CyberArk Integration Helpful Tips
The overall process of the CyberArk integration is like other PAM integrations, as follows:
- Tenable Vulnerability Management or Tenable Security Center passes the policy and credential values down to Tenable Nessus. This includes values such as the CyberArk host, port, object identifier, and client certificates.
- The Tenable Nessus scanner communicates with the CyberArk API, and the API returns the username, password, and/or SSH key required for target authentication.
- The scanner uses these values for target authentication.
Testing Connectivity with curl
Customers may test connectivity and API functionality using the curl command. CyberArk also documents curl commands in the Secrets Manager Documentation:
- Secrets Manager (Self-Hosted) REST APIs
- Secrets Manager SaaS REST APIs
This section contains two example commands, one to test login and one to test fetching a secret. The commands require substituting in site-specific values such as host, port, and API key. Refer to the scan configuration section for additional detail on these values.
Authentication
```sh
curl -s -X POST -d API_KEY -H 'Accept-Encoding: base64' \
  https://HOST:PORT/AUTH_BASE_URL/LOGIN_NAME/authenticate
```
Replace the command values with the values in the following table.
| Value | Replacement |
|---|---|
| API_KEY | The API key of the workload. |
| HOST | The secrets manager host. |
| PORT | The secrets manager port. |
| AUTH_BASE_URL | The authentication base URL. |
| LOGIN_NAME | The login name of the workload (for example, host/data/MyWorkload). |
For example, a CyberArk Secrets Manager SaaS configuration using a workload named "MyWorkload" would use:
```sh
curl -s -X POST -d API_KEY -H 'Accept-Encoding: base64' \
  https://CUSTOMER.secretsmgr.cyberark.cloud:443/api/authn/conjur/host%2Fdata%2FMyWorkload/authenticate
```
If successful, this command outputs a token, which is used in the next command.
Retrieve Secret
After authenticating, retrieve a secret from CyberArk Secrets Manager.
```sh
curl -X GET -H 'Content-Type: application/json' -H 'Authorization: Token token="TOKEN"' \
  https://HOST:PORT/BASE_URL/variable/CREDENTIAL_ID/password
```
Substitute the following values:
| Value | Replacement |
|---|---|
| TOKEN | The token obtained in the previous step. |
| HOST | The secrets manager host. |
| PORT | The secrets manager port. |
| BASE_URL | The base URL of the secrets API. |
| CREDENTIAL_ID | The full identifier of the credential (for example, data/vault/VAULT_NAME/CREDENTIAL_ID or data/USER). |
For example, a CyberArk Secrets Manager SaaS configuration that uses "Conjur Sync" would use the following command to fetch an account named UnixSSH-MyHost from the vault MyVault:
```sh
curl -X GET -H 'Content-Type: application/json' -H 'Authorization: Token token="TOKEN"' \
  https://CUSTOMER.secretsmgr.cyberark.cloud:443/api/secrets/conjur/variable/data/vault/MyVault/UnixSSH-MyHost/password
```
If successful, this command displays the password for UnixSSH-MyHost.