UC_VAULT_CYBERARK - Password Vault Configuration
This static Variable (VARA) object allows you to configure your password vault.
UC_VAULT_CYBERARK is not supplied with the system and needs to be created and defined for all clients using a password vault. You can create it in Client 0 or in any of your other Clients. If the variable is defined in Client 0, all your Clients use the same configuration. However, you can override the definition in Client 0 by creating the variable in the relevant Client and modifying the configuration.
This variable includes the following keys:
- PORT
  Default port: 18923
- TIMEOUT
  Default value: 30 seconds
- APPID
  (Mandatory) This parameter is necessary to register the application in the vault.
- REST
  URL of the REST endpoint used to retrieve the passwords when using TLS/SSL for the communication between CyberArk and the Automic Automation system. See Password Vaults.
  Important! The host defined in this parameter must match the Common Name (CN) defined in the certificate used to authenticate the REST endpoint.
- REASON
  (Optional) Specify why the passwords were accessed in the vault.
- VLT_SAFE<nr>
  Specify the safe from which the Login object needs to retrieve the credentials.
  Important! This parameter is optional if the user name is unique in the vault. If the user is not unique in the vault, you need to assign the safe to the account and configure it accordingly.
- USEOBJECT
  (Optional) If this parameter is set to Y and the agent name is set in the Login object (* is not a valid value), you can use this value to match the object name in the vault. This applies only if the object name in the vault was configured to use the agent name.
  Allowed values: Y and N (default).
Note: You must re-open the Login object after setting the values of the UC_VAULT_CYBERARK variable to be able to select your configured safes. For further details, see Login (LOGIN).
Configuration Options
You can select from three options to configure the vault depending on whether your user name is unique or not in each safe.
Option 1: Vault Configuration with Safe
This option requires that the user name is unique in each safe. The UC_VAULT_CYBERARK variable must include the VLT_SAFE<nr> key for each safe that should be configurable in the Login object. Once set up, the Login object allows selecting the correct safe with the pattern <safe>@CYBERARK.
Option 2: Vault Configuration with Object Name (and Safe)
If the user name is not unique within a safe, you can use the object name (account name) as an identifier. CyberArk requires this object name to be unique within a safe. Upon creation of a new account, this name is automatically created, but you can also change it manually.
In the UC_VAULT_CYBERARK variable, the Value 2 column is used to specify the object name. Value 1 is used for the safe name. Once set up, the Login object allows you to select the correct safe with the pattern <safe>*<objectname>@CYBERARK.
Note: If the object name is unique across the vault, you can leave the Value 1 column empty.
Option 3: Vault Configuration with Address and Safe
You can use the address as part of the CyberArk query. We recommend that you use the address combined with the safe name. The user name is always part of the query. In the UC_VAULT_CYBERARK variable, the Value 3 column is used to specify the address. In the Login object, you can select the correct safe with the pattern <safe>*<objectname>*<address>@CYBERARK.
Note: An empty string is inserted if one or both values are not set. Example if the object name is empty: Safe**myhost.com@CYBERARK
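The following pre-deployment check is an added example, not part of the product or its documentation. It lints a UC_VAULT_CYBERARK definition against the keys described above and derives the Login selectors for the three options. Assumptions: the VARA is represented as a dict of key to (Value 1, Value 2, Value 3), <nr> is a decimal number, REST must be an https:// URL because it is used with TLS/SSL, and the empty-string rule of Option 3 is applied to an empty safe in Option 2 as well. All sample values are constructed.

```python
import re
from urllib.parse import urlsplit

DEFAULTS = {"PORT": "18923", "TIMEOUT": "30", "USEOBJECT": "N"}  # defaults listed on this page

def login_selector(safe="", objectname="", address=""):
    """Build the Login object selector for configuration options 1 to 3."""
    if address:        # option 3: unset values are inserted as empty strings
        return f"{safe}*{objectname}*{address}@CYBERARK"
    if objectname:     # option 2: safe may stay empty if the object name is vault-unique
        return f"{safe}*{objectname}@CYBERARK"
    if not safe:
        raise ValueError("VLT_SAFE row has no safe, object name or address")
    return f"{safe}@CYBERARK"  # option 1

def lint_vault_vara(rows):
    """rows: {key: (value1, value2, value3)} (hypothetical layout). Returns (effective, selectors, findings)."""
    eff, selectors, findings = dict(DEFAULTS), [], []
    for key, vals in rows.items():
        v1, v2, v3 = (s.strip() for s in (list(vals) + ["", "", ""])[:3])
        if re.fullmatch(r"VLT_SAFE\d+", key):
            try:
                selectors.append(login_selector(v1, v2, v3))
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
        else:
            eff[key] = v1
    if not eff.get("APPID"):
        findings.append("APPID is mandatory")
    if eff["USEOBJECT"] not in ("Y", "N"):
        findings.append("USEOBJECT must be Y or N")
    for key in ("PORT", "TIMEOUT"):
        if not eff[key].isdigit():
            findings.append(f"{key} must be a number")
    if eff.get("REST"):
        url = urlsplit(eff["REST"])
        if url.scheme != "https" or not url.hostname:
            findings.append("REST must be an https:// URL with a host")
        else:
            eff["REST_HOST"] = url.hostname  # this host must equal the certificate CN
    return eff, selectors, findings

SAMPLE = {  # constructed values, not taken from a real system
    "APPID": ("AutomicApp",),
    "REST": ("https://vault.example.com/rest-endpoint",),
    "VLT_SAFE1": ("Prod",),
    "VLT_SAFE2": ("Prod", "db_admin"),
    "VLT_SAFE3": ("Safe", "", "myhost.com"),
}
print(lint_vault_vara(SAMPLE))
```

Compare the reported REST_HOST with the CN of the certificate presented by the REST endpoint before rolling the variable out to Client 0, since every Client inherits that definition.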