Configure CyberArk PAM Integration

Last modified on August 18, 2023

Overview

CyberArk Privileged Access Manager (PAM) accounts facilitate access to privileged accounts on your resources. Information that is not considered secret (such as user names, where applicable) is stored with CyberArk as basic account properties. Secret information, such as passwords or private keys, is stored in CyberArk PAM Safes. This guide walks you through the steps to integrate CyberArk PAM as a secret store with StrongDM.

Secret Store integrations allow you to use your existing third-party secret stores with StrongDM. Your credentials stay in a tool you control: your gateways and relays fetch them from CyberArk when a connection is made, and they are never transmitted to StrongDM in any form. To learn more about Secret Store integrations and their usage, read the Secret Stores Reference.

Prerequisites

The following items are required to successfully integrate CyberArk PAM with StrongDM:

  • You must be an account administrator in StrongDM.
  • You need a healthy gateway or relay; the gateway or relay is the component that authenticates to the secret store.
  • You have existing resources whose access you currently manage via CyberArk PAM.
  • For each resource you add to StrongDM that uses CyberArk PAM for secrets management, you need the resource’s CyberArk account ID.

Configure CyberArk PAM

First, every gateway and relay that you intend to use to reach resources whose credentials live in CyberArk PAM must be configured to authenticate with CyberArk. Because of the way CyberArk identifies users and manages seats, each of those gateways and relays must be set up in CyberArk as its own user with its own credentials. Once this is done, those gateways and relays can authenticate to CyberArk and fetch the credentials required to connect a user to a protected resource.

On each gateway or relay, set the environment variables PAM_USERNAME and PAM_PASSWORD to that gateway’s or relay’s CyberArk user credentials. Treat these values like any other privileged credential: they grant the host the ability to retrieve every secret the CyberArk user can read, so restrict read access to the file or service definition that holds them. You can also set PAM_TLS_SKIP_VERIFY=true to skip certificate verification if the CyberArk instance doesn’t have a valid certificate. Note that this disables TLS validation for the CyberArk connection entirely, which exposes both the PAM credentials and every fetched secret to anyone who can intercept traffic between the gateway and CyberArk; prefer to install a certificate the gateway trusts (or add the issuing CA to the gateway host’s trust store) and leave verification on.
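The following shell script is an added example of how an operator might stage these variables on a Linux gateway host; it is not StrongDM’s or CyberArk’s own code. It writes the PAM_* variables to a root-only environment file, only emits PAM_TLS_SKIP_VERIFY when explicitly asked to, and includes a helper that checks whether the CyberArk endpoint’s certificate chain already verifies (so you can fix trust instead of skipping verification). The systemd service name and drop-in path are assumptions; check yours with `systemctl list-units` before using the install step.

```shell
#!/bin/sh
# Added example (not from the StrongDM page): stage CyberArk credentials for a
# StrongDM gateway/relay host as an EnvironmentFile consumed by a systemd drop-in.
# ASSUMPTIONS: the service is called "sdm-proxy" and reads the drop-in below;
# verify the real unit name on your host before running sdm_install_dropin.

SDM_UNIT="${SDM_UNIT:-sdm-proxy}"   # assumed unit name, override via env

# write_pam_env DIR USERNAME PASSWORD [SKIP_TLS]
# Creates DIR/pam.env with mode 0600 containing PAM_USERNAME and PAM_PASSWORD.
# PAM_TLS_SKIP_VERIFY=true is written only when the 4th argument is exactly
# "true", so a typo or stray value cannot silently disable certificate checks.
write_pam_env() {
  dir=$1; user=$2; pass=$3; skip=${4:-false}
  (
    umask 077                      # new files are created 0600, in a subshell
    mkdir -p "$dir"                # so the caller's umask is untouched
    rm -f "$dir/pam.env"           # never inherit looser perms from an old file
    {
      printf 'PAM_USERNAME=%s\n' "$user"
      printf 'PAM_PASSWORD=%s\n' "$pass"
      [ "$skip" = "true" ] && printf 'PAM_TLS_SKIP_VERIFY=true\n'
      :                            # keep the group's exit status at 0
    } > "$dir/pam.env"
  )
}

# ccp_cert_ok HOST[:PORT]
# Returns 0 if the TLS chain presented by the CyberArk endpoint verifies against
# the host's trust store. Requires network access; run this before deciding
# whether PAM_TLS_SKIP_VERIFY is really needed (usually it is not: add the CA).
ccp_cert_ok() {
  target=$1
  case "$target" in *:*) ;; *) target="$target:443" ;; esac
  printf '' | openssl s_client -connect "$target" -verify_return_error >/dev/null 2>&1
}

# sdm_install_dropin ENVFILE
# Points the (assumed) sdm-proxy unit at the environment file and restarts it.
sdm_install_dropin() {
  envfile=$1
  d="/etc/systemd/system/${SDM_UNIT}.service.d"
  mkdir -p "$d"
  printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$d/10-cyberark.conf"
  systemctl daemon-reload && systemctl restart "$SDM_UNIT"
}

# Typical use on the gateway host (as root):
#   write_pam_env /etc/sdm 'sdm-gw-01' "$(cat /root/cyberark.pass)"
#   ccp_cert_ok ccp.example.internal || echo 'fix CA trust before enabling'
#   sdm_install_dropin /etc/sdm/pam.env
```

Each gateway and relay gets its own CyberArk user, so run this once per host with that host’s credentials; do not copy one pam.env to every gateway.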

Set up the Secret Store in StrongDM

Next, set up CyberArk integration as a secret store in StrongDM.

  1. In the Admin UI, go to Network > Secret Stores.
  2. Click Add secret store.
  3. Give the secret store a name that is recognizable within your organization, such as “CyberArk PAM.”
  4. Choose CyberArk PAM as the secret store type.
  5. For the application URL, enter the address of the Windows server that hosts your Central Credential Provider. Use the HTTPS address whose certificate your gateways and relays trust, so that you do not need to disable certificate verification.

Connect to a StrongDM Resource

Now that you have configured your gateways or relays to authenticate to CyberArk and you have set up the secret store within StrongDM, you should be able to use CyberArk PAM when adding resources to StrongDM. The following steps provide an example of how to connect to a database resource using CyberArk PAM.

  1. From the Admin UI, go to Infrastructure > Datasources.
  2. Click Add datasource.
  3. Enter the properties for your database resource.
  4. From the Secret Store dropdown menu, select the CyberArk PAM option.
  5. In the Username (path) field, enter the path to retrieve the username, in the format <ACCOUNT_ID>?key=username, where <ACCOUNT_ID> is the CyberArk account ID of your resource.
  6. In the Private Key (path) field, enter the path to retrieve the password, in the format <ACCOUNT_ID>?key=password, using the same CyberArk account ID.
  7. When all required fields are complete, click Create.

When the resource is ready, the Health icon shows a positive, green status. A red status at this point usually means the gateway or relay could not authenticate to CyberArk or could not read the account, so check the PAM_* variables and the account ID in the paths first.

At this point, any StrongDM user in your organization who has been granted access to this resource should be able to access it.