Configure the MID Server for CyberArk CCP
Configure the config.xml file to grant the MID Server access to the CyberArk CCP vault.
Before you begin
About this task
Note:
In the Zurich family release, the instance needs an additional Update Set that can be downloaded from Enable CyberArk Central Credential Provider (CCP) Integration in Zurich Release [KB2682524]. Follow the provided installation steps. The Australia family release includes this script by default.
Procedure
Manually configure the MID Server Add a MID Server parameter file with these parameters.
This configuration cannot be done from the instance.
| Parameter | Value | Description |
|---|---|---|
| ext.cred.safe_folder | NameOfFolder | Folder to use for all credential lookups. For example, root. |
| ext.cred.use_cyberark | true | Boolean parameter indicating that this MID Server is integrated with CyberArk. |
| ext.cred.ccp_endpoint | CCPendpointURL |
The CCP endpoint URL, which must use HTTPS. For example: https:// /AIMWebService/api/Accounts |
| ext.cred.cyberark.cert_path | /path/on/mid/agent/security/EXAMPLE-cyberark-client.pfx | Path to the certificate file. |
| ext.cred.cyberark.cert_password | example-password | Password for the certificate file. |
| Parameter | Value | Description |
|---|---|---|
| ext.cred.timeout | 30 | Timeout of each credential lookup in the vault, specified in seconds. |
| ext.cred.safe_name | NameOfSafe | Default safe name used for all credential lookups. If parameters are in multiple safes, the credential ID may be specified in the format <safeName>:<CredentialID>. When
configured like this, the NameOfSafe field is ignored. If all external credentials have their credential IDs specified in this format, then leave out the
NameOfSafe field. Note:
By default the separator character in this format is a colon. To assign any character you want as a separator, add this line to the CredMap.properties file:
safe.cred.split.string=<string>. |
| ext.cred.app_id | ServiceNow_MID_Server | Specifies the App-ID used to grant permission to the MID Server to access the CyberArk vault. The default value, ServiceNow_MID_Server, must be defined in the CyberArk vault. You can use this parameter to override the default and specify your own App-ID. If you edit the App-ID in this parameter, make sure to configure CyberArk to match. |
| ext.cred.type_specifier | true | Forces an IP address lookup to return credentials that match both the CyberArk platform ID and the IP address. For example, if an IP address is shared by both Windows and Tomcat, a credential with a
platform ID starting with Win returns the Windows credential only. When this parameter is set to true, CyberArk looks for platform IDs that begin with:
|
| ext.cred.check_ssh_type | false | When set to true, requires that the type of SSH credential returned from CyberArk matches the type of credential requested. For example, if a normal SSH username/password credential is requested and only SSH keys are available, the credential lookup fails. |
| ext.cred.verify_ssl | true | The MID Server validates the CCP server certificate, verifying the server’s identity. This setting is recommended for production environments. If set to false, the MID Server does not validate the CCP server certificate. |
| ext.cred.check_revocation | true | This parameter controls certificate revocation checking for the CCP server certificate chain. While true, enables CRL/OCSP checks. |
| ext.cred.snmpv2_community_property | AttributeName | SNMPv2 is not natively supported in CyberArk. If your organization has created custom SNMPv2 credentials in which the community string does not appear in the password field of the credential, use this property to map the attribute in the credential to the community string. |