09/24/2023 11:51 PM - last edited on 09/25/2023 02:06 AM by Sunil
Hi
I am trying to set up CyberArk as a vault connector to inject account credentials in one of the REST connectors.
1st Step
While setting up CyberArk as a vault connector (after following the document link provided below), I have configured all required parameters like Auth_URL, USERNAME, PASSWORD, URL, ACCOUNTID, DEFAULT_PATH (/${accountID}/Password/Retrieve) etc. to test the connection and got the popup for successful connection. Also, in the logs I don't see any error message.
With this, can I assume that the connection is set up successfully? Or is there anything else I can do to make sure it's set up perfectly fine?
Doc link : Understanding the Integration Between EIC and CyberArk Vault (saviyntcloud.com)
2nd Step
I created a REST connector, where I got the option to select "Credential Vault Connection" which I created in 1st Step. Checked this checkbox "Save Credential Vault", selected the "accountID" in "Account Id Credential Vault Connection" field as configured in 1st Step and the "vault config" which was auto populated with this value "https://{instance}/PasswordVault/api/Accounts/{$accountID}/Password/Retrieve".
Now when I click on the "Advanced" button next to "vault config", it gives a blank white screen. Because of it, I am not able to complete the remaining configuration required for the "Is Encoded" field. What could be the reason for this issue? Do we need to raise a fresh service ticket?
Also, what will be the "ConnectionJSON" configuration if credentials are pulled from the vault? I didn't find any example at the document link given below.
REST Developer Handbook : Developers Handbook (saviyntcloud.com)
Please let me know if any further information is required on the above issue.
One more finding from the logs: while testing the REST connector, I saw this entry in the logs where the configured accountID is not picked up by the REST connector and is showing as "null":
calling url to retrieve password :: https://{instance}/PasswordVault/api/Accounts/null/Password/Retrieve
Not sure if it's related to the "Advanced" configuration issue I mentioned in my original post or something else.
Regards
Gaurav
[This message has been edited by moderator to merge reply comment]
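Added example (not part of the thread and not Saviynt code): a small log check for the symptom described in the post above, where the account ID never reaches the CyberArk retrieval URL. Only the marker text and URL path come from the post; the timestamp prefix, host name and account ID `42_7` are constructed.

```python
import re

# Marker text as quoted in the post; any prefix before it is ignored (assumption).
RETRIEVE_RE = re.compile(
    r"calling url to retrieve password\s*::\s*(?P<url>\S+)", re.IGNORECASE
)
# Path shape taken from the "vault config" value shown in the post.
ACCOUNT_RE = re.compile(
    r"/PasswordVault/api/Accounts/(?P<acct>[^/]*)/Password/Retrieve", re.IGNORECASE
)
# Segments that mean the account ID was never substituted into the template:
# null-like words, an empty segment, or leftover template characters.
UNRESOLVED = re.compile(r"^(null|none|undefined|)$|[${}]", re.IGNORECASE)


def check_line(line):
    """Return None for unrelated lines, else (status, account_segment)."""
    m = RETRIEVE_RE.search(line)
    if not m:
        return None
    a = ACCOUNT_RE.search(m.group("url"))
    if not a:
        return ("unexpected-path", None)
    acct = a.group("acct")
    if UNRESOLVED.search(acct):
        return ("unresolved-account-id", acct)
    return ("ok", acct)


def scan(lines):
    """List (line_number, status, account_segment) for every failed retrieval call."""
    findings = []
    for number, line in enumerate(lines, start=1):
        result = check_line(line)
        if result and result[0] != "ok":
            findings.append((number, result[0], result[1]))
    return findings


# Constructed sample log lines (hypothetical prefix, host and account ID).
SAMPLE_LOG = [
    "2023-09-25 10:00:01 DEBUG calling url to retrieve password :: "
    "https://vault.example.test/PasswordVault/api/Accounts/null/Password/Retrieve",
    "2023-09-25 10:00:05 DEBUG calling url to retrieve password :: "
    "https://vault.example.test/PasswordVault/api/Accounts/42_7/Password/Retrieve",
    "2023-09-25 10:00:09 DEBUG calling url to retrieve password :: "
    "https://vault.example.test/PasswordVault/api/Accounts/${accountID}/Password/Retrieve",
    "2023-09-25 10:00:12 INFO connection test finished",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```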
09/25/2023 01:09 PM
The Vault connector should ideally be successful if you saw the success message on clicking Save & Test. Though for confirmation, I would suggest updating the value for password or url to an incorrect one and then validating.
Also, you can refer to the below documentation and follow the steps to setup the connection.
09/25/2023 10:24 PM
Hi Sahil - Thanks for reverting.
Even after putting a wrong password in the Vault connector, it says "Connection is successful" and also logs the same events in the log file. No difference.
Also, I have followed the latest documentation 23.x because our product version is 23.5. But still, I have gone through the link you have mentioned; the popup on click of the "Advanced" button still doesn't come up.
09/25/2023 11:53 PM - edited 09/25/2023 11:54 PM
Hi @SB - Can you please comment on the following issues as well?
09/27/2023 09:47 PM
Hi @SB in my last reply on "09/25/2023 11:54 PM", I have managed to resolve the first 4 points by trial and error methodology. Now, I am looking for help on the following 2 items which are critical to move forward on Saviynt-CyberArk integration:
09/26/2023 08:18 AM
Hi @SB which type of authorization is expected in Saviynt for CyberArk vault integration? Currently, I am using CyberArk auth using this url "/PasswordVault/API/auth/Cyberark/Logon". Other options could be OAuth 2.0 / OpenID Connect etc.
09/28/2023 09:25 AM
Hi @GauravJain Let me check if REST is even supported for using CyberArk vault and will update you.
09/28/2023 11:27 PM
Hi @SB - Thanks for your revert. On this document, it says all connector types support CyberArk vault integration https://docs.saviyntcloud.com/bundle/SVCF-v23x/page/Content/SVCF-Overview.htm
Also, when we create a REST connector, it has an option to select CyberArk vault connector which ideally means it's supported. Secondly, one of the users on the forum has also answered the same Re: Which all connector types support CyberArk as ... - Saviynt Forums - 52208
But I will wait for your confirmation before proceeding further.
10/02/2023 11:03 PM
Hi @SB Any updates on this please?
10/04/2023 09:13 AM
I am still researching on it and will update.
10/05/2023 04:46 AM
Hi @SB thanks for your revert. Till you research on it, can you look at the following general questions w.r.t. vault configuration:
1) What's the significance of the attached screenshot "Advanced_vault_config_screen.JPG" while configuring Vault connector in any other connector type like AD? The documentation is very confusing, so if you have any idea please throw some light on it.
2) What should be the value of "Vault Config" (Account Id Credential Vault Connection)? Is "/${accountID}/Password/Retrieve" correct, or is there more to it? Saviynt documentation is just not explaining it properly here: Understanding the Integration Between EIC and CyberArk Vault (saviyntcloud.com)
3) Save Credential Vault checkbox - As per doc "Select this parameter to save the encrypted attribute in the vault configured with the connector."
Which encrypted attributes is it referring to? I don't think we can save anything in the vault from Saviynt, so this checkbox must be unchecked only, right?
10/09/2023 10:59 PM
Any luck Sahil?
10/10/2023 10:39 AM
I have confirmed this and REST connector does not support using Vault connection.
10/10/2023 09:20 PM
Thanks Sahil. Can we please modify the documentation to avoid such confusion and time waste for other people trying to use the same functionality? 2 different document links with conflicting information:
https://docs.saviyntcloud.com/bundle/SVCF-v23x/page/Content/SVCF-Overview.htm
https://docs.saviyntcloud.com/bundle/CyberArk-Vault-v23x/page/Content/Introduction.htm
Also, if possible the implementation of the REST connector should not really show the CyberArk vault connector configuration if it's not supported, for good user experience.
Regards
Gaurav
10/11/2023 10:16 AM
We have informed the Doc team to get this updated. Also, there is an alternate I think you can try that might work for you. For this, you will need to store the entire Connection JSON in CyberArk (not just the password) and then use the Vault in the REST Connection to fetch the Connection JSON value. Since the vault integration is only used for Encrypted fields and because the entire Connection JSON is encrypted in a REST connection, using just the password will not work but fetching the entire Connection JSON may work.
I have not personally implemented this but it is certainly worth a try if you want to.