On-Premises initial installation using CyberArk Password Vault

Using the initial installation method, you can connect and configure the external key vault connector, service account credential (Active Directory master password), and bootstrap (database) credential identifier.

Note: You must select Microsoft SQL Server Authentication as the database; other database authentication methods are not supported for this use case.

The initial installation supports a password-less installation regarding the Control Room bootstrap credentials. The password-less installation identifies the bootstrap credentials by the Safe name and Object name within CyberArk.

You can configure the SMTP and AD credential identifier to retrieve from the external key vault using the Automation 360 user interface.

Procedure

After you start the Automation 360 installation wizard, select On-premises as the Deployment Option and click Next.
Accept the license agreement and click Next.
Select Custom as the Installation Type Preference and click Next.
Accept the default locations for the destination folders and click Next.
To connect and configure the external key vault integration, select CyberArk.
Accept the default settings from the TLS Configuration dialog box and click Next.
From the Service Credentials dialog box, select an option to specify the Safe name and Object name from CyberArk instead of manually entering the user name and password for the Service Account used by the Control Room.
Click Service Account (retrieve credential from external key vault), and then enter the Safe name and Object name values. Optionally, you can enter the property that is set to your CyberArk username. For example, to configure the username in the format domain\username, you must enter: $domain$\$username$ where the values for domain and username are retrieved from the CyberArk secret response.
The installer will query CyberArk for the credential to validate that the object exists in the specified safe.

Note: If the Service Account option to specify Safe name and Object name is not available, then this indicates that the CyberArk Password Vault was not previously configured and connected properly as the external key vault. Contact your AAI Support team or review.
See also: Troubleshooting external key vaults.
Click Next.
From the Database Server dialog box, select your Database Server and enter the name of your Control Room database, and then click Next.
From the Database Authentication dialog box, select an option to specify the Safe name and Object name from CyberArk instead of manually entering the user name and password the Control Room uses to authenticate to the database.
1. Click SQL Server authentication (retrieve credential from external key vault), and then enter the Safe name and Object name values.
  
  Note: Enter the same Safe name you previously entered for the Service Account safe name.
2. Click Next to continue and complete the initial installation.

After you successfully complete the initial installation, the Automation 360 Control Room can access and retrieve credentials within the CyberArk Password Vault.