CyberArk Integration
  • 23 Apr 2023

The integration between Axonius and CyberArk enables Axonius to securely pull privileged credentials from the CyberArk Vault using CyberArk’s Application Access Manager (AAM). The integration helps ensure that privileged credentials are secured in the CyberArk Vault, rotated to meet company guidelines, and meet complexity requirements.

NOTE

A license for Central Credential Provider (CCP) is a prerequisite for the CyberArk integration.

Description of Product Integration

Axonius uses the Agentless AAM method (called Central Credential Provider (CCP)) to integrate with CyberArk. The Agentless AAM method allows an application (e.g., Axonius) to use a REST API to securely retrieve the credentials from the Vault.

A client certificate is required as it provides protection for the credential while in transit from the agent to the application. The credential is encrypted while in transit from the vault to the AAM shared agent. The application is authenticated by the client certificate serial number and machine address.
In order to securely retrieve credentials from the Vault, the authorized application only requires an Application ID and a Query. The Application ID identifies an application to the CyberArk Vault. It needs to be granted sufficient privileges to retrieve all the credentials it needs.

Axonius uses the Agentless AAM method (called Central Credential Provider (CCP)) to fetch credentials from CyberArk Vault. Axonius uses the REST API when:

  • Creating a new adapter connection
  • Updating an existing adapter connection
  • Running an enforcement set
  • During a discovery cycle, to fetch asset information from the various adapters

Axonius does not store the credentials anywhere and deletes any trace of credentials.

To enable fetching credentials from your CyberArk Vault, you need to:

  1. Install and configure CyberArk’s Application Access Manager (AAM).
  2. Enable and configure the External Password Managers - Enterprise Password Management Settings in Axonius.
  3. Configure the adapter connection credentials to fetch passwords from the CyberArk Vault.

AAM Installation and Configuration

Follow the guidelines in AAM Installation and Configuration.

Enable CyberArk Integration

Enable the CyberArk integration to allow Axonius to securely pull privileged credentials from the CyberArk Vault using CyberArk’s Application Access Manager (AAM), following the guidelines in Enterprise Password Management Settings.

Working with CyberArk Vault

Once CyberArk integration is enabled in Axonius, a new CyberArk icon will appear in all password fields when configuring adapters or configuring Enforcement sets, allowing you to enter a password manually or to fetch the password from CyberArk Vault.

To fetch the password from CyberArk Vault:

  1. In a password field, click the CyberArk icon. If you have configured more than one password manager, click the vault icon and select CyberArk Vault from the drop-down. A CyberArk popup opens.
  2. In the popup, specify a query. This query represents a location of the Password Object within a Safe in a Vault. The query has the following format: Property=Value;Property=Value; ... Property=Value
    For example:
    Safe=Test;Folder=root\OS\Windows;Object=windows1

    • Safe: This is the name of the safe where the account resides.
    • Folder: This is the folder inside the safe where the account resides.
    • Object: This is the Object Name of the account (referred to as Name in the account properties).
  3. Click Fetch.
    • If the fetch is successful, a green indication will be displayed. Hovering over the CyberArk icon will show the Query defined.
    • If the fetch is unsuccessful, a red indication will be displayed. Hovering over the CyberArk icon will show the error.

NOTE

Typing or deleting any character in the textbox will change the password field back to a manual password input.
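
The query format described above can be validated before it is turned into a request. The following is an added example, not Axonius or CyberArk code: it parses a query and builds the GET URL for CyberArk's CCP REST endpoint. The host name and the Application ID `AxoniusApp` are placeholders, and rejecting an `AppID` property inside a query is a defensive choice made for this example.

```python
from urllib.parse import quote, urlencode

# Placeholder host (assumption); the path is CyberArk's CCP REST endpoint.
CCP_ENDPOINT = "https://ccp.example.internal/AIMWebService/api/Accounts"
# AppID identifies the caller; a query must never be able to set it.
RESERVED = {"appid"}


def parse_query(query: str) -> dict:
    """Parse 'Property=Value;Property=Value' into an ordered dict."""
    props, seen = {}, set()
    for pair in query.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate a trailing ';'
        name, sep, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"malformed pair: {pair!r}")
        key = name.lower()
        if key in RESERVED:
            raise ValueError(f"{name} may not be set in a query")
        if key in seen:
            raise ValueError(f"duplicate property: {name}")
        if any(ord(ch) < 32 for ch in value):
            raise ValueError(f"control character in {name}")
        seen.add(key)
        props[name] = value
    if not props:
        raise ValueError("empty query")
    return props


def build_ccp_url(app_id: str, query: str) -> str:
    """Build the GET URL; every value is percent-encoded (e.g. '\\' -> %5C)."""
    params = {"AppID": app_id, **parse_query(query)}
    return CCP_ENDPOINT + "?" + urlencode(params, quote_via=quote)


# Constructed sample: the query from the text and a placeholder Application ID.
SAMPLE_QUERY = r"Safe=Test;Folder=root\OS\Windows;Object=windows1"

if __name__ == "__main__":
    print(build_ccp_url("AxoniusApp", SAMPLE_QUERY))
```

The request itself is sent over HTTPS with the client certificate, which is what authenticates the application alongside its machine address.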
