Integrating CyberArk
Product provides end-to-end automation using a digital workforce. It is the only enterprise grade RPA platform with built-in Cognitive, RPA and Analytics products. The Product platform has 45+ commands with 565+ actions to integrate with a very diverse set of systems, tools, technologies, and infrastructures.
1. Introduction
Purpose
This document provides information about integrating Product Enterprise with CyberArk Password Vault® for managing sensitive data such as user passwords. This ensures that you do not have to:
- Store your sensitive data in two places or copy and paste data, such as your passwords, from CyberArk Password Vault® to Product Credential Vault.
- Expend effort in maintaining data security at two places.
To achieve this, MetaRobot utilities are used to communicate with CyberArk Password Vault® and retrieve the sensitive data. Once the data is retrieved, you can use it to automate your business applications through Product Robots.
The integration is useful in different types of scenarios, such as:
- A user cannot retrieve all the passwords stored in CyberArk Password Vault®.
- A user can only access passwords that are assigned and authorized to that user.
Key benefits
For clients that have both Product and CyberArk, this integration lets the robots securely retrieve the credentials they need to perform their functions. Beyond securing these credentials, CyberArk can rotate them so that the client stays in compliance with corporate policies and industry guidelines.
2. CyberArk & MetaRobot communication
Product diagram & description of product integration
The following figure illustrates the communication between the CyberArk Password Vault® and Product TaskRobots, MetaRobots, and Enterprise applications.
- Product's MetaRobot engine makes API calls and passes parameters, for example "AppID", "Address", and "Username", or "Safe", "Folder", and "Object", to securely retrieve a credential from CyberArk.
- This retrieved credential is then used by Robot runners to automate enterprise applications, such as Salesforce and SAP.
3. Installing CyberArk AIM (Application Identity Manager)
Refer to the "Central Credential Provider Implementation Guide" for the CyberArk Credential Provider installation.
Beyond the configuration steps (described in the following topics), no extra installation steps are necessary.
3.1 AIM (Application Identity Manager) configuration
3.1.1 Defining the Application ID (APPID) and authentication details
Follow these instructions to manually define the application via CyberArk's PVWA (Password Vault Web Access) interface.
- Log on as a user allowed to manage applications (this requires the "Manage Users" authorization).
- In the Applications tab, click "Add Application"; the Add Application dialog box appears.
- Specify the following information:
  - In the "Name" field, specify AutomationAnywhere.
  - In the "Description" field, specify a short description of the application that will help you identify it.
  - In the "Business owner" section, specify contact information about the application's Business owner.
  - In the "Location" section, specify the location of the application in the Vault hierarchy. If a Location is not selected, the application will be added in the same Location as the user who is creating this application.
- Click Add. The application is added and displayed in the Application Details page.
- Allowing extended authentication restrictions.
  - This enables you to specify an unlimited number of machines and Windows domain OS users for a single application.
  - Please check this box.
- Specify the application's Authentication details.
  - This information enables the Credential Provider to check certain application characteristics before retrieving the application password.
  - In the "Authentication" tab, click Add.
  - A drop-down list of authentication characteristics is displayed.
  - Select the authentication characteristic to specify it.
- Specify the application's Allowed Machines.
  - This information enables the Credential Provider to make sure that only applications that run from specified machines can access their passwords.
  - In the "Allowed Machines" tab, click Add; the "Add allowed machine" window is displayed. See the following screenshot.
  - Specify the IP/hostname/DNS of the machine where the application will run and will request passwords, then click Add; the IP address is listed in the "Allowed machines" tab.
  - Make sure the servers allowed include all mid-tier servers or all endpoints where the AIM Credential Providers were installed.
3.1.2 Provisioning accounts and setting permissions for application access
For the application to perform its tasks, it must have access to particular existing accounts, or to new accounts provisioned in the CyberArk Vault (Step 1). Once the accounts are managed by CyberArk, make sure to set up access for both the application and the CyberArk Application Password Providers serving the application (Step 2).
- In the Password Safe, provision the privileged accounts that will be required by the application. You can do this in either of the following ways:
  - Manually: Add accounts manually one at a time and specify all the account details.
  - Automatically: Add multiple accounts automatically using the Password Upload feature. For this step, you require the "Add accounts" authorization in the Password Safe.
- Add the Credential Provider and application users as members of the "Password Safes" where the application passwords are stored. This can either be done manually in the "Safes" tab, or by specifying the Safe names in the CSV file for adding multiple applications.
  - Add the Provider user as a "Safe Member" with the following authorizations:
    - List accounts
    - Retrieve accounts
    - View Safe Members
  - Add the application (the APPID) as a "Safe Member" with the following authorizations:
    - Retrieve accounts
  - If your environment is configured for dual control:
    - In PIM-PSM environments (v7.2 and lower), if the Safe is configured to require confirmation from authorized users before passwords can be retrieved, give the Provider user and the application the following permission:
      - Access Safe without Confirmation
    - In Privileged Account Security solutions (v8.0 and higher), when working with dual control, the Provider user can always access without confirmation, so it is not necessary to set this permission.
  - If the Safe is configured for object level access, make sure that both the Provider user and the application have access to the password(s) to retrieve.
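The settings in sections 3.1.1 and 3.1.2 can be checked mechanically. The following is an added example, not CyberArk or Product code: it audits an application definition and Safe membership against the authorizations listed above and flags anything missing or beyond them. The dictionary layout, the provider user name, the OS user and the extra permission shown are constructed for illustration.

```python
# Added example: audit application and Safe settings against the
# authorizations this page prescribes. The dict layout is hypothetical.

REQUIRED = {
    "provider": {"List accounts", "Retrieve accounts", "View Safe Members"},
    "application": {"Retrieve accounts"},
}
# Needed only for dual control in PIM-PSM v7.2 and lower (per the page).
DUAL_CONTROL_EXTRA = "Access Safe without Confirmation"


def audit(app, safe, legacy_dual_control=False):
    """Return a list of findings; an empty list means the setup matches the page."""
    findings = []
    if not app.get("allowed_machines"):
        findings.append("application has no Allowed Machines restriction")
    if not app.get("authentication"):
        findings.append("application has no Authentication characteristics")
    for role, member in (("provider", safe["provider_user"]),
                         ("application", app["app_id"])):
        granted = set(safe["members"].get(member, ()))
        expected = set(REQUIRED[role])
        if legacy_dual_control:
            expected.add(DUAL_CONTROL_EXTRA)
        for perm in sorted(expected - granted):
            findings.append(f"{role} '{member}' is missing: {perm}")
        for perm in sorted(granted - expected):
            findings.append(f"{role} '{member}' has extra permission: {perm}")
    return findings


# Constructed sample data (not exported from a real Vault).
APP = {
    "app_id": "AutomationAnywhere",
    "allowed_machines": [],  # weak: no machine restriction was entered
    "authentication": [{"type": "OSUser", "value": "CORP\\svc_rpa"}],
}
SAFE = {
    "provider_user": "Prov_RPAHOST01",
    "members": {
        "Prov_RPAHOST01": ["List accounts", "Retrieve accounts", "View Safe Members"],
        "AutomationAnywhere": ["Retrieve accounts", "Update account content"],
    },
}

if __name__ == "__main__":
    for line in audit(APP, SAFE):
        print("FINDING:", line)
```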
4. Product installation & integration configuration
To retrieve credentials from the CyberArk Password Vault®, you can use Product CyberArk MetaRobot utilities within your Robots. These utilities communicate with the CyberArk Password Vault® and retrieve the credentials stored in it.
The following figure illustrates how MetaRobot utilities communicate with the CyberArk Password Vault®.
The MetaRobot utility accepts input parameters from TaskRobots. It passes the "AppID", "Address" and "Username" values to the CyberArk Password Vault® and retrieves the corresponding data for that combination. You can also pass "Safe", "Folder" and "Object" to the vault to retrieve data.
The following figure illustrates what the REST web service "Request" tab looks like.
Run a test to connect to CyberArk by clicking on the "Send Request" button and passing the values of the parameters, as shown in the following window screenshot.
4.1 Using CyberArk MetaRobot utilities in automation
Different TaskRobots dynamically provide their own input values to MetaRobot utilities and receive the retrieved data from the CyberArk Password Vault®.
This TaskRobot passes the following parameters:
- AppID: AutomationAnywhere
- Address: db1.mycompany.com
- Username: dbadmin
The output value from CyberArk is stored into the "ProductMAdmin_password" variable. See the following screenshot.
Data retrieved from CyberArk is used to automate business applications such as Salesforce, SAP, etc.
You can also create your own MetaRobots to communicate with CyberArk and retrieve the data stored inside the Password Vault.
- You can also ensure that users authenticate themselves before communicating with CyberArk.
- The Product platform can also automatically use the credentials of the logged-in Windows user for authentication, without requiring explicit credential entry.
- This is supported through the Product REST Web Service command.
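The retrieval described in section 4 can be sketched outside the MetaRobot. This is an added example, not Product or CyberArk code: it builds the request from exactly one of the two parameter sets and wraps the returned value so that it never reaches logs. The host name, the `/AIMWebService/api/Accounts` path and the `Content` / `ErrorCode` response fields are assumptions about the Central Credential Provider REST interface, and the sample responses are constructed.

```python
import json
from urllib.parse import urlencode

# Assumption: CCP REST path and placeholder host; neither appears on this page.
CCP_URL = "https://ccp.example.internal/AIMWebService/api/Accounts"


class Secret:
    """Wraps a retrieved value so it stays out of repr(), logs and tracebacks."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret(***)"


def build_query(app_id, *, address=None, username=None,
                safe=None, folder=None, obj=None):
    """Build the lookup URL from exactly one of the page's two parameter sets."""
    by_account = {"Address": address, "Username": username}
    by_object = {"Safe": safe, "Folder": folder, "Object": obj}
    if all(by_account.values()) and not any(by_object.values()):
        chosen = by_account
    elif all(by_object.values()) and not any(by_account.values()):
        chosen = by_object
    else:
        raise ValueError("pass Address+Username or Safe+Folder+Object, not a mix")
    return CCP_URL + "?" + urlencode({"AppID": app_id, **chosen})


def parse_response(status, body):
    """Return the credential as a Secret; on failure surface only the error code."""
    data = json.loads(body)
    if status != 200 or "Content" not in data:
        raise LookupError(data.get("ErrorCode", f"HTTP {status}"))
    return Secret(data["Content"])


# Constructed responses (field names assumed, values invented for this example).
SAMPLE_OK = '{"Content": "constructed-not-a-real-password", "UserName": "dbadmin"}'
SAMPLE_DENIED = '{"ErrorCode": "CONSTRUCTED-001", "ErrorMsg": "constructed message"}'

if __name__ == "__main__":
    print(build_query("AutomationAnywhere",
                      address="db1.mycompany.com", username="dbadmin"))
    print(parse_response(200, SAMPLE_OK))
```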
5. Partner contact information
- Business contact
  - Name: Badrinath Ragupathy
  - Email: badri.ragupathy@automationanywhere.com
  - Tel: +1 650-274-9442
- Technical contact
  - Name: VJ Anand
  - Email: vj.anand@automationanywhere.com
  - Tel: +1 925-640-1340
- Support contact
  - Name: Piyush Mistry
  - Email: Piyush.mistry@automationanywhere.com
  - Tel: +91-9004334009