Integrating CyberArk Central Policy Manager (CPM) with Enterprise Vault to automate Service Account password management

Article: 100073462
Last Published: 2025-05-06
Product(s): Enterprise Vault

Description

This article explains how to integrate CyberArk Central Policy Manager (CPM) with Enterprise Vault to efficiently rotate the Enterprise Vault Service Account's password.

Note: For eDiscovery (formerly known as Discovery Accelerator) and Surveillance (formerly known as Compliance Accelerator), refer to the steps given in the link below to rotate the Service Account password with built-in capabilities of CPM:
https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/windowsservicesaccounts.htm

Prerequisites for the integration

To execute a PowerShell script on an Enterprise Vault server managed by CPM, you must create a PSSessionConfiguration named EVCyberArkConfig using the following command, embedding the CyberArk login account credentials:

Register-PSSessionConfiguration -Name EVCyberArkConfig -RunAsCredential <Domain\CPMLoginUserName> -ProcessorArchitecture x86 -Force

Note: If the CyberArk login account credentials change, you must recreate the configuration object by first removing the previously created one. For more details on the relevant PowerShell commands, refer to the links below:
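
One way to carry out the remove-then-recreate step described in the note above, shown as an added example that is not part of the original article or the vendor's tooling. It assumes Windows PowerShell running elevated on the Enterprise Vault server and prompts for the CPM login account's credential instead of embedding it.

```powershell
# Added example: recreate the EVCyberArkConfig endpoint after the CPM login
# account's credentials have changed. Run on the Enterprise Vault server.
$ErrorActionPreference = 'Stop'
$configName = 'EVCyberArkConfig'   # configuration name required by this article

# Managing session configurations requires administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as Administrator) PowerShell session.'
}

# Prompt for the credential so the password is never written into the script,
# the command line, or the console history.
$cred = Get-Credential -Message 'CPM login account (Domain\CPMLoginUserName)'

# Remove the stale configuration first, if one exists.
if (Get-PSSessionConfiguration -Name $configName -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name $configName -Force
}

# -Force suppresses prompts and restarts the WinRM service, which drops any
# remoting sessions currently open on this server.
Register-PSSessionConfiguration -Name $configName -RunAsCredential $cred `
    -ProcessorArchitecture x86 -Force | Out-Null

# Verify the result. Review Permission as well: every principal allowed to
# connect to this endpoint runs commands as the RunAs account.
Get-PSSessionConfiguration -Name $configName |
    Format-List Name, RunAsUser, Architecture, Permission
```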

Integration steps

Note: For steps 1 to 5 (except step 4), contact your CyberArk administrator for configuration assistance.

  1. Deploy and configure CPM.
  2. Identify a domain user (for example, earth\msmith) within the Enterprise Vault domain and grant it the permissions necessary to rotate passwords for other users in Active Directory.
  3. Configure earth\msmith as a login account in the CPM instance.
  4. Add earth\msmith to the Enterprise Vault Role-Based Access (RBA) Credential Administrator role.
    Refer to the Enterprise Vault PowerShell Cmdlets Guide for details on managing role membership.
    Note: The CPM login account must also be a local administrator on all Enterprise Vault servers in the directory, which is implicit for any user assigned to an Enterprise Vault RBA role.
  5. Configure the CyberArk CPM plugin for Enterprise Vault.

Additional information

For instructions on configuring and using the CPM plugin developed for Enterprise Vault, refer to this article. You may need to log in to the CyberArk Community page to access it.

This plugin enables the execution of the SetEVServiceAccountPasswordUsingCyberArk.ps1 script on the Enterprise Vault server through the CPM instance.

Note: The SetEVServiceAccountPasswordUsingCyberArk.ps1 script supports Enterprise Vault 15.1 and later. 

This script runs on the target Enterprise Vault server and rotates the credentials of the Enterprise Vault Service Account across all Enterprise Vault and File servers within the Enterprise Vault directory.
 

Troubleshooting steps

Scenario: Password rotation fails

Contact the CyberArk administrator to obtain the latest Enterprise Vault Service Account password from CPM. Then manually run the SetEVServiceAccountPasswordUsingCyberArk.ps1 script, located on the Enterprise Vault server at <Enterprise_Vault_Install_Directory>\PowerShellScripts\, with the -Verbose switch and the other required parameters to troubleshoot further.

Note: To manually execute the script, you must use an elevated (Run as Administrator) PowerShell x86 instance.

Add the following Enterprise Vault processes to Dtrace, repeat the operation, and check the logs for more details:

  • PowerShell.exe

  • DirectoryService.exe

  • AdminService.exe

Known limitations

This integration does not support rotating the password of the Enterprise Vault Service Account when Enterprise Vault servers are configured in clustered environments.

 
