Cloud integration using CyberArk Password Vault
- Updated: 2023/11/20
You can connect and integrate an external CyberArk Password Vault with the Automation 360 Control Room.
The following image shows CyberArk Cloud integration with the Control Room:
You must configure the customer network perimeter firewall to allow access to the CyberArk_CCP_hostname:port from the Automation 360 Cloud AWS NAT Gateway IP addresses.
The following table provides an example of how to configure the customer perimeter firewall:
From | To | Protocol used |
---|---|---|
Control Room in Automation 360 Cloud: Three AWS NAT Gateway IP addresses | CyberArk_CCP API_hostname:port (for example: cyberarkpwv.dev.abcd.com:4043) | TLS Encrypted CCP API (TLS mutually authenticated) |
For more details, see Control Room IP addresses for external integrations.
For Cloud integrations, you can configure the Control Room and external key vault integration using the Automation 360 Control Room user interface.
The Agent auto-login and Agent automation use cases are only supported on Automation 360 Cloud Control Room instances. Neither of these use cases affects the Control Room boot sequence or Control Room functionality.
- Bootstrap and service account credential retrieval use cases are not supported on Cloud Control Room instances because the database and services are managed internally by Automation Anywhere. There is no compliance use case (requirement) for these credentials to be stored in the customer external key vault.
- If you are using CyberArk in an Automation 360 Cloud deployment, then the CyberArk external key vault must be reachable from the Cloud Control Room through the network perimeter firewall rules. For external firewall rules configuration details, see Control Room IP addresses for external integrations.
- Gather the specific CyberArk information required to configure the external key vault connector using the Automation 360 Control Room.
Item | Description |
---|---|
Vault URL | The CyberArk AIM server CCP API URL (for example: https://<hostname:port_num>/). Note: To access the CCP APIs, the Control Room will automatically append /AIMWebService/api/Accounts? to the vault URL you enter. As a result, you must configure the Web Service on the CyberArk AIM server as AIMWebService. |
Application ID | The CCP API AppID (for example: AAEControlRoom). For details, see Define CyberArk application ID. |
Certificate file | Enter the path to the client certificate issued to the Control Room server. The client certificate file that is issued for the Control Room is a .p12 file that contains the private key. CyberArk admins configure this file on the CyberArk server. After configuring the certificate file, it is used to authenticate every client request that is sent from the Automation 360 Cloud Control Room to the CyberArk server. The certificate will be issued to the Cloud Control Room (Subject: field of the certificate will contain fully qualified domain name (FQDN) of the Control Room) by the customer internal certificate authority. |
Certificate file password | A password used to open the certificate file. |
Server certificate - PEM format | (Required only for Cloud integration): The server certificate without the private key of the CyberArk AIM server (Subject: field of the certificate will contain the FQDN of the CyberArk AIM server). This server certificate is a public certificate for the URL where CyberArk is hosted. This certificate is in the PEM text format and contains the Subject Alternative Names (SAN) on which the CyberArk is listening to requests. For more information, see CyberArk CACert. |
- Log in to the Automation 360 Control Room as the Administrator.
- From the Control Room, navigate to .
- Click the Edit icon to open the Configuration settings pane.
- Click CyberArk and then enter the specific CyberArk information described in the preceding table.
- Click Save changes to connect the external key vault.
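A pre-flight check for two of the fields in the table above, written as an added example that is not part of the original documentation or of either product. It flags a Vault URL that already carries the API path (which the Control Room appends itself) and a server certificate PEM that still contains a private key. The function names and sample inputs are hypothetical, and the trailing-slash handling is an assumption.

```python
import re
from urllib.parse import urlsplit

# Path the Control Room appends to the Vault URL, as stated in the table above.
CCP_SUFFIX = "/AIMWebService/api/Accounts?"

def check_vault_url(vault_url):
    """Return (effective_endpoint or None, problems) for a Vault URL value."""
    problems = []
    parts = urlsplit(vault_url.strip())
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if parts.scheme != "https":
        problems.append("scheme must be https: the CCP API is mutually authenticated TLS")
    if not parts.hostname or port is None:
        problems.append("need an explicit hostname:port, matching the firewall rule")
    if parts.username or parts.password:
        problems.append("do not embed credentials in the URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("enter only https://host:port/; the API path is appended for you")
    if problems:
        return None, problems
    # Assumption: a trailing slash is normalised before the suffix is appended.
    return f"https://{parts.hostname}:{port}{CCP_SUFFIX}", problems

def check_server_pem(pem_text):
    """Return problems for the 'Server certificate - PEM format' value."""
    labels = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", pem_text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("private key present: supply the public certificate only")
    return problems

# Constructed sample inputs; the PEM bodies are placeholders, not real key material.
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
WITH_KEY = CERT_ONLY + "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for url in ("https://cyberarkpwv.dev.abcd.com:4043/",
                "https://cyberarkpwv.dev.abcd.com:4043/AIMWebService/api/Accounts?AppID=AAEControlRoom"):
        print(url, "->", check_vault_url(url))
    print("cert only:", check_server_pem(CERT_ONLY))
    print("cert + key:", check_server_pem(WITH_KEY))
```

The check is structural only: it does not parse the certificate, so the Subject and SAN values still need to be compared against the CyberArk AIM server FQDN separately.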