Using CyberArk secrets


This section explains how to reference and use secrets from CyberArk CCP in Itential Platform. Secret references can be used for Itential Platform configuration values as well as in Application, Adapter, and Integration properties.

Note

Itential Platform maintains read-only access to CyberArk CCP. You cannot write secrets to CyberArk Digital Vault through CyberArk Central Credential Provider from Itential Platform.

Secret reference format

Use this format when you reference CyberArk secrets:

$SAFE_<SafeName> $NAME_<SecretName>

The format includes:

  • $SAFE_ followed by the CyberArk Safe name
  • A space character
  • $NAME_ followed by the secret name

Example: $SAFE_My-Safe $NAME_mongodb retrieves the "mongodb" secret from the "My-Safe" safe.

Usage examples

Itential Platform configuration

Important

You cannot use CyberArk secret references to configure the Itential Platform connection to CyberArk CCP.

Configure properties files
Add CyberArk references to system properties. You can configure these through property files or environment variables; see Platform Properties and Environment Variables.

Platform 6 (platform.properties)

mongo_auth_enabled=true
mongo_user=$SAFE_DavyJonesLocker $NAME_mongodb-user
mongo_password=$SAFE_DavyJonesLocker $NAME_mongodb-password
mongo_db_name=itential-platform-6
mongo_url=$SAFE_DavyJonesLocker $NAME_mongouri

IAP 2023.2 (properties.json)

{
  "mongoProps": {
    "credentials": {
      "dbAuth": true,
      "user": "$SAFE_DavyJonesLocker $NAME_mongodb-user",
      "passwd": "$SAFE_DavyJonesLocker $NAME_mongodb-password"
    },
    "db": "itential-platform-23-2",
    "url": "$SAFE_DavyJonesLocker $NAME_mongouri"
  }
}

Configure environment variables (Platform 6 ONLY)
Set environment-specific secrets using CyberArk references:

# Single quotes stop the shell from expanding $SAFE_... and $NAME_... as variables.
export ITENTIAL_MONGO_AUTH_ENABLED="true"
export ITENTIAL_MONGO_USER='$SAFE_DavyJonesLocker $NAME_mongodb-user'
export ITENTIAL_MONGO_PASSWORD='$SAFE_DavyJonesLocker $NAME_mongodb-password'
export ITENTIAL_MONGO_DB_NAME="itential-platform"
export ITENTIAL_MONGO_URL='$SAFE_DavyJonesLocker $NAME_mongouri'
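
As an added example (not Itential code), the following Node.js script parses the reference format described above and audits a properties.json-style object for sensitive keys that hold a literal or malformed value instead of a CyberArk reference. The list of sensitive keys, the parsing rule (the Safe name ends at the first " $NAME_" separator), and the sample values are assumptions made for illustration.

```javascript
// Added example, not Itential code: flag sensitive keys without a valid reference.
// Assumption: the Safe name ends at the first " $NAME_" separator.
const SAFE = '$SAFE_';
const SEP = ' $NAME_';

// Returns { safe, name } for a well-formed reference, otherwise null.
function parseRef(value) {
  if (typeof value !== 'string' || !value.startsWith(SAFE)) return null;
  const i = value.indexOf(SEP, SAFE.length);
  if (i === -1) return null;
  const safe = value.slice(SAFE.length, i);
  const name = value.slice(i + SEP.length);
  // Reject empty parts and stray leading/trailing whitespace.
  if (!safe || !name || safe !== safe.trim() || name !== name.trim()) return null;
  return { safe, name };
}

// Hypothetical list of keys that should never hold a literal value.
const SENSITIVE = /^(user|passwd|password|url)$/i;

// Walks nested objects; returns { path, reason } findings without echoing values.
function audit(obj, prefix = '') {
  const findings = [];
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value && typeof value === 'object') {
      findings.push(...audit(value, path));
    } else if (SENSITIVE.test(key) && !parseRef(value)) {
      const reason = typeof value === 'string' && value.includes(SAFE)
        ? 'malformed reference' : 'literal value';
      findings.push({ path, reason });
    }
  }
  return findings;
}

// Constructed sample: one good reference, one literal, one malformed (two spaces).
const sample = {
  mongoProps: {
    credentials: {
      dbAuth: true,
      user: '$SAFE_DavyJonesLocker $NAME_mongodb-user',
      passwd: 'plaintext-example',
    },
    db: 'itential-platform-23-2',
    url: '$SAFE_DavyJonesLocker  $NAME_mongouri',
  },
};
console.log(audit(sample));
```

A value mangled by shell expansion, such as " -user", is reported as a literal value because it no longer starts with $SAFE_.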

Configure system profiles

  1. Navigate to Admin Essentials and select Profiles from the left-side navigation menu.
  2. Select the active profile.
  3. Click the Configure tab.
  4. Select a profile property to encrypt.

Figure 1: Edit Profile properties

  5. Replace the value with a CyberArk reference.
  6. Save and restart the Itential Platform.

Configure Applications, Adapters, and Integrations
The following example applies to Applications, Adapters, and Integrations. This example uses an Adapter instance.

  1. Navigate to Admin Essentials and select Adapters from the left-side navigation menu.

  2. Select your adapter.

  3. Replace sensitive values in the property configuration form.
    Figure 2: Example username and password configuration using a CyberArk Secret Reference

  4. Alternatively, click the Advanced View toggle in the upper-right to access the JSON configuration.

  5. Replace sensitive values with CyberArk references:
    Figure 3: Example configuration via Advanced View

  6. Click Save. The adapter (or application) restarts automatically and retrieves the secret.
    Figure 4: Adapter connection status