- 24 Mar 2022
- 3 Minutes to read
- Print
- DarkLight
- PDF
AAM Installation and Configuration
- Updated on 24 Mar 2022
- 3 Minutes to read
- Print
- DarkLight
- PDF
Axonius uses the Agentless AAM method (called Central Credential Provider (CCP)) to integrate with CyberArk.
In the below section, the term “Application” refers, in this case, to Axonius.
License for Central Credential Provider (CCP) is a prerequisite for CyberArk integration
Central Credentials Provider Installation
- For installation and configuration, please refer to the CyberArk’s “Central Credential Provider Implementation guide”.
- No specific steps are required to configure Central Credential Provider (CCP) with Axonius.
Defining the Application ID (APPID) and Authentication Details
To define the Application, here are the instructions to define it manually via CyberArk’s PVWA (Password Vault Web Access) Interface:
While logged in as a user allowed to manage applications (this requires Manage Users authorization), click Add Application in the Applications tab; the Add Application page appears.
Specify the following information:
- In the Name edit box, specify the unique name (ID) of the application. The recommended Application ID for this integration is: APPID = Axonius
- In the Description, specify a short description of the application that will help you identify it.
- In the Business owner section, specify contact information about the application’s Business owner.
- In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location is not selected, the application will be added in the same Location as the user who is creating this application.
Click Add; the application is added and is displayed in the Application Details
page.- Allowing extended authentication restrictions. This enables you to specify an unlimited number of machines and Windows domain OS users for a single application.
- Allowing extended authentication restrictions. This enables you to specify an unlimited number of machines and Windows domain OS users for a single application.
Specify the application’s Authentication details. This information enables the Credential Provider to check certain application characteristics before retrieving the application password.
In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
- Protect the Application ID with a client certificate serial number. Specify the Certificate Serial number:
- Protect the Application ID with a client certificate serial number. Specify the Certificate Serial number:
Provisiong Accounts and Setting Permissions for Application Access
For the application to perform its functionality or tasks, the application must have access to particular existing accounts, or new accounts to be provisioned in CyberArk Vault (Step 1). Once the accounts are managed by CyberArk, make sure to setup the access to both the application and CyberArk Application Password Providers serving the Application (Step 2).
In the Password Safe, provision the privileged accounts that will be required by the application. You can ¬do this in either of the following ways:
Manually – Add accounts manually one at a time, and specify all the account details.
Automatically – Add multiple accounts automatically using the Password Upload feature.
For this step, the Add accounts authorization in the Password Safe is required.
For more information about adding and managing privileged accounts, refer to https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Adding-Accounts.htm?Highlight=adding%20accountsAdd the Credential Provider and application users as members of the Password Safes where the application passwords are stored. This can either be done manually in the Safes tab, or by specifying the Safe names in the CSV file for adding multiple applications.
Add the Provider user as a Safe Member with the following authorizations:
List accounts
Retrieve accounts
View Safe Members
Note: When installing multiple Providers for this integration, it is recommended to create a group for them, and to then add the group to the Safe with the above authorization.
Add the application (the APPID) as a Safe Member with the following authorizations:
Retrieve accounts
If your environment is configured for dual control:
- In PIM-PSM environments (v7.2 and lower), if the Safe is configured to require confirmation from authorized users before passwords can be retrieved, give the Provider user and the application the following permission:
- Access Safe without Confirmation
- In Privileged Account Security solutions (v8.0 and higher), when working with dual control, the Provider user can always access without confirmation, thus, it is not necessary to set this permission.
- In PIM-PSM environments (v7.2 and lower), if the Safe is configured to require confirmation from authorized users before passwords can be retrieved, give the Provider user and the application the following permission:
If the Safe is configured for object level access, make sure that both the Provider user and the application have access to the password(s) to retrieve.
For more information about configuring Safe Members, refer to the CyberArks' Privileged Access Security Implementation Guide.