CyberArk credential storage integration

The MID Server integration with the CyberArk vault enables Orchestration, Discovery, and Service Mapping to run without storing any credentials on the instance.

CyberArk’s Application Identity Management (AIM) product uses the Privileged Account Security solution to eliminate the need to embed application passwords in applications, scripts, or configuration files, and allows these highly sensitive passwords to be centrally stored, logged, and managed within the CyberArk vault. This approach enables organizations to comply with internal and regulatory requirements of periodic password replacement and to monitor activities associated with all types of privileged identities, whether on-premises or in the cloud.

The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier, credential type, and IP address from the instance, and then uses the CyberArk vault to resolve these elements into a usable credential.

The CyberArk integration requires the ServiceNow® External Credential Storage plugin, which is available by request.

The CyberArk integration supports these ServiceNow credential types:
  • CIM
  • JMS
  • SNMP Community
  • SSH
  • SSH Private Key (with key only)
  • VMware
  • Windows
Orchestration activities that use these network protocols support the use of credentials stored on a CyberArk vault:

Important: You cannot manage credentials stored on a CyberArk vault and a custom external credential storage system using the same MID Server. To use both types of external storage, install and configure a dedicated MID Server for each. The MID Server must be installed on the same machine as the CyberArk AIM API/client.

Figure 1. CyberArk architecture