Integrate Edge with a CyberArk Vault

You can integrate your Edge site with your existing CyberArk Vault to more easily and securely manage your data source information and set up your Edge site connections. In this topic, we review how to set up the integration between your Edge site and your existing vault.

Note There are a few limitations with the CyberArk Vault integration:
  • Forward proxies are not supported. There must be a direct connection between your Edge site and CyberArk.
  • You can only use scalar values.
  • Pass phrase protected certificates are not currently supported.

Use the steps below based on your vault authentication method for Edge sites installed on bundled k3s.

You can integrate your Edge site with your CyberArk Vault using one of the following authentication methods:

mTLS authentication

Prerequisites

On your local server

  • You installed your Edge site.
  • You installed and configured the Edge CLI tool.
  • You have access to the data source that will use the vault credentials.

In your Collibra environment

In your vault platform

  • You have a CyberArk Vault.
  • Your CyberArk Vault is configured with either Allowed machines (allow-list) or Client certificates (mTLS).
  • You can administer CyberArk secrets. This includes the ability to do the following in your CyberArk Vault:
    • Create
    • Edit
    • Delete
    • Rotate credentials
  • Your CyberArk Credential Provider has GetPassword Web Service available in /AIMWebService.
  • If you use a --caPath, it must be in the X.509 format (PEM encoded).
  • If you use a --certPath, it must be in the X.509 format (PEM encoded).
  • If you use a --keyPath, it must be in the PKCS#8 format (PEM encoded).

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the mTLS authentication method.
    sudo ./edgecli vault create cyber tls <name> \
      --desc <description> \
      --appId <appId> \
      --url <url> \
      --caPath <caPath> \
      --certPath <certPath> \
      --keyPassword <keyPassword> \
      --keyPath <keyPath>
    ./edgecli vault create cyber tls <name> \
      --desc <description> \
      --appId <appId> \
      --url <url> \
      --caPath <caPath> \
      --certPath <certPath> \
      --keyPassword <keyPassword> \
      --keyPath <keyPath>
    Parameter: Description
    <name> (required): The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
      Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <description> (optional): The description of the vault instance. The maximum character length is 150.
    <appId> (required): The application ID configured on the CyberArk server.
    <url> (required): The URL of your CyberArk Vault.
      Note You can specify different service paths if you have multiple virtual applications in IIS. For example, if your CyberArk URL is https://1.2.3.4 but you have a virtual application in AIMWebService/api/Accounts, you would configure the URL to be https://1.2.3.4/AIMWebService/api/Accounts
    <caPath> (required): The file containing the Certificate Authority. It must be in the X.509 format (PEM encoded).
    <certPath> (required): The file containing the Client Certificate. It must be in the X.509 format (PEM encoded).
    <keyPassword> (optional): The password for the Client Private Key file.
    <keyPath> (required): The file containing the Client Private Key. It must be in the PKCS#8 format (PEM encoded).
  2. Go to your Edge site to confirm the new vault is available in the Vaults tab.

Allow-list authentication

Prerequisites

On your local server

  • You installed your Edge site.
  • You installed and configured the Edge CLI tool.
  • You have access to the data source that will use the vault credentials.

In your Collibra environment

In your vault platform

  • You have a CyberArk Vault.
  • Your CyberArk Vault is configured with either Allowed machines (allow-list) or Client certificates (mTLS).
  • You can administer CyberArk secrets. This includes the ability to do the following in your CyberArk Vault:
    • Create
    • Edit
    • Delete
    • Rotate credentials
  • Your CyberArk Credential Provider has GetPassword Web Service available in /AIMWebService.
  • If you use a --caPath, it must be in the X.509 format (PEM encoded).

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the allow-list authentication method.
    sudo ./edgecli vault create cyber allow-list <name> \
      --desc <description> \
      --appId <appId> \
      --url <url> \
      --caPath <caPath>
    ./edgecli vault create cyber allow-list <name> \
      --desc <description> \
      --appId <appId> \
      --url <url> \
      --caPath <caPath>
    Parameter: Description
    <name> (required): The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
      Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <description> (optional): The description of the vault instance.
    <appId> (required): The application ID configured on the CyberArk server.
    <url> (required): The URL of your CyberArk Vault.
      Note You can specify different service paths if you have multiple virtual applications in IIS. For example, if your CyberArk URL is https://1.2.3.4 but you have a virtual application in AIMWebService/api/Accounts, you would configure the URL to be https://1.2.3.4/AIMWebService/api/Accounts
    <caPath> (required): The file containing the Certificate Authority. It must be in the X.509 format (PEM encoded).
  2. Go to your Edge site to confirm the new vault is available in the Vaults tab.
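As an added pre-flight check (example code written for this page, not part of the Collibra Edge CLI or of CyberArk), the POSIX shell functions below confirm that the files you are about to pass as --caPath, --certPath and --keyPath carry the PEM encodings the prerequisites of both the mTLS and the allow-list procedures require, so a mis-encoded key is caught before the vault entry is created. The file names in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight format check for the files passed to
#   edgecli vault create cyber tls        --caPath --certPath --keyPath
#   edgecli vault create cyber allow-list --caPath
# Required encodings (from the prerequisites):
#   caPath, certPath : X.509 certificate, PEM  -> "-----BEGIN CERTIFICATE-----"
#   keyPath          : PKCS#8 private key, PEM -> "-----BEGIN PRIVATE KEY-----"
#                      or "-----BEGIN ENCRYPTED PRIVATE KEY-----" (used with --keyPassword)
# PKCS#1 ("BEGIN RSA PRIVATE KEY") and SEC1 ("BEGIN EC PRIVATE KEY") headers are not
# PKCS#8 and are rejected. Only the PEM header lines are inspected; nothing from the
# files is printed.

# pem_has FILE LABEL -> 0 if FILE contains a "-----BEGIN LABEL-----" line
pem_has() {
    grep -q "^-----BEGIN $2-----" "$1" 2>/dev/null
}

# check_x509 FILE -> 0 if FILE is a PEM-encoded X.509 certificate
check_x509() {
    pem_has "$1" "CERTIFICATE"
}

# check_pkcs8 FILE -> 0 if FILE is a PEM-encoded PKCS#8 key, plain or encrypted
check_pkcs8() {
    pem_has "$1" "PRIVATE KEY" || pem_has "$1" "ENCRYPTED PRIVATE KEY"
}

# check_vault_files CA [CERT KEY] -> 0 only if every file given has the required
# encoding (CA alone for allow-list; all three for mTLS). Prints one line per problem.
check_vault_files() {
    rc=0
    check_x509 "$1" || { echo "caPath $1: not a PEM X.509 certificate"; rc=1; }
    if [ $# -ge 3 ]; then
        check_x509 "$2" || { echo "certPath $2: not a PEM X.509 certificate"; rc=1; }
        if ! check_pkcs8 "$3"; then
            echo "keyPath $3: not a PEM PKCS#8 key"
            # a PKCS#1/SEC1 key can be re-wrapped as PKCS#8 without changing the key material
            echo "  hint: openssl pkcs8 -topk8 -nocrypt -in $3 -out client.pk8"
            rc=1
        fi
    fi
    return $rc
}

# Example invocation (file names are constructed for illustration):
#   check_vault_files ca.pem client.pem client.key && \
#     ./edgecli vault create cyber tls <name> --caPath ca.pem --certPath client.pem --keyPath client.key ...
```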

What's next

  • You can now set up an Edge connection with your CyberArk Vault.
  • You can retrieve and review the configuration details of your vault integrations.
  • You can edit your vault integration configuration.

Helpful resources

For more information about how to configure your CyberArk Vault integration, go to the following CyberArk resources: