Cyberark Integration

  • 18 March 2021
  • 3 replies
  • 252 views

Userlevel 2
Badge +7

You can manage and secure Commvault login credentials, application credentials, and administrative login sessions using CyberArk’s Privileged Credentials and Session Management solution.

With CyberArk and Commvault integration, you can synchronously rotate account passwords across your environment. Commvault receives password rotation requests to update application and local admin account credentials so that backups continue to run seamlessly, without manual intervention. You can also use CyberArk session management to log on to Commvault using one-time use admin credentials.

 

This went relatively straightforward. The only thing that is missing in Commvault is a way to verify that the password rotation was successful.

One can either try using the commcell user or the application user to browse a subclient to test whether the change was successful. But this is a trial and error method. An enhancement to this plugin would be to have a report or an event log entry in Commvault that a change request was attempted and was successful or a report about when the last password rotation took place.

So to be sure that the REST API call from Cyberark was successful, one can check the webserver.log on the webserver to see something as follows:

Webserver.log

3 replies

Userlevel 7
Badge +19

This is awesome, @neuwiesener !  Very valuable share!

Userlevel 2
Badge +7

If you want to assign granular permissions to the user that you want to use to integrate with Cyberark. So create a user in Commvault with this role. 

Userlevel 5
Badge +10

I have 2 questions:

  • Can we expect cloud native secret management solutions like Azure Key Vault and AWS Secret Manager to be added to the list?
  • Can we expect the ability to dynamically assign credential to application within Commvault. Example if you automate you configuration of Commvault to include AD server who require credentials for the backup than in the current status Appaware pushes the agent and kicks of the backup of the AD agent that will fail because of missing credentials. Now what would be cool is the ability to assign credential from the credential manager which pulls them from the internal or external secret store to the application using assignment rules. If server name like A and agent installed like B than assign credential X.

Reply