Integrating with CyberArk Vault for Dual Account
Last updated on 06 September, 2024You can integrate LogicMonitor Collector with CyberArk Vault to store sensitive information such as login credentials, keys, and other sensitive data for hosts, devices, services, and more. In addition to a single account, CyberArk Vault also supports Dual Account to eliminate any edge case delays that may occur using a single account such as data collection loss and locking of accounts that could occur during the password rotation process.
Requirements
To integrate LogicMonitor Collector with CyberArk for Dual Account, you must fulfil the following requirements:
- EA Collector version 32.200 or later.
- Two CyberArk accounts with similar privileges. The VirtualUsername for both the accounts must be the same.
- One of the two CyberArk accounts must be marked as active in the CyberArk portal. CyberArk should handle this automatically during the password rotation.
CyberArk Application Authentication Methods
LogicMonitor Collector and CyberArk integration support the following methods for the application authentication:
- Allowed machines
- Path
- Hash
- Client certificates
Out of these four methods, we have explained the Client certificate method in the Configuring CyberArk Certificates section.
Authentication to Privileged Access Security (PAS) Solution
The CyberArk AIMWebService application is deployed on the IIS Server. LogicMonitor Collector and CyberArk integration uses Basic authentication to the IIS Server.
You should use the password provided to you to log in to the Vault. After logging in, we recommend that you change your password.
Collector Agent Configuration Settings for CyberArk Integration
The following table contains Collector agent configurations for the Dual Accounts:
Agent Configuration | Type | Default | Description |
vault.bypass | Boolean | TRUE | If the value is set as true, the Vault API is not called. If the value is set as false, the Vault API is called. |
vault.credentials.cache.expirationtime | Integer | 60 minutes | Expiration timeout (in minutes) for credentials in Vault cache. After this time, the credentials in the Vault cache expire and you have to re-fetch them from the Vault. |
vault.credentials.refresh.delay | Integer | 15 seconds | The amount of time delay (in seconds) after credentials cache expiration time. Refresh the task after the cache expiration time. Note: You may customise the amount of time delay while installing the Collector. |
vault.credentials.pair.enable | Boolean | FALSE | This property enables CyberArk Dual Account configuration on Collector. To enable it, set the value as ‘true’. |
Configuring Vault Properties
You must configure Vault properties that include Vault metadata and Vault keys for the Collector at the device or device group level.
Note: CyberArk does not allow use of special characters such as \ / : * ? ” < > in safe names and object names.
Configuring Metadata Properties
You must configure the following Vault metadata properties.
Vault Metadata | Description |
vault.meta.url | URL of the Vault. This URL must contain the folder and application ID only. |
vault.meta.safe | Safe (Applicable only in case of CyberArk). A device can have only a single Safe. |
vault.meta.type | The type of the Vault. Currently, the “CyberArk” Vault integration is supported in the Collector. |
vault.meta.header | The headers required for HTTP Get Request. The value for this custom property would be the header separated with “&“ the header key value would be separated with “=” as shown in the below example: vault.meta.header – Content-Type=application/json&Accept-Encoding=gzip, deflate, br |
vault.meta.keystore.type | Type of the key store. If the key store type is not specified, the default type for the key store is JKS. |
vault.meta.keystore.path | Path of the Keystore file. |
vault.meta.keystore.pass | Password for the Keystore. |
Configuring Vault Keys
Vault keys need to be specified at the device level with the suffix .lmvault. For example, ssh.user information should have the key specified as ssh.user.lmvault. You must configure the following Vault keys.
Vault Key | Description |
Property suffixed with .lmvault (for a single account) | The custom property for which value must be retrieved from the Vault and must be specified at the device level by adding suffix .lmvault. The value of such property would be the path of the key in the Vault. For example: ssh.user.lmvault = ssh\ssh.user For ssh.user.lmvault, the property should be retrieved from the Vault. The value of this property “ssh\ssh.user” represents the path in the Vault where the credential is stored. |
Property suffixed with .lmvault : Multi-Safe | The multi-Safe approach allows fetching the values for lmvault properties from different safes within the Vault. The LM Vault property value should be specified in the format safe:path. For example, the property referring to the safe sshcreds and object path as ssh\ssh.user can be specified as: ssh.user.lmvault = sshcreds:ssh\ssh.user The Safe specified at the property level would override the value specified at the device level through the “vault.meta.safe” property. |
Property suffixed with .lmvault (for dual accounts) | The parameters such as safe, appid, and folder are used from the existing Vault metadata. The query is made against the VirtualUsername where the DualAccountStatus is active. An attribute name specified within <> is then parsed from the Vault API JSON response. The Dual Account API has the username and password within the same response, hence such a credential chain is formed at the Collector during the Collector startup. Note: The LM Vault property value must consist of the field/attribute along with the VirtualUsername. The field or attribute can be passed within <>. You can use a Dual Account with any property present in the respective template. The field/attribute will be parsed from the API response received from CyberArk. For example: jdbc.mysql.user.lmvault = VirtualUsername=Test<Username> jdbc.mysql.pass.lmvault = VirtualUsername=Test<Content> jdbc.mysql.port.lmvault = VirtualUsername=Test<Port> |
Collector and CyberArk Vault Integration
- Multi-Safe support: Specify multiple Safes under a device to retrieve credentials from Multiple Safes.
- Multi-Vault support: You can use multiple Vaults for the devices under a Collector. Each of the devices can point to a single Vault.
- You can call Vault API over HTTP or HTTPS. However, if you call the Vault APIs over HTTPS, you must configure the RootCA cert. For more information, see RootCA cert.
- You must complete CyberArk authentication. For more information, see CyberArk Application Authentication Methods section.
Note: Device-specific cache is implemented at the collector to avoid frequent requests to the Vault API.
- For CyberArk Dual Accounts, along with the existing parameters, the CyberArk API call requires two additional parameters: ‘DualAccountStatus’ and ‘VirtualUsername’. See the Dual Account Properties section on the CyberArk Dual Account page.
- For CyberArk Dual Accounts, the property can be specified at the device or device group level.
- You must set the Dual Account properties such as VirtualUsername at each property level on the device.
- When a Dual Account is enabled for CyberArk Vault, then based on the template of the account the response parsing can be done for various fields in the response.