AnsweredAssumed Answered

Authentication Vault Issues

Question asked by Jodi Pruitt on Oct 29, 2010
Latest reply on Nov 4, 2010 by Eric Perraudeau

Like • Show 0 Likes0
Comment • 5

Help! We use CyberArk at our company. I have added a vault (which my CyberArk admin tells me is actually a safe in CyberArk terms - a vault is the physical (or virtual) server, a safe is a logical area with distinct security rules applied to it within the vault server.)

First, we added an account to CyberArk for Qualys to access the safe and gave that account a 14 character password.

Then I created the Authentication Vault (Safe) in Qualys with that account and password. (The first problem I encountered was that the 14 character password appeared to reset to an 8 character password no matter how many times I saved.)

I also added an authentication record to call a specific account from that safe with the IP address of my test machine.

Then I tried to do an authenticated scan (using an option profile called 'authenticated internal scan" that I had created previously). The authentication failed and CyberArk did not log an access attempt to the safe.

Then we tried changing the password on the safe to an 8 character password thinking that it was truncating part of the 14 character one and retried the same steps, but still authenticaiton failed and no logon attempt was logged on the CyberArk Safe.

What am I doing wrong?

Jodi Pruitt Nov 4, 2010 2:38 PM

Correct Answer

Working with representatives from Qualys, Cyber-Ark and Williams revealed that the Qualys Vault User had to be setup with the following parameters in order to successfully connect to the vault:

Vault User Parameters:

Type: AIMAccount

Authorized Interfaces: AIMAPP,PAPI

User Auth method: CyberArk

Additionally, the following Safe Permissions had to be set in order to allow Qualys to perform its standard scan with the retrieved password:

Safe Permissions: List Files, Retrieve Files, View Audit, Use Password.

Once these changes were made, QualysGuard was able to retrieve a Windows local admin password from the Cyber-Ark Vault and successfully perform a standard authenticated scan.

See the reply in context

No one else had this question

Outcomes

Jodi Pruitt Oct 29, 2010 1:00 PM

Oh, one more thing... my CyberArk admin suggested that the auth record should have the safe/folder/file, the vault record should just have vault info.

Actions

Eric Perraudeau

@ Jodi Pruitt on Oct 29, 2010 4:22 PM

Hello Jodi,

Interesting feedback, thanks for sharing your experience.

Concerning the length of the password to connect to the vault, we support 28 characters as specified in the Cyber-Ark documentation.

When you view or edit the authentication vault record, the password is replaced by 8 "obfuscating" dots, not matter the size of the real password. So you should not worry, the 14 characters password is correctly saved.

Concerning the length of the password to connect to the vault, we support 28 characters as specified in the Cyber-Ark documentation.

Concerning the other issue, you need to check multiple points (no specific order - I am pretty sure you already did a lot):

Network connectivity between the scanner appliance and the vault
Privileges of the cyber-ark. This user needs right to get the password in the specified vault/safe
Make sure that your Cyber-Ark installation is ready to accept external API calls from a third party solution like the Qualys scanner appliance. I would recommend to reach out to a Cyber-Ark representative to check this point.

Last, the authentication record doesn't contain the safe name a in the current QualysGuard version. We did that on purpose based on user feedback and the way they use their cyber-Ark EPV. But this is something we will consider as a future change.

Thanks,

Eric

1 person found this helpful

Actions

czhao

@ Jodi Pruitt on Oct 29, 2010 5:30 PM

Hi Jodi,

There may be several reasons for the failure:

1. QG does not pick up this new authentication record for your scan or, ip/username/password is not correctly set;

2. Scanner may not have access to the Safe. For example, scanner is not in safe's authorized area;

3. Your Vault account may not be the owner of the safe where password file resides; you have to manually add the safe to the account after you create it;

4. You may not uncheck the “User Must Change Password at Next Logon” check box, when you first create the account;

5. Your Vault account may not have “Retrieve files from safe” privilege for the particular safe, you have to manually grant the privilege to the new created account.

If you can, please check your scan result. In information gathered section, you should see “Unix|Windows Authentication Failed” entry, in case you were scanning windows or unix targets. The error message can help us narrow the problem down. The message looks like:

Error Message: Vault:,*.*.*.* Port:****, Safe:***, Error:Errorwhileloggingonwithlogonfile./.cyberark-auth-23731-23930.ini(Code:9, Error:ITATS203EPasswordhasexpired.)Authentication RecordCyber-Ark

For the password truncation issue, I didn’t see it in my scan. My Vault account has 10 characters password and I can use it to have a successful authentication scan.

Thanks

1 person found this helpful

Actions

Jodi Pruitt @ Jodi Pruitt on Nov 4, 2010 2:38 PM

Working with representatives from Qualys, Cyber-Ark and Williams revealed that the Qualys Vault User had to be setup with the following parameters in order to successfully connect to the vault:

Vault User Parameters:

Type: AIMAccount

Authorized Interfaces: AIMAPP,PAPI

User Auth method: CyberArk

Additionally, the following Safe Permissions had to be set in order to allow Qualys to perform its standard scan with the retrieved password:

Safe Permissions: List Files, Retrieve Files, View Audit, Use Password.

Once these changes were made, QualysGuard was able to retrieve a Windows local admin password from the Cyber-Ark Vault and successfully perform a standard authenticated scan.

Actions

Eric Perraudeau

@ Jodi Pruitt on Nov 4, 2010 4:03 PM

Thank you Jodi for this reply and for your time on troubleshooting the situation. We will clarify these points in the QualysGuard documentation.

Actions

5 Replies

Jodi Pruitt Oct 29, 2010 1:00 PM
Mark Correct
Correct Answer
Oh, one more thing... my CyberArk admin suggested that the auth record should have the safe/folder/file, the vault record should just have vault info.
Like • Show 0 Likes0
Actions
- Eric Perraudeau @ Jodi Pruitt on Oct 29, 2010 4:22 PM
  Mark Correct
  Correct Answer
  Hello Jodi,
  
  Interesting feedback, thanks for sharing your experience.
  
  Concerning the length of the password to connect to the vault, we support 28 characters as specified in the Cyber-Ark documentation.
  When you view or edit the authentication vault record, the password is replaced by 8 "obfuscating" dots, not matter the size of the real password. So you should not worry, the 14 characters password is correctly saved.
  Concerning the length of the password to connect to the vault, we support 28 characters as specified in the Cyber-Ark documentation.
  When you view or edit the authentication vault record, the password is replaced by 8 "obfuscating" dots, not matter the size of the real password. So you should not worry, the 14 characters password is correctly saved.
  
  Concerning the other issue, you need to check multiple points (no specific order - I am pretty sure you already did a lot):
  Network connectivity between the scanner appliance and the vault
  Privileges of the cyber-ark. This user needs right to get the password in the specified vault/safe
  Make sure that your Cyber-Ark installation is ready to accept external API calls from a third party solution like the Qualys scanner appliance. I would recommend to reach out to a Cyber-Ark representative to check this point.
  
  Last, the authentication record doesn't contain the safe name a in the current QualysGuard version. We did that on purpose based on user feedback and the way they use their cyber-Ark EPV. But this is something we will consider as a future change.
  
  Thanks,
  Eric
  1 person found this helpful
  Like • Show 0 Likes0
  Actions
- czhao @ Jodi Pruitt on Oct 29, 2010 5:30 PM
  Mark Correct
  Correct Answer
  Hi Jodi,
  
  There may be several reasons for the failure:
  1. QG does not pick up this new authentication record for your scan or, ip/username/password is not correctly set;
  2. Scanner may not have access to the Safe. For example, scanner is not in safe's authorized area;
  3. Your Vault account may not be the owner of the safe where password file resides; you have to manually add the safe to the account after you create it;
  4. You may not uncheck the “User Must Change Password at Next Logon” check box, when you first create the account;
  5. Your Vault account may not have “Retrieve files from safe” privilege for the particular safe, you have to manually grant the privilege to the new created account.
  
  If you can, please check your scan result. In information gathered section, you should see “Unix|Windows Authentication Failed” entry, in case you were scanning windows or unix targets. The error message can help us narrow the problem down. The message looks like:
  
  Error Message: Vault:,*.*.*.* Port:****, Safe:***, Error:Errorwhileloggingonwithlogonfile./.cyberark-auth-23731-23930.ini(Code:9, Error:ITATS203EPasswordhasexpired.)Authentication RecordCyber-Ark
  
  For the password truncation issue, I didn’t see it in my scan. My Vault account has 10 characters password and I can use it to have a successful authentication scan.
  
  Thanks
  1 person found this helpful
  Like • Show 0 Likes0
  Actions
- Jodi Pruitt @ Jodi Pruitt on Nov 4, 2010 2:38 PM
  Unmark Correct
  Correct Answer
  Working with representatives from Qualys, Cyber-Ark and Williams revealed that the Qualys Vault User had to be setup with the following parameters in order to successfully connect to the vault:
  
  Vault User Parameters:
  Type: AIMAccount
  Authorized Interfaces: AIMAPP,PAPI
  User Auth method: CyberArk
  
  Additionally, the following Safe Permissions had to be set in order to allow Qualys to perform its standard scan with the retrieved password:
  Safe Permissions: List Files, Retrieve Files, View Audit, Use Password.
  
  Once these changes were made, QualysGuard was able to retrieve a Windows local admin password from the Cyber-Ark Vault and successfully perform a standard authenticated scan.
  Like • Show 3 Likes3
  Actions
  - Eric Perraudeau @ Jodi Pruitt on Nov 4, 2010 4:03 PM
    Mark Correct
    Correct Answer
    Thank you Jodi for this reply and for your time on troubleshooting the situation. We will clarify these points in the QualysGuard documentation.
    Like • Show 0 Likes0
    Actions

Qualys Community

Authentication Vault Issues

Outcomes

Related Content

Recommended Content

Incoming Links