Setting up a CyberArk identity-management system

CyberArk is an external password vault that can optionally be used with Lenovo XClarity Administrator to store XClarity Administrator and Lenovo XClarity Controller credentials. After an account password is stored in CyberArk, the password is managed by CyberArk.

About this task

XClarity Administrator allows you to store your XCC passwords in identity-management systems provided by CyberArk, a third-party service. Lenovo is not responsible for the CyberArk service, and you are responsible for your direct relationship with CyberArk.

If user accounts for a ThinkSystem or ThinkAgile server are onboarded onto CyberArk, you can choose to have XClarity Administrator retrieve credentials from CyberArk to log in to the server when initially setting up the servers for management (with managed or local authentication). Before credentials can be retrieved from CyberArk, the CyberArk paths must be defined in XClarity Administrator and mutual trust must be established between CyberArk and XClarity Administrator using TLS mutual authentication through client certificates.

Procedure

To configure XClarity Administrator to use CyberArk, complete the following steps.

  1. Configure CyberArk.
    1. From the XClarity Administrator menu bar, click Administration > Security.

    2. Click CyberArk under the Identity Management section.

    3. Click Edit CyberArk Server Details from the toolbar.

    4. Specify the CyberArk hostname or IP address, and the port number.

    5. Click Apply.

  2. Import the XClarity Administrator mutual-authentication certificate into CyberArk.
    1. From the XClarity Administrator menu bar, click Administration > Security.

    2. Click Server Certificate in the Certificate Management section.

    3. Click the Client Certificate tab.

    4. Select CyberArk as the server type.

    5. Click Regenerate Certificate to generate a new TLS mutual-authentication certificate for CyberArk.

      Attention: If you regenerate the TLS mutual-authentication certificate for CyberArk after a connection is established between XClarity Administrator and CyberArk, the connection is lost until you import the new certificate in CyberArk.
    6. Click Download Certificate, and then click Save as der or Save as pem to save the certificate as a file to your local system.

    7. Import the downloaded certificate into CyberArk.

  3. Import the CyberArk root CA certificate into XClarity Administrator.
    1. Download the root CA certificate from CyberArk.

    2. From the XClarity Administrator menu bar, click Administration > Security.

    3. Click Trusted Certificates in the Certificate Management section.

    4. Click the Create icon to add a certificate.

    5. Browse for the file or paste the PEM-formatted certificate text.

    6. Click Create.

  4. Add paths that identify the location of onboarded user accounts in CyberArk.
    1. From the XClarity Administrator menu bar, click Administration > Security.

    2. Click CyberArk under the Identity Management section.

    3. Click the Paths tab.

    4. Click the Create icon to display the Create CyberArk Path dialog.

    5. Optionally specify the application ID, safe and folder where the user accounts are stored in CyberArk.

      If you specify the application ID and safe and optionally the folder, XClarity Administrator attempts to find the user account in the specified location.

      If you specify a combination of fields other than application ID and safe (for example, if you specify only the application ID, only the safe and folder, or only the application ID and folder), XClarity Administrator filters the path using the specified values.

    6. Click Apply.
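
Added example (not part of the Lenovo documentation): step 2 lets you save the client certificate as DER or PEM, and a regenerated certificate breaks the connection until it is imported into CyberArk, so this Python script compares the SHA-256 fingerprints of two certificate files regardless of encoding to confirm that both sides hold the same certificate. The function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def _is_whole_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (the outer shape of X.509)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    count = first & 0x7F                  # long form: next `count` bytes hold the length
    if count == 0 or len(der) < 2 + count:
        return False
    return len(der) == 2 + count + int.from_bytes(der[2:2 + count], "big")


def to_der(data: bytes) -> bytes:
    """Normalize a certificate file saved as PEM or DER to DER bytes."""
    blocks = PEM_BLOCK.findall(data)
    if len(blocks) > 1:
        raise ValueError("file holds more than one certificate")
    der = base64.b64decode(b"".join(blocks[0].split()), validate=True) if blocks else data
    if not _is_whole_der_sequence(der):   # catches truncated or non-certificate files
        raise ValueError("not a complete PEM or DER certificate")
    return der


def fingerprint(data: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(fingerprint(a), fingerprint(b))


# Constructed stand-in, not a real certificate: a minimal DER SEQUENCE.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM), same_certificate(SAMPLE_DER, SAMPLE_PEM))
```

In practice, pass the bytes of the file downloaded from XClarity Administrator and of the certificate exported from CyberArk (for example with `pathlib.Path(...).read_bytes()`).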

What to do next