Use CyberArk CCP for agentless connections
CyberArk Central Credential Provider (CCP) is a service that centralizes credentials. Cyberwatch can fetch passwords from it when logging in to SSH or WinRM assets.
Configuring access to CyberArk CCP
Cyberwatch accesses CyberArk CCP through its REST API, with authentication by certificate.
First, generate a private key and a certificate for it. The certificate must be signed by the Certificate Authority configured on CyberArk CCP.
Then, create an application for Cyberwatch on CyberArk CCP. See the official documentation at https://docs.cyberark.com/credential-providers/Latest/en/Content/Common/Adding-Applications.htm. The Certificate Serial Number must be associated with the new application.
The following information is required to configure access to CyberArk CCP from Cyberwatch:
- The ID of the created application
- The private key generated at the first step
- The signed certificate associated with the key
- The certificate of the Certificate Authority
The private key and the certificates must be exported in PEM format.
Finally, from Cyberwatch, go to Settings > Stored credentials and click Add. Select the CyberArk Central Credential Provider type and fill in the fields with the above information.
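Before entering the files in the Cyberwatch form, it helps to confirm that the key, the signed certificate and the CA certificate actually belong together, and to read the serial number that must be registered on the CCP application. The following openssl helpers are an added example, not part of Cyberwatch or CyberArk; the file names, the RSA 3072 key type and the subject CN are assumptions, and signing the CSR is left to the CA configured on CyberArk CCP.

```sh
#!/bin/sh
# Added example: pre-flight checks for the PEM files entered in Cyberwatch.
# File names, key type (RSA 3072) and subject CN are assumptions.

# Generate a private key (readable by the owner only) and a CSR to submit
# to the CA configured on CyberArk CCP.
gen_key_and_csr() {  # usage: gen_key_and_csr key.pem csr.pem "/CN=cyberwatch-ccp"
    ( umask 077 && openssl genrsa -out "$1" 3072 2>/dev/null ) &&
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

# Print the certificate serial number (hex) to associate with the CCP application.
cert_serial() {  # usage: cert_serial cert.pem
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Succeed only if the files are PEM, the private key matches the certificate,
# and the certificate verifies against the CA certificate.
check_bundle() {  # usage: check_bundle key.pem cert.pem ca.pem
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" ||
        { echo "$1 is not a PEM private key" >&2; return 1; }
    for f in "$2" "$3"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "$f is not a PEM certificate" >&2; return 1; }
    done
    # Compare the public key derived from the private key with the one in the cert.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "certificate is not signed by the given CA" >&2; return 1; }
}
```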
Create an agentless connection with CyberArk CCP
In the Assets section, go to Assets management > Agentless connections
Click Add
Select SSH or WinRM as Access protocol
Select the credential for CyberArk CCP configured in the previous section
Specify the CyberArk CCP query for fetching the account to use when connecting to the asset. The recommended query format is Safe=…;Folder=…;Object=…, but any other format supported by CyberArk CCP would work.