CyberArk Integration

The integration between Axonius and CyberArk enables Axonius to securely pull privileged credentials from the CyberArk Vault using CyberArk’s Application Access Manager (AAM). The integration helps ensure that privileged credentials are secured in the CyberArk Vault, rotated to meet company guidelines, and meet complexity requirements.

NOTE

A license for Central Credential Provider (CCP) is a prerequisite for the CyberArk integration.

Description of Product Integration

Axonius uses the Agentless AAM method (called Central Credential Provider (CCP)) to integrate with CyberArk. The Agentless AAM method allows an application (e.g. Axonius) to use a REST API to securely retrieve the credentials from the Vault.

A client certificate is required as it provides protection for the credential while in transit from the agent to the application. The credential is encrypted while in transit from the vault to the AAM shared agent. The application is authenticated by the client certificate serial number and machine address.
In order to securely retrieve credentials from the Vault, the authorized application only requires an Application ID and a Query. The Application ID identifies an application to the CyberArk Vault. It needs to be granted sufficient privileges to retrieve all the credentials it needs.

Axonius uses the Agentless AAM method (called Central Credential Provider (CCP)) to fetch credentials from CyberArk Vault. Axonius uses the REST API when:

  • Creating a new adapter connection
  • Updating an existing adapter connection
  • Running a discovery cycle, to fetch asset information from the various adapters

Axonius does not store the credentials anywhere and deletes any trace of credentials.




To enable fetching credentials from your CyberArk Vault, you need to:

  1. Install and configure CyberArk’s Application Access Manager (AAM).
  2. Enable and configure the Enterprise Password Management Settings in Axonius, under the Global Settings.
  3. Configure the adapter connection credentials to fetch passwords from the CyberArk Vault.

AAM Installation and Configuration

Follow the guidelines in AAM Installation and Configuration.

Enable CyberArk Integration

Enable the CyberArk integration to allow Axonius to securely pull privileged credentials from the CyberArk Vault using CyberArk’s Application Access Manager (AAM).
Follow the guidelines in Global Settings - Enterprise Password Management Settings.

Adapter Configuration

Once CyberArk integration is enabled in Axonius, while configuring adapters, a new CyberArk icon will appear in all password fields, allowing you to enter a password manually or to fetch the password from CyberArk Vault.

To fetch the password from CyberArk Vault:

  1. In a password field, click the CyberArk icon. A CyberArk popup opens.
  2. In the popup, specify a query. This query represents the location of the Password Object within a Safe in a Vault. The query has the following format: Property=Value;Property=Value; ... Property=Value
    For example:
    Safe=Test;Folder=root\OS\Windows;Object=windows1

    • Safe: The name of the safe where the account resides.
    • Folder: The folder inside the safe where the account resides.
    • Object: The Object Name of the account (referred to as Name in the account properties).

  3. Click Fetch.
    • If the fetch is successful, a green indication will be displayed. Hovering over the CyberArk icon will show the Query defined.
    • If the fetch is unsuccessful, a red indication will be displayed. Hovering over the CyberArk icon will show the error.
NOTE
Typing or deleting any character in the textbox will change the password field back to a manual password input.
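
The Property=Value query format described above can be validated before it is used in a CCP request. The following Python sketch is an added example, not Axonius or CyberArk code: it parses a query, rejects malformed, duplicate or unexpected properties, and URL-encodes the values into a CCP REST request URL. The host name, the Application ID, the restriction to the three properties named on this page, and the default /AIMWebService/api/Accounts path are assumptions.

```python
from urllib.parse import urlencode

# Assumption: only the three properties named on this page are accepted here.
ALLOWED_PROPERTIES = ("Safe", "Folder", "Object")
# Assumption: the CCP web service is deployed at its default path.
CCP_PATH = "/AIMWebService/api/Accounts"


def parse_query(query: str) -> dict:
    """Split 'Property=Value;Property=Value' into a dict, failing closed on bad input."""
    props = {}
    for part in query.strip().strip(";").split(";"):
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"malformed Property=Value pair: {part!r}")
        if name not in ALLOWED_PROPERTIES:
            raise ValueError(f"unexpected property: {name!r}")
        if name in props:
            raise ValueError(f"duplicate property: {name!r}")
        props[name] = value
    return props


def build_ccp_url(host: str, app_id: str, query: str) -> str:
    """Build the CCP request URL; urlencode keeps values from adding parameters."""
    params = {"AppID": app_id, **parse_query(query)}
    return f"https://{host}{CCP_PATH}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values: the host and Application ID are placeholders.
    print(build_ccp_url("ccp.example.internal", "ExampleAppID",
                        r"Safe=Test;Folder=root\OS\Windows;Object=windows1"))
```

The request itself must be sent over TLS with the client certificate described earlier, because the application is authenticated by the certificate serial number and machine address.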