CyberArk Credential Provider


Adding a new passwords repository

  1. Select Settings > External passwords repositories.
  2. Click Add password repository.
  3. Specify the object’s name.
  4. Provide the URL to the passwords server’s API (HTTPS).
  5. In the Server certificate field, provide the SSL certificate, or click the Get certificate button to obtain it from the provider’s server.

Warning

If HTTPS is used without providing an SSL certificate, the server’s certificate is not verified and the connection is accepted regardless.

  6. Select the CYBERARK CREDENTIAL PROVIDER button in the Type section.
  7. Provide the application identification (Application ID).
  8. Provide the Safe (optional). If Safe is not defined, the search will be performed across all CyberArk safes.

Note

The search for a given server/account is performed based on the following attributes from the CyberArk Credential Provider, which must be set up according to the rules below:

  • Address - has to exactly match the Fudo server’s IP address (required),
  • UserName - has to exactly match the Fudo account’s Login (required); refer to the Creating a regular account topic,
  • Safe - has to exactly match the external password repository’s Safe field (optional).

  9. When client certificate authentication is used, the Identity certificate and Identity key fields have to be defined.

Note

  • Identity certificate and Identity key configuration is available only for HTTPS type servers.
  • Both fields must be filled using PKCS #8 format.
  • To learn how to generate Identity certificate and Identity key please follow the next section.

  10. Click Save.

  11. Assign the external password repository to an account.

    • Select Management > Accounts.
    • Browse objects and click an account to access the settings form.
    • In the Credentials section, in the Replace secret with field, select the Repository button.
    • From the Passwords repository drop-down list, select one of the previously defined password repositories.
    • Click Save.

Generating CyberArk Credential Provider’s client certificate authorization

  1. Generate a random serial number (e.g. 11223344556677) that will be used by CyberArk to verify the client.
  2. Generate the client.key and client.crt files using openssl. Example:

     openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=PL/ST=Mazowieckie/L=Warsaw/OU=MyApp/CN=client" -set_serial "11223344556677" -keyout client.key -out client.crt

  3. Paste the content of the file client.crt in the Identity certificate field.
  4. Paste the content of the file client.key in the Identity key field.
  5. Add the client serial number to the CyberArk server authentication configuration.
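
The steps above as one script, with the checks worth making before pasting the files into Fudo: the key is unencrypted PKCS #8, it belongs to the certificate, and the serial read back from the certificate is the one requested. This is an added example, not part of the product documentation; the function names and the output directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the product documentation). Function names and the
# directory argument are assumptions; the openssl req call follows the page.

# Random serial below 2^56, printed in decimal so it can be passed to -set_serial.
new_serial() {
    echo $(( 0x$(openssl rand -hex 7) ))
}

# Create client.key and client.crt in directory $1 with serial number $2.
make_identity() {
    ( umask 077   # keep the private key unreadable for other users
      openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
        -subj "/C=PL/ST=Mazowieckie/L=Warsaw/OU=MyApp/CN=client" \
        -set_serial "$2" -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null )
}

# Serial stored in the certificate, as openssl prints it (hexadecimal).
serial_hex() {
    openssl x509 -in "$1/client.crt" -noout -serial | cut -d= -f2
}

# The same serial converted back to decimal, for comparison with the input.
serial_dec() {
    echo $(( 0x$(serial_hex "$1") ))
}

# Succeeds only for unencrypted PKCS #8 PEM, not "BEGIN RSA PRIVATE KEY".
key_is_pkcs8() {
    [ "$(head -n 1 "$1/client.key")" = "-----BEGIN PRIVATE KEY-----" ]
}

# Succeeds only if the certificate carries the public half of client.key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1/client.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/client.key" -pubout)" ]
}

# Usage: sh make-client-cert.sh <existing-directory>
if [ -n "${1:-}" ]; then
    serial=$(new_serial)
    make_identity "$1" "$serial" && key_is_pkcs8 "$1" && key_matches_cert "$1" &&
        echo "serial: decimal $serial, hex $(serial_hex "$1")"
fi
```

openssl x509 -serial reports the serial in hexadecimal, while -set_serial above was given a decimal value, so the script prints both forms.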

Editing a passwords repository

To edit a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Locate the repository definition and click on its name to edit its configuration as needed.
  3. Click Save.

Deleting a passwords repository

To delete a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Find the desired repository definition, select it, and click the Delete selected button.
  3. Click Save.

Note

You cannot delete a password repository definition if it is assigned to any account.
