CyberArk Connector

Configure the CyberArk Connector

Please note that an administrative PowerShell console on the ScriptRunner service host is required to run the cmdlets of the ScriptRunnerSettings module.

The Connector connects exclusively to a CyberArk AIM component via HTTPS. ScriptRunner does not directly access the underlying CyberArk backend infrastructure.

Within CyberArk, the stored credentials are organized in safes and folders. ScriptRunner must be created there as an application and authorized for the corresponding safes and folders.

The ScriptRunner CyberArk Connector is then configured using the ScriptRunnerSettings PowerShell module with two cmdlets:

  • Basic Password Server Settings (Set-AsrPasswordServerConnector Cmdlet)
  • Special CyberArk Settings (Set-AsrCyberArkConnector Cmdlet)

You can use these cmdlets to change one or more settings of the connector's current configuration with each call. For a change to take effect in ScriptRunner, the ScriptRunner service must be restarted, which the -Restart parameter does for you.

As soon as you have selected an API with Set-AsrPasswordServerConnector -API, you can create the corresponding credentials in the admin app. Once CyberArk has been set up for the access as well, switch the connector on with

Set-AsrPasswordServerConnector -On -Restart

With the following cmdlet you get, as with all ScriptRunnerSettings cmdlets, an overview of all available parameters.

Get-Help -Name Set-AsrPasswordServerConnector -detailed

Basic Password Server Settings

Use Set-AsrPasswordServerConnector to set the basic connection parameters.
For CyberArk these are first and foremost:

  • The CyberArk API (-API 'CyberArk AIM API')
  • The FQDN and port of the CyberArk AIM in use (-Host, -Port).

ScriptRunner assembles the URI for the access to the AIM from these values (e.g. https://fqdn:port/AIMWebService/api/Accounts... ).
The URI in use is included in all error and status messages so that it can be checked.
Access should always take place over HTTPS (-UseSSL); otherwise the passwords would be transmitted in plain text.

Authentication

Within CyberArk, you configure an application via the accessing machine/IP address, the (Windows) user, or the executable.

For ScriptRunner you can specify the ScriptRunner host, the ScriptRunner service account (the machine account of the ScriptRunner host, i.e. the one ending in $) and/or the executable ScriptRunnerSvc.exe.

When credentials are used during script execution, for example as script parameters or for connections to target systems, the accessing executable is also the ScriptRunner PowerShell host (SRXPSHost.exe).

If you want this to work even when scripts run locally under a RunAs account, you must either also allow these accounts in CyberArk, or configure a general access account for all password server accesses in the connector (Set-AsrPasswordServerConnector -User -Password -ClearPassword parameters), which then performs all accesses from both the service and the PowerShell host.
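The following PowerShell script is an added example and not ScriptRunner's own code. It performs the two basic steps described above on the service host: it first checks that the AIM endpoint ScriptRunner will address over HTTPS is reachable and presents a certificate that the host actually trusts (the same chain and name validation the connector relies on), and only then sets the basic connector parameters. The host name and port are placeholders; the cmdlet parameters used (-API, -Host, -Port, -UseSSL) are the ones named on this page, and the URI is rebuilt here only for the pre-check, since ScriptRunner assembles it itself.

```powershell
# Added example, not ScriptRunner's own code. Host name and port are placeholders;
# the cmdlet parameters used (-API, -Host, -Port, -UseSSL) are the ones this page names.
param(
    [string]$AimHost = 'aim.example.local',   # placeholder: FQDN of the CyberArk AIM
    [int]$AimPort    = 443                    # placeholder: HTTPS port of the AIM
)

# ScriptRunner assembles this URI itself; it is rebuilt here only to show what the
# pre-check covers and what later error messages will contain.
$aimUri = "https://${AimHost}:${AimPort}/AIMWebService/api/Accounts"

function Test-AimTlsEndpoint {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: the server certificate must chain to a CA the
        # service host trusts and must match $HostName, otherwise AuthenticateAsClient throws.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    }
    finally {
        $client.Dispose()
    }
}

# Abort before touching the connector if the endpoint is unreachable or its certificate fails validation.
$ErrorActionPreference = 'Stop'
$tls = Test-AimTlsEndpoint -HostName $AimHost -Port $AimPort
Write-Host "AIM endpoint $($aimUri): TLS $($tls.Protocol), certificate '$($tls.Subject)' issued by '$($tls.Issuer)', valid until $($tls.NotAfter)"

# Basic connector settings; run in an administrative console on the ScriptRunner service host.
Import-Module ScriptRunnerSettings
Set-AsrPasswordServerConnector -API 'CyberArk AIM API' -Host $AimHost -Port $AimPort -UseSSL

# Review every available parameter before adding the CyberArk-specific settings and switching the connector on.
Get-Help -Name Set-AsrPasswordServerConnector -Detailed
```

Because the TLS check uses the default certificate validation of the .NET SslStream, a self-signed or wrongly named AIM certificate fails here in the same way it would later fail inside the connector, so the problem surfaces before any credential lookup is attempted. The connector is deliberately not switched on in this script; that happens with -On -Restart after the CyberArk-specific settings have been made and the credentials have been created in the admin app.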

CyberArk Settings

There are three CyberArk-specific settings in the Password Server Connector:

  • The Application ID configured in CyberArk for ScriptRunner access
  • Optional: One default CyberArk safe for all ScriptRunner access
  • Optional: One default CyberArk folder for all ScriptRunner access

In CyberArk, the stored credentials are organized in safes and folders and are identified by a name (string), which must be unique within each folder.
If you have defined a fixed safe and/or folder in CyberArk for all ScriptRunner credentials (which ScriptRunner is authorized to use), set it as the default.

When configuring a CyberArk credential in the ScriptRunner Admin app, specify only the CyberArk entry ID (the entry name) as the reference. For exceptions from this default safe or folder, you must specify the differing safe or folder in ScriptRunner in addition to the ID. The notation then corresponds to the usual file system notation for paths:

<Safe>:/<Folder>/.../<ID>

This way, any entry in CyberArk can be referenced from ScriptRunner. Regardless of this, ScriptRunner can only access a credential if the application has been authorized for it in CyberArk.
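As an added example (not part of the original page or of ScriptRunner's code), the function below shows how a credential reference in the <Safe>:/<Folder>/.../<ID> notation described above can be split into safe, folder and entry ID, with the connector's default safe and folder filling in whatever the reference leaves out. The default values and the sample references are constructed placeholders. Two details go beyond what the page states and are assumptions of this example: that a reference starting with "/" overrides only the folder while keeping the default safe, and that nested folders are joined with "/" as the ... in the notation suggests.

```powershell
# Added example, not ScriptRunner's own code. Default safe/folder and the sample
# references are constructed placeholders; the parsing rules for folder-only
# references and nested folders are assumptions of this example.
function Resolve-CyberArkReference {
    param(
        [Parameter(Mandatory)] [string]$Reference,
        [string]$DefaultSafe   = 'SR-Safe',   # placeholder: the connector's default safe
        [string]$DefaultFolder = 'Root'       # placeholder: the connector's default folder
    )
    $safe   = $DefaultSafe
    $folder = $DefaultFolder
    $path   = $Reference

    # A "<Safe>:" prefix overrides the default safe; everything after the colon is the path.
    if ($path -match '^(?<safe>[^:/]+):(?<rest>.*)$') {
        $safe = $Matches.safe
        $path = $Matches.rest
    }

    # Split the remaining path into folder segments; the last segment is the entry ID.
    # @() keeps a single segment an array instead of a string (indexing a string yields chars).
    $segments = @($path.TrimStart('/') -split '/' | Where-Object { $_ -ne '' })
    if ($segments.Count -eq 0) {
        throw "Reference '$Reference' contains no entry ID."
    }
    $id = $segments[-1]
    if ($segments.Count -gt 1) {
        # Assumption: nested folders are written as <Folder>/<Subfolder>/... before the ID.
        $folder = $segments[0..($segments.Count - 2)] -join '/'
    }

    # Without a configured default, a bare ID cannot be resolved at all.
    if (-not $safe -or -not $folder) {
        throw "Reference '$Reference' needs an explicit safe and folder because no default is configured."
    }

    [pscustomobject]@{
        Reference = $Reference
        Safe      = $safe
        Folder    = $folder
        Id        = $id
    }
}

# Constructed sample references covering the three cases the page describes.
$samples = @(
    'SQL-Service'                      # bare ID: default safe and default folder apply
    '/Applications/SQL-Service'        # folder override, default safe (assumed form)
    'Finance:/Root/Apps/SQL-Service'   # explicit safe and nested folder
)
$samples | ForEach-Object { Resolve-CyberArkReference -Reference $_ } | Format-Table -AutoSize

# Same bare ID without any configured default: the function refuses instead of guessing.
try {
    Resolve-CyberArkReference -Reference 'SQL-Service' -DefaultSafe '' -DefaultFolder ''
}
catch {
    Write-Warning $_.Exception.Message
}
```

The resolved Safe/Folder/Id triple is what must be authorized for the ScriptRunner application in CyberArk; comparing it against the safes and folders the application is actually permitted to use is a quick way to explain an access error before consulting the execution reports or logs.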

Start using the connector

After the ScriptRunner CyberArk Connector has been configured and started with

Set-AsrPasswordServerConnector -On -Restart

ScriptRunner will read credentials from the CyberArk password server when configured credentials are to be used. For testing purposes, you can, for example, create an action with corresponding RunAs
If errors occur during the access, take a look at the execution reports. Access problems can also be traced in the ScriptRunner logs.

More information can be found here: Connector settings

This page has been automatically translated and may contain grammatical errors or inaccuracies