Discovery: How to integrate Discovery with CyberArk?

Knowledge Article

Article Number

000386181

Old Article Number

Article Type

FAQ/Procedural

Title

Discovery: How to integrate Discovery with CyberArk? - INCLUDES VIDEO

Summary

What are "TLS verification Type" and "Client Certificate Bundle" parameters for ?

Product

BMC Discovery

Component

Applies to

>=20.08

Question

How to integrate Discovery with CyberArk?
What are "TLS verification Type" and "Client Certificate Bundle" parameters for ?

Answer

Here is a Video showing the configuration of CyberArk and the integration using AIM.

Here is a Video showing the integration of CyberArk using the REST API in appliance and outposts

More information related to the CyberArk credential broker integration is available here:
https://docs.bmc.com/docs/discovery/233/integrating-with-cyberark-enterprise-password-vault-1223809951.html

Here are information about "TLS verification Type" and "Client Certificate Bundle" parameters:

1) Client Certificate Bundle: All connections from Discovery Appliances and/or Outposts have to be accepted on CyberArk server. Here are different ways to allow these connections:

1.1) Allow incoming connections in CyberArk via client certificate ("Client Certificate Bundle" parameter parameter in Discovery):
Generate a Client certificate Bundle for CyberArk that include "intermediate CA + root CA + Private Key".
Discovery prerequisites is to have this certificate as PEM file.

This client certificate need to be allowed on CyberArk side for the Application ID.
To do so add certificate serial in CyberArk UI > Applications > Application_ID > Authentication.
See https://docs.cyberark.com/credential-providers/13.0/en/Content/CP%20and%20ASCP/Application-Authentication-Methods-general.htm for more information.
CyberArk Documentation indicates that certificate serial number must be allowed in IIS to.

Import in Discovery the "Client Certificate Bundle".

1.2) Define Whitelist in CyberArk for Outpost/Appliance IPs that connect to the CyberArk server.
This way CyberArk will accept connections from the whitelisted IPs.
In this case there is no need to import "Client Certificate Bundle" in Discovery.

2) "TLS verification Type": This parameters defines if Discovery has to verify CyberArk server certificate or not.

This parameter has to be set to "Off" in case CyberArk server certificate is self-signed or issued from a Non Public CA (not included in "CA Certificates" bundle imported in Discovery).
This parameter can be set to "Public" if CyberArk server certificate CA is public or if CA is included in the imported "Client Certificate Bundle" as explained in point 1.1.

Attachment(s):