Getting CyberArk ready for integration with Trust Protection Platform

Implementing CyberArk with Trust Protection Platform (TPP) involves detailed setup on both platforms. The following information lays out the tasks, and which platform each one is performed on, to speed up the process. Once set up correctly, the benefits justify the initial effort.

CyberArk objects, the CyberArk permissions each needs on the safe, and what Trust Protection Platform does with each

Vault and Safe
  CyberArk permissions: none for the safe itself; it is the container that the objects below are granted access to.
  Action in Trust Protection Platform: none.

End User
  A user created in CyberArk. Trust Protection Platform uses this user's credentials, on behalf of TPP users, whenever an application or server needs to authenticate to CyberArk.
  CyberArk permissions: Use Accounts or Retrieve Accounts.
  NOTE  Access may be granted to the user directly or through group membership, but not through Object Level Access Control (OLAC). The effective Master Policy must not require a reason for accessing an account's password.
  Action in Trust Protection Platform: you must supply this user's CyberArk credentials, which must have access to the safe, whenever you create a CyberArk Username Password credential.

Application
  CyberArk permissions: Retrieve Accounts.
  Action in Trust Protection Platform: used when TPP retrieves account passwords from a safe.

Authorization User
  CyberArk permissions: View Safe Members.
  Action in Trust Protection Platform: used to verify that the actual user is authorized to create CyberArk Username Password credentials.

Providers
  CyberArk permissions: Retrieve Accounts, List Accounts, and View Safe Members.
  Action in Trust Protection Platform: access required by the Application Identity Manager (AIM) installed on each Trust Protection Platform server.

NOTE  Refer to CyberArk Enterprise Password Vault documentation for help with tasks that must be completed on the CyberArk platform.

TIP  Keep in mind that in CyberArk, "account" is analogous to "credential" in Trust Protection Platform. Terminology can be confusing as many security companies adopt their own nomenclature.

Step-by-step

Step 1 (CyberArk)
  Create a CyberArk vault and safe.

Step 2 (CyberArk)
  Create a CyberArk (PVWA) user that Trust Protection Platform will use to verify that a TPP user has access to a safe (the Authorization User in the table above).

Step 3 (CyberArk)
  Grant access to the CyberArk Application Identity Manager. Follow CyberArk's steps for whichever retrieval method you use, an AIM/AAM agent or the Central Credential Provider.

Step 4 (CyberArk)
  Create a CyberArk Application for Trust Protection Platform to use when retrieving accounts from safes.
  If you use the Central Credential Provider method, also create an AIM Web Service application.

Step 5 (CyberArk)
  Create a CyberArk end user (if one does not already exist).
  The credentials of this user are used later, when you create a CyberArk Username Password Credential in Trust Protection Platform. See Adding and configuring CyberArk credentials. The safe access this user needs is granted in Step 9.

Step 6 (Trust Protection Platform)
  If passwords will be retrieved through an AIM/AAM agent, install the CyberArk Application Identity Manager (AIM/AAM) on all Trust Protection Platform servers.
  Installation is optional on servers that will never provision certificates using CyberArk credentials and do not host the web console.
  Then, in CyberArk, grant every provider created by the AIM/AAM installation the following access to the safe:
  • Retrieve Accounts
  • List Accounts
  • View Safe Members

Step 7 (Trust Protection Platform)
  NOTE  This step does not apply when using the Central Credential Provider.
  Configure the CyberArk connector in Venafi Configuration Console to connect to CyberArk using the web service (PVWA) user credential from Step 2. See Creating a CyberArk connector.
  On the CyberArk connector, configure the connection between Trust Protection Platform and the CyberArk service and any other settings as appropriate. For example, if the CyberArk connection should go through the proxy, enable the proxy settings. See Configuring and editing the CyberArk Credentials driver in the Policy Tree.

Step 8 (CyberArk)
  Grant the verification user (the PVWA user from Step 2) View Safe Members access to the safe.
  Grant the Application (from Step 4) Retrieve Accounts access to the safe.

Step 9 (CyberArk)
  Grant the end user (from Step 5) either Use Accounts or Retrieve Accounts access to the safe.

Step 10 (CyberArk)
  Create and set up a CyberArk Enterprise Password Vault account that holds the credential used to access the device and manages that credential's password.

Step 11 (Trust Protection Platform)
  Assign the CyberArk Password credential to the applications and devices to be provisioned. See Using a CyberArk credential for provisioning (certificate installation).
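The safe grants in the table above and in Steps 6, 8 and 9 are the part of this setup that most often ends up partly wrong (a provider missing View Safe Members, or an end user whose only access comes through OLAC). The script below is an added example, not Venafi or CyberArk code, that checks a safe's membership against exactly those requirements before you create the credential in TPP. It assumes the Gen2 PVWA REST API response shape for GET /PasswordVault/API/Safes/{safeUrlId}/Members (member objects carrying a `permissions` map of camelCase booleans such as `retrieveAccounts` and `viewSafeMembers`); the member names, role mapping, group membership and sample response are constructed for illustration, and the live logon and members calls in `fetch_members` are not exercised by the offline sample.

```python
"""Pre-flight check of the CyberArk safe grants Trust Protection Platform needs.
Added example, not Venafi or CyberArk code. Assumes the Gen2 PVWA REST API
members response: {"value": [{"memberName", "memberType", "permissions": {...}}]}."""
import json

# Required safe permissions per role, from the table on this page. A role is
# satisfied when ALL permissions of ANY one alternative are granted.
REQUIRED = {
    "end_user":    (["useAccounts"], ["retrieveAccounts"]),
    "application": (["retrieveAccounts"],),
    "auth_user":   (["viewSafeMembers"],),
    "provider":    (["retrieveAccounts", "listAccounts", "viewSafeMembers"],),
}


def granted(members, member_name):
    """Permissions granted directly to one safe member, or None if not a member."""
    for m in members:
        if m["memberName"].lower() == member_name.lower():
            return {p for p, v in m.get("permissions", {}).items() if v is True}
    return None


def effective(members, member_name, groups=()):
    """Union of direct grants and grants via the member's groups (group grants
    count, per the NOTE on this page). None if neither user nor groups are members."""
    found = [s for s in [granted(members, member_name)] + [granted(members, g) for g in groups]
             if s is not None]
    return set().union(*found) if found else None


def check_safe(members_response, roles, group_membership=None,
               olac_enabled=False, reason_required=False):
    """Return a list of problems; an empty list means the safe is ready for TPP.

    roles:            {"application": "TPPApp", "provider": ["Prov_HOST1", ...], ...}
    group_membership: {"user": ["Group1", ...]} (assumed known, e.g. from the Users API)
    olac_enabled / reason_required: safe and Master Policy settings supplied by the
    caller; the page says OLAC grants and a required reason both break the integration.
    """
    members = members_response["value"]
    group_membership = group_membership or {}
    problems = []
    if olac_enabled:
        problems.append("safe has OLAC enabled; TPP access cannot be granted via OLAC")
    if reason_required:
        problems.append("Master Policy requires a reason to retrieve passwords; it must not")
    for role, names in roles.items():
        for name in [names] if isinstance(names, str) else names:
            have = effective(members, name, group_membership.get(name, ()))
            if have is None:
                problems.append(f"{role} '{name}' is not a member of the safe")
            elif not any(set(alt) <= have for alt in REQUIRED[role]):
                wanted = " or ".join("+".join(alt) for alt in REQUIRED[role])
                problems.append(f"{role} '{name}' lacks {wanted}; has {sorted(have) or 'nothing'}")
    return problems


def fetch_members(pvwa_url, username, password, safe):
    """Fetch the live members list from PVWA (CyberArk authentication, Gen2 API).
    The user needs View Safe Members on the safe, which is what the Authorization
    User in the table has. Assumed endpoints; not run by the offline sample below."""
    import urllib.parse
    import urllib.request
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{pvwa_url}/PasswordVault/API/auth/CyberArk/Logon",
                                 data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        token = json.loads(r.read())  # logon returns the session token as a JSON string
    req = urllib.request.Request(
        f"{pvwa_url}/PasswordVault/API/Safes/{urllib.parse.quote(safe)}/Members",
        headers={"Authorization": token})
    with urllib.request.urlopen(req) as r:
        return json.loads(r.read())


# Constructed sample response (not real data): one provider is missing View Safe
# Members, a second provider has not been added, and the end user is a member
# only through the TPP-Users group.
SAMPLE_MEMBERS = {"value": [
    {"memberName": "TPPApp", "memberType": "User",
     "permissions": {"retrieveAccounts": True, "listAccounts": False, "viewSafeMembers": False}},
    {"memberName": "tpp-authz", "memberType": "User",
     "permissions": {"viewSafeMembers": True, "retrieveAccounts": False}},
    {"memberName": "TPP-Users", "memberType": "Group",
     "permissions": {"useAccounts": True, "retrieveAccounts": False}},
    {"memberName": "Prov_TPPSRV01", "memberType": "User",
     "permissions": {"retrieveAccounts": True, "listAccounts": True, "viewSafeMembers": False}},
]}
SAMPLE_ROLES = {"application": "TPPApp", "auth_user": "tpp-authz",
                "end_user": "tpp-enduser", "provider": ["Prov_TPPSRV01", "Prov_TPPSRV02"]}
SAMPLE_GROUPS = {"tpp-enduser": ["TPP-Users"]}

if __name__ == "__main__":
    for problem in check_safe(SAMPLE_MEMBERS, SAMPLE_ROLES, SAMPLE_GROUPS):
        print("PROBLEM:", problem)
```

Run it against a real safe by replacing SAMPLE_MEMBERS with `fetch_members(...)` using the Authorization User's credentials, and pass `olac_enabled` and `reason_required` from the safe's settings and the effective Master Policy, which the members list does not expose. An empty result means the grants in Steps 6, 8 and 9 are in place; anything else names the member and the permission to fix before creating the CyberArk Username Password credential in TPP.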