Automate 11.6.10 or later can integrate with CyberArk to securely transfer credentials from your CyberArk Vault to Automate for use by Automate tasks. By creating a Credentials Connection in Automate, CyberArk credentials are available to specified groups and users without exposing the associated values.

Determine Your CyberArk Authentication Methods

CyberArk can be configured to use one or more authentication methods to authenticate applications. Identify which authentication methods are in use with your CyberArk service so that you know how to authenticate the Automate Server running Automate 11.6.10 or later. For example:

  • Allowed machines: If your CyberArk service is using this method, the IP address of the Automate Server must be added as a trusted IP with the application ID in the CyberArk Vault.
  • Client certificates: If your CyberArk service is using this method, a CyberArk-trusted client certificate must be installed on the Automate Server and used with each Credentials Connection.

Important: The Hash authentication method is not currently supported by Automate.

Install a Server Certificate on the Automate Server

Before creating a Credentials Connection for CyberArk, you must install a server certificate on the Automate Server to provide internal connections to Automate components. Server certificates can be purchased from a Certificate Authority (CA), or you can create a self-signed server certificate (see New-SelfSignedCertificate for more information).

Important: If you create a self-signed server certificate, any machine running an Automate Agent and/or Automate Task Builder must have this certificate set as Trusted before it can be used with a Credentials Connection.

  1. Install a purchased or self-signed server certificate on the Automate Server.
  2. Open Services on the Automate Server.
  3. Stop the Automate <version number> Execution Server service.
  4. Open C:\ProgramData\Automate\Automate <version number>.
  5. Open the CredentialBroker.config.xml file, and then update the following entries using the server certificate you just installed:
    1. CredentialBrokerPort – The communication port. The default and recommended value is 9720. For example, <CredentialBrokerPort>9720</CredentialBrokerPort>.
    2. CredentialBrokerHost – The host name or IP address of the Automate Enterprise Server. For example, <CredentialBrokerHost></CredentialBrokerHost>.
      1. Important:
        1. If you purchase a server certificate commercially, this value must use the Common Name (CN) of the certificate.
        2. A self-signed server certificate must be created with the DnsName (that is, Common Name) matching the CredentialBrokerHost entry.
    3. CertStoreLocation – The store location of the server certificate. The default and recommended value is LocalMachine. For example, <CertStoreLocation>LocalMachine</CertStoreLocation>.
    4. CertStoreName – The store name of the server certificate. The default value is TrustedPeople. For example, <CertStoreName>TrustedPeople</CertStoreName>.
    5. CertSearchType – The criteria to use to search for the certificate. The default value is FindByThumbprint. For example, <CertSearchType>FindByThumbprint</CertSearchType>.
    6. CertSearchValue – The unique identifier used by the CertSearchType value to locate the server certificate. For example, <CertSearchValue>579008489D814136C62809695EC5C2AC986C7751</CertSearchValue>.
  6. Save the CredentialBroker.config.xml file.
  7. Restart the Automate <version number> Execution Server service.
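
A read-only pre-flight check for step 5, added here as an example and not part of the vendor documentation: it confirms that the certificate referenced in CredentialBroker.config.xml exists in the configured store and that its name matches CredentialBrokerHost. It assumes the settings are plain elements with the names listed above and handles only FindByThumbprint; the $ConfigPath parameter and the Get-Setting helper are names chosen for this example.

```powershell
param(
    # Full path to CredentialBroker.config.xml for your Automate version.
    [Parameter(Mandatory)] [string] $ConfigPath
)

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw

# Assumption: each setting is an element named as in the steps above. The XPath
# lookup by name avoids assuming anything about the file's root element.
function Get-Setting([string]$Name) {
    $node = $cfg.SelectSingleNode("//$Name")
    if (-not $node) { throw "Missing <$Name> in $ConfigPath" }
    $node.InnerText.Trim()
}

$brokerHost  = Get-Setting 'CredentialBrokerHost'
$location    = Get-Setting 'CertStoreLocation'
$storeName   = Get-Setting 'CertStoreName'
$searchType  = Get-Setting 'CertSearchType'
$searchValue = Get-Setting 'CertSearchValue'

if ($searchType -ne 'FindByThumbprint') {
    throw "This check only handles FindByThumbprint (found '$searchType')."
}

$problems = @()

# Thumbprints copied from the certificate dialog can carry spaces or invisible characters.
$thumb = ($searchValue -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb -cne $searchValue.ToUpperInvariant()) {
    $problems += 'CertSearchValue contains characters other than hex digits.'
}

$cert = Get-ChildItem -Path "Cert:\$location\$storeName" | Where-Object Thumbprint -eq $thumb
if (-not $cert) { throw "Certificate $thumb not found in Cert:\$location\$storeName" }

# Subject CN and first DNS name, compared case-insensitively (wildcards not handled).
$names = @($cert.GetNameInfo('SimpleName', $false), $cert.GetNameInfo('DnsName', $false)) |
    Select-Object -Unique
if ($names -notcontains $brokerHost) {
    $problems += "CredentialBrokerHost '$brokerHost' does not match certificate name(s): $($names -join ', ')"
}
if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key on this machine.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: $($cert.Subject) matches $brokerHost"
```

Run it on the Automate Server after saving the file and before restarting the Execution Server service; it changes nothing and exits with code 1 if any check fails.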

Create a Credentials Connection for CyberArk

After the server certificate is successfully installed, do the following:

  1. On the Automate Server, open Automate <version number> Management Console.
  2. On the Server Management Console's navigation bar, select Options.
  3. Select Server Settings > Credentials Connections.
  4. Select New to create a connection for CyberArk (see Credentials Connections in the Automate User Guide for more information).