How to manage SSH keys for CyberArk Vault users

Modified on Sun, 09 Aug 2020 at 10:18 AM

Problem:


When configuring or using PKI authentication in CyberArk and you require to use that auth method for components other then PVWA, additional steps are required to get this working.



Solution:


CyberArk can be used with both vault local or LDAP users, each of which has its own way of how to manage and access they key. Local users store the key internally and those can be accessed or modified via REST API while LDAP users store the key in an Active Directory attribute. Follow the steps below to configure the required user type.

Additional info on the matter can be found here:

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Configuring-Management-of-Users-Public-SSH-Keys.htm


Note: Only 1 type of configuration can work at a time, as you point the vault to either look at the vault or LDAP attribute for the key management.


CyberArk Local users

  1. Log in to the PVWA, go to Administration > Options and navigate to Privileged Session Management > General Settings > Server Settings. and make sure that LDAPUserSSHKeysManagement is set to Vault:
  2. Create a key pair using one of the allowed and supported methods
  3. Use the CyberArk REST API and upload the public key from step 1 to the relevant user in CyberArk

CyberArk LDAP Users

  1. Log in to the PVWA, go to Administration > Options and navigate to Privileged Session Management > General Settings > Server Settings. and make sure that LDAPUserSSHKeysManagement is set to LDAP:
  2. Create a key pair using one of the allowed and supported methods
  3. Extract the public ssh-rsa key from the cert. Example on how to do that  using PUTTY-CAC
    1. Get the latest version of Putty-CAC from here:
      https://github.com/NoMoreFood/putty-cac/releases
    2. Run Putty-CAC, go to the Connection > SSH > Certificate and press Set CAPI Cert button. In pop-up window select certificate, which is stored in smart-card, and press OK.
    3. Press Copy to Clipboard button, and paste it to the notepad. You need only ssh public key, which starts from ssh-rsa AAAAB3Nza... and 'till CAPI:... You don't need CAPI and everything after that
  4. Open the Active Directory Users and Computers, Find user account, open it's properties. Go to the Attribute Editor tab
  5. Find altSecurityIdentities attribute, and if you don't using it somewhere, paste SSH key there (ssh-rsa AAAAB3NzaC1yc2...). If it is used - then you need to create new attribute or use another unused attribute.
  6. Go to PVWA Options > LDAP Integration, and in MicrosoftADProfile.ini set UserSSHPublicKey to the attribute name, in which public SSH key is stored. In our case - altSecurityIdentities.
  7. Restart the PSMP service -> service psmpsrv restart
  8. In the PrivateArk Client delete transparent user, which you are testing. It will be recreated automatically when it will login for the first time.
    Note: At this moment in time, I didn't find a way on how to get this to work with an existing user.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article