POST Credentials/CyberArk/Create

Creates an entry in the Trust Protection Foundation policy folder to match credential information in a CyberArk Safe. Trust Protection Foundation will use the credential data for provisioning.

Before you make this REST API call:

  • In Trust Protection Foundation, confirm that the CyberArk Credentials driver is installed and that the CyberArk connector is configured. See the Administration Guide for details.
  • In CyberArk, identify the Safe that grants permissions to Trust Protection Foundation. In that Safe, note the name and folder of the account that Trust Protection Foundation retrieves for the credential.
  • To create or modify this object, you must provide credentials for a CyberArk user who has either 'Use Accounts' (permission to log on to a device using the CyberArk account through the CyberArk UI) or 'Retrieve Accounts' (permission to retrieve the actual password for the CyberArk account).

NOTE: The credential type is permanently assigned at creation. You cannot use the CyberArk/Update method to change a CyberArk credential into a Username or Password credential. If a different type is needed, a new credential must be created.

Requirements

  • Permissions: The caller must have Create permission and Write permission to the folder that will hold the new credential.
  • Token scope: Security:Manage

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

AccountName
  The CyberArk account name where the password is stored inside the Safe.

AppID
  The CyberArk application ID. The application ID must be a member of the CyberArk Safe, with rights to the Safe.

CredentialPath
  The policy location for the credential. For example: \\VED\\Policy\\MyCredential.

CyberArkPassword
  (Optional) The password for the CyberArk account that is used to retrieve the credential from the Safe.

CyberArkUsername
  • (Optional) Supplied when creating a CyberArk Username Password credential.
  • The CyberArk username from the CyberArk Safe.
  • This is the CyberArk user that has rights to the Safe containing the credentials Trust Protection Foundation needs to provision a certificate to a device.
  • This field does not determine the credential type.

DualAccount
  (Optional) Dual Account adds a second user to the credential: two identically privileged accounts, one active while the other is rotated, so that passwords can be updated without downtime.

FolderName
  The CyberArk folder name inside the Safe where passwords are stored.

SafeName
  The CyberArk Safe name that contains the password account information.

Username
  • The Trust Protection Foundation user name used to authenticate to a device or application.
  • The corresponding password originates in CyberArk.
    • This field determines the credential type.
    • If the Username property is present in the request JSON, the credential is treated as a CyberArk Username Password credential.
    • If the Username property is omitted, the credential is treated as a CyberArk Password credential.
    • The value can be a string, empty (""), or null.
    • If empty or null, the username is retrieved from CyberArk at runtime.

VirtualUserName
  (Optional) The Virtual User Name specifies the username used for authentication when Dual Account is enabled.

Returns

For valid requests, Credentials/CyberArk/Create returns an HTTP 200 message and a Result of 1. For invalid requests, note the HTTP message, the Result of 0, and the corresponding Error.

Response description

HTTP 200
  Result: 1. Success.

HTTP 400
  For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body:
  • Result: 0.
  • Error: If available, additional information about how to retry the request.
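The two rules that are easy to get wrong when scripting this call are that the presence of the Username key (not its value) selects the credential type, and that a failed request comes back as HTTP 400 with Result 0 and an optional Error. The helper below, added here as an example and not Venafi's own client code, builds the request body from the documented parameters, classifies the credential type the server will create, masks CyberArkPassword before anything is logged, and maps the documented response shapes. The function names, the OMIT sentinel and the redaction helper are assumptions of this example; the host tpp.venafi.example is the placeholder the page itself uses.

```python
"""Client helper for POST Credentials/CyberArk/Create.

Added example; not Venafi's own code. Assumptions not taken from the page:
the function names, the OMIT sentinel and the redaction helper are mine.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Dict, Optional, Tuple

# Sentinel meaning "leave the Username key out of the JSON entirely".
# The page says the *presence* of Username selects the credential type,
# so the helper must distinguish "omitted" from "" and null.
OMIT = object()

SECRET_FIELDS = ("CyberArkPassword",)


def build_create_body(*, app_id: str, safe_name: str, folder_name: str,
                      account_name: str, credential_path: str,
                      username: Any = OMIT,
                      cyberark_username: Optional[str] = None,
                      cyberark_password: Optional[str] = None,
                      dual_account: Optional[str] = None,
                      virtual_user_name: Optional[str] = None) -> Dict[str, Any]:
    """Assemble the request JSON from the parameters documented on the page."""
    body: Dict[str, Any] = {
        "AppID": app_id,
        "SafeName": safe_name,
        "FolderName": folder_name,
        "AccountName": account_name,
        "CredentialPath": credential_path,  # e.g. "\\VED\\Policy\\MyCredential"
    }
    optional = {
        "CyberArkUsername": cyberark_username,
        "CyberArkPassword": cyberark_password,
        "DualAccount": dual_account,
        "VirtualUserName": virtual_user_name,
    }
    # Optional fields are only sent when the caller supplied them.
    body.update({k: v for k, v in optional.items() if v is not None})
    if username is not OMIT:
        # A string, "" or None (serialised as null) all make this a
        # Username Password credential; "" / None defer the lookup to runtime.
        body["Username"] = username
    return body


def credential_type(body: Dict[str, Any]) -> Tuple[str, bool]:
    """Return (credential type, username resolved from CyberArk at runtime)
    according to the rules the page gives for the Username property."""
    if "Username" not in body:
        return "CyberArk Password", False
    if body["Username"] in ("", None):
        return "CyberArk Username Password", True
    return "CyberArk Username Password", False


def redacted(body: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the body that is safe to log: secrets masked, original untouched."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in body.items()}


def interpret_response(status: int, payload: Dict[str, Any]) -> Tuple[bool, str]:
    """Map the documented outcomes: HTTP 200 with Result 1 is success; anything
    else (HTTP 400, Result 0) is reported together with the Error text if present."""
    if status == 200 and payload.get("Result") == 1:
        return True, "created"
    error = payload.get("Error") or "no Error field in response"
    return False, "HTTP %s, Result %s: %s" % (status, payload.get("Result"), error)


def post_create(base_url: str, token: str, body: Dict[str, Any],
                timeout: float = 30.0) -> Tuple[int, Dict[str, Any]]:
    """Send the request with the documented headers. Not exercised offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/vedsdk/Credentials/CyberArk/Create",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
    )
    try:
        # urlopen verifies the server certificate by default; keep it that way.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as exc:  # HTTP 400 lands here, body still readable
        return exc.code, json.loads(exc.read() or b"{}")


if __name__ == "__main__":
    # Constructed sample mirroring the page's first example (no network call).
    body = build_create_body(app_id="VenafiTPP", safe_name="SafeCorp",
                             folder_name="Root\\local", account_name="rootpw",
                             credential_path="\\VED\\Policy\\MyTPPfolder\\AdmCorp",
                             cyberark_username="AdmCorp",
                             cyberark_password="!omepassw0rd", username="admin")
    print(credential_type(body))
    print(json.dumps(redacted(body), indent=2))
```

The backslashes in CredentialPath are written once in the Python string (the `\\` in a Python literal is one backslash) and json.dumps doubles them again on the wire, which is why the page's request bodies show `\\VED\\Policy\\...`. Log only what `redacted()` returns, since the body carries the CyberArk password in clear text.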

Example: Create a CyberArk password credential

Request

POST: https://tpp.venafi.example/vedsdk/Credentials/CyberArk/Create
Authorization:Bearer 4MyGeneratedBearerTknz==
{
    "CyberArkUsername": "AdmCorp",
    "CyberArkPassword": "!omepassw0rd",
    "Username": "admin",
    "AppID": "VenafiTPP",
    "SafeName": "SafeCorp",
    "FolderName": "Root\\local",
    "AccountName": "rootpw",
    "CredentialPath": "\\VED\\Policy\\MyTPPfolder\\AdmCorp"
}

Response

HTTP/1.1 200 OK
{
   "Result":1
}

Example: Create a Dual Account Password Credential

Request

POST: https://tpp.venafi.example/vedsdk/Credentials/CyberArk/Create
Authorization:Bearer 4MyGeneratedBearerTknz==
{
	"CyberArkUsername": "pam_username",
	"CyberArkPassword": "pam_pass",
	"DualAccount": "0",
	"Username": "",
	"AppID": "AppName",
	"SafeName": "SafeName",
	"FolderName": "Root",
	"AccountName": "pam_account",
	"CredentialPath": "\\VED\\Policy\\test_folder\\test_credential",
	"ConnectorName": "ConnectorName"
}

Response

HTTP/1.1 200 OK
{
   "Result":1
}

Example: Create a Dynamic PAM Username Credential

Request

POST: https://tpp.venafi.example/vedsdk/Credentials/CyberArk/Create
Authorization:Bearer 4MyGeneratedBearerTknz==
{
	"CyberArkUsername": "pam_username",
	"CyberArkPassword": "pam_pass",
	"DualAccount": "0",
	"Username": "",
	"AppID": "AppName",
	"SafeName": "SafeName",
	"FolderName": "Root",
	"AccountName": "pam_account",
	"CredentialPath": "\\VED\\Policy\\test_folder\\test_credential",
	"ConnectorName": "ConnectorName"
}

Response

HTTP/1.1 200 OK
{
	"Result":1
}

Example: Create a Privilege Cloud (TPF) Managed Password Credential

Request

POST: https://tpp.venafi.example/vedsdk/Credentials/CyberArk/Create
Authorization:Bearer 4MyGeneratedBearerTknz==
{
	"DualAccount": "0",
	"Username": "credential_user",
	"AppID": "AppName",
	"SafeName": "SafeName",
	"FolderName": "Root",
	"AccountName": "pam_account",
	"CredentialPath": "\\VED\\Policy\\test_folder\\test_credential",
	"ConnectorName": "ConnectorName"
}

Response

HTTP/1.1 200 OK
{
	"Result":1
}