To configure the Cloud Agent for Database Authentication, your system must meet the following requirements:
1. Cloud Agent Version: Windows Cloud Agent version 6.0 or later.
2. Subscriptions: Cloud Agent must be activated for the Policy Compliance and Middleware Assessment applications.
3. Database Server: Microsoft SQL Server 2014, 2016, 2019, or 2022 must be installed.
4. CyberArk: CyberArk Credential Provider (CP) or CyberArk Central Credential Provider (CCP) is required to fetch the SQL Server authentication credentials from Vault.
5. CyberArk Vault: An application ID with the name QualysAgent must be created in the CyberArk Vault.
6. SQL Server authentication credentials must be stored in the CyberArk Vault, with required access permissions assigned.
7. Store the username for a Windows domain user account in the CyberArk Vault using the User Principal Name (UPN) format, which includes the domain username and DNS domain name e.g., UserName@DNSDomainName.
8. Certificate Installation: Install the C:\Program Files\CyberArk\ApplicationPasswordSdk\CPasswordSDK64.dll certificate in the Trusted Root Certification Authorities to enable DLL signature verification by the Qualys Cloud Agent.
Note: If the optional username input value provided in the new assessment does not match the username stored in the vault, the database assessment is skipped.
CyberArk Application Access Manager (AAM) must be installed as it is necessary for the Qualys cloud agent to fetch the SQL Server Authentication credentials from CyberArk Vault.
For database authentication using CyberArk, Qualys is currently supporting the following cobination for CP.
| Windows Platform | Vault (On-premise) | PVWA | SDK/CyberArk AAM | Credential Provider |
| All Windows platforms with SQL Support | 13.2.4 | 9.10 | 13.0.0.6 | 13.0.2 |
1. CyberArk SSL Certificates must be installed in the Trusted Root Certification Authorities and Intermediate Certification Authorities Stores.
2. Central Credential Provider REST Web Service URL must be accessible.
3. If the proxy is enabled in the network settings, bypass the CCP URL from proxy. Open Proxy settings and update the CCP URL name to bypass the proxy.
4. If the CCP REST Web Service URL is not accessible, update the Hosts file with "<IP Address> <URL Name>" and save the file. Navigate to C:\Windows\System32\drivers\etc to access the host file.
5. Ensure that username for assessment profile matches with the username provided while creating a vault connection. If the username specified for an assessment profile does not match with the username specified for the vault connection, the database assessment is skipped.
Important: The certificate of C:\Program Files\CyberArk\ApplicationPasswordSdk\CPasswordSDK64.dll must be installed in the trusted root certification authorities for DLL signature verification by the Qualys Cloud Agent.