CyberArk credential retrieval use cases

You can retrieve CyberArk credentials for these use cases: bootstrap, system, auto-login, and automations.

Retrieve Control Room bootstrap credentials with CyberArk

The Automation 360 Control Room uses bootstrap credentials to access supporting services such as database, service account, and Active Directory (AD). You configure these credentials during the initial On-Premises installation or post-installation (using the key vault utility) by specifying the safe name and object name.

The following images shows the process of retrieving the Control Room bootstrap credentials with CyberArk:

CyberArk Control Room bootstrap credential retrieval

When required during the bootup sequence or normal operations (such as refreshing a service authentication), the Control Room uses the key vault connection to retrieve the credential and perform the required authentication.

Note: You must select the Microsoft SQL Server Authentication for this use case; other database authentication methods are not supported for bootstrap.

Retrieve Control Room system credentials with CyberArk

Note: You can configure the service account only during the initial installation.

If you configured an external key vault during the initial installation, you can then use the Automation 360 user interface (post-installation) to configure SMTP and Active Directory (AD) credentials.

  1. Log in to the Automation 360 Control Room as the Administrator.
  2. From the Control Room, navigate to: Administration > Settings > Email Settings.
  3. You can map the AD primary account credential from the external key vault, configure external credentials, or set to manual (switch modes of AD primary account credential retrieval).

Retrieve auto-login credentials with CyberArk

Auto-login credentials are used to authenticate to an Automation 360 Bot Agent device and start an active Windows session. Robotic Process Automation (RPA) requires an active Windows session to function. Auto-login occurs prior to the automation running when automations are launched from a remote Bot Agent device.
Note:

If auto-login is enabled for unattended Bot Runners, then all the unattended Bot Runner devices will use use auto-login by looking up for the credentials in the configured external key vaults. Ensure that the credentials of all the Bot Runner devices are created in external key vaults. Otherwise, the Bot Runner devices will encounter the Secret not found error.

The following image shows the process of retrieving the auto-login credentials with CyberArk:

CyberArk retrieve auto-login credentials

A Control Room administrator can manually launch or schedule a job to launch an automation on a Bot Agent device by specifying these details:

  • Automation (bot) name
  • Device name
  • User context

The system performs auto-login to the specified device with the user name and password associated with the user context, and then runs the automation on the device.

To configure retrieval of auto-login credentials from the external key vault, perform these steps:

Note: Ensure that you understand the key vault naming convention requirements before you integrate the CyberArk key vault. See External key vault naming conventions.
  1. Log in to the Automation 360 Control Room as the Administrator with the view and manage setting permission set.
  2. From the Control Room, navigate to Administration > Settings > Devices.
  3. Scroll down to the auto-login settings section and click Edit.
  4. If you previously configured CyberArk as the external key vault connection, click Enabled to retrieve the auto-login credentials from that external key vault.

    If this option is disabled, then the external key vault connection was not configured.

    Note: If you disable auto-login from the external key vault, then credentials are retrieved using the AAI Credential Vault and its stored credentials instead.
    Note: If your Control Room is using a device pool to retrieve auto-login credentials using CyberArk, ensure that the auto-login option is enabled on all the devices in the device pool. Otherwise, the auto-login credentials are not retrieved for devices that do not have the auto-login option enabled.
  5. Enter the Safe name (for example: AA_Auto-login_Safe).
    The safe name you enter is also known as the Auto-login Credential Safe.
    Note: For safe name and object name formats, see External key vault naming conventions.
  6. Enter the property set to your CyberArk username. For example, to configure the username in the format domain\username, you must enter: $domain$\$username$ where the values for domain and username are retrieved from the CyberArk secret response.
  7. To add an optional safe, click Add optional safe, enter the Safe name, and then select roles. You can add up to 25 safes.
  8. Click Save changes.

    If successful, then the auto-login settings successfully saved message is displayed.

CyberArk auto-login credential example

For this auto-login credential retrieval example, consider a Control Room user who wants to deploy a bot on a device as a specific user. This example uses the following details:

  • Automation (bot) name run on a device = ProcureToPayGeoEast
  • Agent device name = WinVDI1138
  • Agent user context = roboticworker2112@automation.abcd.com

The following image shows this an example of retrieving auto-login credentials with CyberArk:

CyberArk auto-login credential example

Before starting the automation, ensure the following:

  1. The Control Room connection details have been successfully configured, and the Control Room uses these connection details to connect to CyberArk and performs authentication.
  2. The Control Room queries the Bot Agent device running on device WinVDI1138 to check if there is an active Windows (operating system) session currently on device WinVDI1138, and if that session belongs to Agent user robiticworker2112.

    If there is an existing session on the device for user robiticworker2112, then there is no need to perform auto-login and the bot continues with the deployment.

  3. However, if there is an no active session or if there is an active session that does not belong to robiticworker2112, then the Control Room retrieves the auto-login credential from the CyberArk Password Vault.
  4. The Control Room passes the credential (password) to theBot Agent. The Bot Agent performs a Windows login on device WinVDI1138 as robiticworker2112 (first, logging off any other user login session) using the auto-login credential for robiticworker2112. The automation (Bot) ProcureToPayGeoEast then starts to run on device WinVDI1138 as robiticworker2112.

Retrieve automation credentials with CyberArk

Automation credentials are variables used by bot developers within automation (bot) actions that define and retrieve data from encrypted storage. The automation uses the credentials to authenticate to applications (for example: finance application). Automation credentials are retrieved by the Automation 360 Bot Agent during runtime. Within CyberArk, a safe is a locker, and an object is a credential.

The following image shows the process of retrieving automation credentials with CyberArk:

CyberArk retrieving automation credentials

Automation credentials retrieved from the CyberArk Password Vault are mapped in the Automation Anywhere Credential Vault. The Credential Vault supports these two types of automation credentials:

Default credentials
Credentials where the value returned by the credential variable is the same for any automation that uses that variable.
Username - based credentials
Credentials where the value returned by the credential variable is distinct based on the user context in which the automation is running.
Note: You cannot enter dynamic values into Central Credential Provider (CCP) from a different user profile using a username - based credential option. The values and attributes remain static and are created within CyberArk Password Vault.

For both system credentials and user-defined credentials, the bot developer specifies the same credential variable within the bot code. Then, the system determines which credential to retrieve during bot runtime.

User-defined credentials simplify automation development by enabling bot developers to write code using a single credential variable where the RPA platform substitutes the value returned during runtime with a unique user-specific value. Developers can avoid writing duplicate code with different user-specific credential variables.

The following image shows the relationship between the Automation Anywhere Credential Vault objects and the CyberArk credentials for system and user-defined credentials:

Automation Anywhere and CyberArk mapped credentials

  • The Control Room locker (Locker1) is mapped to the CyberArk safe name (Safe1).
  • The Control Room system credential (Credential1) is mapped to the CyberArk object (Object1).

As an administrator, you create and configure a locker and credentials using the external key vault feature in the Automation 360 Control Room. Within the Control Room, an administrator maps the Automation Anywhere locker (Locker1) to a safe name (Safe1) and maps the credential (Credential1) to an object name (Object1). The credentials available to Control Room users are determined by what is configured in the external key vault (CyberArk Password Vault).

If you want to use user-defined credentials with the CyberArk integration, then the CyberArk administrator must create objects for each user-defined credential by naming those objects with the Control Room_username postfix. During runtime, the RPA platform retrieves the object name that is named with a postfix that matches the user context (user-defined credential) in which the automation is running. If there is no user-defined credential, then the RPA platform retrieves the object name without a username postfix (and uses the system credential).

Note: You can map any Automation Anywhere locker to any CyberArk Safe Name. However, any safe names you use to map automation credentials should be distinct from the safe names you use for auto-login.

As an administrator, you can use the access controls in the Automation 360 Control Room to separate access to credentials by providing users access to a locker. You control access to credentials by assigning different Control Room users to different roles and then associating different lockers with those roles. By mapping different CyberArk safes to different lockers, access to credentials in the CyberArk safes is mapped to and enforced by the access controls in the Control Room.

Note: The same permissions and privileges (assigned through roles) in the Control Room apply to credentials mapped to the external key vault.

CyberArk automations credentials retrieval example

To configure automation credentials retrieval and integrate with the CyberArk Password Vault, you first create a locker and then create credentials.

Note: If you want to store credentials in the Control Room credential vaults and external key vaults, we recommend that you perform the following:
  • Create separate lockers in the Control Room to store credentials created in the Control Room credential vaults.
  • Create separate lockers in the Control Room to store credentials created in external key vaults.

The Control Room does not support storing credentials from the Control Room credential vaults and external key vaults in the same locker.

To create a locker to integrate with the CyberArk Password Vault, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credential.

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. Click the Lockers tab.
  3. Click Create locker.
  4. Enter a name for the locker.

    This name is local to the Control Room and does not have any dependency on the CyberArk safe name.

  5. Click External Key Vault and enter the CyberArk safe name in the Safe name field (for example: Finance_Safe).
    Note: For safe name and object name formats, see External key vault naming conventions.
  6. Click Next.
  7. Configure Owners, Managers, Participants, and Consumers for the locker.
  8. Click Create locker.

    See Create locker.

The Control Room is now ready to retrieve credentials and enforce access controls on the mapped CyberArk safe. To continue, you now create the credentials.

To create a credential to integrate with the CyberArk Password Vault, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credentials .

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. From the Credentials tab, select Create Credential.
  3. Enter the credential name in the Credential name field.

    This name is local to the Control Room and does not have any dependency on the CyberArk safe name.

    Note: For safe name and object name formats, see External key vault naming conventions.
  4. Click External key vault below the name field.
  5. From the list of available lockers, select the appropriate locker that was previously mapped to the safe name for the credential you are now mapping to the object (credential).
  6. Enter the CyberArk object name in the Object name field.
  7. Click Validate and retrieve attributes.

    The system validates the mapping by attempting to retrieve from the CyberArk Password Vault the combination of safe name (locker) and object name (credential). Within the safe name mapped to the locker, Automation 360 expects objects to use the correct naming conventions. . See External key vault naming conventions.

    If validation fails, then no object exists in the CyberArk Password Vault with the name that matches the combination of safe name (locker) and object name (credential).

    When the system successfully retrieves the object details, it will display the CyberArk Password Vault object attributes (the fields within the secret).

  8. From the list of attributes, select attributes to map to the credential.
  9. Click Create credential.

    If successful, then the credential successfully created message is displayed.