Connect Secrets Hub to PAM - Self-Hosted
This topic describes how to connect Secrets Hub to PAM - Self-Hosted in order to sync secrets in AWS Secrets Manager or in Azure Key Vault.
Overview
The first step of setting up Secrets Hub for syncing secrets is to establish a connection between Secrets Hub and your PAM - Self-Hosted solution with which you want to sync. You do this by installing a connector. The connector includes a CyberArk Management agent, which facilitates the communication between Secrets Hub and PAM - Self-Hosted. For details on the connector requirements, see Connector requirements.
To give Secrets Hub access to the Safes and CyberArk accounts that hold the secrets you want to sync, you need to create a Secrets Hub service user with the relevant permissions in Secrets Hub.
The first time that you open Secrets Hub, you see the introduction page.
This page guides you through the steps for onboarding to Secrets Hub. The first step, Configure PAM Self-Hosted, is described in the following procedures.
Prerequisites
Log on to the connector host
Log on to the connector host that you prepared in Connector requirements as a local administrator.
Add a connector in Connector Management
PAM - Self-Hosted requires a dedicated connector. To support Microsoft Azure, install a separate connector.
To perform this task you need to be a member of the Connector Management Admin role in ISPSS. Make sure that your CyberArk admin added you to this role before you proceed.
- Click the service picker, and select Connector Management.
- On the Connectors page, click Add a connector.
- In the Add connector wizard, on the Define installation details tab, define the following details for the Management Agent on the host machine:
  Installation location: Define the installation location on the host machine.
  - Default location. The Management Agent is installed by default in C:\Program Files. If your \Program Files folder is located on another drive, it is installed there.
  - Custom location. Optionally, enter a full path to an alternative installation folder. In the Installation path field, enter the full path in English, including drive and folder path, for example, D:\Program.
  In both cases the Management Agent is installed in the subfolder \CyberArk\Management Agent of the selected location, and the folder name must be in English.
  Pool configuration: In the Advanced settings section, the connector is assigned by default to the Connector pool. This enables high availability for components that support this option, are assigned to the pool, and are assigned to the same network targets.
  For Secrets Hub with Azure: cancel the default pool assignment.
- Click Next.
- On the Copy installation script tab, review the connector settings you defined:
  Setting | Value
  ---|---
  Installation location | The default \Program Files folder, or a custom installation folder
  Assigned to pool | Yes/No
  Click Copy script to copy the installation script for pasting later on the connector host machine. The script is available for 5 minutes. Optionally:
  - Click Renew to extend the script availability by an additional 5 minutes.
  - Click Preview to view the script format.
  Click Close.
- On the Windows instance you are using as the connector host, paste the installation script into a PowerShell command window and run it. The installation script is valid for 5 minutes.
- In the Connector Management service, click Connectors. The Connector list displays all connectors in the system and their details; you can filter the list by the main connector characteristics to display a shortlist of the required connectors. In the connector list, click the newly added connector and verify that the Management Agent is installed.
Step 1: Configure PAM Self-Hosted in Secrets Hub
- In Secrets Hub, on the introduction page, click Configure PAM Self-Hosted.
- On the Select a connector page, select the connector that you added in Add a connector in Connector Management, and then click Next.
Step 2: Verify the trust between the connector and PVWA
Verify that trust was established between the connector you installed and PVWA so that Secrets Hub can access PVWA.
On the connector host, run the following PowerShell command with the relevant parameters:
Invoke-WebRequest -Uri https://<PVWA_Domain>/passwordvault
This command makes an HTTPS request to the PVWA machine.
If the trust exists, you do not receive an error and you can proceed to the next step.
If you receive the following error:
The underlying connection was closed, Could not establish trust relationship for the ssl/tls secure channel
Add the PVWA certificate to the connector machine’s Trust Store, and then run the verification script again.
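As an added example (not the documentation's own command), the following PowerShell script runs the same trust check and, when it fails, captures the certificate that PVWA presents and builds its chain against the connector host's certificate stores, so you can tell whether the problem is a missing root or intermediate CA in the trust store, an expired certificate, or a host name that the certificate does not cover. It assumes $PvwaDomain is the PVWA (or load balancer) host name you enter in Step 3.

```powershell
# Added example, not the documentation's command: runs the Step 2 trust check and, on failure,
# reports which link of the PVWA certificate chain this connector host does not trust.
# Assumption: $PvwaDomain is the PVWA (or load balancer) host name used in Step 3.
param([Parameter(Mandatory)][string]$PvwaDomain)

function Test-PvwaTrust {
    param([string]$HostName)
    try {
        # Same request as the documentation; an HTTP error status still means TLS trust succeeded.
        $null = Invoke-WebRequest -Uri "https://$HostName/passwordvault" -UseBasicParsing -ErrorAction Stop
        return 'Trusted'
    } catch {
        $e = $_.Exception
        if ($e.Status -eq 'TrustFailure' -or $e.Message -match 'trust relationship' -or
            $e.InnerException -is [System.Security.Authentication.AuthenticationException]) { return 'TrustFailure' }
        return "OtherError: $($e.Message)"
    }
}

function Get-PvwaCertificateReport {
    param([string]$HostName)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        # Accept whatever the server presents here: the certificate is only captured for inspection.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $err) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }
    # Build the chain against this machine's certificate stores to see which link fails.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        DnsNames    = ($cert.DnsNameList.Unicode -join ', ')   # one of these must cover $HostName
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        # UntrustedRoot or PartialChain: the trust store lacks the issuing CA (the Step 2 fix);
        # NotTimeValid: the certificate is expired or not yet valid and must be reissued.
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

$result = Test-PvwaTrust -HostName $PvwaDomain
"Trust check: $result"
if ($result -eq 'TrustFailure') { Get-PvwaCertificateReport -HostName $PvwaDomain | Format-List }
```

Run it on the connector host as in Step 2; after importing the certificate into the machine's trust store, run it again and confirm the result is Trusted and ChainStatus is empty.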
Step 3: Configure PAM - Self-Hosted
On the Configure PAM Self-Hosted page, in the PAM Self-Hosted details section, enter your PAM - Self-Hosted details:
- The URL of your PAM - Self-Hosted PVWA, or of the load balancer for the PVWA.
- A name for your PAM - Self-Hosted. This is the name that is displayed in Secrets Hub.
Step 4: Create a service user
The Secrets Hub service user is a CyberArk system user that is used to authenticate to PAM - Self-Hosted and get secrets from the Safes.
To create a service user you need the following permissions in the CyberArk Vault:
- Add Users
- Update Users
There are various methods for creating a user in PAM - Self-Hosted. We recommend using one of the following methods:
- PowerShell: On the Configure PAM Self-Hosted page, in the Secrets Hub service user section, select the PowerShell tab to display the command. Follow the instructions on the screen to create the service user that Secrets Hub will use to access Safes and secrets in PAM - Self-Hosted. When you create the service user you provide an initial password; this password is managed (rotated) by Secrets Hub.
- cURL: On the Configure PAM Self-Hosted page, in the Secrets Hub service user section, select the cURL tab to display the command. Follow the instructions on the screen to create the service user that Secrets Hub will use to access Safes and secrets in PAM - Self-Hosted. When you create the service user you provide an initial password; this password is managed (rotated) by Secrets Hub.
- REST API: Follow the instructions in Add user to run the API. Use the following parameter values:
  Parameter | Value
  ---|---
  username | SecretsHub
  UserType | DAPService
  authenticationMethod | AuthTypePass
  enableUser | true
  initialPassword | Enter an initial password. This password is managed (rotated) by Secrets Hub.
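As an added example (not the command displayed in the Secrets Hub UI), the following PowerShell script creates the service user through the PVWA REST API with the parameter values from the table, prompting for the initial password rather than embedding it, and checks the returned object before the account is handed to Secrets Hub. It assumes $PvwaUrl is the PVWA URL from Step 3, that $AdminCredential holds the Add Users and Update Users permissions, and that the Logon, Users and Logoff endpoint paths are those of the PVWA REST API that Add user refers to; this page does not print them.

```powershell
# Added example, not the command shown in the Secrets Hub UI: creates the Secrets Hub
# service user through the PVWA REST API with the parameter values from the table.
# Assumptions: $PvwaUrl is the PVWA URL from Step 3; $AdminCredential holds the Add Users
# and Update Users permissions; endpoint paths are those of the PVWA REST API (Logon,
# Add user, Logoff), which this page refers to but does not print.
param(
    [Parameter(Mandatory)][string]$PvwaUrl,
    [Parameter(Mandatory)][pscredential]$AdminCredential
)

$base = $PvwaUrl.TrimEnd('/') + '/PasswordVault/API'
$json = 'application/json'

# Prompt for the initial password instead of hardcoding it; Secrets Hub rotates it afterwards.
$initialSecure = Read-Host -Prompt 'Initial password for the SecretsHub user' -AsSecureString
$initialPlain  = [System.Net.NetworkCredential]::new('', $initialSecure).Password

# 1. Log on with CyberArk authentication. Certificate validation stays on (see Step 2);
#    the response body is the session token used in the Authorization header.
$logon = @{
    username = $AdminCredential.UserName
    password = $AdminCredential.GetNetworkCredential().Password
} | ConvertTo-Json
$token   = Invoke-RestMethod -Method Post -Uri "$base/auth/CyberArk/Logon" -ContentType $json -Body $logon
$headers = @{ Authorization = $token }

try {
    # 2. Add the user with the documented values. authenticationMethod is a list in this API.
    $body = @{
        username             = 'SecretsHub'
        userType             = 'DAPService'
        authenticationMethod = @('AuthTypePass')
        enableUser           = $true
        initialPassword      = $initialPlain
    } | ConvertTo-Json
    $user = Invoke-RestMethod -Method Post -Uri "$base/Users" -Headers $headers -ContentType $json -Body $body

    # 3. Check the returned object before pointing Secrets Hub at the account.
    if ($user.username -ne 'SecretsHub' -or $user.userType -ne 'DAPService' -or -not $user.enableUser) {
        throw "User was not created as expected: $($user | ConvertTo-Json -Compress)"
    }
    "Created service user '$($user.username)' (id $($user.id)); enter the initial password in Secrets Hub."
}
finally {
    # 4. Always close the session and drop the plaintext copies of the password.
    Invoke-RestMethod -Method Post -Uri "$base/auth/Logoff" -Headers $headers | Out-Null
    $initialPlain = $null
    $body = $null
}
```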
When you are done, click Configure to establish the first connection between Secrets Hub and PAM - Self-Hosted.