Enhance CyberArk credential entry to work with RSA token id

Hi all
We're trying to use credential entries of type CyberArk (not CyberArk AIM).
But we need to do multifactor authentication to connect to CyberArk. That's why I'm also requesting credential types of type RSA in another thread.
We've "nearly" got it working in CyberArk connection type credentials, using the following:

If I specify Authentication mode: RADIUS

and then enter my RSA username in 'username' and my RSA token id (pincode + code from the fob) in the 'password' field, it seems to work,
but then of course only for 60 seconds (on my physical RSA token) / 30 seconds (using my RSA Soft token on my phone).
This is of course not workable.
Problem here is that we HAVE to specify the password. If we could leave the username/password entries below empty and fill them in when using the credential, it would work.



And then we hit a second problem: I can never retrieve the password for the account specified in 'Keywords'.
Turns out, CyberArk configuration forces us to specify a 'reason' in the password retrieval process.
So, in order to get this working we need at least 3 fields to be entered (during usage of the CyberArk credential):

For this, the 'username' and 'password' fields in the dialog above should not be mandatory.
Maybe another solution is possible (I tried to use variables in username above, but that didn't work for me yet). Also, authentication mode 'RSA' as requested in another thread would be great.
Regards, Ben van Zanten

All Comments (5)

Hello,

Setting the username/password directly in the entry should be the exception, not the norm. The reason is that these are the credentials used to connect to the Vault and they should not be shared. That's why we have the "Use my account settings" to store your personal credentials.

That being said, I totally understand your needs regarding the PIN code, we have a macro that was perfect for it, but could maybe improve it by making a better integration. We will meet internally to come up with something.

As for any other requests, you must understand that we can only use the CyberArk REST API as it stands. (https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Implementing%20Privileged%20Account%20Security%20Web%20Services%20.htm)

Subrequest A: RSA Token, I do not believe there's an API call that allows for that.

Subrequest B: Checkout Reason, as per https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/GetPasswordValueV10.htm it's available, but we are still using the legacy method. We will need to evaluate the impact of switching to the latest calls. We will need to get back to you on that.

As with all work on our CyberArk integration, their business services team must approve changes before we go live. They have the final word and will be consulted.

Best regards,

Maurice

For subrequest A, RSA token:
Since the RSA token is effectively a one-time password, I've tried to select 'Use "My Account Settings"' and update my personal credentials to be a One-time password.
However, that also doesn't seem to work; it requires me to fill in a key:

And if I read the documentation on https://help.remotedesktopmanager.com/credentials_onetimepassword.htm, its usage seems to be the other way around: an OTP entry seems to SHOW an OTP instead of opening a dialog to enter our time-based one-time password (like the one from our RSA key fob, or the Microsoft / Google Authenticator app) to be filled in during authentication to any service.
But then, so as not to have 2 requests in 1 thread, maybe this subrequest A can move to my already existing request for RSA token support:
https://forum.devolutions.net/messages.aspx?TopicID=31306 (or https://forum.devolutions.net/messages.aspx?TopicID=28273)


For subrequest B, Add a reason: updating to the latest CyberArk REST API calls would be ideal of course, but may take some time. But when the current legacy calls also allow a 'reason' to be filled then only on the Devolutions RDM side things would need to change: just add an optional 'reason' field to the GUI and provide that during CyberArk password retrieval. That is completely under your control and should take less time to implement.


Regards, Ben van Zanten

Hello,

I will need to rewrite my answer to make it clearer. The "use my account settings" does not support the RSA token, this will be the subject of an internal design meeting.

Subrequest B: where do you see that the legacy call supports providing the reason???

Maurice

Hi Maurice, thanks for your answer.
Indeed on https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/GetPasswordValueV10.htm there is a description of the body allowing a reason to be filled in.
In our CyberArk implementation, the 'reason' field is required, meaning we somehow have to provide such a string during our (API) calls to CyberArk. And if we try to integrate with RDM it is the RDM call that needs to fill in the reason. So somewhere either in the RDM interface or in an additional macro or event we would like to have the possibility to fill in a reason and have that delivered in the call to CyberArk.
Regards, Ben van Zanten
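As an added illustration (not RDM's or CyberArk's own code) of the flow this thread asks for: a RADIUS logon using the passcode entered at use time, followed by the v10 "Get password value" call that carries the mandatory reason, run here against a constructed fake vault so it works offline. The endpoint paths and body keys are assumed from CyberArk's public REST documentation and the host name is a placeholder; check both against your PVWA version.

```python
from typing import Any, Callable, Dict

# (method, url, headers, json_body) -> decoded JSON response; injected so the
# same flow can run offline against the constructed fake vault below.
Transport = Callable[[str, str, Dict[str, str], Any], Any]


class CyberArkClient:
    """Minimal PVWA REST client: RADIUS logon, then v10 password retrieval."""

    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = ""

    def logon_radius(self, username: str, passcode: str) -> str:
        # passcode = PIN + current token code; it expires within 30-60 s, so it
        # is prompted for at use time and never persisted in the credential entry.
        url = f"{self.base_url}/PasswordVault/API/auth/RADIUS/Logon"  # assumed path
        self.token = self.transport("POST", url, {"Content-Type": "application/json"},
                                    {"username": username, "password": passcode})
        return self.token

    def get_password(self, account_id: str, reason: str) -> str:
        # The legacy GET .../PIMServices.svc/Accounts/{id}/Credentials takes no
        # body, so a reason can only travel on the v10 POST endpoint (assumed path).
        if not reason.strip():
            raise ValueError("vault policy requires a non-empty reason")
        url = f"{self.base_url}/PasswordVault/API/Accounts/{account_id}/Password/Retrieve/"
        headers = {"Content-Type": "application/json", "Authorization": self.token}
        return self.transport("POST", url, headers,
                              {"reason": reason, "ActionType": "show", "isUse": False})


def fake_vault(method: str, url: str, headers: Dict[str, str], body: Any) -> Any:
    """Constructed stand-in for PVWA enforcing the same 'reason is required' policy."""
    if method == "POST" and url.endswith("/auth/RADIUS/Logon"):
        return "SESSION-TOKEN-PLACEHOLDER"
    if method == "POST" and "/Password/Retrieve/" in url:
        if headers.get("Authorization") != "SESSION-TOKEN-PLACEHOLDER":
            raise PermissionError("401: not logged on")
        if not body.get("reason"):
            raise PermissionError("403: reason is mandatory in this vault")
        return "PASSWORD-PLACEHOLDER"
    raise ValueError(f"unexpected request {method} {url}")


def retrieve(account_id: str, username: str, passcode: str, reason: str,
             transport: Transport = fake_vault) -> str:
    client = CyberArkClient("https://pvwa.example.invalid", transport)  # placeholder host
    client.logon_radius(username, passcode)
    return client.get_password(account_id, reason)
```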

Yes, as described in my answer, I had listed that link myself, but mentioned that we were still using the legacy method (the one pre-v10). The impact of using GetPasswordValue has to be evaluated.

Maurice