UiPath Orchestrator Guide

Storing Robot Credentials in CyberArk

By default, when you connect your Robot to Orchestrator, you are required to provide the Robot with the Windows login details (username and password) of the user it is going to use to connect to the machine. The credentials are stored in Orchestrator's database using 256-bit encryption.

However, to enable you to keep and manage them from a third-party enterprise-grade credential store, you can also store them in CyberArk® Enterprise Password Vault®. They can be retrieved when needed with the help of CyberArk®’s Application Identity Manager (AIM).

Please keep in mind that CyberArk® is not a free service.

Important!

If you enable CyberArk, you can no longer store Robot credentials in the SQL database.

Setup Considerations

Simple installation of a one-node Orchestrator

  • CyberArk® Enterprise Password Vault® can be installed on any machine that can communicate with the one on which Orchestrator is installed.
  • CyberArk®’s Application Identity Manager (AIM) needs to be installed on the same machine where Orchestrator is also installed. If Orchestrator is installed in a cluster mode, then an instance of AIM needs to be installed on each Orchestrator node.

For more information about how to install CyberArk®’s Enterprise Password Vault® and Application Identity Manager, please visit their official page.

Configuring the Integration

To store your Robot credentials in CyberArk® Enterprise Password Vault® and retrieve them in Orchestrator through AIM, you are required to perform the following steps:

  1. Create an application for your Orchestrator instance and add allowed machines;
  2. Create a Safe and add members to it to ensure proper permissions;
  3. Add accounts for your Robots;
  4. Configure the web.config file with CyberArk information.

Creating an Orchestrator Application

The CyberArk application identifies the app for which you store credentials and allows only the indicated machines to access them.

  1. In CyberArk®’s PVWA (Password Vault Web Access) Interface, log in with a user that has permissions to manage applications (it requires Manage Users authorization).
  2. In the Applications tab, click Add Application. The Add Application page is displayed.
  3. Specify the following information:
    • Name field - a custom name for the application, such as Orchestrator.
    • Description - a short description to help you specify the purpose of the new application.
    • Business owner section - optionally, add information about the application's Business owner.
    • Location - the path of the application within the Vault hierarchy. If a Location is not specified, the application is added in the same Location as the user who is creating this application.
  4. Click Add. The application is added and its details are displayed in the Application Details page.
  5. In the Authentication tab, select the Allow extended authentication restrictions check box.
  6. In the Allowed Machines tab, click Add. The Add allowed machine window is displayed. Here you should add information about the machine or machines on which Orchestrator is installed.
  7. In the Address field, specify the address of a machine using the IP/hostname/DNS format.
  8. Click Add. The IP address is listed in the Allowed machines tab. This information enables the Credential Provider to make sure that only applications that run on the specified machines can access their passwords.
  9. Perform steps 6 - 8 as many times as you need, to ensure that the servers allowed include all mid-tier servers or all endpoints where the AIM Credential Providers were installed. This might be the case if you installed Orchestrator on multiple nodes.

Creating an Orchestrator Safe

Safes are required to help you better manage your accounts. Also, you can add safe members to ensure a proper authorization. CyberArk recommends adding a credential provider (a user that has full rights over the credentials, can add and manage them) and the previously created application as safe members. The latter enables Orchestrator to find and retrieve the passwords stored in the safe.

Important!

Even if you are using tenants, you should create only one safe per Orchestrator instance.

  1. In the Policies tab, under the Access Control (Safe) section, click Add Safe. The Add Safe page is displayed.
  2. Fill in the Safe Name and Description fields.
  3. Click Save. The Safe Details window is displayed.
  4. In the Members section, click Add Member. The Add Safe Member window is displayed.
  5. Search for the previously created application (steps 2-5) so you can add it.
  6. Add a credential provider, and select the following permissions for it:
    • View Safe Members
    • Retrieve accounts
    • List accounts
    • Access Safe without Confirmation - Only if you are using a dual control environment and a v7.2 or lower PIM-PSM.
      If you install multiple credential providers for this integration, it is recommended to create a group for them, and add the group to the Safe once with the above authorization.
  7. Click Add. A confirmation message is displayed in the Add Safe Member window.
  8. Add the previously created application as a safe member, with the Retrieve accounts permission.
  9. Click Add. A confirmation message is displayed in the Add Safe Member window.

Adding Accounts for your Robots

At this step, you add the login credentials under which your Robot runs. If you have multiple Robots, perform this procedure for all of them. This procedure applies to both local and domain users.

  1. In the Accounts tab, click Add Account. The Add Account page is displayed.
  2. Select the safe you previously created in the Store in Safe drop-down list.
  3. Select Operating System in the Device Type list.
  4. In the Platform Name list:
    a. select Windows Desktop Local Accounts if the Robot user is local.
    b. select Windows Domain Account if the Robot user is part of an Active Directory.
  5. In the Address field:
    a. type the name of the machine on which the Robot is installed if you are using local users.
    b. type the name of the domain in which the Robot machine is installed if you are using domain users.
  6. Fill in the Username field with the name of the user under which the Robot runs.
  7. In the Password and Confirm Password fields, type the password that belongs to the user under which the Robot runs.
  8. Under Name, select Custom and type the machine or domain name, and the Robot username, using the following convention:
    a. for local users - machineName-username, such as E47LTUF-documentation;
    b. for domain users - domainName-username, such as deskover-documentation.
  9. Click Save. The account is saved. Orchestrator uses this account to retrieve the Robot credentials when needed, provided the Robot is also provisioned in Orchestrator.

Configuring the web.config File

  1. Navigate to Orchestrator's web.config file and open it with a text editor, such as Notepad++.
  2. Configure the parameters as follows:
    • Vault.Type - leave only CyberArk.
    • Vault.CyberArk.AppId - the application id, as it is in the CyberArk® Enterprise Password Vault®, such as DocOrchestrator.
    • Vault.CyberArk.Safe - the safe name, as it is in CyberArk® Enterprise Password Vault®, such as DocOrchestratorSafe.
    • Vault.CyberArk.Folder - the location in which your credentials are stored in CyberArk® Enterprise Password Vault®, such as ROOT.
  3. Save the file.
  4. On the Orchestrator machine, restart the CyberArk Application Password Provider service.
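As an added check that is not part of the original guide, the script below reads the Vault.* keys from a web.config and reports anything that does not match the settings described above, including a Vault.Type that still lists more than CyberArk. The `<appSettings>` layout, the `Database` default in the "before" sample and the sample values are constructed assumptions.

```python
# Added check for the Vault.* appSettings in Orchestrator's web.config.
# The <appSettings>/<add key= value=> layout is assumed; the key names are
# the ones documented for the CyberArk integration.
import xml.etree.ElementTree as ET

REQUIRED_KEYS = ("Vault.CyberArk.AppId", "Vault.CyberArk.Safe", "Vault.CyberArk.Folder")


def read_app_settings(xml_text: str) -> dict:
    """Return every <add key="..." value="..."/> pair as a dict."""
    root = ET.fromstring(xml_text)
    settings = {}
    for node in root.iter("add"):
        key = node.get("key")
        if key is not None:
            settings[key] = node.get("value", "")
    return settings


def check_vault_settings(xml_text: str) -> list:
    """Return a list of problems; an empty list means the file matches the guide."""
    settings = read_app_settings(xml_text)
    problems = []
    vault_type = settings.get("Vault.Type", "")
    # "leave only CyberArk": any other provider in the list is flagged
    providers = [p.strip() for p in vault_type.split(",") if p.strip()]
    if providers != ["CyberArk"]:
        problems.append(f"Vault.Type must be exactly 'CyberArk', found '{vault_type}'")
    for key in REQUIRED_KEYS:
        if not settings.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    return problems


# Constructed sample: Vault.Type still lists the database and the Safe is unset
BEFORE = """<configuration><appSettings>
  <add key="Vault.Type" value="Database,CyberArk" />
  <add key="Vault.CyberArk.AppId" value="DocOrchestrator" />
  <add key="Vault.CyberArk.Safe" value="" />
  <add key="Vault.CyberArk.Folder" value="ROOT" />
</appSettings></configuration>"""

# Constructed sample: configured as the guide describes
AFTER = """<configuration><appSettings>
  <add key="Vault.Type" value="CyberArk" />
  <add key="Vault.CyberArk.AppId" value="DocOrchestrator" />
  <add key="Vault.CyberArk.Safe" value="DocOrchestratorSafe" />
  <add key="Vault.CyberArk.Folder" value="ROOT" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vault_settings(cfg) or "OK")
```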

Retrieving the Vault Credentials

After performing the steps above, in Orchestrator, you have to provision the Robot. As you are now using CyberArk to store your passwords, please note that in the Provision Robot window, you no longer have to add the password. However, please keep in mind that the user is still mandatory.

When provisioning the Robot in Orchestrator, add the username as you normally would:

  • for local users - the actual username, such as Documentation;
  • for domain users - the username and domain it runs under, in the DOMAIN\username format, such as uipath\administrator.

Based on the user provided for the Robot, Orchestrator searches for a match in CyberArk. When a match is found, the corresponding password is retrieved.
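As an added pre-flight check that is not part of the original guide, the script below derives the Custom account name expected for each provisioned Robot from the naming convention given above (machineName-username for local users, domainName-username for DOMAIN\username) and lists Robots that have no matching account in the Safe. The matching logic and the case-insensitive comparison are assumptions modelled on the documented convention, not UiPath's or CyberArk's own code; the Robot and account lists are constructed.

```python
# Added helper: derive the CyberArk account name Orchestrator is expected to
# look up for a provisioned Robot and compare it with the accounts in the Safe.
# Assumption: the lookup follows the documented machineName-username /
# domainName-username convention and ignores case, as Windows names do.


def expected_account_name(robot_username: str, machine_name: str) -> str:
    """'Documentation' on E47LTUF -> 'E47LTUF-Documentation';
    'uipath\\administrator'      -> 'uipath-administrator'."""
    if "\\" in robot_username:
        domain, user = robot_username.split("\\", 1)
        return f"{domain}-{user}"
    return f"{machine_name}-{robot_username}"


def find_unmatched(robots, safe_account_names):
    """Return (robot_username, machine_name, expected_name) for every Robot
    whose expected account name is absent from the Safe."""
    known = {name.lower() for name in safe_account_names}
    missing = []
    for username, machine in robots:
        name = expected_account_name(username, machine)
        if name.lower() not in known:
            missing.append((username, machine, name))
    return missing


# Constructed inventory: Robots as provisioned in Orchestrator (username, machine)
ROBOTS = [
    ("Documentation", "E47LTUF"),
    ("uipath\\administrator", "ROBOT01"),
    ("deskover\\svc_finance", "ROBOT02"),
]
# Constructed list of Custom account names created in the Safe
SAFE_ACCOUNTS = ["E47LTUF-documentation", "uipath-administrator"]

if __name__ == "__main__":
    for username, machine, name in find_unmatched(ROBOTS, SAFE_ACCOUNTS):
        print(f"no CyberArk account '{name}' for Robot {username} on {machine}")
```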

Important!

When making changes to the password in CyberArk Application Password Provider, please keep in mind that it might take a few minutes for it to be propagated in Orchestrator due to AIM's cache system.
