Adding and configuring CyberArk credentials

You can create CyberArk credentials and assign them to certificates, applications, and devices during the provisioning process. Trust Protection Platform is able to retrieve credentials stored in your CyberArk Enterprise Password Vault.

IMPORTANT: To see the permissions you need to perform this task, see CyberArk user and password integration requirements.

To create CyberArk credentials

  1. From the TLS Protect menu bar, click Inventory > Credentials, and then click Create a New Credential.
  2. Click the Credential Type list and select CyberArk Username Password or CyberArk Password.

  3. Click Folder and select the policy folder in which to create your new credential.
  4. In Credential Name, type a unique name for the new credential object, and then click Create and Configure.

  5. (Conditional) If you selected the CyberArk Username Password credential type (in Step 2), then in the User Name field, type the user name that Trust Protection Platform will use when provisioning a certificate to a device.

    This should match the User Name property of the account you created in the CyberArk safe.

  6. In Application ID, type the name of the CyberArk user that you created for the Application Identity Manager installed on your Trust Protection Platform servers to use when retrieving a password from CyberArk. Refer to Check CyberArk permissions on safe members for details.

  7. Complete the remaining fields:
    1. Safe Name: from the CyberArk Vault.
    2. Folder Name: from the CyberArk Safe.
      NOTE: If no folder was used during the creation of the account (secret) in CyberArk, enter Root.
    3. Account Name: from the CyberArk Safe.
    4. CyberArk Username: This is the end user account (not the service account configured in VCC). It is needed ONLY to verify that the user authenticated to Venafi TPP has permission to retrieve the account (secret) specified above and, therefore, to create the credential in TPP. The required permission for this user in CyberArk is Retrieve accounts or Use accounts.

    5. CyberArk Password: The password for the end user account.

  8. When you have completed the required fields, click Save.
IMPORTANT: The credential object is saved ONLY if the account (secret) is successfully retrieved from the CyberArk Vault. If the credential object was not saved for some reason, refer to the “Common Error Messages” section.