Defining Policy Manager Teams in the Vault
This section describes how to define Policy Manager Teams in the CyberArk Password Vault and add authentication details for the Teams, using the CyberArk Password Vault Web Access (PVWA) interface.
Requests that Policy Manager makes to CyberArk use the application id specified by the following property in the platform application.properties file (this file is used to configure many areas of Policy Manager):
agrotera.cyberark.application_id
For more information, see CyberArk Application Properties.
The platform also mandates that when a JDBC Token Vault is used with CyberArk, all JDBC credentials are stored, managed and retrieved from CyberArk. Requests to CyberArk that retrieve JDBC Token Vault credentials do not use the global application id; they use a team-specific application id derived from the Team ID. Every Team in the platform that needs to retrieve these credentials must therefore be defined as an application in the Password Vault. This allows access to secrets to be restricted per Team rather than shared across all Teams.
For more information about Teams and how to obtain the Team ID for a Team, see the Privitar User Guide.
For more information about configuring the platform to store JDBC credentials in CyberArk, see Configuring JDBC Token Vault credentials.
To add a Privitar Team to the Password Vault:
Log in to the CyberArk Vault as a user with access rights to manage applications. (The user must have Manage Users authorization.)
Click Add Application, in the Applications tab. The Add Application window is displayed:
Enter the following information:
In the Name field, specify the Team id as it is defined in the application. The name must follow the format defined by the platform application property:
agrotera.cyberark.application_id.team_format
By default, the format is:
{globalAppId}_Team_{teamId}
For example, if the globalAppId for the platform application is POLICY_MANAGER and the teamId for the Team is 12345, then the application name to add to the Password Vault is:
POLICY_MANAGER_Team_12345
For more information, see CyberArk Application Properties.
In the Description field, specify a short description that will help you identify the Team this application represents.
In the Business owner section, specify the contact information for the platform application’s business owner.
In the Location field, specify the location of the platform application in the Vault hierarchy. (If a location is not specified, the application will be added in the same location as the user who is creating this application.)
Click Add. The Team details are added to the Vault and displayed in the Application Details page.
Select the Authentication tab from the Application Details page.
Check the Allow extended authentication restrictions box.
This setting allows an unlimited number of machines and Windows domain OS users to be specified for a single application.
In the Authentication tab, click Add. A list box is displayed containing a list of authentication characteristics that can be added for an application.
These characteristics are checked by the CyberArk Central Credential Provider (CCP) before it releases the application's password to a caller.
Select Certificate Serial Number from the list box. The Add Certificate Serial Number Authentication dialog box is displayed.
Enter the Certificate Serial Number in the SN field.
The serial number must match the serial number of the client certificate that Policy Manager presents to CyberArk, that is, the certificate at the path given by the application property:
agrotera.cyberark.certificate.path
Because the serial number is the only characteristic added here, any caller that can present that certificate and its private key is accepted as this Team's application, so protect the private key as you would the credentials it unlocks. Note also that a renewed certificate carries a new serial number, so this entry must be updated whenever the certificate is replaced.
For more information, see CyberArk Application Properties.
Click Add to save the details.
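As an added worked example (not part of this page or of the Privitar product), the following Python script derives the two values entered in the procedure above: the application Name from the configured team format, and the certificate serial number for the SN field, read out of a PEM file with a minimal DER walk that needs no third-party library. The certificate it parses is a constructed DER skeleton containing only the fields the parser reads, not a real certificate; the function and variable names are the example's own. The hex formatting it produces (uppercase, even number of digits, no separators) is the form printed by openssl x509 -noout -serial and is an assumption about what the SN field expects, so confirm it against an entry the PVWA accepts.

```python
import base64
import re

# Default value of agrotera.cyberark.application_id.team_format, as stated on the page.
DEFAULT_TEAM_FORMAT = "{globalAppId}_Team_{teamId}"


def team_application_name(global_app_id, team_id, team_format=DEFAULT_TEAM_FORMAT):
    """Return the application name the Password Vault must contain for a Team.

    Both placeholders must be present: a format without {teamId} would map every
    Team onto one Vault application and defeat the per-Team restriction.
    """
    for placeholder in ("{globalAppId}", "{teamId}"):
        if placeholder not in team_format:
            raise ValueError(f"team format {team_format!r} lacks {placeholder}")
    return team_format.replace("{globalAppId}", global_app_id).replace("{teamId}", str(team_id))


# Minimal DER handling: just enough to reach tbsCertificate.serialNumber.

def _der_encode(tag, value):
    """Encode one DER tag-length-value (used only to build the sample input)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _der_integer(n):
    """DER INTEGER for a non-negative value (minimal two's-complement length)."""
    return _der_encode(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _der_decode(buf, pos):
    """Decode the TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def certificate_serial_hex(pem):
    """Serial number of the first CERTIFICATE block in pem, as uppercase hex.

    Layout walked: Certificate SEQUENCE -> tbsCertificate SEQUENCE ->
    optional [0] EXPLICIT version -> serialNumber INTEGER (RFC 5280, section 4.1).
    """
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    tag, certificate, _ = _der_decode(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, tbs, _ = _der_decode(certificate, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _der_decode(tbs, 0)
    if tag == 0xA0:                        # version present; serialNumber follows it
        tag, value, nxt = _der_decode(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(value, "big", signed=True)
    if serial < 0:
        raise ValueError("negative serial number is not valid in a certificate")
    digits = format(serial, "X")
    return digits if len(digits) % 2 == 0 else "0" + digits   # even length, as openssl prints it


def sample_certificate_pem(serial):
    """CONSTRUCTED sample input: a DER skeleton with only version and serialNumber.

    It is not a usable certificate (no issuer, validity, key or signature); it only
    reproduces the tag layout that certificate_serial_hex walks.
    """
    version = _der_encode(0xA0, _der_integer(2))            # [0] EXPLICIT INTEGER 2 (v3)
    tbs = _der_encode(0x30, version + _der_integer(serial))
    cert = _der_encode(0x30, tbs)
    body = base64.b64encode(cert).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def vault_entry(global_app_id, team_id, pem, team_format=DEFAULT_TEAM_FORMAT):
    """The two values to type into the PVWA for one Team: Name and SN."""
    return {"name": team_application_name(global_app_id, team_id, team_format),
            "serial": certificate_serial_hex(pem)}


if __name__ == "__main__":
    # In real use, read the file named by agrotera.cyberark.certificate.path instead.
    pem = sample_certificate_pem(0x0ABC1234)
    print(vault_entry("POLICY_MANAGER", "12345", pem))
    # -> {'name': 'POLICY_MANAGER_Team_12345', 'serial': '0ABC1234'}
```

To use it against the real certificate, replace the sample with the contents of the file named by agrotera.cyberark.certificate.path, and compare the result with the output of openssl x509 -in that_file -noout -serial before entering it in the SN field. Running the name derivation over every Team ID exported from the platform gives the full list of Vault applications that must exist, which is a convenient way to audit that no Team is missing.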