CyberArk connector

Add a CyberArk connector to retrieve credentials from your CyberArk vault using the Central Credential Provider (CCP) service. Once connected, you can use these credentials to authenticate other integration types in DigiCert® Trust Lifecycle Manager, streamlining configuration and centralizing credentials management.

Before you begin

Before adding a CyberArk secrets manager connector in Trust Lifecycle Manager, make sure the following prerequisites are satisfied.

DigiCert prerequisites

Your account must include the Secrets managers category under Integrations > Connectors > Add connector. For help verifying or enabling this feature, contact your DigiCert account representative.
You need at least one active DigiCert sensor to securely establish and manage the connection to your secrets manager instance. To learn more, see Deploy and manage sensors.
For fault-tolerant connectivity, use multiple sensors to manage the connector. If one of the sensors fails, the connector automatically fails over to use one of the other sensors.

CyberArk prerequisites

Your CyberArk instance must be running the Central Credential Provider (CCP) service. You need to know the base URL for the CCP service, and it must be reachable by the DigiCert sensors on your network that will manage the integration.
You need an Application ID (AppID) in CyberArk Password Vault Web Access (PVWA) to use for integrating with Trust Lifecycle Manager.
The CyberArk AppID must be configured for client certificate-based authentication using the Certificate Serial Number authentication method. Specify the serial number for the authorized certificate in CyberArk, and have the client certificate on hand to use for configuring the connector in Trust Lifecycle Manager.
Configure the Allowed Machines setting for the CyberArk AppID to allow access from the outbound IP addresses of any DigiCert sensors you use to set up the connector.
For the CyberArk safe that stores the credentials to use in Trust Lifecycle Manager, add the AppID as a member with the List accounts and Retrieve accounts permissions at minimum.

Add CyberArk connector

To add a CyberArk connector in Trust Lifecycle Manager:

From the Trust Lifecycle Manager menu, go to Integrations > Connectors.
Select the Add connector button.
In the Secrets manager section, select the option for CyberArk.
Complete the form as described in the following steps.
Configure the general connector properties in the top section of the form:
- Name: Assign a friendly name to this connector.
- Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.
- Managing sensor: Select one or more active DigiCert sensors to manage the integration.
  Tip
  Selecting multiple sensors adds fault-tolerance to the integration. If one sensor fails, Trust Lifecycle Manager will automatically fail over and use one of the other sensors.
Configure the CyberArk access details in the Link instance section:
- Base URL: Enter the base URL for your CyberArk CCP service (for example, https://ccp.example.com).
- Application ID: Enter the name of the CyberArk AppID to use for the integration (for example, MyIntegrationsApp).
- Safe name: Enter the name of the CyberArk safe that stores the credentials (for example, PKI-Admin).
- Authentication certificate: Upload the client certificate used to authenticate the AppID entered above, as authorized via the Certificate Serial Number authentication method in CyberArk.
- Certificate passphrase: (Optional) If the authentication certificate is password-protected, enter the passphrase for it.
Select Add to create the CyberArk connector with the configured settings.

What's next

Once the CyberArk connection is established, you can select it when configuring authentication for F5 appliances or AWS Certificate Manager (ACM) in Trust Lifecycle Manager.
To reference specific credentials in the connected CyberArk instance, provide the managed account name using the format AccountName (for example, My-credentials).
When you manage or rotate credentials in CyberArk, the updated credentials are automatically applied wherever they're referenced in Trust Lifecycle Manager.

In this section: