Configure the CyberArk credential identifier

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read

    • Create the unique key that CyberArk can use to identify specific credentials in the external repository.

    Before you begin

    Role required: admin

    Before starting this procedure, ensure that the External Credential Storage plugin is activated, and the com.snc.use_external_credentials system property is set to true.

    Procedure

    1. Navigate to All > Discovery > Credentials or Orchestration > Credentials.
    2. Click New.
    3. From the list of credential types, select a type that supports CyberArk external storage.
    4. Complete the form using the fields from your credential type.
    5. Select the External credential store check box.
      The User name and Password fields are replaced with the Credential ID field.
      Note:
      If the check box is not visible, click the menu icon in the header bar and select View > External Storage.
    6. In the Credential ID field, enter an expression using one of these formats:
      • If all your credentials are in the same safe, configure this safe name in the MID Server config.xml file using the ext.cred.safe_name parameter, and then specify the credential ID by name only, as <credential ID>.
      • To name credentials for a given platform that reside is a specific safe, define the credential ID as <safe>:<credential ID>:<platform ID>.
      • If your credentials are in multiple safes, specify the credential ID in this format: <safe>:<credential ID>.
      • If you want CyberArk to look up the credential by IP address, using an alternate safe, specify the credential ID in this format: <safe>:.
      • If you want CyberArk to look up the credential for an alternate platform ID in the same safe, use this format: ::<platform ID>
      • If you want CyberArk to look up the credential in a configured safe by the IP address rather than the credential ID, leave this field blank. This is the best practice for handling installations in which each server has a unique credential. Without this type of lookup, you must create a credential ID record in your instance for every server in your environment.
      Note:
      The credential ID must match the value in the Name field for the CyberArk account. The Credential ID field has a limit of 160 characters.
    7. If you are storing SNMPv3 credentials in CyberArk and are using the privacy protocol and privacy key, configure the ID as follows:
      1. In the Credential Store Type field, select CyberArk.
        The Privacy Credential ID field appears.
      2. Enter the Name of the CyberArk SNMPv3 privacy account in the Privacy Credential ID field.
      Note:
      Character limits for Credential ID and Privacy Credential ID vary by vault. ServiceNow supports up to 180 characters. CyberArk supports 160. Verify the limit in your vault.
    8. Click Submit.