The beSECURE/CyberArk integration allows beSECURE to pull credentials for SMB (Windows) or SSH (UNIX) from a CyberArk Application Identity Manager (AIM). Note: This guide references the legacy CyberArk Application Identity Manager interface, which is now known as CyberArk Application Access Manager.
Configuring CyberArk to integrate with beSECURE
To integrate CyberArk with beSECURE, do the following:
- Sign in to CyberArk Password Vault.
- Depending on your platform and setup, create a UnixSSH, UnixSSHKeys, WinDomain, WinServerLocal, or WinDesktopLocal PolicyID.
- Under the Advanced tab, make note of the policy’s Safe, Folder, and Object values. beSECURE will use these settings to retrieve the credentials for this element by way of the following query:
Safe=<value>;Folder=<value>;Object=<value>
- Create an Application ID for beSECURE by doing the following:
  - Open the Applications page.
  - Select Add Application.
  - In the Name box, enter BeyondSecurity.
  - Select Add.
- Secure the Application ID with a client-side certificate serial number by doing the following:
  - Generate the client-side certificate by running the following command:
    openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 365 -subj "/CN=localhost/O=Client\ Certificate\ Demo"
    Note: You can increase the days 365 value to extend the expiration date. The subj value is provided for your own information and is not enforced by the server.
  - Extract and copy the certificate’s Serial Number by running the following command (the output will appear in the following example format: serial=EC4D1A3C2342A393):
    openssl x509 -in server_cert.pem -serial -noout
  - Open the BeyondSecurity Application ID, and then select Add > Certificate Serial Number.
  - Paste the Certificate Serial Number into the Application ID.
Configuring beSECURE to integrate with CyberArk
To integrate beSECURE with CyberArk, do the following:
- Log in to beSECURE.
- In the upper-left corner of the Home page, select DevOps.
- Select Scans > Credentials Storage.
- Select the New button.
- On the Credentials Storage Details page, do the following:
  - In the Name box, enter CyberArk.
  - In the Available box, select the users to grant permissions to the CyberArk Credentials Storage.
  - In the Storage Location box, select CyberArk Application Identity Manager (AAM).
  - In the CyberArk IP Address or FQDN (and port if differs 443) box, enter the CyberArk server's IP address or FQDN followed by its port number (for example, services-uscentral.skytap.com:12091).
  - In the AppID box, enter BeyondSecurity.
  - In the Query box, enter the Safe, Folder, and Object values from CyberArk in the following query:
    Safe=<value>;Folder=<value>;Object=<value>
  - In the Client Side Certificate box, paste the Certificate and Key information from CyberArk. For example:
    -----BEGIN PRIVATE KEY-----
    MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCvhg8yMPUdZcFS
    ...
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIFPzCCAyegAwIBAgIJAOxNGjwjQqOTMA0GCSqGSIb3DQEBCwUAMDYxEjAQBgNV
    ...
    -----END CERTIFICATE-----
  - Select Modify.
Note: If you have a .p12 certificate instead of a .pem file, use the following commands to extract the two components from it, and paste their output as the Certificate and Key information:
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
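The certificate generation, serial extraction and Safe/Folder/Object query steps above, as an added example that is not part of the beSECURE or CyberArk documentation: a POSIX shell script that builds and validates the query string, prints the serial in the form CyberArk expects, confirms that the key and certificate pasted into beSECURE belong together, and checks the certificate's remaining validity. It assumes the openssl CLI is installed; the file names and the sample Safe, Folder and Object values are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the beSECURE or CyberArk documentation: pre-flight
# checks for the values pasted into the beSECURE Credentials Storage form.
# Assumes the openssl CLI is installed; file names and values are hypothetical.

# Build the query from the Safe, Folder and Object values noted on the policy's
# Advanced tab. A value containing ';' or '=' would corrupt the key=value;...
# format, so it is rejected rather than sent to the vault.
build_query() {
    for v in "$1" "$2" "$3"; do
        case $v in
            ''|*';'*|*'='*) echo "invalid query value: '$v'" >&2; return 1 ;;
        esac
    done
    printf 'Safe=%s;Folder=%s;Object=%s\n' "$1" "$2" "$3"
}

# Serial in the form the guide shows (serial=HEX), as emitted by openssl x509.
cert_serial() { openssl x509 -in "$1" -serial -noout; }

# The Application ID is bound to the certificate's serial, but beSECURE also
# needs the matching private key. Compare the public keys derived from each so a
# mismatched pair is caught before the TLS client authentication to AIM fails.
key_matches_cert() {
    pub_from_cert=$(openssl x509 -in "$1" -pubkey -noout) || return 1
    pub_from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$pub_from_cert" = "$pub_from_key" ]
}

# Succeeds only if the certificate stays valid for at least $2 more days, so an
# expiring -days 365 certificate is renewed before scans lose vault access.
cert_valid_for_days() {
    openssl x509 -in "$1" -checkend $(( $2 * 86400 )) -noout >/dev/null
}

# Demo: generate a throwaway client certificate like the guide's command
# (rsa:2048 here only to keep the run short) and run every check on it.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -keyout "$dir/server_key.pem" \
        -out "$dir/server_cert.pem" -nodes -days 365 \
        -subj "/CN=beSECURE-client" >/dev/null 2>&1
    cert_serial "$dir/server_cert.pem"
    key_matches_cert "$dir/server_cert.pem" "$dir/server_key.pem" && echo "key matches cert"
    cert_valid_for_days "$dir/server_cert.pem" 30 && echo "valid for 30+ days"
    build_query AppSafe Root beSECURE-scanner
    rm -rf "$dir"
}
command -v openssl >/dev/null 2>&1 && demo
```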