Getting Started with Vendor Application Connection


1.0 Introduction

This article helps you get started with the CyberArk vendor application integration in Fortanix Key Insight.

It also describes:

  • How to sign up and log in to Fortanix Armor.

  • How to access Fortanix Key Insight.

  • How to set up the CyberArk connection (Software-as-a-Service (SaaS) and On-premises) to scan certificates.

2.0 Terminology References

For CyberArk connection concepts and supported features, refer to CyberArk Connection Concepts.

3.0 Log In and Create an Account

Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.

3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.

For more information on how to sign up, log in, and create an account for Fortanix Key Insight, refer to Fortanix Armor – Getting Started.

3.2 Log In to Fortanix Armor Platform - Existing Users

You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.

For more information on how to log in and create an account on Fortanix Armor, refer to Fortanix Armor – Getting Started.

4.0 Access Fortanix Key Insight

After creating and selecting your Fortanix Armor account, you are redirected to the Available Solutions page in Fortanix Armor. From this page, you can access Fortanix Key Insight.

Perform the following steps:

  1. Ensure the appropriate region (European Union or North America) is selected from the Region drop down. The selected region determines where your data is processed and stored. It also ensures that connections, scans, and UI elements are displayed based on the selected region. For more information on configuring regions, refer to Fortanix Armor – Solutions.

  2. Click GO TO KEY INSIGHT to access Fortanix Key Insight and begin onboarding vendor application connections.

Figure 1: Access Fortanix Key Insight solution

5.0 Configure a CyberArk (SaaS) Connection

After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a CyberArk (SaaS) connection to scan your cryptographic materials.

5.1 Prerequisites

Before setting up a CyberArk (SaaS) connection in Fortanix Key Insight, ensure that the CyberArk platform is correctly set up and that the necessary access, permissions, and API integration are in place.

5.1.1 Set Up CyberArk Certificate Management Identity and Permissions

Perform the following steps to set up identity and permissions in CyberArk Certificate Management:

  1. Log in to the CyberArk Certificate Management (formerly Venafi SaaS) platform.

  2. Set up the service account for Fortanix Key Insight integration by creating an identity with WebSDK access enabled.

    NOTE

    Use the CyberArk Certificate Management Username and Password created in this step when configuring the CyberArk (SaaS or On-premises) connection in Fortanix Key Insight.

  3. Assign permissions to the service account created in Step 2:

    1. Navigate to Policy Tree.

    2. Select the Root Policy Object.

    3. Click General, and then select Permissions.

    4. Grant the following permissions to the selected service account:

      • View

      • Read

    5. Click Save.

Figure 2: Set up CyberArk user and permissions

5.1.2 Create CyberArk Certificate Management API Integration

Perform the following steps to create an API Integration in CyberArk Certificate Management for Fortanix Key Insight:

  1. Log in to the CyberArk Certificate Management (formerly Venafi SaaS) platform.

  2. Create a new API Integration. For detailed steps, refer to CyberArk's official documentation.

    While creating the API Integration, ensure Access Token Authentication is configured with the following settings:

    • Token Refresh is enabled (this is enabled by default).

    • Username and Password is selected in Allowed Authentication Methods.

    For detailed steps on Access Token authentication, refer to CyberArk's official documentation.

  3. In the User or team access section of the API Integration, add the service account created in Section 5.1.1: Set Up CyberArk Certificate Management Identity and Permissions to run this integration.

    1. Search for the service account and select it.

    2. Click Add.

    For detailed steps, refer to CyberArk's official documentation on assigning service accounts to an API Integration.

  4. Create the API Integration for Fortanix Key Insight by importing the following JSON configuration:

    {
      "id": "fortanix",
      "name": "Fortanix",
      "vendor": "",
      "description": "Fortanix Key Insight",
      "scope": "certificate:discover,manage;configuration:manage"
    }
    

    NOTE

    The value of the id field (for example, fortanix) is used as the Client ID when configuring the CyberArk (SaaS or On-premises) connection in Fortanix Key Insight.

5.1.3 Confirm CyberArk Certificate Management Access Details

Before proceeding, ensure you have the following information readily available:

  • CyberArk URL: The base URL of your CyberArk Certificate Management instance.

  • Username and Password: The credentials of the service account created in Section 5.1.1: Set Up CyberArk Certificate Management Identity and Permissions.

  • Client ID: The id value of the API Integration created in Section 5.1.2: Create CyberArk Certificate Management API Integration (for example, fortanix).

NOTE

Contact your CyberArk administrator if you need help confirming the required access details.

Using these credentials, Fortanix Key Insight calls the CyberArk API to obtain an access token with the required scopes (certificate:discover,manage;configuration:manage). These scopes authorize Fortanix Key Insight to scan and analyze certificates managed by CyberArk. Keep the service account itself limited to the View and Read permissions granted in Section 5.1.1; scanning does not require write access to CyberArk objects.
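The token exchange described above, written out as an added example (this is not Fortanix or CyberArk code) that applies to both the SaaS and the On-premises connection flows: it builds the password-grant token request from the four connection secrets, parses the scope string in the format used by the API Integration definition, and rejects a token whose issued scope is narrower than the one requested. The endpoint path /vedauth/authorize/oauth, the JSON field names, and the presence of a scope field in the response are assumptions taken from the Venafi Trust Protection Platform WebSDK, since the page does not name them; the sample responses are constructed, not captured from a real system.

```python
"""Secret-based authentication against CyberArk Certificate Management.

Added example, not Fortanix or CyberArk code. The token endpoint path
(/vedauth/authorize/oauth), the JSON field names and the scope field in
the response are those of the Venafi Trust Protection Platform WebSDK,
assumed here because the page does not name them. Verify them against
your CyberArk API documentation before use.
"""
import json
import urllib.request
from typing import Dict, Set

# Scope string from the API Integration definition on this page.
REQUIRED_SCOPE = "certificate:discover,manage;configuration:manage"


def parse_scope(scope: str) -> Dict[str, Set[str]]:
    """Parse 'res:a,b;res2:c' into {'res': {'a', 'b'}, 'res2': {'c'}}.

    A resource listed without ':' carries no privileges and is ignored;
    whitespace around items is tolerated.
    """
    parsed: Dict[str, Set[str]] = {}
    for part in scope.split(";"):
        part = part.strip()
        if not part or ":" not in part:
            continue
        resource, privs = part.split(":", 1)
        priv_set = {p.strip() for p in privs.split(",") if p.strip()}
        parsed.setdefault(resource.strip(), set()).update(priv_set)
    return parsed


def scope_covers(granted: str, required: str) -> bool:
    """True if every required resource:privilege appears in the granted scope."""
    g, r = parse_scope(granted), parse_scope(required)
    return all(privs <= g.get(res, set()) for res, privs in r.items())


def build_token_request(cyberark_url: str, username: str, password: str,
                        client_id: str, scope: str = REQUIRED_SCOPE):
    """Return (url, json_body) for the password-grant token request.

    Only https URLs are accepted so the service-account password is never
    sent in clear text.
    """
    if not cyberark_url.lower().startswith("https://"):
        raise ValueError("CyberArk URL must use https")
    url = cyberark_url.rstrip("/") + "/vedauth/authorize/oauth"  # assumed path
    body = {"client_id": client_id, "username": username,
            "password": password, "scope": scope}
    return url, body


def check_token_response(resp: dict, required: str = REQUIRED_SCOPE) -> str:
    """Validate a token response and return the bearer token.

    Rejects responses without a token, or whose issued scope is narrower
    than the integration needs (the server may trim scopes that the client
    ID or the service account is not entitled to).
    """
    token = resp.get("access_token")
    if not token:
        raise PermissionError("no access_token in token response")
    if not scope_covers(resp.get("scope", ""), required):
        raise PermissionError("issued scope %r does not cover %r"
                              % (resp.get("scope"), required))
    return token


def fetch_token(cyberark_url, username, password, client_id, timeout=10) -> str:
    """Perform the request against a live system (network; not run offline)."""
    url, body = build_token_request(cyberark_url, username, password, client_id)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return check_token_response(json.load(r))


# Constructed sample responses (not captured from a real system).
SAMPLE_OK = {
    "access_token": "eyJ...constructed",
    "expires": 1735689600,
    "scope": "certificate:discover,manage;configuration:manage",
    "token_type": "Bearer",
}
SAMPLE_NARROW = dict(SAMPLE_OK, scope="certificate:discover")

if __name__ == "__main__":
    print("token ok:", check_token_response(SAMPLE_OK)[:6])
    try:
        check_token_response(SAMPLE_NARROW)
    except PermissionError as e:
        print("rejected:", e)
```

The scope check matters because a token is still issued when the integration or account lacks some of the requested privileges; a scanner that only verifies that an access_token came back will fail later, with a less obvious error, on the first API call that needs the missing privilege.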

5.1.4 IP Whitelisting Requirements

To enable secure and reliable communication between Fortanix Key Insight and your CyberArk environment, certain network connections may need to be allowed.

If your CyberArk deployment enforces IP-based access controls, you may need to whitelist the following Fortanix Key Insight IP addresses:

  • 149.14.69.36/32

  • 149.14.123.28/32

  • 184.104.204.100/32

NOTE

IP whitelisting is not mandatory. It is required only if your CyberArk environment restricts inbound API access based on source IP addresses.

5.2 CyberArk Authentication Methods

CyberArk supports the following authentication mechanism to control how users and applications authenticate and obtain access to CyberArk resources:

  • Secret-based authentication: An authentication method in which an application securely stores CyberArk (SaaS) connection secrets (CyberArk URL, username, password, and client ID) and uses them to authenticate with CyberArk and obtain an access token. This access token is then used to authorize subsequent CyberArk API requests.

5.3 Select Connection Type

Perform the following steps to select the CyberArk (SaaS) connection type:

  1. On the Select Connection Type step, select the Vendor Applications option. The CyberArk (SaaS) vendor application is selected by default.

  2. Click NEXT.

Figure 3: Access CyberArk connections

NOTE

You can also add a CyberArk (SaaS) connection by clicking ADD VENDOR APPLICATION in the top-right corner of the VENDOR APPLICATIONS tab on the Connections page.

5.4 Set Up Authentication

CyberArk supports secret-based authentication to control how users and applications obtain credentials to access CyberArk certificates.

For definitions of the CyberArk authentication methods, refer to Section 5.2: CyberArk Authentication Methods.

5.4.1 Secret-Based Authentication

Perform the following steps to add secret-based CyberArk authentication:

  1. On the Select Authentication step:

    1. CyberArk URL: Enter the CyberArk URL.

    2. Username: Enter the CyberArk username.

    3. Password: Enter the CyberArk password.

    4. Client ID: Enter the CyberArk Client ID.

  2. Click NEXT.

Figure 4: Configure secret-based authentication

5.5 Set Up Connections

Perform the following steps on the Set Up Connections step:

  1. Connection Name: Enter a name for your connection. For example, CyberArk connection.

  2. Click NEXT.

Figure 5: Configure a CyberArk connection

5.6 Add Fortanix Key Insight Policy

The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Additionally,

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Click to copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

NOTE

If you select a policy other than the System Defined Policy, or later update the selected policy, you must Rescan the CyberArk (SaaS) connection to apply the new policy.

Figure 6: Fortanix Key Insight policy

Click FINISH to complete the CyberArk (SaaS) connection onboarding.

NOTE

After onboarding the CyberArk (SaaS) connection:

  • View the user interface (UI) (Overview and Certificates). You can also switch the region at any time using the region switcher drop down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

    For more information about the CyberArk connection (SaaS and On-premises) overview and related UI components, refer to CyberArk Connection-User Interface Components.

  • Users with the Account Administrator and Group Administrator roles can manage (edit, delete, rescan) the connection from the Connections page under the VENDOR APPLICATIONS tab.

    • Deleting the CyberArk (SaaS) connection cannot be undone.

  • A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.

6.0 Configure a CyberArk (On-premises) Connection

After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a CyberArk (On-premises) connection to scan your cryptographic materials.

6.1 Prerequisites

Before configuring a CyberArk (On-premises) connection in Fortanix Key Insight, ensure that the required CyberArk identity, permissions, API integration, and Fortanix On-premises Scanner prerequisites are ready.

6.1.1 Set Up CyberArk Certificate Management Identity and Permissions

Perform the steps described in Section 5.1.1: Set Up CyberArk Certificate Management Identity and Permissions.

6.1.2 Create CyberArk Certificate Management API Integration

Perform the steps described in Section 5.1.2: Create CyberArk Certificate Management API Integration to create an API Integration in CyberArk for Fortanix Key Insight.

6.1.3 Fortanix On-premises Scanner Requirements

In addition to the CyberArk platform configuration, CyberArk (On-premises) connections require the Fortanix On-premises Scanner.

For Fortanix On-premises Scanner prerequisites, refer to Getting Started with On-premises Connection.

6.2 Select Connection Type

Perform the following steps to select the CyberArk (On-premises) connection type:

  1. On the Select Connection Type step, select the Vendor Applications option.

  2. Select CyberArk (On-Premises) vendor application.

  3. Click NEXT.

Figure 7: Access CyberArk on-premises connections

NOTE

You can also add a CyberArk (On-premises) connection by clicking ADD VENDOR APPLICATION in the top-right corner of the VENDOR APPLICATIONS tab on the Connections page.

6.3 Add Vendor (On-premises) Connection

Perform the following steps on the Add Vendor (On-Premises) Connection step:

  1. Connection Name: Enter a name for your connection. For example, CyberArk on-premises connection.

  2. Click Fortanix on-premises scanner package to download the Fortanix On-premises Scanner for a CyberArk on-premises connection.

    1. After downloading the package, install it depending on your operating system (Linux or Windows).

    2. After installing the package, configure the CyberArk on-premises connection using the configuration file.

      For information on CyberArk On-premises connection configuration file parameters, refer to On-premises Scanner Configuration File.

    3. After configuration, run the Fortanix On-premises Scanner package depending on your operating system (Linux or Windows).

  3. I have downloaded and installed the Scanner package: After the scanner installation and configuration, enable the check box to establish a secure connection between your CyberArk On-premises environment and Fortanix Key Insight.

  4. Click NEXT.

Figure 8: Configure a CyberArk on-premises connection

6.4 Add Fortanix Key Insight Policy

The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Additionally,

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Click to copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

NOTE

If you select a policy other than the System Defined Policy, or later update the selected policy, you must Rescan the CyberArk (On-premises) connection to apply the new policy.

Figure 9: Fortanix Key Insight policy

Perform the following steps:

  1. Click ADD SCANNER & GENERATE API KEY.

  2. In the API Key Details dialog box, click COPY API KEY to copy the API key value and complete the CyberArk (On-premises) connection onboarding.

    NOTE

    The API key is used by the Fortanix On-premises Scanner to authenticate with Fortanix Key Insight. Treat it as a secret: store it in a protected location on the scanner host and do not share it in plain text or commit it to source control.

  3. Close the dialog box to complete the onboarding.

    NOTE

    After onboarding the CyberArk (On-premises) connection:

    • You can verify the connection status from the Connections page under the VENDOR APPLICATIONS tab.

      • If the status is Connected, you can access the user interface (UI) (Overview and Certificates). You can also switch the region at any time using the region switcher drop down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

        For more information on the UI, refer to CyberArk Connection-User Interface Components.

      • If the status is Disconnected, restart the scanner to re-establish the connection.

      • If the status is Pending, use the generated API key to connect to Fortanix Key Insight. After the connection is established, add the resources to begin scanning.

    • Users with the Account Administrator and Group Administrator roles can manage (edit, delete, rescan, and view details) the connection from the Connections page under the VENDOR APPLICATIONS tab.

      • Deleting the CyberArk (On-premises) connection cannot be undone.

      • The Rescan option is available only when the CyberArk (On-premises) connection status is Connected.

      • When viewing the connection details:

        • Copy the Connection ID. This value is required in the Fortanix On-premises Scanner configuration.

        • Click MANAGE API KEY to manage (copy, delete, regenerate) the generated API key.

          • You can generate a maximum of two API keys for configuring the connection between CyberArk (On-premises) and Fortanix Key Insight.

          • Deleting an API key may revoke access for the CyberArk (On-premises) connection, potentially disrupting its functionality. This action is irreversible.

        • Click DOWNLOAD PACKAGE to download the package again if you have changed machines, or if your current package has errors or was not installed correctly.

        Figure 10: View CyberArk (on-premises) key details

    • A group with the same name will be created on the Fortanix IAM Groups page. For more information on Groups, refer to Fortanix Armor Identity and Access Management-IAM.
