CyberArk® CCP Integration

The Central Credential Provider (CCP) is the agentless AAM method used to integrate with CyberArk allowing UiPath to securely retrieve credentials from a vault without deploying an agent on the server. A client certificate is necessary to ensure secure retrieval of the credential.

Before you can begin to use CyberArk® CCP credential stores in Orchestrator, you must first set up the corresponding application and safe settings in the CyberArk® PVWA (Password Vault Web Access) interface.

Prerequisites

A network that allows for interconnectivity between the Orchestrator service and the CyberArk server.
CyberArk® Central Credential Provider must be installed on a machine that allows HTTP connections.
CyberArk® Enterprise Password Vault

For more information about installing and configuring CyberArk® applications, please visit their official page.

Configuring the Integration

From the CyberArk® PVWA, you must perform the following steps:

Creating an Orchestrator application

In CyberArk®’s PVWA, log in with a user with permissions to manage applications (it requires Manage Users authorization).
In the Applications tab, click Add Application. The Add Application window is displayed.
On the Add Application window, specify the following information:
- Name field - a custom name for the application, such as Orchestrator.
- Description - a short description to help you specify the purpose of the new application.
- Location - the path of the application within the Vault hierarchy. If a location is not specified, the application is added in the same location as the user who is creating this application.
Click Add. The application is added, and its details are displayed on the Application Details page.
Select the Allow extended authentication restrictions checkbox.
Supported authentication method:
- Allowed machines
- OS User
- Client Certificates - the client certificate used for the CyberArk authentication should be at least 2048 bits
Configure the authentication method. For example, in the Authentication tab, click Add > Certificate Serial Number, and add the unique identifier of the client certificate, used to authenticate the requesting application against CCP.

Creating an Orchestrator Safe

Safes are required to help you better manage your accounts. Also, you can add safe members to ensure proper authorization. CyberArk® recommends adding a credential provider (a user with full rights over the credentials can add and manage them) and the previously created application as safe members. The latter enables Orchestrator to find and retrieve the passwords stored in the safe.

In the Policies tab, under the Access Control (Safes) section, click Add Safe. The Add Safe page is displayed.
Fill in the Safe Name field and Description fields.
Click Save. The Safe Details window is displayed.
In the Members section, click Add Member. The Add Safe Member window is displayed.
Search for the previously created application (steps 2-6), and select the following permissions for it:
- View Safe Members
- Retrieve accounts
- List accounts
- Access Safe without Confirmation - Only if you are using a dual control environment and a v7.2 or lower PIM-PSM.
  
  If you install multiple credential providers for this integration, it is recommended to create a group for them and add the group to the Safe once with the above authorization.
Click Add. Your integration is complete, and you can begin provisioning CyberArk® credential stores in Orchestrator.