CyberArk CPM Plugin Configuration for RSA Authentication Manager - RSA Ready Implementation Guide

This article describes how to integrate CyberArk CPM Plugin with Authentication Manager.

Before You Begin

Make the RSA Root Certificate Available for the Plugin

You must export your RSA Authentication Manager server’s root certificate and import it into your CPM host’s keystore before the plugin can use the server’s API. Complete the following steps to make the certificate available for the plugin.

  1. Use your browser to export the certificate from your RSA Authentication Manager server and save it on your device.
  2. Copy the root certificate from the local machine to the CPM host.
  3. Use the Certificate Import Wizard to import the certificate to the client keystore.

 

Obtain the RSA Authentication Manager Operating System User’s Credentials

The plugin uses the rsaadmin operating system user to connect to the RSA Authentication Manager appliance over SSH and manage Operations Console users’ passwords.

Note: The integration does not support password management for the operating system user. 

 

Obtain RSA Authentication Manager Super Admin Credentials

The plugin requires multiple RSA super admin account credentials to manage Security Console users’ passwords via the RSA Authentication Manager API. A super admin account was created when you initially set up your RSA Authentication Manager instance. Use this account to create other super admin accounts (Security Console users) whose passwords will be managed by the CPM plugin.

 

Obtain RSA Authentication Manager Operations Console User Credentials

You will need RSA Authentication Manager Operations Console account credentials to retrieve the command client user name and password in the following section. An Operations Console user account was created when you initially set up your RSA Authentication Manager instance.

 

Obtain the Command Client User Name and Password

When you install RSA Authentication Manager, the system creates credentials for securing API connections to the API’s command server. These credentials are randomly generated and unique to the server. Use the following procedure to obtain the command client user name and password from RSA Authentication Manager. You will need these values when you create a Security Console super admin account in the CyberArk CPM.

  1. Open a command prompt on your RSA Authentication Manager host, navigate to the /opt/rsa/am//utils directory and enter the following command:

./rsautil manage-secrets --action list

  2. When prompted, enter your Operations Console username and password. The system will display the list of your internal system passwords.
  3. Locate and copy the values for your command client user name and password. See the following example:

Command Client User Name .................: CmdClient_wnuoizd8
Command Client User Password .............: ZNJVSP78smpzLZdPqmuN4OoZPZAByw

 

Configuring CyberArk CPM Plugin

Activate the RSA Authentication Manager Platform

 

  1. Log in to the Password Vault Web Access client (PVWA).
  2. From the left panel, navigate to Administration > Configuration options.
  3. From the main pane, choose edit Platform Management.
  4. Check the status of RSA Authentication Manager in the platform management list. If it shows as Active, you can go to the next section.
  5. If the status is not Active, select RSA Authentication Manager and, in the Platform preview pane on the right, set the Status toggle switch to Active and click the disk icon.

Create a Command Client User Account

Use your RSA Command Client credentials obtained earlier to create a CyberArk Command Client Account. The plugin will use the account to communicate with RSA Authentication Manager’s API server.

Note: Never use CyberArk to manage Command Client credentials. The credentials aren’t associated with a user account. If you modify them, the plugin won’t be able to communicate with RSA Authentication Manager’s API server.

  1. From the left panel, navigate to Accounts.
  2. From the main pane, click Add Account.
  3. Select Application from the Select system type.
  4. Select RSA Authentication Manager from the Assign to platform step.
  5. Select the appropriate safe from the Store in Safe step.
  6. In the Define Properties step, enter the following values:
    1. Enter your Command Client name in the Username field.
    2. Enter your RSA Authentication Manager fully qualified hostname in the Address field.
    3. Enter your Command Client password in the Password and Confirm Password fields.
    4. Select Command Client User from the RSA User Type dropdown list.
    5. Disable Allow automatic password management.
    6. Click Add.

Create and Configure Security User Accounts for RSA Super Admins

You must create a CyberArk Security User account for each of your RSA Security Console super admins that you want managed.

Follow the instructions below for each of your RSA Authentication Manager superadmin users that will be managed.

  1. From the left panel, navigate to the Accounts tab.
  2. Click Add Account at the main pane.
  3. Select Application from the select system type.
  4. Select RSA Authentication Manager from the Assign to platform step.
  5. Select the appropriate safe from the Store in Safe step.
  6. In the Define Properties step:
    1. Enter the Security console user superadmin username in the Username field.
    2. Enter your RSA Authentication Manager fully qualified hostname in the Address field.
    3. Enter your Security console user superadmin password in the Password and Confirm Password fields.
    4. Select Security User from the RSA User Type dropdown list.
    5. Toggle on the Allow automatic password management checkbox if this user will be managed by the CPM plugin.
    6. Click Add.
  7. Choose the newly created account and choose Details. Under Linked Accounts, click on the 3 dots button at the Logon Account field and choose the command client user that was created previously.

Link the RSA Super Admin CyberArk Security User Accounts to Reconciliation Accounts

Follow the instructions below for each Security User account you created in the previous section. You will modify each account to use the other one as its reconciliation account.

  1. Navigate to the Accounts tab on the navigation bar at the left.
  2. Choose the superadmin Security User Account you want to modify and choose Details. Under Linked Accounts, click on the 3 dots button at the Reconcile Account field and choose another super admin security user account.

Create an Operating System User Account

Use your RSA Authentication Manager operating system user (rsaadmin) credentials to create a CyberArk Operating System User Account. The plugin will use the account to connect to the RSA Authentication Manager appliance over SSH in order to manage Operations Console users’ passwords.

Note: The integration does not support password management for the operating system user. You should only use the account as described in the following section. 

  1. From the left panel, navigate to Accounts.
  2. From the main pane, click Add Account.
  3. Select Application from the Select system type.
  4. Select RSA Authentication Manager from the Assign to platform step.
  5. Select the appropriate safe from the Store in Safe step.
  6. In the Define Properties step, enter the following values:
    1. Enter rsaadmin in the Username field.
    2. Enter your RSA Authentication Manager fully qualified hostname in the Address field.
    3. Enter your operating system user’s password in the Password and Confirm Password fields.
    4. Select Operating System User from the RSA User Type dropdown list.
    5. Disable Allow automatic password management.
    6. Click Add.

Create Operation User Accounts

Follow the instructions below for each of your RSA Authentication Manager Operations Console users that you want managed.

  1. From the left panel, navigate to Accounts.
  2. From the main pane, click Add Account.
  3. Select Application from the Select system type.
  4. Select RSA Authentication Manager from the Assign to platform step.
  5. Select the appropriate safe from the Store in Safe step.
  6. In the Define Properties step, enter the following values:
    1. Enter the RSA Authentication Manager Operations Console user’s username in the Username field.
    2. Enter your RSA Authentication Manager fully qualified hostname in the Address field.
    3. Enter your RSA Authentication Manager Operations Console user’s password in the Password and Confirm Password fields.
    4. Select Operation User from the RSA User Type dropdown list.
    5. Toggle on Allow automatic password management if this user will be managed by the CPM plugin.
    6. Click Add.
  7. Choose the newly created account and choose Details.
  8. In the Linked Accounts section, click the 3 dots at the Logon Account field and choose the operating system user that was created in the previous section.
  9. In the Linked Accounts section, click the 3 dots at the Reconcile Account field and choose a super admin security user account.

 

Configuration is complete.
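
The account rules in this guide (which RSA User Types must have automatic password management disabled, and which logon and reconcile links each type needs) can be checked against an account inventory before the CPM starts rotating passwords. The following Python check is an added example, not part of the RSA or CyberArk material; the inventory layout, its field names (username, rsa_user_type, auto_manage, logon, reconcile) and the sample accounts are constructed for illustration and are not CyberArk's API schema.

```python
# Added example. Field names are hypothetical, not CyberArk's API schema.
COMMAND, SECURITY, OS_USER, OPERATION = (
    "Command Client User", "Security User", "Operating System User", "Operation User")

# RSA User Type -> (required logon account type, required reconcile account type)
LINK_RULES = {SECURITY: (COMMAND, SECURITY), OPERATION: (OS_USER, SECURITY)}
# Types for which the guide says to disable "Allow automatic password management"
UNMANAGED = {COMMAND, OS_USER}

def check_accounts(accounts):
    """Return a sorted list of findings for a list of account dicts."""
    by_name = {a["username"]: a for a in accounts}
    findings = []
    for acct in accounts:
        name, rsa_type = acct["username"], acct["rsa_user_type"]
        if rsa_type in UNMANAGED and acct.get("auto_manage"):
            findings.append(f"{name}: automatic password management must be disabled")
        for field, wanted in zip(("logon", "reconcile"), LINK_RULES.get(rsa_type, ())):
            target = by_name.get(acct.get(field))
            if target is None:
                findings.append(f"{name}: {field} account is missing or unknown")
            elif target["rsa_user_type"] != wanted:
                findings.append(f"{name}: {field} account must have type '{wanted}'")
            elif target is acct:
                findings.append(f"{name}: {field} account must be another account")
    if sum(a["rsa_user_type"] == SECURITY for a in accounts) < 2:
        findings.append("inventory: two or more Security User accounts are required")
    return sorted(findings)

# Constructed sample inventory with three deliberate mistakes.
SAMPLE = [
    {"username": "CmdClient_example", "rsa_user_type": COMMAND, "auto_manage": False},
    {"username": "rsaadmin", "rsa_user_type": OS_USER, "auto_manage": True},  # managed
    {"username": "sa_one", "rsa_user_type": SECURITY, "auto_manage": True,
     "logon": "CmdClient_example", "reconcile": "sa_two"},
    {"username": "sa_two", "rsa_user_type": SECURITY, "auto_manage": True,
     "logon": "CmdClient_example", "reconcile": "sa_two"},  # reconciles itself
    {"username": "oc_admin", "rsa_user_type": OPERATION, "auto_manage": True,
     "logon": "CmdClient_example", "reconcile": "sa_one"},  # wrong logon type
]

if __name__ == "__main__":
    for line in check_accounts(SAMPLE):
        print(line)
```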