Use CyberArk CCP for agentless connections

CyberArk Central Credential Provider (CCP) is a service that centralizes credentials. Cyberwatch can fetch passwords from it when logging in to SSH or WinRM assets.

Configuring access to CyberArk CCP

Cyberwatch accesses CyberArk CCP through its REST API, with authentication by certificate.

First, generate a key along with a certificate that must be signed by the Certificate Authority configured on CyberArk CCP.

Then, create an application for Cyberwatch on CyberArk CCP. See the official documentation at https://docs.cyberark.com/credential-providers/Latest/en/Content/Common/Adding-Applications.htm. The Certificate Serial Number must be associated with the new application.

The following information is required to configure access to CyberArk CCP from Cyberwatch:

  1. The ID of the created application.
  2. The private key generated at the first step.
  3. The signed certificate associated with the key.
  4. The certificate of the Certificate Authority.

The private key and the certificates must be exported in PEM format.

Finally, from Cyberwatch, go to Settings > Stored credentials and click Add. Select the CyberArk Central Credential Provider type and fill in the fields with the above information.
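Before filling in the form, the key, the signed certificate and the CA certificate can be checked locally with openssl. The script below is an added example, not part of Cyberwatch or CyberArk; the function names, file names, certificate subjects and the throwaway CA used for the sample material are assumptions made for this example.

```shell
# Added example: pre-flight check of the PEM files before entering them in Cyberwatch.
# File names, subjects and the throwaway CA are constructed for this example.

# Generate an unencrypted private key (owner-readable only) and a CSR for the CA.
make_key_and_csr() {  # $1 = key output, $2 = CSR output
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
          -subj "/CN=cyberwatch-ccp-client" 2>/dev/null )
}

# Serial number (hex) to associate with the application on CyberArk CCP.
cert_serial() {  # $1 = certificate
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Print the serial and return 0 only if key, certificate and CA are consistent.
check_ccp_material() {  # $1 = key, $2 = certificate, $3 = CA certificate
    for f in "$1" "$2" "$3"; do
        # PEM is text with BEGIN markers; DER or PKCS#12 exports fail here.
        grep -q -e '-----BEGIN ' "$f" 2>/dev/null || { echo "not PEM: $f" >&2; return 1; }
    done
    # The key must belong to the certificate: compare public key digests.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ "$key_pub" = "$cert_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    # The certificate must chain to the CA configured on CyberArk CCP.
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 \
        || { echo "certificate not signed by this CA" >&2; return 1; }
    cert_serial "$2"
}

# Build constructed sample material in directory $1, signed by a throwaway CA.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=demo-ca" -days 1 2>/dev/null || return 1
    make_key_and_csr "$1/client.key" "$1/client.csr" || return 1
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/client.pem" -days 1 2>/dev/null
}
```

On real files, run check_ccp_material with the key, the signed certificate and the CA certificate as arguments; a zero exit status means the three files are consistent, and the printed value is the certificate's serial number.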

Create an agentless connection with CyberArk CCP

  1. In the Assets section, go to Assets management > Agentless connections.

  2. Click Add.

  3. Select SSH or WinRM as Access protocol.

  4. Select the credential for CyberArk CCP configured in the previous section.

  5. Specify the CyberArk CCP query for fetching the account to use when connecting to the asset. The recommended query format is Safe=…;Folder=…;Object=…, but any other format supported by CyberArk CCP also works.

