Help! We use CyberArk at our company. I have added a vault (which my CyberArk admin tells me is actually a safe in CyberArk terms - a vault is the physical (or virtual) server; a safe is a logical area with distinct security rules applied to it within the vault server).
First, we added an account to CyberArk for Qualys to access the safe and gave that account a 14 character password.
Then I created the Authentication Vault (Safe) in Qualys with that account and password. (The first problem I encountered was that the 14 character password appeared to reset to an 8 character password no matter how many times I saved.)
I also added an authentication record to call a specific account from that safe with the IP address of my test machine.
Then I tried to do an authenticated scan (using an option profile called 'authenticated internal scan' that I had created previously). The authentication failed and CyberArk did not log an access attempt to the safe.
Then we tried changing the password on the safe to an 8 character password, thinking that it was truncating part of the 14 character one, and retried the same steps, but authentication still failed and no logon attempt was logged on the CyberArk Safe.
What am I doing wrong?
Working with representatives from Qualys, Cyber-Ark and Williams revealed that the Qualys Vault User had to be set up with the following parameters in order to successfully connect to the vault:
Vault User Parameters:
Type: AIMAccount
Authorized Interfaces: AIMAPP,PAPI
User Auth method: CyberArk
Additionally, the following Safe Permissions had to be set in order to allow Qualys to perform its standard scan with the retrieved password:
Safe Permissions: List Files, Retrieve Files, View Audit, Use Password.
Once these changes were made, QualysGuard was able to retrieve a Windows local admin password from the Cyber-Ark Vault and successfully perform a standard authenticated scan.