CyberArk Privileged Access Management (PAM)


CyberArk Privileged Access Management (PAM) secures privileged accounts, credentials, and secrets across IT environments. CyberArk PAM provides centralized control and monitoring of privileged access, helping organizations reduce risk, ensure compliance, and protect critical systems. For detailed information, please refer to CyberArk’s official documentation.

Integration Method: API

Tables: Entity Management (3004), Account Change (3001)

This integration supports the following types of events.

Event          Description
Safes          Retrieve a list of all safes.
Safe Members   Retrieve a list of safe members.
Accounts       Retrieve a list of all accounts.

This integration supports the following versions.

CyberArk PAM version   Version 14.6
CyberArk PAM API       2nd gen API

Prerequisites

  • The user should have access to the CyberArk PAM portal as an Administrator. 

  • The user should have access to the DataBee console.

Configuration Overview

  1. For on-premises deployments of CyberArk PAM, install the DataBee data collector.

  2. Create a new CyberArk user for the feed. The user must be a member of every Safe whose contents it should retrieve from the Vault.

  3. Create the CyberArk PAM Data Feed in the DataBee console with the following credentials.

DataBee Parameter   CyberArk Parameter
Username            PVWA username
Password            PVWA password
Base URL            https://<PVWA Server ip address>:<port>

Data Collector Configuration and Installation

NOTE: This step is only needed if CyberArk is installed in an on-premises environment. The data collector must be deployed on the same network as the PVWA so that it can make the API calls and send the results back to DataBee.

If CyberArk is hosted in the cloud, the data collector is NOT needed. Ensure the DataBee IP addresses are allow-listed in CyberArk PAM so that DataBee can reach the API directly.

Follow the steps provided in DataBee's official documentation to complete the configuration. Additionally, refer to this guide for detailed instructions on installing the Data Collector on your Linux machine.

CyberArk PAM Configuration

  1. Log in to the CyberArk PAM PVWA portal as an Administrator.

  2. Copy the instance value (the PVWA server address) from the URL; it is used later as the Base URL.

  3. Navigate to User Provisioning > Users.

  4. Click Create CyberArk User.

  5. In the Define general properties page, add the following details:

    1. Username: Username of your choice.

    2. User type: Select BasicUser from the dropdown menu.

    3. Role: Select Auditor and check the necessary permissions.

    4. Disable user account: Choose Never, then click Next.

  6. In the Add personal details page, add the required details.

  7. In the Select authentication method page, add the following details:

    1. Authentication method: Select Internal from the dropdown menu.

    2. Password: Set a password for the new CyberArk user.

    3. Confirm password: Enter the same password again.

    4. Password expiration: Select a password expiration of your choice, then click Next.

NOTE: If you select “After 30 Days” as the password expiration, you will have to update the password in the DataBee data source configuration every 30 days; otherwise the feed stops authenticating when the password expires.

  8. In the Assign to groups page, select the group name.

    IMPORTANT NOTE

    Only the Accounts and Safes that the selected groups have access to are accessible via the API, so the feed retrieves only what those groups can see.

  9. Click Create.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

  2. Search for CyberArk Privileged Access Manager and click on it.

  3. For on-premises installations, choose the Data Collector option. For SaaS deployments, skip to step 7.

  4. Click the API Ingest option as the polling mechanism.

  5. Enter the feed contact information, select the collector that you created from the drop-down, and click the Next button.

  6. In the configuration page, confirm the following:

    • Base URL: Paste the Base URL, which is the PVWA server address of the CyberArk PAM server (https://<PVWA Server ip address>:<port>).

    • Request Count: Set to 500.

    • Interval: Set to 60 seconds.

    • Event Types: Preselected for all the event types that the integration pulls (Safes, Safe Members, Accounts).

  7. In the configure authentication page, confirm the following, then click Next.

    • Authorization Method: TokenUrlAuth

    • Username: PVWA username

    • Password: PVWA password

    • Select Enable TLS and Skip Server-side Certification Verification.

    • Root CAs File Path:

      1. For the Linux collector: /opt/comcast-databee-collector/certs/ca-cert.pem

      2. For the Windows collector: C:\Program Files\Comcast Databee Collector\certs\ca-cert.pem

    NOTE: Skip Server-side Certification Verification disables validation of the PVWA certificate, so the collector cannot distinguish a spoofed PVWA from the real one when it sends the PVWA password. Use it only where the PVWA presents a certificate the collector cannot validate; where possible, put the PVWA's issuing CA in the Root CAs file so that the certificate can be verified.

    NOTE: Do not use these credentials anywhere else. Doing so may interrupt the data source connection, which can take up to 20 minutes to recover.

  8. Click Submit.
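Before saving the feed, or when a feed returns 401/403, it is worth confirming from a host on the PVWA's network that the service user created above can log on and read the Safes it was assigned, because the feed ingests only what that user's groups can see. The following Python script is an added example written for this page, not DataBee's or CyberArk's own code. It uses the PVWA 2nd-gen REST API paths for Logon, Safes, Safe Members, Accounts and Logoff; the response field names (value, nextLink, safeName, safeUrlId), the relative form of nextLink, the host pvwa.example.internal and the user databee-svc are assumptions, and fake_send is a constructed stand-in for the PVWA so the script runs offline. It validates the PVWA certificate against a CA file rather than skipping verification, pages with limit=500 to match the feed's Request Count, and reports 401 as a credential problem and 403 as a permission problem, mirroring the troubleshooting tips.

```python
"""Pre-flight check for the CyberArk PAM service user behind the DataBee feed.
Added example (not DataBee/CyberArk code). API paths follow the public PVWA
2nd-gen REST API; JSON shapes, nextLink form and fake_send data are assumed."""
import json
import ssl
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit


class PvwaClient:
    def __init__(self, base_url, send=None, ca_file=None):
        self.base_url = base_url.rstrip("/")        # https://<pvwa host>:<port>
        self.token = None
        # Verify the PVWA certificate against ca_file (the Root CAs file) instead of
        # skipping verification: the PVWA password travels in the Logon body.
        self._ctx = ssl.create_default_context(cafile=ca_file)
        self._send = send or self._http_send        # injectable transport

    def _http_send(self, method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            raw = resp.read().decode()
            return resp.status, (json.loads(raw) if raw else {})

    def _call(self, method, path, body=None, params=None):
        url = self.base_url + path + ("?" + urlencode(params) if params else "")
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = self.token   # raw session token, no "Bearer"
        status, payload = self._send(method, url, headers, body)
        if status == 401:
            raise PermissionError("401: wrong username/password or expired session")
        if status == 403:
            raise PermissionError("403: user lacks permission on this resource")
        if status >= 400:
            raise RuntimeError(f"HTTP {status} from {path}")
        return payload

    def logon(self, username, password):
        # concurrentSession=True keeps this token alive if the same user logs on elsewhere
        self.token = self._call("POST", "/PasswordVault/API/auth/CyberArk/Logon",
                                {"username": username, "password": password,
                                 "concurrentSession": True})
        return self.token

    def logoff(self):
        self._call("POST", "/PasswordVault/API/auth/Logoff")
        self.token = None

    def _paged(self, path, page_size):
        """Collect every 'value' item, following nextLink (assumed relative to /PasswordVault/)."""
        items, url, params = [], path, {"limit": page_size, "offset": 0}
        while True:
            page = self._call("GET", url, params=params)
            items.extend(page.get("value", []))
            nxt = page.get("nextLink")
            if not nxt:
                return items
            url, params = "/PasswordVault/" + nxt.lstrip("/"), None

    def safes(self, page_size=500):
        return self._paged("/PasswordVault/API/Safes", page_size)

    def safe_members(self, safe_url_id):
        return self._call("GET", f"/PasswordVault/API/Safes/{safe_url_id}/Members").get("value", [])

    def accounts(self, page_size=500):
        return self._paged("/PasswordVault/API/Accounts", page_size)


def preflight(client, username, password):
    """Log on as the feed user and report what it can see. An empty 'safes' map means
    the user is a member of no Safe, so the feed would ingest nothing."""
    try:
        client.logon(username, password)
        try:
            safes = {s["safeName"]: len(client.safe_members(s["safeUrlId"])) for s in client.safes()}
            return {"ok": True, "safes": safes, "accounts": len(client.accounts())}
        finally:
            client.logoff()                         # always release the session
    except PermissionError as e:
        return {"ok": False, "error": str(e)}


# Constructed stand-in for a PVWA so the check runs offline (not real PVWA output).
def fake_send(method, url, headers, body):
    u = urlsplit(url)
    q = dict(parse_qsl(u.query))
    if u.path == "/PasswordVault/API/auth/CyberArk/Logon":
        return (200, "tok-123") if body.get("password") == "s3cret" else (401, {})
    if headers.get("Authorization") != "tok-123":
        return 401, {}
    if u.path == "/PasswordVault/API/auth/Logoff":
        return 200, {}
    if u.path == "/PasswordVault/API/Safes":        # two pages, one safe each
        if q.get("offset", "0") == "0":
            return 200, {"value": [{"safeName": "Linux-Root", "safeUrlId": "Linux-Root"}],
                         "count": 2, "nextLink": "API/Safes?offset=1&limit=500"}
        return 200, {"value": [{"safeName": "DB-Admins", "safeUrlId": "DB-Admins"}], "count": 2}
    if u.path.startswith("/PasswordVault/API/Safes/") and u.path.endswith("/Members"):
        n = 2 if "Linux-Root" in u.path else 1
        return 200, {"value": [{"memberName": f"member{i}"} for i in range(n)], "count": n}
    if u.path == "/PasswordVault/API/Accounts":
        return 200, {"value": [{"id": "12_3"}, {"id": "12_4"}, {"id": "15_9"}], "count": 3}
    return 403, {}


if __name__ == "__main__":
    # For a live check drop send=fake_send and pass ca_file=<Root CAs file path>.
    client = PvwaClient("https://pvwa.example.internal:443", send=fake_send)
    print(preflight(client, "databee-svc", "s3cret"))
    print(preflight(client, "databee-svc", "wrong"))
```

Run it with the real PVWA address as Base URL, the feed user's credentials, and the collector's Root CAs file as ca_file. If the result lists no safes, the user was not added to the groups that own the Safes the feed should read; a 401 points at the credentials or an expired password, a 403 at permissions. Because the script logs on with concurrentSession set, it does not invalidate the collector's own session, which plain PVWA logons with the same user would do.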
     

Troubleshooting Tips

  • A 401 response usually means incorrect credentials. Ensure the Username and Password are entered correctly and that the CyberArk user's password has not expired.

  • A 403 response usually means missing permissions. Ensure that all the required permissions are granted as described in the steps above and that the user is a member of the Safes it should read.

  • If your CyberArk PAM VM is up and running but you still see a 500 error, try stopping and restarting the data collector service.

  • If the Next button in step 7 of the DataBee Configuration steps is disabled, configure the data source without selecting Enable TLS and Skip Server-side Certification Verification. After the configuration is complete, edit the data source, select Enable TLS and Skip Server-side Certification Verification, and click Next.