Getting CyberArk ready for integration with Trust Protection Platform
Implementing CyberArk with Trust Protection Platform (TPP) involves detailed setup on both platforms. The following information clarifies the tasks and platform responsibilities to speed up the process. Once set up correctly, the benefits clearly justify the initial effort.
CyberArk objects |
Related CyberArk permissions for each CyberArk object |
TPP objects |
Action in Trust Protection Platform |
---|---|---|---|
Vault and Safe |
|
|
|
End User This is a user created in CyberArk that is used by TPP users who need an application or server to authenticate with CyberArk. |
Use accounts or Retrieve accounts NOTE User may be granted access individually or via group membership. Access may not be granted using Object Level Access Control (OLAC). A reason cannot be required for the effective Master Policy to access the password for an account. |
|
You must provide CyberArk credentials that have access to the safe whenever you create a CyberArk Username Password credential. |
Application |
Retrieve accounts |
|
For Trust Protection Platform to use when it retrieves account passwords from a safe |
Authorization User |
View Safe Members |
|
For Trust Protection Platform to verify that the Actual User is authorized to create CyberArk Username Password credentials |
Providers |
Retrieve accounts, List accounts, and View Safe Members. |
|
Access required by the Application Identity Manager (AIM) installed on each Trust Protection Platform server |
NOTE Refer to CyberArk Enterprise Password Vault documentation for help with tasks that must be completed on the CyberArk platform.
TIP Keep in mind that in CyberArk, "account" is analogous to "credential" in Trust Protection Platform. Terminology can be confusing as many security companies adopt their own nomenclature.
Step-by-step
Step |
Platform |
Task |
1 |
CyberArk |
Create a CyberArk vault and safe. |
2 |
CyberArk |
Create a CyberArk (PVWA) user for verifying a Trust Protection Platform user has access to a safe. |
3 |
CyberArk |
Grant access to CyberArk Application Identity Manager. |
4 |
CyberArk |
Create a CyberArk Application for Trust Protection Platform to use when retrieving accounts from safes. When using Central Credential Provider method also create an AIM Web Service application. BEST PRACTICE About securing a CyberArk application |
5 |
CyberArk |
Create a CyberArk end user (if one does not already exist). The credentials for this new CyberArk user will be used later when you create a CyberArk Username Password Credential in Trust Protection Platform. See Adding and configuring CyberArk credentials.
Grant user either Use Accounts or Retrieve Accounts access to the safe. |
6 |
Trust Protection Platform |
If the password retrieval method will be through an AIM/AAM Agent, install the CyberArk Application Identity Manager (AIM/AAM) on all Trust Protection Platform servers. Installation is optional for servers which will never provision certificates using CyberArk credentials and are not hosting the web console.
Grant all providers created by installing AIM/AAM (from Step 6) Retrieve Accounts, List Accounts, and View Safe Members access to the safe. |
7 |
Trust Protection Platform |
NOTE This step does not apply when using Central Credential Provider
Configure the CyberArk connector in Venafi Configuration Console to connect to CyberArk using the web service (PVWA) user credential (from Step 2). See Creating a CyberArk connector. On the CyberArk Connector, configure the connection between Trust Protection Platform and the CyberArk service and configure all other settings as appropriate. For example, if you want the proxy to manage the CyberArk connection, be sure to enable the proxy settings. See Configuring and editing the CyberArk Credentials driver in the Policy Tree. |
8 |
CyberArk |
Grant the verification user—the PVWA user from Step 3—View Safe Members access to the safe. Grant the Application (from Step 4) Retrieve Accounts access to the safe. |
9 |
CyberArk |
Grant user (from step 5) either Use Accounts or Retrieve Accounts access to the safe. |
10 |
CyberArk |
Create and set up a CyberArk Enterprise Password Vault account that will be used to manage the password of the credential for accessing the device. |
11 |
Trust Protection Platform |
Assign the CyberArk Password credential to applications and devices for provisioning. See Using a CyberArk credential for provisioning (certificate installation) |