UC_VAULT_CYBERARK - Password Vault Configuration

This static Variable (VARA) object allows you to configure your password vault. For more information, see Password Vaults.

UC_VAULT_CYBERARK is not supplied with the system and needs to be created and defined for all clients using a password vault. You can create it in Client 0 or in any of your other Clients. If the variable is defined in Client 0, all your Clients use the same configuration. However, you can override the definition in Client 0 by creating the variable in the relevant Client and modifying the configuration.

This variable includes the following keys:

  • PORT

    Default port: 18923

  • TIMEOUT

    Default value: 30 seconds

  • APPID

    (Mandatory) This parameter is necessary to register the application in the vault.

  • REST

    URL of the REST endpoint used to retrieve the passwords when using TLS/SSL for the communication between CyberArk and the Automic Automation system, see Using a REST Endpoint.

    Important! The host defined in this parameter must match the Common Name (CN) defined in the certificate used to authenticate the REST endpoint.

  • REASON

    (Optional) Specify why the passwords were accessed in the vault.

  • VLT_SAFE<nr>

    Specify the safe from which the Login object needs to retrieve the credentials.

  • USEOBJECT

    (Optional) If this parameter is set to Y and the agent name is set in the Login object (* is not a valid value), you can use this value to match the object name in the vault. This applies only if the object name in the vault was to configured to use the agent name.

    Allowed values: Y and N (default).

Note: You must re-open the Login object after setting the values of the UC_VAULT_CYBERARK variable to be able to select your configured safes, for further details see Login (LOGIN).

Configuration Options

You can select from different options such as defining only the safe name, a combination of safe and object name or safe name and address, or all three - safe name, object name and address. This also depends on whether your user name is unique in each safe or not.

Key definition Value 1 Value 2 Value 3
VLT_SAFE<nr> Safe name Object name Address

Once set up, the vault is listed in the Login object, where you can select it as needed.

Option 1: Vault Configuration with Safe

This option requires a unique user name in each safe. You have to define the VLT_SAFE<nr> key of the UC_VAULT_CYBERARK variable for each safe.

To do so, define the safe value in the Value 1 column of the variable definition page using the following format: <safe>.

Example

Key definition Value 1 Value 2 Value 3
VLT_SAFE<nr> AECredentials empty empty

 

The vault is listed in the Login object as follows:

AECredentials@CYBERARK

Option 2: Vault Configuration with Safe and Object Name

If the user name is not unique within a safe, you can use the object name (account name) as an additional identifier. In this case, make sure that the object name is unique within the safe. The name is created automatically when creating a new account, but you can also change it manually.

In this case, you define the safe value in the Value 1 column and the object name on the Value 2 column of the variable definition page using the following format: <safe>*<objectname>.

Example

Key definition Value 1 Value 2 Value 3
VLT_SAFE<nr> AECredentials Operating System-WinDomain-hostname.domain-aeuser empty

 

The vault is listed in the Login object as follows:

AECredentials*Operating System-WinDomain-hostname.domain-aeuser@CYBERARK

Option 3: Vault Configuration with Safe and Address

You can also use the address as part of the Cyberark query in combination with the safe name. The user name is always part of the query.

In this case, you define the safe value in the Value 1 column and the address on the Value 3 column of the variable definition page using the following format: <safe>*<address>. The Value 2 column remains empty.

Example

Key definition Value 1 Value 2 Value 3
VLT_SAFE<nr> AECredentials empty myhost.com

Note: An empty string is inserted representing the empty Value 2 column.

The vault is listed in the Login object as follows:

AECredentials**myhost.com@CYBERARK

Option 4: Vault Configuration with Safe, Object Name and Address

You can also decide to use all three values: safe name, object name, and address.

In this case, you define the safe value in the Value 1 column, the object name on the Value 2 column, and the address on the Value 3 column of the variable definition page using the following format: <safe>*<objectname>*<address>.

Key definition Value 1 Value 2 Value 3
VLT_SAFE<nr> AECredentials Operating System-WinDomain-hostname.domain-aeuser myhost.com

 

The vault is listed in the Login object as follows:

AECredentials*Operating System-WinDomain-hostname.domain-aeuser*myhost.com@CYBERARK

See also: