Changing from one external key vault to another

If you did not integrate the external key vault during the initial installation and you want to configure it without re-installing the Control Room, you must use the key vault utility. You must also use the key vault utility to change the external key vault connection details or to change the bootstrap credentials.

You use the key vault utility for each of these scenarios:

  • To initially configure the external key vault connection if it was not configured during the initial installation and you do not want to re-install the Control Room.
  • To change external key vault connection details:
    • Example 1: CyberArk Password Vault is migrating to a server with a different name
    • Example 2: CyberArk Password Vault authentication certificate is changing
    • Example 3: You want to change from one AWS Secrets Manager instance to another
    • Example 4: You want to change from one Azure Key Vault instance to another
    • Example 5: HashiCorp Vault authentication certificate is changing
  • To repair an Automation 360 Control Room that is malfunctioning because the external key vault connection has changed and the Control Room can no longer retrieve credentials from the external key vault.
  • To repair a Control Room that is malfunctioning because the credentials defined for bootstrap or Active Directory integration have been renamed in the external key vault.
  • To change the KEY_VAULT from one external key vault to another, or to NONE, you must first manually set the database and service account credentials that are currently being retrieved from the external key vault.

    For example, to change from an AWS Secrets Manager key vault to a CyberArk Password Vault, you must perform these actions:

    1. Set the external KEY_VAULT attribute to NONE.
    2. Set the external key vault to the new key vault type.

    The following table lists the acceptable state changes for the KEY_VAULT attribute. Yes means the change can be made directly; No means you must first set KEY_VAULT to NONE and then set it to the new key vault type.

    New key vault    Original key vault
                     AWS    CyberArk    Azure    HashiCorp    None
    AWS              Yes    No          No       No           Yes
    CyberArk         No     Yes         No       No           Yes
    Azure            No     No          No       No           Yes
    HashiCorp        No     No          No       Yes          Yes
    None             Yes    Yes         Yes      Yes          Yes
  • To change from an AWS Secrets Manager key vault to a CyberArk Password Vault (or vice versa), you must first change the KEY_VAULT attribute to NONE and then set it to the new key vault type.
  • Before you change an AWS Secrets Manager key vault or a CyberArk Password Vault to NONE, make sure the database connection no longer depends on credentials retrieved through the KEY_VAULT attribute: set the database credentials manually first, because once KEY_VAULT is NONE the Control Room can no longer retrieve them from the external key vault.
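The KEY_VAULT change rules above, as an added example that is not part of Automation 360 or its key vault utility: a small Python preflight planner that encodes the acceptable-state-change table and the requirement to set vault-backed database and service account credentials manually before KEY_VAULT passes through NONE. Every name in it (KeyVault, ControlRoomState, Step, plan_key_vault_change) and the sample credential names are assumptions for the example; it only computes the ordered list of changes to make with the utility and does not run the utility or touch a Control Room.

```python
"""Preflight planner for changing the Control Room KEY_VAULT attribute.

Added example, not part of Automation 360 or the key vault utility. It encodes
the acceptable-state-change table from this page and the rule that database
and service account credentials currently retrieved from the external key
vault must be set manually before KEY_VAULT is changed to NONE. All names
below are assumed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class KeyVault(str, Enum):
    AWS = "AWS"
    CYBERARK = "CYBERARK"
    AZURE = "AZURE"
    HASHICORP = "HASHICORP"
    NONE = "NONE"


# Acceptable state changes copied from the table on this page.
# Key: new key vault (table row). Value: original key vaults (table columns)
# marked "Yes" for that row.
_ALLOWED_FROM = {
    KeyVault.AWS:       {KeyVault.AWS, KeyVault.NONE},
    KeyVault.CYBERARK:  {KeyVault.CYBERARK, KeyVault.NONE},
    KeyVault.AZURE:     {KeyVault.NONE},
    KeyVault.HASHICORP: {KeyVault.HASHICORP, KeyVault.NONE},
    KeyVault.NONE:      set(KeyVault),
}


def direct_change_allowed(original: KeyVault, new: KeyVault) -> bool:
    """True if the table marks original -> new as a single acceptable change."""
    return original in _ALLOWED_FROM[new]


@dataclass(frozen=True)
class ControlRoomState:
    key_vault: KeyVault
    # Names of credentials the Control Room still retrieves from the external
    # key vault (database, service account). Constructed input for the example;
    # in practice this comes from your own record of what was mapped at install.
    vault_backed_credentials: frozenset = frozenset()


@dataclass(frozen=True)
class Step:
    action: str   # "set_credential_manually" or "set_key_vault"
    target: str   # credential name, or the new KEY_VAULT value


def plan_key_vault_change(state: ControlRoomState, new: KeyVault) -> list:
    """Return the ordered steps to move KEY_VAULT from state.key_vault to new.

    A same-type change (for example, a new AWS Secrets Manager instance or a
    renamed CyberArk server) is a direct change. A change between vault types
    is routed through NONE. Raises ValueError if the table allows neither.
    """
    original = state.key_vault
    if direct_change_allowed(original, new):
        vault_values = [new]
    elif (direct_change_allowed(original, KeyVault.NONE)
          and direct_change_allowed(KeyVault.NONE, new)):
        vault_values = [KeyVault.NONE, new]
    else:
        raise ValueError(f"no acceptable path from {original.value} to {new.value}")

    steps = []
    # Once KEY_VAULT is NONE the Control Room cannot fetch credentials from the
    # old vault, so anything still vault-backed must be set manually first.
    if KeyVault.NONE in vault_values and original is not KeyVault.NONE:
        for name in sorted(state.vault_backed_credentials):
            steps.append(Step("set_credential_manually", name))
    for value in vault_values:
        steps.append(Step("set_key_vault", value.value))
    return steps


if __name__ == "__main__":
    # Constructed scenario: AWS -> CyberArk with two vault-backed credentials.
    state = ControlRoomState(KeyVault.AWS, frozenset({"db-password", "service-account"}))
    for step in plan_key_vault_change(state, KeyVault.CYBERARK):
        print(step.action, step.target)
```

Run it before touching the utility: the printed steps are the order in which to set credentials manually and then change KEY_VAULT. Note that, as the table states, an Azure-to-Azure change is not direct and is planned through NONE, whereas AWS-to-AWS, CyberArk-to-CyberArk and HashiCorp-to-HashiCorp are.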