Preparing CyberArk to Work with Keyfactor Command

Configuring the CyberArk Credential Provider to interoperate with Keyfactor Command and store Keyfactor Command credentials in the CyberArk vault involves these preparatory steps before configuration in Keyfactor Command can begin:

  • Install required software on the Keyfactor Command server.
  • Create a safe for the Keyfactor Command credentials in the CyberArk PrivateArk (or identify an existing safe).
  • Create passwords in your CyberArk safe for use with your Keyfactor Command certificate stores.
  • Create an application user for Keyfactor Command use in the CyberArk PrivateArk.
  • Grant the application user and Keyfactor Command provider account in CyberArk appropriate permissions in PrivateArk to the safe.
  • Create a credential file on the Keyfactor Command server for use with CyberArk.
  • Register the CyberArk software assembly file with Keyfactor Command.

CyberArk has the following software requirements for interoperability with Keyfactor Command:

Both versions of Microsoft Visual C++ must be installed on the Keyfactor Command server along with the CyberArk Credential Provider software before you proceed to creating a credential file on the Keyfactor Command server or registration of the CyberArk software on the Keyfactor Command server.

Keyfactor Command uses an application user account within CyberArk to retrieve credentials.

To create an application user in CyberArk:

  1. Open the CyberArk Password Vault web portal.
  2. In the Password Vault web portal, expand the left-hand menu and choose Applications > Add Application.
  3. On the Add Application page, enter a Name and Description for your application. If desired, enter Business owner information. Select Applications in the Location dropdown. No other configuration changes are required on this page for interoperability with Keyfactor Command, but you may have other configuration settings you may wish to make. Click Add to save the record.
    Important:  The name you enter in the Name field should begin with App_ (e.g. App_Keyfactor). Make note of the name you enter here. This name becomes your application ID and you will need to reference this from Keyfactor Command.

    Figure 387: Add an Application User in CyberArk for Use with Keyfactor Command

You will need a CyberArk safe in which to store the certificate store credentials for Keyfactor Command that you wish to manage with CyberArk. You may either create a new one or leverage an existing one. This documentation assumes you will create a new one.

To create a safe in CyberArk:

  1. Open the CyberArk Password Vault web portal.
  2. In the Password Vault web portal, expand the left-hand menu and choose Policies > Access Control (Safes) > Add Safe.
  3. On the Add Safe page, enter a Safe name and Description for your safe. No other configuration changes are required on this page for interoperability with Keyfactor Command, but you may have other configuration settings you may wish to make. Click Save to save the record.

    Figure 388: Create a CyberArk Safe for Keyfactor Command

Once an application account and a safe you will use for Keyfactor Command certificate store credentials have been created in CyberArk, you need to grant both the account and the credential provider user on the Keyfactor Command server appropriate permissions to the safe. You may immediately be informed of this upon creating the safe with a warning that "Object level access is not enabled" for the safe. If you receive this message, begin with step three of the instructions for granting permissions.

Figure 389: Warning that Access is Not Enabled for CyberArk Safe

To grant permissions to the safe in CyberArk:

  1. Open the CyberArk Password Vault web portal.
  2. In the Password Vault web portal, expand the left-hand menu, choose Policies > Access Control (Safes), and highlight the safe you created for Keyfactor Command credentials. On the lower right part of the screen, click the Members icon.

    Figure 390: Open Members for the Application User on the Keyfactor Command CyberArk Safe

  3. On the Safe Details page in the Members section, click Add Member.

    Figure 391: Safe Details for the Application User on the Keyfactor Command CyberArk Safe

  4. In the Add Safe Members dialog, search for your application user (e.g. App_Keyfactor), select it in the search results list, and grant the user at minimum the Retrieve accounts and List accounts permissions under Access and View Safe Members permission under Monitor. Click Add to save the permission settings.
    Tip:  Since Keyfactor Command is designed to read existing passwords from CyberArk and not write passwords to CyberArk, these permissions are sufficient for full functionality.

    Figure 392: Grant Permissions for the Application User on the Keyfactor Command CyberArk Safe

  5. Repeat the previous step for the credential provider user. Typically, this username is Prov_HOSTNAME (where HOSTNAME is the short hostnameClosed The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername). of your Keyfactor Command server). You can find the credential provider username in the AppProviderUser.cred file in the ApplicationPasswordProvider\Vault directory under your CyberArk credential provider directory.

You will need at least one CyberArk password for each certificate store in Keyfactor Command that you wish to manage with CyberArk.

Tip:  Some types of certificates stores (e.g. Java keystores) use the CyberArk safe to store passwords only. Other types of certificates stores (e.g. F5 SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. Profiles, FTP, AWS) can use the CyberArk safe to store both a username and a password for the store in separate PrivateArk objects. For stores that use both a username and password, you have the option to store the username in Keyfactor Command and the password in the CyberArk safe. Both usernames and passwords are stored in the CyberArk safe as password objects.

To create a password in CyberArk:

  1. Open the CyberArk PrivateArk application and open your vault.
  2. In PrivateArk, locate your safe, right-click and choose Open and Step Into.
  3. Once the safe opens, optionally create a folder structure on the left under Root and drill down into it to the level where you would like to create your password (e.g. Root\ftp).
  4. In your selected folder, right-click in the main window on the right and choose New > PrivateArk Protected Object > Password.

    Figure 393: Create a Password for a Keyfactor Command Certificate Store in the CyberArk Safe

  5. Enter a name for the object and either generate or enter a password or username.

To register the CyberArk software on the Keyfactor Command server:

  1. Acquire a copy of the CyberArk NetPasswordSDK.dll. This is one of the files installed with the CyberArk Credential Provider. Its installed location may vary depending on the CyberArk version and installation options. In some implementations it is found in:

    C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\NetPasswordSDK.dll

  2. On the Keyfactor Command server, place a copy of the assembly in the WebAgentServices\bin, KeyfactorAPI\bin, WebConsole\bin, and Service directories under your Keyfactor Command installation directory. By default, the directory paths for these will be:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\bin
    C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\bin
    C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\bin
    C:\Program Files\Keyfactor\Keyfactor Platform\Service
  3. On the Keyfactor Command server, open a text editor (e.g. Notepad) using the "Run as administrator" option.

  4. In the text editor, browse to open the web.config file in the WebAgentService directory. By default, this file is located in the following directory path:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\web.config
  5. If you are using NetPasswordSDK versions 10.5.1.3 , or higher, in the web.config file, locate the assemblyBinding section and add a new dependentAssembly section containing the following code.
    <dependentAssembly>
  <publisherPolicy apply="no" />
  <assemblyIdentity name="NetPasswordSDK" publicKeyToken="40be1dbc8718670f"  />
  <bindingRedirect oldVersion="10.5.1.0-10.5.1.3" newVersion="12.4.1.0" />
</dependentAssembly>
    Important:  The redirect newVersion is 12.4.1.0 for the DLL version 12.4.1.8. The 4th number for the build revision is omitted in the redirect and should be 0 instead for any version targeted.
  6. In the web.config file, locate the container section and locate the commented out registration section containing the following code, as shown in Figure 394: Enable Registration Entry for CyberArk in web.config File: 
    <register type="IPAMProvider" mapTo="Keyfactor.Command.PAMProviders.CyberArkProvider, Keyfactor.Command.PAMProviders" name="CyberArk" />

    Remove the comments to activate the registration section so that it appears exactly as the above code.

    Figure 394: Enable Registration Entry for CyberArk in web.config File

  7. Repeat the previous two steps for the web.config files found in the KeyfactorAPI and WebConsole directories and the CMSTimerService.exe.config file found in the Service directory. By default, these files are found in the following directory paths:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\web.config
    C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\web.config
    C:\Program Files\Keyfactor\Keyfactor Platform\Service\CMSTimerService.exe.config