On-Premises post-installation using CyberArk Password Vault

You use the command-line interactive key vault utility during a scheduled system downtime and you must stop all running Control Room services. You should coordinate any key vault configuration changes that might impact connectivity parameters (such as App ID, vault URL, port numbers, and certificate) during downtimes with the CyberArk administrative team.

Prerequisites

Note: If you use the key vault utility to disable CyberArk Password Vault integration, you must first unmap any mapped credentials that are in use.

Using the post-installation method, you can perform these actions:

  • Modify or configure the external key vault connection parameters.
  • (If not configured during initial installation) Modify or configure the service account credential (Active Directory administrator password).
  • (If not configured during initial installation) Modify or configure the database (bootstrap) credential identifier (retrieved when authenticating the database).
    Note: Retrieving bootstrap credentials from an external key vault might cause the Control Room to fail if the external key vault is not accessible during boot-up, or if the external key vault is not accessible when the Control Room refreshes database connections and authenticates users with Active Directory.
  • Recover the Control Room for these reasons:
    • By modifying the external key vault connection parameters, the service account, and database credential safe and object identifiers.
    • If CyberArk Password Vault connection parameters changes caused the Control Room to experience connectivity issues.
    • When credential identifiers for bootstrap passwords change.

      You can address any initial configuration settings that were not set correctly and recover the system.

    Note: Ensure you add HTTPS headers without spaces or you will not be able to integrate CyberArk using CRUtil.

    Example:

    • Correct: HTTP-Strict-Transport-Security
    • Incorrect: HTTP Strict Transport Security

You can configure and edit SMTP and AD credential identifiers to retrieve information from the external key vault from the Automation 360 Control Room by navigating to Administration > Settings > Active Directory.

Procedure

  1. Run the key vault utility for the CyberArk Password Vault
    Note: You must import the CyberArk server certificate (the certificate issued to the CyberArk server) to the Java truststore before invoking the dB utility commands. The certificate can be in .cer (PEM) format and does not contain a private key.

    To run the key vault utility and update key vault connection settings:

    1. As the Control Room administrator, access the Automation Anywhere Control Room installation directory that was created during the initial Automation 360 installation.
      For example: C:\Program Files\Automation Anywhere\Automation360
    2. Download the latest version of the key vault utility. To download the jar file used to update the directory, use the following instructions:
      1. Open a browser and access the A-People site: A-People Downloads page (Login required).
      2. Click the link to the latest On-Premises build.
      3. Click the Installation Setup folder.
      4. Download the crutils.jar file.
      Note: If DB authentication is configured to use external key vault, the utility returns the following exception: Database currently configured to retrieve credentials from key vault. Update database authentication to WINDOWS/SQL to proceed further and exit.
      The utility requests the user to confirm the action: Disable/update of key vault might impact functionalities using key vault (for example, Active Directory configuration, Email Settings configuration). Make sure to update these settings (if any). Are you sure you want to continue?
    3. Enter Y to continue.
    4. Enter the following:
      > jdk11\bin\java -jar certmgr.jar -appDir . -importTrustCert <Full path of the certificate>
    5. Add these jvm arguments to the command to run the key vault utility:
      1. -Djavax.net.ssl.trustStore="C:\Program Files\Automation Anywhere\Automation360\pki\trust\store.ks"
      2. -Djavax.net.ssl.trustStorePassword=changeit --module-path lib -jar crutils.jar -configPath "C:\Program Files\Automation Anywhere\Automation360\config" -action [UPDATE_KEY_VAULT_CONFIGURATION or UPDATE_DB_AUTHENTICATION_CONFIGURATION]

      You can update either of these configuration actions:

      • Enter UPDATE_KEY_VAULT_CONFIGURATION to edit the CyberArk key vault configuration.
      • Enter UPDATE_DB_AUTHENTICATION_CONFIGURATION to change to database authentication using external key vault.
  2. Based on which configuration action you used, choose the appropriate action:
    • Update key vault configuration for CyberArk: If you entered UPDATE_KEY_VAULT_CONFIGURATION as the configuration action:
      1. After the utility loads the current key vault configuration and properties, and this prompt is displayed: Enter key vault [AWS/CYBERARK/AZURE/NONE] :, enter CYBERARK
      2. At the Please enter Vault URL: prompt, enter (for example): https://services.uscentral.skytap.com:19516
      3. At the Please enter Application ID: prompt, enter (for example): AAEControlRoom
      4. At the Please enter Certificate path: prompt, enter (for example): C:\Users\Admin\Downloads\client_combined_cert_key_Adminat1234.p12
        Note: The client certificate issued to the Control Room for authenticating to CyberArk must be in .p12 (pkcs#12) format with the private key.
      5. At the Passphrase will not be displayed on the console Passphrase: prompt, enter your passphrase.
      The key vault utility runs. If the configuration was successful (the utility was able to connect to the external key vault using the configured parameters), these messages are displayed on the console: 
      Connection configurations valid
  Key Vault configurations successfully updated
    • Update database authentication for CyberArk: If you entered UPDATE_DB_AUTHENTICATION_CONFIGURATION as the configuration action:
      1. After the utility loads the current database configuration information, this prompt is displayed:
        Database authentication configurations loaded
Currently configured database authentication [SQL]

Change database authentication. Available options:
WINDOWS: Connect to database using windows authentication
SQL: Connect to database using SQL server authentication, manually enter username and password
KEY_VAULT: Connect to database using SQL server authentication, retrieve username and password from external key Vault 

Enter database authentication [WINDOWS/SQL/KEY_VAULT]:

        Enter KEY_VAULT

      2. At the Please enter Safe name: prompt, enter (for example): aa_vb_safe
      3. At the Please enter Object name: prompt, enter (for example): Database-MSSql-administrator-admin

      The key vault utility runs. If the database configuration was successful (the utility was able to connect to CyberArk, retrieve the designated credential and then use the credential to connect to the database), these messages are displayed on the console:

      Database Credentials are valid
Database authentication configurations successfully updated