Fortra's Beyond Security

To integrate beSECURE with CyberArk Application Identity Manager (now called CyberArk Application Access Manager), that will allow beSECURE to pull credentials for SMB (Windows) or SSH (UNIX) from a CyberArk AIM, all you need to do is follow these easy steps:

The first step is to collect the information from CyberArk such that will have the relevant credentials ready for use. Let's start first with logging in into CyberArk Password Vault:

Now create a “UnixSSH”, “UnixSSHKeys”, “WinDomain”, “WinServerLocal”,  or “WinDesktopLocal” account in CyberArk. Make note of the Safe, Folder and Object as these will be required later when you define the Credentials Storage to use.

You can obtain the information of Safe, Folder and Object (name) by viewing the details (in the Classic interface) under “Advanced”:

In this case the Safe name is “Test”, Folder name is “Root” and (Object) Name is “linux2”, that will be used by beSECURE to retrieve the credentials for this element via a defined Query of:
Safe=Test;Folder=Root;Object=linux2

Once you have one or more Accounts set up, we now need to configure beSECURE’s Credentials Storage to utilize the third-party CyberArk AIM for its passwords, login to beSECURE and access the Credentials Storage page:

Here you need to create a new Credentials Storage that utilizes under the “Storage Location” the “CyberArk Application Identity Manager” followed by the:

• FQDN or IP address of the server - either a deployed solution or a cloud based solution followed by a Port number if the 443 port is not used, for example: services-uscentral.skytap.com:12091)

• AppID - The Application ID you have configured in CyberArk for beSECURE to use, in this case we used “BeyondSecurity”. You can review which Applications have been configured by accessing the Applications page and searching for the relevant ApplicationID:

• Or by creating a new one by clicking on the “Add Application”:

And filling the dialog with the following information:

Make sure the Application ID has Retrieve permissions on the appropriate safes. 

• Query - This should be in the form Property=Value;Property=Value; … Property=Value, for example: Safe=[Safe Name];Folder=[Folder Name];Object=[Object Name] which are the values seen in the CyberArk system (under the “Advanced” information view of the account you created). For example: Safe=Test;Folder=Root;Object=linux2

While the configuration is being done on the beSECURE management screen, the CyberArk AIM will be contacted by the scanner just prior to the initialization of the scan and therefore the provided FQDN or IP should be reachable to the scanner and not the management system.

It’s strongly recommended that the Application ID is secured with a client side certificate serial number. The first step is to generate a client side certificate, by running this command (or similar):

openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 365 -subj "/CN=localhost/O=Client\ Certificate\ Demo"

The value of 365 indicates when the certificate expires, a longer term of expiry can be provided by using a value higher than 365. The subject (subj) value is provided for your own information and is not enforced by the server.

After the certificate and key is generated, you will need to extract the Serial Number of the certificate, this is done by running the following command against the generated file:

openssl x509 -in server_cert.pem -serial -noout

The output should appear in the form of:

serial=EC4D1A3C2342A393

Once you have this value, place this information on the CyberArk’s relevant AppID, the Authentication options will be shown after you have opened the relevant AppID, first click on Add:

Followed by pasting the Certificate Serial Number:

Once this is set up, on the beSECURE side, do the following, open the relevant Certificate Storage item, and paste the Certificate and Key information into the UI:

The certificate and key information should look like so:

-----BEGIN PRIVATE KEY-----

MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCvhg8yMPUdZcFS

…

Ci2ZII/iARhKIiLQ5+j1lS/MlHBcog==

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

MIIFPzCCAyegAwIBAgIJAOxNGjwjQqOTMA0GCSqGSIb3DQEBCwUAMDYxEjAQBgNV

...

opz9

-----END CERTIFICATE-----

If you have a p12 certificate instead of a PEM file, you can use this command to extract the two components from it:

   openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys

   openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes

To verify that the information has been placed correctly after clicking “Modify” check that the Serial Number displayed is correct: