Configuring and editing the CyberArk Credentials driver in the Policy Tree

After you create a CyberArk connector in Venafi Configuration Console (VCC), the connector appears in the Credentials tree.

You can also configure a SCIM server for cases where a CyberArk user is granted access to a CyberArk safe through a group rather than being granted access to their user account directly.

To edit the configuration of a CyberArk credential in Policy Tree

  1. Open the Policy Tree and go to the Credentials tree.

  2. Open the CyberArk credentials driver (the name you see depends on the name you gave the connector in VCC).

  3. Add or edit the Description and specify the Contact(s) for this driver.

  4. (Optional) Select Disabled if you want to turn off CyberArk functionality.
  5. (Optional) Select Use Proxy Settings if you want the proxy to manage the CyberArk connection.

    NOTE  This setting applies only to interactions between the Trust Protection Platform server and CyberArk Password Vault Web Access (PVWA). The Application Identity Manager (AIM/AAM), which is a standalone software component, requires additional Vault.ini configuration, as detailed in the CyberArk Application Identity Manager Implementation Guide.

  6. In Privileged Account Security Web Service URI, enter the location of your Components server.

    Refer to CyberArk's documentation for more information.

  7. From the Service Account Authentication Method drop-down list, select the method used to authenticate to the vault.
  8. For Service Account Credential, click , then select the CyberArk web service credential (PVWA) that contains the web service user name and password.

    For more information, see Editing the CyberArk Web Service credential.

  9. From the End User Authentication Method drop-down list, select the method used to verify that the user authenticated to the Trust Protection Platform has permission to retrieve the account secrets.

  10. Select a Password Retrieval Method.

    • If you select Windows Credential Provider (AAM Agent), then select a version from Windows Credential Provider Version.
    • If you select Central Credential Provider, then enter the Central Credential Provider Web Service URL. Entering the URL for password retrieval through a Central Credential Provider web service eliminates the need to install the CyberArk AIM/AAM agent on a Trust Protection Platform server.
    • If you select Central Credential Provider, select the Certificate Credential. This credential is used when Central Credential Provider has certificate-based authentication configured.
  11. (Optional) If you are using a SCIM server for cases where a CyberArk user is granted access to a CyberArk safe through a group rather than being granted access to their user account directly, do the following:
    1. In SCIM Server URI, enter the location of your SCIM server.
    2. In Service Account Credential, click , then select the SCIM credential.
  12. Click Save.