On-Premises initial installation using CyberArk Password Vault

Using the initial installation method, you can connect and configure the external key vault connector, service account credential (Active Directory administrator password), and bootstrap (database) credential identifier.

Prerequisites

Ensure that you understand the key vault naming convention requirements before you integrate the CyberArk password vault. See External key vault naming conventions.
Note: You must select Microsoft SQL Server Authentication as the database; other database authentication methods are not supported for this use case.

The initial installation supports a password-less installation for the Control Room bootstrap credentials. In a password-less installation, the bootstrap credentials are identified by their Safe name and Object name within CyberArk rather than entered directly.

You can configure the SMTP and AD credential identifier to retrieve from the external key vault using the Automation 360 user interface.

Procedure

  1. After you start the Automation 360 installation wizard, select On-premises as the Deployment Option and click Next.
  2. Accept the license agreement and click Next.
  3. Select Custom as the Installation Type Preference and click Next.
  4. Accept the default locations for the destination folders and click Next.
  5. To connect and configure the external key vault integration, select CyberArk.
    1. In the Vault URL field, enter the CyberArk AIM server CCP API URL (for example: https://<hostname:port_num>/).
    2. In the Application ID field, enter the CCP API AppID (for example: AAEControlRoom).
    3. Enter the path to the CyberArk AIM server certificate (in .pem format using .p12) issued to the Control Room server. The certificate's Subject field contains the Control Room fully qualified domain name (FQDN).
      This certificate must be trusted by and configured within CyberArk.
    4. In the Virtual Directory field, specify the key vault's virtual directory path. The path is set to /AIMWebService/api/Accounts/ by default. You can change this path if your key vault's virtual directory is different.
    5. Click Upload Certificate to store on the Automation 360 Control Room server.
    6. Enter the certificate file passphrase used to access the Control Room certificate file.
    7. Optional: If the issuing Certificate Authority (CA) of the CyberArk server certificate is not trusted by the Control Room, then enter an optional server certificate.
      This is the server certificate for the CyberArk server without a private key (the certificate Subject: field contains the CyberArk AIM Server FQDN). The installer will add the optional CyberArk Server certificate to the truststore used by the Control Room.
    8. Click Next.
  6. Accept the default settings from the TLS Configuration dialog box and click Next.
  7. From the Service Credentials dialog box, select an option to specify the Safe name and Object name from CyberArk instead of manually entering the user name and password for the Service Account used by the Control Room.
  8. Click Service Account (retrieve credential from external key vault), and then enter the Safe name and Object name values. Optionally, you can enter the property that is set to your CyberArk username. For example, to configure the username in the format domain\username, you must enter: $domain$\$username$ where the values for domain and username are retrieved from the CyberArk secret response.
    The installer will query CyberArk for the credential to validate that the object exists in the specified safe.
    Note: If the Service Account option to specify Safe name and Object name is not available, the CyberArk Password Vault was not previously configured and connected properly as the external key vault. Contact your AAI Support team or review the troubleshooting topic referenced below.

    See also: Troubleshooting external key vaults.

  9. Click Next.
  10. From the Database Server dialog box, select your Database Server and enter the name of your Control Room database, and then click Next.
  11. From the Database Authentication dialog box, select an option to specify the Safe name and Object name from CyberArk instead of manually entering the user name and password the Control Room uses to authenticate to the database.
    1. Click SQL Server authentication (retrieve credential from external key vault), and then enter the Safe name and Object name values.
      Note: Enter the same Safe name you previously entered for the Service Account safe name.
    2. Click Next to continue and complete the initial installation.

After you successfully complete the initial installation, the Automation 360 Control Room can access and retrieve credentials within the CyberArk Password Vault.
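The following script is an added worked example, not code from the original page, from Automation Anywhere or from CyberArk. It shows how the installer fields from steps 5 and 8 combine into a single CyberArk Central Credential Provider (CCP) lookup: the GET URL assembled from the Vault URL, Virtual Directory, Application ID, Safe name and Object name; the mutual-TLS context built from the uploaded Control Room client certificate plus the optional CyberArk server certificate; and the rendering of a username template such as $domain$\$username$ from the secret response. Everything beyond the field names on the page is an assumption: the sample CCP response is constructed, the property keys "Content", "UserName" and "Domain" are assumed, template tokens are matched to property names case-insensitively, and the client certificate and key are read as PEM files because Python's ssl module cannot load a .p12 directly.

```python
"""Added worked example (not Automation Anywhere's or CyberArk's own code).

Maps the installer fields onto one CCP lookup, an mTLS context and the
$domain$\\$username$ property template. Assumptions not stated on the page:
the CCP JSON response carries the secret under "Content" and account
properties under keys such as "UserName" and "Domain"; template tokens are
matched case-insensitively; client certificate and key are PEM files.
"""
import json
import re
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Installer default from the page; override when the vault's virtual directory differs.
DEFAULT_VIRTUAL_DIR = "/AIMWebService/api/Accounts/"

# One $name$ token in the username template.
_TOKEN = re.compile(r"\$([A-Za-z0-9_]+)\$")

# Constructed sample of a CCP response; the secret value is a placeholder.
SAMPLE_CCP_RESPONSE = json.loads("""{
  "Content": "<secret-placeholder>",
  "UserName": "svc-controlroom",
  "Domain": "CORP",
  "Safe": "AAE_Safe",
  "Name": "CR_ServiceAccount",
  "PolicyID": "WinDomain"
}""")


def build_ccp_url(vault_url: str, app_id: str, safe: str, obj: str,
                  virtual_dir: str = DEFAULT_VIRTUAL_DIR) -> str:
    """Compose the CCP GET URL used to look up one object in one safe."""
    for label, value in (("Vault URL", vault_url), ("Application ID", app_id),
                         ("Safe name", safe), ("Object name", obj)):
        if not value or not value.strip():
            raise ValueError(f"{label} must not be empty")
    base = vault_url.rstrip("/") + "/" + virtual_dir.strip("/")
    query = urllib.parse.urlencode({"AppID": app_id, "Safe": safe, "Object": obj})
    return f"{base}?{query}"


def make_mtls_context(client_cert_pem: str, client_key_pem: Optional[str],
                      key_passphrase: Optional[str],
                      extra_server_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the CCP call: presents the Control Room client certificate
    and, when the CyberArk server's issuing CA is not already trusted, also trusts
    the extra server certificate the installer adds to the truststore (step 5.7)."""
    ctx = ssl.create_default_context()  # verifies the server against system CAs
    ctx.load_cert_chain(client_cert_pem, keyfile=client_key_pem, password=key_passphrase)
    if extra_server_ca_pem:
        ctx.load_verify_locations(cafile=extra_server_ca_pem)
    return ctx


def fetch_credential(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> dict:
    """The lookup the installer performs to validate that the object exists in the
    safe. Needs a reachable CCP endpoint, so it is not exercised offline."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def render_username(template: str, response: dict) -> str:
    """Replace each $property$ token with the matching response property.

    A token naming a property the response lacks is an error rather than a
    silently malformed login name, and the secret itself ("Content") is never
    interpolated into a username."""
    props = {k.lower(): v for k, v in response.items() if isinstance(v, str)}

    def substitute(match):
        key = match.group(1).lower()
        if key == "content":
            raise ValueError("the secret value may not be used in the username template")
        if key not in props:
            raise KeyError(f"CCP response has no property named {match.group(1)!r}")
        return props[key]

    return _TOKEN.sub(substitute, template)


if __name__ == "__main__":
    print(build_ccp_url("https://vault.example.com:443/", "AAEControlRoom",
                        "AAE_Safe", "CR_ServiceAccount"))
    print(render_username("$domain$\\$username$", SAMPLE_CCP_RESPONSE))
```

The hostname, AppID, safe and object values in the usage call are placeholders. The template check in render_username is the part worth keeping in any real integration: a typo in the property name (for example $user$ instead of $username$) should fail the lookup at install time, not produce a service account login that silently omits the domain.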

Next steps