Setting up CyberArk
This section specifies how FortiSIEM can be configured to fetch credentials from CyberArk.
Installing CyberArk Provider in FortiSIEM
- Log in to FortiSIEM as root
- Run the rpm command to begin the installation:
The installation runs automatically and does not require any interactive response from the user. When the installation is complete, the following message appears: “Installation process completed successfully.”
Configuring CyberArk Provider in FortiSIEM
- Log in as root
- Open the Vault.ini file and specify the parameters of the Vault that will be accessed by the Provider
- Run CreateCredFile to create a credential file for the administrative user that will create the Vault environment during installation.
- Check the log file /var/tmp/aim-install-logs/CreateEnv.log to make sure that the Provider environment was created successfully
- Start the CyberArk Application Password Provider service manually as a privileged user
- Run ldconfig
Configuring CyberArk for communication with FortiSIEM
- Log in to the CyberArk Password Vault Web Access (PVWA) interface as a user allowed to manage applications (this requires Manage Users authorization).
- Add FortiSIEM as an Application
- Go to Applications and click Add Application.
- Set Name to FortiSIEM
- In the Description, specify a short description of the application that will help you identify it (e.g. FortiSIEM SIEM)
- In the Business owner section, specify contact information about the application’s Business owner.
- In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location is not selected, the application will be added in the same Location as the user who is creating this application.
- Click Add; the application is added and is displayed in the Application Details page
- Check Allow extended authentication restrictions – this enables you to specify an unlimited number of machines and Windows domain OS users for a single application
- Specify the application’s (FortiSIEM) Authentication. This information enables the Credential Provider to check certain application characteristics before retrieving the application password.
- In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
- Specify the OS user as “admin” and Click
- Specify the application path as “/opt/phoenix/bin”. Make sure Path is folder and Allow internal scripts to request credentials… check boxes are checked
- Do not specify a hash
- In the Allowed Machines tab, click Add and specify the IP/host name of the FortiSIEM Supervisor, Workers and Collectors
- Authorize FortiSIEM to retrieve accounts.
- Go to Policies > Access Control (Safes)
- For every Safe, Click on Members.
- Click on Add Safe Member
- Search for FortiSIEM. An entry will already exist. Select that entry.
- Check Retrieve accounts.
- Click Add
Now FortiSIEM should be ready to retrieve passwords from CyberArk via Test Connectivity and Discovery.
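The Authentication step above identifies FortiSIEM to the Credential Provider by OS user, folder path and allowed machine, with no hash, so the contents of that folder are not verified. As an added example (not part of the original guide and not Fortinet or CyberArk tooling), this POSIX shell function audits the registered folder for entries that accounts other than the owner could modify; the function name and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the folder registered as the application path
# (the guide uses /opt/phoenix/bin with OS user "admin").
#
# audit_allowed_path DIR [EXPECTED_OWNER]
# Prints one finding per line.
# Returns 0 when clean, 1 when findings exist, 2 when DIR is not a directory.
audit_allowed_path() {
    dir=$1
    owner=${2:-}
    [ -d "$dir" ] || { echo "ERROR: not a directory: $dir" >&2; return 2; }

    findings=$(
        # Files or directories that the group or others can modify or replace.
        find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
            -exec echo "WRITABLE" {} \;
        # Symlinks can make the approved path serve content stored elsewhere;
        # list them so each target can be reviewed.
        find "$dir" -type l -exec echo "SYMLINK" {} \;
        # Entries not owned by the expected account (only when one is given).
        if [ -n "$owner" ]; then
            find "$dir" ! -user "$owner" -exec echo "OWNER" {} \;
        fi
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Example invocation on a FortiSIEM node (EXPECTED_OWNER is an assumption;
# use whichever account owns the binaries in your deployment):
#   audit_allowed_path /opt/phoenix/bin admin
```

Run it on the Supervisor, Workers and Collectors listed under Allowed Machines, and treat any output as something to resolve before granting Retrieve accounts on a Safe.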