Skip to Content

Default language.

Information
Important This documentation space contains information about the on-premises version of BMC Helix Discovery. If you are using the SaaS version of BMC Helix Discovery, see BMC Helix Discovery (SaaS).

Integrating with CyberArk Enterprise Password Vault

CyberArk Enterprise Password Vault (CyberArk Vault) is a third-party application, which enables you to centrally manage credentials for the various systems that are installed in your environment. BMC Discovery provides an integration with CyberArk Vault to obtain credentials that are required to perform scans. 

The integration eliminates the need for performing duplicate tasks of using an external import or export mechanism to obtain the credentials that are stored in CyberArk Vault. The CyberArk Vault also enables you to employ the password management policies required for your organization. CyberArk uses the term Vault to refer to the CyberArk server component, which holds information securely (All "Safes" reside in the Vault). This should not be confused with the BMC Discovery Vault.

Related topics

Integrating-with-credential-brokers

Credentials

Adding-credentials

Managing-the-credential-vault

Before you begin

Information

Credential broker performance testing

Credential brokers are designed with human interaction in mind. When BMC Discovery is scanning, it can make many simultaneous API calls. Before putting an integration with any supported credential broker into production, you should perform scale and performance testing in your IT environment.

We recommend that you do not use DNS names in credential broker fields, as it requires a performant and reliable DNS server. Slow DNS queries significantly increase scan times; even with a fast DNS server scan times are impacted. Where multiple names are defined for an IP address, BMC Discovery uses the first name or FQDN returned by the DNS server, which may not be consistent, depending on the DNS server configuration.

Process overview

Task

Task description

Reference

1.

Create the provider user in the CyberArk Enterprise Password Vault. The user that you create for the first time is used to give access to the CyberArk Vault (Safe).

You define additional users for access from specific BMC Discovery appliances BMC Discovery Outposts as they are required.

2.

Either:
Integrate with CyberArk Enterprise Platform Vault using the REST API


Or:
Integrating with CyberArk Enterprise Platform Vault using the AIM Provider.

Integrating using the CyberArk Enterprise Platform Vault using the AIM Provider requires further steps. The integration uses a locally installed agent (the AIM provider) to interact with CyberArk Enterprise Platform Vault, offering benefits over the REST integration. For more information, contact your CyberArk administrator.

Note: The choice of an integration method is mutually exclusive. If you integrate BMC Discovery with CyberArk Enterprise Platform Vault using the REST API, you cannot access it using the AIM Provider.

3.

After the connection is successful, you configure BMC Discovery credentials that fetch credentials from CyberArk. Instead of using a username and password, you use a query to perform the task.


See this video (4:40) for a demonstration of the integration between BMC Discovery and the CyberArk Vault.

icon-play.pnghttps://youtu.be/WTLoGGOrnUg

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix Discovery 23.3 (On-Premises)