LogicMonitor stores sensitive information, including credentials and secrets, for hosts, devices, and services. The LogicMonitor Collector provides the integration with CyberArk as a Vault solution. For more information, see the CyberArk documentation.
The CyberArk Credential Provider provides multiple methods to authenticate applications. For more information, see CyberArk documentation on Application authentication methods and Add applications.
LogicMonitor Collector and CyberArk integration support the following methods for application authentication:
1. Allowed Machines
2. Path
3. Hash
4. Client Certificates
The CyberArk AIMWebService application is deployed on the IIS Server. Hence, LogicMonitor Collector and CyberArk integration support the following authentication methods of IIS:
1. Basic Authentication
You can log on to the Vault by using the password that is provided to you. After logging into the Vault, you must change your password for security purposes.
To integrate the CyberArk Vault with LogicMonitor Collector, see Integrating Credential Vault Properties.
The following table contains the collector agent configuration related to the Vault:
Vault properties, such as Vault Metadata and Vault Keys for the Collector, can be configured at the device or device group level.
CyberArk does not allow special characters, such as \ / : * ? " < > , to be used in Safe names and object names.
The following table lists the Vault Metadata properties.
Vault keys need to be specified at the device level with the suffix .lmvault. For example, the ssh.user credential should have its key specified as ssh.user.lmvault.
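Two pre-checks that follow from the naming rules above, written as an added example (not LogicMonitor's or CyberArk's code): one rejects a Safe or object name that contains any of the characters this page lists as forbidden, the other derives the .lmvault property key for a credential. It assumes the forbidden set is exactly the one listed on this page and that the suffix is literally ".lmvault"; the names passed to check_names at the bottom are constructed sample input.

```shell
# Added example (not LogicMonitor's or CyberArk's code): pre-checks for the two
# naming rules above. Assumed: the forbidden set is exactly \ / : * ? " < > as
# listed on this page; the suffix is literally ".lmvault".

# Return 0 when a Safe or object name contains none of the forbidden characters.
validate_vault_name() {
  name=$1
  [ -n "$name" ] || return 1
  # grep -q exits 0 on a match, so a match means the name is invalid
  if printf '%s' "$name" | grep -q '[\\/:*?"<>]'; then
    return 1
  fi
  return 0
}

# Derive the device-level property key that tells the Collector to resolve a
# credential through the Vault: ssh.user -> ssh.user.lmvault
to_lmvault_key() {
  case "$1" in
    *.lmvault) printf '%s\n' "$1" ;;        # already suffixed, leave unchanged
    *)         printf '%s.lmvault\n' "$1" ;;
  esac
}

# Print a verdict for each candidate name (constructed sample input below).
check_names() {
  for n in "$@"; do
    if validate_vault_name "$n"; then
      printf 'OK       %s\n' "$n"
    else
      printf 'INVALID  %s\n' "$n"
    fi
  done
}

check_names "LinuxHosts" "Prod/Linux" "db:admin" "web*"
to_lmvault_key ssh.user
```

Run it before creating Safes or device properties: a name flagged INVALID will be rejected by CyberArk, and a credential key without the .lmvault suffix will be treated by the Collector as an ordinary property rather than a Vault lookup.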
1. Multi-Safe support: Specify multiple Safes under a device to retrieve credentials from more than one Safe.
2. Multi-Vault support: You can use multiple vaults for the devices under the collector. Each of the devices can point to a single Vault.
3. You can call Vault API over HTTP or HTTPS. However, if you are calling the Vault APIs over HTTPS, you must configure the RootCA cert. For more information, see RootCA cert.
4. You must complete the CyberArk Authentication. For more information, see CyberArk Application Authentication Methods section.
Note: Device-specific cache is implemented at the Collector to avoid frequent requests to the Vault API.
You must configure the following CyberArk files at the requesting application side:
1. RootCA cert:
You must enable the Require SSL checkbox in order to include the RootCA cert file in the trust store of the requesting application's server.
To import the RootCA certificate into the collector's JRE default trust store (cacerts), use the following command:
keytool -importcert -file Path_For_Root_CA_Folder/RootCA.crt -alias CyberArkRootCA -keystore /usr/local/logicmonitor/agent/jre/lib/security/cacerts -storepass Store_Password
2. client.pfx file:
CyberArk provides a client.pfx file, which is a PKCS#12 file containing the client certificate and client key. The client certificate and client key must be present in the HTTP request to authenticate the application request to IIS. Because client.pfx is a key store containing both the client certificate and the client key, this file can be used directly to authenticate the collector's request to the Vault Service deployed on IIS.
To use the client.pfx file, set the following properties at the device/device group level in Santaba:
3. client.cert and client.pem files:
In addition to the client.pfx key store containing the client certificate and client key, CyberArk also provides the client.cert and client.pem files. These files can be used to create a custom key store, which can in turn be used to authenticate the application's/collector's request to the IIS server on which the Vault Credential Service is deployed.
To create the key store using the client.cert and client.pem files, use the following command:
openssl pkcs12 -export -in Client_Cert_Folder/client.crt -inkey Client_Key_Folder/client.pem -out myclient.pfx -passout pass:Store_Pass
Store_Pass: The password that protects the generated key store.
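The following script is an added example, not LogicMonitor's or CyberArk's code, and covers both the RootCA step and the key-store step above. It constructs a throw-away root CA and a client certificate signed by it as stand-ins for the files CyberArk hands out (RootCA.crt, client.crt, client.pem), verifies that the client certificate actually chains to that root before anyone imports it into the collector's trust store, packages the client key pair as PKCS#12 with the openssl pkcs12 command from the text, and reads the store back to confirm the expected certificate went in. The subject names, the store password and the temporary directory are all constructed values.

```shell
# Added example (not LogicMonitor's or CyberArk's code). All certificates, keys
# and the store password here are constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STORE_PASS=ExampleStorePass   # constructed value; use a real secret in practice

# Stand-in for CyberArk's RootCA.crt: a self-signed CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example CyberArk Root CA" \
    -keyout "$WORK/RootCA.key" -out "$WORK/RootCA.crt" 2>/dev/null
}

# Stand-ins for client.crt / client.pem: a key pair whose cert is signed by the CA.
make_test_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=LogicMonitor Collector" \
    -keyout "$WORK/client.pem" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/RootCA.crt" -CAkey "$WORK/RootCA.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null
}

# Check before adding a root to the collector's trust store: does the
# certificate we are about to rely on actually chain to that root?
verify_chain() {
  openssl verify -CAfile "$WORK/RootCA.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# The command from the text, applied to the constructed files.
build_pfx() {
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.pem" \
    -out "$WORK/myclient.pfx" -passout "pass:$STORE_PASS"
}

# Read the certificate back out of the store and compare SHA-256 fingerprints,
# so a mix-up between two client.crt files is caught before deployment.
pfx_matches_cert() {
  want=$(openssl x509 -in "$WORK/client.crt" -noout -fingerprint -sha256)
  got=$(openssl pkcs12 -in "$WORK/myclient.pfx" -passin "pass:$STORE_PASS" \
          -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Whole pipeline; prints "ok" only if every step succeeded.
run_pfx_demo() {
  make_test_ca && make_test_client && verify_chain && build_pfx && pfx_matches_cert \
    && printf 'ok\n' || printf 'failed\n'
}

run_pfx_demo
```

With real CyberArk files, replace make_test_ca and make_test_client by copying RootCA.crt, client.crt and client.pem into the working directory; verify_chain then tells you whether the root you are about to import with keytool is the one that issued your client certificate, and pfx_matches_cert confirms the resulting myclient.pfx carries that certificate before it is referenced from the device properties.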