CyberArk credential storage integration

The MID Server integration with the CyberArk vault enables Orchestration, Discovery, and Service Mapping to run without storing any credentials on the instance.

CyberArk’s Application Identity Management (AIM) product uses the Privileged Account Security solution to eliminate the need to store application passwords embedded in applications, scripts or configuration files, and allows these highly-sensitive passwords to be centrally stored, logged and managed within the CyberArk vault. This approach enables organizations to comply with internal and regulatory requirements of periodic password replacement and to monitor activities associated with all types of privileged identities, whether on-premise or in the cloud.

The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier, credential type, and IP address from the instance, and then uses the CyberArk vault to resolve these elements into a usable credential.

The CyberArk integration requires the ServiceNow® External Credential Storage plugin, which is available by request.

The CyberArk integration supports these ServiceNow credential types:

- CIM
- JMS
- SNMP Community
- SSH
- SSH Private Key (with key only)
- VMware
- Windows

Orchestration activities that use these network protocols support the use of credentials stored on a CyberArk vault:

- SOAP (with basic authentication overrides)
- REST (with basic authentication overrides)
- JDBC
- SSH
- PowerShell
- JMS
- SFTP

Important: You cannot manage credentials stored on a CyberArk vault and a custom external credential storage system using the same MID Server. To use both types of external storage, install and configure a dedicated MID Server for each.

The MID Server must be installed on the same machine as the CyberArk AIM API/client.

Figure 1. CyberArk architecture

- Installed with the CyberArk integration: The External Credential Storage plugin installs specific components used by the CyberArk integration.
- How the MID Server handles Windows accounts on CyberArk: The MID Server must determine if the Windows credential it receives from CyberArk is a local or domain account.
- CyberArk integration configuration: These procedures include both CyberArk and ServiceNow configuration tasks, including references to the appropriate CyberArk documentation.
- MID Server logging for CyberArk: The MID Server logs any failures with CyberArk stored credentials in the agent log.