Question

Out-of-box CyberArk Integration using CredentialManager.xml

We want to use the out-of-the-box integration with CyberArk to log in to the runtime VM and use the MFA PIN (stored in CyberArk). The CyberArk team needs to understand the details below after looking at the CredentialManager.xml file.

<Provider name="CyberArk" applicationID="" adminOperator="">
  <Credentials>
    <!--
    Variable names available for use in this section
    {AdminOperator} - returns the adminOperator attribute of the Provider
    {RobotName} - returns the robot name
    {AdapterFriendlyName} - used for application credentials, returns the credential name
    -->

    <!-- This is registration operator (Runtime) credentials -->
    <!-- <Credential name="RegistrationOperator" safe="" folder="" objectName="" /> -->

    <!-- Uncomment the WindowsUser only for RPA service -->
    <!-- <Credential name="WindowsUser" safe="" folder="" objectName="" /> -->

    <!-- Uncomment the RuntimeUser only when RPA service needs to launch runtime with different windows user -->
    <!-- <Credential name="RuntimeUser" safe="" folder="" objectName="" /> -->

    <!-- Sample credentials -->
    <!-- <Credential name="WebApp1" safe="{RobotName}" folder="root" objectName="WebApp1-{RobotName}" /> -->
    <!-- <Credential name="Default" safe="{RobotName}" folder="root" objectName="{AdapterFriendlyName}-{RobotName}" /> -->
  </Credentials>
</Provider>

1. Do we have to install the CyberArk SDK on the runtime VM?

2. Does Pega Robotics support certificate authentication?

3. How does this integration and authentication process work? Do you have any sample code snippet for reference?

4. What inputs are required from the CyberArk team to take this forward?


Correct Answer
August 23, 2019 - 9:34am

There is more information available here on implementing CyberArk.

A few quick answers to your questions:

  1. You need to install the CyberArk AIM application on each VM. This software is used by the Runtime and RPA Service to communicate with CyberArk.
  2. We support what CyberArk AIM supports for authentication. One of those methods of authentication does use certificates, but we are not restricted to any particular authentication method since AIM is actually contacting CyberArk.
  3. The Runtime and RPA Service are configured to use CyberArk through entries in the CommonConfig.xml and the CredentialManagerConfig.xml.
    1. CommonConfig entries (see attached image)
      1. Enable the RobotManager and set RPA="True"
      2. Enable the CredentialManager and set the providerType to CyberArk
    2. CredentialManagerConfig 
      1. Add the applicationID to the CyberArk provider, the adminOperator should be entered as well (this is used later as a replaceable value in building credential identifiers)
      2. There are sample Credential entries in the file which you may uncomment and edit
        1. RegistrationOperator is used by Runtime and the RPA Service to log into Robot Manager
        2. WindowsUser is used by the RPA Service to log into Windows
        3. RuntimeUser if specified is used by the RPA Service to start the Runtime (the Runtime is then started using credentials other than logged in user). In most cases the RuntimeUser will not be specified and instead the WindowsUser credentials will be used to start the Runtime.
        4. Other application credentials may be added using the applicationKey as the name.
        5. If the applicationKey is not specified in the CredentialManagerConfig, the Credential with the name Default will be used if available.
        6. Each Credential requires three pieces of information that will need to be provided by the CyberArk team - safe, folder and objectName.
    3. When you have CyberArk configured the RPA Service will draw credentials it requires from CyberArk. To access credentials in Runtime use the ASOManager or CredentialStore components as you would normally.
  4. The CyberArk team will need to:
    1. install AIM on each VM and enable AIM for that machine in CyberArk
    2. provide you with the ApplicationID you should use to retrieve credentials
    3. provide you with the safe, folder and objectName for each credential
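The lookup rules described in the answer (entry named after the applicationKey, fallback to Default, placeholder expansion, and the three required fields safe/folder/objectName), as an added example that is not Pega's or CyberArk's code. It parses a constructed Provider element in the shape of the file quoted in the question; the sample values (applicationID, adminOperator, safes, object names) and the assumption that {AdapterFriendlyName} expands to the applicationKey being looked up are this example's own.

```python
# Added example (not Pega's or CyberArk's code): resolve Credential entries from a
# CredentialManagerConfig-style Provider element into the (safe, folder, objectName)
# identifiers AIM would be asked for, and flag entries missing any required field.
import xml.etree.ElementTree as ET

# Constructed sample config in the same shape as the file quoted in the question.
SAMPLE_CONFIG = """<Provider name="CyberArk" applicationID="PegaRobotics" adminOperator="svc_robot">
  <Credentials>
    <Credential name="RegistrationOperator" safe="RPA-Robots" folder="root" objectName="RegOp-{AdminOperator}" />
    <Credential name="WindowsUser" safe="{RobotName}" folder="root" objectName="WinUser-{RobotName}" />
    <Credential name="WebApp1" safe="{RobotName}" folder="root" objectName="WebApp1-{RobotName}" />
    <Credential name="Default" safe="{RobotName}" folder="root" objectName="{AdapterFriendlyName}-{RobotName}" />
    <Credential name="Broken" safe="" folder="root" objectName="x" />
  </Credentials>
</Provider>"""

REQUIRED = ("safe", "folder", "objectName")

def load_credentials(xml_text):
    """Return (applicationID, adminOperator, {name: {safe, folder, objectName}})."""
    provider = ET.fromstring(xml_text)
    creds = {}
    for c in provider.find("Credentials").findall("Credential"):
        creds[c.get("name")] = {k: c.get(k, "") for k in REQUIRED}
    return provider.get("applicationID", ""), provider.get("adminOperator", ""), creds

def resolve(template, robot_name, admin_operator, adapter_name):
    """Expand the placeholder variables documented in the file's comment block."""
    return (template.replace("{RobotName}", robot_name)
                    .replace("{AdminOperator}", admin_operator)
                    .replace("{AdapterFriendlyName}", adapter_name))

def lookup(xml_text, application_key, robot_name):
    """Pick the Credential named after the applicationKey, falling back to 'Default'.
    Assumption: {AdapterFriendlyName} expands to the applicationKey being looked up."""
    _, admin_op, creds = load_credentials(xml_text)
    entry = creds.get(application_key) or creds.get("Default")
    if entry is None:
        return None
    return {k: resolve(v, robot_name, admin_op, application_key) for k, v in entry.items()}

def incomplete_entries(xml_text):
    """Names of Credential entries missing a safe, folder or objectName."""
    _, _, creds = load_credentials(xml_text)
    return sorted(n for n, e in creds.items() if any(not e[k] for k in REQUIRED))

if __name__ == "__main__":
    print(lookup(SAMPLE_CONFIG, "WebApp1", "ROBOT01"))         # explicit entry
    print(lookup(SAMPLE_CONFIG, "PayrollPortal", "ROBOT01"))   # falls back to Default
    print(incomplete_entries(SAMPLE_CONFIG))                   # ['Broken']
```

Running incomplete_entries against the real file before handing it to the CyberArk team catches entries that were uncommented but never filled in.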
