Set up CyberArk | Itential

Prerequisites

CyberArk CCP infrastructure

You need:

CyberArk CCP installed
Network connectivity between Itential Platform and CyberArk CCP
Firewall rules that allow HTTP API communication

When using CyberArk on Windows Server 2022 or newer, you cannot configure Client Credential Authentication (mutual TLS) and TLS 1.3 simultaneously. This is a known compatibility issue between CyberArk and IIS. See CyberArk Support.

CyberArk CCP configuration

Configure these items in CyberArk CCP:

A Safe containing your secrets
An Application ID (AppID) for Itential Platform authentication
Permissions that allow Itential Platform to retrieve secrets

Itential Platform requirements

You need:

Administrative access to Itential Platform
Write access to the Itential Platform server for configuration

Initial setup

Step 1: Install and verify CyberArk CCP

Install CyberArk CCP

Install CyberArk CCP following the CyberArk CCP installation guide or verify its installation.

Test connectivity

Test connectivity from your Itential Platform server to your CyberArk CCP instance.

Step 2: Configure the Itential Platform connection

Configure Itential Platform to connect to CyberArk CCP using one of three methods: Properties File, Environment Variable, or Server Profile (properties.json).

All three configuration methods are available in Platform 6, but 2023.2 only supports the Server Profile (properties.json) method.

Configuration parameters

Properties File	Environment Variable	Server Profile	Description
`secret_provider_name`	`ITENTIAL_SECRET_PROVIDER_NAME`	`vaultProps.secretProviderName`	The secrets provider type (`"CyberArkCcp"`)
`cyberark_url`	`ITENTIAL_CYBERARK_URL`	`vaultProps.cyberarkUrl`	The URL to CyberArk Central Credential Provider
`cyberark_app_id`	`ITENTIAL_CYBERARK_APP_ID`	`vaultProps.appId`	Unique ID of the application issuing the secret request
`cyberark_connection_timeout`	`ITENTIAL_CYBERARK_CONNECTION_TIMEOUT`	`vaultProps.connectionTimeout`	Seconds CCP will try to retrieve the secret value
`cyberark_reason_text`	`ITENTIAL_CYBERARK_REASON_TEXT`	`vaultProps.reasonText`	Reason for retrieving the secret (appears in audit log)
`cyberark_allow_invalid_certificates`	`ITENTIAL_CYBERARK_ALLOW_INVALID_CERTIFICATES`	`vaultProps.allowInvalidCertificates`	If true, disables TLS certificate validation
`cyberark_ca`	`ITENTIAL_CYBERARK_CA`	`vaultProps.ca`	Absolute path to .pem file containing CA root certificate chain
`cyberark_key`	`ITENTIAL_CYBERARK_KEY`	`vaultProps.key`	Absolute path to certificate key file
`cyberark_certificate`	`ITENTIAL_CYBERARK_CERTIFICATE`	`vaultProps.certificate`	Absolute path to .pem file containing client certificate
`cyberark_ca_contents`	`ITENTIAL_CYBERARK_CA_CONTENTS`	`vaultProps.caContents`	PEM-encoded CA root certificate chain as a string
`cyberark_key_contents`	`ITENTIAL_CYBERARK_KEY_CONTENTS`	`vaultProps.keyContents`	PEM-encoded certificate key as a string
`cyberark_certificate_contents`	`ITENTIAL_CYBERARK_CERTIFICATE_CONTENTS`	`vaultProps.certificateContents`	PEM-encoded client certificate as a string

Configuration examples

1 secret_provider_name=CyberArkCcp
2 cyberark_url=https://cyberark.company.com/AIMWebService
3 cyberark_app_id=Itential-Platform
4 cyberark_connection_timeout=30
5 cyberark_allow_invalid_certificates=true
6 cyberark_ca=/etc/pki/cyberark/ca.pem
7 cyberark_key=/etc/pki/cyberark/key.pem
8 cyberark_certificate=/etc/pki/cyberark/cert.pem
9 cyberark_reason_text=Configuration of Itential Platform

Step 3: Verify the connection

Restart Itential Platform

Restart Itential Platform to apply configuration changes.

View configuration

View the CyberArk CCP configuration in Admin Essentials (read-only):

Platform 6: Navigate to Admin Essentials > Configuration
2023.2: Navigate to Admin Essentials > Profiles

Check health endpoint

Check the Itential Platform health endpoint (GET /health/status) for CyberArk CCP connectivity.

Test secret retrieval

Retrieve a test secret to validate your setup. See Use secrets for details.

Next steps

Use secrets

Reference secrets in configurations

Troubleshoot

Resolve common issues