1.0 Introduction
This article helps you get started with the CyberArk vendor application integration in Fortanix Key Insight.
It also describes:
How to sign up and log in to Fortanix Armor.
How to access Fortanix Key Insight.
How to set up the CyberArk connection (Software-as-a-Service (SaaS) and On-premises) to scan certificates.
How to manage the vendor application connections on Fortanix Key Insight.
2.0 Terminology References
For CyberArk connection concepts and supported features, refer to CyberArk Connection Concepts.
3.0 Log In and Create an Account
Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.
3.1 Sign Up and Log In to Fortanix Armor Platform - New Users
If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.
For more information on how to sign up, log in, and create an account for Fortanix Key Insight, refer to Fortanix Armor – Getting Started.
3.2 Log In to Fortanix Armor Platform - Existing Users
You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.
For more information on how to log in and create an account on Fortanix Armor, refer to Fortanix Armor – Getting Started.
4.0 Access Fortanix Key Insight
After creating and selecting the Fortanix Armor account, you will be redirected to the Available Solutions page in Fortanix Armor. From there, you can access the Fortanix Key Insight solution.
Perform the following steps:
Ensure the appropriate Region is selected. This determines where your data is processed and ensures that all subsequent steps, such as configuring connections and viewing scanned data in the user interface (UI), are displayed correctly for the selected region. For more information on configuring regions, refer to Fortanix Armor – Solutions.
Click GO TO KEY INSIGHT.

Figure 1: Access Fortanix Key Insight solution
5.0 Configure a CyberArk (SaaS) Connection
After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a CyberArk (SaaS) connection to scan your cryptographic materials.
5.1 Prerequisites
Before setting up a CyberArk (SaaS) connection in Fortanix Key Insight, ensure that the CyberArk platform is correctly set up and that the necessary access, permissions, and API integration are in place.
5.1.1 Set Up CyberArk Certificate Management Identity and Permissions
Perform the following steps to set up identity and permissions in CyberArk Certificate Management:
Log in to the CyberArk Certificate Management (formerly Venafi SaaS) platform.
Set up the service account for Fortanix Key Insight integration by creating an identity with WebSDK access enabled.
NOTE
Use the CyberArk Certificate Management Username and Password created in this step when configuring the CyberArk (SaaS or On-premises) connection in Fortanix Key Insight.
Perform the following steps to assign permissions to the service account created in Step 2:
Navigate to Policy Tree.
Select the Root Policy Object.
Click General, and then select Permissions.
Grant the following permissions to the selected service account:
View
Read
Click Save.
Figure 2: Set up CyberArk user and permissions
5.1.2 Create CyberArk Certificate Management API Integration
Perform the following steps to create an API Integration in CyberArk Certificate Management for Fortanix Key Insight:
Log in to the CyberArk Certificate Management (formerly Venafi SaaS) platform.
Create a new API Integration. For detailed steps, refer to the CyberArk documentation.
While creating the API Integration, ensure Access Token Authentication is configured with the following settings:
Token Refresh is enabled (this is enabled by default).
The Username and Password is selected in Allowed Authentication Methods.
For detailed steps on Access Token authentication, refer to Setting up access token authentication.
In the User or team access section of the API Integration, add the service account created in Section 5.1.1: Set Up CyberArk Certificate Management Identity and Permissions to run this integration.
Search for the service account and select it.
Click Add.
For detailed steps, refer to the CyberArk documentation on assigning service accounts to an API Integration.
Create the API Integration for Fortanix Key Insight by importing the following JSON configuration:
{
  "id": "fortanix",
  "name": "Fortanix",
  "vendor": "",
  "description": "Fortanix Key Insight",
  "scope": "certificate:discover,manage;configuration:manage"
}
NOTE
The value of the id field (for example, fortanix) is used as the Client ID when configuring the CyberArk (SaaS or On-premises) connection in Fortanix Key Insight.
5.1.3 Confirm CyberArk Certificate Management Access Details
Before proceeding, ensure you have the following information readily available:
CyberArk URL: The base URL of the CyberArk Certificate Management (formerly Venafi SaaS) tenant used to access the service.
Username and Password: Defined in Section 5.1.1: Set Up CyberArk Certificate Management Identity and Permissions.
Client ID of the API Integration: Defined in Section 5.1.2: Create CyberArk Certificate Management API Integration.
NOTE
Contact your CyberArk administrator if you need help confirming the required access details.
Using these credentials, Fortanix Key Insight makes an API call to CyberArk to obtain an access token with the required scopes (certificate:discover,manage;configuration:manage). These scopes authorize Fortanix Key Insight to scan and analyze certificates managed by CyberArk.
5.1.4 IP Whitelisting Requirements
To enable secure and reliable communication between Fortanix Key Insight and your CyberArk environment, certain network connections may need to be allowed.
If your CyberArk deployment enforces IP-based access controls, you may need to whitelist the following Fortanix Key Insight IP addresses:
149.14.69.36/32
149.14.123.28/32
184.104.204.100/32
NOTE
IP whitelisting is not mandatory. It is required only if your CyberArk environment restricts inbound API access based on source IP addresses.
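The following check is an added example, not Fortanix or CyberArk code. It audits token-grant records for the integration's Client ID against the scope string and source addresses listed on this page. The event field names and sample records are constructed for illustration and do not follow a CyberArk log format, and the source-address check assumes the SaaS connection, where requests originate from Fortanix Key Insight.

```python
import ipaddress

# Values published on this page.
CLIENT_ID = "fortanix"
EXPECTED_SCOPE = "certificate:discover,manage;configuration:manage"
KEY_INSIGHT_NETS = [ipaddress.ip_network(n) for n in
                    ("149.14.69.36/32", "149.14.123.28/32", "184.104.204.100/32")]


def parse_scope(scope):
    """Split 'res:priv,priv;res:priv' into {resource: {privileges}}."""
    parsed = {}
    for part in filter(None, (p.strip() for p in scope.split(";"))):
        resource, _, privs = part.partition(":")
        parsed.setdefault(resource.strip(), set()).update(
            p.strip() for p in privs.split(",") if p.strip())
    return parsed


def excess_scope(granted, expected=EXPECTED_SCOPE):
    """Return resources/privileges in `granted` that `expected` does not cover."""
    allowed = parse_scope(expected)
    extra = {}
    for resource, privs in parse_scope(granted).items():
        over = privs - allowed.get(resource, set())
        if over or resource not in allowed:
            extra[resource] = sorted(over)
    return extra


def from_key_insight(source_ip):
    """True if the address falls inside one of the listed Key Insight ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in KEY_INSIGHT_NETS)


def audit(events):
    """Flag token grants for the integration that look wrong."""
    findings = []
    for i, ev in enumerate(events):
        if ev["client_id"] != CLIENT_ID:
            continue  # other integrations are out of scope for this check
        if not from_key_insight(ev["source_ip"]):
            findings.append((i, "unexpected source " + ev["source_ip"]))
        extra = excess_scope(ev["scope"])
        if extra:
            findings.append((i, "scope beyond documented set: %r" % extra))
    return findings


# Constructed sample events (hypothetical field names, not a CyberArk log format).
SAMPLE_EVENTS = [
    {"client_id": "fortanix", "source_ip": "149.14.69.36",
     "scope": "certificate:discover,manage;configuration:manage"},
    {"client_id": "fortanix", "source_ip": "203.0.113.7",
     "scope": "certificate:discover,manage;configuration:manage"},
    {"client_id": "fortanix", "source_ip": "184.104.204.100",
     "scope": "certificate:discover,manage,delete;configuration:manage"},
    {"client_id": "other-app", "source_ip": "198.51.100.9", "scope": "agent"},
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE_EVENTS):
        print(index, reason)
```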
5.2 CyberArk Authentication Methods
CyberArk supports the following authentication mechanisms to control how users and applications authenticate and obtain access to CyberArk resources:
Secret-based authentication: An authentication method in which an application securely stores CyberArk (SaaS) connection secrets (CyberArk URL, username, password, and client ID) and uses them to authenticate with CyberArk and obtain an access token. This access token is then used to authorize subsequent CyberArk API requests.
5.3 Select Connection Type
Perform the following steps to select the CyberArk (SaaS) connection type:
On the Select Connection Type step, select the Vendor Applications option. The CyberArk (SaaS) vendor application is selected by default.
Click NEXT.

Figure 3: Access CyberArk connections
5.4 Set Up Authentication
CyberArk supports secret-based authentication to control how users and applications obtain credentials to access CyberArk certificates.
For definitions of the CyberArk authentication methods, refer to Section 5.2: CyberArk Authentication Methods.
5.4.1 Secret-Based Authentication
Perform the following steps to add secret-based CyberArk authentication:
On the Select Authentication step,
Enter the CyberArk URL.
Enter the Username.
Enter the Password.
Enter the Client ID.
Click NEXT.

Figure 4: Configure secret-based authentication
5.5 Set Up Connections
On the Set Up Connections step, enter the following details:
Enter a Connection Name. For example, CyberArk connection.
Click NEXT.

Figure 5: Configure a CyberArk connection
5.6 Add Fortanix Key Insight Policy
The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.
Additionally, you can:
Click ADD POLICY to add a new user-defined policy to the policy center.
Click
to copy and modify a system-defined policy, converting it into a user-defined policy.
For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

Figure 6: Fortanix Key Insight policy
Click FINISH to complete the CyberArk (SaaS) connection onboarding. After the connection is onboarded, you can access its Overview page and view the discovered certificates.
NOTE
After onboarding the CyberArk (SaaS) connection,
You can switch the region at any time using the region switcher drop-down located in the top navigation bar of the connection user interface (UI). When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.
For more information about the CyberArk connection (SaaS and On-premises) overview and related UI components, refer to CyberArk Connection-User Interface Components.
6.0 Configure a CyberArk (On-premises) Connection
After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a CyberArk (On-premises) connection to scan your cryptographic materials.
6.1 Prerequisites
Before configuring a CyberArk (On-premises) connection in Fortanix Key Insight, ensure that the required CyberArk identity, permissions, API integration, and Fortanix On-premises Scanner prerequisites are ready.
6.1.1 Set Up CyberArk Certificate Management Identity and Permissions
Perform the steps described in Section 5.1.1: Set Up CyberArk Certificate Management Identity and Permissions.
6.1.2 Create CyberArk Certificate Management API Integration
Perform the steps described in Section 5.1.2: Create CyberArk Certificate Management API Integration to create an API Integration in CyberArk for Fortanix Key Insight.
6.1.3 Fortanix On-premises Scanner Requirements
In addition to the CyberArk platform configuration, CyberArk (On-premises) connections require the Fortanix On-premises Scanner.
For Fortanix On-premises Scanner prerequisites, refer to Getting Started with On-premises Connection.
6.2 Select Connection Type
Perform the following steps to select the CyberArk (On-premises) connection type:
On the Select Connection Type step, select the Vendor Applications option.
Select CyberArk (On-Premises) vendor application.
Click NEXT.

Figure 7: Access CyberArk on-premises connections
6.3 Add Vendor (On-premises) Connection
On the Add Vendor (On-Premises) Connection step,
Enter a Connection Name. For example, CyberArk on-premises connection.
Click Fortanix on-premises scanner package to download the Fortanix On-premises Scanner for a CyberArk on-premises connection.
After downloading the package, install it depending on your operating system (Linux or Windows).
For instructions on how to install the Fortanix On-Premises Scanner package on Linux, refer to On-premises Scanner Configuration - Linux.
For instructions on how to install the Fortanix On-Premises Scanner package on Windows, refer to On-premises Scanner Configuration - Windows.
After installing the package, configure the CyberArk on-premises connection using the configuration file.
For information on CyberArk On-premises connection configuration file parameters, refer to On-premises Scanner Configuration File.
After configuration, run the Fortanix On-premises Scanner package depending on your operating system (Linux or Windows).
For instructions on how to run the Fortanix On-Premises Scanner package on Linux, refer to On-premises Scanner Configuration - Linux.
For instructions on how to run the Fortanix On-Premises Scanner package on Windows, refer to On-premises Scanner Configuration - Windows.
After the scanner installation and configuration, enable the I have downloaded and installed the Scanner package check box. The scanner establishes a secure connection between your CyberArk On-premises environment and Fortanix Key Insight.
Click NEXT.

Figure 8: Configure a CyberArk on-premises connection
6.4 Add Fortanix Key Insight Policy
The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.
Additionally, you can:
Click ADD POLICY to add a new user-defined policy to the policy center.
Click
to copy and modify a system-defined policy, converting it into a user-defined policy.
For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

Figure 9: Fortanix Key Insight policy
Perform the following steps:
Click ADD SCANNER & GENERATE API KEY.
In the API Key Details dialog box, click COPY API KEY to copy the API key value and to complete the CyberArk (On-premises) connection onboarding.
NOTE
The API key is used by the Fortanix On-premises Scanner to authenticate with Fortanix Key Insight.
After the connection is onboarded, you can access its Overview page and view the discovered certificates.
NOTE
After onboarding the CyberArk (On-premises) connection,
You can switch the region at any time using the region switcher drop-down located in the top navigation bar of the connection user interface (UI). When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.
For more information about the CyberArk connection (SaaS and On-premises) overview and related UI components, refer to CyberArk Connection-User Interface Components.
7.0 Manage Vendor Applications
The Connections page allows you to manage cloud, on-premises, external key source, and vendor application connections added to Fortanix Key Insight.
The VENDOR APPLICATIONS tab on the Connections page shows all the vendor application connections configured for the selected Fortanix Key Insight account.

Figure 10: Manage vendor application connections
You can perform the following on the Connections page:
Use the Search field to find a specific connection by entering its Name.
Click a connection to navigate to its corresponding Overview page.
Identify the vendor type from the value in the VENDOR column. For example, CyberArk (SaaS).
Click ADD VENDOR APPLICATION to add a new vendor application connection.
For more information on adding a new CyberArk (SaaS) connection, refer to Section 5.0: Configure a CyberArk (SaaS) Connection.
For more information on adding a new CyberArk (On-Premises) connection, refer to Section 6.0: Configure a CyberArk (On-Premises) Connection.
NOTE
When adding or editing a vendor application, if you change or update a policy on the Key Insight Policy step, you must rescan the connection to apply the updated policy.
For more information on managing (add, duplicate and modify, edit, and delete) the cryptographic policies, refer to Cryptographic Policy Management.
For each vendor application connection, you can perform the following:
Edit
Delete
Rescan
View Details (Available only for CyberArk on-premises connections).
NOTE
Only users with the Account Administrator and Group Administrator roles can perform add, edit, delete, and rescan operations.
7.1 Edit the Vendor Application
Use this feature to update the vendor application connection details when required.
Perform the following steps to edit the vendor application connection:
Click
on the required connection.
Select Edit.
On the Vendor Application Connections page, update the required details in each step, if required.
Click SAVE to update the details.
7.2 Delete the Vendor Application
Use this feature to remove a vendor application connection and its associated information.
Perform the following steps to delete the vendor application connection:
Click
on the required connection.
Select Delete.
In the Delete dialog box, read the details and enter the scanner name in the text box.
Click CONFIRM.
Warning
Deleting the vendor application connection is irreversible.
After deletion, the vendor application will no longer appear in the list on the Connections page.
7.3 Rescan the Vendor Application
Use this feature to retrieve the latest resources available for the vendor application.
Perform the following steps to rescan a vendor application connection:
Click
on the required connection.
Select Rescan.
NOTE
The Rescan option is enabled only when the CyberArk On-premises connection status is Connected.
Click START SCANNING to restart the scan. If the scan is successful, it will update the LAST SCANNED column with the latest scan date and time.
7.4 View the Vendor Application Details
This feature is available only for on-premises vendor application connections.
Perform the following steps to view the connection details:
Click
on the required CyberArk on-premises connection.
Select View Details.
On the CyberArk On-premises connection details page,
Click DOWNLOAD PACKAGE to download the package again if you changed your machine, or if your current package has errors or was not installed correctly.
Click
→ Delete to remove the CyberArk (On-premises) connection.
Click
→ Edit to update the name of the connection, if required.
Also, you can view the following sections:
Scanner Details: This section provides details about the scanner's connection status, connection ID, last scan, periodic polling interval, and the date and time it was created.
Access Type: This section offers details about the API key.
Perform the following to manage the API keys:
Click MANAGE API KEY to manage the generated API key(s).
In the Manage API Key dialog box, read the details.
NOTE
You can generate a maximum of two API keys for configuring the connection between Fortanix DSM (On-premises) and Fortanix Key Insight.
Click GENERATE ANOTHER API KEY to generate a second key if one already exists.
For each API Key, you can perform the following:
Click COPY to copy the API key value.
Click DELETE to remove the generated API key.
WARNING
Deleting an API key may revoke access for the CyberArk On-premises connection, potentially disrupting its functionality. This action is irreversible.

Figure 11: View CyberArk (on-premises) key details
8.0 Delete Fortanix Key Insight Account
Deleting a Fortanix Key Insight (KI) account is the same as deleting a Fortanix Armor account, since Fortanix Key Insight is part of the Fortanix Armor platform.
For more information on deleting the Fortanix Key Insight (Fortanix Armor) account, refer to Fortanix Armor - Getting Started.