CyberArk Credential Provider


Adding a new passwords repository

  1. Select Settings > External passwords repositories.
  2. Click Add server.
  3. Select CyberArk Credential Provider from the Type drop-down list.
  4. Specify the object’s name.
  5. Provide the URL to the passwords server’s API (HTTP or HTTPS).
  6. Provide application identification (Application ID).
  7. Provide Safe (optional). If Safe is not defined, the search will be performed across all CyberArk safes.

Note

The search for a given server/account is performed based on the following attributes from the CyberArk Credential Provider, which must be set up according to the rules below:

  • Address - must exactly match the Fudo server’s IP address (required),
  • UserName - must exactly match the Fudo account’s Login (required); see the Creating a regular account topic,
  • Safe - must exactly match the external password repository’s Safe field (optional).

  8. When client certificate authentication is used, the Identity certificate and Identity key fields have to be defined.

Note

The Identity certificate and Identity key fields must be filled in using the PKCS #8 format. To learn how to generate the Identity certificate and Identity key, see the next section.

  9. If an HTTPS URL to the passwords server’s API was used, provide the HTTPS server certificate in the SSL certificate field.

Warning

If the HTTPS protocol is used without providing an SSL Certificate, the SSL connection will not undergo verification and will be accepted.

  10. Click Save.

  11. Assign the external password repository to an account.

    • Select Management > Accounts.
    • Browse objects and click an account to access the settings form.
    • In the Credentials section, select password from external repository from the Replace secret with drop-down list.
    • From External passwords repository, select one of the previously defined password repositories.
    • Click Save.

Generating CyberArk Credential Provider’s client certificate authorization

  1. Generate a random serial number (e.g. 11223344556677) that will be used by CyberArk to verify the client.
  2. Generate the client.key and client.crt files using openssl. Example:

     openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=PL/ST=Mazowieckie/L=Warsaw/OU=MyApp/CN=client" -set_serial "11223344556677" -keyout client.key -out client.crt

  3. Paste the content of the client.crt file into the Identity certificate field.
  4. Paste the content of the client.key file into the Identity key field.
  5. Add the client serial number to the CyberArk server authentication configuration.
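
The generation steps above with checks before pasting, as an added shell example (not part of the Fudo or CyberArk documentation): it runs the page's openssl command, confirms the key is unencrypted PKCS #8, reads the serial back from the certificate, and verifies that key and certificate belong together. The function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the page.

# Create client.key and client.crt in directory $1 with decimal serial $2.
gen_identity() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
          -subj "/C=PL/ST=Mazowieckie/L=Warsaw/OU=MyApp/CN=client" \
          -set_serial "$2" -keyout "$1/client.key" -out "$1/client.crt" ) 2>/dev/null
}

# Classify a private key file by its PEM header.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        *)                                       echo unknown ;;
    esac
}

# Rewrite the key in place as unencrypted PKCS #8 unless it already is.
ensure_pkcs8() {
    [ "$(key_format "$1")" = pkcs8 ] && return 0
    ( umask 077; openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$1.p8" ) &&
        mv "$1.p8" "$1"
}

# Serial as openssl prints it (hex) and as passed to -set_serial (decimal).
cert_serial_hex() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
# Shell arithmetic is 64-bit, so this only suits serials below 2^63.
cert_serial_dec() { echo "$((0x$(cert_serial_hex "$1")))"; }

# Succeed only if certificate $1 and private key $2 share one public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage:
#   gen_identity . 11223344556677 && ensure_pkcs8 client.key
#   key_matches_cert client.crt client.key && cert_serial_hex client.crt
```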

Editing a passwords repository

To edit a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Find the repository definition and change its configuration as desired.
  3. Click Save.

Deleting a passwords repository

To delete a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Find the desired repository definition and select the Delete option.
  3. Click Save.

Note

You cannot delete a password repository definition if it is assigned to any account.
