Changing external key vault to another

If you did not integrate the external key vault during the initial installation and you want to configure it without re-installing, you must use the key vault utility. Also, to change the external key vault connection details or to change the bootstrap credentials, you must use the key vault utility.

You use the key vault utility for each of these scenarios:

To initially configure the external key vault connection if it was not configured during initial installation and you do not want to re-install the external key vault.
To change external key vault connection details:
- Example 1: CyberArk Password Vault is migrating to a server with a different name
- Example 2: CyberArk Password Vault authentication certificate is changing
- Example 3: You want to change from one AWS Secrets Manager instance to another
- Example 4: You want to change from one Azure Key Vault instance to another
- Example 5: HashiCorp Vault authentication certificate is changing
The Automation 360 Control Room is malfunctioning because the external key vault connection has changed, and the Control Room is no longer able to retrieve credentials from the external key vault.
The Control Room is malfunctioning because the credentials defined for bootstrap or Active Directory integration have changed names.

To change the KEY_VAULT from one external key vault to another, or to NONE, you must first manually set the database and service account credentials that are currently being retrieved from the external key vault.

For example, to change from an AWS Secrets Manager key vault to a CyberArk Password Vault, you must perform these actions:

Set the external KEY_VAULT attribute to NONE.
Set the external key vault to the new key vault type.

This following table provides guidelines on acceptable state changes for the KEY_VAULT attribute:


New key vault	Original key vault
New key vault	AWS	CyberArk	Azure	HashiCorp	None
AWS	Yes	No	No	No	Yes
CyberArk	No	Yes	No	No	Yes
Azure	No	No	No	No	Yes
HashiCorp	No	No	No	Yes	Yes
None	Yes	Yes	Yes	Yes	Yes

To change from an AWS Secrets Manager key vault to a CyberArk Password Vault (or vice-versa), you must first change the KEY_VAULT attribute to NONE.
To change an AWS Secrets Manager key vault or a CyberArk Password Vault to NONE, ensure that the database is not connected with the KEY_VAULT attribute.

Automation 360

Changing external key vault to another