This documentation supports the 21.05 (12.2) version of BMC Discovery. To view an earlier version of the product, select the version from the Product version menu.

Installing the CyberArk Credential Provider on an appliance


To integrate BMC Discovery with CyberArk Vault, you need to install the CyberArk Credential Provider, also known as the Credential Provider, on the BMC Discovery appliance and then configure the connection to the CyberArk Vault. The CyberArk Credential Provider is a component of the CyberArk Vault.

The CyberArk Credential Provider automatically configures the MaxConcurrentRequests parameter based on the number of BMC Discovery Event Condition Action (ECA) engines and threads of the installation machine. Because this setting is shared by all CyberArk Credential Providers used with BMC Discovery, you might need to update this value for all BMC Discovery systems for optimal performance. Additionally, you might also need to adjust performance settings within the CyberArk Enterprise Vault. For information about how to configure settings in CyberArk Vault, contact your CyberArk administrator.

Note

You must avoid installing software using RPM commands. In addition to installing the third-party software, RPM commands are very likely to update system libraries to versions that are incompatible with those currently in use, or that become incompatible when the operating system or the BMC Discovery application is updated later.

Before you begin

Before you begin installing the CyberArk Credential Provider, make sure that the following requirements are completed:

  • You must have a CyberArk Vault installed and configured in your environment.
  • You must have the CyberArk Credential Provider archive for 64-bit Red Hat Enterprise Linux (AAM-RHELinux-Intel64-Rls-v12.4.1.zip, or AAM-RHELinux-Intel64-Rls-v10.10.14.zip) ready.

Credential Providers

Upgrade the Credential Providers to version 12.4.1.9 or 10.10.14 according to the upgrade instructions in CyberArk's online documentation. See the table below for details. To verify your current version of the Credential Provider, open the CyberArk Password Vault Web Access (PVWA) health dashboard and check the Credential Providers component.

| Credential Provider Archive version | Supported versions of BMC Discovery |
|---|---|
| 12.4.1 | 22.1 (12.4) and its patches. |
| 10.10.14 (LTS version) | 20.02 (12.0) patch 6, 20.08 (12.1) patch 4, 21.05 (12.2) patch 5, and 21.3 (12.3) patch 3 are fully tested and supported. Previous patches have not been tested with this version, but are expected to work. |

When installing 10.10.14, BMC Discovery displays warnings that the version is not recommended. These warnings are incorrect and can be ignored.

When upgrading to the 10.10.14 (LTS version), on BMC Discovery 20.02 (12.0) patch 6, 20.08 (12.1) patch 4, 21.05 (12.2) patch 5, and 21.3 (12.3) patch 3, you must restart the services to load CyberArk and complete the installation.

CyberArk Credential provider archive releases

A CyberArk Credential provider RPM is provided for each CyberArk release. Sometimes, it is identical to the previous version, but the archive version number is changed to reflect that of the release. Identical versions have identical RPM numbers; as a consequence, you cannot upgrade from some versions to others. If this is the case, the BMC Discovery UI does not show the Upgrade button.

User permissions required for the installation

When you install the CyberArk Credential Provider, you are prompted to specify permissions for accessing the CyberArk vault. The user you specify must have the correct permissions within the vault. If the user has insufficient permissions, or if the password you specify is incorrect, the Provider environment will not be created correctly. You should use a user with Administrator privileges (see the installation section).

If this occurs, you must uninstall the CyberArk Credential Provider on the appliance, remove the Provider user in the vault, and then reinstall the CyberArk Credential Provider. Alternatively, you can ask your CyberArk administrator to correct the problem. For more information about reinstalling the CyberArk Credential Provider, see Reinstalling the CyberArk Credential Provider.

To prepare for installation by configuring the appliance name

To install the CyberArk Credential Provider, you must first configure the appliance name for your BMC Discovery installation. This is because the CyberArk integration uses this appliance name to create the provider user, which is later used for configuring access to the CyberArk Vaults (safe). The name that you specify for the appliance must follow specific naming conventions; for example, it should contain only numeric or alphanumeric characters.

If you provide wildcard characters or characters from other language scripts, CyberArk truncates those when creating the provider user. For example, the appliance name RedHood-01 - 12.0 is truncated to Prov_RedHood after the integration is completed. All CyberArk Credential provider users created have a prefix of Prov_. For a cluster configuration, you see a unique Prov_ user created for each appliance in the cluster. Also for a cluster configuration, you only need to install the CyberArk Credential provider on one appliance and it is automatically configured and installed on the other members.

  1. Log in to BMC Discovery.
  2. From the main menu, select Administration > Appliance > Configuration.
  3. In the Name field, specify a unique name for the appliance.
    If a name is already specified for the appliance, make sure that it follows the naming convention as discussed in this section.
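The following added example (not part of the BMC or CyberArk documentation) checks a set of appliance names before installation and reports which ones would be truncated and which would map to the same Prov_ user. The truncation rule used here, keeping only the leading run of ASCII letters and digits, is an assumption inferred from the single RedHood example above; the function names and the sample cluster are hypothetical.

```python
import re
from collections import defaultdict

PREFIX = "Prov_"  # prefix the page says every provider user carries


def predicted_provider_user(appliance_name: str) -> str:
    """Predict the provider user for an appliance name.

    ASSUMPTION: the name is cut at the first character that is not an
    ASCII letter or digit. This matches the page's example
    ("RedHood-01 - 12.0" -> "Prov_RedHood") but is not a documented rule.
    """
    head = re.match(r"[A-Za-z0-9]*", appliance_name).group(0)
    return PREFIX + head


def audit_names(appliance_names):
    """Return (findings, collisions) for a list of appliance names.

    findings   - (name, predicted_user, reason) for non-conforming names
    collisions - predicted_user -> names that would share that user
    """
    findings = []
    by_user = defaultdict(list)
    for name in appliance_names:
        user = predicted_provider_user(name)
        by_user[user].append(name)
        if user == PREFIX:
            findings.append((name, user, "no leading alphanumeric characters"))
        elif user != PREFIX + name:
            findings.append((name, user, "name would be truncated"))
    collisions = {u: n for u, n in by_user.items() if len(n) > 1}
    return findings, collisions


# Constructed sample: three members of one cluster.
CLUSTER = ["RedHood-01 - 12.0", "RedHood-02 - 12.0", "Discovery03"]

if __name__ == "__main__":
    findings, collisions = audit_names(CLUSTER)
    for name, user, reason in findings:
        print(f"{name!r}: {reason}, predicted user {user}")
    for user, names in collisions.items():
        print(f"{user} would be shared by: {', '.join(names)}")
```

Names reported as colliding are the ones to rename first, because the page expects each appliance in a cluster to have its own Prov_ user.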

To install and configure the CyberArk Credential Provider connection

This section describes the steps to perform for installing and configuring the CyberArk Credential Provider connection.

  1. From the BMC Discovery main menu, click Administration.
  2. From the Discovery section, click Vault Management.
    The Vault Management page is displayed.
  3. Click the CyberArk Credential Provider tab.

  4. In the Credential Provider Archive field, click Upload.
    The Upload CyberArk Credential Provider archive window appears.
  5. In the File field, click Choose File, navigate to the location where the Credential Provider zip file is stored in your environment, and click Upload.
    After you upload the archive, the screen refreshes. You can then configure the connection to the CyberArk server.
  6. In the CyberArk Vault Server field, perform the following steps:
    1. Click Configure and provide the following details:

      | Field Name | Description |
      |---|---|
      | Vault name | The name of the CyberArk Vault. This is simply a label, so can be any descriptive name you choose. |
      | Address | The IP address (IPv4) of the host where CyberArk is installed. You can also specify the expanded name of the host instead of the IP address, such as, <hostname>.<domain>.com. |
      | Port | The port number to use for connection with the host. Accept the default port number displayed in this field if you do not want any customization. |
      | Timeout | The duration of time, in seconds, for which the connection must be attempted. Accept the default timeout displayed in this field if you do not want any customization. |

    2. Click Enable and Apply to save.
      The connection information is now saved. You can configure additional options by uploading the CyberArk vault.ini file by using the Upload button. For more information about the CyberArk vault.ini files, see the CyberArk Vault documentation, or contact your CyberArk administrator. For troubleshooting, you can download the current vault.ini file by using the Download button.
  7. In the Credential Provider field, click Install and perform the following steps: 
    1. In the Install CyberArk Credential Provider window, check the Accept End User License Agreement box and provide the CyberArk administrator username and password.
    2. Click Install.
    3. Select Enabled, and then click Apply. The integration will then be enabled.
      The CyberArk Credential Provider is installed and started, and the screen refreshes to show the status.

    4. You can now test the connection and permissions by using the Test query button.

The connection to the CyberArk Vault is now configured. You may see a message similar to, "api.cyberark: ERROR: Installing CARKaim RPM: /var/tmp/rpm-tmp.vU7VBN: line 147: /usr/lib/lsb/install_initd: No such file or directory" in the Cluster Manager logs. You can safely ignore this error message.

CyberArk Vault log settings

Busy BMC Discovery systems take many credentials from the CyberArk Vault and as a result create many log file entries. In such systems, the default CyberArk log retention policies may allow the logs, which are stored on the BMC Discovery appliance, to become very large and fill up available disk space. You can prevent this from happening by changing the following log retention settings to a shorter time than the default, for example, seven days:

  • OldLogsRetention
  • OldAuditLogsRetention

You can change these settings in the CyberArk Vault. See the CyberArk documentation for details on how to do this.

To upgrade the CyberArk Credential Provider

This section describes the steps to perform for upgrading the CyberArk Credential Provider.

You must perform this procedure with discovery stopped.

  1. From the BMC Discovery main menu, click Administration.
  2. From the Discovery section, click Vault Management.
    The Vault Management page is displayed.
  3. Click the CyberArk tab.
  4. In the Credential Provider Archive field, click Upload.
    The Upload CyberArk Credential Provider archive window appears.
  5. In the File field, click Browse and navigate to the location where the Credential Provider zip file is stored in your environment, and click Upload. After you upload the archive, the screen refreshes. 
    If you have uploaded a valid archive, an Upgrade button is provided in the Credential Provider Status field. 
  6. Click Upgrade.
  7. In the Upgrade CyberArk Credential Provider window, provide the CyberArk administrator username and password.
  8. Click Upgrade.
    The CyberArk Credential Provider is upgraded and started, and the screen refreshes to show the status.


To uninstall the CyberArk Credential Provider

This section describes the steps to perform for uninstalling the CyberArk Credential Provider.

  1. Uninstall the CyberArk Credential Provider from the machine on which it is installed.
  2. From the CyberArk Vault, remove the corresponding Provider user (Prov_appliancename).
    Otherwise, your attempts to reinstall on the same appliance will fail. The RPM installation reports no errors. However, when you click Install the service does not start.
  3. Click View Logs to view and examine the CreateEnv.log log.
    Look for a log message of the form: Owner Prov_appliancename already exists in Safe Safename.

To reinstall the CyberArk Credential Provider

To reinstall the CyberArk Credential Provider, follow the steps outlined in the Installing the CyberArk Credential Provider section. However, make sure that you perform the installation prerequisites before you reinstall.

Where to go from here

Configuring access to the CyberArk Vault

 
