DataPower

Hi All,

If any one have onboarded Datapower to cyberArc for password Management? 

Is it possible? If yes please share some insights about it.

Thanks,

Sourabh

Yes, and there are a few ways to go about doing it.  Some are good, others, well, it is what it is!   This really depends upon what your security requirements are:

• You can use a jump box.  Log into the jump box with CyberArk and have a CyberArk PSM fire up a browser window on that box.  From there you log into DataPower.
• Use a jump box and have CyberArk jump you, fire up the browser and log in.  For this, you'd definitely need to setup RBM to accept the login via LDAP/AD and handle it custom.
• CyberArk has a module called AIM (I think that's the name of it), where you can invoke a script that logs you or a tool into DataPower.  That is, say you're using an external tool, script, what have you.  That tools acts as your surrogate for logging into the appliances.  You can have your script call out to the CyberArk API to fetch your current password which can then be used to log into the appropriate management interface (RMI, XMI, etc.).  Again, your DataPower RBM needs to be pretty solid.
• You can configure CyberArk to change local account passwords on the appliances and then use one of the above to methods to log in.  This way, you don't necessarily need a custom RBM.

On that last one, I never had the guts to allow CyberArk to change the "admin" password for fear that if CyberArk failed with some kind of bug, we may not have any clue as to what the password might be.  Of course, we could always use a backup account to recover, but security generally wants that one equally protected.   I would suggest if you have CyberArk changing on-board passwords, you make sure you have a backup account that auto changes at an alternative time to enable one to be able to recover the on-board passwords, especially "admin".

Hi All,

If any one have onboarded Datapower to cyberArc for password Management? 

Is it possible? If yes please share some insights about it.

Thanks,

Sourabh

Yes, and there are a few ways to go about doing it.  Some are good, others, well, it is what it is!   This really depends upon what your security requirements are:

• You can use a jump box.  Log into the jump box with CyberArk and have a CyberArk PSM fire up a browser window on that box.  From there you log into DataPower.
• Use a jump box and have CyberArk jump you, fire up the browser and log in.  For this, you'd definitely need to setup RBM to accept the login via LDAP/AD and handle it custom.
• CyberArk has a module called AIM (I think that's the name of it), where you can invoke a script that logs you or a tool into DataPower.  That is, say you're using an external tool, script, what have you.  That tools acts as your surrogate for logging into the appliances.  You can have your script call out to the CyberArk API to fetch your current password which can then be used to log into the appropriate management interface (RMI, XMI, etc.).  Again, your DataPower RBM needs to be pretty solid.
• You can configure CyberArk to change local account passwords on the appliances and then use one of the above to methods to log in.  This way, you don't necessarily need a custom RBM.

On that last one, I never had the guts to allow CyberArk to change the "admin" password for fear that if CyberArk failed with some kind of bug, we may not have any clue as to what the password might be.  Of course, we could always use a backup account to recover, but security generally wants that one equally protected.   I would suggest if you have CyberArk changing on-board passwords, you make sure you have a backup account that auto changes at an alternative time to enable one to be able to recover the on-board passwords, especially "admin".

Hi All,

If any one have onboarded Datapower to cyberArc for password Management? 

Is it possible? If yes please share some insights about it.

Thanks,

Sourabh