Prerequisites
Verify these requirements before you configure your Itential Platform to integrate with CyberArk CCP.
CyberArk CCP infrastructure
You need:
- CyberArk CCP installed
- Network connectivity between your Itential Platform and CyberArk CCP
- Firewall rules that allow HTTP API communication between Itential Platform and CyberArk CCP
CyberArk CCP configuration
Configure these items in CyberArk CCP:
- A Safe containing your secrets
- An Application ID (AppID) for Itential Platform authentication
- Permissions that allow Itential Platform to retrieve secrets
Itential Platform requirements
You need:
- Administrative access to Itential Platform
- Write access on the Itential Platform server to the configuration options listed under Step 2 of Initial setup below
Initial setup
Follow these steps to set up CyberArk integration.
Step 1: Install and verify CyberArk CCP
- Install CyberArk CCP following the CyberArk CCP installation guide or verify its installation.
- Test connectivity from your Itential Platform server to your CyberArk CCP instance.
Step 2: Configure the Itential Platform connection
Configure the Itential Platform to connect to CyberArk CCP using one of three methods: Properties File, Environment Variable, or Server Profile (properties.json). The possible values for each method are listed below.
All three configuration methods are available in Platform 6, but 2023.2 only supports the Server Profile (properties.json) method.
Configuration options
Properties File | Environment Variable | Server Profile (properties.json) | Description |
---|---|---|---|
secret_provider_name | ITENTIAL_SECRET_PROVIDER_NAME | vaultProps.secretProviderName | The secrets provider type to use ("CyberArkCcp") |
cyberark_url | ITENTIAL_CYBERARK_URL | vaultProps.cyberarkUrl | The URL to the CyberArk Central Credential Provider. |
cyberark_app_id | ITENTIAL_CYBERARK_APP_ID | vaultProps.appId | Specifies the unique ID of the application issuing the secret request to CyberArk CCP. |
cyberark_connection_timeout | ITENTIAL_CYBERARK_CONNECTION_TIMEOUT | vaultProps.connectionTimeout | The number of seconds that the Central Credential Provider will try to retrieve the secret value. |
cyberark_reason_text | ITENTIAL_CYBERARK_REASON_TEXT | vaultProps.reasonText | The reason for retrieving the secret. The reason text will appear in CyberArk Credential Provider's audit log. |
cyberark_allow_invalid_certificates | ITENTIAL_CYBERARK_ALLOW_INVALID_CERTIFICATES | vaultProps.allowInvalidCertificates | If true, disables the validation checks for TLS certificates and allows the use of invalid or self-signed certificates to connect. |
cyberark_ca | ITENTIAL_CYBERARK_CA | vaultProps.ca | The .pem file that contains the Certificate Authority root certificate chain. Specify the file location using absolute paths. |
cyberark_key | ITENTIAL_CYBERARK_KEY | vaultProps.key | The certificate key file location. Specify the location of the key file using absolute paths. |
cyberark_certificate | ITENTIAL_CYBERARK_CERTIFICATE | vaultProps.certificate | The .pem file that contains the client certificate. Specify the file name of the .pem file using absolute paths. |
cyberark_ca_contents | ITENTIAL_CYBERARK_CA_CONTENTS | vaultProps.caContents | String representation of the PEM-encoded Certificate Authority root certificate chain. |
cyberark_key_contents | ITENTIAL_CYBERARK_KEY_CONTENTS | vaultProps.keyContents | String representation of the PEM-encoded certificate key. |
cyberark_certificate_contents | ITENTIAL_CYBERARK_CERTIFICATE_CONTENTS | vaultProps.certificateContents | String representation of the PEM-encoded client certificate. |
Step 3: Verify the connection
To verify your Itential Platform configuration and connectivity to CyberArk CCP:
- Restart the Itential Platform to apply configuration changes.
- View the CyberArk CCP configuration in Admin Essentials (read-only).
  - Platform 6 - Navigate to Admin Essentials > Configuration
  - 2023.2 - Navigate to Admin Essentials > Profiles
- Check the Itential Platform health endpoint (GET /health/status) for CyberArk CCP connectivity.
- Retrieve a test secret to validate your setup.
For more information on retrieving and using secrets, see Using CyberArk secrets.
Configuration examples
Local properties file (Platform 6 ONLY)
secret_provider_name=CyberArkCcp
cyberark_url=https://cyberark.company.com/AIMWebService
cyberark_app_id=Itential-Platform
cyberark_connection_timeout=30
cyberark_allow_invalid_certificates=true
cyberark_ca=/etc/pki/cyberark/ca.pem
cyberark_key=/etc/pki/cyberark/key.pem
cyberark_certificate=/etc/pki/cyberark/cert.pem
cyberark_reason_text=Configuration of Itential Platform
Environment variables (Platform 6 ONLY)
export ITENTIAL_SECRET_PROVIDER_NAME="CyberArkCcp"
export ITENTIAL_CYBERARK_URL="https://cyberark.company.com/AIMWebService"
export ITENTIAL_CYBERARK_APP_ID="Itential-Platform"
export ITENTIAL_CYBERARK_CONNECTION_TIMEOUT="30"
export ITENTIAL_CYBERARK_ALLOW_INVALID_CERTIFICATES="true"
export ITENTIAL_CYBERARK_CA_CONTENTS="-----BEGIN CERTIFICATE-----\n<PEM-encoded CA certificate chain>\n-----END CERTIFICATE-----"
export ITENTIAL_CYBERARK_KEY_CONTENTS="-----BEGIN PRIVATE KEY-----\n<PEM-encoded private key>\n-----END PRIVATE KEY-----"
export ITENTIAL_CYBERARK_CERTIFICATE_CONTENTS="-----BEGIN CERTIFICATE-----\n<PEM-encoded client certificate>\n-----END CERTIFICATE-----"
export ITENTIAL_CYBERARK_REASON_TEXT="Configuration of Itential Platform"
Server profile (properties.json)
{
  ...
  "vaultProps": {
    "secretProviderName": "CyberArkCcp",
    "cyberarkUrl": "http://localhost:18923/AIMWebService",
    "appId": "Itential-Platform",
    "timeout": 30
  }
}
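A pre-deployment check over the properties-file keys from the configuration table, as an added example that is not Itential's or CyberArk's code. It flags a cyberark_url that is not HTTPS, cyberark_allow_invalid_certificates=true (plus a CA that is then not enforced), and a client certificate configured without its key or the reverse. The rule names, the sample inputs and the case-insensitive reading of "true" are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample: the page's properties-file keys with deliberately weak values.
WEAK = """\
secret_provider_name=CyberArkCcp
cyberark_url=http://cyberark.company.com/AIMWebService
cyberark_app_id=Itential-Platform
cyberark_allow_invalid_certificates=true
cyberark_ca=/etc/pki/cyberark/ca.pem
cyberark_certificate=/etc/pki/cyberark/cert.pem
"""

# Constructed sample: validation left on and a complete client certificate/key pair.
HARDENED = """\
cyberark_url=https://cyberark.company.com/AIMWebService
cyberark_allow_invalid_certificates=false
cyberark_ca=/etc/pki/cyberark/ca.pem
cyberark_key=/etc/pki/cyberark/key.pem
cyberark_certificate=/etc/pki/cyberark/cert.pem
"""

def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return rule IDs for weak transport settings (rule names are hypothetical)."""
    p = parse_properties(text)
    has = lambda *keys: any(p.get(k) for k in keys)
    findings = []
    if urlparse(p.get("cyberark_url", "")).scheme != "https":
        findings.append("URL_NOT_HTTPS")
    # Assumption: the flag is read as a case-insensitive "true".
    if p.get("cyberark_allow_invalid_certificates", "").lower() == "true":
        findings.append("TLS_VALIDATION_DISABLED")
        if has("cyberark_ca", "cyberark_ca_contents"):
            findings.append("CA_SET_BUT_NOT_ENFORCED")
    has_cert = has("cyberark_certificate", "cyberark_certificate_contents")
    has_key = has("cyberark_key", "cyberark_key_contents")
    if has_cert != has_key:
        findings.append("CLIENT_CERT_KEY_MISMATCH")
    return findings
```

Run against the local properties file example from this page, `audit` reports the disabled validation and the unenforced CA; an empty list means none of these four conditions is present.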