
EPAS Integration

Refer to the document labeled EPAS Operations for the basic EPAS installation and configuration. Once EPAS is configured in an environment, perform the following steps to enable the CyberArk integration. Two integration modes are available: a standalone (EPAS local) Credential Provider, or the Central Credential Provider (CCP) reached over HTTPS; each mode has its own procedure below.

Configuring EPAS for standalone Credential Provider integration

  1. Configure the CyberArk credential provider connection and provisioning details.

    1. Logged in as an EPAS Administrator, navigate to the System → Integration page.
    2. Click on the CyberArk Credential Providers tab.
       (Screenshot: CyberArk: EPAS Local Credential Provider)
    3. Click the Add New Credential Provider action.
    4. Enter a name for the defined credential provider.
    5. Enter the hostname assigned to the CyberArk AAM Vault.
    6. Enter the port number associated with the Vault.
    7. Enter Vault credentials that are allowed to provision new credential providers (an administrative account).
    8. Change (if applicable) any of the default options for the created provider: username, location and configuration safe.
    9. Save the changes. Provisioning of the credential provider starts: the provider user is created and the (EPAS local) credential provider service is started.
  2. Update the internal Certificate Authority store with the certificate chain used by the HTTPS-enabled Central Credential Provider endpoint.

    1. Logged in as an EPAS Administrator, navigate to the System → SSL Settings page.
    2. Click on the Certificate Store tab.
    3. In the X509 PEM Certificate field, enter an X.509 PEM-encoded trusted certificate (either the root CA or an intermediate).
    4. Repeat step 3 for every certificate in the chain, up to but not including the Central Credential Provider server certificate itself (the leaf certificate is validated against this chain; it is not a trust anchor).

    Note

    Before continuing to Step 3, confirm that the CyberArk Central Credential Provider endpoint is set up with secure (TLS) channel encryption; EPAS will not accept an endpoint configured for plaintext HTTP.

  3. Configure the vault definition EPAS will use: the credential provider type, the credential provider created in Step 1 and the application ID (see section Defining the application id (Appid) and authentication details).

    1. Logged in as an EPAS Administrator, navigate to the System → Integration page.
    2. Click on the CyberArk Enterprise Password Vaults tab.
       (Screenshot: CyberArk: Local Password Vault)
    3. Click the Add New Vault action.
    4. Enter a name for the defined vault.
    5. Select the (Local) Credential Provider type.
    6. Enter the application ID assigned to the EPAS MASTER.
    7. Select the credential provider defined in Step 1.
    8. Save the changes.

EPAS target systems that use the CyberArk Vault to retrieve their credentials can now be defined.

Configuring EPAS for Central Credential Provider integration

  1. Update the internal Certificate Authority store with the certificate chain used by the HTTPS-enabled Central Credential Provider endpoint.

    1. Logged in as an EPAS Administrator, navigate to the System → SSL Settings page.
    2. Click on the Certificate Store tab.
       (Screenshot: CyberArk: EPAS Certificate Configuration)
    3. In the X509 PEM Certificate field, enter an X.509 PEM-encoded trusted certificate (either the root CA or an intermediate).
    4. Repeat step 3 for every certificate in the chain, up to but not including the Central Credential Provider server certificate itself.

    Note

    Before continuing to Step 2, confirm that the CyberArk Central Credential Provider endpoint is set up with secure (TLS) channel encryption; EPAS will not accept an endpoint configured for plaintext HTTP.

  2. Configure the Central Credential Provider location, port number, virtual directory and application ID (see section Defining the application id (Appid) and authentication details).

    1. Logged in as an EPAS Administrator, navigate to the System → Integration page.
    2. Click on the CyberArk Enterprise Password Vaults tab.
       (Screenshot: CyberArk: CyberArk Password Vault)
    3. Click the Add New Vault action.
    4. Enter a name for the defined vault.
    5. Enter the application ID assigned to the EPAS MASTER.
    6. Enter the port number associated with the Central Credential Provider.
    7. Enter the virtual directory associated with the Central Credential Provider (the default value is AIMWebService).
    8. Save the changes.

EPAS target systems that use the CyberArk Vault to retrieve their credentials can now be defined.
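The certificate-store step in both procedures above is the one most often done wrong: the chain pasted into EPAS must stop before the server's own certificate, and the endpoint must be HTTPS. The following script is an added example, not part of the EPAS product or its documentation; it assumes the `openssl` command-line tool is installed and uses placeholder hostnames. It enforces the HTTPS-only rule on a CCP URL, runs `openssl s_client -showcerts` to capture what the endpoint presents, and splits the output into the PEM blocks that belong in the trust store (everything after the leaf, in chain order).

```python
"""Added example (not EPAS documentation code): collect the CA chain that a
Central Credential Provider (CCP) endpoint presents, so each certificate can be
pasted into EPAS System -> SSL Settings -> Certificate Store.
Assumes the `openssl` CLI is on PATH; host names below are placeholders."""
import re
import subprocess
from urllib.parse import urlsplit

# One PEM certificate block, as printed by `openssl s_client -showcerts`.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.S
)


def ccp_endpoint(url):
    """Parse a CCP base URL and enforce the TLS-only rule EPAS applies.
    Returns (host, port, virtual_directory); the virtual directory defaults
    to AIMWebService, the CCP default named in the procedure above."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("CCP endpoint must use https; EPAS rejects plaintext")
    if not parts.hostname:
        raise ValueError("CCP endpoint URL has no hostname")
    vdir = parts.path.strip("/") or "AIMWebService"
    return parts.hostname, parts.port or 443, vdir


def showcerts(host, port):
    """Run `openssl s_client -showcerts` against the endpoint and return its
    text output: the server certificate first, then the chain it sends."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, check=False, timeout=30,
    )
    return proc.stdout.decode(errors="replace")


def trust_store_entries(showcerts_output):
    """Split -showcerts output into PEM blocks and drop the first one, which
    is the server (leaf) certificate and must not go into the trust store.
    What remains (intermediates, possibly the root) is what EPAS needs,
    one block per "X509 PEM Certificate" entry, in chain order."""
    blocks = PEM_BLOCK.findall(showcerts_output)
    if not blocks:
        raise ValueError("no certificates found; is the endpoint speaking TLS?")
    return blocks[1:]


# Constructed sample of -showcerts output; the PEM bodies are placeholders,
# not real certificates, so the parsing can be exercised offline.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ccp.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 2 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---
"""


if __name__ == "__main__":
    host, port, vdir = ccp_endpoint("https://ccp.example.test/AIMWebService")
    for pem in trust_store_entries(showcerts(host, port)):
        print(pem, end="\n\n")
```

Many servers send only the leaf and the intermediates, not the root; in that case the root CA certificate has to be taken from your own PKI and entered as well. Check the subject and issuer lines printed by `openssl` before pasting: an entry whose subject equals the CCP hostname is the leaf and does not belong in the store.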

Defining EPAS target systems with CyberArk integration

To use credentials provided by CyberArk in EPAS single-target retrievals:

  1. Navigate to the Targets menu and add or edit an EPAS target.
  2. In the target definition:

    1. Enable the CyberArk Integration checkbox.
    2. In the CyberArk Vault dropdown, select a vault configured in the previous section.
    3. Enter a CyberArk Query identifying the object or credential set. The query is a list of Key=Value elements, separated by semicolons, that together identify the credential set:
      1. Safe: the name of the safe
      2. UserName: the name of the user
      3. Address: the address of the system
      4. Platform: the platform name
      5. Object: the fully qualified object name

    For additional query options, refer to the "Central Credential Provider Implementation Guide" document.

    Examples of queries include:

    • Safe=Test;Object=EPAS-MSSQL-SRV01
    • Safe=Test;Address=1.2.3.4;UserName=Administrator
    • Object=EPAS-MSSQL-SRV01

(Screenshot: EPAS: Query against CyberArk)

After saving the target definition, a new data retrieval operation that uses the CyberArk Vault integration can be performed: navigate to the Retrieve Data tab and start the operation.

(Screenshot: EPAS: CyberArk MSSQL Retrieval)

To use credentials provided by CyberArk in EPAS mass target retrievals:

  1. Navigate to the Targets menu and add or edit an EPAS target.
  2. In the target definition:

    1. Enable the CyberArk Integration checkbox.
    2. In the CyberArk Vault dropdown, select a vault configured in the previous section.
    3. In the uploaded file, place the CyberArk Query in the field that would otherwise hold the password (in the tab-delimited structure defined by the target); the file then contains no secrets, only references to them.

    Examples of queries include:

    • Safe=Test;Object=EPAS-MSSQL-SRV01
    • Safe=Test;Address=1.2.3.4;UserName=Administrator
    • Object=EPAS-MSSQL-SRV01

(Screenshot: EPAS: Editing existing CyberArk entry)

After saving the target definition, a new data retrieval operation that uses the CyberArk Vault integration can be performed: navigate to the Retrieve Data tab and start the operation.
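The query syntax used in both the single-target and the mass-retrieval procedures above, and the request it turns into at retrieval time, is easier to reason about in code. The following is an added example, not EPAS product code: it parses a CyberArk Query string, builds the CCP Accounts request (GET /<virtual directory>/api/Accounts with AppID and the query keys as parameters) that a query resolves through, reads the CCP JSON reply, and resolves one tab-delimited mass-retrieval row whose password column carries a query. The CCP hostname, AppID, safe and object names are placeholders, the CCP reply is constructed, and the mapping of the "Platform" element to the CCP PolicyID parameter is an assumption.

```python
"""Added example (not EPAS product code): what the EPAS "CyberArk Query" and
the mass-retrieval password column carry, and the CCP REST call a query
becomes at retrieval time. Host, AppID, safe and object names are placeholders."""
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

# Query elements listed on this page plus the remaining CCP Accounts parameters.
QUERY_KEYS = {"Safe", "Folder", "Object", "UserName", "Address",
              "Database", "PolicyID", "Platform"}
# Assumption: the page's "Platform" element corresponds to the CCP PolicyID parameter.
KEY_MAP = {"Platform": "PolicyID"}


def parse_query(query):
    """'Safe=Test;Object=EPAS-MSSQL-SRV01' -> {'Safe': 'Test', 'Object': '...'}.
    Unknown keys, empty values and duplicates are rejected so a typo fails
    when the target is saved, not during an unattended retrieval run."""
    parsed = {}
    for element in query.split(";"):
        element = element.strip()
        if not element:
            continue
        key, sep, value = element.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed query element: {element!r}")
        if key not in QUERY_KEYS:
            raise ValueError(f"unknown query key: {key!r}")
        if key in parsed:
            raise ValueError(f"duplicate query key: {key!r}")
        parsed[key] = value
    if not parsed:
        raise ValueError("empty CyberArk query")
    return parsed


def ccp_account_url(host, port, vdir, app_id, query):
    """Build the CCP Accounts request for a query. EPAS refuses plaintext
    endpoints, so only an https URL is ever produced here."""
    params = {"AppID": app_id}
    for key, value in parse_query(query).items():
        params[KEY_MAP.get(key, key)] = value
    return f"https://{host}:{port}/{vdir.strip('/')}/api/Accounts?{urlencode(params)}"


def fetch_credential(url, fetch=None):
    """GET the account from CCP. The JSON reply carries the secret in
    "Content" with the account metadata beside it; an error reply carries
    ErrorCode/ErrorMsg instead. `fetch` is injectable so the flow can be
    exercised offline with a constructed reply."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the AppID over plaintext HTTP")
    if fetch is None:
        def fetch(u):
            req = Request(u, headers={"Accept": "application/json"})
            with urlopen(req, timeout=15) as resp:
                return resp.read()
    reply = json.loads(fetch(url))
    if "Content" not in reply:
        raise RuntimeError(f"CCP error: {reply.get('ErrorCode')} {reply.get('ErrorMsg')}")
    return reply.get("UserName"), reply["Content"]


def resolve_mass_row(row, columns, password_column, resolve):
    """One tab-delimited row of an EPAS mass-retrieval file. The password
    column holds a CyberArk Query, not a secret; the query is validated,
    resolved just in time, and the secret is returned separately so it is
    never written back into the row or the file."""
    fields = row.rstrip("\r\n").split("\t")
    if len(fields) != len(columns):
        raise ValueError(f"expected {len(columns)} columns, got {len(fields)}")
    record = dict(zip(columns, fields))
    query = record[password_column]
    parse_query(query)  # fail early on a malformed reference
    return record, resolve(query)


# Constructed sample data (not real accounts): a CCP reply and one file row.
SAMPLE_REPLY = json.dumps({"Content": "S3cret!", "UserName": "svc-epas",
                           "Address": "1.2.3.4", "Safe": "Test",
                           "Name": "EPAS-MSSQL-SRV01"}).encode()
SAMPLE_ROW = "mssql-srv01.example.test\t1433\tsvc-epas\tSafe=Test;Object=EPAS-MSSQL-SRV01\n"
SAMPLE_COLUMNS = ["host", "port", "username", "password"]


if __name__ == "__main__":
    url = ccp_account_url("ccp.example.test", 443, "AIMWebService",
                          "EPAS-MASTER", "Safe=Test;Object=EPAS-MSSQL-SRV01")
    print(url)
    record, secret = resolve_mass_row(
        SAMPLE_ROW, SAMPLE_COLUMNS, "password",
        lambda q: fetch_credential(url, fetch=lambda u: SAMPLE_REPLY)[1])
    print(record["host"], record["username"], "secret resolved:", bool(secret))
```

A query that names only `Object=` relies on the AppID's safe permissions to disambiguate; in a mass file that is the difference between a row that resolves and one that fails at run time, so prefer `Safe=...;Object=...` when the same object name exists in several safes.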

Using the CyberArk integration ensures that:

  • Privileged credentials are not stored within EPAS; target definitions and mass-retrieval files hold only CyberArk Queries
  • Credential retrieval happens at run time of the data retrieval operation
  • Credentials are not cached or re-used by EPAS
  • Switching the required credentials or migrating to other service accounts is seamless and requires no changes in EPAS, provided the query still resolves to the intended object (a query that pins a specific UserName has to be updated when that account changes).