The Central Credential Provider (CCP) is the agentless AAM method for integrating with CyberArk. It allows UiPath to securely retrieve credentials from a vault without deploying an agent on the server. A client certificate is necessary to ensure secure retrieval of the credential.
Before you can begin to use CyberArk® CCP credential stores in Orchestrator, you must first set up the corresponding application and safe settings in the CyberArk® PVWA (Password Vault Web Access) interface.
- A network that allows for interconnectivity between the Orchestrator service and the CyberArk server.
- CyberArk® Central Credential Provider must be installed on a machine that allows HTTP connections.
- CyberArk® Enterprise Password Vault
For more information about installing and configuring CyberArk® applications, please visit their official page.
From the CyberArk® PVWA, you must perform the following steps:
- Create an application for your Orchestrator instance and add client certificates.
- Create a Safe and add members to it to ensure proper permissions.
- In CyberArk®’s PVWA, log in as a user with permission to manage applications (this requires the Manage Users authorization).
- In the Applications tab, click Add Application. The Add Application window is displayed.
- On the Add Application window, specify the following information:
- Name field - a custom name for the application, such as Orchestrator.
- Description - a short description to help you specify the purpose of the new application.
- Location - the path of the application within the Vault hierarchy. If a location is not specified, the application is added in the same location as the user who is creating this application.
- Click Add. The application is added, and its details are displayed on the Application Details page.
- Select the Allow extended authentication restrictions checkbox.
See supported authentication methods
- Allowed machines
- OS User
- Client Certificates
- Configure the authentication method. For example, in the Authentication tab, click Add > Certificate Serial Number, and add the unique identifier of the client certificate, used to authenticate the requesting application against CCP.
Safes are required to help you better manage your accounts. You can also add safe members to ensure proper authorization. CyberArk® recommends adding as safe members a credential provider (a user with full rights over the credentials, who can add and manage them) and the previously created application. The latter enables Orchestrator to find and retrieve the passwords stored in the safe.
- In the Policies tab, under the Access Control (Safes) section, click Add Safe. The Add Safe page is displayed.
- Fill in the Safe Name and Description fields.
- Click Save. The Safe Details window is displayed.
- In the Members section, click Add Member. The Add Safe Member window is displayed.
- Search for the previously created application (steps 2-6), and select the following permissions for it:
- View Safe Members
- Retrieve accounts
- List accounts
- Access Safe without Confirmation - Only if you are using a dual control environment and a v7.2 or lower PIM-PSM.
If you install multiple credential providers for this integration, it is recommended to create a group for them and add the group to the Safe once with the above authorization.
- Click Add. Your integration is complete, and you can begin provisioning CyberArk® credential stores in Orchestrator. For details on storing Robot credentials, see here.
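To check the setup above from the machine that holds the client certificate, the following added PowerShell example (not part of the original page or of UiPath's or CyberArk's own material) prints the certificate serial number to register in PVWA and confirms that retrieval works only when the certificate is presented. The host name, safe name, object name and thumbprint are placeholders, and the URL assumes the CCP web service is published under its default name, AIMWebService.

```powershell
# Added example. All values below are placeholders/assumptions; replace them.
$CcpHost    = 'ccp.example.internal'       # placeholder CCP host name
$AppId      = 'Orchestrator'               # application name created in PVWA
$Safe       = 'OrchestratorSafe'           # placeholder safe name
$Object     = 'robot-account'              # placeholder account object name
$Thumbprint = '<CLIENT-CERT-THUMBPRINT>'   # placeholder thumbprint

# Load the client certificate and make sure it is usable for authentication.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# This is the value to enter under Add > Certificate Serial Number in PVWA.
"Serial number to register in PVWA: $($cert.SerialNumber)"

# Build the CCP query (assumed default web service name: AIMWebService).
$query = 'AppID={0}&Safe={1}&Object={2}' -f `
    [uri]::EscapeDataString($AppId),
    [uri]::EscapeDataString($Safe),
    [uri]::EscapeDataString($Object)
$uri = "https://$CcpHost/AIMWebService/api/Accounts?$query"

# 1) With the client certificate: retrieval is expected to succeed.
try {
    $r = Invoke-RestMethod -Uri $uri -Method Get -Certificate $cert
    # Report only that a secret came back; never print the secret itself.
    "With certificate: OK (user '$($r.UserName)', secret present: $([bool]$r.Content))"
} catch {
    "With certificate: FAILED - $($_.Exception.Message)"
}

# 2) Without the certificate: retrieval is expected to be rejected.
try {
    $null = Invoke-RestMethod -Uri $uri -Method Get
    'Without certificate: request SUCCEEDED - certificate restriction is not enforced.'
} catch {
    'Without certificate: rejected, as expected.'
}
```

If the second request succeeds, review the application's authentication settings in PVWA before provisioning the credential store in Orchestrator.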