk Vault, see the CyberArk Vault documentation. Alternatively, you may contact your CyberArk administrator.

Your CyberArk query can include the following replacement markers:

Marker	Description
%ip%	The IP address being accessed. This may be IPv4 or IPv6.
%port%	This is the port being used for ssh, telnet, SNMP, and so on. For SQL queries this is the port on which the database instance is listening.
%type%	The type of access being requested, for example, ssh, snmp, or vsphere.
%version%	The version number for SNMP queries.
%formatted_ip%	Formatted version of the IP address being accessed, suitable for use in URLs as defined by RFC2732. For IPv4, the IP address is unchanged, for IPv6 the IP address will be enclosed in square brackets.
%devicename%	The name of the device, as defined in DNS.
%fdqn%	The fully qualified domain name of the device, as defined in DNS. If no fully qualified name is defined, %fdqn% will have the same value as %devicename%.
For database queries you can also reference the following, depending on the DBMS in use, for example %instance_name% for Microsoft SQL Server, %sid% and %service% for Oracle:
%instance_name%	The instance name (Microsoft SQL Server).
%sid%	The service name (Oracle).
%service%	The service name (Oracle).
%database%	The database name.

Note

Use of DNS names in CyberArk queries is NOT recommended, as it requires a performant and reliable DNS server. Slow DNS queries will significantly increase scan times. Even with a fast DNS server scan times are impacted.

Where multiple names are defined for an IP address, BMC Discovery will use the first name or FQDN returned by the DNS server, which may not be consistent, depending on the DNS server configuration.

Individual credentials per server in the CyberArk Vault

In this scenario there is a separate credential for each server in CyberArk which defines the user name and password needed to access that machine. Here, a single BMC Discovery credential matching all IP addresses could be used, with a CyberArk query to fetch the actual user name and password (for example) IP address:

Safe=XXX;Folder=Root;Address=%ip%

If the credentials are held in a number of safes or folders then multiple BMC Discovery credentials are required. For example, UNIX SSH credentials may be stored in a folder called SSH, and Windows credentials in a folder called Windows. Two BMC Discovery credentials would be required, with the following queries:

Safe=XXX;Folder=SSH;Address=%ip%

Safe=XXX;Folder=Windows;Address=%ip%

One specific credential for BMC Discovery

In this scenario, there are a limited number of credentials in CyberArk specifically for use by BMC Discovery. Possibly one for UNIX servers, another for Windows, and so on. You can create a BMC Discovery credential for each. In this case, we would create multiple BMC Discovery credentials, one for each CyberArk credential and look it up directly using the object name :

Object=Operating System-UnixSSHKeys-username