CyberArk Integration - KB

Pluggable credential store: CyberArk integration and communication

Cloud Platform: In the UiPath Cloud Platform, only Azure Key Vault and the Orchestrator database are supported. Other pluggable credential stores, including CyberArk, are not currently supported.

By default, when connecting a Robot to Orchestrator, one is required to provide the Robot with the Windows login details (username and password) of the user it is going to use to connect to the machine. The credentials are stored in Orchestrator's database using 256-bit encryption.

However, to keep and manage them in a third-party enterprise-grade credential store, one can also store them in CyberArk® Enterprise Password Vault®. Please keep in mind that CyberArk® is not a free service. Attended Robots can only be triggered manually in an existing Windows session, so they do not require the credentials.

Starting with the UiPath Platform V2019.10 (LTS) release, one can:

  • configure CyberArk per tenant (for example, different stores for robots and assets).
  • use the Orchestrator database and CyberArk stores side by side.
  • store the credentials required to log in to target applications during automation (also called Assets in Orchestrator) in CyberArk.

For a list of the CyberArk versions supported by us, click here.

For more details on how to set this up please follow this link.

CyberArk has developed two plug-ins for UiPath Orchestrator, for the CPM (Central Policy Manager) product and the PSM (Privileged Session Manager) product, which are available in their marketplace.

Some responses from Slack
  • Description of communication flows (including protocols and ports) in the CyberArk integration:

    Orchestrator communicates with the CyberArk® AAM (Application Access Manager) installed locally via API functions. The AAM app then communicates with the CyberArk instance. More information on how AAM and the CyberArk instance communicate can be obtained from CyberArk, as we do not control it. We only send API calls to AAM, which most likely creates WebService calls to the CyberArk instance.

  • Are the API calls via 443?

    No, they are programmatic functions via the CyberArk AAM SDK. Therefore, the AAM is installed on the Orchestrator nodes, so we can run the calls using the libraries from AAM.