CyberArk Vault Integration

You can integrate Control-M with a CyberArk vault where you store and manage sensitive information (called secrets), such as passwords, access keys, or security keys. This integration enables Control-M/Agents to retrieve secrets from your vault only when they connect to your plug-in application servers and run jobs, so that sensitive information is not saved in Control-M components.

The following diagram demonstrates how Control-M retrieves secrets from a CyberArk vault:

To set up an integration with a CyberArk vault, see Setting Up a CyberArk Vault Integration.

You can use secrets from your CyberArk vault in password-type fields in centralized connection profiles for the following:

• Control-M Managed File Transfer (MFT)

• Plug-ins that you create using Control-M Application Integrator

• Control-M Integrations

During creation or configuration of a connection profile, the Use External Vault option enables you to locate and retrieve a secret for any password-type field in the connection profile parameters. See CyberArk Secret Parameters in Connection Profiles.

Setting Up a CyberArk Vault Integration

This procedure describes how to set up an integration with a CyberArk vault, which includes configuring vault integration parameters and selecting the vault integrations to display in Control-M Web.

Begin

1. Install and configure CyberArk Credential Provider on the Control-M/Agent host machine.

2. Open a command prompt window where your Agent is installed.

3. Run the Vault CLI utility and configure the integration for each relevant Control-M plug-in or group of plug-ins, as follows:

   1. Navigate to the directory that contains the Vault CLI utility for the relevant plug-in or group of plug-ins:

      • Control-M MFT: <AGENT_HOME>/ctm/cm/AFT/exe/

      • Application Integrator plug-ins: <AGENT_HOME>/ctm/cm/AI/exe/

   2. Configure vault integration parameters by running one of the following commands:

      • Linux: ./vault-cli.sh config update -p=<parameter> -v=<value>

      • Windows: vault-cli.cmd config update -p=<parameter> -v=<value>

      Repeat this command for each parameter that you want to update. For descriptions of the CyberArk Vault integration parameters, see CyberArk Vault Integration Parameters.

      • For certain parameters, you must recycle the Control-M plug-in (either Control-M MFT or Control-M Application Integrator) after changing the parameter value, as indicated in CyberArk Vault Integration Parameters.

      • After you configure the vault integration parameters, you can display the current parameter values by running one of the following commands:

        • Linux: ./vault-cli.sh config display

        • Windows: vault-cli.cmd config display

      • If you want to delete your settings and disable the vault integration, use one of the following commands:

        • Linux: ./vault-cli.sh config delete

        • Windows: vault-cli.cmd config delete

   3. Test the connection to your vault by running one of the following commands:

      • Linux: ./vault-cli.sh test -f=<secret_parameters_file>

      • Windows: vault-cli.cmd test -f=<secret_parameters_file>

      Where <secret_parameters_file> is the path to a file that defines values for secret parameters in JSON format, as shown in the following example:

      Copy

      {
         "Type": "Secret:CyberArkVault:Basic",
         "AppID": "finance",
         "Safe": "financeDept",
         "Folder": "Root",
         "Account": "oracleSalaryService",
         "Reason": "I need it to export salaries for VP"
      }

      These parameters are described in CyberArk Secret Parameters in Connection Profiles. For a similar JSON format used by Control-M Automation API, seeExternal Vault Secrets.

      For a list of possible return codes for the connection test, see CyberArk Vault Connection Return Codes.

4. Select the vault integrations to appear in Control-M Web to use in centralized connection profiles, as described in Defining System Settings.

   By default, all supported vault integrations are available when you want to retrieve secrets for password-type fields in connection profiles. Use this procedure to hide any integrations that are not relevant to you from appearing in the user interface.

   The selection of vault integrations does not affect the following:

   • Existing connection profile fields that are already configured to retrieve secrets from vault integrations that are no longer enabled.

   • JSON references to secrets used by Control-M Automation API. For more information, see Secrets in Code.

CyberArk Vault Integration Parameters

The following table lists the CyberArk Vault integration parameters that you can configure using the Vault CLI utility, and indicates whether you need to recycle the component (Control-M MFT or Application Integrator) after changing the parameter value.

CyberArk Secret Parameters in Connection Profiles

The following table describes the parameters that are used to locate and retrieve passwords or secrets from a CyberArk vault. These parameters appear when you select the Use External Vault option for any password-type field in the connection profile parameters. For the retrieval of the secret, you can choose between retrieval based on default CyberArk parameters or retrieval based on a query to CyberArk.

The following parameters are available for retrieval of a secret based on default CyberArk parameters:

The following parameters are available for retrieval of a secret based on a query to CyberArk:

property1=value1;property2=value2;property3=value3

CyberArk Vault Connection Return Codes

The following table lists return codes from connections to the CyberArk vault by either the Vault CLI utility connection test or during a job execution when Control-M attempts to locate and retrieve a secret.