CyberArk PIM Suite Integration

CyberArk PIM Suite must be installed and properly configured. Be sure to check network connectivity between the scanner appliance and the safe which contains the system login credentials.

Click here to find out how how it worksClick here to find out how how it works

- Qualys scanner calls a password query API provided by the CyberArk SDK.

- CyberArk SDK library initiates a TCP connection to an EPV server, sends a password query to this server and returns a password.

- All connection specifics are handled internally by the CyberArk library. The protocol is proprietary and developed by CyberArk.

- TCP port is defined in your CyberArk authentication record, and the default port number is 1858.

- Whatever routing is set up for the scanner appliance LAN interface is used to connect to scan targets and vaults. CyberArk EPV server LAN and VLAN configurations are not used.

Account Requirements

Add a dedicated account within your CyberArk PIM Suite environment with access to the safe which contains the system login credentials to be used for scanning. When creating this account, be sure to assign these settings:

Clear (uncheck) the check box "User Must Change Password at Next Logon".

Grant the privilege "Retrieve files from safe" for the safe containing the login credentials.

For compliance scans to Cisco devices, you must configure the user account in such a way that the "enable" command enters the privileged shell automatically without prompting for a 2nd password.

Authorized Interface "PAPI" is Required

The "PAPI" authorized interface must be enabled for your CyberArk license. This interface allows your CyberArk PIM Suite environment to accept external API calls from our security service. Follow these steps to confirm "PAPI" is enabled:

1) Go to Tools > Administrative Tools > Users and Groups.

2) Select the user account and click the "Update" button.

3) Next to the "User type" field, click the "Authorized Interfaces" button to view the authorized interfaces for the user type displayed.

4) Check to be sure "PAPI" is included in the list of authorized interfaces. If not, please contact your CyberArk representative to enable PAPI support for your license.

Required Safe Ownership Permissions

The following permissions for safe ownership are required. Follow these steps to check the safe ownership permissions and update if needed:

1) Go to Tools > Administrative Tools > Users and Groups.

2) Select the user account and click the "Safe Ownership" button.

3) Select the relevant safe from the "Available Safes" list and check the permissions. These permissions must be checked: "Monitor Safe" and "Retrieve files from Safe".

4) Move the safe to the "Owner Of" list on the left. You'll notice the authorizations at the bottom of the popup: List, Retrieve, View, Audit, View Owners, User Password.